acl-socket operators (original) (raw)

accept-connection
configure-dns
dns-ipaddr-to-hostname
dns-lookup-hostname
dns-nameserver-ipaddr
dns-nameserver-name
dns-nameserver-received
dns-nameserver-sent
dns-query
dns-response-additional
dns-response-answer
dns-response-authority
dns-response-flags
dns-response-flags-value
dns-response-id
dns-rr-answer
dns-rr-class
dns-rr-name
dns-rr-time-to-live
dns-rr-type
dotted-address-p
dotted-to-ipaddr
ftp-transfer-file
get-ip-interfaces
get-ssl-peer-certificate
get-ssl-verify-result
initialize-socket
ipaddr-equalp
ipaddr-to-dotted
ipaddr-to-hostname
ipaddrp
ipv6
ipv6-address-p
local-filename
local-host
local-port
lookup-hostname
lookup-port
make-socket
make-ssl-client-context
make-ssl-client-stream
make-ssl-server-context
make-ssl-server-stream
open-ftp-stream
receive-from
remote-filename
remote-host
remote-port
send-to
set-socket-format
set-socket-options
set-tcp-md5-sig
shutdown
socket-address-family
socket-connect
socket-control
socket-format
socket-os-fd
socket-type
ssl-do-handshake
with-pending-connect
x509-certificate-issuer
x509-certificate-not-after
x509-certificate-not-before
x509-certificate-serial-number
x509-certificate-subject
x509-certificate-subject-alt-name
x509-certificate-version

accept-connection

Generic function, acl-socket package

Arguments: sock &key (wait t)

If wait is true, waits for there to be a connection to this socket and returns a new stream object that can be used to do I/O to the connected socket. If wait is nil and there is no connection pending it returns nil immediately; if a connection is pending, connects and returns a new stream object that can be used to do I/O to the connected socket.

See <socket.html> for general information on sockets in Allegro CL.

configure-dns

Function, acl-socket package

Arguments: &key nameserver search domain auto

In order to work, the DNS utility needs to know the IP address of at least one nameserver willing to respond to recursive queries (that is, to do the work of the query if it doesn't know the answer). This function is used to specify the nameserver addresses. It can also specify other optional information. When DNS is configured, the variable *dns-configured* is set to true.

The arguments:

nameserver: An IP address or a list of IP addresses of the nameservers we should consult
search: a list of strings naming the domains we should search in dns-lookup-hostname.
domain: the domain of this machine (e.g. "foo.com"). This value is stored in the variable *dns-domain* for programs to use.
auto: If true, determine as much of this information as possible automatically, overriding the values set by the other arguments.

We would like to be able to compute this information automatically in every situation. Currently we can handle Unix machines that specify this information in a file called /etc/resolv.conf, and we try to handle all versions of Windows (but see the note under the heading Automatic DNS configuation on Windows below).

When dns-query is called, it checks to see if configure-dns has been called since lisp started, and if not it calls configure-dns with :auto t. If this doesn't work it means that you need to call configure-dns with the appropriate information before you call dns-query on this machine.

Automatic DNS configuation on Windows

On Windows the information we need to automatically configure this module is found in the Windows registry. Unfortunately the information we need is in a different place in each on the various Windows configurations we tested (such as Win NT 4 and Win2000, each with a fixed IP address or using DCHP to configure the IP address). Therefore it's likely that information will move around again in future versions of Windows. Furthermore sometimes we encounter stale information in the registry (for example, a laptop computer that used to be on a network but isn't at the moment may hold the last known nameserver information in the registry even though those nameservers are unreachable). Therefore, if you wish to make use of the Allegro CL DNS facility, you should be prepared to manually configure-dns on machines (by calling this function with auto nil and filling in the necessary information) when auto configuration fails.

See <dns.html> for information on the domain naming system utility in Allegro CL and see <socket.html> for general information on sockets in Allegro CL.

dns-ipaddr-to-hostname

Arguments: name &rest rest

Function, acl-socket package

This function calls dns-query passing a type value of :ptr. This is the functional equivalent of ipaddr-to-hostname when you ignore the extra values returned.

See also *dns-mode*.

See <dns.html> for information on the domain naming system utility in Allegro CL and see <socket.html> for general information on sockets in Allegro CL.

dns-lookup-hostname

Function, acl-socket package

Arguments: name &rest rest

This function calls dns-query passing a type value of :a. This is the functional equivalent of lookup-hostname if you ignore the extra values returned. It has one additional feature, which is that if the query on name doesn't return any IP addresses, and if name doesn't contain any periods (that is, it's not a fully qualified domain name), then we try appending the values in *domain-search-list* to the name and redoing the query. Because the query can be done once for the given name and once for each name in the *domain-search-list*, this function can take longer to return than dns-query when nameservers aren't responsive.

Limitations

This function does not check a local file (often /etc/hosts) for name to IP address mappings. Thus there are cases where dns-lookup-hostname won't act just like lookup-hostname.
If a nameserver response is too large to fit in 512 bytes and is thus truncated, this function does not switch from UDP to TCP and retry the query.

See also *dns-mode*.

See <dns.html> for information on the domain naming system utility in Allegro CL and see <socket.html> for general information on sockets in Allegro CL.

dns-nameserver-ipaddr

Function, acl-socket package

Arguments: dns-nameserver-object

Accessor for the ipaddr slot of dns-nameserver-object. See dns-nameserver.

See <dns.html>.

dns-nameserver-name

Function, acl-socket package

Arguments: dns-nameserver-object

Accessor for the name slot of dns-nameserver-object. See dns-nameserver.

See <dns.html>.

dns-nameserver-received

Arguments: dns-nameserver-object

Accessor for the received slot of dns-nameserver-object. See dns-nameserver.

See <dns.html>.

dns-nameserver-sent

Function, acl-socket package

Arguments: dns-nameserver-object

Accessor for the sent slot of dns-nameserver-object. See dns-nameserver.

See <dns.html>.

dns-query

Function, acl-socket package

Arguments: name &key type nameserver repeat timeout queue decode search ignore-cache

The arguments are:

Name	Default	What
name	Depending on the value of the type argument, this is either a string or an integer IP address.
type	:a	The type of dns query to make. :a means determine the ip address(es) for the given name. (_name_should be a string.) :ptr means determine the hostname for a given IP address. (_name_should be an integer IP address, a string containing a dotted IP address, or an IPv6 address. :mx means determine if there is another machine that email for _name_should be directed. (_name_should be a string.):srv means get SRV records for a domain. name should be a string. See SRV queries in <dns.html> :txt means get all TXT records associated with name. The answer is a list containing one or more strings (TXT records can be composed of multiple strings), or nil if there are no TXT records. If there is more than one TXT record, then the third return value will contain a list of the remaining answers. :aaaa means look up IPv6 adresses. :any means return all information about the first argument. decode should be specified nil (its default is t) when type is :any.
nameserver	nil	If specified this can be an IP address or a list of IP addresses. This overrides the configured list of nameservers for just this query.
repeat	5	How many times to try to get an answer to this query before giving up.
timeout	5	How long to wait until we assume that a try has failed and we then try again or give up. The value should be an integer indicating a number of seconds.
queue	t	If true then handle this request using the background process that is backed up by a cache of recent answers. If this is nil then a request will always be sent to the nameserver
decode	t	The nameserver returns a structure of many fields. If true then dns-querywill examine the returned structures and will return only the information requested by the query. If this is nil then the result of dns-query will be the actual information returned by the nameserver. This response is a dns-response object. See that page for information on this raw object. Please specify nil when you specify :anyas the value of type.
search	nil	When specified true,dns-domain anddomain-search-list will be used to fully qualify the name argument before doing the query. See below for details on how the search is conducted.
ignore-cache	nil	Allegro CL DNS caches positive and negative responses for at least the time-to-live specified in the respones. If dns-queryis called again with the same request before the time-to-live expires, the cached information will be returned immediately. If ignore-cache is true, then the cached value will be ignored and a DNS lookup will occur.

If either nameserver is non-nil or decode is nil, then queue will be set to nil regardless of the value of queue supplied. This ensures that a fresh query is sent to the nameserver.

Where an IP address is a valid argument, it can be specified as either an integer or as a string such as "192.132.95.1" or "127.1". Ipv6 address structures and IPv6 colon hex strings are allowed too.

Search details

When the search keyword argument is specified true, and so *dns-domain* and *domain-search-list* are used to fully qualify the name argument before doing the query, the search steps are as follows:

The search list comprises *dns-domain* followed by *domain-search-list*. If the given name ends in a period (e.g. www.cnn.com.) then that is an absolute name. Only that name is checked and the search list is not used.
If the given name has a period in it, but that period is not at the end (e.g. www.cnn.com) then that name is checked first.
Finally for the given name N and for each name S in the search list a new name is constructed by concatenating the strings with a period in between (e.g N.S). That constructed name is used in the query. If the query returns a response with :no-such-domain then the next item in the search list is used.

Thus the first response from the search (with a positive or negative valid time, which is the second returned value) is returned as the first returned value, but illegal domains in the search list are ignored.

Return values

There are four return values from dns-query.

the primary answer
the amount of time that that answer is valid (in seconds) This can be a negative number (see the discussion in the The DNS API section of <dns.html> for why).
a list of other answers
a list of the flags returned by the dns server that replied to the query

There are examples of using dns-query in the subsections of The DNS API in <dns.html>.

See <dns.html> for information on the domain naming system utility in Allegro CL and see <socket.html> for general information on sockets in Allegro CL.

dns-response-additional

Function, acl-socket package

Arguments: dns-response-object

Accessor for the additional slot of dns-response-object. See dns-response.

See <dns.html>.

dns-response-answer

Function, acl-socket package

Arguments: dns-response-object

Accessor for the answer slot of dns-response-object. See dns-response.

See <dns.html>.

dotted-to-ipaddr

Function, acl-socket package

Arguments: dotted &key errorp

If dotted is a string like "192.132.95.84" (or one of the extensions to this format), this function converts the string to an unsigned 32-bit IP address. If there are any invalid characters in the string then an error will be signaled unless the value of errorp keyword is nil, in which case nil is returned.

dotted-to-ipaddr supports IPv6 "colon hex" address notation, including the %scopeid extension. The scope id can be an interface number or interface name. dotted-to-ipaddr supports IPv4-mapped IPv6 address notation (::ffff:w.x.y.z).

IPv6 colon hex notation examples:

"2001:5c0:0:2::24"              ;; 6bone.net
"fe80::209:5bff:fe8e:61c1"      ;; a link-local address
"fe80::209:5bff:fe8e:61c1%eth0" ;; a link-local address with scope-id
"fe80::209:5bff:fe8e:61c1%2"    ;; a link-local address with numeric scope-id
"::"                            ;; unspecific/wildcard address
"::1"                           ;; loopback
"::ffff:192.168.0.1"            ;; IPv4-mapped IPv6 address

ftp-transfer-file

Function, acl-socket package

Arguments: from-host from-port from-file (from-user "anonymous") (from-password "[email protected]") to-host to-port to-file (to-user "anonymous") (to-password "[email protected]") (mode :binary) debug*

This function transfers the file from-file from from-port on the from-host machine to to-file via the to-port on the to-host machine. (from-port and to-port have standard defaults and it is typical not to provide values for them. The arguments are there to allow specification of servers on non-default ports.) The files on the different machines can have different names. Users and passwords should be strings.

mode can be :binary (the default), or :text. :text mode lines end with cr-lf (the internet standard).

If debug is a stream (or t) is given, this function will print the ftp interaction to that stream.

get-ip-interfaces

Function, acl-socket package

Arguments:

This function returns a list of conses. The car of each cons is the interface id. The cdr of each cons is the name of the interface.

Either the numeric interface id or the name can be used in the %scopid extension of dotted (colon hex) IPv6 addresses.

Not supported on HP/UX or Mac OS X 64-bit

This function is not supported on HP/UX. It also does not work (it typically signals an error when called) on Mac OS X 64-bit. (The problem on the Mac 64-bit seems to result from an Operating System bug, so it may at some later time be fixed by an OS update. This function does work on Mac OS X 32-bit.)

get-ssl-peer-certificate

Generic Function, acl-socket package

Arguments: stream

get-ssl-peer-certificate returns an x509-certificate object representing the certificate that the peer supplied. If the peer did not supply a certificate, nil is returned. The x509-certificate is created the first time this function is called on a stream.

stream must be an SSL client or server stream (such as is created by make-ssl-server-stream and make-ssl-client-stream).

Note that get-ssl-peer-certificate automatically calls ssl-do-handshake if SSL handshake has not already occurred.

See <socket.html>.

get-ssl-verify-result

Generic Function, acl-socket package

Arguments: stream

get-ssl-verify-result returns information about the success or failure of peer certificate verification.

stream must be an SSL client or server stream (such as is created by make-ssl-server-stream and make-ssl-client-stream).

get-ssl-verify-result returns two values. The first value is a numeric code indicating the status of verification. 0 indicates successful verification. The second value is a string with a text representation of the status.

Note, if SSL handshake has not yet been performed, or if the peer did not provide a certificate, this function returns an OK status.

The possible return values are shown in the following information copied from the OpenSSL documentation. The numeric value (0, 2, 3, 4, etc.) is the first returned value and the string is the second. The string does not include the capitalized and underscored descriptor. Additional information not included in the returned string is included in this list. Thus, when the peer certificate verification is sucessful, 0 and "ok" are returned. X509_V_OK and 'the operation was successful.' are not part of the string.

0 X509_V_OK: "ok" the operation was successful.
2 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: unable to get issuer certificate" the issuer certificate could not be found: this occurs if the issuer certificate of an untrusted certificate cannot be found.
3 X509_V_ERR_UNABLE_TO_GET_CRL "unable to get certificate CRL" the CRL of a certificate could not be found. Unused.
4 X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: "unable to decrypt certificate's signature" the certificate signature could not be decrypted. This means that the actual signature value could not be determined rather than it not matching the expected value, this is only meaningful for RSA keys.
5 X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: "unable to decrypt CRL's signature" the CRL signature could not be decrypted: this means that the actual signature value could not be determined rather than it not matching the expected value. Unused.
6 X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: "unable to decode issuer public key" the public key in the certificate SubjectPublicKeyInfo could not be read.
7 X509_V_ERR_CERT_SIGNATURE_FAILURE: "certificate signature failure" the signature of the certificate is invalid.
8 X509_V_ERR_CRL_SIGNATURE_FAILURE: "CRL signature failure" the signature of the certificate is invalid. Unused.
9 X509_V_ERR_CERT_NOT_YET_VALID: "certificate is not yet valid" the certificate is not yet valid: the notBefore date is after the current time.
10 X509_V_ERR_CERT_HAS_EXPIRED: "certificate has expired" the certificate has expired: that is the notAfter date is before the current time.
11 X509_V_ERR_CRL_NOT_YET_VALID: "CRL is not yet valid" the CRL is not yet valid. Unused.
12 X509_V_ERR_CRL_HAS_EXPIRED: "CRL has expired" the CRL has expired. Unused.
13 X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: "format error in certificate's notBefore field" the certificate notBefore field contains an invalid time.
14 X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: "format error in certificate's notAfter field" the certificate notAfter field contains an invalid time.
15 X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: "format error in CRL's lastUpdate field" the CRL lastUpdate field contains an invalid time. Unused.
16 X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: "format error in CRL's nextUpdate field" the CRL nextUpdate field contains an invalid time. Unused.
17 X509_V_ERR_OUT_OF_MEM: "out of memory" an error occurred trying to allocate memory. This should never happen.
18 X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: "self signed certificate" the passed certificate is self signed and the same certificate cannot be found in the list of trusted certificates.
19 X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: "self signed certificate in certificate chain" the certificate chain could be built up using the untrusted cer- tificates but the root could not be found locally.
20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: "unable to get local issuer certificate" the issuer certificate of a locally looked up certificate could not be found. This normally means the list of trusted certificates is not complete.
21 X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: "unable to verify the first certificate" no signatures could be verified because the chain contains only one certificate and it is not self signed.
22 X509_V_ERR_CERT_CHAIN_TOO_LONG: "certificate chain too long" the certificate chain length is greater than the supplied maximum depth. Unused.
23 X509_V_ERR_CERT_REVOKED: "certificate revoked" the certificate has been revoked. Unused.
24 X509_V_ERR_INVALID_CA: "invalid CA certificate" a CA certificate is invalid. Either it is not a CA or its exten- sions are not consistent with the supplied purpose.
25 X509_V_ERR_PATH_LENGTH_EXCEEDED: "path length constraint exceeded" the basicConstraints pathlength parameter has been exceeded.
26 X509_V_ERR_INVALID_PURPOSE: "unsupported certificate purpose" the supplied certificate cannot be used for the specified purpose.
27 X509_V_ERR_CERT_UNTRUSTED: "certificate not trusted" the root CA is not marked as trusted for the specified purpose.
28 X509_V_ERR_CERT_REJECTED: "certificate rejected" the root CA is marked to reject the specified purpose.
29 X509_V_ERR_SUBJECT_ISSUER_MISMATCH: "subject issuer mismatch" the current candidate issuer certificate was rejected because its subject name did not match the issuer name of the current certificate. Only displayed when the -issuer_checks option is set.
30 X509_V_ERR_AKID_SKID_MISMATCH: "authority and subject key identifier mismatch" the current candidate issuer certificate was rejected because its subject key identifier was present and did not match the authority key identifier current certificate. Only displayed when the -issuer_checks option is set.
31 X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH: "authority and issuer serial number mismatch" the current candidate issuer certificate was rejected because its issuer name and serial number was present and did not match the authority key identifier of the current certificate. Only displayed when the -issuer_checks option is set.
32 X509_V_ERR_KEYUSAGE_NO_CERTSIGN: key usage does not include certificate signing" the current candidate issuer certificate was rejected because its keyUsage extension does not permit certificate signing.
50 X509_V_ERR_APPLICATION_VERIFICATION: "application verification failure" an application specific error. Unused.

See <socket.html>.

Function, acl-socket package

Arguments: ipaddr &key ignore-cache

ipaddr should be a 32-bit unsigned integer (representing an IPv4 address), an ipv6-address stucture, or a dotted IP address string. This function returns, as a string, the hostname of the machine with the given address.

if the ignore-cache argument is specified true, then the lookup will be done by querying the operating system ipaddr lookup libraries rather than using a value that Lisp has cached. The result of the lookup is still cached, however.

See also *dns-mode*.

See <socket.html> for general information on sockets in Allegro CL.

ipaddrp

Function, acl-socket package

Arguments: object

Returns true if the argument is an IP address (either an integer or an ipv6-address structure).

See <socket.html>.

ipv6

Generic Function, acl-socket package

Arguments: internet-socket

Returns true if the argument, which must be an internet socket, is a IPv6 socket. See make-socket.

See <socket.html>.

ipv6-address-p

Function, acl-socket package

Arguments: object

Returns true if the argument is an IPv6 address structure.

See <socket.html>.

local-filename

Generic Function, acl-socket package

Arguments: af-file

Returns the local filename of socket. Note: Both internet stream and internet datagram sockets use 16-bit port numbers. Note that stream (tcp) port N is totally distinct from datagram (udp) port N.

See <socket.html> for general information on sockets in Allegro CL.

local-host

Generic Function, acl-socket package

Arguments: af-internet

Returns an IP address. You can use ipaddr-to-dotted or ipaddr-to-hostname to make a more readable version of this value if you plan to print it out.

See <socket.html> for general information on sockets in Allegro CL.

local-port

Generic Function, acl-socket package

Arguments: af-internet

Returns the local port of socket. Note: Both internet stream and internet datagram sockets use 16-bit port numbers. Note that stream (tcp) port N is totally distinct from datagram (udp) port N.

See <socket.html> for general information on sockets in Allegro CL.

lookup-hostname

Function, acl-socket package

Arguments: host &key ignore-cache ipv6 all

host should be a string naming a host, a 32-bit IP address, a string in dotted form, or an IPv6 address. This function returns the 32-bit IP address or an IPv6 address structure for the host. An error is signaled if the host can not be found. See the documentation for *dns-mode* for information on the manner in which name resolution occurs.

To enhance performance, lookup-hostname caches answers to queries and reuses those answers for subsequent lookups of the same name. If the IP address associated with a given hostname has changed since the information was cached, lookup-hostname may return out-of-date information.

If the ignore-cache argument is specified true, then the lookup will be done by querying the operating system libraries rather than using a value that Lisp has cached. The result of the lookup is still cached, however.

The ipv6 keyword argument was added with IPv6 support. ipv6 defaults to the value of *ipv6*. If nil, only IPv4 addresses will be returned. If :ipv6, then only IPv6 addresses will be returned. If t, then IPv6 addresses (if any) are returned in preference of IPv4 addresses. If ipv6 and all are both t, IPv6 addresses will be before IPv4 addresses in the returned list.

The all keyword argument was added with IPv6 support. If all is true, this function will return a list of all records.

See also *dns-mode*.

See <socket.html> for general information on sockets in Allegro CL.

lookup-port

Function, acl-socket package

Arguments: port protocol

A port number is a 16-bit unsigned number (except port 0 is not used). Certain commonly used ports on machines are given symbolic names. The mapping between name and port number is kept in a file in the system area of the machine (often /etc on Unix and the Windows system directory on MS Windows). Given a symbolic name as the value of port and a protocol (either "tcp" or "udp"), lookup-port returns the associated port number (or signals an error if such a port doesn't exist). The reason that the protocol type is supplied is that the port N for protocol "tcp" is distinct from port N for protocol "udp".

See <socket.html> for general information on sockets in Allegro CL.

make-socket

Function, acl-socket package

Arguments: &rest args &key type format connect address-family eol ipv6 scope-id tcp-md5-sig-key tcp-md5-sig-key-ef

Create and return a socket object with characteristics specified by the arguments. make-socket checks whether multiprocessing has been started and starts it if it hasn't been. The socket object will be an instance of a particular class (see socket for a list of classes). The class is determined from the values supplied to the keyword arguments.

The keywords arguments have the following possible values (with the default value given first):

type: :stream or :datagram
format: All sockets are :multivalent. This argument is ignored.
address-family: :internet or :file
connect: :active or :passive
ipv6: The default is the value of *ipv6*. If nil, then an IPv4 socket will be created (unless local-host or remote-host are specified as an IPv6 address). If non-nil, then an IPv6 socket will be created. See the note below for additional information. (If an IPv6 socket is requested but the underlying operating system does not have IPv6 support enabled, an error will be signaled.)
*scope-id: this argument specifies the interface to use when making an IPv6 connection to remote-host. If remote-host is specified and is an ipv6-address structure, its scope-id slot will be updated to the value of the scope-id keyword argument.
If scope-id is not specified, then the scope-id slot of the remote-host argument will be used. If remote-host is not specified or does not have a scope-id, then 0 will be used.
tcp-md5-sig-key: If tcp-md5-sig-key is non-nil, it must be a string or octet array which will be used to set the TCP MD5 signature key to be used during the connection to remote-host. If tcp-md5-sig-key is a string, tcp-md5-sig-key-ef can be supplied to specify a non-default external format for the string. The string will not be null-terminated.
This argument and tcp-md5-sig-key-ef are accepted on any platform but have effect only on Linux platforms. They are only relevant for active IPv4/IPv6 connections. See set-tcp-md5-sig.
tcp-md5-sig-key-ef: If tcp-md5-sig-key is a string, tcp-md5-sig-key-ef can be supplied to specify a non-default external format for the string. The string will not be null-terminated.
This argument and tcp-md5-sig-key are accepted on any platform but have effect only on Linux platforms. They are only relevant for active ipv4 connections. See set-tcp-md5-sig.
eol: kept for backward compatibility only (this argument was used in a much earlier release on Windows). It should not be specified in new code.
Further notes on the :ipv6 keyword argument
If remote-host and/or local-host are specified as hostname strings, they will be resolved by calling lookup-hostname. make-socket's ipv6 keyword argument will be passed through to lookup-hostname (which is also modified to accept IPv6 addresses).
make-socket does not allow the creation of an IPv6 socket with an IPv4 remote host. The success or failure of creating an IPv4 socket with an IPv6 remote host is operating system dependent.
Some operating systems allow the creation on an IPv6 passive socket which will accept both IPv4 and IPv6 connections. Others (typically for security reasons) require separate passive sockets for IPv4 and IPv6. Consult your operating system documentation for details.

All of the various kinds of sockets are created with make-socket, which determines the kind of socket you want based on the values of the type, format, connect, and address-family arguments. The value of the address-family keyword can't be :file on Windows because Windows does not support it.

The following socket options for an existing socket can be modified with set-socket-options. The options that can be set are reuse-address, broadcast, keepalive, nodelay, oob-inline, receive-buffer-size, and send-buffer-size. Not all options are relevant for all types of sockets. Look at the man pages for your specific OS to see what options are supported for particular sockets. Each socket type below specifies additional keyword arguments accepted by make-socket.

Additional options are tcp-keepalive-idle-time, tcp-keepalive-probe-interval, and tcp-keepalive-max-probes. These correspond to the C constants TCP_KEEPIDLE, TCP_KEEPINTVL, and TCP_KEEPCNT available on some (but not all) operating systems. These can only be set with set-socket-options. See the description of that function for more information.

make-socket calls a specialized socket creation function and that function looks for other keywords designed just for that socket type (some naming options that can be modified with set-socket-options). We describe next the extra keywords that are permitted for given values of address-family and type:

:address-family internet :type :stream
These additional keyword arguments are valid: :local-port, :local-host, :remote-host, :remote-port, :backlog, :reuse-address, :keepalive and :nodelay.
The port values are 16-bit integer or strings naming ports found in the operating system's services file and labeled as being "tcp" services. On Unix the file is called /etc/services. On Windows, it is also called services but is located in different places in different versions, such as C:\WINNT\system32\drivers\etc in Windows 2000 and C:\XPPRO\system32\drivers\etc in Windows XP.
:local-host is usually only specified for :passive sockets. When specified it must be a host name or IP address belonging to one of the network interfaces on the machine on which Lisp is running. By specifying the :local-host you can select the network device on which the socket is made. For example if you specify the "127.1" then it restricts this socket to be on the loopback network which means that this socket can only connect to other sockets on the same machine. If :local-host isn't specified then the operating system will create the socket on the most appropriate network device when a connection is made to it.
The host value can be a 32-bit internet address, a string naming a host, or an IPv6 address.
- If the :local-port argument is not given, one will be selected by the system. You can use the local-port function to determine which port the system selected.
  Note: The remote-host and remote-port values aren't used for :passive sockets.
- The :backlog value is used by :passive sockets to tell the operating system how many connections can be pending (connected but for which an accept-connection hasn't been done). The default is 5. :reuse-address sets the SO_REUSEADDR flag. This allows a particular port to be reopened in :connect :passive mode even if there is an existing connection for the port. This is very useful when debugging a server program since without it you may have to wait up to a minute after closing a particular port to reopen the same port again (due to certain port-non-reuse requirements found in the TCP/IP protocol).
  :keepalive if true then continue to verify that the connection is alive by sending empty packets to the receiving end. A passive internet address family socket can now be created with a specific :local-host value. Normally the :local-host doesn't need to be specified as the operating system will determine that when a connection is made. There may be times when you want to specify the local-host. For example, a convention has been established that every machine running tcp/ip has at least two IP addresses: one is associated with the ethernet card and one is for a local-to-the-machine network called the loopback network. The loopback IP address is usually 127.1 (it's a Class A address so it is written as two numbers). If you open up a passive socket and specify "127.1" as the local-host, then that means that only programs on your machine can connect to that socket. Naturally, this could be very important for security reasons. The :nodelay additional keyword argument: normally the network layer will delay sending small packets of data across the network, hoping that if it waits a bit longer there will be more data it can include in the packet. A true value for the :nodelay argument (which, starting in release 6.2, is the default) suppresses that optimization in the network layer. Specifying nil as the value allows the delay optimization, but is rarely beneficial unless the network is very slow.
:address-family :file :type stream
These additional keyword arguments are valid: :local-filename, :remote-filename, and :backlog. These are the files that name the local and remote filenames for the connection. For :passive sockets the :local-filename must be specified (and :remote-filename will be ignored). For :active sockets :local-filename can be omitted but :remote-filename must be specified. The filename specified must not already exist in the filesystem (or you'll get an error).
:address-family :internet :type :datagram
These additional keyword arguments are valid: :local-port, :local-host, :remote-host, and :remote-port, :reuse-address, :broadcast.
See the :internet :stream case above for the general meaning of the keywords. :reuse-address has the same meaning here as described there. :local-host may be specified to select the network device on which the datagram socket is created. Specifying "127.1" for example will put the datagram socket on the loopback network and it will only receive datagrams from other processes on the same machine. If :local-host is not specified then the datagram socket will be on all network devices simultaneously. :broadcast requests permission to send broadcast packets from this socket. Whether permission is granted depends on the policy of the operating system. To send a broadcast packet you must specify the broadcast IP address for the network on which you want to broadcast. The convention is that the broadcast address is the highest numbered host address on a network. For example, if the machine has a network interface with an IP address of 192.168.1 34 then it is on network 192.168.1.0 and the broadcast address for that network will mostly likely be 192.168.1.255. A datagram socket is never connected to a remote socket, it can send a message to a different host and port each time data is sent through it. However if you know that you'll be sending data to a particular host and port with this socket, then you can specify that :remote-host and :remote-port when you create the socket. If you've done that then you can omit the :remote-host and :remote-port arguments to the send-to function. In other words, specifying the :remote-host and :remote-port just sets the default values for the :remote-host and :remote-port arguments when a send-to is done.
:address-family :file :type :datagram
These additional keyword arguments are valid: :local-filename and :remote-filename. See the :file :stream case above for the meaning of the keywords. As in the description just above, if you specify a :remote-filename then you are merely setting the default value for the :remote-filename argument when a send-to is done.

See <socket.html> for general information on sockets.

make-ssl-client-context

Function, acl-socket package

Arguments: &key method certificate key certificate-password method verify max-depth ca-file ca-directory ciphers ciphersuites crl-check crl-file prefer-server-cipher-order

This function creates and returns an SSL context object (an instance of the class excl::ssl-context) suitable for use as the value of the context keyword argument to make-ssl-client-stream.

The context has values for all relevant arguments. For the arguments method, ciphers, ciphersuites, verify, max-depth, and prefer-server-cipher-order, specifying a value in a call to make-ssl-client-stream which is also passed a context object as the value of the context argument causes the associated argument value to be local to that connection (i.e. the specified argument value overrides the value in the context object). The value for the arguments certificate, key, ca-file, ca-directory, certificate-password, crl-file, and crl-check cannot be overridden when a context is provided. It is an error to supply a context and values for any of those arguments.

The keyword arguments

method keyword argument values are described here. The list form discussed at the previous link is accepted by this function.
certificate: (default is nil) this argument names a file which contains one or more PEM-encoded certificates. The first (or only) certificate in the file will be used to identify the client (in the case of make-ssl-client-stream). Optionally, subsequent entries in the file may be used to supply intermediate CA certificates (also known as a certificate chain).
key: (default is nil) this argument is a string or pathname naming a file containing the private RSA key corresponding the the public key in the certificate. The file must be in PEM format. The key can be stored in an encrypted form which requires a pass phrase to read, but in that case the certificate-password must also be specified. If the key is stored in the certificate file, then you needn't specify the key argument.
certificate-password: (default is nil) this argument, if specified, should be a string. If the private key stored with the certificate inside the file named by the certificate argument is encrypted, then this value is used as the key to decrypt it.
verify: (default is :optional) this argument can be nil, :optional, or :required. Due to the way OpenSSL is implemented, the behavior of peer verification differs for servers and clients; here is the behavior for clients:
- :verify nil means that no automatic verification will occur on the server-supplied certificate. Manual verification can be done using get-ssl-peer-certificate and get-ssl-verify-result.
- :verify :optional means that the server's certificate (if supplied) will be automatically verified during SSL handshake. If verification fails, an error will be generated during SSL handshake. This is the default for client streams.
- :verify :required means that the server's certificate will be automatically verified during SSL handshake. If the server does not supply a certificate or if verification of the supplied certificate fails, an error will be generated during SSL handshake.
maxdepth: (default is 10) the value must be an integer which indicates the maximum allowable depth of the certificate verification chain. If the chain exceeds this depth, an error will be generated during SSL handshake.
ca-file: (default is "sys:;examples;ssl;ca-bundle.crt") this argument specifies the name of a file containing a series of trusted PEM-encoded Intermediate CA or Root CA certificates that will be used during peer certificate verification. Keep in mind that, when using on an SSL server, the subject name information for each of these certificates is supplied to the peer during SSL handshake, so you may want to keep the number of certificates listed in the file to a minimum. A file containing certificates of well-known root CAs can be found in [acl directory]/examples/ssl/ca-bundle.crt, (to give the actual pathname, a logical pathname is used to specify the default value).
ca-directory: (default is nil) this argument specifies the name of a directory containing a series of trusted Intermediate CA or Root CA certificate files that will be used during peer certificate verification. Each file in the directory should contain one certificate. The files should be named based on the hash value of the certificate subject name. If more than one certificate with the same hash value exists, the extension must be different (e.g. 9d66eef0.0, 9d66eef0.1 etc). The search is performed in the ordering of the extension number, regardless of other properties of the certificates. Use the c_rehash (available via standard OpenSSL distributions) utility to create the necessary links.
ciphers: (default is the string given at the end of this paragraph) if the ciphers keyword argument is supplied, it must be a string which specifies an OpenSSL cipher list. This list determines which ciphers the SSL server will support. The strongest common entry from this list and the list supplied by the client during handshake will be used. If there is no entry in common, SSL handshake will fail and an error will be generated. This argument is not used with TLS 1.3. See the ciphersuites argument below. For details on the cipher list format, see https://www.openssl.org/docs/apps/ciphers.html. The default value is the string "ALL".
ciphersuites: used by TLS 1.3. See TLS 1.3 support and ciphersuites in <socket.html> for more information and suitable values. When nil or unspecified, OpenSSL defaults are used.
crl-check: (default is nil) this argument controls certificate revocation list (CRL) checking. Its value may be nil (the default) for no CRL checking, t for CRL checking of the peer's certificate (if provided by the peer), or :all for CRL checking of all components of the peer's supplied certificate chain. If this argument is non-nil, the verify argument must also be non-nil. If you enable CRL checking, you must supply a proper PEM-encoded CRL, even if it contains zero revocations. If you do not supply a CRL, peer verification will never succeed.
crl-file: (default is value of the ca-file argument) this argument specifies the location of a PEM-encoded CRL file. If nil or not supplied, defaults to the value of the ca-file argument. It is acceptable for CRL to be included amongst other PEM-encoded certificates.
prefer-server-cipher-order: this argument is ignored. (It is used by make-ssl-server-context and that function and this one have the same argument lists.)

See <socket.html> for information on sockets. For information on Secure Sockets, see the section Secure Socket Layer (SSL) in that document.

make-ssl-client-stream

Function, acl-socket package

Arguments: socket &key context method certificate key certificate-password method verify max-depth ca-file ca-directory ciphers ciphersuites crl-check crl-file server-name

You must have the OpenSSL libraries installed for this facility to work. Note that shared library versions of the OpenSSL libraries (required by Allegro CL) are not available on all platforms. The SSL functionality is in the ssl module. To ensure it is loaded, evaluate (require :ssl). Calling this function automatically loads the module.

This function creates and returns a new SSL server socket stream that communicates via SSL via the given socket. Once this function is called and an SSL socket stream is returned, no I/O calls should be done directly to socket. Note that closing the SSL socket stream will result in the original socket file descriptor being closed as well. Therefore, the idiomatic way to establish an SSL server socket stream is:

;; SOCK is already a socket:
(setf sock (make-ssl-server-stream sock ...))

Unless ssl-do-handshake is called, the secure connection isn't negotiated until the first byte is sent through the SSL socket stream to the underlying stream (and this will usually occur when the first force-output is done to the SSL socket stream).

When that first write is done a negotiation process is begun that involves reads and writes. This negotiation process will not occur if the SSL socket on the other end of the connection is not sitting waiting for data to arrive. Thus if you create two connected sockets in a single Lisp process, and make one the client and the other the server, and then write to the client side the Lisp will hang since the server side socket isn't being read. You can make this work if you use the Lisp multiprocessing facility (see <multiprocessing.html>) to cause the server socket to be read at the same time that the write to the client socket is being done.

The context keyword argument takes an SSL context object as a value. Such objects contain relevant information about the client stream being created. The function make-ssl-client-context create a context suitable for a client stream.

Note: if you supply an SSL context object as the value of context, you can specify values for the arguments method, ciphers, ciphersuites, verify, and max-depth in the call to this function. Doing so causes the associated argument value to be local to the connection being created (i.e. the specified argument value overrides the value in the context object). However, it is an error to specify values for the arguments certificate, key, ca-file, ca-directory, certificate-password, crl-file, and crl-check. Those arguments cannot be overridden when a context is provided.

If an error occurs, a condition of type excl::ssl-error is signaled. This condition has slots what (a string indicating what internal operation was being performed when the error occurred), codes (a ist of numeric OpenSSL error codes that represented the accumulated errors that resulted in the final error), strings (a list of the corresponding string forms of the OpenSSL error codes in the 'codes' slot) and verify-result, and verify-result-string. The last two will be populated if possible when an ssl error occurs. If non-nil, this information is included in the printed representation of the condition. This aids recognizing and debugging certificate-related SSL errors.

The keyword arguments

make-ssl-client-stream's keyword arguments are the same as make-ssl-server-stream's. The keyword arguments to make-ssl-client-stream are:

method keyword argument values are described here.
certificate names a file which contains one or more PEM-encoded certificates. The first (or only) certificate in the file will be used to identify the client (in the case of make-ssl-client-stream) or server (in the case of make-ssl-server-stream). Optionally, subsequent entries in the file may be used to supply intermediate CA certificates (also known as a certificate chain).
The key argument is a string or pathname naming a file containing the private RSA key corresponding the the public key in the certificate. The file must be in PEM format. The key can be stored in an encrypted form which requires a pass phrase to read, but in that case the certificate-password must also be specified. If the key is stored in the certificate file, then you needn't specify the key argument.
The certificate-password argument, if specified, should be a string. If the private key stored with the certificate inside the file named by the certificate argument is encrypted, then this value is used as the key to decrypt it.
verify can be nil (the default), :optional, or :required. Due to the way OpenSSL is implemented, the behavior of peer verification differs for clients and servers. Here we describe the behavior for clients. See make-ssl-server-stream for a discussion of the server behavior.
- :verify nil means that no automatic verification will occur on the server-supplied certificate. Manual verification can be done using get-ssl-peer-certificate and get-ssl-verify-result.
- :verify :optional means that the server's certificate (if supplied) will be automatically verified during SSL handshake. If verification fails, an error will be generated during SSL handshake.
- :verify :required means that the server's certificate will be automatically verified during SSL handshake. If the server does not supply a certificate or if verification of the supplied certificate fails, an error will be generated during SSL handshake.
maxdepth must be an integer (which defaults to 10) which indicates the maximum allowable depth of the certificate verification chain. If the chain exceeds this depth, an error will be generated during SSL handshake.
ca-file specifies the name of a file containing a series of trusted PEM-encoded Intermediate CA or Root CA certificates that will be used during peer certificate verification. A file containing certificates of well-known root CAs can be found in [acl directory]/examples/ssl/ca-bundle.crt.
ca-directory specifies the name of a directory containing a series of trusted Intermediate CA or Root CA certificate files that will be used during peer certificate verification. Each file in the directory should contain one certificate. The files should be named based on the hash value of the certificate subject name. If more than one certificate with the same hash value exists, the extension must be different (e.g. 9d66eef0.0, 9d66eef0.1 etc). The search is performed in the ordering of the extension number, regardless of other properties of the certificates. Use the c_rehash utility (available via standard OpenSSL distributions) to create the necessary links.
ciphers: if the ciphers keyword argument is supplied, it must be a string which specifies an OpenSSL cipher list. The list is advertised to the SSL server during handshake. From that list, the SSL server will select a cipher to use for subsequent communications. If the SSL server does not support any of the ciphers in the list, SSL handshake will fail and an error will be generated.
For details on the cipher list format, see openssl.org.
This argument is support for TLS 1.3 and there may be cases when both ciphers and ciphersuites (see below) may be desirable in a call.
ciphersuites: used by TLS 1.3. See TLS 1.3 support and ciphersuites in <socket.html> for more information and suitable values. When nil or unspecified, OpenSSL defaults are used.
crl-check: this argument controls certificate revocation list (CRL) checking. Its value may be nil (the default) for no CRL checking, t for CRL checking of the peer's certificate (if provided by the peer), or :all for CRL checking of all components of the peer's supplied certificate chain. If this argument is non-nil, the verify argument must also be non-nil. If you enable CRL checking, you must supply a proper PEM-encoded CRL, even if it contains zero revocations. If you do not supply a CRL, peer verification will never succeed.
crl-file: this argument specifies the location of a PEM-encoded CRL file. If nil or not supplied, defaults to the value of the ca-file argument (if supplied). It is acceptable for CRL to be included amongst other PEM-encoded certificates.
server-name: This argument indicates which hostname the client is attempting to connect to. This information is passed to the server to allow it to select the SSL certificate to present to the client. The variable acl-socket:*ssl-features* has as its value a list of keywords indicating SSL supported features, such as :sni.

See make-ssl-server-stream. See also <socket.html> for information on sockets. For information on Secure Sockets, see the section Secure Socket Layer (SSL) in that document.

make-ssl-server-context

Function, acl-socket package

Arguments: &key method certificate key certificate-password method verify max-depth ca-file ca-directory ciphers ciphersuites crl-check crl-file (prefer-server-cipher-order t) server-name

This function creates and returns an SSL context object (an instance of the class excl::ssl-context) suitable for use as the value of the context keyword argument to make-ssl-server-stream.

The context has values for all relevant arguments. For the arguments method, ciphers, ciphersuites, verify, max-depth, and prefer-server-cipher-order, specifying a value in a call to make-ssl-server-stream which is also passed a context object as the value of the context argument causes the associated argument value to be local to that connection (i.e. the specified argument value overrides the value in the context object). The value for the arguments certificate, key, ca-file, ca-directory, certificate-password, crl-file, and crl-check cannot be overridden when a context is provided. It is an error to supply a context and values for any of those arguments.

The keyword arguments

method keyword argument values are described here. The list form discussed at the previous link is accepted by this function.
certificate: (default is nil) this argument names a file which contains one or more PEM-encoded certificates. The first (or only) certificate in the file will be used to identify the client (in the case of make-ssl-client-stream). Optionally, subsequent entries in the file may be used to supply intermediate CA certificates (also known as a certificate chain).
key: (default is nil) this argument is a string or pathname naming a file containing the private RSA key corresponding the the public key in the certificate. The file must be in PEM format. The key can be stored in an encrypted form which requires a pass phrase to read, but in that case the certificate-password must also be specified. If the key is stored in the certificate file, then you needn't specify the key argument.
certificate-password: (default is nil) this argument, if specified, should be a string. If the private key stored with the certificate inside the file named by the certificate argument is encrypted, then this value is used as the key to decrypt it.
verify: (default is nil) this argument can be nil, :optional, or :required. Due to the way OpenSSL is implemented, the behavior of peer verification differs for servers and clients; here is the behavior for servers:
- :verify nil means that the server will not ask the client to supply a certificate and will not do automatic verification if the client supplies a certificate anyway. If the client does provide a certificate, manual verification can be done using get-ssl-peer-certificate and get-ssl-verify-result.
- :verify :optional means that the client will be asked to supply a certificate during SSL handshake. The certificate (if supplied) will be automatically verified during SSL handshake. If verification fails, an error will be generated during SSL handshake.
- :verify :required means that the client will be asked to supply a certificate during SSL handshake. The client certificate will be automatically verified during SSL handshake. If the client does not supply a certificate or if verification of the supplied certificate fails, an error will be generated during SSL handshake.
maxdepth: (default is 10) the value must be an integer which indicates the maximum allowable depth of the certificate verification chain. If the chain exceeds this depth, an error will be generated during SSL handshake.
ca-file: (default is nil) this argument specifies the name of a file containing a series of trusted PEM-encoded Intermediate CA or Root CA certificates that will be used during peer certificate verification. Keep in mind that, when using on an SSL server, the subject name information for each of these certificates is supplied to the peer during SSL handshake, so you may want to keep the number of certificates listed in the file to a minimum. A file containing certificates of well-known root CAs can be found in [acl directory]/examples/ssl/ca-bundle.crt.
ca-directory: (default is nil) this argument specifies the name of a directory containing a series of trusted Intermediate CA or Root CA certificate files that will be used during peer certificate verification. Each file in the directory should contain one certificate. The files should be named based on the hash value of the certificate subject name. If more than one certificate with the same hash value exists, the extension must be different (e.g. 9d66eef0.0, 9d66eef0.1 etc). The search is performed in the ordering of the extension number, regardless of other properties of the certificates. Use the c_rehash (available via standard OpenSSL distributions) utility to create the necessary links.
ciphers: (default is the string given at the end of this paragraph) if the ciphers keyword argument is supplied, it must be a string which specifies an OpenSSL cipher list. This list determines which ciphers the SSL server will support. The strongest common entry from this list and the list supplied by the client during handshake will be used. If there is no entry in common, SSL handshake will fail and an error will be generated. For details see openssl.org. This argument is not used with TLS 1.3. See the ciphersuites argument below. The default value is the string "ALL".
ciphersuites: used by TLS 1.3. See TLS 1.3 support and ciphersuites in <socket.html> for more information and suitable values. When nil or unspecified, OpenSSL defaults are used.
crl-check: (default is nil) this argument controls certificate revocation list (CRL) checking. Its value may be nil (the default) for no CRL checking, t for CRL checking of the peer's certificate (if provided by the peer), or :all for CRL checking of all components of the peer's supplied certificate chain. If this argument is non-nil, the verify argument must also be non-nil. If you enable CRL checking, you must supply a proper PEM-encoded CRL, even if it contains zero revocations. If you do not supply a CRL, peer verification will never succeed.
crl-file: (default is value of the ca-file argument) this argument specifies the location of a PEM-encoded CRL file. If nil or not supplied, defaults to the value of the ca-file argument. It is acceptable for CRL to be included amongst other PEM-encoded certificates.
prefer-server-cipher-order: (default is t). The typical behavior when choosing a cipher during an SSLv3 or TLSv1 handshake is to use the client's preference. If this argument is true (the default), the server's preference will be used.
server-name: this argument appears in the argument list for this function but is not supported at this time. Do not specify a value for that argument.

See <socket.html> for information on sockets. For information on Secure Sockets, see the section Secure Socket Layer (SSL) in that document.

make-ssl-server-stream

Function, acl-socket package

Arguments: socket &key context certificate key certificate-password method verify max-depth ca-file ca-directory ciphers ciphersuites crl-check crl-file prefer-server-cipher-order server-name

;; SOCK is already a socket:
(setf sock (make-ssl-server-stream sock ...))

The context keyword argument takes an SSL context object as a value. Such objects contain relevant information about the server stream being created. The function make-ssl-server-context create a context suitable for a server stream.

Note that if you supply an SSL context object as the value of context, you can specify values for the arguments method, ciphers, ciphersuites, verify, max-depth, and prefer-server-cipher-order in the call to this function. Doing so causes the associated argument value to be local to the connection being created (i.e. the specified argument value overrides the value in the context object). However, it is an error to specify values for the arguments certificate, key, ca-file, ca-directory, certificate-password, crl-file, and crl-check as they cannot be overridden when a context is provided.

The server-name keyword argument appears in the argument list for this function but is not supported at this time. Do not specify a value for that argument.

The keyword arguments

make-ssl-server-stream's keyword arguments are the same as make-ssl-client-stream's. The keyword arguments to make-ssl-server-stream are:

method keyword argument values are described here.
certificate names a file which contains one or more PEM-encoded certificates. The first (or only) certificate in the file will be used to identify the client (in the case of make-ssl-client-stream) or server (in the case of make-ssl-server-stream). Optionally, subsequent entries in the file may be used to supply intermediate CA certificates (also known as a certificate chain).
The key argument is a string or pathname naming a file containing the private RSA key corresponding the the public key in the certificate. The file must be in PEM format. The key can be stored in an encrypted form which requires a pass phrase to read, but in that case the certificate-password must also be specified. If the key is stored in the certificate file, then you needn't specify the key argument.
The certificate-password argument, if specified, should be a string. If the private key stored with the certificate inside the file named by the certificate argument is encrypted, then this value is used as the key to decrypt it.
verify can be nil, :optional, or :required. Due to the way OpenSSL is implemented, the behavior of peer verification differs for servers and clients. Here we describe the behavior for servers. See make-ssl-client-stream for a discussion of the client behavior.
- :verify nil means that the server will not ask the client to supply a certificate and will not do automatic verification if the client supplies a certificate anyway. If the client does provide a certificate, manual verification can be done using get-ssl-peer-certificate and get-ssl-verify-result.
- :verify :optional means that the client will be asked to supply a certificate during SSL handshake. The certificate (if supplied) will be automatically verified during SSL handshake. If verification fails, an error will be generated during SSL handshake.
- :verify :required means that the client will be asked to supply a certificate during SSL handshake. The client certificate will be automatically verified during SSL handshake. If the client does not supply a certificate or if verification of the supplied certificate fails, an error will be generated during SSL handshake.
maxdepth must be an integer (which defaults to 10) which indicates the maximum allowable depth of the certificate verification chain. If the chain exceeds this depth, an error will be generated during SSL handshake.
ca-file specifies the name of a file containing a series of trusted PEM-encoded Intermediate CA or Root CA certificates that will be used during peer certificate verification. Keep in mind that, when using on an SSL server, the subject name information for each of these certificates is supplied to the peer during SSL handshake, so you may want to keep the number of certificates listed in the file to a minimum. A file containing certificates of well-known root CAs can be found in [acl directory]/examples/ssl/ca-bundle.crt.
ca-directory specifies the name of a directory containing a series of trusted Intermediate CA or Root CA certificate files that will be used during peer certificate verification. Each file in the directory should contain one certificate. The files should be named based on the hash value of the certificate subject name. If more than one certificate with the same hash value exists, the extension must be different (e.g. 9d66eef0.0, 9d66eef0.1 etc). The search is performed in the ordering of the extension number, regardless of other properties of the certificates. Use the c_rehash (available via standard OpenSSL distributions) utility to create the necessary links.
ciphers: if the ciphers keyword argument is supplied, it must be a string which specifies an OpenSSL cipher list. This list determines which ciphers the SSL server will support. The strongest common entry from this list and the list supplied by the client during handshake will be used. If there is no entry in common, SSL handshake will fail and an error will be generated.
For details on the cipher list format, see the CIPHER LIST FORMAT section of http://www.openssl.org/docs/apps/ciphers.html.
This argument is not used with TLS 1.3. See the ciphersuites argument below.
ciphersuites: used by TLS 1.3. See TLS 1.3 support and ciphersuites in <socket.html> for more information and suitable values. When nil or unspecified, OpenSSL defaults are used.
crl-check: this argument controls certificate revocation list (CRL) checking. Its value may be nil (the default) for no CRL checking, t for CRL checking of the peer's certificate (if provided by the peer), or :all for CRL checking of all components of the peer's supplied certificate chain. If this argument is non-nil, the verify argument must also be non-nil. If you enable CRL checking, you must supply a proper PEM-encoded CRL, even if it contains zero revocations. If you do not supply a CRL, peer verification will never succeed.
crl-file: this argument specifies the location of a PEM-encoded CRL file. If nil or not supplied, defaults to the value of the ca-file argument (if supplied). It is acceptable for CRL to be included amongst other PEM-encoded certificates.
prefer-server-cipher-order: the value should be true or nil. The typical behavior when choosing a cipher during an SSLv3 or TLSv1 handshake is to use the client's preference. If this argument is true (the default is nil), the server's preference will be used.

See make-ssl-client-stream. See also <socket.html> for information on sockets. For information on Secure Sockets, see the section Secure Socket Layer (SSL) in that document.

open-ftp-stream

Function, acl-socket package

Arguments: file &key (host "localhost") (user "anonymous") (password (format nil "~[email protected]" (sys:user-name))) (direction :input) debug (mode :binary) passive

This function creates a stream to/from the given file on the given host using the given user and password for authentication.

The keyword arguments are:

host: name of remote host.
user: name of user to log in as.
password: password to use.
direction: :input (the default), :output, or :directory. :directory returns an input stream containing a directory listing.
debug: if a stream (or t) is given, this function will print the ftp interaction to that stream.
mode: :binary (the default), or :text. :text mode lines end with cr-lf (the internet standard).
passive: if t then do a passive mode transfer (useful to get through certain ip filters and firewalls).

receive-from

Generic Function, acl-socket package

Arguments: sock size &key buffer extract

This generic function is used to read from a datagram socket. You must specify a size bigger than the size of the message you expect (usually the rest of the datagram will be thrown away if it doesn't all fit).

If the buffer argument is given then it should be a Lisp vector of some raw type (like (unsigned-byte 8) but definitely not t) of at least size bytes that will be used to read in the datagram. If buffer is not given then a fresh buffer will be created (of the type appropriate to the format of the socket).

The buffer argument may be a character vector. In this case receive-from will create a temporary buffer of type (unsigned-byte 8) into which to read the octets and then octets-to-string will be used to convert those octets to characters. If you want to save the creation of this temporary array for each call to receive-from you should pass an (unsigned-byte 8) array in as the buffer. When using an 8-bit character Lisp (e.g., alisp8 or mlisp8-- see Allegro CL Executables: alisp, alisp8, mlisp, mlisp8, allegro, allegro-ansi in <startup.html>), no temporary buffer is created and no conversion occurs.

If extract is unspecified or nil then the first value returned is the buffer used to read the data. If extract is true then the first value returned is a subsequence of the buffer, that subsequence being that part of the buffer that contains the data just read.

The second value returned is the number of bytes read by receive-from.

In the case of an :internet socket, the third value returned is the 32-bit internet address or the IPv6 address of the sender of the data and the fourth value is the port number.

In the case of a :file socket, the third (and last) value returned is the filename of the sender's socket (or "" if there is no filename).

See <socket.html> for general information on sockets in Allegro CL.

remote-filename

Generic Function, acl-socket package

Arguments: af-file

Returns the remote filename of socket. Note: Both internet stream and internet datagram sockets use 16-bit port numbers. Note that stream (tcp) port N is totally distinct from datagram (udp) port N.

See <socket.html> for general information on sockets in Allegro CL.

remote-host

Generic Function, acl-socket package

Arguments: af-internet

Returns an IP address. You can use ipaddr-to-dotted or ipaddr-to-hostname to make a more readable version of this value if you plan to print it out.

See <socket.html> for general information on sockets in Allegro CL.

remote-port

Generic Function, acl-socket package

Arguments: af-internet

Returns the remote port of socket. Note: Both internet stream and internet datagram sockets use 16-bit port numbers. Note that stream (tcp) port N is totally distinct from datagram (udp) port N.

See <socket.html> for general information on sockets in Allegro CL.

send-to

Generic Function, acl-socket package

Arguments: sock buffer size &key remote-host remote-port ipv6 scope-id

For datagram sockets you can't do normal Lisp stream I/O. The data is written to the socket using this function.

The buffer argument can be a string or a byte vector; the size argument is the number of bytes of data to send. (The buffer argument is actually passed unmodified to a foreign function that will grab bytes from the address, so any simple 1-d Lisp array with any element size can in principle work, given the right byte count, provided sender and receiver have the same endianess.)

remote-host and remote-port describe where to send the data. If they aren't given then the values saved when the socket was created with make-socket are used.

The ipv6 and scope-id keyword arguments are part of IPv6 support. ipv6 defaults to the value of *ipv6*. This keyword argument is passed on to lookup-hostname when resolving remote-host.

scope-id specifies the interface to use when sending IPv6 traffic to remote-host. If remote-host is specified and is an ipv6-address structure, its scope-id slot will be updated to the value of the scope-id keyword argument.

If scope-id is not specified, then the scope-id slot of the remote-host argument will be used. If remote-host is not specified or does not have a scope-id, then 0 will be used.

Method for file-datagram-socket

Arguments (sock file-datagram-socket) buffer size &key remote-filename

The method for file-datagram-sockets is like the method for datagram sockets described above, except it is used for sockets within the address family :file.

The method for file-datagram-socket is unaffected by the IPv6 changes. file-datagram sockets are not internet sockets so they cannot use IPv6 (or IPv4) addresses.

See <socket.html> for general information on sockets in Allegro CL.

set-socket-format

Generic Function, acl-socket package

Arguments: str to

Because socket formats are not used (see socket-format), this generic function has no effect.

See <socket.html> for general information on sockets in Allegro CL.

set-socket-options

Function, acl-socket package

Arguments: socket &key reuse-address broadcast keepalive nodelay oob-inline receive-buffer-size send-buffer-size tcp-keepalive-idle-time tcp-keepalive-probe-interval tcp-keepalive-max-probes

Sets system socket options for this socket.
The meanings of most of the options are described in the description of make-socket. The various tcp-keepalive-* options are described below.

The following are boolean options, and so specifying a true value turns them on and specifying nil turns them off. If you do not specify a value for one of these options, then the value is not changed.

reuse-address
broadcast
keepalive
nodelay
oob-inline

receive-buffer-size and send-buffer-size take integer arguments. Again, not specifying a value leaves it unchanged.

Note that certain options only work with certain kinds of sockets (e.g. broadcast only works for datagram sockets). See the description of make-socket for more information on what works with what sort of socket.

The tcp-keepalive-idle-time, tcp-keepalive-probe-interval, and tcp-keepalive-max-probes keywords set socket options defined by the C constants TCP_KEEPIDLE, TCP_KEEPINTVL, and TCP_KEEPCNT on operating systems where they are supported (none is supported on Solaris, TCP_KEEPIDLE is not supported on macOS). The values should be integers (defaults 7200, 75, and 9 respectively). See the tcp(7) UNIX man page for more information.

It is an error to try to specify a value of an unsupported value. Thus (socket:set-socket-options socket :tcp-keepalive-idle-time 1) will signal an error on Solaris and macOS.

See <socket.html> for information on sockets.

set-tcp-md5-sig

Generic Function, acl-socket package

Arguments: socket address key &key (external-format :default)

This function only works on Linux. If executed on a non-Linux host, an error will be generated.

This function provides an interface to the TCP_MD5SIG (RFC2385) socket option. It sets the key to be used for TCP connections from address. This function can be called multiple times to set up keys for different addresses.

socket must be a passive stream socket (as created by (make-socket :connect :passive ...)). See make-socket.

address must be an IP address.

key must be a string or octet array.

If key is a string, external-format can supplied to specify a non-default external format for the string. The string will not be null-terminated.

See <socket.html>.

shutdown

Generic Function, acl-socket package

Arguments: sock &key direction

sock is a socket currently connected to another socket. The value of the direction must be specified either :input or :output. Note that direction defaults to nil which is not a legal value. shutdown will signal an error if direction is not specified either :input or :output.

shutdown closes down the specified half of the bidirectional socket connection. It does not force out unflushed buffers first (as the close function does).

Calling shutdown on a socket twice, once for :input and once for :output will cause the operating system file descriptor associated with the socket to be closed. Thus you need not call the Lisp function close. Note it is not an error to call close; it will just do nothing.

This function is useful in many socket applications.

For example:

(setq sock (make-socket :remote-host &quot;foo&quot; :remote-port 1234))
(format sock &quot;are you ok?~%&quot;)
(force-output sock)
(shutdown sock :direction :output)

(read sock)

Calling shutdown in the above example causes the program at the other end of the connection to receive an End of File indication. Some programs, when they receive an End of File, formulate and send a reply back down the socket. Using shutdown rather than close allows this reply to be read.

See <socket.html> for general information on sockets in Allegro CL.

socket-address-family

Generic Function, acl-socket package

Arguments: socket

Returns the socket address family of socket. Note: Both internet stream and internet datagram sockets use 16-bit port numbers. Note that stream (tcp) port N is totally distinct from datagram (udp) port N.

See <socket.html> for general information on sockets in Allegro CL.

socket-connect

Generic Function, acl-socket package

Arguments: socket

Returns the type of connection for socket. The value can be :active or :passive. Note: Both internet stream and internet datagram sockets use 16-bit port numbers. Note that stream (tcp) port N is totally distinct from datagram (udp) port N.

See <socket.html> for general information on sockets in Allegro CL.

socket-control

Generic Function, acl-socket package

Arguments: sock &key output-chunking output-chunking-eof input-chunking read-timeout write-timeout

This function modifies the state of the socket stream. The associated value in the argument socket of any unspecified keyword argument is not modified. Only specified keyword arguments change the state of the argument socket.

If specified, the output-chunking argument controls whether the chunking protocol will be used for output on this socket (yes if true, no if nil). If this argument is not specified, output chunking is not affected. Note that if there is data still in the output buffer for this socket stream and chunking is turned on, then the chunking protocol will be applied to the data in the buffer when it is eventually written to the socket. Therefore you may want to call force-output before turning on chunking.

If output-chunking-eof is true then this occurs:

a force-output is done to flush the socket output buffer.
a zero sized chunk message is sent to the socket, which causes the process at the other end of the socket connect to interpret this as a chunking end of file.
chunking for this socket is turned off (as if socket-control were called with :output-chunking nil)

If specified, the input-chunking argument controls whether data being read from the socket is interpreted as chunked data (yes if true, no if nil). If this argument is not specified, input chunking is not affected.

When input chunking is enabled a chunk end of file will cause the reading function (read-byte, read-char, read-sequence) to return just as if a real end of file was reached. In order to distinguish a real end of file from a chunking end of file, when a chunking end of file occurs the socket code will signal the condition excl::socket-chunking-end-of-file with the format-arguments slot being a list whose sole member is the stream that received the chunking end of file. This condition is not an error or warning, thus if it isn't caught Lisp will simply ignore it.

Timeout arguments

If specified, the value timeout arguments read-timeout and write-timeout should be nil or a positive real number. If nil, reads or writes will not timeout (except possibly because of other timeouts specified by other tools). If the value is a positive real number, attempted reads (when read-timeout is not nil) and attempted writes (when write-timeout is not nil) will timeout if the time is exceeded and the system will signal a socket-error.

Specifying timeout can be important for SSL streams (such as created by make-ssl-client-stream and make-ssl-server-stream) because read from and writes to a socket stream will not timeout when executed in a sys:with-timeout body (see the description of sys:with-timeout for more information). Reads from and writes to an SSL stream are done by breaking the data to be read/written into blocks and then processing the blocks one at a time. Note: the timeout values for SSL streams apply to the reading/writing time for individual blocks ony, not to the entire read or write.

Note that if reading from/writing to an SSL stream times out and an error is signaled, it is very likely the SSL stream will be in a broken state and should be closed (with the abort keyword argument to close specified true).

See <socket.html> for general information on sockets in Allegro CL.

socket-format

Generic Function, acl-socket package

Arguments: socket

Starting in 6.0, all sockets have :multivalent format and this function always returns :multivalent.

See <socket.html> for general information on sockets in Allegro CL.

socket-os-fd

Generic Function, acl-socket package

Arguments: sock

Return the operating system file descriptor associated with this socket. This is useful if you want to do some socket processing in foreign code and that code needs to access the socket directly. Note: Such accessing will likely confuse the buffering done by Lisp.

See <socket.html> for general information on sockets in Allegro CL.

socket-type

Generic Function, acl-socket package

Arguments: socket

Returns the type of socket. Note: Both internet stream and internet datagram sockets use 16-bit port numbers. Note that stream (tcp) port N is totally distinct from datagram (udp) port N.

See <socket.html> for general information on sockets in Allegro CL.

ssl-do-handshake

Generic Function, acl-socket package

Arguments: stream

This function returns t but is called for its side effect, which is to initiate a handshake between SSL server and client streams.

make-ssl-server-stream and make-ssl-client-stream do not immediately initiate SSL handshake. Instead, handshake is deferred until the first I/O is made on the stream. If there are certificate verification or other errors during SSL handshake, the error will be generated during the I/O request that initiated handshake.

In some circumstances you may want to control when SSL starts. The ssl-do-handshake method initiates SSL handshake. stream must be an SSL client or server stream (such as is created by make-ssl-server-stream).

This function returns t but is called for its side effect, which is to initiate a handshake between SSL server and client streams.

Peer certificate verification (if requested) occurs during SSL handshake. If verification fails, an error will be generated.

See <socket.html>.

with-pending-connect

Macro, acl-socket package

Arguments: &rest body

A call to make-socket can take a while (maybe a minute or two) to make or fail to make a connection.

If you want to limit the amount of time spent in the make-socket call you can write it with a with-timeout. If the timeout occurs, then the program gives up on trying to make the connection. However the connection is offically still pending and operating system resources will continue to be used. Thus, it's important to clean up after a timed out attempt to make a connection.

The best way to ensure that things are cleaned up is to use with-pending-connect. Just write your code something like this:

(socket:with-pending-connect
  (sys:with-timeout (10 (error &quot;connect failed&quot;))
    (socket:make-socket
      :remote-host &quot;foo.com&quot; :remote-port 1234)))

This function returns the value of the subject-alt-name slot of a x509-certificate object. (It can also be used to set the value but setting it has no effect at the moment.) This slot contains information about the subjectAltName extension information which may be part of v3 certificates. If available, the subjectAltName information is represented as a list of attribute/value conses. The car of each cons is a string representing the type of subjectAltName (such as "DNS"). The cdr of each cons is a string representing the attribute value.

See <socket.html>.

x509-certificate-version

Generic Function, acl-socket package

Arguments: stream

This function returns the value of the version slot of a x509-certificate object. (It can also be used to set the value but setting it has no effect at the moment.) This slot typically contains a keyword indicating the version number of the certificate. The value will be either :v1, :v2, or :v3. If the version number of the certificate is not recognized, this slot will contain the raw integer supplied in the certificate.

The version number indicates the format of the certificate. Most certificates seen these days will be version 3 certificates (:v3).

See <socket.html>.