1 /****************************************************************************** 2 3 C binding to OpenSSL v1.0.x 4 5 The OpenSSL library is very large. This binding includes only a tiny 6 fraction of the available functions. 7 8 copyright: Copyright (c) 2018 dunnhumby Germany GmbH. All rights reserved 9 10 *******************************************************************************/ 11 12 module ocean.net.ssl.openssl.OpenSsl; 13 14 15 import core.stdc.config : c_ulong, c_long; 16 import ocean.meta.types.Qualifiers; 17 18 19 extern (C): 20 21 /******************************************************************************* 22 23 Opaque struct which contains function pointers for SSLv2 or 24 SSLv3/TLSv1 functions. This is roughly equivalent to a virtual function 25 table, but implemented in plain C. 26 27 *******************************************************************************/ 28 29 public struct ssl_method_st; 30 31 32 /******************************************************************************* 33 34 Opaque struct which implements an SSL connection 35 36 *******************************************************************************/ 37 38 public struct SSL; 39 40 41 /******************************************************************************* 42 43 Opaque struct which implements an SSL connection context 44 45 *******************************************************************************/ 46 47 public struct SSL_CTX; 48 49 50 /******************************************************************************* 51 52 Opaque struct which implements an X509 certificate 53 54 *******************************************************************************/ 55 56 public struct X509; 57 58 59 /******************************************************************************* 60 61 The context used wile verifying an X509 certificate 62 63 *******************************************************************************/ 64 65 public struct X509_STORE_CTX; 66 67 68 /******************************************************************************* 69 70 Opaque struct which holds RSA encryption parameters 71 72 *******************************************************************************/ 73 74 public struct RSA; 75 76 77 /******************************************************************************* 78 79 Opaque struct which holds a message digest 80 81 *******************************************************************************/ 82 83 public struct EVP_MD; 84 85 86 /******************************************************************************* 87 88 Opaque struct which holds a message digest context 89 90 *******************************************************************************/ 91 92 public struct EVP_MD_CTX; 93 94 95 /******************************************************************************* 96 97 Opaque struct which holds a private key 98 99 *******************************************************************************/ 100 101 public struct EVP_PKEY; 102 103 104 /******************************************************************************* 105 106 Opaque struct which holds a private key context 107 108 *******************************************************************************/ 109 110 public struct EVP_PKEY_CTX; 111 112 113 /******************************************************************************* 114 115 Opaque struct which holds a digest encryption engine 116 117 *******************************************************************************/ 118 119 public struct ENGINE; 120 121 122 /******************************************************************************* 123 124 Retrieve the function pointers for SSLv3, or v2 if v3 is unavailable 125 126 Returns; 127 A struct with all of the function pointers pointing to the SSL v3 128 functions, falling back to v2 if v3 is unavailable 129 130 *******************************************************************************/ 131 132 public ssl_method_st* SSLv23_method (); 133 134 135 /******************************************************************************* 136 137 Initialize the SSL library by registering algorithms 138 139 Returns: 140 Always returns 1. 141 142 *******************************************************************************/ 143 144 public int SSL_library_init (); 145 146 147 /******************************************************************************* 148 149 Registers the error strings for all libcrypto and libssl function 150 151 *******************************************************************************/ 152 153 public void SSL_load_error_strings (); 154 155 156 /******************************************************************************* 157 158 Obtains a human-readable error message 159 160 Params: 161 e = the error code 162 163 Returns: 164 A human-readable string representing the error code. 165 166 *******************************************************************************/ 167 168 public const(char *) ERR_reason_error_string (c_ulong e); 169 170 171 /******************************************************************************* 172 173 Empties the current thread's error queue. 174 175 *******************************************************************************/ 176 177 public void ERR_clear_error (); 178 179 180 /******************************************************************************* 181 182 Returns the earliest error code from the thread's error queue and 183 removes the entry. This function can be called repeatedly until there 184 are no more error codes to return. 185 186 *******************************************************************************/ 187 188 public c_ulong ERR_get_error (); 189 190 191 /******************************************************************************* 192 193 Obtains the result code for a TLS/SSL I/O operation. 194 195 Gets a result code for a preceding call to SSL_connect, SSL_accept, 196 SSL_do_handshake, SSL_read, SSL_read_ex, SSL_peek, SSL_peek_ex, 197 SSL_write, or SSL_writex. 198 199 The OpenSSL interface is rather brittle. 200 The current thread's error queue must be empty before the call is made, 201 and no other OpenSSL calls should be made before calling SSL_get_error. 202 203 Params: 204 ssl = the ssl object which was used to perform the call 205 ret = the value which was returned by the call. 206 207 *******************************************************************************/ 208 209 public int SSL_get_error (const(SSL)* ssl, int ret); 210 211 212 /******************************************************************************* 213 214 Creates a new SSL object for a connection. 215 216 The new structure inherits the settings of the underlying context ctx. 217 218 Params: 219 ctx = the SSL context 220 221 Returns: 222 an allocated SSL object, or null if creation failed. 223 224 *******************************************************************************/ 225 226 public SSL* SSL_new (SSL_CTX* ctx); 227 228 229 /******************************************************************************* 230 231 Sets the file descriptor for the SSL object 232 233 The new structure inherits the settings of the underlying context ctx. 234 235 Params: 236 ssl = the SSL object 237 fd = the file descriptor to be used for I/O operations 238 239 Returns: 240 1 on success, 0 if the operation failed. 241 242 *******************************************************************************/ 243 244 public int SSL_set_fd (SSL* ssl, int fd); 245 246 247 /******************************************************************************* 248 249 Sets the SSL object to work in client mode 250 251 Params: 252 ssl = the ssl object 253 254 *******************************************************************************/ 255 256 public void SSL_set_connect_state (SSL* ssl); 257 258 259 /******************************************************************************* 260 261 Sets the SSL object to work in server mode 262 263 Params: 264 ssl = the ssl object 265 266 *******************************************************************************/ 267 268 public void SSL_set_accept_state (SSL* ssl); 269 270 271 /******************************************************************************* 272 273 Start an SSL handshake 274 275 If the object is blocking, the function will return only once the 276 handshake is complete. If it is non-blocking, it will return with a 277 negative value which specifies the next action required. 278 279 Params: 280 ssl = the ssl object 281 282 Returns: 283 1 if the handshake succeeded. Any value <= 0 should be passed to 284 SSL_get_error to find the reason why the connection is not complete. 285 286 *******************************************************************************/ 287 288 public int SSL_do_handshake (SSL* ssl); 289 290 291 /******************************************************************************* 292 293 Creates a new SSL_CTX object as framework to establish TLS/SSL or DTLS 294 enabled connections. 295 296 The object must be freed using SSL_CTX_free. It is reference counted, 297 so it will only be deleted when the reference count drops to zero. 298 299 Params: 300 meth = the SSL/TLS connection methods to use 301 302 Returns: 303 an allocated SSL_CTX object, or null if creation failed. 304 305 *******************************************************************************/ 306 307 public SSL_CTX* SSL_CTX_new (const(ssl_method_st)* meth); 308 309 310 /******************************************************************************* 311 312 Frees memory and resources associated with the SSL_CTX object. 313 314 Params: 315 ctx = SSL_CTX object to be released 316 317 *******************************************************************************/ 318 319 public void SSL_CTX_free (SSL_CTX* ctx); 320 321 322 /******************************************************************************* 323 324 Writes bytes to an SSL connection 325 326 Params: 327 ssl = the SSL connection 328 buf = buffer containing bytes to be written 329 num = the number of bytes to be written 330 331 Returns: 332 the number of bytes written to the SSL connection, or 0 if the 333 connection was closed, or a negative value if an error occurred or 334 if action must be taken by the calling process. 335 336 *******************************************************************************/ 337 338 public int SSL_write (SSL *ssl, const(void*) buf, int num); 339 340 341 /******************************************************************************* 342 343 Read bytes from an SSL connection 344 345 Params: 346 ssl = the SSL connection 347 buf = buffer containing bytes to be written 348 num = the number of bytes to be written 349 350 Returns: 351 the number of bytes written to the SSL connection, or 0 if the 352 connection was closed, or a negative value if an error occurred or 353 action must be taken by the calling process. 354 355 *******************************************************************************/ 356 357 public int SSL_read (SSL* ssl, void* buf, int num); 358 359 360 /******************************************************************************* 361 362 Sets the verification parameters for an SSL context 363 364 Params: 365 ctx = the SSL context to be set 366 mode = the verification flags to use. For a client, this must be 367 SSL_VERIFY_NONE or SSL_VERIFY_PEER. 368 callback = the verification callback to use when mode is set to 369 SSL_VERIFY_PEER, or null to use the default callback 370 371 *******************************************************************************/ 372 373 public void SSL_CTX_set_verify (SSL_CTX* ctx, int mode, 374 int function (int, X509_STORE_CTX*) callback); 375 376 377 /******************************************************************************* 378 379 Sets the maxiumum depth for certificate chain verification 380 381 Params: 382 ctx = the SSL context for which the depth should be set 383 depth = The maximum depth to be allowed 384 385 *******************************************************************************/ 386 387 public void SSL_CTX_set_verify_depth (SSL_CTX* ctx, int depth); 388 389 390 /******************************************************************************* 391 392 Specifies the locations for ctx, at which CA certificates for 393 verification purposes are located. The certificates available via 394 CAfile and CApath are trusted. 395 396 When looking up CA certificates, the OpenSSL library will first search 397 the certificates in CAfile, then those in CApath. 398 399 Params: 400 ctx = the CTX 401 CAfile = pointer to a file of CA certificates in PEM format, or 402 null. The file can containe several CA certificates. 403 CApath = a directory containing CA certificates in PEM format 404 405 Returns: 406 0 if the operation fails, 1 if the operation was successful 407 408 *******************************************************************************/ 409 410 public int SSL_CTX_load_verify_locations (SSL_CTX* ctx, 411 const(char*) CAfile, const(char*) CApath); 412 413 414 /******************************************************************************* 415 416 Get the result of peer certficate verification 417 418 Params: 419 ssl = the SSL object which obtained the peer certificate 420 421 Returns: 422 X509_V_OK if the verification succeeded or no peer certificate was 423 presented, ot an error code if the verification failed. 424 425 *******************************************************************************/ 426 427 public c_long SSL_get_verify_result (const(SSL)* ssl); 428 429 430 /******************************************************************************* 431 432 Sets the list of available ciphers 433 434 Sets the list of available ciphers (TLS v1.2 and below). For TLSv1.3, 435 this function has no effect; call SSL_set_ciphersuites instead. 436 437 Params: 438 ssl = the SSL object to set the cipher list for 439 str = a colon-delimited sequence of cipher names 440 441 Returns: 442 1 if any cipher could be selected, 0 on complete failure 443 444 *******************************************************************************/ 445 446 public int SSL_set_cipher_list (SSL* ssl, const(char*) str); 447 448 449 /******************************************************************************* 450 451 Internal function used to manipulate settings of an SSL object. 452 Should never be called directly. 453 454 Params: 455 ctx = the SSL object to manipulate 456 cmd = the command to execute 457 larg = an integer argument to the command 458 parg = a pointer argument to the command 459 460 Returns: 461 an integer whose meaning depends on the value of cmd 462 463 *******************************************************************************/ 464 465 private c_long SSL_ctrl (SSL* ssl,int cmd, c_long larg, void* parg); 466 467 468 /******************************************************************************* 469 470 Internal function used to manipulate settings of an SSL Context object. 471 Should never be called directly. 472 473 Params: 474 ctx = the SSL context to manipulate 475 cmd = the command to execute 476 larg = an integer argument to the command 477 parg = a pointer argument to the command 478 479 Returns: 480 an integer whose meaning depends on the value of cmd 481 482 *******************************************************************************/ 483 484 private c_long SSL_CTX_ctrl (SSL_CTX* ctx, int cmd, c_long larg, void* parg); 485 486 487 /******************************************************************************* 488 489 Allocates and initializes an X509 structure 490 491 Returns: 492 The newly-allocated structure, or null if allocation fails, in which 493 case ERR_get_error can be used to obtain the error code. 494 495 *******************************************************************************/ 496 497 public X509* X509_new (); 498 499 500 /******************************************************************************* 501 502 Frees an X509 structure 503 504 Params: 505 a = the X509 object to free 506 507 *******************************************************************************/ 508 509 public void X509_free (X509* a); 510 511 512 /******************************************************************************* 513 514 Gets the X509 certificate of the peer 515 516 Params: 517 s = the SSL object 518 519 Returns: 520 A pointer to the X509 certificate which the peer presented 521 522 *******************************************************************************/ 523 524 public X509* SSL_get_peer_certificate (const(SSL)* s); 525 526 527 /******************************************************************************* 528 529 Sets up the digest context for generating a signature 530 531 For some key types and parameters the random number generator must be 532 seeded or the operation will fail. 533 534 Params: 535 ctx = context, must have been created with EVP_MD_CTX_new() 536 pctx = if not null, then the pkey context will be copied here 537 type = the message digest algorithm that will be used 538 e = the digest engine to use. May be null for some algorithms 539 pkey = the private key 540 541 Returns: 542 1 on success, 0 or negative for failure, -2 if the operation is not 543 supported by the publuc key algorithm 544 545 *******************************************************************************/ 546 547 public int EVP_DigestSignInit (EVP_MD_CTX* ctx, EVP_PKEY_CTX** pctx, 548 const(EVP_MD)* type, ENGINE* e, EVP_PKEY* pkey); 549 550 551 /******************************************************************************* 552 553 Hashes data into a digest context, to update a signature 554 555 This function can be called multiple times on the same ctx to hash 556 additional data. 557 558 Params: 559 ctx = the digest context containing the hash 560 d = pointer to the start of the data to be hashed 561 cnt = the number of bytes of data to be hashed 562 563 Returns: 564 1 on success. 0 for failure 565 566 *******************************************************************************/ 567 568 public int EVP_DigestUpdate (EVP_MD_CTX* ctx, const(void)* d, size_t cnt); 569 570 571 /******************************************************************************* 572 573 Generates a signature for the data in the message digest context 574 575 Typically this function will be called twice, firstly to determine the 576 length of the signature, and secondly to retrieve the signature. 577 578 Params: 579 ctx = the message digest context 580 signature = buffer where the signature should be written, or null 581 sig_len = the length of the buffer, if sig is not null. 582 e = the engine to use 583 pkey = the private key 584 585 Returns: 586 1 on success. 0 or negative for failure 587 588 *******************************************************************************/ 589 590 public int EVP_DigestSignFinal (EVP_MD_CTX* ctx, const(void)* signature, 591 size_t* sig_len); 592 593 594 /******************************************************************************* 595 596 Allocates, initializes and returns a message digest context. 597 598 Returns: 599 An initialized message digest context 600 601 *******************************************************************************/ 602 603 public EVP_MD_CTX* EVP_MD_CTX_create (); 604 605 606 /******************************************************************************* 607 608 Cleans up digest context ctx and frees up the space allocated to it. 609 Should be called only on a context created using EVP_MD_CTX_create(). 610 611 Params: 612 ctx = the context to be destroyed 613 614 *******************************************************************************/ 615 616 public void EVP_MD_CTX_destroy (EVP_MD_CTX *ctx); 617 618 619 /******************************************************************************* 620 621 Allocates an empty EVP_PKEY structure, which is used to store public and 622 private keys 623 624 Returns: 625 An empty key with a reference count of 1, or null if an error 626 occurred. 627 628 *******************************************************************************/ 629 630 public EVP_PKEY* EVP_PKEY_new (); 631 632 633 /******************************************************************************* 634 635 Frees an EVP_PKEY structure 636 637 Decrements the reference count of key, and frees if it the reference 638 count has dropped to zero. 639 640 Params: 641 key = the key to be freed 642 643 *******************************************************************************/ 644 645 public void EVP_PKEY_free (EVP_PKEY* key); 646 647 648 /******************************************************************************* 649 650 Sets the key referenced by pkey to rsa 651 652 Params: 653 pkey = the key to be set 654 rsa = the rsa key to use 655 656 Returns: 657 1 on success, 0 on failure 658 659 *******************************************************************************/ 660 661 public int EVP_PKEY_set1_RSA (EVP_PKEY* pkey, RSA* rsa); 662 663 664 /******************************************************************************* 665 666 Returns an EVP_MD structure for the SHA256 digest algorithm 667 668 Returns: 669 A pointer to the EVP_MD structure. 670 671 *******************************************************************************/ 672 673 public const(EVP_MD)* EVP_sha256 (); 674 675 676 /******************************************************************************* 677 678 Allocates and initializes an RSA structure 679 680 Returns: 681 the initialized structure, or null if allocation fails. 682 683 *******************************************************************************/ 684 685 public RSA* RSA_new (); 686 687 688 /******************************************************************************* 689 690 Frees an RSA structure 691 692 Params: 693 rsa = the RSA structure to be freed 694 695 Returns: 696 1 on success. No other return values are documented. 697 698 *******************************************************************************/ 699 700 public void RSA_free (RSA* rsa); 701 702 703 /******************************************************************************* 704 705 Decodes a PKCS#1 RSAPrivateKey structure 706 707 This function should never be called directly. The documentation 708 includes three pages of warnings, caveats, and bugs, noting that unless 709 great care is taken with the parameters, this function causes segfaults 710 and/or internal memory corruption. 711 712 Use decodeRSAPrivateKey() instead. 713 714 *******************************************************************************/ 715 716 private RSA* d2i_RSAPrivateKey (RSA** ptr_to_ptr_which_must_be_null, 717 const(void)** ptr_to_ptr_which_gets_corrupted, c_long len); 718 719 720 721 /******************************************************************************* 722 723 SSL error codes 724 725 *******************************************************************************/ 726 727 public enum 728 { 729 SSL_ERROR_NONE = 0, 730 SSL_ERROR_SSL = 1, 731 SSL_ERROR_WANT_READ = 2, 732 SSL_ERROR_WANT_WRITE = 3, 733 SSL_ERROR_WANT_X509_LOOKUP = 4, 734 SSL_ERROR_SYSCALL = 5, 735 SSL_ERROR_ZERO_RETURN = 6, 736 SSL_ERROR_WANT_CONNECT = 7, 737 SSL_ERROR_WANT_ACCEPT = 8 738 } 739 740 741 /******************************************************************************* 742 743 Enum used by SSL_CTX_set_verify 744 745 *******************************************************************************/ 746 747 public enum 748 { 749 SSL_VERIFY_NONE = 0, 750 SSL_VERIFY_PEER = 1 751 } 752 753 754 /******************************************************************************* 755 756 Options used by SSL_CTX_set_options 757 758 *******************************************************************************/ 759 760 public enum : ulong 761 { 762 SSL_OP_ALL = 0x80000BFFL, /// Various workarounds for broken implementations 763 SSL_OP_NO_SSLv2 = 0x01000000, /// Do not use SSL v2 764 SSL_OP_NO_SSLv3 = 0x02000000, /// Do not use SSL v3. 765 SSL_OP_NO_COMPRESSION = 0x00020000 /// Do not use compression 766 } 767 768 769 extern (D): 770 771 /******************************************************************************* 772 773 Adds the options to the SSL context. Options already set before are not 774 cleared. 775 776 Params: 777 ctx = the SSL context 778 op = the option flags to set. 779 780 Returns: 781 The new options bitmask, after adding options. 782 783 *******************************************************************************/ 784 785 public c_long SSL_CTX_set_options (SSL_CTX* ctx, c_long op) 786 { 787 static immutable SSL_CTRL_OPTIONS = 32; 788 789 return SSL_CTX_ctrl(ctx, SSL_CTRL_OPTIONS, op, null); 790 } 791 792 793 /******************************************************************************* 794 795 Decodes a PKCS#1 RSAPrivateKey structure, creating an RSA object 796 797 Params: 798 key = the bytes to decode 799 800 Returns: 801 A decoded structure, or null if an error occurs. 802 803 *******************************************************************************/ 804 805 public RSA * decodeRSAPrivateKey (const(void)[] key) 806 { 807 // If this isn't null, memory corruption will happen 808 809 RSA * rsa = null; 810 811 // This variable gets corrupted by the call 812 813 auto keyptr = key.ptr; 814 815 return d2i_RSAPrivateKey(&rsa, &keyptr, key.length); 816 }