1 /******************************************************************************
2 
3     C binding to OpenSSL v1.0.x
4 
5     The OpenSSL library is very large. This binding includes only a tiny
6     fraction of the available functions.
7 
8     copyright: Copyright (c) 2018 dunnhumby Germany GmbH. All rights reserved
9 
10 *******************************************************************************/
11 
12 module ocean.net.ssl.openssl.OpenSsl;
13 
14 
15 import core.stdc.config : c_ulong, c_long;
16 import ocean.meta.types.Qualifiers;
17 
18 
19 extern (C):
20 
21 /*******************************************************************************
22 
23     Opaque struct which contains function pointers for SSLv2 or
24     SSLv3/TLSv1 functions. This is roughly equivalent to a virtual function
25     table, but implemented in plain C.
26 
27 *******************************************************************************/
28 
29 public struct ssl_method_st;
30 
31 
32 /*******************************************************************************
33 
34     Opaque struct which implements an SSL connection
35 
36 *******************************************************************************/
37 
38 public struct SSL;
39 
40 
41 /*******************************************************************************
42 
43     Opaque struct which implements an SSL connection context
44 
45 *******************************************************************************/
46 
47 public struct SSL_CTX;
48 
49 
50 /*******************************************************************************
51 
52     Opaque struct which implements an X509 certificate
53 
54 *******************************************************************************/
55 
56 public struct X509;
57 
58 
59 /*******************************************************************************
60 
61     The context used wile verifying an X509 certificate
62 
63 *******************************************************************************/
64 
65 public struct X509_STORE_CTX;
66 
67 
68 /*******************************************************************************
69 
70     Opaque struct which holds RSA encryption parameters
71 
72 *******************************************************************************/
73 
74 public struct RSA;
75 
76 
77 /*******************************************************************************
78 
79     Opaque struct which holds a message digest
80 
81 *******************************************************************************/
82 
83 public struct EVP_MD;
84 
85 
86 /*******************************************************************************
87 
88     Opaque struct which holds a message digest context
89 
90 *******************************************************************************/
91 
92 public struct EVP_MD_CTX;
93 
94 
95 /*******************************************************************************
96 
97     Opaque struct which holds a private key
98 
99 *******************************************************************************/
100 
101 public struct EVP_PKEY;
102 
103 
104 /*******************************************************************************
105 
106     Opaque struct which holds a private key context
107 
108 *******************************************************************************/
109 
110 public struct EVP_PKEY_CTX;
111 
112 
113 /*******************************************************************************
114 
115     Opaque struct which holds a digest encryption engine
116 
117 *******************************************************************************/
118 
119 public struct ENGINE;
120 
121 
122 /*******************************************************************************
123 
124     Retrieve the function pointers for SSLv3, or v2 if v3 is unavailable
125 
126     Returns;
127         A struct with all of the function pointers pointing to the SSL v3
128         functions, falling back to v2 if v3 is unavailable
129 
130 *******************************************************************************/
131 
132 public ssl_method_st* SSLv23_method ();
133 
134 
135 /*******************************************************************************
136 
137     Initialize the SSL library by registering algorithms
138 
139     Returns:
140         Always returns 1.
141 
142 *******************************************************************************/
143 
144 public int SSL_library_init ();
145 
146 
147 /*******************************************************************************
148 
149     Registers the error strings for all libcrypto and libssl function
150 
151 *******************************************************************************/
152 
153 public void  SSL_load_error_strings ();
154 
155 
156 /*******************************************************************************
157 
158     Obtains a human-readable error message
159 
160     Params:
161         e = the error code
162 
163     Returns:
164         A human-readable string representing the error code.
165 
166 *******************************************************************************/
167 
168 public const(char *) ERR_reason_error_string (c_ulong e);
169 
170 
171 /*******************************************************************************
172 
173     Empties the current thread's error queue.
174 
175 *******************************************************************************/
176 
177 public void ERR_clear_error ();
178 
179 
180 /*******************************************************************************
181 
182     Returns the earliest error code from the thread's error queue and
183     removes the entry. This function can be called repeatedly until there
184     are no more error codes to return.
185 
186 *******************************************************************************/
187 
188 public c_ulong ERR_get_error ();
189 
190 
191 /*******************************************************************************
192 
193     Obtains the result code for a TLS/SSL I/O operation.
194 
195     Gets a result code for a preceding call to SSL_connect, SSL_accept,
196     SSL_do_handshake, SSL_read, SSL_read_ex, SSL_peek, SSL_peek_ex,
197     SSL_write, or SSL_writex.
198 
199     The OpenSSL interface is rather brittle.
200     The current thread's error queue must be empty before the call is made,
201     and no other OpenSSL calls should be made before calling SSL_get_error.
202 
203     Params:
204         ssl = the ssl object which was used to perform the call
205         ret = the value which was returned by the call.
206 
207 *******************************************************************************/
208 
209 public int SSL_get_error (const(SSL)* ssl, int ret);
210 
211 
212 /*******************************************************************************
213 
214     Creates a new SSL object for a connection.
215 
216     The new structure inherits the settings of the underlying context ctx.
217 
218     Params:
219         ctx = the SSL context
220 
221     Returns:
222         an allocated SSL object, or null if creation failed.
223 
224 *******************************************************************************/
225 
226 public SSL* SSL_new (SSL_CTX* ctx);
227 
228 
229 /*******************************************************************************
230 
231     Sets the file descriptor for the SSL object
232 
233     The new structure inherits the settings of the underlying context ctx.
234 
235     Params:
236         ssl = the SSL object
237         fd = the file descriptor to be used for I/O operations
238 
239     Returns:
240         1 on success, 0 if the operation failed.
241 
242 *******************************************************************************/
243 
244 public int SSL_set_fd (SSL* ssl, int fd);
245 
246 
247 /*******************************************************************************
248 
249     Sets the SSL object to work in client mode
250 
251     Params:
252         ssl = the ssl object
253 
254 *******************************************************************************/
255 
256 public void SSL_set_connect_state (SSL* ssl);
257 
258 
259 /*******************************************************************************
260 
261     Sets the SSL object to work in server mode
262 
263     Params:
264         ssl = the ssl object
265 
266 *******************************************************************************/
267 
268 public void SSL_set_accept_state (SSL* ssl);
269 
270 
271 /*******************************************************************************
272 
273     Start an SSL handshake
274 
275     If the object is blocking, the function will return only once the
276     handshake is complete. If it is non-blocking, it will return with a
277     negative value which specifies the next action required.
278 
279     Params:
280         ssl = the ssl object
281 
282     Returns:
283         1 if the handshake succeeded. Any value <= 0 should be passed to
284         SSL_get_error to find the reason why the connection is not complete.
285 
286 *******************************************************************************/
287 
288 public int SSL_do_handshake (SSL* ssl);
289 
290 
291 /*******************************************************************************
292 
293     Creates a new  SSL_CTX object as framework to establish TLS/SSL or DTLS
294     enabled connections.
295 
296     The object must be freed using SSL_CTX_free. It is reference counted,
297     so it will only be deleted when the reference count drops to zero.
298 
299     Params:
300         meth = the SSL/TLS connection methods to use
301 
302     Returns:
303         an allocated SSL_CTX object, or null if creation failed.
304 
305 *******************************************************************************/
306 
307 public SSL_CTX* SSL_CTX_new (const(ssl_method_st)* meth);
308 
309 
310 /*******************************************************************************
311 
312     Frees memory and resources associated with the SSL_CTX object.
313 
314     Params:
315         ctx = SSL_CTX object to be released
316 
317 *******************************************************************************/
318 
319 public void SSL_CTX_free (SSL_CTX* ctx);
320 
321 
322 /*******************************************************************************
323 
324     Writes bytes to an SSL connection
325 
326     Params:
327         ssl = the SSL connection
328         buf = buffer containing bytes to be written
329         num = the number of bytes to be written
330 
331     Returns:
332         the number of bytes written to the SSL connection, or 0 if the
333         connection was closed, or a negative value if an error occurred or
334         if action must be taken by the calling process.
335 
336 *******************************************************************************/
337 
338 public int SSL_write (SSL *ssl, const(void*) buf, int num);
339 
340 
341 /*******************************************************************************
342 
343     Read bytes from an SSL connection
344 
345     Params:
346         ssl = the SSL connection
347         buf = buffer containing bytes to be written
348         num = the number of bytes to be written
349 
350     Returns:
351         the number of bytes written to the SSL connection, or 0 if the
352         connection was closed, or a negative value if an error occurred or
353         action must be taken by the calling process.
354 
355 *******************************************************************************/
356 
357 public int SSL_read (SSL* ssl, void* buf, int num);
358 
359 
360 /*******************************************************************************
361 
362     Sets the verification parameters for an SSL context
363 
364     Params:
365         ctx = the SSL context to be set
366         mode = the verification flags to use. For a client, this must be
367             SSL_VERIFY_NONE or SSL_VERIFY_PEER.
368         callback = the verification callback to use when mode is set to
369             SSL_VERIFY_PEER, or null to use the default callback
370 
371 *******************************************************************************/
372 
373 public void SSL_CTX_set_verify (SSL_CTX* ctx, int mode,
374     int function (int, X509_STORE_CTX*) callback);
375 
376 
377 /*******************************************************************************
378 
379     Sets the maxiumum depth for certificate chain verification
380 
381     Params:
382         ctx = the SSL context for which the depth should be set
383         depth = The maximum depth to be allowed
384 
385 *******************************************************************************/
386 
387 public void SSL_CTX_set_verify_depth (SSL_CTX* ctx, int depth);
388 
389 
390 /*******************************************************************************
391 
392     Specifies the locations for ctx, at which CA certificates for
393     verification purposes are located. The certificates available via
394     CAfile and CApath are trusted.
395 
396     When looking up CA certificates, the OpenSSL library will first search
397     the certificates in CAfile, then those in CApath.
398 
399     Params:
400         ctx = the CTX
401         CAfile = pointer to a file of CA certificates in PEM format, or
402             null. The file can containe several CA certificates.
403         CApath = a directory containing CA certificates in PEM format
404 
405     Returns:
406         0 if the operation fails, 1 if the operation was successful
407 
408 *******************************************************************************/
409 
410 public int SSL_CTX_load_verify_locations (SSL_CTX* ctx,
411     const(char*) CAfile, const(char*) CApath);
412 
413 
414 /*******************************************************************************
415 
416     Get the result of peer certficate verification
417 
418     Params:
419         ssl = the SSL object which obtained the peer certificate
420 
421     Returns:
422         X509_V_OK if the verification succeeded or no peer certificate was
423         presented, ot an error code if the verification failed.
424 
425 *******************************************************************************/
426 
427 public c_long SSL_get_verify_result (const(SSL)* ssl);
428 
429 
430 /*******************************************************************************
431 
432     Sets the list of available ciphers
433 
434     Sets the list of available ciphers (TLS v1.2 and below). For TLSv1.3,
435     this function has no effect; call SSL_set_ciphersuites instead.
436 
437     Params:
438         ssl = the SSL object to set the cipher list for
439         str = a colon-delimited sequence of cipher names
440 
441     Returns:
442         1 if any cipher could be selected, 0 on complete failure
443 
444 *******************************************************************************/
445 
446 public int SSL_set_cipher_list (SSL* ssl, const(char*) str);
447 
448 
449 /*******************************************************************************
450 
451     Internal function used to manipulate settings of an SSL object.
452     Should never be called directly.
453 
454     Params:
455         ctx = the SSL object to manipulate
456         cmd = the command to execute
457         larg = an integer argument to the command
458         parg = a pointer argument to the command
459 
460     Returns:
461         an integer whose meaning depends on the value of cmd
462 
463 *******************************************************************************/
464 
465 private c_long SSL_ctrl (SSL* ssl,int cmd, c_long larg, void* parg);
466 
467 
468 /*******************************************************************************
469 
470     Internal function used to manipulate settings of an SSL Context object.
471     Should never be called directly.
472 
473     Params:
474         ctx = the SSL context to manipulate
475         cmd = the command to execute
476         larg = an integer argument to the command
477         parg = a pointer argument to the command
478 
479     Returns:
480         an integer whose meaning depends on the value of cmd
481 
482 *******************************************************************************/
483 
484 private c_long SSL_CTX_ctrl (SSL_CTX* ctx, int cmd, c_long larg, void* parg);
485 
486 
487 /*******************************************************************************
488 
489     Allocates and initializes an X509 structure
490 
491     Returns:
492         The newly-allocated structure, or null if allocation fails, in which
493         case ERR_get_error can be used to obtain the error code.
494 
495 *******************************************************************************/
496 
497 public X509* X509_new ();
498 
499 
500 /*******************************************************************************
501 
502     Frees an X509 structure
503 
504     Params:
505         a = the X509 object to free
506 
507 *******************************************************************************/
508 
509 public void X509_free (X509* a);
510 
511 
512 /*******************************************************************************
513 
514     Gets the X509 certificate of the peer
515 
516     Params:
517         s = the SSL object
518 
519     Returns:
520         A pointer to the X509 certificate which the peer presented
521 
522 *******************************************************************************/
523 
524 public X509* SSL_get_peer_certificate (const(SSL)* s);
525 
526 
527 /*******************************************************************************
528 
529     Sets up the digest context for generating a signature
530 
531     For some key types and parameters the random number generator must be
532     seeded or the operation will fail.
533 
534     Params:
535         ctx = context, must have been created with EVP_MD_CTX_new()
536         pctx = if not null, then the pkey context will be copied here
537         type = the message digest algorithm that will be used
538         e = the digest engine to use. May be null for some algorithms
539         pkey = the private key
540 
541     Returns:
542         1 on success, 0 or negative for failure, -2 if the operation is not
543         supported by the publuc key algorithm
544 
545 *******************************************************************************/
546 
547 public int EVP_DigestSignInit (EVP_MD_CTX* ctx, EVP_PKEY_CTX** pctx,
548                     const(EVP_MD)* type, ENGINE* e, EVP_PKEY* pkey);
549 
550 
551 /*******************************************************************************
552 
553     Hashes data into a digest context, to update a signature
554 
555     This function can be called multiple times on the same ctx to hash
556     additional data.
557 
558     Params:
559         ctx = the digest context containing the hash
560         d = pointer to the start of the data to be hashed
561         cnt = the number of bytes of data to be hashed
562 
563     Returns:
564         1 on success. 0 for failure
565 
566 *******************************************************************************/
567 
568 public int EVP_DigestUpdate (EVP_MD_CTX* ctx, const(void)* d, size_t cnt);
569 
570 
571 /*******************************************************************************
572 
573     Generates a signature for the data in the message digest context
574 
575     Typically this function will be called twice, firstly to determine the
576     length of the signature, and secondly to retrieve the signature.
577 
578     Params:
579         ctx = the message digest context
580         signature = buffer where the signature should be written, or null
581         sig_len = the length of the buffer, if sig is not null.
582         e = the engine to use
583         pkey = the private key
584 
585     Returns:
586         1 on success. 0 or negative for failure
587 
588 *******************************************************************************/
589 
590 public int EVP_DigestSignFinal (EVP_MD_CTX* ctx, const(void)* signature,
591     size_t* sig_len);
592 
593 
594 /*******************************************************************************
595 
596     Allocates, initializes and returns a message digest context.
597 
598     Returns:
599         An initialized message digest context
600 
601 *******************************************************************************/
602 
603 public EVP_MD_CTX* EVP_MD_CTX_create ();
604 
605 
606 /*******************************************************************************
607 
608     Cleans up digest context ctx and frees up the space allocated to it.
609     Should be called only on a context created using EVP_MD_CTX_create().
610 
611     Params:
612         ctx = the context to be destroyed
613 
614 *******************************************************************************/
615 
616 public void EVP_MD_CTX_destroy (EVP_MD_CTX *ctx);
617 
618 
619 /*******************************************************************************
620 
621     Allocates an empty EVP_PKEY structure, which is used to store public and
622     private keys
623 
624     Returns:
625         An empty key with a reference count of 1, or null if an error
626         occurred.
627 
628 *******************************************************************************/
629 
630 public EVP_PKEY* EVP_PKEY_new ();
631 
632 
633 /*******************************************************************************
634 
635     Frees an EVP_PKEY structure
636 
637     Decrements the reference count of key, and frees if it the reference
638     count has dropped to zero.
639 
640     Params:
641         key = the key to be freed
642 
643 *******************************************************************************/
644 
645 public void EVP_PKEY_free (EVP_PKEY* key);
646 
647 
648 /*******************************************************************************
649 
650     Sets the key referenced by pkey to rsa
651 
652     Params:
653         pkey = the key to be set
654         rsa = the rsa key to use
655 
656     Returns:
657         1 on success, 0 on failure
658 
659 *******************************************************************************/
660 
661 public int EVP_PKEY_set1_RSA (EVP_PKEY* pkey, RSA* rsa);
662 
663 
664 /*******************************************************************************
665 
666     Returns an EVP_MD structure for the SHA256 digest algorithm
667 
668     Returns:
669         A pointer to the EVP_MD structure.
670 
671 *******************************************************************************/
672 
673 public const(EVP_MD)* EVP_sha256 ();
674 
675 
676 /*******************************************************************************
677 
678     Allocates and initializes an RSA structure
679 
680     Returns:
681         the initialized structure, or null if allocation fails.
682 
683 *******************************************************************************/
684 
685 public RSA* RSA_new ();
686 
687 
688 /*******************************************************************************
689 
690     Frees an RSA structure
691 
692     Params:
693         rsa = the RSA structure to be freed
694 
695     Returns:
696         1 on success. No other return values are documented.
697 
698 *******************************************************************************/
699 
700 public void RSA_free (RSA* rsa);
701 
702 
703 /*******************************************************************************
704 
705     Decodes a PKCS#1 RSAPrivateKey structure
706 
707     This function should never be called directly. The documentation
708     includes three pages of warnings, caveats, and bugs, noting that unless
709     great care is taken with the parameters, this function causes segfaults
710     and/or internal memory corruption.
711 
712     Use decodeRSAPrivateKey() instead.
713 
714 *******************************************************************************/
715 
716 private RSA* d2i_RSAPrivateKey (RSA** ptr_to_ptr_which_must_be_null,
717     const(void)** ptr_to_ptr_which_gets_corrupted, c_long len);
718 
719 
720 
721 /*******************************************************************************
722 
723     SSL error codes
724 
725 *******************************************************************************/
726 
727 public enum
728 {
729     SSL_ERROR_NONE = 0,
730     SSL_ERROR_SSL  = 1,
731     SSL_ERROR_WANT_READ = 2,
732     SSL_ERROR_WANT_WRITE = 3,
733     SSL_ERROR_WANT_X509_LOOKUP = 4,
734     SSL_ERROR_SYSCALL = 5,
735     SSL_ERROR_ZERO_RETURN = 6,
736     SSL_ERROR_WANT_CONNECT = 7,
737     SSL_ERROR_WANT_ACCEPT = 8
738 }
739 
740 
741 /*******************************************************************************
742 
743     Enum used by SSL_CTX_set_verify
744 
745 *******************************************************************************/
746 
747 public enum
748 {
749     SSL_VERIFY_NONE = 0,
750     SSL_VERIFY_PEER = 1
751 }
752 
753 
754 /*******************************************************************************
755 
756     Options used by SSL_CTX_set_options
757 
758 *******************************************************************************/
759 
760 public enum : ulong
761 {
762     SSL_OP_ALL = 0x80000BFFL, /// Various workarounds for broken implementations
763     SSL_OP_NO_SSLv2 = 0x01000000,  /// Do not use SSL v2
764     SSL_OP_NO_SSLv3 = 0x02000000,   /// Do not use SSL v3.
765     SSL_OP_NO_COMPRESSION = 0x00020000  /// Do not use compression
766 }
767 
768 
769 extern (D):
770 
771 /*******************************************************************************
772 
773     Adds the options to the SSL context. Options already set before are not
774     cleared.
775 
776     Params:
777         ctx = the SSL context
778         op = the option flags to set.
779 
780     Returns:
781         The new options bitmask, after adding options.
782 
783 *******************************************************************************/
784 
785 public c_long SSL_CTX_set_options (SSL_CTX* ctx, c_long op)
786 {
787     static immutable SSL_CTRL_OPTIONS = 32;
788 
789     return SSL_CTX_ctrl(ctx, SSL_CTRL_OPTIONS, op, null);
790 }
791 
792 
793 /*******************************************************************************
794 
795     Decodes a PKCS#1 RSAPrivateKey structure, creating an RSA object
796 
797     Params:
798         key = the bytes to decode
799 
800     Returns:
801         A decoded structure, or null if an error occurs.
802 
803 *******************************************************************************/
804 
805 public RSA * decodeRSAPrivateKey (const(void)[] key)
806 {
807     // If this isn't null, memory corruption will happen
808 
809     RSA * rsa = null;
810 
811     // This variable gets corrupted by the call
812 
813     auto keyptr = key.ptr;
814 
815     return d2i_RSAPrivateKey(&rsa, &keyptr, key.length);
816 }