1 /******************************************************************************
2 3 C binding to OpenSSL v1.0.x
4 5 The OpenSSL library is very large. This binding includes only a tiny
6 fraction of the available functions.
7 8 copyright: Copyright (c) 2018 dunnhumby Germany GmbH. All rights reserved
9 10 *******************************************************************************/11 12 moduleocean.net.ssl.openssl.OpenSsl;
13 14 15 importcore.stdc.config : c_ulong, c_long;
16 importocean.meta.types.Qualifiers;
17 18 19 extern (C):
20 21 /*******************************************************************************
22 23 Opaque struct which contains function pointers for SSLv2 or
24 SSLv3/TLSv1 functions. This is roughly equivalent to a virtual function
25 table, but implemented in plain C.
26 27 *******************************************************************************/28 29 publicstructssl_method_st;
30 31 32 /*******************************************************************************
33 34 Opaque struct which implements an SSL connection
35 36 *******************************************************************************/37 38 publicstructSSL;
39 40 41 /*******************************************************************************
42 43 Opaque struct which implements an SSL connection context
44 45 *******************************************************************************/46 47 publicstructSSL_CTX;
48 49 50 /*******************************************************************************
51 52 Opaque struct which implements an X509 certificate
53 54 *******************************************************************************/55 56 publicstructX509;
57 58 59 /*******************************************************************************
60 61 The context used wile verifying an X509 certificate
62 63 *******************************************************************************/64 65 publicstructX509_STORE_CTX;
66 67 68 /*******************************************************************************
69 70 Opaque struct which holds RSA encryption parameters
71 72 *******************************************************************************/73 74 publicstructRSA;
75 76 77 /*******************************************************************************
78 79 Opaque struct which holds a message digest
80 81 *******************************************************************************/82 83 publicstructEVP_MD;
84 85 86 /*******************************************************************************
87 88 Opaque struct which holds a message digest context
89 90 *******************************************************************************/91 92 publicstructEVP_MD_CTX;
93 94 95 /*******************************************************************************
96 97 Opaque struct which holds a private key
98 99 *******************************************************************************/100 101 publicstructEVP_PKEY;
102 103 104 /*******************************************************************************
105 106 Opaque struct which holds a private key context
107 108 *******************************************************************************/109 110 publicstructEVP_PKEY_CTX;
111 112 113 /*******************************************************************************
114 115 Opaque struct which holds a digest encryption engine
116 117 *******************************************************************************/118 119 publicstructENGINE;
120 121 122 /*******************************************************************************
123 124 Retrieve the function pointers for SSLv3, or v2 if v3 is unavailable
125 126 Returns;
127 A struct with all of the function pointers pointing to the SSL v3
128 functions, falling back to v2 if v3 is unavailable
129 130 *******************************************************************************/131 132 publicssl_method_st* SSLv23_method ();
133 134 135 /*******************************************************************************
136 137 Initialize the SSL library by registering algorithms
138 139 Returns:
140 Always returns 1.
141 142 *******************************************************************************/143 144 publicintSSL_library_init ();
145 146 147 /*******************************************************************************
148 149 Registers the error strings for all libcrypto and libssl function
150 151 *******************************************************************************/152 153 publicvoidSSL_load_error_strings ();
154 155 156 /*******************************************************************************
157 158 Obtains a human-readable error message
159 160 Params:
161 e = the error code
162 163 Returns:
164 A human-readable string representing the error code.
165 166 *******************************************************************************/167 168 publicconst(char *) ERR_reason_error_string (c_ulonge);
169 170 171 /*******************************************************************************
172 173 Empties the current thread's error queue.
174 175 *******************************************************************************/176 177 publicvoidERR_clear_error ();
178 179 180 /*******************************************************************************
181 182 Returns the earliest error code from the thread's error queue and
183 removes the entry. This function can be called repeatedly until there
184 are no more error codes to return.
185 186 *******************************************************************************/187 188 publicc_ulongERR_get_error ();
189 190 191 /*******************************************************************************
192 193 Obtains the result code for a TLS/SSL I/O operation.
194 195 Gets a result code for a preceding call to SSL_connect, SSL_accept,
196 SSL_do_handshake, SSL_read, SSL_read_ex, SSL_peek, SSL_peek_ex,
197 SSL_write, or SSL_writex.
198 199 The OpenSSL interface is rather brittle.
200 The current thread's error queue must be empty before the call is made,
201 and no other OpenSSL calls should be made before calling SSL_get_error.
202 203 Params:
204 ssl = the ssl object which was used to perform the call
205 ret = the value which was returned by the call.
206 207 *******************************************************************************/208 209 publicintSSL_get_error (const(SSL)* ssl, intret);
210 211 212 /*******************************************************************************
213 214 Creates a new SSL object for a connection.
215 216 The new structure inherits the settings of the underlying context ctx.
217 218 Params:
219 ctx = the SSL context
220 221 Returns:
222 an allocated SSL object, or null if creation failed.
223 224 *******************************************************************************/225 226 publicSSL* SSL_new (SSL_CTX* ctx);
227 228 229 /*******************************************************************************
230 231 Sets the file descriptor for the SSL object
232 233 The new structure inherits the settings of the underlying context ctx.
234 235 Params:
236 ssl = the SSL object
237 fd = the file descriptor to be used for I/O operations
238 239 Returns:
240 1 on success, 0 if the operation failed.
241 242 *******************************************************************************/243 244 publicintSSL_set_fd (SSL* ssl, intfd);
245 246 247 /*******************************************************************************
248 249 Sets the SSL object to work in client mode
250 251 Params:
252 ssl = the ssl object
253 254 *******************************************************************************/255 256 publicvoidSSL_set_connect_state (SSL* ssl);
257 258 259 /*******************************************************************************
260 261 Sets the SSL object to work in server mode
262 263 Params:
264 ssl = the ssl object
265 266 *******************************************************************************/267 268 publicvoidSSL_set_accept_state (SSL* ssl);
269 270 271 /*******************************************************************************
272 273 Start an SSL handshake
274 275 If the object is blocking, the function will return only once the
276 handshake is complete. If it is non-blocking, it will return with a
277 negative value which specifies the next action required.
278 279 Params:
280 ssl = the ssl object
281 282 Returns:
283 1 if the handshake succeeded. Any value <= 0 should be passed to
284 SSL_get_error to find the reason why the connection is not complete.
285 286 *******************************************************************************/287 288 publicintSSL_do_handshake (SSL* ssl);
289 290 291 /*******************************************************************************
292 293 Creates a new SSL_CTX object as framework to establish TLS/SSL or DTLS
294 enabled connections.
295 296 The object must be freed using SSL_CTX_free. It is reference counted,
297 so it will only be deleted when the reference count drops to zero.
298 299 Params:
300 meth = the SSL/TLS connection methods to use
301 302 Returns:
303 an allocated SSL_CTX object, or null if creation failed.
304 305 *******************************************************************************/306 307 publicSSL_CTX* SSL_CTX_new (const(ssl_method_st)* meth);
308 309 310 /*******************************************************************************
311 312 Frees memory and resources associated with the SSL_CTX object.
313 314 Params:
315 ctx = SSL_CTX object to be released
316 317 *******************************************************************************/318 319 publicvoidSSL_CTX_free (SSL_CTX* ctx);
320 321 322 /*******************************************************************************
323 324 Writes bytes to an SSL connection
325 326 Params:
327 ssl = the SSL connection
328 buf = buffer containing bytes to be written
329 num = the number of bytes to be written
330 331 Returns:
332 the number of bytes written to the SSL connection, or 0 if the
333 connection was closed, or a negative value if an error occurred or
334 if action must be taken by the calling process.
335 336 *******************************************************************************/337 338 publicintSSL_write (SSL *ssl, const(void*) buf, intnum);
339 340 341 /*******************************************************************************
342 343 Read bytes from an SSL connection
344 345 Params:
346 ssl = the SSL connection
347 buf = buffer containing bytes to be written
348 num = the number of bytes to be written
349 350 Returns:
351 the number of bytes written to the SSL connection, or 0 if the
352 connection was closed, or a negative value if an error occurred or
353 action must be taken by the calling process.
354 355 *******************************************************************************/356 357 publicintSSL_read (SSL* ssl, void* buf, intnum);
358 359 360 /*******************************************************************************
361 362 Sets the verification parameters for an SSL context
363 364 Params:
365 ctx = the SSL context to be set
366 mode = the verification flags to use. For a client, this must be
367 SSL_VERIFY_NONE or SSL_VERIFY_PEER.
368 callback = the verification callback to use when mode is set to
369 SSL_VERIFY_PEER, or null to use the default callback
370 371 *******************************************************************************/372 373 publicvoidSSL_CTX_set_verify (SSL_CTX* ctx, intmode,
374 intfunction (int, X509_STORE_CTX*) callback);
375 376 377 /*******************************************************************************
378 379 Sets the maxiumum depth for certificate chain verification
380 381 Params:
382 ctx = the SSL context for which the depth should be set
383 depth = The maximum depth to be allowed
384 385 *******************************************************************************/386 387 publicvoidSSL_CTX_set_verify_depth (SSL_CTX* ctx, intdepth);
388 389 390 /*******************************************************************************
391 392 Specifies the locations for ctx, at which CA certificates for
393 verification purposes are located. The certificates available via
394 CAfile and CApath are trusted.
395 396 When looking up CA certificates, the OpenSSL library will first search
397 the certificates in CAfile, then those in CApath.
398 399 Params:
400 ctx = the CTX
401 CAfile = pointer to a file of CA certificates in PEM format, or
402 null. The file can containe several CA certificates.
403 CApath = a directory containing CA certificates in PEM format
404 405 Returns:
406 0 if the operation fails, 1 if the operation was successful
407 408 *******************************************************************************/409 410 publicintSSL_CTX_load_verify_locations (SSL_CTX* ctx,
411 const(char*) CAfile, const(char*) CApath);
412 413 414 /*******************************************************************************
415 416 Get the result of peer certficate verification
417 418 Params:
419 ssl = the SSL object which obtained the peer certificate
420 421 Returns:
422 X509_V_OK if the verification succeeded or no peer certificate was
423 presented, ot an error code if the verification failed.
424 425 *******************************************************************************/426 427 publicc_longSSL_get_verify_result (const(SSL)* ssl);
428 429 430 /*******************************************************************************
431 432 Sets the list of available ciphers
433 434 Sets the list of available ciphers (TLS v1.2 and below). For TLSv1.3,
435 this function has no effect; call SSL_set_ciphersuites instead.
436 437 Params:
438 ssl = the SSL object to set the cipher list for
439 str = a colon-delimited sequence of cipher names
440 441 Returns:
442 1 if any cipher could be selected, 0 on complete failure
443 444 *******************************************************************************/445 446 publicintSSL_set_cipher_list (SSL* ssl, const(char*) str);
447 448 449 /*******************************************************************************
450 451 Internal function used to manipulate settings of an SSL object.
452 Should never be called directly.
453 454 Params:
455 ctx = the SSL object to manipulate
456 cmd = the command to execute
457 larg = an integer argument to the command
458 parg = a pointer argument to the command
459 460 Returns:
461 an integer whose meaning depends on the value of cmd
462 463 *******************************************************************************/464 465 privatec_longSSL_ctrl (SSL* ssl,intcmd, c_longlarg, void* parg);
466 467 468 /*******************************************************************************
469 470 Internal function used to manipulate settings of an SSL Context object.
471 Should never be called directly.
472 473 Params:
474 ctx = the SSL context to manipulate
475 cmd = the command to execute
476 larg = an integer argument to the command
477 parg = a pointer argument to the command
478 479 Returns:
480 an integer whose meaning depends on the value of cmd
481 482 *******************************************************************************/483 484 privatec_longSSL_CTX_ctrl (SSL_CTX* ctx, intcmd, c_longlarg, void* parg);
485 486 487 /*******************************************************************************
488 489 Allocates and initializes an X509 structure
490 491 Returns:
492 The newly-allocated structure, or null if allocation fails, in which
493 case ERR_get_error can be used to obtain the error code.
494 495 *******************************************************************************/496 497 publicX509* X509_new ();
498 499 500 /*******************************************************************************
501 502 Frees an X509 structure
503 504 Params:
505 a = the X509 object to free
506 507 *******************************************************************************/508 509 publicvoidX509_free (X509* a);
510 511 512 /*******************************************************************************
513 514 Gets the X509 certificate of the peer
515 516 Params:
517 s = the SSL object
518 519 Returns:
520 A pointer to the X509 certificate which the peer presented
521 522 *******************************************************************************/523 524 publicX509* SSL_get_peer_certificate (const(SSL)* s);
525 526 527 /*******************************************************************************
528 529 Sets up the digest context for generating a signature
530 531 For some key types and parameters the random number generator must be
532 seeded or the operation will fail.
533 534 Params:
535 ctx = context, must have been created with EVP_MD_CTX_new()
536 pctx = if not null, then the pkey context will be copied here
537 type = the message digest algorithm that will be used
538 e = the digest engine to use. May be null for some algorithms
539 pkey = the private key
540 541 Returns:
542 1 on success, 0 or negative for failure, -2 if the operation is not
543 supported by the publuc key algorithm
544 545 *******************************************************************************/546 547 publicintEVP_DigestSignInit (EVP_MD_CTX* ctx, EVP_PKEY_CTX** pctx,
548 const(EVP_MD)* type, ENGINE* e, EVP_PKEY* pkey);
549 550 551 /*******************************************************************************
552 553 Hashes data into a digest context, to update a signature
554 555 This function can be called multiple times on the same ctx to hash
556 additional data.
557 558 Params:
559 ctx = the digest context containing the hash
560 d = pointer to the start of the data to be hashed
561 cnt = the number of bytes of data to be hashed
562 563 Returns:
564 1 on success. 0 for failure
565 566 *******************************************************************************/567 568 publicintEVP_DigestUpdate (EVP_MD_CTX* ctx, const(void)* d, size_tcnt);
569 570 571 /*******************************************************************************
572 573 Generates a signature for the data in the message digest context
574 575 Typically this function will be called twice, firstly to determine the
576 length of the signature, and secondly to retrieve the signature.
577 578 Params:
579 ctx = the message digest context
580 signature = buffer where the signature should be written, or null
581 sig_len = the length of the buffer, if sig is not null.
582 e = the engine to use
583 pkey = the private key
584 585 Returns:
586 1 on success. 0 or negative for failure
587 588 *******************************************************************************/589 590 publicintEVP_DigestSignFinal (EVP_MD_CTX* ctx, const(void)* signature,
591 size_t* sig_len);
592 593 594 /*******************************************************************************
595 596 Allocates, initializes and returns a message digest context.
597 598 Returns:
599 An initialized message digest context
600 601 *******************************************************************************/602 603 publicEVP_MD_CTX* EVP_MD_CTX_create ();
604 605 606 /*******************************************************************************
607 608 Cleans up digest context ctx and frees up the space allocated to it.
609 Should be called only on a context created using EVP_MD_CTX_create().
610 611 Params:
612 ctx = the context to be destroyed
613 614 *******************************************************************************/615 616 publicvoidEVP_MD_CTX_destroy (EVP_MD_CTX *ctx);
617 618 619 /*******************************************************************************
620 621 Allocates an empty EVP_PKEY structure, which is used to store public and
622 private keys
623 624 Returns:
625 An empty key with a reference count of 1, or null if an error
626 occurred.
627 628 *******************************************************************************/629 630 publicEVP_PKEY* EVP_PKEY_new ();
631 632 633 /*******************************************************************************
634 635 Frees an EVP_PKEY structure
636 637 Decrements the reference count of key, and frees if it the reference
638 count has dropped to zero.
639 640 Params:
641 key = the key to be freed
642 643 *******************************************************************************/644 645 publicvoidEVP_PKEY_free (EVP_PKEY* key);
646 647 648 /*******************************************************************************
649 650 Sets the key referenced by pkey to rsa
651 652 Params:
653 pkey = the key to be set
654 rsa = the rsa key to use
655 656 Returns:
657 1 on success, 0 on failure
658 659 *******************************************************************************/660 661 publicintEVP_PKEY_set1_RSA (EVP_PKEY* pkey, RSA* rsa);
662 663 664 /*******************************************************************************
665 666 Returns an EVP_MD structure for the SHA256 digest algorithm
667 668 Returns:
669 A pointer to the EVP_MD structure.
670 671 *******************************************************************************/672 673 publicconst(EVP_MD)* EVP_sha256 ();
674 675 676 /*******************************************************************************
677 678 Allocates and initializes an RSA structure
679 680 Returns:
681 the initialized structure, or null if allocation fails.
682 683 *******************************************************************************/684 685 publicRSA* RSA_new ();
686 687 688 /*******************************************************************************
689 690 Frees an RSA structure
691 692 Params:
693 rsa = the RSA structure to be freed
694 695 Returns:
696 1 on success. No other return values are documented.
697 698 *******************************************************************************/699 700 publicvoidRSA_free (RSA* rsa);
701 702 703 /*******************************************************************************
704 705 Decodes a PKCS#1 RSAPrivateKey structure
706 707 This function should never be called directly. The documentation
708 includes three pages of warnings, caveats, and bugs, noting that unless
709 great care is taken with the parameters, this function causes segfaults
710 and/or internal memory corruption.
711 712 Use decodeRSAPrivateKey() instead.
713 714 *******************************************************************************/715 716 privateRSA* d2i_RSAPrivateKey (RSA** ptr_to_ptr_which_must_be_null,
717 const(void)** ptr_to_ptr_which_gets_corrupted, c_longlen);
718 719 720 721 /*******************************************************************************
722 723 SSL error codes
724 725 *******************************************************************************/726 727 publicenum728 {
729 SSL_ERROR_NONE = 0,
730 SSL_ERROR_SSL = 1,
731 SSL_ERROR_WANT_READ = 2,
732 SSL_ERROR_WANT_WRITE = 3,
733 SSL_ERROR_WANT_X509_LOOKUP = 4,
734 SSL_ERROR_SYSCALL = 5,
735 SSL_ERROR_ZERO_RETURN = 6,
736 SSL_ERROR_WANT_CONNECT = 7,
737 SSL_ERROR_WANT_ACCEPT = 8738 }
739 740 741 /*******************************************************************************
742 743 Enum used by SSL_CTX_set_verify
744 745 *******************************************************************************/746 747 publicenum748 {
749 SSL_VERIFY_NONE = 0,
750 SSL_VERIFY_PEER = 1751 }
752 753 754 /*******************************************************************************
755 756 Options used by SSL_CTX_set_options
757 758 *******************************************************************************/759 760 publicenum : ulong761 {
762 SSL_OP_ALL = 0x80000BFFL, /// Various workarounds for broken implementations763 SSL_OP_NO_SSLv2 = 0x01000000, /// Do not use SSL v2764 SSL_OP_NO_SSLv3 = 0x02000000, /// Do not use SSL v3.765 SSL_OP_NO_COMPRESSION = 0x00020000/// Do not use compression766 }
767 768 769 extern (D):
770 771 /*******************************************************************************
772 773 Adds the options to the SSL context. Options already set before are not
774 cleared.
775 776 Params:
777 ctx = the SSL context
778 op = the option flags to set.
779 780 Returns:
781 The new options bitmask, after adding options.
782 783 *******************************************************************************/784 785 publicc_longSSL_CTX_set_options (SSL_CTX* ctx, c_longop)
786 {
787 staticimmutableSSL_CTRL_OPTIONS = 32;
788 789 returnSSL_CTX_ctrl(ctx, SSL_CTRL_OPTIONS, op, null);
790 }
791 792 793 /*******************************************************************************
794 795 Decodes a PKCS#1 RSAPrivateKey structure, creating an RSA object
796 797 Params:
798 key = the bytes to decode
799 800 Returns:
801 A decoded structure, or null if an error occurs.
802 803 *******************************************************************************/804 805 publicRSA * decodeRSAPrivateKey (const(void)[] key)
806 {
807 // If this isn't null, memory corruption will happen808 809 RSA * rsa = null;
810 811 // This variable gets corrupted by the call812 813 autokeyptr = key.ptr;
814 815 returnd2i_RSAPrivateKey(&rsa, &keyptr, key.length);
816 }