diff options
Diffstat (limited to 'lib/wrappers/openssl.nim')
| -rw-r--r--[-rwxr-xr-x] | lib/wrappers/openssl.nim | 1019 |
1 files changed, 750 insertions, 269 deletions
diff --git a/lib/wrappers/openssl.nim b/lib/wrappers/openssl.nim index ca4ad6a99..9921b7ffd 100755..100644 --- a/lib/wrappers/openssl.nim +++ b/lib/wrappers/openssl.nim @@ -1,89 +1,157 @@ -#==============================================================================# -# Project: Ararat Synapse | 003.004.001 # -#==============================================================================# -# Content: SSL support by OpenSSL # -#==============================================================================# -# Copyright (c)1999-2005, Lukas Gebauer # -# All rights reserved. # -# # -# Redistribution and use in source and binary forms, with or without # -# modification, are permitted provided that the following conditions are met: # -# # -# Redistributions of source code must retain the above copyright notice, this # -# list of conditions and the following disclaimer. # -# # -# Redistributions in binary form must reproduce the above copyright notice, # -# this list of conditions and the following disclaimer in the documentation # -# and/or other materials provided with the distribution. # -# # -# Neither the name of Lukas Gebauer nor the names of its contributors may # -# be used to endorse or promote products derived from this software without # -# specific prior written permission. # -# # -# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" # -# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # -# ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR # -# ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL # -# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # -# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER # -# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # -# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY # -# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH # -# DAMAGE. # -#==============================================================================# -# The Initial Developer of the Original Code is Lukas Gebauer (Czech Republic).# -# Portions created by Lukas Gebauer are Copyright (c)2002-2005. # -# All Rights Reserved. # -#==============================================================================# - -## OpenSSL support - -{.deadCodeElim: on.} - -when defined(WINDOWS): - const - DLLSSLName = "(ssleay32|libssl32).dll" - DLLUtilName = "libeay32.dll" +# +# +# Nim's Runtime Library +# (c) Copyright 2015 Andreas Rumpf +# +# See the file "copying.txt", included in this +# distribution, for details about the copyright. +# + +## OpenSSL wrapper. Supports OpenSSL >= 1.1.0 dynamically (as default) or statically linked +## using `--dynlibOverride:ssl`. +## +## `-d:sslVersion=1.2.3` can be used to force an SSL version. +## This version must be included in the library name. +## `-d:useOpenssl3` may be set for OpenSSL 3 instead. +## +## There is also limited support for OpenSSL 1.0.x which may require `-d:openssl10`. +## +## Build and test examples: +## +## ```cmd +## ./bin/nim c -d:ssl -p:. -r tests/stdlib/tssl.nim +## ./bin/nim c -d:ssl --threads:on -p:. -r tests/stdlib/thttpclient_ssl.nim +## ./bin/nim c -d:ssl -p:. -r tests/untestable/tssl.nim +## ./bin/nim c -d:ssl -p:. --dynlibOverride:ssl --passl:-lcrypto --passl:-lssl -r tests/untestable/tssl.nim +## ./bin/nim r --putenv:NIM_TESTAMENT_REMOTE_NETWORKING:1 -d:ssl -p:testament/lib --threads:on tests/untestable/thttpclient_ssl_remotenetwork.nim +## ``` + +# https://www.feistyduck.com/library/openssl-cookbook/online/ch-testing-with-openssl.html +# +from std/strutils import startsWith + +when defined(nimPreviewSlimSystem): + import std/syncio + +when defined(nimHasStyleChecks): + {.push styleChecks: off.} + +const useWinVersion = defined(windows) or defined(nimdoc) + +# To force openSSL version use -d:sslVersion=1.2.3 +# See: #10281, #10230 +# General issue: +# Other dynamic libraries (like libpg) load different openSSL version then what nim loads. +# Having two different openSSL loaded version causes a crash. +# Use this compile time define to force the openSSL version that your other dynamic libraries want. +const sslVersion {.strdefine.}: string = "" +const useOpenssl3* {.booldefine.} = sslVersion.startsWith('3') +when sslVersion != "": + when defined(macosx): + const + DLLSSLName* = "libssl." & sslVersion & ".dylib" + DLLUtilName* = "libcrypto." & sslVersion & ".dylib" + from std/posix import SocketHandle + elif defined(windows): + const + DLLSSLName* = "libssl-" & sslVersion & ".dll" + DLLUtilName* = "libcrypto-" & sslVersion & ".dll" + from std/winlean import SocketHandle + else: + const + DLLSSLName* = "libssl.so." & sslVersion + DLLUtilName* = "libcrypto.so." & sslVersion + from std/posix import SocketHandle + +elif useWinVersion: + when defined(openssl10) or defined(nimOldDlls): + when defined(cpu64): + const + DLLSSLName* = "(ssleay32|ssleay64).dll" + DLLUtilName* = "(libeay32|libeay64).dll" + else: + const + DLLSSLName* = "ssleay32.dll" + DLLUtilName* = "libeay32.dll" + elif defined(cpu64): + const + DLLSSLName* = "(libssl-1_1-x64|ssleay64|libssl64).dll" + DLLUtilName* = "(libcrypto-1_1-x64|libeay64).dll" + else: + const + DLLSSLName* = "(libssl-1_1|ssleay32|libssl32).dll" + DLLUtilName* = "(libcrypto-1_1|libeay32).dll" + + from std/winlean import SocketHandle else: - const - versions = "(|.1.0.0|.0.9.9|.0.9.8|.0.9.7|.0.9.6|.0.9.5|.0.9.4)" + # same list of versions but ordered differently? + when defined(osx): + const versions = "(.3|.1.1|.38|.39|.41|.43|.44|.45|.46|.47|.48|.10|.1.0.2|.1.0.1|.1.0.0|.0.9.9|.0.9.8|)" + else: + const versions = "(.3|.1.1|.1.0.2|.1.0.1|.1.0.0|.0.9.9|.0.9.8|.48|.47|.46|.45|.44|.43|.41|.39|.38|.10|)" + when defined(macosx): const - DLLSSLName = "libssl" & versions & ".dylib" - DLLUtilName = "libcrypto" & versions & ".dylib" + DLLSSLName* = "libssl" & versions & ".dylib" + DLLUtilName* = "libcrypto" & versions & ".dylib" + elif defined(genode): + const + DLLSSLName* = "libssl.lib.so" + DLLUtilName* = "libcrypto.lib.so" else: - const - DLLSSLName = "libssl.so" & versions - DLLUtilName = "libcrypto.so" & versions + const + DLLSSLName* = "libssl.so" & versions + DLLUtilName* = "libcrypto.so" & versions + from std/posix import SocketHandle + +import std/dynlib + +{.pragma: lcrypto, cdecl, dynlib: DLLUtilName, importc.} +{.pragma: lssl, cdecl, dynlib: DLLSSLName, importc.} -type +type SslStruct {.final, pure.} = object SslPtr* = ptr SslStruct PSslPtr* = ptr SslPtr - PSSL_CTX* = SslPtr - PSSL* = SslPtr + SslCtx* = SslPtr PSSL_METHOD* = SslPtr + PSTACK* = SslPtr PX509* = SslPtr PX509_NAME* = SslPtr - PEVP_MD* = SslPtr PBIO_METHOD* = SslPtr - PBIO* = SslPtr + BIO* = SslPtr EVP_PKEY* = SslPtr PRSA* = SslPtr PASN1_UTCTIME* = SslPtr PASN1_cInt* = SslPtr PPasswdCb* = SslPtr + EVP_MD* = SslPtr + EVP_MD_CTX* = SslPtr + EVP_PKEY_CTX* = SslPtr + ENGINE* = SslPtr PFunction* = proc () {.cdecl.} DES_cblock* = array[0..7, int8] PDES_cblock* = ptr DES_cblock - des_ks_struct*{.final.} = object + des_ks_struct*{.final.} = object ks*: DES_cblock - weak_key*: cInt + weak_key*: cint des_key_schedule* = array[1..16, des_ks_struct] -const + pem_password_cb* = proc(buf: cstring, size, rwflag: cint, userdata: pointer): cint {.cdecl.} + + PaddingType* = enum + RSA_PKCS1_PADDING = 1.cint, + RSA_SSLV23_PADDING = 2.cint, + RSA_NO_PADDING = 3.cint, + RSA_PKCS1_OAEP_PADDING = 4.cint, + RSA_X931_PADDING = 5.cint, + RSA_PKCS1_PSS_PADDING = 6.cint + + +const + SSL_SENT_SHUTDOWN* = 1 + SSL_RECEIVED_SHUTDOWN* = 2 EVP_MAX_MD_SIZE* = 16 + 20 SSL_ERROR_NONE* = 0 SSL_ERROR_SSL* = 1 @@ -109,8 +177,8 @@ const SSL_CTRL_GET_FLAGS* = 13 SSL_CTRL_EXTRA_CHAIN_CERT* = 14 SSL_CTRL_SET_MSG_CALLBACK* = 15 - SSL_CTRL_SET_MSG_CALLBACK_ARG* = 16 # only applies to datagram connections - SSL_CTRL_SET_MTU* = 17 # Stats + SSL_CTRL_SET_MSG_CALLBACK_ARG* = 16 # only applies to datagram connections + SSL_CTRL_SET_MTU* = 17 # Stats SSL_CTRL_SESS_NUMBER* = 20 SSL_CTRL_SESS_CONNECT* = 21 SSL_CTRL_SESS_CONNECT_GOOD* = 22 @@ -134,6 +202,15 @@ const SSL_CTRL_GET_MAX_CERT_LIST* = 50 SSL_CTRL_SET_MAX_CERT_LIST* = 51 #* Allow SSL_write(..., n) to return r with 0 < r < n (i.e. report success # * when just a single record has been written): * + SSL_CTRL_SET_TLSEXT_SERVERNAME_CB = 53 + SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG = 54 + SSL_CTRL_SET_TLSEXT_HOSTNAME = 55 + SSL_CTRL_SET_ECDH_AUTO* = 94 + TLSEXT_NAMETYPE_host_name* = 0 + SSL_TLSEXT_ERR_OK* = 0 + SSL_TLSEXT_ERR_ALERT_WARNING* = 1 + SSL_TLSEXT_ERR_ALERT_FATAL* = 2 + SSL_TLSEXT_ERR_NOACK* = 3 SSL_MODE_ENABLE_PARTIAL_WRITE* = 1 #* Make it possible to retry SSL_write() with changed buffer location # * (buffer contents must stay the same!); this is not the default to avoid # * the misconception that non-blocking SSL_write() behaves like @@ -145,9 +222,13 @@ const SSL_OP_NO_SSLv2* = 0x01000000 SSL_OP_NO_SSLv3* = 0x02000000 SSL_OP_NO_TLSv1* = 0x04000000 + SSL_OP_NO_TLSv1_1* = 0x08000000 SSL_OP_ALL* = 0x000FFFFF SSL_VERIFY_NONE* = 0x00000000 SSL_VERIFY_PEER* = 0x00000001 + SSL_ST_CONNECT* = 0x1000 + SSL_ST_ACCEPT* = 0x2000 + SSL_ST_INIT* = SSL_ST_CONNECT or SSL_ST_ACCEPT OPENSSL_DES_DECRYPT* = 0 OPENSSL_DES_ENCRYPT* = 1 X509_V_OK* = 0 @@ -189,240 +270,640 @@ const SSL_FILETYPE_ASN1* = 2 SSL_FILETYPE_PEM* = 1 EVP_PKEY_RSA* = 6 # libssl.dll - + BIO_C_SET_CONNECT = 100 BIO_C_DO_STATE_MACHINE = 101 BIO_C_GET_SSL = 110 -proc SSL_library_init*(): cInt{.cdecl, dynlib: DLLSSLName, importc, discardable.} -proc SSL_load_error_strings*(){.cdecl, dynlib: DLLSSLName, importc.} -proc ERR_load_BIO_strings*(){.cdecl, dynlib: DLLSSLName, importc.} - -proc SSLv23_client_method*(): PSSL_METHOD{.cdecl, dynlib: DLLSSLName, importc.} -proc SSLv23_method*(): PSSL_METHOD{.cdecl, dynlib: DLLSSLName, importc.} -proc SSLv2_method*(): PSSL_METHOD{.cdecl, dynlib: DLLSSLName, importc.} -proc SSLv3_method*(): PSSL_METHOD{.cdecl, dynlib: DLLSSLName, importc.} proc TLSv1_method*(): PSSL_METHOD{.cdecl, dynlib: DLLSSLName, importc.} -proc SSL_new*(context: PSSL_CTX): PSSL{.cdecl, dynlib: DLLSSLName, importc.} -proc SSL_free*(ssl: PSSL){.cdecl, dynlib: DLLSSLName, importc.} -proc SSL_CTX_new*(meth: PSSL_METHOD): PSSL_CTX{.cdecl, +# TLS_method(), TLS_server_method(), TLS_client_method() are introduced in 1.1.0 +# and support SSLv3, TLSv1, TLSv1.1 and TLSv1.2 +# SSLv23_method(), SSLv23_server_method(), SSLv23_client_method() are removed in 1.1.0 + +const useStaticLink = compileOption("dynlibOverride", "ssl") or defined(noOpenSSLHacks) + +when useStaticLink: + # Static linking + + when defined(openssl10): + proc SSL_library_init*(): cint {.cdecl, dynlib: DLLSSLName, importc, discardable.} + proc SSL_load_error_strings*() {.cdecl, dynlib: DLLSSLName, importc.} + proc SSLv23_method*(): PSSL_METHOD {.cdecl, dynlib: DLLSSLName, importc.} + proc SSLeay(): culong {.cdecl, dynlib: DLLUtilName, importc.} + + proc getOpenSSLVersion*(): culong = + SSLeay() + + proc ERR_load_BIO_strings*() {.cdecl, dynlib: DLLUtilName, importc.} + else: + proc OPENSSL_init_ssl*(opts: uint64, settings: uint8): cint {.cdecl, dynlib: DLLSSLName, importc, discardable.} + proc SSL_library_init*(): cint {.discardable.} = + ## Initialize SSL using OPENSSL_init_ssl for OpenSSL >= 1.1.0 + return OPENSSL_init_ssl(0.uint64, 0.uint8) + + proc TLS_method*(): PSSL_METHOD {.cdecl, dynlib: DLLSSLName, importc.} + proc SSLv23_method*(): PSSL_METHOD = + TLS_method() + + proc OpenSSL_version_num(): culong {.cdecl, dynlib: DLLUtilName, importc.} + + proc getOpenSSLVersion*(): culong = + ## Return OpenSSL version as unsigned long + OpenSSL_version_num() + + proc SSL_load_error_strings*() = + ## Removed from OpenSSL 1.1.0 + # This proc prevents breaking existing code calling SslLoadErrorStrings + # Static linking against OpenSSL < 1.1.0 is not supported + discard + + proc ERR_load_BIO_strings*() = + discard + + when defined(libressl) or defined(openssl10): + proc SSL_state(ssl: SslPtr): cint {.cdecl, dynlib: DLLSSLName, importc.} + proc SSL_in_init*(ssl: SslPtr): cint {.inline.} = + SSL_state(ssl) and SSL_ST_INIT + else: + proc SSL_in_init*(ssl: SslPtr): cint {.cdecl, dynlib: DLLSSLName, importc.} + proc SSL_CTX_set_ciphersuites*(ctx: SslCtx, str: cstring): cint {.cdecl, dynlib: DLLSSLName, importc.} + + template OpenSSL_add_all_algorithms*() = discard + + proc SSLv23_client_method*(): PSSL_METHOD {.cdecl, dynlib: DLLSSLName, importc.} + proc SSLv2_method*(): PSSL_METHOD {.cdecl, dynlib: DLLSSLName, importc.} + proc SSLv3_method*(): PSSL_METHOD {.cdecl, dynlib: DLLSSLName, importc.} + proc CRYPTO_set_mem_functions(a,b,c: pointer){.cdecl, dynlib: DLLUtilName, importc.} + +else: + # Here we're trying to stay compatible between openssl versions. Some + # symbols are loaded dynamically and we don't use them if not found. + proc thisModule(): LibHandle {.inline.} = + var thisMod {.global.}: LibHandle + if thisMod.isNil: thisMod = loadLib() + + result = thisMod + + proc sslModule(): LibHandle {.inline, raises: [LibraryError], tags:[RootEffect].} = + var sslMod {.global.}: LibHandle + try: + if sslMod.isNil: sslMod = loadLibPattern(DLLSSLName) + except: + raise newException(LibraryError, "Could not load SSL using " & DLLSSLName) + + result = sslMod + + proc utilModule(): LibHandle {.inline.} = + var utilMod {.global.}: LibHandle + if utilMod.isNil: utilMod = loadLibPattern(DLLUtilName) + + result = utilMod + + proc symNullable(dll: LibHandle, name: string, alternativeName = ""): pointer = + # Load from DLL. + if not dll.isNil: + result = symAddr(dll, name) + if result.isNil and alternativeName.len > 0: + result = symAddr(dll, alternativeName) + + # Attempt to load from current exe. + if result.isNil: + let thisDynlib = thisModule() + if thisDynlib.isNil: return nil + result = symAddr(thisDynlib, name) + if result.isNil and alternativeName.len > 0: + result = symAddr(thisDynlib, alternativeName) + + proc sslSymNullable(name: string, alternativeName = ""): pointer {.raises: [LibraryError], tags:[RootEffect].} = + sslModule().symNullable(name, alternativeName) + + proc sslSymThrows(name: string, alternativeName = ""): pointer {.raises: [LibraryError].} = + result = sslSymNullable(name, alternativeName) + if result.isNil: raiseInvalidLibrary(name) + + proc utilSymNullable(name: string, alternativeName = ""): pointer = + utilModule().symNullable(name, alternativeName) + + proc loadPSSLMethod(method1, method2: string): PSSL_METHOD {.raises: [LibraryError], tags:[RootEffect].} = + ## Load <method1> from OpenSSL if available, otherwise <method2> + ## + let methodSym = sslSymNullable(method1, method2) + if methodSym.isNil: + raise newException(LibraryError, "Could not load " & method1 & " nor " & method2) + + let method2Proc = cast[proc(): PSSL_METHOD {.cdecl, gcsafe, raises: [].}](methodSym) + return method2Proc() + + proc CRYPTO_set_mem_functions(a,b,c: pointer) = + let theProc = cast[proc(a,b,c: pointer) {.cdecl.}](utilModule().symNullable("CRYPTO_set_mem_functions")) + if not theProc.isNil: theProc(a, b, c) + + proc SSL_library_init*(): cint {.discardable.} = + ## Initialize SSL using OPENSSL_init_ssl for OpenSSL >= 1.1.0 otherwise + ## SSL_library_init + let newInitSym = sslSymNullable("OPENSSL_init_ssl") + if not newInitSym.isNil: + let newInitProc = + cast[proc(opts: uint64, settings: uint8): cint {.cdecl.}](newInitSym) + return newInitProc(0, 0) + let olderProc = cast[proc(): cint {.cdecl.}](sslSymThrows("SSL_library_init")) + if not olderProc.isNil: result = olderProc() + + proc SSL_load_error_strings*() = + # TODO: Are we ignoring this on purpose? SSL GitHub CI fails otherwise. + let theProc = cast[proc() {.cdecl.}](sslSymNullable("SSL_load_error_strings")) + if not theProc.isNil: theProc() + + proc ERR_load_BIO_strings*() = + let theProc = cast[proc() {.cdecl.}](utilModule().symNullable("ERR_load_BIO_strings")) + if not theProc.isNil: theProc() + + proc SSLv23_client_method*(): PSSL_METHOD = + loadPSSLMethod("SSLv23_client_method", "TLS_client_method") + + proc SSLv23_method*(): PSSL_METHOD = + loadPSSLMethod("SSLv23_method", "TLS_method") + + proc SSLv2_method*(): PSSL_METHOD = + loadPSSLMethod("SSLv2_method", "TLS_method") + + proc SSLv3_method*(): PSSL_METHOD = + loadPSSLMethod("SSLv3_method", "TLS_method") + + proc TLS_method*(): PSSL_METHOD = + loadPSSLMethod("TLS_method", "SSLv23_method") + + proc TLS_client_method*(): PSSL_METHOD = + loadPSSLMethod("TLS_client_method", "SSLv23_client_method") + + proc TLS_server_method*(): PSSL_METHOD = + loadPSSLMethod("TLS_server_method", "SSLv23_server_method") + + proc OpenSSL_add_all_algorithms*() = + # TODO: Are we ignoring this on purpose? SSL GitHub CI fails otherwise. + let theProc = cast[proc() {.cdecl.}](sslSymNullable("OPENSSL_add_all_algorithms_conf")) + if not theProc.isNil: theProc() + + proc getOpenSSLVersion*(): culong = + ## Return OpenSSL version as unsigned long or 0 if not available + let theProc = cast[proc(): culong {.cdecl, gcsafe.}](utilSymNullable("OpenSSL_version_num", "SSLeay")) + result = + if theProc.isNil: 0.culong + else: theProc() + + proc SSL_in_init*(ssl: SslPtr): cint = + # A compatibility wrapper for `SSL_in_init()` for OpenSSL 1.0, 1.1 and LibreSSL + const MainProc = "SSL_in_init" + let + theProc {.global.} = cast[proc(ssl: SslPtr): cint {.cdecl, gcsafe.}](sslSymNullable(MainProc)) + # Fallback + sslState {.global.} = cast[proc(ssl: SslPtr): cint {.cdecl, gcsafe.}](sslSymNullable("SSL_state")) + + if not theProc.isNil: + result = theProc(ssl) + elif not sslState.isNil: + result = sslState(ssl) and SSL_ST_INIT + else: + raiseInvalidLibrary MainProc + + proc SSL_CTX_set_ciphersuites*(ctx: SslCtx, str: cstring): cint = + var theProc {.global.}: proc(ctx: SslCtx, str: cstring): cint {.cdecl, gcsafe.} + if theProc.isNil: + theProc = cast[typeof(theProc)](sslSymThrows("SSL_CTX_set_ciphersuites")) + result = theProc(ctx, str) + +proc SSL_new*(context: SslCtx): SslPtr{.cdecl, dynlib: DLLSSLName, importc.} +proc SSL_free*(ssl: SslPtr){.cdecl, dynlib: DLLSSLName, importc.} +proc SSL_get_SSL_CTX*(ssl: SslPtr): SslCtx {.cdecl, dynlib: DLLSSLName, importc.} +proc SSL_set_SSL_CTX*(ssl: SslPtr, ctx: SslCtx): SslCtx {.cdecl, dynlib: DLLSSLName, importc.} +proc SSL_CTX_set_session_id_context*(context: SslCtx, sid_ctx: string, sid_ctx_len: int){.cdecl, dynlib: DLLSSLName, importc.} +proc SSL_get0_verified_chain*(ssl: SslPtr): PSTACK {.cdecl, dynlib: DLLSSLName, + importc.} +proc SSL_CTX_new*(meth: PSSL_METHOD): SslCtx{.cdecl, dynlib: DLLSSLName, importc.} -proc SSL_CTX_load_verify_locations*(ctx: PSSL_CTX, CAfile: cstring, - CApath: cstring): cInt{.cdecl, dynlib: DLLSSLName, importc.} -proc SSL_CTX_free*(arg0: PSSL_CTX){.cdecl, dynlib: DLLSSLName, importc.} -proc SSL_CTX_set_verify*(s: PSSL_CTX, mode: int, cb: proc (a: int, b: pointer): int {.cdecl.}){.cdecl, dynlib: DLLSSLName, importc.} -proc SSL_get_verify_result*(ssl: PSSL): int{.cdecl, +proc SSL_CTX_load_verify_locations*(ctx: SslCtx, CAfile: cstring, + CApath: cstring): cint{.cdecl, dynlib: DLLSSLName, importc.} +proc SSL_CTX_free*(arg0: SslCtx){.cdecl, dynlib: DLLSSLName, importc.} +proc SSL_CTX_set_verify*(s: SslCtx, mode: int, cb: proc (a: int, b: pointer): int {.cdecl.}){.cdecl, dynlib: DLLSSLName, importc.} +proc SSL_get_verify_result*(ssl: SslPtr): int{.cdecl, dynlib: DLLSSLName, importc.} -proc SSL_CTX_set_cipher_list*(s: PSSLCTX, ciphers: cstring): cint{.cdecl, dynlib: DLLSSLName, importc.} -proc SSL_CTX_use_certificate_file*(ctx: PSSL_CTX, filename: cstring, typ: cInt): cInt{. +proc SSL_CTX_set_cipher_list*(s: SslCtx, ciphers: cstring): cint{.cdecl, dynlib: DLLSSLName, importc.} +proc SSL_CTX_use_certificate_file*(ctx: SslCtx, filename: cstring, typ: cint): cint{. stdcall, dynlib: DLLSSLName, importc.} -proc SSL_CTX_use_certificate_chain_file*(ctx: PSSL_CTX, filename: cstring): cInt{. +proc SSL_CTX_use_certificate_chain_file*(ctx: SslCtx, filename: cstring): cint{. stdcall, dynlib: DLLSSLName, importc.} -proc SSL_CTX_use_PrivateKey_file*(ctx: PSSL_CTX, - filename: cstring, typ: cInt): cInt{.cdecl, dynlib: DLLSSLName, importc.} -proc SSL_CTX_check_private_key*(ctx: PSSL_CTX): cInt{.cdecl, dynlib: DLLSSLName, +proc SSL_CTX_use_PrivateKey_file*(ctx: SslCtx, + filename: cstring, typ: cint): cint{.cdecl, dynlib: DLLSSLName, importc.} +proc SSL_CTX_check_private_key*(ctx: SslCtx): cint{.cdecl, dynlib: DLLSSLName, importc.} -proc SSL_set_fd*(ssl: PSSL, fd: cint): cint{.cdecl, dynlib: DLLSSLName, importc.} +proc SSL_CTX_get_ex_new_index*(argl: clong, argp: pointer, new_func: pointer, dup_func: pointer, free_func: pointer): cint {.cdecl, dynlib: DLLSSLName, importc.} +proc SSL_CTX_set_ex_data*(ssl: SslCtx, idx: cint, arg: pointer): cint {.cdecl, dynlib: DLLSSLName, importc.} +proc SSL_CTX_get_ex_data*(ssl: SslCtx, idx: cint): pointer {.cdecl, dynlib: DLLSSLName, importc.} -proc SSL_shutdown*(ssl: PSSL): cInt{.cdecl, dynlib: DLLSSLName, importc.} -proc SSL_connect*(ssl: PSSL): cint{.cdecl, dynlib: DLLSSLName, importc.} -proc SSL_read*(ssl: PSSL, buf: pointer, num: int): cint{.cdecl, dynlib: DLLSSLName, importc.} -proc SSL_write*(ssl: PSSL, buf: cstring, num: int): cint{.cdecl, dynlib: DLLSSLName, importc.} -proc SSL_get_error*(s: PSSL, ret_code: cInt): cInt{.cdecl, dynlib: DLLSSLName, importc.} -proc SSL_accept*(ssl: PSSL): cInt{.cdecl, dynlib: DLLSSLName, importc.} -proc SSL_pending*(ssl: PSSL): cInt{.cdecl, dynlib: DLLSSLName, importc.} +proc SSL_set_fd*(ssl: SslPtr, fd: SocketHandle): cint{.cdecl, dynlib: DLLSSLName, importc.} -proc BIO_new_ssl_connect*(ctx: PSSL_CTX): PBIO{.cdecl, - dynlib: DLLSSLName, importc.} -proc BIO_ctrl*(bio: PBIO, cmd: cint, larg: int, arg: cstring): int{.cdecl, +proc SSL_shutdown*(ssl: SslPtr): cint{.cdecl, dynlib: DLLSSLName, importc.} +proc SSL_set_shutdown*(ssl: SslPtr, mode: cint) {.cdecl, dynlib: DLLSSLName, importc: "SSL_set_shutdown".} +proc SSL_get_shutdown*(ssl: SslPtr): cint {.cdecl, dynlib: DLLSSLName, importc: "SSL_get_shutdown".} +proc SSL_connect*(ssl: SslPtr): cint{.cdecl, dynlib: DLLSSLName, importc.} +proc SSL_read*(ssl: SslPtr, buf: pointer, num: int): cint{.cdecl, dynlib: DLLSSLName, importc.} +proc SSL_write*(ssl: SslPtr, buf: cstring, num: int): cint{.cdecl, dynlib: DLLSSLName, importc.} +proc SSL_get_error*(s: SslPtr, ret_code: cint): cint{.cdecl, dynlib: DLLSSLName, importc.} +proc SSL_accept*(ssl: SslPtr): cint{.cdecl, dynlib: DLLSSLName, importc.} +proc SSL_pending*(ssl: SslPtr): cint{.cdecl, dynlib: DLLSSLName, importc.} + +proc BIO_new_mem_buf*(data: pointer, len: cint): BIO{.cdecl, + dynlib: DLLUtilName, importc.} +proc BIO_new_ssl_connect*(ctx: SslCtx): BIO{.cdecl, dynlib: DLLSSLName, importc.} -proc BIO_get_ssl*(bio: PBIO, ssl: ptr PSSL): int = +proc BIO_ctrl*(bio: BIO, cmd: cint, larg: int, arg: cstring): int{.cdecl, + dynlib: DLLUtilName, importc.} +proc BIO_get_ssl*(bio: BIO, ssl: ptr SslPtr): int = return BIO_ctrl(bio, BIO_C_GET_SSL, 0, cast[cstring](ssl)) -proc BIO_set_conn_hostname*(bio: PBIO, name: cstring): int = +proc BIO_set_conn_hostname*(bio: BIO, name: cstring): int = return BIO_ctrl(bio, BIO_C_SET_CONNECT, 0, name) -proc BIO_do_handshake*(bio: PBIO): int = - return BIO_ctrl(bio, BIO_C_DO_STATE_MACHINE, 0, NIL) -proc BIO_do_connect*(bio: PBIO): int = +proc BIO_do_handshake*(bio: BIO): int = + return BIO_ctrl(bio, BIO_C_DO_STATE_MACHINE, 0, nil) +proc BIO_do_connect*(bio: BIO): int = return BIO_do_handshake(bio) -proc BIO_read*(b: PBIO, data: cstring, length: cInt): cInt{.cdecl, - dynlib: DLLUtilName, importc.} -proc BIO_write*(b: PBIO, data: cstring, length: cInt): cInt{.cdecl, +proc BIO_read*(b: BIO, data: cstring, length: cint): cint{.cdecl, dynlib: DLLUtilName, importc.} +proc BIO_write*(b: BIO, data: cstring, length: cint): cint{.cdecl, dynlib: DLLUtilName, importc.} + +proc BIO_free*(b: BIO): cint{.cdecl, dynlib: DLLUtilName, importc.} + +proc ERR_print_errors_fp*(fp: File){.cdecl, dynlib: DLLUtilName, importc.} + +proc ERR_error_string*(e: culong, buf: cstring): cstring{.cdecl, dynlib: DLLUtilName, importc.} +proc ERR_get_error*(): culong{.cdecl, dynlib: DLLUtilName, importc.} +proc ERR_peek_last_error*(): culong{.cdecl, dynlib: DLLUtilName, importc.} + +proc OPENSSL_config*(configName: cstring){.cdecl, dynlib: DLLUtilName, importc.} -proc BIO_free*(b: PBIO): cInt{.cdecl, dynlib: DLLUtilName, importc.} +proc OPENSSL_sk_num*(stack: PSTACK): int {.cdecl, dynlib: DLLSSLName, importc.} + +proc OPENSSL_sk_value*(stack: PSTACK, index: int): pointer {.cdecl, + dynlib: DLLSSLName, importc.} -proc ERR_print_errors_fp*(fp: TFile){.cdecl, dynlib: DLLSSLName, importc.} +proc d2i_X509*(px: ptr PX509, i: ptr ptr uint8, len: cint): PX509 {.cdecl, + dynlib: DLLUtilName, importc.} -proc ERR_error_string*(e: cInt, buf: cstring): cstring{.cdecl, +proc i2d_X509*(cert: PX509; o: ptr ptr uint8): cint {.cdecl, dynlib: DLLUtilName, importc.} -proc ERR_get_error*(): cInt{.cdecl, dynlib: DLLUtilName, importc.} -proc ERR_peek_last_error*(): cInt{.cdecl, dynlib: DLLUtilName, importc.} -proc OpenSSL_add_all_algorithms*(){.cdecl, dynlib: DLLSSLName, importc: "OPENSSL_add_all_algorithms_conf".} +proc d2i_X509*(b: string): PX509 = + ## decode DER/BER bytestring into X.509 certificate struct + var bb = b.cstring + let i = cast[ptr ptr uint8](addr bb) + let ret = d2i_X509(addr result, i, b.len.cint) + if ret.isNil: + raise newException(Exception, "X.509 certificate decoding failed") + +proc i2d_X509*(cert: PX509): string = + ## encode `cert` to DER string + let encoded_length = i2d_X509(cert, nil) + result = newString(encoded_length) + var q = result.cstring + let o = cast[ptr ptr uint8](addr q) + let length = i2d_X509(cert, o) + if length.int <= 0: + raise newException(Exception, "X.509 certificate encoding failed") + +const + useNimsAlloc = not defined(nimNoAllocForSSL) and not defined(gcDestructors) + +when not useWinVersion and not defined(macosx) and not defined(android) and useNimsAlloc: + proc allocWrapper(size: int): pointer {.cdecl.} = allocShared(size) + proc reallocWrapper(p: pointer; newSize: int): pointer {.cdecl.} = + if p == nil: + if newSize > 0: result = allocShared(newSize) + elif newSize == 0: deallocShared(p) + else: result = reallocShared(p, newSize) + proc deallocWrapper(p: pointer) {.cdecl.} = + if p != nil: deallocShared(p) + + proc CRYPTO_malloc_init*() = + CRYPTO_set_mem_functions(cast[pointer](allocWrapper), cast[pointer](reallocWrapper), cast[pointer](deallocWrapper)) +else: + proc CRYPTO_malloc_init*() = + discard + +proc SSL_CTX_ctrl*(ctx: SslCtx, cmd: cint, larg: clong, parg: pointer): clong{. + cdecl, dynlib: DLLSSLName, importc.} + +proc SSL_CTX_callback_ctrl(ctx: SslCtx, typ: cint, fp: PFunction): int{. + cdecl, dynlib: DLLSSLName, importc.} + +proc SSLCTXSetMode*(ctx: SslCtx, mode: int): int = + result = SSL_CTX_ctrl(ctx, SSL_CTRL_MODE, clong mode, nil) + +proc SSL_ctrl*(ssl: SslPtr, cmd: cint, larg: int, parg: pointer): int{. + cdecl, dynlib: DLLSSLName, importc.} + +proc SSL_set_tlsext_host_name*(ssl: SslPtr, name: cstring): int = + ## Set the SNI server name extension to be used in a client hello. + ## Returns 1 if SNI was set, 0 if current SSL configuration doesn't support SNI. + result = SSL_ctrl(ssl, SSL_CTRL_SET_TLSEXT_HOSTNAME, TLSEXT_NAMETYPE_host_name, name) + +proc SSL_get_servername*(ssl: SslPtr, typ: cint = TLSEXT_NAMETYPE_host_name): cstring {.cdecl, dynlib: DLLSSLName, importc.} + ## Retrieve the server name requested in the client hello. This can be used + ## in the callback set in `SSL_CTX_set_tlsext_servername_callback` to + ## implement virtual hosting. May return `nil`. + +proc SSL_CTX_set_tlsext_servername_callback*(ctx: SslCtx, cb: proc(ssl: SslPtr, cb_id: int, arg: pointer): int {.cdecl.}): int = + ## Set the callback to be used on listening SSL connections when the client hello is received. + ## + ## The callback should return one of: + ## * SSL_TLSEXT_ERR_OK + ## * SSL_TLSEXT_ERR_ALERT_WARNING + ## * SSL_TLSEXT_ERR_ALERT_FATAL + ## * SSL_TLSEXT_ERR_NOACK + result = SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_TLSEXT_SERVERNAME_CB, cast[PFunction](cb)) + +proc SSL_CTX_set_tlsext_servername_arg*(ctx: SslCtx, arg: pointer): int = + ## Set the pointer to be used in the callback registered to `SSL_CTX_set_tlsext_servername_callback`. + result = SSL_CTX_ctrl(ctx, SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG, 0, arg) + +type + PskClientCallback* = proc (ssl: SslPtr; + hint: cstring; identity: cstring; max_identity_len: cuint; psk: ptr uint8; + max_psk_len: cuint): cuint {.cdecl.} + + PskServerCallback* = proc (ssl: SslPtr; + identity: cstring; psk: ptr uint8; max_psk_len: cint): cuint {.cdecl.} + +proc SSL_CTX_set_psk_client_callback*(ctx: SslCtx; callback: PskClientCallback) {.cdecl, dynlib: DLLSSLName, importc.} + ## Set callback called when OpenSSL needs PSK (for client). + +proc SSL_CTX_set_psk_server_callback*(ctx: SslCtx; callback: PskServerCallback) {.cdecl, dynlib: DLLSSLName, importc.} + ## Set callback called when OpenSSL needs PSK (for server). + +proc SSL_CTX_use_psk_identity_hint*(ctx: SslCtx; hint: cstring): cint {.cdecl, dynlib: DLLSSLName, importc.} + ## Set PSK identity hint to use. + +proc SSL_get_psk_identity*(ssl: SslPtr): cstring {.cdecl, dynlib: DLLSSLName, importc.} + ## Get PSK identity. + +proc SSL_CTX_set_ecdh_auto*(ctx: SslCtx, onoff: cint): cint {.inline.} = + ## Set automatic curve selection. + ## + ## On OpenSSL >= 1.1.0 this is on by default and cannot be disabled. + if getOpenSSLVersion() < 0x010100000 or getOpenSSLVersion() == 0x020000000: + result = cint SSL_CTX_ctrl(ctx, SSL_CTRL_SET_ECDH_AUTO, onoff, nil) + else: + result = 1 + +proc bioNew*(b: PBIO_METHOD): BIO{.cdecl, dynlib: DLLUtilName, importc: "BIO_new".} +proc bioFreeAll*(b: BIO){.cdecl, dynlib: DLLUtilName, importc: "BIO_free_all".} +proc bioSMem*(): PBIO_METHOD{.cdecl, dynlib: DLLUtilName, importc: "BIO_s_mem".} +proc bioCtrlPending*(b: BIO): cint{.cdecl, dynlib: DLLUtilName, importc: "BIO_ctrl_pending".} +proc bioRead*(b: BIO, Buf: cstring, length: cint): cint{.cdecl, + dynlib: DLLUtilName, importc: "BIO_read".} +proc bioWrite*(b: BIO, Buf: cstring, length: cint): cint{.cdecl, + dynlib: DLLUtilName, importc: "BIO_write".} -proc OPENSSL_config*(configName: cstring){.cdecl, dynlib: DLLSSLName, importc.} +proc sslSetConnectState*(s: SslPtr) {.cdecl, + dynlib: DLLSSLName, importc: "SSL_set_connect_state".} +proc sslSetAcceptState*(s: SslPtr) {.cdecl, + dynlib: DLLSSLName, importc: "SSL_set_accept_state".} -proc CRYPTO_set_mem_functions(a,b,c: pointer){.cdecl, dynlib: DLLSSLName, importc.} +proc sslRead*(ssl: SslPtr, buf: cstring, num: cint): cint{.cdecl, + dynlib: DLLSSLName, importc: "SSL_read".} +proc sslPeek*(ssl: SslPtr, buf: cstring, num: cint): cint{.cdecl, + dynlib: DLLSSLName, importc: "SSL_peek".} +proc sslWrite*(ssl: SslPtr, buf: cstring, num: cint): cint{.cdecl, + dynlib: DLLSSLName, importc: "SSL_write".} -proc CRYPTO_malloc_init*() = - CRYPTO_set_mem_functions(alloc, realloc, dealloc) +proc sslSetBio*(ssl: SslPtr, rbio, wbio: BIO) {.cdecl, + dynlib: DLLSSLName, importc: "SSL_set_bio".} -when True: - nil +proc sslDoHandshake*(ssl: SslPtr): cint {.cdecl, + dynlib: DLLSSLName, importc: "SSL_do_handshake".} + + +proc ErrClearError*(){.cdecl, dynlib: DLLUtilName, importc: "ERR_clear_error".} +proc ErrFreeStrings*(){.cdecl, dynlib: DLLUtilName, importc: "ERR_free_strings".} +proc ErrRemoveState*(pid: cint){.cdecl, dynlib: DLLUtilName, importc: "ERR_remove_state".} + +proc PEM_read_bio_RSA_PUBKEY*(bp: BIO, x: ptr PRSA, pw: pem_password_cb, u: pointer): PRSA {.cdecl, + dynlib: DLLUtilName, importc.} +proc PEM_read_RSA_PUBKEY*(fp: pointer; x: ptr PRSA; cb: pem_password_cb, u: pointer): PRSA {.cdecl, + dynlib: DLLUtilName, importc.} +proc RSA_verify*(kind: cint, origMsg: pointer, origMsgLen: cuint, signature: pointer, + signatureLen: cuint, rsa: PRSA): cint {.cdecl, dynlib: DLLUtilName, importc.} +proc PEM_read_RSAPrivateKey*(fp: pointer; x: ptr PRSA; cb: pem_password_cb, u: pointer): PRSA {.cdecl, + dynlib: DLLUtilName, importc.} +proc PEM_read_RSAPublicKey*(fp: pointer; x: ptr PRSA; cb: pem_password_cb, u: pointer): PRSA {.cdecl, + dynlib: DLLUtilName, importc.} +proc PEM_read_bio_RSAPublicKey*(bp: BIO, x: ptr PRSA, cb: pem_password_cb, u: pointer): PRSA {.cdecl, + dynlib: DLLUtilName, importc.} +proc PEM_read_bio_RSAPrivateKey*(bp: BIO, x: ptr PRSA, cb: pem_password_cb, u: pointer): PRSA {.cdecl, + dynlib: DLLUtilName, importc.} +proc RSA_private_encrypt*(flen: cint, fr: ptr uint8, to: ptr uint8, rsa: PRSA, padding: PaddingType): cint {.cdecl, + dynlib: DLLUtilName, importc.} +proc RSA_public_encrypt*(flen: cint, fr: ptr uint8, to: ptr uint8, rsa: PRSA, padding: PaddingType): cint {.cdecl, + dynlib: DLLUtilName, importc.} +proc RSA_private_decrypt*(flen: cint, fr: ptr uint8, to: ptr uint8, rsa: PRSA, padding: PaddingType): cint {.cdecl, + dynlib: DLLUtilName, importc.} +proc RSA_public_decrypt*(flen: cint, fr: ptr uint8, to: ptr uint8, rsa: PRSA, padding: PaddingType): cint {.cdecl, + dynlib: DLLUtilName, importc.} +proc RSA_free*(rsa: PRSA) {.cdecl, dynlib: DLLUtilName, importc.} +proc RSA_size*(rsa: PRSA): cint {.cdecl, dynlib: DLLUtilName, importc.} + +# sha types +proc EVP_md_null*(): EVP_MD {.lcrypto.} +proc EVP_md2*(): EVP_MD {.lcrypto.} +proc EVP_md4*(): EVP_MD {.lcrypto.} +proc EVP_md5*(): EVP_MD {.lcrypto.} +proc EVP_sha*(): EVP_MD {.lcrypto.} +proc EVP_sha1*(): EVP_MD {.lcrypto.} +proc EVP_dss*(): EVP_MD {.lcrypto.} +proc EVP_dss1*(): EVP_MD {.lcrypto.} +proc EVP_ecdsa*(): EVP_MD {.lcrypto.} +proc EVP_sha224*(): EVP_MD {.lcrypto.} +proc EVP_sha256*(): EVP_MD {.lcrypto.} +proc EVP_sha384*(): EVP_MD {.lcrypto.} +proc EVP_sha512*(): EVP_MD {.lcrypto.} +proc EVP_mdc2*(): EVP_MD {.lcrypto.} +proc EVP_ripemd160*(): EVP_MD {.lcrypto.} +proc EVP_whirlpool*(): EVP_MD {.lcrypto.} +proc EVP_MD_size*(md: EVP_MD): cint {.lcrypto.} + +# hmac functions +proc HMAC*(evp_md: EVP_MD; key: pointer; key_len: cint; d: cstring; n: csize_t; md: cstring; md_len: ptr cuint): cstring {.lcrypto.} + +# RSA key functions +proc PEM_read_bio_PrivateKey*(bp: BIO, x: ptr EVP_PKEY, cb: pointer, u: pointer): EVP_PKEY {.lcrypto.} +proc EVP_PKEY_free*(p: EVP_PKEY) {.lcrypto.} +proc EVP_DigestSignInit*(ctx: EVP_MD_CTX, pctx: ptr EVP_PKEY_CTX, typ: EVP_MD, e: ENGINE, pkey: EVP_PKEY): cint {.lcrypto.} +proc EVP_DigestInit_ex*(ctx: EVP_MD_CTX, typ: EVP_MD, engine: SslPtr = nil): cint {.lcrypto.} +proc EVP_DigestUpdate*(ctx: EVP_MD_CTX, data: pointer, len: cuint): cint {.lcrypto.} +proc EVP_DigestFinal_ex*(ctx: EVP_MD_CTX, buffer: pointer, size: ptr cuint): cint {.lcrypto.} +proc EVP_DigestSignFinal*(ctx: EVP_MD_CTX, data: pointer, len: ptr csize_t): cint {.lcrypto.} +proc EVP_PKEY_CTX_new*(pkey: EVP_PKEY, e: ENGINE): EVP_PKEY_CTX {.lcrypto.} +proc EVP_PKEY_CTX_free*(pkeyCtx: EVP_PKEY_CTX) {.lcrypto.} +proc EVP_PKEY_sign_init*(c: EVP_PKEY_CTX): cint {.lcrypto.} + +when defined(macosx) or defined(windows): + proc EVP_MD_CTX_create*(): EVP_MD_CTX {.lcrypto.} + proc EVP_MD_CTX_destroy*(ctx: EVP_MD_CTX) {.lcrypto.} + proc EVP_MD_CTX_cleanup*(ctx: EVP_MD_CTX): cint {.lcrypto.} else: - proc SslCtxSetCipherList*(arg0: PSSL_CTX, str: cstring): cInt{.cdecl, - dynlib: DLLSSLName, importc.} - proc SslCtxNew*(meth: PSSL_METHOD): PSSL_CTX{.cdecl, - dynlib: DLLSSLName, importc.} - - proc SslSetFd*(s: PSSL, fd: cInt): cInt{.cdecl, dynlib: DLLSSLName, importc.} - proc SslCtrl*(ssl: PSSL, cmd: cInt, larg: int, parg: Pointer): int{.cdecl, - dynlib: DLLSSLName, importc.} - proc SslCTXCtrl*(ctx: PSSL_CTX, cmd: cInt, larg: int, parg: Pointer): int{. - cdecl, dynlib: DLLSSLName, importc.} - - proc SSLCTXSetMode*(ctx: PSSL_CTX, mode: int): int - proc SSLSetMode*(s: PSSL, mode: int): int - proc SSLCTXGetMode*(ctx: PSSL_CTX): int - proc SSLGetMode*(s: PSSL): int - proc SslMethodV2*(): PSSL_METHOD{.cdecl, dynlib: DLLSSLName, importc.} - proc SslMethodV3*(): PSSL_METHOD{.cdecl, dynlib: DLLSSLName, importc.} - proc SslMethodTLSV1*(): PSSL_METHOD{.cdecl, dynlib: DLLSSLName, importc.} - proc SslMethodV23*(): PSSL_METHOD{.cdecl, dynlib: DLLSSLName, importc.} - proc SslCtxUsePrivateKey*(ctx: PSSL_CTX, pkey: SslPtr): cInt{.cdecl, - dynlib: DLLSSLName, importc.} - proc SslCtxUsePrivateKeyASN1*(pk: cInt, ctx: PSSL_CTX, - d: cstring, length: int): cInt{.cdecl, dynlib: DLLSSLName, importc.} - - proc SslCtxUseCertificate*(ctx: PSSL_CTX, x: SslPtr): cInt{.cdecl, - dynlib: DLLSSLName, importc.} - proc SslCtxUseCertificateASN1*(ctx: PSSL_CTX, length: int, d: cstring): cInt{. - cdecl, dynlib: DLLSSLName, importc.} - - # function SslCtxUseCertificateChainFile(ctx: PSSL_CTX; const filename: PChar):cInt; - proc SslCtxUseCertificateChainFile*(ctx: PSSL_CTX, filename: cstring): cInt{. - cdecl, dynlib: DLLSSLName, importc.} - proc SslCtxSetDefaultPasswdCb*(ctx: PSSL_CTX, cb: PPasswdCb){.cdecl, - dynlib: DLLSSLName, importc.} - proc SslCtxSetDefaultPasswdCbUserdata*(ctx: PSSL_CTX, u: SslPtr){.cdecl, - dynlib: DLLSSLName, importc.} - # function SslCtxLoadVerifyLocations(ctx: PSSL_CTX; const CAfile: PChar; const CApath: PChar):cInt; - proc SslCtxLoadVerifyLocations*(ctx: PSSL_CTX, CAfile: cstring, CApath: cstring): cInt{. - cdecl, dynlib: DLLSSLName, importc.} - proc SslNew*(ctx: PSSL_CTX): PSSL{.cdecl, dynlib: DLLSSLName, importc.} - - - proc SslConnect*(ssl: PSSL): cInt{.cdecl, dynlib: DLLSSLName, importc.} - - proc SslRead*(ssl: PSSL, buf: SslPtr, num: cInt): cInt{.cdecl, - dynlib: DLLSSLName, importc.} - proc SslPeek*(ssl: PSSL, buf: SslPtr, num: cInt): cInt{.cdecl, - dynlib: DLLSSLName, importc.} - proc SslWrite*(ssl: PSSL, buf: SslPtr, num: cInt): cInt{.cdecl, - dynlib: DLLSSLName, importc.} - proc SslGetVersion*(ssl: PSSL): cstring{.cdecl, dynlib: DLLSSLName, importc.} - proc SslGetPeerCertificate*(ssl: PSSL): PX509{.cdecl, dynlib: DLLSSLName, - importc.} - proc SslCtxSetVerify*(ctx: PSSL_CTX, mode: cInt, arg2: PFunction){.cdecl, - dynlib: DLLSSLName, importc.} - proc SSLGetCurrentCipher*(s: PSSL): SslPtr{.cdecl, dynlib: DLLSSLName, importc.} - proc SSLCipherGetName*(c: SslPtr): cstring{.cdecl, dynlib: DLLSSLName, importc.} - proc SSLCipherGetBits*(c: SslPtr, alg_bits: var cInt): cInt{.cdecl, - dynlib: DLLSSLName, importc.} - proc SSLGetVerifyResult*(ssl: PSSL): int{.cdecl, dynlib: DLLSSLName, importc.} - # libeay.dll - proc X509New*(): PX509{.cdecl, dynlib: DLLUtilName, importc.} - proc X509Free*(x: PX509){.cdecl, dynlib: DLLUtilName, importc.} - proc X509NameOneline*(a: PX509_NAME, buf: cstring, size: cInt): cstring{. - cdecl, dynlib: DLLUtilName, importc.} - proc X509GetSubjectName*(a: PX509): PX509_NAME{.cdecl, dynlib: DLLUtilName, - importc.} - proc X509GetIssuerName*(a: PX509): PX509_NAME{.cdecl, dynlib: DLLUtilName, - importc.} - proc X509NameHash*(x: PX509_NAME): int{.cdecl, dynlib: DLLUtilName, importc.} - # function SslX509Digest(data: PX509; typ: PEVP_MD; md: PChar; len: PcInt):cInt; - proc X509Digest*(data: PX509, typ: PEVP_MD, md: cstring, length: var cInt): cInt{. - cdecl, dynlib: DLLUtilName, importc.} - proc X509print*(b: PBIO, a: PX509): cInt{.cdecl, dynlib: DLLUtilName, importc.} - proc X509SetVersion*(x: PX509, version: cInt): cInt{.cdecl, dynlib: DLLUtilName, - importc.} - proc X509SetPubkey*(x: PX509, pkey: EVP_PKEY): cInt{.cdecl, dynlib: DLLUtilName, - importc.} - proc X509SetIssuerName*(x: PX509, name: PX509_NAME): cInt{.cdecl, - dynlib: DLLUtilName, importc.} - proc X509NameAddEntryByTxt*(name: PX509_NAME, field: cstring, typ: cInt, - bytes: cstring, length, loc, theSet: cInt): cInt{. - cdecl, dynlib: DLLUtilName, importc.} - proc X509Sign*(x: PX509, pkey: EVP_PKEY, md: PEVP_MD): cInt{.cdecl, - dynlib: DLLUtilName, importc.} - proc X509GmtimeAdj*(s: PASN1_UTCTIME, adj: cInt): PASN1_UTCTIME{.cdecl, - dynlib: DLLUtilName, importc.} - proc X509SetNotBefore*(x: PX509, tm: PASN1_UTCTIME): cInt{.cdecl, - dynlib: DLLUtilName, importc.} - proc X509SetNotAfter*(x: PX509, tm: PASN1_UTCTIME): cInt{.cdecl, - dynlib: DLLUtilName, importc.} - proc X509GetSerialNumber*(x: PX509): PASN1_cInt{.cdecl, dynlib: DLLUtilName, - importc.} - proc EvpPkeyNew*(): EVP_PKEY{.cdecl, dynlib: DLLUtilName, importc.} - proc EvpPkeyFree*(pk: EVP_PKEY){.cdecl, dynlib: DLLUtilName, importc.} - proc EvpPkeyAssign*(pkey: EVP_PKEY, typ: cInt, key: Prsa): cInt{.cdecl, - dynlib: DLLUtilName, importc.} - proc EvpGetDigestByName*(Name: cstring): PEVP_MD{.cdecl, dynlib: DLLUtilName, - importc.} - proc EVPcleanup*(){.cdecl, dynlib: DLLUtilName, importc.} - # function ErrErrorString(e: cInt; buf: PChar): PChar; - proc SSLeayversion*(t: cInt): cstring{.cdecl, dynlib: DLLUtilName, importc.} - - proc ErrClearError*(){.cdecl, dynlib: DLLUtilName, importc.} - proc ErrFreeStrings*(){.cdecl, dynlib: DLLUtilName, importc.} - proc ErrRemoveState*(pid: cInt){.cdecl, dynlib: DLLUtilName, importc.} - proc OPENSSLaddallalgorithms*(){.cdecl, dynlib: DLLUtilName, importc.} - proc CRYPTOcleanupAllExData*(){.cdecl, dynlib: DLLUtilName, importc.} - proc RandScreen*(){.cdecl, dynlib: DLLUtilName, importc.} - proc BioNew*(b: PBIO_METHOD): PBIO{.cdecl, dynlib: DLLUtilName, importc.} - proc BioFreeAll*(b: PBIO){.cdecl, dynlib: DLLUtilName, importc.} - proc BioSMem*(): PBIO_METHOD{.cdecl, dynlib: DLLUtilName, importc.} - proc BioCtrlPending*(b: PBIO): cInt{.cdecl, dynlib: DLLUtilName, importc.} - proc BioRead*(b: PBIO, Buf: cstring, length: cInt): cInt{.cdecl, - dynlib: DLLUtilName, importc.} - proc BioWrite*(b: PBIO, Buf: cstring, length: cInt): cInt{.cdecl, - dynlib: DLLUtilName, importc.} - proc d2iPKCS12bio*(b: PBIO, Pkcs12: SslPtr): SslPtr{.cdecl, dynlib: DLLUtilName, - importc.} - proc PKCS12parse*(p12: SslPtr, pass: cstring, pkey, cert, ca: var SslPtr): cint{. - dynlib: DLLUtilName, importc, cdecl.} - - proc PKCS12free*(p12: SslPtr){.cdecl, dynlib: DLLUtilName, importc.} - proc RsaGenerateKey*(bits, e: cInt, callback: PFunction, cb_arg: SslPtr): PRSA{. - cdecl, dynlib: DLLUtilName, importc.} - proc Asn1UtctimeNew*(): PASN1_UTCTIME{.cdecl, dynlib: DLLUtilName, importc.} - proc Asn1UtctimeFree*(a: PASN1_UTCTIME){.cdecl, dynlib: DLLUtilName, importc.} - proc Asn1cIntSet*(a: PASN1_cInt, v: cInt): cInt{.cdecl, dynlib: DLLUtilName, - importc.} - proc i2dX509bio*(b: PBIO, x: PX509): cInt{.cdecl, dynlib: DLLUtilName, importc.} - proc i2dPrivateKeyBio*(b: PBIO, pkey: EVP_PKEY): cInt{.cdecl, - dynlib: DLLUtilName, importc.} - # 3DES functions - proc DESsetoddparity*(Key: des_cblock){.cdecl, dynlib: DLLUtilName, importc.} - proc DESsetkeychecked*(key: des_cblock, schedule: des_key_schedule): cInt{. - cdecl, dynlib: DLLUtilName, importc.} - proc DESecbencrypt*(Input: des_cblock, output: des_cblock, ks: des_key_schedule, - enc: cInt){.cdecl, dynlib: DLLUtilName, importc.} - # implementation - - proc SSLCTXSetMode(ctx: PSSL_CTX, mode: int): int = - Result = SslCTXCtrl(ctx, SSL_CTRL_MODE, mode, nil) - - proc SSLSetMode(s: PSSL, mode: int): int = - Result = SSLctrl(s, SSL_CTRL_MODE, mode, nil) - - proc SSLCTXGetMode(ctx: PSSL_CTX): int = - Result = SSLCTXctrl(ctx, SSL_CTRL_MODE, 0, nil) - - proc SSLGetMode(s: PSSL): int = - Result = SSLctrl(s, SSL_CTRL_MODE, 0, nil) + # some times you will need this instead: + proc EVP_MD_CTX_create*(): EVP_MD_CTX {.cdecl, importc: "EVP_MD_CTX_new", dynlib: DLLUtilName.} + proc EVP_MD_CTX_destroy*(ctx: EVP_MD_CTX) {.cdecl, importc: "EVP_MD_CTX_free", dynlib: DLLUtilName.} + proc EVP_MD_CTX_cleanup*(ctx: EVP_MD_CTX): cint {.cdecl, importc: "EVP_MD_CTX_cleanup", dynlib: DLLUtilName.} + +# <openssl/md5.h> +type + MD5_LONG* = cuint +const + MD5_CBLOCK* = 64 + MD5_LBLOCK* = int(MD5_CBLOCK div 4) + MD5_DIGEST_LENGTH* = 16 +type + MD5_CTX* = object + A,B,C,D,Nl,Nh: MD5_LONG + data: array[MD5_LBLOCK, MD5_LONG] + num: cuint + +{.push callconv:cdecl, dynlib:DLLUtilName.} +proc md5_Init*(c: var MD5_CTX): cint{.importc: "MD5_Init".} +proc md5_Update*(c: var MD5_CTX; data: pointer; len: csize_t): cint{.importc: "MD5_Update".} +proc md5_Final*(md: cstring; c: var MD5_CTX): cint{.importc: "MD5_Final".} +proc md5*(d: ptr uint8; n: csize_t; md: ptr uint8): ptr uint8{.importc: "MD5".} +proc md5_Transform*(c: var MD5_CTX; b: ptr uint8){.importc: "MD5_Transform".} +{.pop.} + +from std/strutils import toHex, toLowerAscii + +proc hexStr(buf: cstring): string = + # turn md5s output into a nice hex str + result = newStringOfCap(32) + for i in 0 ..< 16: + result.add toHex(buf[i].ord, 2).toLowerAscii + +proc md5_File*(file: string): string {.raises: [IOError,Exception].} = + ## Generate MD5 hash for a file. Result is a 32 character + # hex string with lowercase characters (like the output + # of `md5sum` + const + sz = 512 + let f = open(file,fmRead) + var + buf: array[sz,char] + ctx: MD5_CTX + + discard md5_Init(ctx) + while (let bytes = f.readChars(buf); bytes > 0): + discard md5_Update(ctx, buf[0].addr, cast[csize_t](bytes)) + + discard md5_Final(cast[cstring](buf[0].addr), ctx) + f.close + + result = hexStr(cast[cstring](addr buf)) + +proc md5_Str*(str: string): string = + ## Generate MD5 hash for a string. Result is a 32 character + ## hex string with lowercase characters + var + ctx: MD5_CTX + res: array[MD5_DIGEST_LENGTH,char] + input = str.cstring + discard md5_Init(ctx) + + var i = 0 + while i < str.len: + let L = min(str.len - i, 512) + discard md5_Update(ctx, input[i].addr, cast[csize_t](L)) + i += L + + discard md5_Final(cast[cstring](addr res), ctx) + result = hexStr(cast[cstring](addr res)) + +when defined(nimHasStyleChecks): + {.pop.} + + +# Certificate validation +# On old openSSL version some of these symbols are not available +when not defined(nimDisableCertificateValidation) and not defined(windows): + + # SSL_get_peer_certificate removed in 3.0 + # SSL_get1_peer_certificate added in 3.0 + when useOpenssl3: + proc SSL_get1_peer_certificate*(ssl: SslCtx): PX509 {.cdecl, dynlib: DLLSSLName, importc.} + proc SSL_get_peer_certificate*(ssl: SslCtx): PX509 = + SSL_get1_peer_certificate(ssl) + elif useStaticLink: + proc SSL_get_peer_certificate*(ssl: SslCtx): PX509 {.cdecl, dynlib: DLLSSLName, importc.} + else: + proc SSL_get_peer_certificate*(ssl: SslCtx): PX509 = + let methodSym = sslSymNullable("SSL_get_peer_certificate", "SSL_get1_peer_certificate") + if methodSym.isNil: + raise newException(LibraryError, "Could not load SSL_get_peer_certificate or SSL_get1_peer_certificate") + let method2Proc = cast[proc(ssl: SslCtx): PX509 {.cdecl, gcsafe, raises: [].}](methodSym) + return method2Proc(ssl) + + proc X509_get_subject_name*(a: PX509): PX509_NAME{.cdecl, dynlib: DLLSSLName, importc.} + + proc X509_get_issuer_name*(a: PX509): PX509_NAME{.cdecl, dynlib: DLLUtilName, importc.} + + proc X509_NAME_oneline*(a: PX509_NAME, buf: cstring, size: cint): cstring {. + cdecl, dynlib:DLLSSLName, importc.} + + proc X509_NAME_get_text_by_NID*(subject:cstring, NID: cint, buf: cstring, size: cint): cint{. + cdecl, dynlib:DLLSSLName, importc.} + + proc X509_check_host*(cert: PX509, name: cstring, namelen: cint, flags:cuint, peername: cstring): cint {.cdecl, dynlib: DLLSSLName, importc.} + + proc X509_free*(cert: PX509) {.cdecl, dynlib: DLLSSLName, importc.} + + # Certificates store + + type PX509_STORE* = SslPtr + type PX509_OBJECT* = SslPtr + + {.push callconv:cdecl, dynlib:DLLUtilName, importc.} + + proc X509_OBJECT_new*(): PX509_OBJECT + proc X509_OBJECT_free*(a: PX509_OBJECT) + + proc X509_STORE_new*(): PX509_STORE + proc X509_STORE_free*(v: PX509_STORE) + proc X509_STORE_lock*(ctx: PX509_STORE): cint + proc X509_STORE_unlock*(ctx: PX509_STORE): cint + proc X509_STORE_up_ref*(v: PX509_STORE): cint + proc X509_STORE_set_flags*(ctx: PX509_STORE; flags: culong): cint + proc X509_STORE_set_purpose*(ctx: PX509_STORE; purpose: cint): cint + proc X509_STORE_set_trust*(ctx: PX509_STORE; trust: cint): cint + proc X509_STORE_add_cert*(ctx: PX509_STORE; x: PX509): cint + + {.pop.} + + when isMainModule: + when defined(nimPreviewSlimSystem): + import std/assertions + # A simple certificate test + let certbytes = readFile("certificate.der") + let cert = d2i_X509(certbytes) + let encoded = cert.i2d_X509() + assert encoded == certbytes + +# Application Layer Protocol Negociation extension (TLS-ALPN, RFC7301) +# Available in at least OpenSSL 1.1.1 and later, not sure if earlier +# --Iced Quinn + +proc SSL_CTX_set_alpn_protos*(ctx: SslCtx; protos: cstring; protos_len: cuint): cint {.cdecl, dynlib: DLLSSLName, importc.} +proc SSL_set_alpn_protos*(ssl: SslPtr; protos: cstring; protos_len: cuint): cint {.cdecl, dynlib: DLLSSLName, importc.} +proc SSL_CTX_set_alpn_select_cb*(ctx: SslCtx; cb: proc(ssl: SslPtr; out_proto: ptr cstring; outlen: cstring; in_proto: cstring; inlen: cuint; arg: pointer): cint {.cdecl.}; arg: pointer): cint {.cdecl, dynlib: DLLSSLName, importc.} +proc SSL_get0_alpn_selected*(ssl: SslPtr; data: ptr cstring; len: ptr cuint) {.cdecl, dynlib: DLLSSLName, importc.} +proc SSL_CTX_set_next_protos_advertised_cb*(ctx: SslCtx; cb: proc(ssl: SslPtr; out_proto: ptr cstring; outlen: ptr cuint; arg: pointer): cint {.cdecl.}; arg: pointer) {.cdecl, dynlib: DLLSSLName, importc.} +proc SSL_CTX_set_next_proto_select_cb*(ctx: SslCtx; cb: proc(s: SslPtr; out_proto: cstring; outlen: cstring; in_proto: cstring; inlen: cuint; arg: pointer): cint {.cdecl.}; arg: pointer) {.cdecl, dynlib: DLLSSLName, importc.} +proc SSL_select_next_proto*(out_proto: ptr cstring; outlen: cstring; server: cstring; server_len: cuint; client: cstring; client_len: cuint): cint {.cdecl, dynlib: DLLSSLName, importc.} +proc SSL_get0_next_proto_negotiated*(s: SslPtr; data: ptr cstring; len: ptr cuint) {.cdecl, dynlib: DLLSSLName, importc.} |