openssl.nim 35 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860
  1. #
  2. #
  3. # Nim's Runtime Library
  4. # (c) Copyright 2015 Andreas Rumpf
  5. #
  6. # See the file "copying.txt", included in this
  7. # distribution, for details about the copyright.
  8. #
  9. ## OpenSSL wrapper. Supports OpenSSL >= 1.1.0 dynamically (as default) or statically linked
  10. ## using `--dynlibOverride:ssl`.
  11. ##
  12. ## To use openSSL 3, either set `-d:sslVersion=3` or `-d:useOpenssl3`.
  13. ##
  14. ## Build and test examples:
  15. ##
  16. ## .. code-block::
  17. ## ./bin/nim c -d:ssl -p:. -r tests/stdlib/tssl.nim
  18. ## ./bin/nim c -d:ssl --threads:on -p:. -r tests/stdlib/thttpclient_ssl.nim
  19. ## ./bin/nim c -d:ssl -p:. -r tests/untestable/tssl.nim
  20. ## ./bin/nim c -d:ssl -p:. --dynlibOverride:ssl --passl:-lcrypto --passl:-lssl -r tests/untestable/tssl.nim
  21. ## ./bin/nim r --putenv:NIM_TESTAMENT_REMOTE_NETWORKING:1 -d:ssl -p:testament/lib --threads:on tests/untestable/thttpclient_ssl_remotenetwork.nim
  22. # https://www.feistyduck.com/library/openssl-cookbook/online/ch-testing-with-openssl.html
  23. #
  24. from strutils import startsWith
  25. when defined(nimPreviewSlimSystem):
  26. import std/syncio
  27. when defined(nimHasStyleChecks):
  28. {.push styleChecks: off.}
  29. const useWinVersion = defined(windows) or defined(nimdoc)
  30. # To force openSSL version use -d:sslVersion=1.2.3
  31. # See: #10281, #10230
  32. # General issue:
  33. # Other dynamic libraries (like libpg) load different openSSL version then what nim loads.
  34. # Having two different openSSL loaded version causes a crash.
  35. # Use this compile time define to force the openSSL version that your other dynamic libraries want.
  36. const sslVersion {.strdefine.}: string = ""
  37. const useOpenssl3* {.booldefine.} = sslVersion.startsWith('3')
  38. when sslVersion != "":
  39. when defined(macosx):
  40. const
  41. DLLSSLName* = "libssl." & sslVersion & ".dylib"
  42. DLLUtilName* = "libcrypto." & sslVersion & ".dylib"
  43. from posix import SocketHandle
  44. elif defined(windows):
  45. const
  46. DLLSSLName* = "libssl-" & sslVersion & ".dll"
  47. DLLUtilName* = "libcrypto-" & sslVersion & ".dll"
  48. from winlean import SocketHandle
  49. else:
  50. const
  51. DLLSSLName* = "libssl.so." & sslVersion
  52. DLLUtilName* = "libcrypto.so." & sslVersion
  53. from posix import SocketHandle
  54. elif useWinVersion:
  55. when defined(nimOldDlls):
  56. when defined(cpu64):
  57. const
  58. DLLSSLName* = "(ssleay32|ssleay64).dll"
  59. DLLUtilName* = "(libeay32|libeay64).dll"
  60. else:
  61. const
  62. DLLSSLName* = "ssleay32.dll"
  63. DLLUtilName* = "libeay32.dll"
  64. elif defined(cpu64):
  65. const
  66. DLLSSLName* = "(libssl-1_1-x64|ssleay64|libssl64).dll"
  67. DLLUtilName* = "(libcrypto-1_1-x64|libeay64).dll"
  68. else:
  69. const
  70. DLLSSLName* = "(libssl-1_1|ssleay32|libssl32).dll"
  71. DLLUtilName* = "(libcrypto-1_1|libeay32).dll"
  72. from winlean import SocketHandle
  73. else:
  74. # same list of versions but ordered differently?
  75. when defined(osx):
  76. const versions = "(.3|.1.1|.38|.39|.41|.43|.44|.45|.46|.47|.48|.10|.1.0.2|.1.0.1|.1.0.0|.0.9.9|.0.9.8|)"
  77. else:
  78. const versions = "(.3|.1.1|.1.0.2|.1.0.1|.1.0.0|.0.9.9|.0.9.8|.48|.47|.46|.45|.44|.43|.41|.39|.38|.10|)"
  79. when defined(macosx):
  80. const
  81. DLLSSLName* = "libssl" & versions & ".dylib"
  82. DLLUtilName* = "libcrypto" & versions & ".dylib"
  83. elif defined(genode):
  84. const
  85. DLLSSLName* = "libssl.lib.so"
  86. DLLUtilName* = "libcrypto.lib.so"
  87. else:
  88. const
  89. DLLSSLName* = "libssl.so" & versions
  90. DLLUtilName* = "libcrypto.so" & versions
  91. from posix import SocketHandle
  92. import dynlib
  93. {.pragma: lcrypto, cdecl, dynlib: DLLUtilName, importc.}
  94. {.pragma: lssl, cdecl, dynlib: DLLSSLName, importc.}
  95. type
  96. SslStruct {.final, pure.} = object
  97. SslPtr* = ptr SslStruct
  98. PSslPtr* = ptr SslPtr
  99. SslCtx* = SslPtr
  100. PSSL_METHOD* = SslPtr
  101. PSTACK* = SslPtr
  102. PX509* = SslPtr
  103. PX509_NAME* = SslPtr
  104. PBIO_METHOD* = SslPtr
  105. BIO* = SslPtr
  106. EVP_PKEY* = SslPtr
  107. PRSA* = SslPtr
  108. PASN1_UTCTIME* = SslPtr
  109. PASN1_cInt* = SslPtr
  110. PPasswdCb* = SslPtr
  111. EVP_MD* = SslPtr
  112. EVP_MD_CTX* = SslPtr
  113. EVP_PKEY_CTX* = SslPtr
  114. ENGINE* = SslPtr
  115. PFunction* = proc () {.cdecl.}
  116. DES_cblock* = array[0..7, int8]
  117. PDES_cblock* = ptr DES_cblock
  118. des_ks_struct*{.final.} = object
  119. ks*: DES_cblock
  120. weak_key*: cint
  121. des_key_schedule* = array[1..16, des_ks_struct]
  122. pem_password_cb* = proc(buf: cstring, size, rwflag: cint, userdata: pointer): cint {.cdecl.}
  123. PaddingType* = enum
  124. RSA_PKCS1_PADDING = 1.cint,
  125. RSA_SSLV23_PADDING = 2.cint,
  126. RSA_NO_PADDING = 3.cint,
  127. RSA_PKCS1_OAEP_PADDING = 4.cint,
  128. RSA_X931_PADDING = 5.cint,
  129. RSA_PKCS1_PSS_PADDING = 6.cint
  130. const
  131. SSL_SENT_SHUTDOWN* = 1
  132. SSL_RECEIVED_SHUTDOWN* = 2
  133. EVP_MAX_MD_SIZE* = 16 + 20
  134. SSL_ERROR_NONE* = 0
  135. SSL_ERROR_SSL* = 1
  136. SSL_ERROR_WANT_READ* = 2
  137. SSL_ERROR_WANT_WRITE* = 3
  138. SSL_ERROR_WANT_X509_LOOKUP* = 4
  139. SSL_ERROR_SYSCALL* = 5 #look at error stack/return value/errno
  140. SSL_ERROR_ZERO_RETURN* = 6
  141. SSL_ERROR_WANT_CONNECT* = 7
  142. SSL_ERROR_WANT_ACCEPT* = 8
  143. SSL_CTRL_NEED_TMP_RSA* = 1
  144. SSL_CTRL_SET_TMP_RSA* = 2
  145. SSL_CTRL_SET_TMP_DH* = 3
  146. SSL_CTRL_SET_TMP_ECDH* = 4
  147. SSL_CTRL_SET_TMP_RSA_CB* = 5
  148. SSL_CTRL_SET_TMP_DH_CB* = 6
  149. SSL_CTRL_SET_TMP_ECDH_CB* = 7
  150. SSL_CTRL_GET_SESSION_REUSED* = 8
  151. SSL_CTRL_GET_CLIENT_CERT_REQUEST* = 9
  152. SSL_CTRL_GET_NUM_RENEGOTIATIONS* = 10
  153. SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS* = 11
  154. SSL_CTRL_GET_TOTAL_RENEGOTIATIONS* = 12
  155. SSL_CTRL_GET_FLAGS* = 13
  156. SSL_CTRL_EXTRA_CHAIN_CERT* = 14
  157. SSL_CTRL_SET_MSG_CALLBACK* = 15
  158. SSL_CTRL_SET_MSG_CALLBACK_ARG* = 16 # only applies to datagram connections
  159. SSL_CTRL_SET_MTU* = 17 # Stats
  160. SSL_CTRL_SESS_NUMBER* = 20
  161. SSL_CTRL_SESS_CONNECT* = 21
  162. SSL_CTRL_SESS_CONNECT_GOOD* = 22
  163. SSL_CTRL_SESS_CONNECT_RENEGOTIATE* = 23
  164. SSL_CTRL_SESS_ACCEPT* = 24
  165. SSL_CTRL_SESS_ACCEPT_GOOD* = 25
  166. SSL_CTRL_SESS_ACCEPT_RENEGOTIATE* = 26
  167. SSL_CTRL_SESS_HIT* = 27
  168. SSL_CTRL_SESS_CB_HIT* = 28
  169. SSL_CTRL_SESS_MISSES* = 29
  170. SSL_CTRL_SESS_TIMEOUTS* = 30
  171. SSL_CTRL_SESS_CACHE_FULL* = 31
  172. SSL_CTRL_OPTIONS* = 32
  173. SSL_CTRL_MODE* = 33
  174. SSL_CTRL_GET_READ_AHEAD* = 40
  175. SSL_CTRL_SET_READ_AHEAD* = 41
  176. SSL_CTRL_SET_SESS_CACHE_SIZE* = 42
  177. SSL_CTRL_GET_SESS_CACHE_SIZE* = 43
  178. SSL_CTRL_SET_SESS_CACHE_MODE* = 44
  179. SSL_CTRL_GET_SESS_CACHE_MODE* = 45
  180. SSL_CTRL_GET_MAX_CERT_LIST* = 50
  181. SSL_CTRL_SET_MAX_CERT_LIST* = 51 #* Allow SSL_write(..., n) to return r with 0 < r < n (i.e. report success
  182. # * when just a single record has been written): *
  183. SSL_CTRL_SET_TLSEXT_SERVERNAME_CB = 53
  184. SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG = 54
  185. SSL_CTRL_SET_TLSEXT_HOSTNAME = 55
  186. SSL_CTRL_SET_ECDH_AUTO* = 94
  187. TLSEXT_NAMETYPE_host_name* = 0
  188. SSL_TLSEXT_ERR_OK* = 0
  189. SSL_TLSEXT_ERR_ALERT_WARNING* = 1
  190. SSL_TLSEXT_ERR_ALERT_FATAL* = 2
  191. SSL_TLSEXT_ERR_NOACK* = 3
  192. SSL_MODE_ENABLE_PARTIAL_WRITE* = 1 #* Make it possible to retry SSL_write() with changed buffer location
  193. # * (buffer contents must stay the same!); this is not the default to avoid
  194. # * the misconception that non-blocking SSL_write() behaves like
  195. # * non-blocking write(): *
  196. SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER* = 2 #* Never bother the application with retries if the transport
  197. # * is blocking: *
  198. SSL_MODE_AUTO_RETRY* = 4 #* Don't attempt to automatically build certificate chain *
  199. SSL_MODE_NO_AUTO_CHAIN* = 8
  200. SSL_OP_NO_SSLv2* = 0x01000000
  201. SSL_OP_NO_SSLv3* = 0x02000000
  202. SSL_OP_NO_TLSv1* = 0x04000000
  203. SSL_OP_NO_TLSv1_1* = 0x08000000
  204. SSL_OP_ALL* = 0x000FFFFF
  205. SSL_VERIFY_NONE* = 0x00000000
  206. SSL_VERIFY_PEER* = 0x00000001
  207. SSL_ST_CONNECT* = 0x1000
  208. SSL_ST_ACCEPT* = 0x2000
  209. SSL_ST_INIT* = SSL_ST_CONNECT or SSL_ST_ACCEPT
  210. OPENSSL_DES_DECRYPT* = 0
  211. OPENSSL_DES_ENCRYPT* = 1
  212. X509_V_OK* = 0
  213. X509_V_ILLEGAL* = 1
  214. X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT* = 2
  215. X509_V_ERR_UNABLE_TO_GET_CRL* = 3
  216. X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE* = 4
  217. X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE* = 5
  218. X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY* = 6
  219. X509_V_ERR_CERT_SIGNATURE_FAILURE* = 7
  220. X509_V_ERR_CRL_SIGNATURE_FAILURE* = 8
  221. X509_V_ERR_CERT_NOT_YET_VALID* = 9
  222. X509_V_ERR_CERT_HAS_EXPIRED* = 10
  223. X509_V_ERR_CRL_NOT_YET_VALID* = 11
  224. X509_V_ERR_CRL_HAS_EXPIRED* = 12
  225. X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD* = 13
  226. X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD* = 14
  227. X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD* = 15
  228. X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD* = 16
  229. X509_V_ERR_OUT_OF_MEM* = 17
  230. X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT* = 18
  231. X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN* = 19
  232. X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY* = 20
  233. X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE* = 21
  234. X509_V_ERR_CERT_CHAIN_TOO_LONG* = 22
  235. X509_V_ERR_CERT_REVOKED* = 23
  236. X509_V_ERR_INVALID_CA* = 24
  237. X509_V_ERR_PATH_LENGTH_EXCEEDED* = 25
  238. X509_V_ERR_INVALID_PURPOSE* = 26
  239. X509_V_ERR_CERT_UNTRUSTED* = 27
  240. X509_V_ERR_CERT_REJECTED* = 28 #These are 'informational' when looking for issuer cert
  241. X509_V_ERR_SUBJECT_ISSUER_MISMATCH* = 29
  242. X509_V_ERR_AKID_SKID_MISMATCH* = 30
  243. X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH* = 31
  244. X509_V_ERR_KEYUSAGE_NO_CERTSIGN* = 32
  245. X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER* = 33
  246. X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION* = 34 #The application is not happy
  247. X509_V_ERR_APPLICATION_VERIFICATION* = 50
  248. SSL_FILETYPE_ASN1* = 2
  249. SSL_FILETYPE_PEM* = 1
  250. EVP_PKEY_RSA* = 6 # libssl.dll
  251. BIO_C_SET_CONNECT = 100
  252. BIO_C_DO_STATE_MACHINE = 101
  253. BIO_C_GET_SSL = 110
  254. proc TLSv1_method*(): PSSL_METHOD{.cdecl, dynlib: DLLSSLName, importc.}
  255. # TLS_method(), TLS_server_method(), TLS_client_method() are introduced in 1.1.0
  256. # and support SSLv3, TLSv1, TLSv1.1 and TLSv1.2
  257. # SSLv23_method(), SSLv23_server_method(), SSLv23_client_method() are removed in 1.1.0
  258. when compileOption("dynlibOverride", "ssl"):
  259. # Static linking
  260. when not useOpenssl3:
  261. proc OPENSSL_init_ssl*(opts: uint64, settings: uint8): cint {.cdecl, dynlib: DLLSSLName, importc, discardable.}
  262. proc SSL_library_init*(): cint {.discardable.} =
  263. ## Initialize SSL using OPENSSL_init_ssl for OpenSSL >= 1.1.0
  264. return OPENSSL_init_ssl(0.uint64, 0.uint8)
  265. proc TLS_method*(): PSSL_METHOD {.cdecl, dynlib: DLLSSLName, importc.}
  266. proc OpenSSL_version_num(): culong {.cdecl, dynlib: DLLUtilName, importc.}
  267. proc getOpenSSLVersion*(): culong =
  268. ## Return OpenSSL version as unsigned long
  269. OpenSSL_version_num()
  270. proc SSL_load_error_strings*() =
  271. ## Removed from OpenSSL 1.1.0
  272. # This proc prevents breaking existing code calling SslLoadErrorStrings
  273. # Static linking against OpenSSL < 1.1.0 is not supported
  274. discard
  275. when defined(libressl):
  276. proc SSL_state(ssl: SslPtr): cint {.cdecl, dynlib: DLLSSLName, importc.}
  277. proc SSL_in_init*(ssl: SslPtr): cint {.inline.} =
  278. SSl_state(ssl) and SSL_ST_INIT
  279. else:
  280. proc SSL_in_init*(ssl: SslPtr): cint {.cdecl, dynlib: DLLSSLName, importc.}
  281. proc SSL_CTX_set_ciphersuites*(ctx: SslCtx, str: cstring): cint {.cdecl, dynlib: DLLSSLName, importc.}
  282. template OpenSSL_add_all_algorithms*() = discard
  283. else:
  284. # Here we're trying to stay compatible with openssl 1.1.*. Some
  285. # symbols are loaded dynamically and we don't use them if not found.
  286. proc thisModule(): LibHandle {.inline.} =
  287. var thisMod {.global.}: LibHandle
  288. if thisMod.isNil: thisMod = loadLib()
  289. result = thisMod
  290. proc sslModule(): LibHandle {.inline, raises: [LibraryError], tags:[RootEffect].} =
  291. var sslMod {.global.}: LibHandle
  292. try:
  293. if sslMod.isNil: sslMod = loadLibPattern(DLLSSLName)
  294. except:
  295. raise newException(LibraryError, "Could not load SSL using " & DLLSSLName)
  296. result = sslMod
  297. proc utilModule(): LibHandle {.inline.} =
  298. var utilMod {.global.}: LibHandle
  299. if utilMod.isNil: utilMod = loadLibPattern(DLLUtilName)
  300. result = utilMod
  301. proc symNullable(dll: LibHandle, name: string, alternativeName = ""): pointer =
  302. # Load from DLL.
  303. if not dll.isNil:
  304. result = symAddr(dll, name)
  305. if result.isNil and alternativeName.len > 0:
  306. result = symAddr(dll, alternativeName)
  307. # Attempt to load from current exe.
  308. if result.isNil:
  309. let thisDynlib = thisModule()
  310. if thisDynlib.isNil: return nil
  311. result = symAddr(thisDynlib, name)
  312. if result.isNil and alternativeName.len > 0:
  313. result = symAddr(thisDynlib, alternativeName)
  314. proc sslSymNullable(name: string, alternativeName = ""): pointer {.raises: [LibraryError], tags:[RootEffect].} =
  315. sslModule().symNullable(name, alternativeName)
  316. proc sslSymThrows(name: string, alternativeName = ""): pointer {.raises: [LibraryError].} =
  317. result = sslSymNullable(name, alternativeName)
  318. if result.isNil: raiseInvalidLibrary(name)
  319. proc utilSymNullable(name: string, alternativeName = ""): pointer =
  320. utilModule().symNullable(name, alternativeName)
  321. proc loadPSSLMethod(method1, method2: string): PSSL_METHOD {.raises: [LibraryError], tags:[RootEffect].} =
  322. ## Load <method1> from OpenSSL if available, otherwise <method2>
  323. ##
  324. let methodSym = sslSymNullable(method1, method2)
  325. if methodSym.isNil:
  326. raise newException(LibraryError, "Could not load " & method1 & " nor " & method2)
  327. let method2Proc = cast[proc(): PSSL_METHOD {.cdecl, gcsafe, raises: [].}](methodSym)
  328. return method2Proc()
  329. when not useOpenssl3:
  330. proc SSL_library_init*(): cint {.discardable.} =
  331. ## Initialize SSL using OPENSSL_init_ssl for OpenSSL >= 1.1.0 otherwise
  332. ## SSL_library_init
  333. let newInitSym = sslSymNullable("OPENSSL_init_ssl")
  334. if not newInitSym.isNil:
  335. let newInitProc =
  336. cast[proc(opts: uint64, settings: uint8): cint {.cdecl.}](newInitSym)
  337. return newInitProc(0, 0)
  338. let olderProc = cast[proc(): cint {.cdecl.}](sslSymThrows("SSL_library_init"))
  339. if not olderProc.isNil: result = olderProc()
  340. proc SSL_load_error_strings*() =
  341. # TODO: Are we ignoring this on purpose? SSL GitHub CI fails otherwise.
  342. let theProc = cast[proc() {.cdecl.}](sslSymNullable("SSL_load_error_strings"))
  343. if not theProc.isNil: theProc()
  344. proc SSLv3_method*(): PSSL_METHOD =
  345. loadPSSLMethod("SSLv3_method", "TLS_method")
  346. proc TLS_method*(): PSSL_METHOD =
  347. loadPSSLMethod("TLS_method", "SSLv23_method")
  348. proc OpenSSL_add_all_algorithms*() =
  349. # TODO: Are we ignoring this on purpose? SSL GitHub CI fails otherwise.
  350. let theProc = cast[proc() {.cdecl.}](sslSymNullable("OPENSSL_add_all_algorithms_conf"))
  351. if not theProc.isNil: theProc()
  352. proc getOpenSSLVersion*(): culong =
  353. ## Return OpenSSL version as unsigned long or 0 if not available
  354. let theProc = cast[proc(): culong {.cdecl, gcsafe.}](utilSymNullable("OpenSSL_version_num", "SSLeay"))
  355. result =
  356. if theProc.isNil: 0.culong
  357. else: theProc()
  358. proc SSL_in_init*(ssl: SslPtr): cint =
  359. # A compatibility wrapper for `SSL_in_init()` for OpenSSL 1.0, 1.1 and LibreSSL
  360. const MainProc = "SSL_in_init"
  361. let
  362. theProc {.global.} = cast[proc(ssl: SslPtr): cint {.cdecl, gcsafe.}](sslSymNullable(MainProc))
  363. # Fallback
  364. sslState {.global.} = cast[proc(ssl: SslPtr): cint {.cdecl, gcsafe.}](sslSymNullable("SSL_state"))
  365. if not theProc.isNil:
  366. result = theProc(ssl)
  367. elif not sslState.isNil:
  368. result = sslState(ssl) and SSL_ST_INIT
  369. else:
  370. raiseInvalidLibrary MainProc
  371. proc SSL_CTX_set_ciphersuites*(ctx: SslCtx, str: cstring): cint =
  372. var theProc {.global.}: proc(ctx: SslCtx, str: cstring) {.cdecl, gcsafe.}
  373. if theProc.isNil:
  374. theProc = cast[typeof(theProc)](sslSymThrows("SSL_CTX_set_ciphersuites"))
  375. theProc(ctx, str)
  376. proc ERR_load_BIO_strings*(){.cdecl, dynlib: DLLUtilName, importc.}
  377. proc TLS_client_method*(): PSSL_METHOD {.cdecl, dynlib: DLLSSLName, importc.}
  378. proc SSL_new*(context: SslCtx): SslPtr{.cdecl, dynlib: DLLSSLName, importc.}
  379. proc SSL_free*(ssl: SslPtr){.cdecl, dynlib: DLLSSLName, importc.}
  380. proc SSL_get_SSL_CTX*(ssl: SslPtr): SslCtx {.cdecl, dynlib: DLLSSLName, importc.}
  381. proc SSL_set_SSL_CTX*(ssl: SslPtr, ctx: SslCtx): SslCtx {.cdecl, dynlib: DLLSSLName, importc.}
  382. proc SSL_CTX_set_session_id_context*(context: SslCtx, sid_ctx: string, sid_ctx_len: int){.cdecl, dynlib: DLLSSLName, importc.}
  383. proc SSL_get0_verified_chain*(ssl: SslPtr): PSTACK {.cdecl, dynlib: DLLSSLName,
  384. importc.}
  385. proc SSL_CTX_new*(meth: PSSL_METHOD): SslCtx{.cdecl,
  386. dynlib: DLLSSLName, importc.}
  387. proc SSL_CTX_load_verify_locations*(ctx: SslCtx, CAfile: cstring,
  388. CApath: cstring): cint{.cdecl, dynlib: DLLSSLName, importc.}
  389. proc SSL_CTX_free*(arg0: SslCtx){.cdecl, dynlib: DLLSSLName, importc.}
  390. proc SSL_CTX_set_verify*(s: SslCtx, mode: int, cb: proc (a: int, b: pointer): int {.cdecl.}){.cdecl, dynlib: DLLSSLName, importc.}
  391. proc SSL_get_verify_result*(ssl: SslPtr): int{.cdecl,
  392. dynlib: DLLSSLName, importc.}
  393. proc SSL_CTX_set_cipher_list*(s: SslCtx, ciphers: cstring): cint{.cdecl, dynlib: DLLSSLName, importc.}
  394. proc SSL_CTX_use_certificate_file*(ctx: SslCtx, filename: cstring, typ: cint): cint{.
  395. stdcall, dynlib: DLLSSLName, importc.}
  396. proc SSL_CTX_use_certificate_chain_file*(ctx: SslCtx, filename: cstring): cint{.
  397. stdcall, dynlib: DLLSSLName, importc.}
  398. proc SSL_CTX_use_PrivateKey_file*(ctx: SslCtx,
  399. filename: cstring, typ: cint): cint{.cdecl, dynlib: DLLSSLName, importc.}
  400. proc SSL_CTX_check_private_key*(ctx: SslCtx): cint{.cdecl, dynlib: DLLSSLName,
  401. importc.}
  402. proc SSL_CTX_get_ex_new_index*(argl: clong, argp: pointer, new_func: pointer, dup_func: pointer, free_func: pointer): cint {.cdecl, dynlib: DLLSSLName, importc.}
  403. proc SSL_CTX_set_ex_data*(ssl: SslCtx, idx: cint, arg: pointer): cint {.cdecl, dynlib: DLLSSLName, importc.}
  404. proc SSL_CTX_get_ex_data*(ssl: SslCtx, idx: cint): pointer {.cdecl, dynlib: DLLSSLName, importc.}
  405. proc SSL_set_fd*(ssl: SslPtr, fd: SocketHandle): cint{.cdecl, dynlib: DLLSSLName, importc.}
  406. proc SSL_shutdown*(ssl: SslPtr): cint{.cdecl, dynlib: DLLSSLName, importc.}
  407. proc SSL_set_shutdown*(ssl: SslPtr, mode: cint) {.cdecl, dynlib: DLLSSLName, importc: "SSL_set_shutdown".}
  408. proc SSL_get_shutdown*(ssl: SslPtr): cint {.cdecl, dynlib: DLLSSLName, importc: "SSL_get_shutdown".}
  409. proc SSL_connect*(ssl: SslPtr): cint{.cdecl, dynlib: DLLSSLName, importc.}
  410. proc SSL_read*(ssl: SslPtr, buf: pointer, num: int): cint{.cdecl, dynlib: DLLSSLName, importc.}
  411. proc SSL_write*(ssl: SslPtr, buf: cstring, num: int): cint{.cdecl, dynlib: DLLSSLName, importc.}
  412. proc SSL_get_error*(s: SslPtr, ret_code: cint): cint{.cdecl, dynlib: DLLSSLName, importc.}
  413. proc SSL_accept*(ssl: SslPtr): cint{.cdecl, dynlib: DLLSSLName, importc.}
  414. proc SSL_pending*(ssl: SslPtr): cint{.cdecl, dynlib: DLLSSLName, importc.}
  415. proc BIO_new_mem_buf*(data: pointer, len: cint): BIO{.cdecl,
  416. dynlib: DLLUtilName, importc.}
  417. proc BIO_new_ssl_connect*(ctx: SslCtx): BIO{.cdecl,
  418. dynlib: DLLSSLName, importc.}
  419. proc BIO_ctrl*(bio: BIO, cmd: cint, larg: int, arg: cstring): int{.cdecl,
  420. dynlib: DLLUtilName, importc.}
  421. proc BIO_get_ssl*(bio: BIO, ssl: ptr SslPtr): int =
  422. return BIO_ctrl(bio, BIO_C_GET_SSL, 0, cast[cstring](ssl))
  423. proc BIO_set_conn_hostname*(bio: BIO, name: cstring): int =
  424. return BIO_ctrl(bio, BIO_C_SET_CONNECT, 0, name)
  425. proc BIO_do_handshake*(bio: BIO): int =
  426. return BIO_ctrl(bio, BIO_C_DO_STATE_MACHINE, 0, nil)
  427. proc BIO_do_connect*(bio: BIO): int =
  428. return BIO_do_handshake(bio)
  429. when not defined(nimfix):
  430. proc BIO_read*(b: BIO, data: cstring, length: cint): cint{.cdecl,
  431. dynlib: DLLUtilName, importc.}
  432. proc BIO_write*(b: BIO, data: cstring, length: cint): cint{.cdecl,
  433. dynlib: DLLUtilName, importc.}
  434. proc BIO_free*(b: BIO): cint{.cdecl, dynlib: DLLUtilName, importc.}
  435. proc ERR_print_errors_fp*(fp: File){.cdecl, dynlib: DLLUtilName, importc.}
  436. proc ERR_error_string*(e: culong, buf: cstring): cstring{.cdecl,
  437. dynlib: DLLUtilName, importc.}
  438. proc ERR_get_error*(): culong{.cdecl, dynlib: DLLUtilName, importc.}
  439. proc ERR_peek_last_error*(): culong{.cdecl, dynlib: DLLUtilName, importc.}
  440. proc OPENSSL_config*(configName: cstring){.cdecl, dynlib: DLLUtilName, importc.}
  441. proc OPENSSL_sk_num*(stack: PSTACK): int {.cdecl, dynlib: DLLSSLName, importc.}
  442. proc OPENSSL_sk_value*(stack: PSTACK, index: int): pointer {.cdecl,
  443. dynlib: DLLSSLName, importc.}
  444. proc d2i_X509*(px: ptr PX509, i: ptr ptr uint8, len: cint): PX509 {.cdecl,
  445. dynlib: DLLUtilName, importc.}
  446. proc i2d_X509*(cert: PX509; o: ptr ptr uint8): cint {.cdecl,
  447. dynlib: DLLUtilName, importc.}
  448. proc d2i_X509*(b: string): PX509 =
  449. ## decode DER/BER bytestring into X.509 certificate struct
  450. var bb = b.cstring
  451. let i = cast[ptr ptr uint8](addr bb)
  452. let ret = d2i_X509(addr result, i, b.len.cint)
  453. if ret.isNil:
  454. raise newException(Exception, "X.509 certificate decoding failed")
  455. proc i2d_X509*(cert: PX509): string =
  456. ## encode `cert` to DER string
  457. let encoded_length = i2d_X509(cert, nil)
  458. result = newString(encoded_length)
  459. var q = result.cstring
  460. let o = cast[ptr ptr uint8](addr q)
  461. let length = i2d_X509(cert, o)
  462. if length.int <= 0:
  463. raise newException(Exception, "X.509 certificate encoding failed")
  464. when not useWinVersion and not defined(macosx) and not defined(android) and not defined(nimNoAllocForSSL):
  465. proc CRYPTO_set_mem_functions(a,b,c: pointer){.cdecl,
  466. dynlib: DLLUtilName, importc.}
  467. proc allocWrapper(size: int): pointer {.cdecl.} = allocShared(size)
  468. proc reallocWrapper(p: pointer; newSize: int): pointer {.cdecl.} =
  469. if p == nil:
  470. if newSize > 0: result = allocShared(newSize)
  471. elif newSize == 0: deallocShared(p)
  472. else: result = reallocShared(p, newSize)
  473. proc deallocWrapper(p: pointer) {.cdecl.} =
  474. if p != nil: deallocShared(p)
  475. proc CRYPTO_malloc_init*() =
  476. when not useWinVersion and not defined(macosx) and not defined(android) and not defined(nimNoAllocForSSL):
  477. CRYPTO_set_mem_functions(allocWrapper, reallocWrapper, deallocWrapper)
  478. proc SSL_CTX_ctrl*(ctx: SslCtx, cmd: cint, larg: clong, parg: pointer): clong{.
  479. cdecl, dynlib: DLLSSLName, importc.}
  480. proc SSL_CTX_callback_ctrl(ctx: SslCtx, typ: cint, fp: PFunction): int{.
  481. cdecl, dynlib: DLLSSLName, importc.}
  482. proc SSLCTXSetMode*(ctx: SslCtx, mode: int): int =
  483. result = SSL_CTX_ctrl(ctx, SSL_CTRL_MODE, clong mode, nil)
  484. proc SSL_ctrl*(ssl: SslPtr, cmd: cint, larg: int, parg: pointer): int{.
  485. cdecl, dynlib: DLLSSLName, importc.}
  486. proc SSL_set_tlsext_host_name*(ssl: SslPtr, name: cstring): int =
  487. ## Set the SNI server name extension to be used in a client hello.
  488. ## Returns 1 if SNI was set, 0 if current SSL configuration doesn't support SNI.
  489. result = SSL_ctrl(ssl, SSL_CTRL_SET_TLSEXT_HOSTNAME, TLSEXT_NAMETYPE_host_name, name)
  490. proc SSL_get_servername*(ssl: SslPtr, typ: cint = TLSEXT_NAMETYPE_host_name): cstring {.cdecl, dynlib: DLLSSLName, importc.}
  491. ## Retrieve the server name requested in the client hello. This can be used
  492. ## in the callback set in `SSL_CTX_set_tlsext_servername_callback` to
  493. ## implement virtual hosting. May return `nil`.
  494. proc SSL_CTX_set_tlsext_servername_callback*(ctx: SslCtx, cb: proc(ssl: SslPtr, cb_id: int, arg: pointer): int {.cdecl.}): int =
  495. ## Set the callback to be used on listening SSL connections when the client hello is received.
  496. ##
  497. ## The callback should return one of:
  498. ## * SSL_TLSEXT_ERR_OK
  499. ## * SSL_TLSEXT_ERR_ALERT_WARNING
  500. ## * SSL_TLSEXT_ERR_ALERT_FATAL
  501. ## * SSL_TLSEXT_ERR_NOACK
  502. result = SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_TLSEXT_SERVERNAME_CB, cast[PFunction](cb))
  503. proc SSL_CTX_set_tlsext_servername_arg*(ctx: SslCtx, arg: pointer): int =
  504. ## Set the pointer to be used in the callback registered to `SSL_CTX_set_tlsext_servername_callback`.
  505. result = SSL_CTX_ctrl(ctx, SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG, 0, arg)
  506. type
  507. PskClientCallback* = proc (ssl: SslPtr;
  508. hint: cstring; identity: cstring; max_identity_len: cuint; psk: ptr uint8;
  509. max_psk_len: cuint): cuint {.cdecl.}
  510. PskServerCallback* = proc (ssl: SslPtr;
  511. identity: cstring; psk: ptr uint8; max_psk_len: cint): cuint {.cdecl.}
  512. proc SSL_CTX_set_psk_client_callback*(ctx: SslCtx; callback: PskClientCallback) {.cdecl, dynlib: DLLSSLName, importc.}
  513. ## Set callback called when OpenSSL needs PSK (for client).
  514. proc SSL_CTX_set_psk_server_callback*(ctx: SslCtx; callback: PskServerCallback) {.cdecl, dynlib: DLLSSLName, importc.}
  515. ## Set callback called when OpenSSL needs PSK (for server).
  516. proc SSL_CTX_use_psk_identity_hint*(ctx: SslCtx; hint: cstring): cint {.cdecl, dynlib: DLLSSLName, importc.}
  517. ## Set PSK identity hint to use.
  518. proc SSL_get_psk_identity*(ssl: SslPtr): cstring {.cdecl, dynlib: DLLSSLName, importc.}
  519. ## Get PSK identity.
  520. proc SSL_CTX_set_ecdh_auto*(ctx: SslCtx, onoff: cint): cint {.inline.} =
  521. ## Set automatic curve selection.
  522. ##
  523. ## On OpenSSL >= 1.1.0 this is on by default and cannot be disabled.
  524. if getOpenSSLVersion() < 0x010100000 or getOpenSSLVersion() == 0x020000000:
  525. result = cint SSL_CTX_ctrl(ctx, SSL_CTRL_SET_ECDH_AUTO, onoff, nil)
  526. else:
  527. result = 1
  528. proc bioNew*(b: PBIO_METHOD): BIO{.cdecl, dynlib: DLLUtilName, importc: "BIO_new".}
  529. proc bioFreeAll*(b: BIO){.cdecl, dynlib: DLLUtilName, importc: "BIO_free_all".}
  530. proc bioSMem*(): PBIO_METHOD{.cdecl, dynlib: DLLUtilName, importc: "BIO_s_mem".}
  531. proc bioCtrlPending*(b: BIO): cint{.cdecl, dynlib: DLLUtilName, importc: "BIO_ctrl_pending".}
  532. proc bioRead*(b: BIO, Buf: cstring, length: cint): cint{.cdecl,
  533. dynlib: DLLUtilName, importc: "BIO_read".}
  534. proc bioWrite*(b: BIO, Buf: cstring, length: cint): cint{.cdecl,
  535. dynlib: DLLUtilName, importc: "BIO_write".}
  536. proc sslSetConnectState*(s: SslPtr) {.cdecl,
  537. dynlib: DLLSSLName, importc: "SSL_set_connect_state".}
  538. proc sslSetAcceptState*(s: SslPtr) {.cdecl,
  539. dynlib: DLLSSLName, importc: "SSL_set_accept_state".}
  540. proc sslRead*(ssl: SslPtr, buf: cstring, num: cint): cint{.cdecl,
  541. dynlib: DLLSSLName, importc: "SSL_read".}
  542. proc sslPeek*(ssl: SslPtr, buf: cstring, num: cint): cint{.cdecl,
  543. dynlib: DLLSSLName, importc: "SSL_peek".}
  544. proc sslWrite*(ssl: SslPtr, buf: cstring, num: cint): cint{.cdecl,
  545. dynlib: DLLSSLName, importc: "SSL_write".}
  546. proc sslSetBio*(ssl: SslPtr, rbio, wbio: BIO) {.cdecl,
  547. dynlib: DLLSSLName, importc: "SSL_set_bio".}
  548. proc sslDoHandshake*(ssl: SslPtr): cint {.cdecl,
  549. dynlib: DLLSSLName, importc: "SSL_do_handshake".}
  550. proc ErrClearError*(){.cdecl, dynlib: DLLUtilName, importc: "ERR_clear_error".}
  551. proc ErrFreeStrings*(){.cdecl, dynlib: DLLUtilName, importc: "ERR_free_strings".}
  552. proc ErrRemoveState*(pid: cint){.cdecl, dynlib: DLLUtilName, importc: "ERR_remove_state".}
  553. proc PEM_read_bio_RSA_PUBKEY*(bp: BIO, x: ptr PRSA, pw: pem_password_cb, u: pointer): PRSA {.cdecl,
  554. dynlib: DLLUtilName, importc.}
  555. proc PEM_read_RSA_PUBKEY*(fp: pointer; x: ptr PRSA; cb: pem_password_cb, u: pointer): PRSA {.cdecl,
  556. dynlib: DLLUtilName, importc.}
  557. proc RSA_verify*(kind: cint, origMsg: pointer, origMsgLen: cuint, signature: pointer,
  558. signatureLen: cuint, rsa: PRSA): cint {.cdecl, dynlib: DLLUtilName, importc.}
  559. proc PEM_read_RSAPrivateKey*(fp: pointer; x: ptr PRSA; cb: pem_password_cb, u: pointer): PRSA {.cdecl,
  560. dynlib: DLLUtilName, importc.}
  561. proc PEM_read_RSAPublicKey*(fp: pointer; x: ptr PRSA; cb: pem_password_cb, u: pointer): PRSA {.cdecl,
  562. dynlib: DLLUtilName, importc.}
  563. proc PEM_read_bio_RSAPublicKey*(bp: BIO, x: ptr PRSA, cb: pem_password_cb, u: pointer): PRSA {.cdecl,
  564. dynlib: DLLUtilName, importc.}
  565. proc PEM_read_bio_RSAPrivateKey*(bp: BIO, x: ptr PRSA, cb: pem_password_cb, u: pointer): PRSA {.cdecl,
  566. dynlib: DLLUtilName, importc.}
  567. proc RSA_private_encrypt*(flen: cint, fr: ptr uint8, to: ptr uint8, rsa: PRSA, padding: PaddingType): cint {.cdecl,
  568. dynlib: DLLUtilName, importc.}
  569. proc RSA_public_encrypt*(flen: cint, fr: ptr uint8, to: ptr uint8, rsa: PRSA, padding: PaddingType): cint {.cdecl,
  570. dynlib: DLLUtilName, importc.}
  571. proc RSA_private_decrypt*(flen: cint, fr: ptr uint8, to: ptr uint8, rsa: PRSA, padding: PaddingType): cint {.cdecl,
  572. dynlib: DLLUtilName, importc.}
  573. proc RSA_public_decrypt*(flen: cint, fr: ptr uint8, to: ptr uint8, rsa: PRSA, padding: PaddingType): cint {.cdecl,
  574. dynlib: DLLUtilName, importc.}
  575. proc RSA_free*(rsa: PRSA) {.cdecl, dynlib: DLLUtilName, importc.}
  576. proc RSA_size*(rsa: PRSA): cint {.cdecl, dynlib: DLLUtilName, importc.}
  577. # sha types
  578. proc EVP_md_null*(): EVP_MD {.lcrypto.}
  579. proc EVP_md2*(): EVP_MD {.lcrypto.}
  580. proc EVP_md4*(): EVP_MD {.lcrypto.}
  581. proc EVP_md5*(): EVP_MD {.lcrypto.}
  582. proc EVP_sha*(): EVP_MD {.lcrypto.}
  583. proc EVP_sha1*(): EVP_MD {.lcrypto.}
  584. proc EVP_dss*(): EVP_MD {.lcrypto.}
  585. proc EVP_dss1*(): EVP_MD {.lcrypto.}
  586. proc EVP_ecdsa*(): EVP_MD {.lcrypto.}
  587. proc EVP_sha224*(): EVP_MD {.lcrypto.}
  588. proc EVP_sha256*(): EVP_MD {.lcrypto.}
  589. proc EVP_sha384*(): EVP_MD {.lcrypto.}
  590. proc EVP_sha512*(): EVP_MD {.lcrypto.}
  591. proc EVP_mdc2*(): EVP_MD {.lcrypto.}
  592. proc EVP_ripemd160*(): EVP_MD {.lcrypto.}
  593. proc EVP_whirlpool*(): EVP_MD {.lcrypto.}
  594. proc EVP_MD_size*(md: EVP_MD): cint {.lcrypto.}
  595. # hmac functions
  596. proc HMAC*(evp_md: EVP_MD; key: pointer; key_len: cint; d: cstring; n: csize_t; md: cstring; md_len: ptr cuint): cstring {.lcrypto.}
  597. # RSA key functions
  598. proc PEM_read_bio_PrivateKey*(bp: BIO, x: ptr EVP_PKEY, cb: pointer, u: pointer): EVP_PKEY {.lcrypto.}
  599. proc EVP_PKEY_free*(p: EVP_PKEY) {.lcrypto.}
  600. proc EVP_DigestSignInit*(ctx: EVP_MD_CTX, pctx: ptr EVP_PKEY_CTX, typ: EVP_MD, e: ENGINE, pkey: EVP_PKEY): cint {.lcrypto.}
  601. proc EVP_DigestInit_ex*(ctx: EVP_MD_CTX, typ: EVP_MD, engine: SslPtr = nil): cint {.lcrypto.}
  602. proc EVP_DigestUpdate*(ctx: EVP_MD_CTX, data: pointer, len: cuint): cint {.lcrypto.}
  603. proc EVP_DigestFinal_ex*(ctx: EVP_MD_CTX, buffer: pointer, size: ptr cuint): cint {.lcrypto.}
  604. proc EVP_DigestSignFinal*(ctx: EVP_MD_CTX, data: pointer, len: ptr csize_t): cint {.lcrypto.}
  605. proc EVP_PKEY_CTX_new*(pkey: EVP_PKEY, e: ENGINE): EVP_PKEY_CTX {.lcrypto.}
  606. proc EVP_PKEY_CTX_free*(pkeyCtx: EVP_PKEY_CTX) {.lcrypto.}
  607. proc EVP_PKEY_sign_init*(c: EVP_PKEY_CTX): cint {.lcrypto.}
  608. when defined(macosx) or defined(windows):
  609. proc EVP_MD_CTX_create*(): EVP_MD_CTX {.lcrypto.}
  610. proc EVP_MD_CTX_destroy*(ctx: EVP_MD_CTX) {.lcrypto.}
  611. proc EVP_MD_CTX_cleanup*(ctx: EVP_MD_CTX): cint {.lcrypto.}
  612. else:
  613. # some times you will need this instead:
  614. proc EVP_MD_CTX_create*(): EVP_MD_CTX {.cdecl, importc: "EVP_MD_CTX_new", dynlib: DLLUtilName.}
  615. proc EVP_MD_CTX_destroy*(ctx: EVP_MD_CTX) {.cdecl, importc: "EVP_MD_CTX_free", dynlib: DLLUtilName.}
  616. proc EVP_MD_CTX_cleanup*(ctx: EVP_MD_CTX): cint {.cdecl, importc: "EVP_MD_CTX_cleanup", dynlib: DLLUtilName.}
  617. # <openssl/md5.h>
  618. type
  619. MD5_LONG* = cuint
  620. const
  621. MD5_CBLOCK* = 64
  622. MD5_LBLOCK* = int(MD5_CBLOCK div 4)
  623. MD5_DIGEST_LENGTH* = 16
  624. type
  625. MD5_CTX* = object
  626. A,B,C,D,Nl,Nh: MD5_LONG
  627. data: array[MD5_LBLOCK, MD5_LONG]
  628. num: cuint
  629. {.push callconv:cdecl, dynlib:DLLUtilName.}
  630. proc md5_Init*(c: var MD5_CTX): cint{.importc: "MD5_Init".}
  631. proc md5_Update*(c: var MD5_CTX; data: pointer; len: csize_t): cint{.importc: "MD5_Update".}
  632. proc md5_Final*(md: cstring; c: var MD5_CTX): cint{.importc: "MD5_Final".}
  633. proc md5*(d: ptr uint8; n: csize_t; md: ptr uint8): ptr uint8{.importc: "MD5".}
  634. proc md5_Transform*(c: var MD5_CTX; b: ptr uint8){.importc: "MD5_Transform".}
  635. {.pop.}
  636. from strutils import toHex, toLowerAscii
  637. proc hexStr(buf: cstring): string =
  638. # turn md5s output into a nice hex str
  639. result = newStringOfCap(32)
  640. for i in 0 ..< 16:
  641. result.add toHex(buf[i].ord, 2).toLowerAscii
  642. proc md5_File*(file: string): string {.raises: [IOError,Exception].} =
  643. ## Generate MD5 hash for a file. Result is a 32 character
  644. # hex string with lowercase characters (like the output
  645. # of `md5sum`
  646. const
  647. sz = 512
  648. let f = open(file,fmRead)
  649. var
  650. buf: array[sz,char]
  651. ctx: MD5_CTX
  652. discard md5_Init(ctx)
  653. while (let bytes = f.readChars(buf); bytes > 0):
  654. discard md5_Update(ctx, buf[0].addr, cast[csize_t](bytes))
  655. discard md5_Final(buf[0].addr, ctx)
  656. f.close
  657. result = hexStr(addr buf)
  658. proc md5_Str*(str: string): string =
  659. ## Generate MD5 hash for a string. Result is a 32 character
  660. ## hex string with lowercase characters
  661. var
  662. ctx: MD5_CTX
  663. res: array[MD5_DIGEST_LENGTH,char]
  664. input = str.cstring
  665. discard md5_Init(ctx)
  666. var i = 0
  667. while i < str.len:
  668. let L = min(str.len - i, 512)
  669. discard md5_Update(ctx, input[i].addr, cast[csize_t](L))
  670. i += L
  671. discard md5_Final(addr res, ctx)
  672. result = hexStr(addr res)
  673. when defined(nimHasStyleChecks):
  674. {.pop.}
  675. # Certificate validation
  676. # On old openSSL version some of these symbols are not available
  677. when not defined(nimDisableCertificateValidation) and not defined(windows):
  678. # proc SSL_get_peer_certificate*(ssl: SslCtx): PX509 =
  679. # loadPSSLMethod("SSL_get_peer_certificate", "SSL_get1_peer_certificate")
  680. when useOpenssl3:
  681. proc SSL_get1_peer_certificate*(ssl: SslCtx): PX509 {.cdecl, dynlib: DLLSSLName, importc.}
  682. proc SSL_get_peer_certificate*(ssl: SslCtx): PX509 =
  683. SSL_get1_peer_certificate(ssl)
  684. else:
  685. proc SSL_get_peer_certificate*(ssl: SslCtx): PX509 {.cdecl, dynlib: DLLSSLName, importc.}
  686. proc X509_get_subject_name*(a: PX509): PX509_NAME{.cdecl, dynlib: DLLSSLName, importc.}
  687. proc X509_get_issuer_name*(a: PX509): PX509_NAME{.cdecl, dynlib: DLLUtilName, importc.}
  688. proc X509_NAME_oneline*(a: PX509_NAME, buf: cstring, size: cint): cstring {.
  689. cdecl, dynlib:DLLSSLName, importc.}
  690. proc X509_NAME_get_text_by_NID*(subject:cstring, NID: cint, buf: cstring, size: cint): cint{.
  691. cdecl, dynlib:DLLSSLName, importc.}
  692. proc X509_check_host*(cert: PX509, name: cstring, namelen: cint, flags:cuint, peername: cstring): cint {.cdecl, dynlib: DLLSSLName, importc.}
  693. proc X509_free*(cert: PX509) {.cdecl, dynlib: DLLSSLName, importc.}
  694. # Certificates store
  695. type PX509_STORE* = SslPtr
  696. type PX509_OBJECT* = SslPtr
  697. {.push callconv:cdecl, dynlib:DLLUtilName, importc.}
  698. proc X509_OBJECT_new*(): PX509_OBJECT
  699. proc X509_OBJECT_free*(a: PX509_OBJECT)
  700. proc X509_STORE_new*(): PX509_STORE
  701. proc X509_STORE_free*(v: PX509_STORE)
  702. proc X509_STORE_lock*(ctx: PX509_STORE): cint
  703. proc X509_STORE_unlock*(ctx: PX509_STORE): cint
  704. proc X509_STORE_up_ref*(v: PX509_STORE): cint
  705. proc X509_STORE_set_flags*(ctx: PX509_STORE; flags: culong): cint
  706. proc X509_STORE_set_purpose*(ctx: PX509_STORE; purpose: cint): cint
  707. proc X509_STORE_set_trust*(ctx: PX509_STORE; trust: cint): cint
  708. proc X509_STORE_add_cert*(ctx: PX509_STORE; x: PX509): cint
  709. {.pop.}
  710. when isMainModule:
  711. # A simple certificate test
  712. let certbytes = readFile("certificate.der")
  713. let cert = d2i_X509(certbytes)
  714. let encoded = cert.i2d_X509()
  715. assert encoded == certbytes
  716. # Application Layer Protocol Negociation extension (TLS-ALPN, RFC7301)
  717. # Available in at least OpenSSL 1.1.1 and later, not sure if earlier
  718. # --Iced Quinn
  719. proc SSL_CTX_set_alpn_protos*(ctx: SslCtx; protos: cstring; protos_len: cuint): cint {.cdecl, dynlib: DLLSSLName, importc.}
  720. proc SSL_set_alpn_protos*(ssl: SslPtr; protos: cstring; protos_len: cuint): cint {.cdecl, dynlib: DLLSSLName, importc.}
  721. proc SSL_CTX_set_alpn_select_cb*(ctx: SslCtx; cb: proc(ssl: SslPtr; out_proto: ptr cstring; outlen: cstring; in_proto: cstring; inlen: cuint; arg: pointer): cint {.cdecl.}; arg: pointer): cint {.cdecl, dynlib: DLLSSLName, importc.}
  722. proc SSL_get0_alpn_selected*(ssl: SslPtr; data: ptr cstring; len: ptr cuint) {.cdecl, dynlib: DLLSSLName, importc.}
  723. proc SSL_CTX_set_next_protos_advertised_cb*(ctx: SslCtx; cb: proc(ssl: SslPtr; out_proto: ptr cstring; outlen: ptr cuint; arg: pointer): cint {.cdecl.}; arg: pointer) {.cdecl, dynlib: DLLSSLName, importc.}
  724. proc SSL_CTX_set_next_proto_select_cb*(ctx: SslCtx; cb: proc(s: SslPtr; out_proto: cstring; outlen: cstring; in_proto: cstring; inlen: cuint; arg: pointer): cint {.cdecl.}; arg: pointer) {.cdecl, dynlib: DLLSSLName, importc.}
  725. proc SSL_select_next_proto*(out_proto: ptr cstring; outlen: cstring; server: cstring; server_len: cuint; client: cstring; client_len: cuint): cint {.cdecl, dynlib: DLLSSLName, importc.}
  726. proc SSL_get0_next_proto_negotiated*(s: SslPtr; data: ptr cstring; len: ptr cuint) {.cdecl, dynlib: DLLSSLName, importc.}