1 /* 2 * Copyright 2022 XXIV 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 module rustls; 17 18 enum rustls_result { 19 OK = 7000, 20 IO = 7001, 21 NULL_PARAMETER = 7002, 22 INVALID_DNS_NAME_ERROR = 7003, 23 PANIC = 7004, 24 CERTIFICATE_PARSE_ERROR = 7005, 25 PRIVATE_KEY_PARSE_ERROR = 7006, 26 INSUFFICIENT_SIZE = 7007, 27 NOT_FOUND = 7008, 28 INVALID_PARAMETER = 7009, 29 UNEXPECTED_EOF = 7010, 30 PLAINTEXT_EMPTY = 7011, 31 CORRUPT_MESSAGE = 7100, 32 NO_CERTIFICATES_PRESENTED = 7101, 33 DECRYPT_ERROR = 7102, 34 FAILED_TO_GET_CURRENT_TIME = 7103, 35 FAILED_TO_GET_RANDOM_BYTES = 7113, 36 HANDSHAKE_NOT_COMPLETE = 7104, 37 PEER_SENT_OVERSIZED_RECORD = 7105, 38 NO_APPLICATION_PROTOCOL = 7106, 39 BAD_MAX_FRAGMENT_SIZE = 7114, 40 UNSUPPORTED_NAME_TYPE = 7115, 41 ENCRYPT_ERROR = 7116, 42 CERT_INVALID_ENCODING = 7117, 43 CERT_INVALID_SIGNATURE_TYPE = 7118, 44 CERT_INVALID_SIGNATURE = 7119, 45 CERT_INVALID_DATA = 7120, 46 PEER_INCOMPATIBLE_ERROR = 7107, 47 PEER_MISBEHAVED_ERROR = 7108, 48 INAPPROPRIATE_MESSAGE = 7109, 49 INAPPROPRIATE_HANDSHAKE_MESSAGE = 7110, 50 CORRUPT_MESSAGE_PAYLOAD = 7111, 51 GENERAL = 7112, 52 ALERT_CLOSE_NOTIFY = 7200, 53 ALERT_UNEXPECTED_MESSAGE = 7201, 54 ALERT_BAD_RECORD_MAC = 7202, 55 ALERT_DECRYPTION_FAILED = 7203, 56 ALERT_RECORD_OVERFLOW = 7204, 57 ALERT_DECOMPRESSION_FAILURE = 7205, 58 ALERT_HANDSHAKE_FAILURE = 7206, 59 ALERT_NO_CERTIFICATE = 7207, 60 ALERT_BAD_CERTIFICATE = 7208, 61 ALERT_UNSUPPORTED_CERTIFICATE = 7209, 62 ALERT_CERTIFICATE_REVOKED = 7210, 63 ALERT_CERTIFICATE_EXPIRED = 7211, 64 ALERT_CERTIFICATE_UNKNOWN = 7212, 65 ALERT_ILLEGAL_PARAMETER = 7213, 66 ALERT_UNKNOWN_CA = 7214, 67 ALERT_ACCESS_DENIED = 7215, 68 ALERT_DECODE_ERROR = 7216, 69 ALERT_DECRYPT_ERROR = 7217, 70 ALERT_EXPORT_RESTRICTION = 7218, 71 ALERT_PROTOCOL_VERSION = 7219, 72 ALERT_INSUFFICIENT_SECURITY = 7220, 73 ALERT_INTERNAL_ERROR = 7221, 74 ALERT_INAPPROPRIATE_FALLBACK = 7222, 75 ALERT_USER_CANCELED = 7223, 76 ALERT_NO_RENEGOTIATION = 7224, 77 ALERT_MISSING_EXTENSION = 7225, 78 ALERT_UNSUPPORTED_EXTENSION = 7226, 79 ALERT_CERTIFICATE_UNOBTAINABLE = 7227, 80 ALERT_UNRECOGNISED_NAME = 7228, 81 ALERT_BAD_CERTIFICATE_STATUS_RESPONSE = 7229, 82 ALERT_BAD_CERTIFICATE_HASH_VALUE = 7230, 83 ALERT_UNKNOWN_PSK_IDENTITY = 7231, 84 ALERT_CERTIFICATE_REQUIRED = 7232, 85 ALERT_NO_APPLICATION_PROTOCOL = 7233, 86 ALERT_UNKNOWN = 7234, 87 CERT_SCT_MALFORMED = 7319, 88 CERT_SCT_INVALID_SIGNATURE = 7320, 89 CERT_SCT_TIMESTAMP_IN_FUTURE = 7321, 90 CERT_SCT_UNSUPPORTED_VERSION = 7322, 91 CERT_SCT_UNKNOWN_LOG = 7323, 92 } 93 94 /** 95 * Definitions of known TLS protocol versions. 96 */ 97 enum rustls_tls_version { 98 VERSION_SSLV2 = 512, 99 VERSION_SSLV3 = 768, 100 VERSION_TLSV1_0 = 769, 101 VERSION_TLSV1_1 = 770, 102 VERSION_TLSV1_2 = 771, 103 VERSION_TLSV1_3 = 772, 104 } 105 106 /** 107 * An X.509 certificate, as used in rustls. 108 * Corresponds to `Certificate` in the Rust API. 109 * <https://docs.rs/rustls/0.20.0/rustls/struct.Certificate.html> 110 */ 111 struct rustls_certificate; 112 113 /** 114 * The complete chain of certificates to send during a TLS handshake, 115 * plus a private key that matches the end-entity (leaf) certificate. 116 * Corresponds to `CertifiedKey` in the Rust API. 117 * <https://docs.rs/rustls/0.20.0/rustls/sign/struct.CertifiedKey.html> 118 */ 119 struct rustls_certified_key; 120 121 /** 122 * A verifier of client certificates that requires all certificates to be 123 * trusted based on a given `rustls_root_cert_store`. Usable in building server 124 * configurations. Connections without such a client certificate will not 125 * be accepted. 126 */ 127 struct rustls_client_cert_verifier; 128 129 /** 130 * Alternative to `rustls_client_cert_verifier` that allows connections 131 * with or without a client certificate. If the client offers a certificate, 132 * it will be verified (and rejected if it is not valid). If the client 133 * does not offer a certificate, the connection will succeed. 134 * 135 * The application can retrieve the certificate, if any, with 136 * rustls_connection_get_peer_certificate. 137 */ 138 struct rustls_client_cert_verifier_optional; 139 140 /** 141 * A client config that is done being constructed and is now read-only. 142 * Under the hood, this object corresponds to an `Arc<ClientConfig>`. 143 * <https://docs.rs/rustls/0.20.0/rustls/struct.ClientConfig.html> 144 */ 145 struct rustls_client_config; 146 147 /** 148 * A client config being constructed. A builder can be modified by, 149 * e.g. rustls_client_config_builder_load_roots_from_file. Once you're 150 * done configuring settings, call rustls_client_config_builder_build 151 * to turn it into a *rustls_client_config. This object is not safe 152 * for concurrent mutation. Under the hood, it corresponds to a 153 * `Box<ClientConfig>`. 154 * <https://docs.rs/rustls/0.20.0/rustls/struct.ConfigBuilder.html> 155 */ 156 struct rustls_client_config_builder; 157 158 struct rustls_connection; 159 160 /** 161 * An alias for `struct iovec` from uio.h (on Unix) or `WSABUF` on Windows. You should cast 162 * `const struct rustls_iovec *` to `const struct iovec *` on Unix, or `const *LPWSABUF` 163 * on Windows. See [`std::io::IoSlice`] for details on interoperability with platform 164 * specific vectored IO. 165 */ 166 struct rustls_iovec; 167 168 /** 169 * A root certificate store. 170 * <https://docs.rs/rustls/0.20.0/rustls/struct.RootCertStore.html> 171 */ 172 struct rustls_root_cert_store; 173 174 /** 175 * A server config that is done being constructed and is now read-only. 176 * Under the hood, this object corresponds to an `Arc<ServerConfig>`. 177 * <https://docs.rs/rustls/0.20.0/rustls/struct.ServerConfig.html> 178 */ 179 struct rustls_server_config; 180 181 /** 182 * A server config being constructed. A builder can be modified by, 183 * e.g. rustls_server_config_builder_load_native_roots. Once you're 184 * done configuring settings, call rustls_server_config_builder_build 185 * to turn it into a *const rustls_server_config. This object is not safe 186 * for concurrent mutation. 187 * <https://docs.rs/rustls/0.20.0/rustls/struct.ConfigBuilder.html> 188 */ 189 struct rustls_server_config_builder; 190 191 /** 192 * A read-only view of a slice of Rust byte slices. 193 * 194 * This is used to pass data from rustls-ffi to callback functions provided 195 * by the user of the API. Because Vec and slice are not `#[repr(C)]`, we 196 * provide access via a pointer to an opaque struct and an accessor method 197 * that acts on that struct to get entries of type `rustls_slice_bytes`. 198 * Internally, the pointee is a `&[&[u8]]`. 199 * 200 * The memory exposed is available as specified by the function 201 * using this in its signature. For instance, when this is a parameter to a 202 * callback, the lifetime will usually be the duration of the callback. 203 * Functions that receive one of these must not call its methods beyond the 204 * allowed lifetime. 205 */ 206 struct rustls_slice_slice_bytes; 207 208 /** 209 * A read-only view of a slice of multiple Rust `&str`'s (that is, multiple 210 * strings). Like `rustls_str`, this guarantees that each string contains 211 * UTF-8 and no NUL bytes. Strings are not NUL-terminated. 212 * 213 * This is used to pass data from rustls-ffi to callback functions provided 214 * by the user of the API. Because Vec and slice are not `#[repr(C)]`, we 215 * can't provide a straightforward `data` and `len` structure. Instead, we 216 * provide access via a pointer to an opaque struct and accessor methods. 217 * Internally, the pointee is a `&[&str]`. 218 * 219 * The memory exposed is available as specified by the function 220 * using this in its signature. For instance, when this is a parameter to a 221 * callback, the lifetime will usually be the duration of the callback. 222 * Functions that receive one of these must not call its methods beyond the 223 * allowed lifetime. 224 */ 225 struct rustls_slice_str; 226 227 /** 228 * A cipher suite supported by rustls. 229 */ 230 struct rustls_supported_ciphersuite; 231 232 /** 233 * A read-only view on a Rust `&str`. The contents are guaranteed to be valid 234 * UTF-8. As an additional guarantee on top of Rust's normal UTF-8 guarantee, 235 * a `rustls_str` is guaranteed not to contain internal NUL bytes, so it is 236 * safe to interpolate into a C string or compare using strncmp. Keep in mind 237 * that it is not NUL-terminated. 238 * 239 * The memory exposed is available as specified by the function 240 * using this in its signature. For instance, when this is a parameter to a 241 * callback, the lifetime will usually be the duration of the callback. 242 * Functions that receive one of these must not dereference the data pointer 243 * beyond the allowed lifetime. 244 */ 245 struct rustls_str { 246 const char *data; 247 size_t len; 248 } 249 250 /** 251 * A read-only view on a Rust byte slice. 252 * 253 * This is used to pass data from rustls-ffi to callback functions provided 254 * by the user of the API. 255 * `len` indicates the number of bytes than can be safely read. 256 * 257 * The memory exposed is available as specified by the function 258 * using this in its signature. For instance, when this is a parameter to a 259 * callback, the lifetime will usually be the duration of the callback. 260 * Functions that receive one of these must not dereference the data pointer 261 * beyond the allowed lifetime. 262 */ 263 struct rustls_slice_bytes { 264 const ubyte *data; 265 size_t len; 266 } 267 268 /** 269 * User-provided input to a custom certificate verifier callback. See 270 * rustls_client_config_builder_dangerous_set_certificate_verifier(). 271 */ 272 alias rustls_verify_server_cert_user_data = void*; 273 274 /** 275 * Input to a custom certificate verifier callback. See 276 * rustls_client_config_builder_dangerous_set_certificate_verifier(). 277 */ 278 struct rustls_verify_server_cert_params { 279 rustls_slice_bytes end_entity_cert_der; 280 const rustls_slice_slice_bytes *intermediate_certs_der; 281 rustls_str dns_name; 282 rustls_slice_bytes ocsp_response; 283 } 284 285 extern(C) alias rustls_verify_server_cert_callback = uint function(rustls_verify_server_cert_user_data userdata, const rustls_verify_server_cert_params *params); 286 287 alias rustls_log_level = size_t; 288 289 struct rustls_log_params { 290 rustls_log_level level; 291 rustls_str message; 292 } 293 294 extern(C) alias rustls_log_callback = void function(void *userdata, const rustls_log_params *params); 295 296 /** 297 * A return value for a function that may return either success (0) or a 298 * non-zero value representing an error. The values should match socket 299 * error numbers for your operating system - for example, the integers for 300 * ETIMEDOUT, EAGAIN, or similar. 301 */ 302 alias rustls_io_result = int; 303 304 /** 305 * A callback for rustls_connection_read_tls. 306 * An implementation of this callback should attempt to read up to n bytes from the 307 * network, storing them in `buf`. If any bytes were stored, the implementation should 308 * set out_n to the number of bytes stored and return 0. If there was an error, 309 * the implementation should return a nonzero rustls_io_result, which will be 310 * passed through to the caller. On POSIX systems, returning `errno` is convenient. 311 * On other systems, any appropriate error code works. 312 * It's best to make one read attempt to the network per call. Additional reads will 313 * be triggered by subsequent calls to one of the `_read_tls` methods. 314 * `userdata` is set to the value provided to `rustls_connection_set_userdata`. In most 315 * cases that should be a struct that contains, at a minimum, a file descriptor. 316 * The buf and out_n pointers are borrowed and should not be retained across calls. 317 */ 318 extern(C) alias rustls_read_callback = rustls_io_result function(void *userdata, ubyte *buf, size_t n, size_t *out_n); 319 320 /** 321 * A callback for rustls_connection_write_tls. 322 * An implementation of this callback should attempt to write the `n` bytes in buf 323 * to the network. If any bytes were written, the implementation should 324 * set out_n to the number of bytes stored and return 0. If there was an error, 325 * the implementation should return a nonzero rustls_io_result, which will be 326 * passed through to the caller. On POSIX systems, returning `errno` is convenient. 327 * On other systems, any appropriate error code works. 328 * It's best to make one write attempt to the network per call. Additional writes will 329 * be triggered by subsequent calls to rustls_connection_write_tls. 330 * `userdata` is set to the value provided to `rustls_connection_set_userdata`. In most 331 * cases that should be a struct that contains, at a minimum, a file descriptor. 332 * The buf and out_n pointers are borrowed and should not be retained across calls. 333 */ 334 extern(C) alias rustls_write_callback = rustls_io_result function(void *userdata, const ubyte *buf, size_t n, size_t *out_n); 335 336 /** 337 * A callback for rustls_connection_write_tls_vectored. 338 * An implementation of this callback should attempt to write the bytes in 339 * the given `count` iovecs to the network. If any bytes were written, 340 * the implementation should set out_n to the number of bytes written and return 0. 341 * If there was an error, the implementation should return a nonzero rustls_io_result, 342 * which will be passed through to the caller. On POSIX systems, returning `errno` is convenient. 343 * On other systems, any appropriate error code works. 344 * It's best to make one write attempt to the network per call. Additional write will 345 * be triggered by subsequent calls to one of the `_write_tls` methods. 346 * `userdata` is set to the value provided to `rustls_*_session_set_userdata`. In most 347 * cases that should be a struct that contains, at a minimum, a file descriptor. 348 * The buf and out_n pointers are borrowed and should not be retained across calls. 349 */ 350 extern(C) alias rustls_write_vectored_callback = rustls_io_result function(void *userdata, const rustls_iovec *iov, size_t count, size_t *out_n); 351 352 /** 353 * Any context information the callback will receive when invoked. 354 */ 355 alias rustls_client_hello_userdata = void*; 356 357 /** 358 * A read-only view on a Rust slice of 16-bit integers in platform endianness. 359 * 360 * This is used to pass data from rustls-ffi to callback functions provided 361 * by the user of the API. 362 * `len` indicates the number of bytes than can be safely read. 363 * 364 * The memory exposed is available as specified by the function 365 * using this in its signature. For instance, when this is a parameter to a 366 * callback, the lifetime will usually be the duration of the callback. 367 * Functions that receive one of these must not dereference the data pointer 368 * beyond the allowed lifetime. 369 */ 370 struct rustls_slice_u16 { 371 const ushort *data; 372 size_t len; 373 } 374 375 /** 376 * The TLS Client Hello information provided to a ClientHelloCallback function. 377 * `sni_name` is the SNI servername provided by the client. If the client 378 * did not provide an SNI, the length of this `rustls_string` will be 0. The 379 * signature_schemes carries the values supplied by the client or, should 380 * the client not use this TLS extension, the default schemes in the rustls 381 * library. See: <https://docs.rs/rustls/0.20.0/rustls/internal/msgs/enums/enum.SignatureScheme.html>. 382 * `alpn` carries the list of ALPN protocol names that the client proposed to 383 * the server. Again, the length of this list will be 0 if none were supplied. 384 * 385 * All this data, when passed to a callback function, is only accessible during 386 * the call and may not be modified. Users of this API must copy any values that 387 * they want to access when the callback returned. 388 * 389 * EXPERIMENTAL: this feature of rustls-ffi is likely to change in the future, as 390 * the rustls library is re-evaluating their current approach to client hello handling. 391 */ 392 struct rustls_client_hello { 393 rustls_str sni_name; 394 rustls_slice_u16 signature_schemes; 395 const rustls_slice_slice_bytes *alpn; 396 } 397 398 /** 399 * Prototype of a callback that can be installed by the application at the 400 * `rustls_server_config`. This callback will be invoked by a `rustls_connection` 401 * once the TLS client hello message has been received. 402 * `userdata` will be set based on rustls_connection_set_userdata. 403 * `hello` gives the value of the available client announcements, as interpreted 404 * by rustls. See the definition of `rustls_client_hello` for details. 405 * 406 * NOTE: 407 * - the passed in `hello` and all its values are only available during the 408 * callback invocations. 409 * - the passed callback function must be safe to call multiple times concurrently 410 * with the same userdata, unless there is only a single config and connection 411 * where it is installed. 412 * 413 * EXPERIMENTAL: this feature of rustls-ffi is likely to change in the future, as 414 * the rustls library is re-evaluating their current approach to client hello handling. 415 */ 416 extern(C) alias rustls_client_hello_callback = const rustls_certified_key* function(rustls_client_hello_userdata userdata, const rustls_client_hello *hello); 417 418 /** 419 * Any context information the callback will receive when invoked. 420 */ 421 alias rustls_session_store_userdata = void*; 422 423 /** 424 * Prototype of a callback that can be installed by the application at the 425 * `rustls_server_config` or `rustls_client_config`. This callback will be 426 * invoked by a TLS session when looking up the data for a TLS session id. 427 * `userdata` will be supplied based on rustls_{client,server}_session_set_userdata. 428 * 429 * The `buf` points to `count` consecutive bytes where the 430 * callback is expected to copy the result to. The number of copied bytes 431 * needs to be written to `out_n`. The callback should not read any 432 * data from `buf`. 433 * 434 * If the value to copy is larger than `count`, the callback should never 435 * do a partial copy but instead remove the value from its store and 436 * act as if it was never found. 437 * 438 * The callback should return RUSTLS_RESULT_OK to indicate that a value was 439 * retrieved and written in its entirety into `buf`, or RUSTLS_RESULT_NOT_FOUND 440 * if no session was retrieved. 441 * 442 * When `remove_after` is != 0, the returned data needs to be removed 443 * from the store. 444 * 445 * NOTE: the passed in `key` and `buf` are only available during the 446 * callback invocation. 447 * NOTE: callbacks used in several sessions via a common config 448 * must be implemented thread-safe. 449 */ 450 extern(C) alias rustls_session_store_get_callback = uint function(rustls_session_store_userdata userdata, const rustls_slice_bytes *key, int remove_after, ubyte *buf, size_t count, size_t *out_n); 451 452 /** 453 * Prototype of a callback that can be installed by the application at the 454 * `rustls_server_config` or `rustls_client_config`. This callback will be 455 * invoked by a TLS session when a TLS session has been created and an id 456 * for later use is handed to the client/has been received from the server. 457 * `userdata` will be supplied based on rustls_{client,server}_session_set_userdata. 458 * 459 * The callback should return RUSTLS_RESULT_OK to indicate that a value was 460 * successfully stored, or RUSTLS_RESULT_IO on failure. 461 * 462 * NOTE: the passed in `key` and `val` are only available during the 463 * callback invocation. 464 * NOTE: callbacks used in several sessions via a common config 465 * must be implemented thread-safe. 466 */ 467 extern(C) alias rustls_session_store_put_callback = uint function(rustls_session_store_userdata userdata, const rustls_slice_bytes *key, const rustls_slice_bytes *val); 468 469 extern(C) const rustls_supported_ciphersuite[9] *RUSTLS_ALL_CIPHER_SUITES; 470 471 extern(C) const size_t RUSTLS_ALL_CIPHER_SUITES_LEN; 472 473 extern(C) const rustls_supported_ciphersuite[9] *RUSTLS_DEFAULT_CIPHER_SUITES; 474 475 extern(C) const size_t RUSTLS_DEFAULT_CIPHER_SUITES_LEN; 476 477 extern(C) const ushort[2] RUSTLS_ALL_VERSIONS; 478 479 extern(C) const size_t RUSTLS_ALL_VERSIONS_LEN; 480 481 extern(C) const ushort[2] RUSTLS_DEFAULT_VERSIONS; 482 483 extern(C) const size_t RUSTLS_DEFAULT_VERSIONS_LEN; 484 485 /** 486 * Returns a static string containing the rustls-ffi version as well as the 487 * rustls version. The string is alive for the lifetime of the program and does 488 * not need to be freed. 489 */ 490 extern(C) rustls_str rustls_version(); 491 492 /** 493 * Get the DER data of the certificate itself. 494 * The data is owned by the certificate and has the same lifetime. 495 */ 496 extern(C) rustls_result rustls_certificate_get_der(const rustls_certificate *cert, 497 const ubyte **out_der_data, 498 size_t *out_der_len); 499 500 /** 501 * Return a 16-bit unsigned integer corresponding to this cipher suite's assignment from 502 * <https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4>. 503 * The bytes from the assignment are interpreted in network order. 504 */ 505 extern(C) ushort rustls_supported_ciphersuite_get_suite(const rustls_supported_ciphersuite *supported_ciphersuite); 506 507 /** 508 * Returns the name of the ciphersuite as a `rustls_str`. If the provided 509 * ciphersuite is invalid, the rustls_str will contain the empty string. The 510 * lifetime of the `rustls_str` is the lifetime of the program, it does not 511 * need to be freed. 512 */ 513 extern(C) rustls_str rustls_supported_ciphersuite_get_name(const rustls_supported_ciphersuite *supported_ciphersuite); 514 515 /** 516 * Return the length of rustls' list of supported cipher suites. 517 */ 518 extern(C) size_t rustls_all_ciphersuites_len(); 519 520 /** 521 * Get a pointer to a member of rustls' list of supported cipher suites. This will return non-NULL 522 * for i < rustls_all_ciphersuites_len(). 523 * The returned pointer is valid for the lifetime of the program and may be used directly when 524 * building a ClientConfig or ServerConfig. 525 */ 526 extern(C) const(rustls_supported_ciphersuite)* rustls_all_ciphersuites_get_entry(size_t i); 527 528 /** 529 * Return the length of rustls' list of default cipher suites. 530 */ 531 extern(C) size_t rustls_default_ciphersuites_len(); 532 533 /** 534 * Get a pointer to a member of rustls' list of supported cipher suites. This will return non-NULL 535 * for i < rustls_default_ciphersuites_len(). 536 * The returned pointer is valid for the lifetime of the program and may be used directly when 537 * building a ClientConfig or ServerConfig. 538 */ 539 extern(C) const(rustls_supported_ciphersuite)* rustls_default_ciphersuites_get_entry(size_t i); 540 541 /** 542 * Build a `rustls_certified_key` from a certificate chain and a private key. 543 * `cert_chain` must point to a buffer of `cert_chain_len` bytes, containing 544 * a series of PEM-encoded certificates, with the end-entity (leaf) 545 * certificate first. 546 * 547 * `private_key` must point to a buffer of `private_key_len` bytes, containing 548 * a PEM-encoded private key in either PKCS#1 or PKCS#8 format. 549 * 550 * On success, this writes a pointer to the newly created 551 * `rustls_certified_key` in `certified_key_out`. That pointer must later 552 * be freed with `rustls_certified_key_free` to avoid memory leaks. Note that 553 * internally, this is an atomically reference-counted pointer, so even after 554 * the original caller has called `rustls_certified_key_free`, other objects 555 * may retain a pointer to the object. The memory will be freed when all 556 * references are gone. 557 * 558 * This function does not take ownership of any of its input pointers. It 559 * parses the pointed-to data and makes a copy of the result. You may 560 * free the cert_chain and private_key pointers after calling it. 561 * 562 * Typically, you will build a `rustls_certified_key`, use it to create a 563 * `rustls_server_config` (which increments the reference count), and then 564 * immediately call `rustls_certified_key_free`. That leaves the 565 * `rustls_server_config` in possession of the sole reference, so the 566 * `rustls_certified_key`'s memory will automatically be released when 567 * the `rustls_server_config` is freed. 568 */ 569 extern(C) rustls_result rustls_certified_key_build(const ubyte *cert_chain, 570 size_t cert_chain_len, 571 const ubyte *private_key, 572 size_t private_key_len, 573 const rustls_certified_key **certified_key_out); 574 575 /** 576 * Return the i-th rustls_certificate in the rustls_certified_key. 0 gives the 577 * end-entity certificate. 1 and higher give certificates from the chain. 578 * Indexes higher than the last available certificate return NULL. 579 * 580 * The returned certificate is valid until the rustls_certified_key is freed. 581 */ 582 extern(C) const(rustls_certificate)* rustls_certified_key_get_certificate(const rustls_certified_key *certified_key, 583 size_t i); 584 585 /** 586 * Create a copy of the rustls_certified_key with the given OCSP response data 587 * as DER encoded bytes. The OCSP response may be given as NULL to clear any 588 * possibly present OCSP data from the cloned key. 589 * The cloned key is independent from its original and needs to be freed 590 * by the application. 591 */ 592 extern(C) rustls_result rustls_certified_key_clone_with_ocsp(const rustls_certified_key *certified_key, 593 const rustls_slice_bytes *ocsp_response, 594 const rustls_certified_key **cloned_key_out); 595 596 /** 597 * "Free" a certified_key previously returned from 598 * rustls_certified_key_build. Since certified_key is actually an 599 * atomically reference-counted pointer, extant certified_key may still 600 * hold an internal reference to the Rust object. However, C code must 601 * consider this pointer unusable after "free"ing it. 602 * Calling with NULL is fine. Must not be called twice with the same value. 603 */ 604 extern(C) void rustls_certified_key_free(const rustls_certified_key *key); 605 606 /** 607 * Create a rustls_root_cert_store. Caller owns the memory and must 608 * eventually call rustls_root_cert_store_free. The store starts out empty. 609 * Caller must add root certificates with rustls_root_cert_store_add_pem. 610 * <https://docs.rs/rustls/0.20.0/rustls/struct.RootCertStore.html#method.empty> 611 */ 612 extern(C) rustls_root_cert_store *rustls_root_cert_store_new(); 613 614 /** 615 * Add one or more certificates to the root cert store using PEM encoded data. 616 * 617 * When `strict` is true an error will return a `CertificateParseError` 618 * result. So will an attempt to parse data that has zero certificates. 619 * 620 * When `strict` is false, unparseable root certificates will be ignored. 621 * This may be useful on systems that have syntactically invalid root 622 * certificates. 623 */ 624 extern(C) rustls_result rustls_root_cert_store_add_pem(rustls_root_cert_store *store, 625 const ubyte *pem, 626 size_t pem_len, 627 bool strict); 628 629 /** 630 * Free a rustls_root_cert_store previously returned from rustls_root_cert_store_builder_build. 631 * Calling with NULL is fine. Must not be called twice with the same value. 632 */ 633 extern(C) void rustls_root_cert_store_free(rustls_root_cert_store *store); 634 635 /** 636 * Create a new client certificate verifier for the root store. The verifier 637 * can be used in several rustls_server_config instances. Must be freed by 638 * the application when no longer needed. See the documentation of 639 * rustls_client_cert_verifier_free for details about lifetime. 640 * This copies the contents of the rustls_root_cert_store. It does not take 641 * ownership of the pointed-to memory. 642 */ 643 extern(C) const(rustls_client_cert_verifier)* rustls_client_cert_verifier_new(const rustls_root_cert_store *store); 644 645 /** 646 * "Free" a verifier previously returned from 647 * rustls_client_cert_verifier_new. Since rustls_client_cert_verifier is actually an 648 * atomically reference-counted pointer, extant server_configs may still 649 * hold an internal reference to the Rust object. However, C code must 650 * consider this pointer unusable after "free"ing it. 651 * Calling with NULL is fine. Must not be called twice with the same value. 652 */ 653 extern(C) void rustls_client_cert_verifier_free(const rustls_client_cert_verifier *verifier); 654 655 /** 656 * Create a new rustls_client_cert_verifier_optional for the root store. The 657 * verifier can be used in several rustls_server_config instances. Must be 658 * freed by the application when no longer needed. See the documentation of 659 * rustls_client_cert_verifier_optional_free for details about lifetime. 660 * This copies the contents of the rustls_root_cert_store. It does not take 661 * ownership of the pointed-to data. 662 */ 663 extern(C) const(rustls_client_cert_verifier_optional)* rustls_client_cert_verifier_optional_new(const rustls_root_cert_store *store); 664 665 /** 666 * "Free" a verifier previously returned from 667 * rustls_client_cert_verifier_optional_new. Since rustls_client_cert_verifier_optional 668 * is actually an atomically reference-counted pointer, extant server_configs may still 669 * hold an internal reference to the Rust object. However, C code must 670 * consider this pointer unusable after "free"ing it. 671 * Calling with NULL is fine. Must not be called twice with the same value. 672 */ 673 extern(C) void rustls_client_cert_verifier_optional_free(const rustls_client_cert_verifier_optional *verifier); 674 675 /** 676 * Create a rustls_client_config_builder. Caller owns the memory and must 677 * eventually call rustls_client_config_builder_build, then free the 678 * resulting rustls_client_config. 679 * This uses rustls safe default values 680 * for the cipher suites, key exchange groups and protocol versions. 681 * This starts out with no trusted roots. 682 * Caller must add roots with rustls_client_config_builder_load_roots_from_file 683 * or provide a custom verifier. 684 */ 685 extern(C) rustls_client_config_builder *rustls_client_config_builder_new(); 686 687 /** 688 * Create a rustls_client_config_builder. Caller owns the memory and must 689 * eventually call rustls_client_config_builder_build, then free the 690 * resulting rustls_client_config. Specify cipher suites in preference 691 * order; the `cipher_suites` parameter must point to an array containing 692 * `len` pointers to `rustls_supported_ciphersuite` previously obtained 693 * from `rustls_all_ciphersuites_get_entry()`, or to a provided array, 694 * RUSTLS_DEFAULT_CIPHER_SUITES or RUSTLS_ALL_CIPHER_SUITES. Set the TLS 695 * protocol versions to use when negotiating a TLS session. 696 * 697 * `tls_version` is the version of the protocol, as defined in rfc8446, 698 * ch. 4.2.1 and end of ch. 5.1. Some values are defined in 699 * `rustls_tls_version` for convenience, and the arrays 700 * RUSTLS_DEFAULT_VERSIONS or RUSTLS_ALL_VERSIONS can be used directly. 701 * 702 * `versions` will only be used during the call and the application retains 703 * ownership. `len` is the number of consecutive `uint16_t` pointed to by `versions`. 704 */ 705 extern(C) rustls_result rustls_client_config_builder_new_custom(const rustls_supported_ciphersuite ** cipher_suites, 706 size_t cipher_suites_len, 707 const ushort *tls_versions, 708 size_t tls_versions_len, 709 rustls_client_config_builder **builder_out); 710 711 /** 712 * Set a custom server certificate verifier. 713 * 714 * The callback must not capture any of the pointers in its 715 * rustls_verify_server_cert_params. 716 * If `userdata` has been set with rustls_connection_set_userdata, it 717 * will be passed to the callback. Otherwise the userdata param passed to 718 * the callback will be NULL. 719 * 720 * The callback must be safe to call on any thread at any time, including 721 * multiple concurrent calls. So, for instance, if the callback mutates 722 * userdata (or other shared state), it must use synchronization primitives 723 * to make such mutation safe. 724 * 725 * The callback receives certificate chain information as raw bytes. 726 * Currently this library offers no functions for C code to parse the 727 * certificates, so you'll need to bring your own certificate parsing library 728 * if you need to parse them. 729 * 730 * If you intend to write a verifier that accepts all certificates, be aware 731 * that special measures are required for IP addresses. Rustls currently 732 * (0.20.0) doesn't support building a ClientConnection with an IP address 733 * (because it's not a valid DnsNameRef). One workaround is to detect IP 734 * addresses and rewrite them to `example.invalid`, and _also_ to disable 735 * SNI via rustls_client_config_builder_set_enable_sni (IP addresses don't 736 * need SNI). 737 * 738 * If the custom verifier accepts the certificate, it should return 739 * RUSTLS_RESULT_OK. Otherwise, it may return any other rustls_result error. 740 * Feel free to use an appropriate error from the RUSTLS_RESULT_CERT_* 741 * section. 742 * 743 * <https://docs.rs/rustls/0.20.0/rustls/client/struct.DangerousClientConfig.html#method.set_certificate_verifier> 744 */ 745 extern(C) rustls_result rustls_client_config_builder_dangerous_set_certificate_verifier(rustls_client_config_builder *config_builder, 746 rustls_verify_server_cert_callback callback); 747 748 /** 749 * Use the trusted root certificates from the provided store. 750 * 751 * This replaces any trusted roots already configured with copies 752 * from `roots`. This adds 1 to the refcount for `roots`. When you 753 * call rustls_client_config_free or rustls_client_config_builder_free, 754 * those will subtract 1 from the refcount for `roots`. 755 */ 756 extern(C) rustls_result rustls_client_config_builder_use_roots(rustls_client_config_builder *config_builder, 757 const rustls_root_cert_store *roots); 758 759 /** 760 * Add trusted root certificates from the named file, which should contain 761 * PEM-formatted certificates. 762 */ 763 extern(C) rustls_result rustls_client_config_builder_load_roots_from_file(rustls_client_config_builder *config_builder, 764 const char *filename); 765 766 /** 767 * Set the ALPN protocol list to the given protocols. `protocols` must point 768 * to a buffer of `rustls_slice_bytes` (built by the caller) with `len` 769 * elements. Each element of the buffer must be a rustls_slice_bytes whose 770 * data field points to a single ALPN protocol ID. Standard ALPN protocol 771 * IDs are defined at 772 * <https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids>. 773 * 774 * This function makes a copy of the data in `protocols` and does not retain 775 * any pointers, so the caller can free the pointed-to memory after calling. 776 * 777 * <https://docs.rs/rustls/0.20.0/rustls/client/struct.ClientConfig.html#structfield.alpn_protocols> 778 */ 779 extern(C) rustls_result rustls_client_config_builder_set_alpn_protocols(rustls_client_config_builder *builder, 780 const rustls_slice_bytes *protocols, 781 size_t len); 782 783 /** 784 * Enable or disable SNI. 785 * <https://docs.rs/rustls/0.20.0/rustls/struct.ClientConfig.html#structfield.enable_sni> 786 */ 787 extern(C) void rustls_client_config_builder_set_enable_sni(rustls_client_config_builder *config, 788 bool enable); 789 790 /** 791 * Provide the configuration a list of certificates where the connection 792 * will select the first one that is compatible with the server's signature 793 * verification capabilities. Clients that want to support both ECDSA and 794 * RSA certificates will want the ECSDA to go first in the list. 795 * 796 * The built configuration will keep a reference to all certified keys 797 * provided. The client may `rustls_certified_key_free()` afterwards 798 * without the configuration losing them. The same certified key may also 799 * be used in multiple configs. 800 * 801 * EXPERIMENTAL: installing a client authentication callback will replace any 802 * configured certified keys and vice versa. 803 */ 804 extern(C) rustls_result rustls_client_config_builder_set_certified_key(rustls_client_config_builder *builder, 805 const rustls_certified_key **certified_keys, 806 size_t certified_keys_len); 807 808 /** 809 * Turn a *rustls_client_config_builder (mutable) into a const *rustls_client_config 810 * (read-only). 811 */ 812 extern(C) const(rustls_client_config)* rustls_client_config_builder_build(rustls_client_config_builder *builder); 813 814 /** 815 * "Free" a client_config_builder without building it into a rustls_client_config. 816 * Normally builders are built into rustls_client_config via `rustls_client_config_builder_build` 817 * and may not be free'd or otherwise used afterwards. 818 * Use free only when the building of a config has to be aborted before a config 819 * was created. 820 */ 821 extern(C) void rustls_client_config_builder_free(rustls_client_config_builder *config); 822 823 /** 824 * "Free" a rustls_client_config previously returned from 825 * rustls_client_config_builder_build. Since rustls_client_config is actually an 826 * atomically reference-counted pointer, extant client connections may still 827 * hold an internal reference to the Rust object. However, C code must 828 * consider this pointer unusable after "free"ing it. 829 * Calling with NULL is fine. Must not be called twice with the same value. 830 */ 831 extern(C) void rustls_client_config_free(const rustls_client_config *config); 832 833 /** 834 * Create a new rustls_connection containing a client connection and return 835 * it in the output parameter `out`. If this returns an error code, the 836 * memory pointed to by `conn_out` remains unchanged. If this returns a 837 * non-error, the memory pointed to by `conn_out` is modified to point at a 838 * valid rustls_connection. The caller now owns the rustls_connection and must 839 * call `rustls_connection_free` when done with it. 840 */ 841 extern(C) rustls_result rustls_client_connection_new(const rustls_client_config *config, 842 const char *hostname, 843 rustls_connection **conn_out); 844 845 /** 846 * Set the userdata pointer associated with this connection. This will be passed 847 * to any callbacks invoked by the connection, if you've set up callbacks in the config. 848 * The pointed-to data must outlive the connection. 849 */ 850 extern(C) void rustls_connection_set_userdata(rustls_connection *conn, void *userdata); 851 852 /** 853 * Set the logging callback for this connection. The log callback will be invoked 854 * with the userdata parameter previously set by rustls_connection_set_userdata, or 855 * NULL if no userdata was set. 856 */ 857 extern(C) void rustls_connection_set_log_callback(rustls_connection *conn, rustls_log_callback cb); 858 859 /** 860 * Read some TLS bytes from the network into internal buffers. The actual network 861 * I/O is performed by `callback`, which you provide. Rustls will invoke your 862 * callback with a suitable buffer to store the read bytes into. You don't have 863 * to fill it up, just fill with as many bytes as you get in one syscall. 864 * The `userdata` parameter is passed through directly to `callback`. Note that 865 * this is distinct from the `userdata` parameter set with 866 * `rustls_connection_set_userdata`. 867 * Returns 0 for success, or an errno value on error. Passes through return values 868 * from callback. See rustls_read_callback for more details. 869 * <https://docs.rs/rustls/0.20.0/rustls/enum.Connection.html#method.read_tls> 870 */ 871 extern(C) rustls_io_result rustls_connection_read_tls(rustls_connection *conn, 872 rustls_read_callback callback, 873 void *userdata, 874 size_t *out_n); 875 876 /** 877 * Write some TLS bytes to the network. The actual network I/O is performed by 878 * `callback`, which you provide. Rustls will invoke your callback with a 879 * suitable buffer containing TLS bytes to send. You don't have to write them 880 * all, just as many as you can in one syscall. 881 * The `userdata` parameter is passed through directly to `callback`. Note that 882 * this is distinct from the `userdata` parameter set with 883 * `rustls_connection_set_userdata`. 884 * Returns 0 for success, or an errno value on error. Passes through return values 885 * from callback. See rustls_write_callback for more details. 886 * <https://docs.rs/rustls/0.20.0/rustls/enum.Connection.html#method.write_tls> 887 */ 888 extern(C) rustls_io_result rustls_connection_write_tls(rustls_connection *conn, 889 rustls_write_callback callback, 890 void *userdata, 891 size_t *out_n); 892 893 /** 894 * Write all available TLS bytes to the network. The actual network I/O is performed by 895 * `callback`, which you provide. Rustls will invoke your callback with an array 896 * of rustls_slice_bytes, each containing a buffer with TLS bytes to send. 897 * You don't have to write them all, just as many as you are willing. 898 * The `userdata` parameter is passed through directly to `callback`. Note that 899 * this is distinct from the `userdata` parameter set with 900 * `rustls_connection_set_userdata`. 901 * Returns 0 for success, or an errno value on error. Passes through return values 902 * from callback. See rustls_write_callback for more details. 903 * <https://docs.rs/rustls/0.20.0/rustls/struct.Writer.html#method.write_vectored> 904 */ 905 extern(C) rustls_io_result rustls_connection_write_tls_vectored(rustls_connection *conn, 906 rustls_write_vectored_callback callback, 907 void *userdata, 908 size_t *out_n); 909 910 /** 911 * Decrypt any available ciphertext from the internal buffer and put it 912 * into the internal plaintext buffer, potentially making bytes available 913 * for rustls_connection_read(). 914 * <https://docs.rs/rustls/0.20.0/rustls/enum.Connection.html#method.process_new_packets> 915 */ 916 extern(C) rustls_result rustls_connection_process_new_packets(rustls_connection *conn); 917 918 /** 919 * <https://docs.rs/rustls/0.20.0/rustls/struct.CommonState.html#method.wants_read> 920 */ 921 extern(C) bool rustls_connection_wants_read(const rustls_connection *conn); 922 923 /** 924 * <https://docs.rs/rustls/0.20.0/rustls/struct.CommonState.html#method.wants_write> 925 */ 926 extern(C) bool rustls_connection_wants_write(const rustls_connection *conn); 927 928 /** 929 * <https://docs.rs/rustls/0.20.0/rustls/struct.CommonState.html#method.is_handshaking> 930 */ 931 extern(C) bool rustls_connection_is_handshaking(const rustls_connection *conn); 932 933 /** 934 * Sets a limit on the internal buffers used to buffer unsent plaintext (prior 935 * to completing the TLS handshake) and unsent TLS records. By default, there 936 * is no limit. The limit can be set at any time, even if the current buffer 937 * use is higher. 938 * <https://docs.rs/rustls/0.20.0/rustls/enum.Connection.html#method.set_buffer_limit> 939 */ 940 extern(C) void rustls_connection_set_buffer_limit(rustls_connection *conn, size_t n); 941 942 /** 943 * Queues a close_notify fatal alert to be sent in the next write_tls call. 944 * <https://docs.rs/rustls/0.20.0/rustls/enum.Connection.html#method.send_close_notify> 945 */ 946 extern(C) void rustls_connection_send_close_notify(rustls_connection *conn); 947 948 /** 949 * Return the i-th certificate provided by the peer. 950 * Index 0 is the end entity certificate. Higher indexes are certificates 951 * in the chain. Requesting an index higher than what is available returns 952 * NULL. 953 * The returned pointer is valid until the next mutating function call 954 * affecting the connection. A mutating function call is one where the 955 * first argument has type `struct rustls_connection *` (as opposed to 956 * `const struct rustls_connection *`). 957 * <https://docs.rs/rustls/0.20.0/rustls/enum.Connection.html#method.peer_certificates> 958 */ 959 extern(C) const(rustls_certificate)* rustls_connection_get_peer_certificate(const rustls_connection *conn, 960 size_t i); 961 962 /** 963 * Get the ALPN protocol that was negotiated, if any. Stores a pointer to a 964 * borrowed buffer of bytes, and that buffer's len, in the output parameters. 965 * The borrow lives as long as the connection. 966 * If the connection is still handshaking, or no ALPN protocol was negotiated, 967 * stores NULL and 0 in the output parameters. 968 * The provided pointer is valid until the next mutating function call 969 * affecting the connection. A mutating function call is one where the 970 * first argument has type `struct rustls_connection *` (as opposed to 971 * `const struct rustls_connection *`). 972 * <https://www.iana.org/assignments/tls-parameters/> 973 * <https://docs.rs/rustls/0.20.0/rustls/enum.Connection.html#method.alpn_protocol> 974 */ 975 extern(C) void rustls_connection_get_alpn_protocol(const rustls_connection *conn, 976 const ubyte **protocol_out, 977 size_t *protocol_out_len); 978 979 /** 980 * Return the TLS protocol version that has been negotiated. Before this 981 * has been decided during the handshake, this will return 0. Otherwise, 982 * the u16 version number as defined in the relevant RFC is returned. 983 * <https://docs.rs/rustls/0.20.0/rustls/enum.Connection.html#method.protocol_version> 984 * <https://docs.rs/rustls/0.20.0/rustls/internal/msgs/enums/enum.ProtocolVersion.html> 985 */ 986 extern(C) ushort rustls_connection_get_protocol_version(const rustls_connection *conn); 987 988 /** 989 * Retrieves the cipher suite agreed with the peer. 990 * This returns NULL until the ciphersuite is agreed. 991 * The returned pointer lives as long as the program. 992 * <https://docs.rs/rustls/0.20.0/rustls/enum.Connection.html#method.negotiated_cipher_suite> 993 */ 994 extern(C) const(rustls_supported_ciphersuite)* rustls_connection_get_negotiated_ciphersuite(const rustls_connection *conn); 995 996 /** 997 * Write up to `count` plaintext bytes from `buf` into the `rustls_connection`. 998 * This will increase the number of output bytes available to 999 * `rustls_connection_write_tls`. 1000 * On success, store the number of bytes actually written in *out_n 1001 * (this may be less than `count`). 1002 * <https://docs.rs/rustls/0.20.0/rustls/struct.Writer.html#method.write> 1003 */ 1004 extern(C) rustls_result rustls_connection_write(rustls_connection *conn, 1005 const ubyte *buf, 1006 size_t count, 1007 size_t *out_n); 1008 1009 /** 1010 * Read up to `count` plaintext bytes from the `rustls_connection` into `buf`. 1011 * On success, store the number of bytes read in *out_n (this may be less 1012 * than `count`). A success with *out_n set to 0 means "all bytes currently 1013 * available have been read, but more bytes may become available after 1014 * subsequent calls to rustls_connection_read_tls and 1015 * rustls_connection_process_new_packets." 1016 * 1017 * Subtle note: Even though this function only writes to `buf` and does not 1018 * read from it, the memory in `buf` must be initialized before the call (for 1019 * Rust-internal reasons). Initializing a buffer once and then using it 1020 * multiple times without zeroizing before each call is fine. 1021 * <https://docs.rs/rustls/0.20.0/rustls/struct.Reader.html#method.read> 1022 */ 1023 extern(C) rustls_result rustls_connection_read(rustls_connection *conn, 1024 ubyte *buf, 1025 size_t count, 1026 size_t *out_n); 1027 1028 version(DEFINE_READ_BUF) 1029 { 1030 /** 1031 * Read up to `count` plaintext bytes from the `rustls_connection` into `buf`. 1032 * On success, store the number of bytes read in *out_n (this may be less 1033 * than `count`). A success with *out_n set to 0 means "all bytes currently 1034 * available have been read, but more bytes may become available after 1035 * subsequent calls to rustls_connection_read_tls and 1036 * rustls_connection_process_new_packets." 1037 * 1038 * This experimental API is only available when using a nightly Rust compiler 1039 * and enabling the `read_buf` Cargo feature. It will be deprecated and later 1040 * removed in future versions. 1041 * 1042 * Unlike with `rustls_connection_read`, this function may be called with `buf` 1043 * pointing to an uninitialized memory buffer. 1044 */ 1045 extern(C) rustls_result rustls_connection_read_2(rustls_connection *conn, 1046 ubyte *buf, 1047 size_t count, 1048 size_t *out_n); 1049 } 1050 1051 /** 1052 * Free a rustls_connection. Calling with NULL is fine. 1053 * Must not be called twice with the same value. 1054 */ 1055 extern(C) void rustls_connection_free(rustls_connection *conn); 1056 1057 /** 1058 * After a rustls function returns an error, you may call 1059 * this to get a pointer to a buffer containing a detailed error 1060 * message. The contents of the error buffer will be out_n bytes long, 1061 * UTF-8 encoded, and not NUL-terminated. 1062 */ 1063 extern(C) void rustls_error(uint result, char *buf, size_t len, size_t *out_n); 1064 1065 extern(C) bool rustls_result_is_cert_error(uint result); 1066 1067 /** 1068 * Return a rustls_str containing the stringified version of a log level. 1069 */ 1070 extern(C) rustls_str rustls_log_level_str(rustls_log_level level); 1071 1072 /** 1073 * Return the length of the outer slice. If the input pointer is NULL, 1074 * returns 0. 1075 */ 1076 extern(C) size_t rustls_slice_slice_bytes_len(const rustls_slice_slice_bytes *input); 1077 1078 /** 1079 * Retrieve the nth element from the input slice of slices. If the input 1080 * pointer is NULL, or n is greater than the length of the 1081 * rustls_slice_slice_bytes, returns rustls_slice_bytes{NULL, 0}. 1082 */ 1083 extern(C) rustls_slice_bytes rustls_slice_slice_bytes_get(const rustls_slice_slice_bytes *input, 1084 size_t n); 1085 1086 /** 1087 * Return the length of the outer slice. If the input pointer is NULL, 1088 * returns 0. 1089 */ 1090 extern(C) size_t rustls_slice_str_len(const rustls_slice_str *input); 1091 1092 /** 1093 * Retrieve the nth element from the input slice of `&str`s. If the input 1094 * pointer is NULL, or n is greater than the length of the 1095 * rustls_slice_str, returns rustls_str{NULL, 0}. 1096 */ 1097 extern(C) rustls_str rustls_slice_str_get(const rustls_slice_str *input, size_t n); 1098 1099 /** 1100 * Create a rustls_server_config_builder. Caller owns the memory and must 1101 * eventually call rustls_server_config_builder_build, then free the 1102 * resulting rustls_server_config. This uses rustls safe default values 1103 * for the cipher suites, key exchange groups and protocol versions. 1104 */ 1105 extern(C) rustls_server_config_builder *rustls_server_config_builder_new(); 1106 1107 /** 1108 * Create a rustls_server_config_builder. Caller owns the memory and must 1109 * eventually call rustls_server_config_builder_build, then free the 1110 * resulting rustls_server_config. Specify cipher suites in preference 1111 * order; the `cipher_suites` parameter must point to an array containing 1112 * `len` pointers to `rustls_supported_ciphersuite` previously obtained 1113 * from `rustls_all_ciphersuites_get_entry()`. Set the TLS protocol 1114 * versions to use when negotiating a TLS session. 1115 * 1116 * `tls_version` is the version of the protocol, as defined in rfc8446, 1117 * ch. 4.2.1 and end of ch. 5.1. Some values are defined in 1118 * `rustls_tls_version` for convenience. 1119 * 1120 * `versions` will only be used during the call and the application retains 1121 * ownership. `len` is the number of consecutive `uint16_t` pointed to by `versions`. 1122 */ 1123 extern(C) rustls_result rustls_server_config_builder_new_custom(const rustls_supported_ciphersuite **cipher_suites, 1124 size_t cipher_suites_len, 1125 const ushort *tls_versions, 1126 size_t tls_versions_len, 1127 rustls_server_config_builder **builder_out); 1128 1129 /** 1130 * Create a rustls_server_config_builder for TLS sessions that require 1131 * valid client certificates. The passed rustls_client_cert_verifier may 1132 * be used in several builders. 1133 * For memory lifetime, see rustls_server_config_builder_new. 1134 */ 1135 extern(C) void rustls_server_config_builder_set_client_verifier(rustls_server_config_builder *builder, 1136 const rustls_client_cert_verifier *verifier); 1137 1138 /** 1139 * Create a rustls_server_config_builder for TLS sessions that accept 1140 * valid client certificates, but do not require them. The passed 1141 * rustls_client_cert_verifier_optional may be used in several builders. 1142 * For memory lifetime, see rustls_server_config_builder_new. 1143 */ 1144 extern(C) void rustls_server_config_builder_set_client_verifier_optional(rustls_server_config_builder *builder, 1145 const rustls_client_cert_verifier_optional *verifier); 1146 1147 /** 1148 * "Free" a server_config_builder without building it into a rustls_server_config. 1149 * Normally builders are built into rustls_server_configs via `rustls_server_config_builder_build` 1150 * and may not be free'd or otherwise used afterwards. 1151 * Use free only when the building of a config has to be aborted before a config 1152 * was created. 1153 */ 1154 extern(C) void rustls_server_config_builder_free(rustls_server_config_builder *config); 1155 1156 /** 1157 * With `ignore` != 0, the server will ignore the client ordering of cipher 1158 * suites, aka preference, during handshake and respect its own ordering 1159 * as configured. 1160 * <https://docs.rs/rustls/0.20.0/rustls/struct.ServerConfig.html#structfield.ignore_client_order> 1161 */ 1162 extern(C) rustls_result rustls_server_config_builder_set_ignore_client_order(rustls_server_config_builder *builder, 1163 bool ignore); 1164 1165 /** 1166 * Set the ALPN protocol list to the given protocols. `protocols` must point 1167 * to a buffer of `rustls_slice_bytes` (built by the caller) with `len` 1168 * elements. Each element of the buffer must point to a slice of bytes that 1169 * contains a single ALPN protocol from 1170 * <https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids>. 1171 * 1172 * This function makes a copy of the data in `protocols` and does not retain 1173 * any pointers, so the caller can free the pointed-to memory after calling. 1174 * 1175 * <https://docs.rs/rustls/0.20.0/rustls/server/struct.ServerConfig.html#structfield.alpn_protocols> 1176 */ 1177 extern(C) rustls_result rustls_server_config_builder_set_alpn_protocols(rustls_server_config_builder *builder, 1178 const rustls_slice_bytes *protocols, 1179 size_t len); 1180 1181 /** 1182 * Provide the configuration a list of certificates where the connection 1183 * will select the first one that is compatible with the client's signature 1184 * verification capabilities. Servers that want to support both ECDSA and 1185 * RSA certificates will want the ECSDA to go first in the list. 1186 * 1187 * The built configuration will keep a reference to all certified keys 1188 * provided. The client may `rustls_certified_key_free()` afterwards 1189 * without the configuration losing them. The same certified key may also 1190 * be used in multiple configs. 1191 * 1192 * EXPERIMENTAL: installing a client_hello callback will replace any 1193 * configured certified keys and vice versa. 1194 */ 1195 extern(C) rustls_result rustls_server_config_builder_set_certified_keys(rustls_server_config_builder *builder, 1196 const rustls_certified_key **certified_keys, 1197 size_t certified_keys_len); 1198 1199 /** 1200 * Turn a *rustls_server_config_builder (mutable) into a const *rustls_server_config 1201 * (read-only). 1202 */ 1203 extern(C) const(rustls_server_config)* rustls_server_config_builder_build(rustls_server_config_builder *builder); 1204 1205 /** 1206 * "Free" a rustls_server_config previously returned from 1207 * rustls_server_config_builder_build. Since rustls_server_config is actually an 1208 * atomically reference-counted pointer, extant server connections may still 1209 * hold an internal reference to the Rust object. However, C code must 1210 * consider this pointer unusable after "free"ing it. 1211 * Calling with NULL is fine. Must not be called twice with the same value. 1212 */ 1213 extern(C) void rustls_server_config_free(const rustls_server_config *config); 1214 1215 /** 1216 * Create a new rustls_connection containing a server connection, and return it 1217 * in the output parameter `out`. If this returns an error code, the memory 1218 * pointed to by `conn_out` remains unchanged. If this returns a non-error, 1219 * the memory pointed to by `conn_out` is modified to point 1220 * at a valid rustls_connection. The caller now owns the rustls_connection 1221 * and must call `rustls_connection_free` when done with it. 1222 */ 1223 extern(C) rustls_result rustls_server_connection_new(const rustls_server_config *config, 1224 rustls_connection **conn_out); 1225 1226 /** 1227 * Copy the SNI hostname to `buf` which can hold up to `count` bytes, 1228 * and the length of that hostname in `out_n`. The string is stored in UTF-8 1229 * with no terminating NUL byte. 1230 * Returns RUSTLS_RESULT_INSUFFICIENT_SIZE if the SNI hostname is longer than `count`. 1231 * Returns Ok with *out_n == 0 if there is no SNI hostname available on this connection 1232 * because it hasn't been processed yet, or because the client did not send SNI. 1233 * <https://docs.rs/rustls/0.20.0/rustls/server/struct.ServerConnection.html#method.sni_hostname> 1234 */ 1235 extern(C) rustls_result rustls_server_connection_get_sni_hostname(const rustls_connection *conn, 1236 ubyte *buf, 1237 size_t count, 1238 size_t *out_n); 1239 1240 /** 1241 * Register a callback to be invoked when a connection created from this config 1242 * sees a TLS ClientHello message. If `userdata` has been set with 1243 * rustls_connection_set_userdata, it will be passed to the callback. 1244 * Otherwise the userdata param passed to the callback will be NULL. 1245 * 1246 * Any existing `ResolvesServerCert` implementation currently installed in the 1247 * `rustls_server_config` will be replaced. This also means registering twice 1248 * will overwrite the first registration. It is not permitted to pass a NULL 1249 * value for `callback`. 1250 * 1251 * EXPERIMENTAL: this feature of rustls-ffi is likely to change in the future, as 1252 * the rustls library is re-evaluating their current approach to client hello handling. 1253 * Installing a client_hello callback will replace any configured certified keys 1254 * and vice versa. Same holds true for the set_certified_keys variant. 1255 */ 1256 extern(C) rustls_result rustls_server_config_builder_set_hello_callback(rustls_server_config_builder *builder, 1257 rustls_client_hello_callback callback); 1258 1259 /** 1260 * Select a `rustls_certified_key` from the list that matches the cryptographic 1261 * parameters of a TLS client hello. Note that this does not do any SNI matching. 1262 * The input certificates should already have been filtered to ones matching the 1263 * SNI from the client hello. 1264 * 1265 * This is intended for servers that are configured with several keys for the 1266 * same domain name(s), for example ECDSA and RSA types. The presented keys are 1267 * inspected in the order given and keys first in the list are given preference, 1268 * all else being equal. However rustls is free to choose whichever it considers 1269 * to be the best key with its knowledge about security issues and possible future 1270 * extensions of the protocol. 1271 * 1272 * Return RUSTLS_RESULT_OK if a key was selected and RUSTLS_RESULT_NOT_FOUND 1273 * if none was suitable. 1274 */ 1275 extern(C) rustls_result rustls_client_hello_select_certified_key(const rustls_client_hello *hello, 1276 const rustls_certified_key **certified_keys, 1277 size_t certified_keys_len, 1278 const rustls_certified_key **out_key); 1279 1280 /** 1281 * Register callbacks for persistence of TLS session IDs and secrets. Both 1282 * keys and values are highly sensitive data, containing enough information 1283 * to break the security of the connections involved. 1284 * 1285 * If `userdata` has been set with rustls_connection_set_userdata, it 1286 * will be passed to the callbacks. Otherwise the userdata param passed to 1287 * the callbacks will be NULL. 1288 */ 1289 extern(C) rustls_result rustls_server_config_builder_set_persistence(rustls_server_config_builder *builder, 1290 rustls_session_store_get_callback get_cb, 1291 rustls_session_store_put_callback put_cb);