/*
 *  Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
 *
 *  Author: Shawn Webb
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License version 2 as
 *  published by the Free Software Foundation.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with this program; if not, write to the Free Software
 *  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
 *  MA 02110-1301, USA.
 *
 *  In addition, as a special exception, the copyright holders give
 *  permission to link the code of portions of this program with the
 *  OpenSSL library under certain conditions as described in each
 *  individual source file, and distribute linked combinations
 *  including the two.
 *
 *  You must obey the GNU General Public License in all respects
 *  for all of the code used other than OpenSSL.  If you modify
 *  file(s) with this exception, you may extend this exception to your
 *  version of the file(s), but you are not obligated to do so.  If you
 *  do not wish to do so, delete this exception statement from your
 *  version.  If you delete this exception statement from all source
 *  files in the program, then also delete it here.
 */

#if !defined(_CLAMAV_CRYPTO_H)
#define _CLAMAV_CRYPTO_H

/**
 * \defgroup CryptoAPI ClamAV Crypto API
 * @{
 */

#define SHA1_HASH_SIZE 20
#define SHA256_HASH_SIZE 32

/**
 * Initialize the crypto system.
 * @return Always returns 0
 */
int cl_initialize_crypto(void);

/** Clean up the crypto system prior to program exit.
 */
void cl_cleanup_crypto(void);

/** Generate a hash of data.
 @param[in] alg The hashing algorithm to use
 @param[in] buf The data to be hashed
 @param[in] len The length of the to-be-hashed data
 @param[out] obuf An optional buffer to store the generated hash. Use NULL to dynamically allocate buffer.
 @param[out] olen An optional pointer that stores how long the generated hash is.
 @return A pointer to the generated hash or obuf if obuf is not NULL.
 */
unsigned char *cl_hash_data(char *alg, const void *buf, size_t len, unsigned char *obuf, unsigned int *olen);

/** Generate a hash of a file.
 @param[in] ctx A pointer to the OpenSSL EVP_MD_CTX object
 @param[in] fd The file descriptor
 @param[out] olen An optional pointer that stores how long the generated hash is
 @return A pointer to a dynamically-created buffer that holds the generated hash
 */
unsigned char *cl_hash_file_fd_ctx(EVP_MD_CTX *ctx, int fd, unsigned int *olen);

/** Generate a hash of a file.
 @param[in] fd The file descriptor
 @param[in] alg The hashing algorithm to use
 @param[out] olen An optional pointer that stores how long the generated hash is
 @return A pointer to a dynamically-created buffer that holds the generated hash
 */
unsigned char *cl_hash_file_fd(int fd, char *alg, unsigned int *olen);

/** Generate a hash of a file.
 @param[in] fp A pointer to a FILE object
 @param[in] alg The hashing algorithm to use
 @param[out] olen An optional pointer that stores how long the generated hash is
 @return A pointer to a dynamically-created buffer that holds the generated hash
 */
unsigned char *cl_hash_file_fp(FILE *fp, char *alg, unsigned int *olen);

/** Generate a sha256 hash of data
 @param[in] buf The data to hash
 @param[in] len The length of the to-be-hashed data
 @param[out] obuf An optional pointer to store the generated hash. Use NULL to dynamically allocate buffer.
 @param[out] olen An optional pointer that stores how long the generated hash is.
 @return A pointer to the buffer that holds the generated hash
 */
unsigned char *cl_sha256(const void *buf, size_t len, unsigned char *obuf, unsigned int *olen);

/** Generate a sha1 hash of data
 @param[in] buf The data to hash
 @param[in] len The length of the to-be-hashed data
 @param[out] obuf An optional pointer to store the generated hash. Use NULL to dynamically allocate buffer.
 @param[out] olen An optional pointer that stores how long the generated hash is.
 @return A pointer to the buffer that holds the generated hash or obuf if obuf is not NULL
 */
unsigned char *cl_sha1(const void *buf, size_t len, unsigned char *obuf, unsigned int *olen);

/** Verify validity of signed data
 @param[in] pkey The public key of the keypair that signed the data
 @param[in] alg The algorithm used to hash the data
 @param[in] sig The signature block
 @param[in] siglen The length of the signature
 @param[in] data The data that was signed
 @param[in] datalen The length of the data
 @param[in] decode Whether or not to base64-decode the signature prior to verification. 1 for yes, 0 for no.
 @return 0 for success, -1 for error or invalid signature
 */
int cl_verify_signature(EVP_PKEY *pkey, char *alg, unsigned char *sig, unsigned int siglen, unsigned char *data, size_t datalen, int decode);

/** Verify validity of signed data
 @param[in] pkey The public key of the keypair that signed the data
 @param[in] alg The algorithm used to hash the data
 @param[in] sig The signature block
 @param[in] siglen The length of the signature
 @param[in] digest The hash of the signed data
 @return 0 for success, -1 for error or invalid signature
 */
int cl_verify_signature_hash(EVP_PKEY *pkey, char *alg, unsigned char *sig, unsigned int siglen, unsigned char *digest);

/** Verify validity of signed data
 @param[in] pkey The public key of the keypair that signed the data
 @param[in] alg The algorithm used to hash the data
 @param[in] sig The signature block
 @param[in] siglen The length of the signature
 @param[in] fd The file descriptor
 @return 0 for success, -1 for error or invalid signature
 */
int cl_verify_signature_fd(EVP_PKEY *pkey, char *alg, unsigned char *sig, unsigned int siglen, int fd);

/** Verify validity of signed data
 @param[in] x509path The path to the public key of the keypair that signed the data
 @param[in] alg The algorithm used to hash the data
 @param[in] sig The signature block
 @param[in] siglen The length of the signature
 @param[in] digest The hash of the signed data
 @return 0 for success, -1 for error or invalid signature
 */
int cl_verify_signature_hash_x509_keyfile(char *x509path, char *alg, unsigned char *sig, unsigned int siglen, unsigned char *digest);

/** Verify validity of signed data
 @param[in] x509path The path to the public key of the keypair that signed the data
 @param[in] alg The algorithm used to hash the data
 @param[in] sig The signature block
 @param[in] siglen The length of the signature
 @param[in] fd The file descriptor
 @return 0 for success, -1 for error or invalid signature
 */
int cl_verify_signature_fd_x509_keyfile(char *x509path, char *alg, unsigned char *sig, unsigned int siglen, int fd);

/** Verify validity of signed data
 @param[in] x509path The path to the public key of the keypair that signed the data
 @param[in] alg The algorithm used to hash the data
 @param[in] sig The signature block
 @param[in] siglen The length of the signature
 @param[in] data The data that was signed
 @param[in] datalen The length of the data
 @param[in] decode Whether or not to base64-decode the signature prior to verification. 1 for yes, 0 for no.
 @return 0 for success, -1 for error or invalid signature
 */
int cl_verify_signature_x509_keyfile(char *x509path, char *alg, unsigned char *sig, unsigned int siglen, unsigned char *data, size_t datalen, int decode);

/** Verify validity of signed data
 @param[in] x509 The X509 object of the public key of the keypair that signed the data
 @param[in] alg The algorithm used to hash the data
 @param[in] sig The signature block
 @param[in] siglen The length of the signature
 @param[in] digest The hash of the signed data
 @return 0 for success, -1 for error or invalid signature
 */
int cl_verify_signature_hash_x509(X509 *x509, char *alg, unsigned char *sig, unsigned int siglen, unsigned char *digest);

/** Verify validity of signed data
 @param[in] x509 The X509 object of the public key of the keypair that signed the data
 @param[in] alg The algorithm used to hash the data
 @param[in] sig The signature block
 @param[in] siglen The length of the signature
 @param[in] fd The file descriptor
 @return 0 for success, -1 for error or invalid signature
 */
int cl_verify_signature_fd_x509(X509 *x509, char *alg, unsigned char *sig, unsigned int siglen, int fd);

/** Verify validity of signed data
 @param[in] x509 The X509 object of the public key of the keypair that signed the data
 @param[in] alg The algorithm used to hash the data
 @param[in] sig The signature block
 @param[in] siglen The length of the signature
 @param[in] data The data that was signed
 @param[in] datalen The length of the data
 @param[in] decode Whether or not to base64-decode the signature prior to verification. 1 for yes, 0 for no.
 @return 0 for success, -1 for error or invalid signature
 */
int cl_verify_signature_x509(X509 *x509, char *alg, unsigned char *sig, unsigned int siglen, unsigned char *data, size_t datalen, int decode);

/** Get an X509 object from memory
 * @param[in] data A pointer to a spot in memory that contains the PEM X509 cert
 * @param[in] len The length of the data
 * @return a pointer to the X509 object on success, NULL on error
 */
X509 *cl_get_x509_from_mem(void *data, unsigned int len);

/** Validate an X509 certificate chain, with the chain being located in a directory
 @param[in] tsdir The path to the trust store directory
 @param[in] certpath The path to the X509 certificate to be validated.
 @return 0 for success, -1 for error or invalid certificate.
 */
int cl_validate_certificate_chain_ts_dir(char *tsdir, char *certpath);

/** Validate an X509 certificate chain with support for a CRL
 @param[in] authorities A NULL-terminated array of strings that hold the path of the CA's X509 certificate
 @param[in] crlpath An optional path to the CRL file. NULL if no CRL.
 @param[in] certpath The path to the X509 certificate to be validated.
 @return 0 for success, -1 for error or invalid certificate.
 */
int cl_validate_certificate_chain(char **authorities, char *crlpath, char *certpath);

/** Load an X509 certificate from a file
 @param[in] certpath The path to the X509 certificate
 */
X509 *cl_load_cert(const char *certpath);

/** Parse an ASN1_TIME object
 @param[in] timeobj The ASN1_TIME object
 @return A pointer to a (struct tm). Adjusted for time zone and daylight savings time.
 */
struct tm *cl_ASN1_GetTimeT(ASN1_TIME *timeobj);

/** Load a CRL file into an X509_CRL object
 @param[in] file The path to the CRL
 @return A pointer to an X509_CRL object or NULL on error.
 */
X509_CRL *cl_load_crl(const char *timeobj);

/** Sign data with a key stored on disk
 @param[in] keypath The path to the RSA private key
 @param[in] alg The hash/signature algorithm to use
 @param[in] hash The hash to sign
 @param[out] olen A pointer that stores the size of the signature
 @param[in] Whether or not to base64-encode the signature. 1 for yes, 0 for no.
 @return The generated signature
 */
unsigned char *cl_sign_data_keyfile(char *keypath, char *alg, unsigned char *hash, unsigned int *olen, int encode);

/** Sign data with an RSA private key object
 @param[in] pkey The RSA private key object
 @param[in] alg The hash/signature algorithm to use
 @param[in] hash The hash to sign
 @param[out] olen A pointer that stores the size of the signature
 @param[in] Whether or not to base64-encode the signature. 1 for yes, 0 for no.
 @return The generated signature
 */
unsigned char *cl_sign_data(EVP_PKEY *pkey, char *alg, unsigned char *hash, unsigned int *olen, int encode);

/** Sign a file with an RSA private key object
 @param[in] fd The file descriptor
 @param[in] pkey The RSA private key object
 @param[in] alg The hash/signature algorithm to use
 @param[out] olen A pointer that stores the size of the signature
 @param[in] encode Whether or not to base64-encode the signature. 1 for yes, 0 for no.
 */
unsigned char *cl_sign_file_fd(int fd, EVP_PKEY *pkey, char *alg, unsigned int *olen, int encode);

/** Sign a file with an RSA private key object
 @param[in] fp A pointer to a FILE object
 @param[in] pkey The RSA private key object
 @param[in] alg The hash/signature algorithm to use
 @param[out] olen A pointer that stores the size of the signature
 @param[in] encode Whether or not to base64-encode the signature. 1 for yes, 0 for no.
 */
unsigned char *cl_sign_file_fp(FILE *fp, EVP_PKEY *pkey, char *alg, unsigned int *olen, int encode);

/** Get the Private Key stored on disk
 * @param[in] keypath The path on disk where the private key is stored
 * @return A pointer to the EVP_PKEY object that contains the private key in memory
 */
EVP_PKEY *cl_get_pkey_file(char *keypath);

void *cl_hash_init(const char *alg);
int cl_update_hash(void *ctx, void *data, size_t sz);
int cl_finish_hash(void *ctx, void *buf);
void cl_hash_destroy(void *ctx);

/**
 * @}
 */

#endif