/*

* Copyright (c) 2010-2018 Isode Limited.

* All rights reserved.

* See the COPYING file for more information.

*/

#include <Swiften/Base/Platform.h>

#ifdef SWIFTEN_PLATFORM_WINDOWS

#include <windows.h>

#include <wincrypt.h>

#endif

#include <cassert>

#include <memory>

#include <vector>

#include <openssl/err.h>

#include <openssl/pkcs12.h>

#if defined(SWIFTEN_PLATFORM_MACOSX)

#include <Security/Security.h>

#endif

#include <Swiften/Base/Log.h>

#include <Swiften/Base/Algorithm.h>

#include <Swiften/TLS/OpenSSL/OpenSSLContext.h>

#include <Swiften/TLS/OpenSSL/OpenSSLCertificate.h>

#include <Swiften/TLS/CertificateWithKey.h>

#include <Swiften/TLS/PKCS12Certificate.h>

#pragma GCC diagnostic ignored "-Wold-style-cast"

#pragma GCC diagnostic ignored "-Wdeprecated-declarations"

#pragma clang diagnostic ignored "-Wshorten-64-to-32"

#pragma clang diagnostic ignored "-Wcast-align"

#pragma clang diagnostic ignored "-Wsign-conversion"

namespace Swift {

static const int MAX_FINISHED_SIZE = 4096;

static const int SSL_READ_BUFFERSIZE = 8192;

static void freeX509Stack(STACK_OF(X509)* stack) {

sk_X509_free(stack);

}

namespace {

std::unique_ptr<SSL_CTX> createSSL_CTX(OpenSSLContext::Mode mode) {

std::unique_ptr<SSL_CTX> sslCtx;

switch (mode) {

case OpenSSLContext::Mode::Client:

sslCtx = std::unique_ptr<SSL_CTX>(SSL_CTX_new(SSLv23_client_method()));

break;

case OpenSSLContext::Mode::Server:

sslCtx = std::unique_ptr<SSL_CTX>(SSL_CTX_new(SSLv23_server_method()));

break;

}

return sslCtx;

}

std::string openSSLInternalErrorToString() {

auto bio = std::shared_ptr<BIO>(BIO_new(BIO_s_mem()), BIO_free);

ERR_print_errors(bio.get());

std::string errorString;

errorString.resize(BIO_pending(bio.get()));

BIO_read(bio.get(), (void*)errorString.data(), errorString.size());

return errorString;

}

}

OpenSSLContext::OpenSSLContext(Mode mode) : mode_(mode), state_(State::Start) {

ensureLibraryInitialized();

context_ = createSSL_CTX(mode_);

SSL_CTX_set_options(context_.get(), SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);

if (mode_ == Mode::Server) {

SSL_CTX_set_tlsext_servername_arg(context_.get(), this);

SSL_CTX_set_tlsext_servername_callback(context_.get(), OpenSSLContext::handleServerNameCallback);

}

// TODO: implement CRL checking

// TODO: download CRL (HTTP transport)

// TODO: cache CRL downloads for configurable time period

// TODO: implement OCSP support

// TODO: handle OCSP stapling see https://www.rfc-editor.org/rfc/rfc4366.txt

// Load system certs

#if defined(SWIFTEN_PLATFORM_WINDOWS)

X509_STORE* store = SSL_CTX_get_cert_store(context_.get());

HCERTSTORE systemStore = CertOpenSystemStore(0, "ROOT");

if (systemStore) {

PCCERT_CONTEXT certContext = NULL;

while (true) {

certContext = CertFindCertificateInStore(systemStore, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 0, CERT_FIND_ANY, NULL, certContext);

if (!certContext) {

break;

}

OpenSSLCertificate cert(createByteArray(certContext->pbCertEncoded, certContext->cbCertEncoded));

if (store && cert.getInternalX509()) {

X509_STORE_add_cert(store, cert.getInternalX509().get());

}

}

}

#elif !defined(SWIFTEN_PLATFORM_MACOSX)

SSL_CTX_set_default_verify_paths(context_.get());

#elif defined(SWIFTEN_PLATFORM_MACOSX) && !defined(SWIFTEN_PLATFORM_IPHONE)

return false;

}

// Parse PKCS12

X509 *certPtr = nullptr;

EVP_PKEY* privateKeyPtr = nullptr;

STACK_OF(X509)* caCertsPtr = nullptr;

SafeByteArray password(pkcs12Certificate->getPassword());

password.push_back(0);

int result = PKCS12_parse(pkcs12.get(), reinterpret_cast<const char*>(vecptr(password)), &privateKeyPtr, &certPtr, &caCertsPtr);

if (result != 1) {

return false;

}

std::shared_ptr<X509> cert(certPtr, X509_free);

std::shared_ptr<EVP_PKEY> privateKey(privateKeyPtr, EVP_PKEY_free);

std::shared_ptr<STACK_OF(X509)> caCerts(caCertsPtr, freeX509Stack);

// Use the key & certificates

if (SSL_CTX_use_certificate(context_.get(), cert.get()) != 1) {

return false;

}

if (SSL_CTX_use_PrivateKey(context_.get(), privateKey.get()) != 1) {

return false;

}

for (int i = 0; i < sk_X509_num(caCerts.get()); ++i) {

SSL_CTX_add_extra_chain_cert(context_.get(), sk_X509_value(caCerts.get(), i));

}

return true;

}

std::vector<Certificate::ref> OpenSSLContext::getPeerCertificateChain() const {

std::vector<Certificate::ref> result;

STACK_OF(X509)* chain = SSL_get_peer_cert_chain(handle_.get());

for (int i = 0; i < sk_X509_num(chain); ++i) {

std::shared_ptr<X509> x509Cert(X509_dup(sk_X509_value(chain, i)), X509_free);

Certificate::ref cert = std::make_shared<OpenSSLCertificate>(x509Cert);

result.push_back(cert);

}

return result;

}

std::shared_ptr<CertificateVerificationError> OpenSSLContext::getPeerCertificateVerificationError() const {

int verifyResult = SSL_get_verify_result(handle_.get());

if (verifyResult != X509_V_OK) {

return std::make_shared<CertificateVerificationError>(getVerificationErrorTypeForResult(verifyResult));

}

else {

return std::shared_ptr<CertificateVerificationError>();

}

}

ByteArray OpenSSLContext::getFinishMessage() const {

ByteArray data;

data.resize(MAX_FINISHED_SIZE);

auto size = SSL_get_finished(handle_.get(), vecptr(data), data.size());

data.resize(size);

return data;

}