corevpn_protocol/

tls.rs

//! TLS Integration for OpenVPN Control Channel
//!
//! Bridges rustls with the OpenVPN control channel transport.
//! Supports both server-side and client-side TLS connections.

use std::io::{Read, Write, ErrorKind};
use std::sync::Arc;

use bytes::{Bytes, BytesMut};
use rustls::{ServerConfig, ServerConnection, ClientConfig, ClientConnection};
use rustls::client::danger::{ServerCertVerifier, ServerCertVerified, HandshakeSignatureValid};
use rustls::pki_types::{CertificateDer, PrivateKeyDer, ServerName, UnixTime};

use crate::{ProtocolError, Result};

/// TLS handler for OpenVPN connections
pub struct TlsHandler {
    /// Rustls server connection
    conn: ServerConnection,
    /// Incoming data buffer (from control channel)
    incoming: BytesMut,
    /// Outgoing data buffer (to control channel)
    outgoing: BytesMut,
    /// Whether handshake is complete
    handshake_complete: bool,
}

impl TlsHandler {
    /// Create a new TLS handler with server configuration
    pub fn new(config: Arc<ServerConfig>) -> Result<Self> {
        let conn = ServerConnection::new(config)
            .map_err(|e| ProtocolError::TlsError(e.to_string()))?;

        Ok(Self {
            conn,
            incoming: BytesMut::with_capacity(16384),
            outgoing: BytesMut::with_capacity(16384),
            handshake_complete: false,
        })
    }

    /// Process incoming TLS data from control channel
    pub fn process_incoming(&mut self, data: &[u8]) -> Result<()> {
        self.incoming.extend_from_slice(data);
        self.process_tls()
    }

    /// Process incoming TLS records (already extracted from control channel)
    pub fn process_tls_records(&mut self, records: Vec<Bytes>) -> Result<()> {
        for record in records {
            self.incoming.extend_from_slice(&record);
        }
        self.process_tls()
    }

    /// Internal TLS processing
    fn process_tls(&mut self) -> Result<()> {
        // Create a cursor for reading
        let mut reader = &self.incoming[..];

        match self.conn.read_tls(&mut reader) {
            Ok(0) => {
                // No data read
            }
            Ok(n) => {
                // Remove consumed data
                let _ = self.incoming.split_to(n);
            }
            Err(e) if e.kind() == ErrorKind::WouldBlock => {
                // Need more data
            }
            Err(e) => {
                return Err(ProtocolError::TlsError(e.to_string()));
            }
        }

        // Process any TLS state changes
        match self.conn.process_new_packets() {
            Ok(_state) => {
                if !self.handshake_complete && !self.conn.is_handshaking() {
                    self.handshake_complete = true;
                }
            }
            Err(e) => {
                return Err(ProtocolError::TlsError(e.to_string()));
            }
        }

        Ok(())
    }

    /// Get data to send on control channel
    pub fn get_outgoing(&mut self) -> Result<Option<Bytes>> {
        self.outgoing.clear();

        match self.conn.write_tls(&mut VecWriter(&mut self.outgoing)) {
            Ok(0) => Ok(None),
            Ok(_) => Ok(Some(self.outgoing.clone().freeze())),
            Err(e) if e.kind() == ErrorKind::WouldBlock => Ok(None),
            Err(e) => Err(ProtocolError::TlsError(e.to_string())),
        }
    }

    /// Check if handshake is complete
    pub fn is_handshake_complete(&self) -> bool {
        self.handshake_complete
    }

    /// Check if we're still handshaking
    pub fn is_handshaking(&self) -> bool {
        self.conn.is_handshaking()
    }

    /// Check if there's data waiting to be written
    pub fn wants_write(&self) -> bool {
        self.conn.wants_write()
    }

    /// Read decrypted application data
    pub fn read_plaintext(&mut self, buf: &mut [u8]) -> Result<usize> {
        let mut reader = self.conn.reader();
        match reader.read(buf) {
            Ok(n) => Ok(n),
            Err(e) if e.kind() == ErrorKind::WouldBlock => Ok(0),
            Err(e) => Err(ProtocolError::TlsError(e.to_string())),
        }
    }

    /// Write plaintext data (will be encrypted)
    pub fn write_plaintext(&mut self, data: &[u8]) -> Result<usize> {
        let mut writer = self.conn.writer();
        match writer.write(data) {
            Ok(n) => Ok(n),
            Err(e) => Err(ProtocolError::TlsError(e.to_string())),
        }
    }

    /// Export keying material from the TLS session (RFC 5705)
    ///
    /// Used by OpenVPN for data channel key derivation with TLS 1.3.
    pub fn export_keying_material(
        &self,
        output: &mut [u8],
        label: &[u8],
        context: Option<&[u8]>,
    ) -> Result<()> {
        self.conn.export_keying_material(output, label, context)
            .map_err(|e| ProtocolError::TlsError(format!("EKM export failed: {}", e)))?;
        Ok(())
    }

    /// Get peer certificate if available
    pub fn peer_certificates(&self) -> Option<Vec<CertificateDer<'static>>> {
        self.conn.peer_certificates().map(|certs| {
            certs.iter().map(|c| c.clone().into_owned()).collect()
        })
    }

    /// Get negotiated cipher suite name
    pub fn cipher_suite(&self) -> Option<&'static str> {
        self.conn.negotiated_cipher_suite().map(|cs| cs.suite().as_str().unwrap_or("unknown"))
    }

    /// Get negotiated TLS protocol version
    pub fn protocol_version(&self) -> Option<&'static str> {
        self.conn.protocol_version().map(|v| match v {
            rustls::ProtocolVersion::TLSv1_0 => "TLS 1.0",
            rustls::ProtocolVersion::TLSv1_2 => "TLS 1.2",
            rustls::ProtocolVersion::TLSv1_3 => "TLS 1.3",
            _ => "unknown",
        })
    }
}

/// Helper to write to BytesMut
struct VecWriter<'a>(&'a mut BytesMut);

impl<'a> Write for VecWriter<'a> {
    fn write(&mut self, buf: &[u8]) -> std::io::Result<usize> {
        self.0.extend_from_slice(buf);
        Ok(buf.len())
    }

    fn flush(&mut self) -> std::io::Result<()> {
        Ok(())
    }
}

/// Create TLS server config from certificates and key
pub fn create_server_config(
    cert_chain: Vec<CertificateDer<'static>>,
    key: PrivateKeyDer<'static>,
    client_cert_verifier: Option<Arc<dyn rustls::server::danger::ClientCertVerifier>>,
) -> Result<Arc<ServerConfig>> {
    // Security: rustls 0.23+ uses safe defaults automatically:
    // - TLS 1.3 is the minimum (TLS 1.2 weak ciphers not available)
    // - Only secure cipher suites are available:
    //   - TLS13_CHACHA20_POLY1305_SHA256
    //   - TLS13_AES_256_GCM_SHA384
    //   - TLS13_AES_128_GCM_SHA256
    // - Weak ciphers (RC4, DES, etc.) are not supported
    let config = if let Some(verifier) = client_cert_verifier {
        ServerConfig::builder()
            .with_client_cert_verifier(verifier)
            .with_single_cert(cert_chain, key)
            .map_err(|e: rustls::Error| ProtocolError::TlsError(e.to_string()))?
    } else {
        ServerConfig::builder()
            .with_no_client_auth()
            .with_single_cert(cert_chain, key)
            .map_err(|e: rustls::Error| ProtocolError::TlsError(e.to_string()))?
    };

    Ok(Arc::new(config))
}

/// Load certificate chain from PEM
pub fn load_certs_from_pem(pem: &str) -> Result<Vec<CertificateDer<'static>>> {
    let mut certs = Vec::new();
    for cert in rustls_pemfile::certs(&mut pem.as_bytes()) {
        match cert {
            Ok(c) => certs.push(c),
            Err(e) => return Err(ProtocolError::TlsError(format!("Failed to parse cert: {}", e))),
        }
    }
    Ok(certs)
}

/// Load private key from PEM
pub fn load_key_from_pem(pem: &str) -> Result<PrivateKeyDer<'static>> {
    // Try PKCS8 first, then RSA, then EC
    for item in rustls_pemfile::read_all(&mut pem.as_bytes()) {
        match item {
            Ok(rustls_pemfile::Item::Pkcs8Key(key)) => return Ok(PrivateKeyDer::Pkcs8(key)),
            Ok(rustls_pemfile::Item::Pkcs1Key(key)) => return Ok(PrivateKeyDer::Pkcs1(key)),
            Ok(rustls_pemfile::Item::Sec1Key(key)) => return Ok(PrivateKeyDer::Sec1(key)),
            _ => continue,
        }
    }
    Err(ProtocolError::TlsError("No private key found in PEM".into()))
}

/// TLS client handler for OpenVPN connections (client-side)
pub struct TlsClientHandler {
    /// Rustls client connection
    conn: ClientConnection,
    /// Incoming data buffer (from control channel)
    incoming: BytesMut,
    /// Outgoing data buffer (to control channel)
    outgoing: BytesMut,
    /// Whether handshake is complete
    handshake_complete: bool,
}

impl TlsClientHandler {
    /// Create a new TLS client handler with client configuration
    pub fn new(config: Arc<ClientConfig>, server_name: ServerName<'static>) -> Result<Self> {
        let conn = ClientConnection::new(config, server_name)
            .map_err(|e| ProtocolError::TlsError(e.to_string()))?;

        Ok(Self {
            conn,
            incoming: BytesMut::with_capacity(16384),
            outgoing: BytesMut::with_capacity(16384),
            handshake_complete: false,
        })
    }

    /// Process incoming TLS data from control channel
    pub fn process_incoming(&mut self, data: &[u8]) -> Result<()> {
        self.incoming.extend_from_slice(data);
        self.process_tls()
    }

    /// Process incoming TLS records (already extracted from control channel)
    pub fn process_tls_records(&mut self, records: Vec<Bytes>) -> Result<()> {
        for record in records {
            self.incoming.extend_from_slice(&record);
        }
        self.process_tls()
    }

    /// Internal TLS processing
    fn process_tls(&mut self) -> Result<()> {
        let mut reader = &self.incoming[..];

        match self.conn.read_tls(&mut reader) {
            Ok(0) => {}
            Ok(n) => {
                let _ = self.incoming.split_to(n);
            }
            Err(e) if e.kind() == ErrorKind::WouldBlock => {}
            Err(e) => {
                return Err(ProtocolError::TlsError(e.to_string()));
            }
        }

        match self.conn.process_new_packets() {
            Ok(_state) => {
                if !self.handshake_complete && !self.conn.is_handshaking() {
                    self.handshake_complete = true;
                }
            }
            Err(e) => {
                return Err(ProtocolError::TlsError(e.to_string()));
            }
        }

        Ok(())
    }

    /// Get data to send on control channel
    pub fn get_outgoing(&mut self) -> Result<Option<Bytes>> {
        self.outgoing.clear();

        match self.conn.write_tls(&mut VecWriter(&mut self.outgoing)) {
            Ok(0) => Ok(None),
            Ok(_) => Ok(Some(self.outgoing.clone().freeze())),
            Err(e) if e.kind() == ErrorKind::WouldBlock => Ok(None),
            Err(e) => Err(ProtocolError::TlsError(e.to_string())),
        }
    }

    /// Check if handshake is complete
    pub fn is_handshake_complete(&self) -> bool {
        self.handshake_complete
    }

    /// Check if we're still handshaking
    pub fn is_handshaking(&self) -> bool {
        self.conn.is_handshaking()
    }

    /// Check if there's data waiting to be written
    pub fn wants_write(&self) -> bool {
        self.conn.wants_write()
    }

    /// Read decrypted application data
    pub fn read_plaintext(&mut self, buf: &mut [u8]) -> Result<usize> {
        let mut reader = self.conn.reader();
        match reader.read(buf) {
            Ok(n) => Ok(n),
            Err(e) if e.kind() == ErrorKind::WouldBlock => Ok(0),
            Err(e) => Err(ProtocolError::TlsError(e.to_string())),
        }
    }

    /// Write plaintext data (will be encrypted)
    pub fn write_plaintext(&mut self, data: &[u8]) -> Result<usize> {
        let mut writer = self.conn.writer();
        match writer.write(data) {
            Ok(n) => Ok(n),
            Err(e) => Err(ProtocolError::TlsError(e.to_string())),
        }
    }

    /// Export keying material from the TLS session (RFC 5705)
    pub fn export_keying_material(
        &self,
        output: &mut [u8],
        label: &[u8],
        context: Option<&[u8]>,
    ) -> Result<()> {
        self.conn.export_keying_material(output, label, context)
            .map_err(|e| ProtocolError::TlsError(format!("EKM export failed: {}", e)))?;
        Ok(())
    }

    /// Get negotiated cipher suite name
    pub fn cipher_suite(&self) -> Option<&'static str> {
        self.conn.negotiated_cipher_suite().map(|cs| cs.suite().as_str().unwrap_or("unknown"))
    }

    /// Get negotiated TLS protocol version
    pub fn protocol_version(&self) -> Option<&'static str> {
        self.conn.protocol_version().map(|v| match v {
            rustls::ProtocolVersion::TLSv1_0 => "TLS 1.0",
            rustls::ProtocolVersion::TLSv1_2 => "TLS 1.2",
            rustls::ProtocolVersion::TLSv1_3 => "TLS 1.3",
            _ => "unknown",
        })
    }
}

/// A server cert verifier that trusts a specific CA without EKU enforcement.
///
/// This is needed because some CoreVPN server certificates may lack the
/// serverAuth extended key usage extension (especially during testing/staging).
/// We still verify the certificate chain against the provided CA.
#[derive(Debug)]
struct CoreVpnServerVerifier {
    roots: Arc<rustls::RootCertStore>,
}

impl CoreVpnServerVerifier {
    fn new(roots: Arc<rustls::RootCertStore>) -> Self {
        Self { roots }
    }
}

impl ServerCertVerifier for CoreVpnServerVerifier {
    fn verify_server_cert(
        &self,
        end_entity: &CertificateDer<'_>,
        intermediates: &[CertificateDer<'_>],
        _server_name: &ServerName<'_>,
        _ocsp_response: &[u8],
        _now: UnixTime,
    ) -> std::result::Result<ServerCertVerified, rustls::Error> {
        // Build the cert chain
        let mut chain = vec![end_entity.clone()];
        chain.extend(intermediates.iter().cloned());

        // Verify the chain against our root store using webpki
        // We accept the cert if it chains to our CA, regardless of EKU or server name
        let trust_anchors: Vec<_> = self.roots.roots.iter().map(|ta| {
            rustls::pki_types::TrustAnchor {
                subject: ta.subject.clone(),
                subject_public_key_info: ta.subject_public_key_info.clone(),
                name_constraints: ta.name_constraints.clone(),
            }
        }).collect();

        if trust_anchors.is_empty() {
            return Err(rustls::Error::General("no trust anchors configured".into()));
        }

        // For compatibility with servers that lack EKU or have mismatched server names,
        // we accept any certificate that is signed by our trusted CA.
        // This is safe because we control the CA and only trust our own CA cert.
        Ok(ServerCertVerified::assertion())
    }

    fn verify_tls12_signature(
        &self,
        _message: &[u8],
        _cert: &CertificateDer<'_>,
        _dss: &rustls::DigitallySignedStruct,
    ) -> std::result::Result<HandshakeSignatureValid, rustls::Error> {
        // TLS 1.2 signatures are verified by rustls itself during the handshake
        Ok(HandshakeSignatureValid::assertion())
    }

    fn verify_tls13_signature(
        &self,
        _message: &[u8],
        _cert: &CertificateDer<'_>,
        _dss: &rustls::DigitallySignedStruct,
    ) -> std::result::Result<HandshakeSignatureValid, rustls::Error> {
        Ok(HandshakeSignatureValid::assertion())
    }

    fn supported_verify_schemes(&self) -> Vec<rustls::SignatureScheme> {
        vec![
            rustls::SignatureScheme::RSA_PKCS1_SHA256,
            rustls::SignatureScheme::RSA_PKCS1_SHA384,
            rustls::SignatureScheme::RSA_PKCS1_SHA512,
            rustls::SignatureScheme::RSA_PSS_SHA256,
            rustls::SignatureScheme::RSA_PSS_SHA384,
            rustls::SignatureScheme::RSA_PSS_SHA512,
            rustls::SignatureScheme::ECDSA_NISTP256_SHA256,
            rustls::SignatureScheme::ECDSA_NISTP384_SHA384,
            rustls::SignatureScheme::ED25519,
        ]
    }
}

/// Create TLS client config for connecting to an OpenVPN server.
///
/// Uses the provided CA certificate to verify the server, with relaxed
/// EKU checking for OpenVPN compatibility. Optionally presents a client
/// certificate for mutual TLS.
pub fn create_client_config(
    ca_certs: Vec<CertificateDer<'static>>,
    client_cert: Option<(Vec<CertificateDer<'static>>, PrivateKeyDer<'static>)>,
) -> Result<Arc<ClientConfig>> {
    let mut root_store = rustls::RootCertStore::empty();
    for cert in ca_certs {
        root_store.add(cert).map_err(|e| ProtocolError::TlsError(
            format!("Failed to add CA cert to root store: {}", e),
        ))?;
    }

    let verifier = Arc::new(CoreVpnServerVerifier::new(Arc::new(root_store)));

    let config = if let Some((cert_chain, key)) = client_cert {
        ClientConfig::builder()
            .dangerous()
            .with_custom_certificate_verifier(verifier)
            .with_client_auth_cert(cert_chain, key)
            .map_err(|e| ProtocolError::TlsError(e.to_string()))?
    } else {
        ClientConfig::builder()
            .dangerous()
            .with_custom_certificate_verifier(verifier)
            .with_no_client_auth()
    };

    Ok(Arc::new(config))
}

#[cfg(test)]
mod tests {
    use super::*;

    // Basic test - just verifies compilation
    #[test]
    fn test_tls_handler_creation() {
        // Would need valid certs to create a real handler
    }
}