openssl 0.10.45

use cfg_if::cfg_if;
use std::io::{Read, Write};
use std::ops::{Deref, DerefMut};

use crate::dh::Dh;
use crate::error::ErrorStack;
#[cfg(any(ossl111, libressl340))]
use crate::ssl::SslVersion;
use crate::ssl::{
    HandshakeError, Ssl, SslContext, SslContextBuilder, SslContextRef, SslMethod, SslMode,
    SslOptions, SslRef, SslStream, SslVerifyMode,
};
use crate::version;

const FFDHE_2048: &str = "
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
-----END DH PARAMETERS-----
";

#[allow(clippy::inconsistent_digit_grouping, clippy::unusual_byte_groupings)]
fn ctx(method: SslMethod) -> Result<SslContextBuilder, ErrorStack> {
    let mut ctx = SslContextBuilder::new(method)?;

    cfg_if! {
        if #[cfg(not(boringssl))] {
            let mut opts = SslOptions::ALL
                | SslOptions::NO_COMPRESSION
                | SslOptions::NO_SSLV2
                | SslOptions::NO_SSLV3
                | SslOptions::SINGLE_DH_USE
                | SslOptions::SINGLE_ECDH_USE;
            opts &= !SslOptions::DONT_INSERT_EMPTY_FRAGMENTS;

            ctx.set_options(opts);
        }
    }

    let mut mode =
        SslMode::AUTO_RETRY | SslMode::ACCEPT_MOVING_WRITE_BUFFER | SslMode::ENABLE_PARTIAL_WRITE;

    // This is quite a useful optimization for saving memory, but historically
    // caused CVEs in OpenSSL pre-1.0.1h, according to
    // https://bugs.python.org/issue25672
    if version::number() >= 0x1_00_01_08_0 {
        mode |= SslMode::RELEASE_BUFFERS;
    }

    ctx.set_mode(mode);

    Ok(ctx)
}

/// A type which wraps client-side streams in a TLS session.
///
/// OpenSSL's default configuration is highly insecure. This connector manages the OpenSSL
/// structures, configuring cipher suites, session options, hostname verification, and more.
///
/// OpenSSL's built-in hostname verification is used when linking against OpenSSL 1.0.2 or 1.1.0,
/// and a custom implementation is used when linking against OpenSSL 1.0.1.
#[derive(Clone, Debug)]
pub struct SslConnector(SslContext);

impl SslConnector {
    /// Creates a new builder for TLS connections.
    ///
    /// The default configuration is subject to change, and is currently derived from Python.
    pub fn builder(method: SslMethod) -> Result<SslConnectorBuilder, ErrorStack> {
        let mut ctx = ctx(method)?;
        ctx.set_default_verify_paths()?;
        ctx.set_cipher_list(
            "DEFAULT:!aNULL:!eNULL:!MD5:!3DES:!DES:!RC4:!IDEA:!SEED:!aDSS:!SRP:!PSK",
        )?;
        setup_verify(&mut ctx);

        Ok(SslConnectorBuilder(ctx))
    }

    /// Initiates a client-side TLS session on a stream.
    ///
    /// The domain is used for SNI and hostname verification.
    pub fn connect<S>(&self, domain: &str, stream: S) -> Result<SslStream<S>, HandshakeError<S>>
    where
        S: Read + Write,
    {
        self.configure()?.connect(domain, stream)
    }

    /// Returns a structure allowing for configuration of a single TLS session before connection.
    pub fn configure(&self) -> Result<ConnectConfiguration, ErrorStack> {
        Ssl::new(&self.0).map(|ssl| ConnectConfiguration {
            ssl,
            sni: true,
            verify_hostname: true,
        })
    }

    /// Consumes the `SslConnector`, returning the inner raw `SslContext`.
    pub fn into_context(self) -> SslContext {
        self.0
    }

    /// Returns a shared reference to the inner raw `SslContext`.
    pub fn context(&self) -> &SslContextRef {
        &self.0
    }
}

/// A builder for `SslConnector`s.
pub struct SslConnectorBuilder(SslContextBuilder);

impl SslConnectorBuilder {
    /// Consumes the builder, returning an `SslConnector`.
    pub fn build(self) -> SslConnector {
        SslConnector(self.0.build())
    }
}

impl Deref for SslConnectorBuilder {
    type Target = SslContextBuilder;

    fn deref(&self) -> &SslContextBuilder {
        &self.0
    }
}

impl DerefMut for SslConnectorBuilder {
    fn deref_mut(&mut self) -> &mut SslContextBuilder {
        &mut self.0
    }
}

/// A type which allows for configuration of a client-side TLS session before connection.
pub struct ConnectConfiguration {
    ssl: Ssl,
    sni: bool,
    verify_hostname: bool,
}

impl ConnectConfiguration {
    /// A builder-style version of `set_use_server_name_indication`.
    pub fn use_server_name_indication(mut self, use_sni: bool) -> ConnectConfiguration {
        self.set_use_server_name_indication(use_sni);
        self
    }

    /// Configures the use of Server Name Indication (SNI) when connecting.
    ///
    /// Defaults to `true`.
    pub fn set_use_server_name_indication(&mut self, use_sni: bool) {
        self.sni = use_sni;
    }

    /// A builder-style version of `set_verify_hostname`.
    pub fn verify_hostname(mut self, verify_hostname: bool) -> ConnectConfiguration {
        self.set_verify_hostname(verify_hostname);
        self
    }

    /// Configures the use of hostname verification when connecting.
    ///
    /// Defaults to `true`.
    ///
    /// # Warning
    ///
    /// You should think very carefully before you use this method. If hostname verification is not
    /// used, *any* valid certificate for *any* site will be trusted for use from any other. This
    /// introduces a significant vulnerability to man-in-the-middle attacks.
    pub fn set_verify_hostname(&mut self, verify_hostname: bool) {
        self.verify_hostname = verify_hostname;
    }

    /// Returns an `Ssl` configured to connect to the provided domain.
    ///
    /// The domain is used for SNI and hostname verification if enabled.
    pub fn into_ssl(mut self, domain: &str) -> Result<Ssl, ErrorStack> {
        if self.sni {
            self.ssl.set_hostname(domain)?;
        }

        if self.verify_hostname {
            setup_verify_hostname(&mut self.ssl, domain)?;
        }

        Ok(self.ssl)
    }

    /// Initiates a client-side TLS session on a stream.
    ///
    /// The domain is used for SNI and hostname verification if enabled.
    pub fn connect<S>(self, domain: &str, stream: S) -> Result<SslStream<S>, HandshakeError<S>>
    where
        S: Read + Write,
    {
        self.into_ssl(domain)?.connect(stream)
    }
}

impl Deref for ConnectConfiguration {
    type Target = SslRef;

    fn deref(&self) -> &SslRef {
        &self.ssl
    }
}

impl DerefMut for ConnectConfiguration {
    fn deref_mut(&mut self) -> &mut SslRef {
        &mut self.ssl
    }
}

/// A type which wraps server-side streams in a TLS session.
///
/// OpenSSL's default configuration is highly insecure. This connector manages the OpenSSL
/// structures, configuring cipher suites, session options, and more.
#[derive(Clone)]
pub struct SslAcceptor(SslContext);

impl SslAcceptor {
    /// Creates a new builder configured to connect to non-legacy clients. This should generally be
    /// considered a reasonable default choice.
    ///
    /// This corresponds to the intermediate configuration of version 5 of Mozilla's server side TLS
    /// recommendations. See its [documentation][docs] for more details on specifics.
    ///
    /// [docs]: https://wiki.mozilla.org/Security/Server_Side_TLS
    pub fn mozilla_intermediate_v5(method: SslMethod) -> Result<SslAcceptorBuilder, ErrorStack> {
        let mut ctx = ctx(method)?;
        ctx.set_options(SslOptions::NO_TLSV1 | SslOptions::NO_TLSV1_1);
        let dh = Dh::params_from_pem(FFDHE_2048.as_bytes())?;
        ctx.set_tmp_dh(&dh)?;
        setup_curves(&mut ctx)?;
        ctx.set_cipher_list(
            "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:\
             ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:\
             DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
        )?;
        #[cfg(any(ossl111, libressl340))]
        ctx.set_ciphersuites(
            "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256",
        )?;
        Ok(SslAcceptorBuilder(ctx))
    }

    /// Creates a new builder configured to connect to modern clients.
    ///
    /// This corresponds to the modern configuration of version 5 of Mozilla's server side TLS recommendations.
    /// See its [documentation][docs] for more details on specifics.
    ///
    /// Requires OpenSSL 1.1.1 or LibreSSL 3.4.0 or newer.
    ///
    /// [docs]: https://wiki.mozilla.org/Security/Server_Side_TLS
    #[cfg(any(ossl111, libressl340))]
    pub fn mozilla_modern_v5(method: SslMethod) -> Result<SslAcceptorBuilder, ErrorStack> {
        let mut ctx = ctx(method)?;
        ctx.set_min_proto_version(Some(SslVersion::TLS1_3))?;
        ctx.set_ciphersuites(
            "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256",
        )?;
        Ok(SslAcceptorBuilder(ctx))
    }

    /// Creates a new builder configured to connect to non-legacy clients. This should generally be
    /// considered a reasonable default choice.
    ///
    /// This corresponds to the intermediate configuration of version 4 of Mozilla's server side TLS
    /// recommendations. See its [documentation][docs] for more details on specifics.
    ///
    /// [docs]: https://wiki.mozilla.org/Security/Server_Side_TLS
    // FIXME remove in next major version
    pub fn mozilla_intermediate(method: SslMethod) -> Result<SslAcceptorBuilder, ErrorStack> {
        let mut ctx = ctx(method)?;
        ctx.set_options(SslOptions::CIPHER_SERVER_PREFERENCE);
        #[cfg(any(ossl111, libressl340))]
        ctx.set_options(SslOptions::NO_TLSV1_3);
        let dh = Dh::params_from_pem(FFDHE_2048.as_bytes())?;
        ctx.set_tmp_dh(&dh)?;
        setup_curves(&mut ctx)?;
        ctx.set_cipher_list(
            "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:\
             ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:\
             DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:\
             ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:\
             ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:\
             DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:\
             EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:\
             AES256-SHA:DES-CBC3-SHA:!DSS",
        )?;
        Ok(SslAcceptorBuilder(ctx))
    }

    /// Creates a new builder configured to connect to modern clients.
    ///
    /// This corresponds to the modern configuration of version 4 of Mozilla's server side TLS recommendations.
    /// See its [documentation][docs] for more details on specifics.
    ///
    /// [docs]: https://wiki.mozilla.org/Security/Server_Side_TLS
    // FIXME remove in next major version
    pub fn mozilla_modern(method: SslMethod) -> Result<SslAcceptorBuilder, ErrorStack> {
        let mut ctx = ctx(method)?;
        ctx.set_options(
            SslOptions::CIPHER_SERVER_PREFERENCE | SslOptions::NO_TLSV1 | SslOptions::NO_TLSV1_1,
        );
        #[cfg(any(ossl111, libressl340))]
        ctx.set_options(SslOptions::NO_TLSV1_3);
        setup_curves(&mut ctx)?;
        ctx.set_cipher_list(
            "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:\
             ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:\
             ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256",
        )?;
        Ok(SslAcceptorBuilder(ctx))
    }

    /// Initiates a server-side TLS session on a stream.
    pub fn accept<S>(&self, stream: S) -> Result<SslStream<S>, HandshakeError<S>>
    where
        S: Read + Write,
    {
        let ssl = Ssl::new(&self.0)?;
        ssl.accept(stream)
    }

    /// Consumes the `SslAcceptor`, returning the inner raw `SslContext`.
    pub fn into_context(self) -> SslContext {
        self.0
    }

    /// Returns a shared reference to the inner raw `SslContext`.
    pub fn context(&self) -> &SslContextRef {
        &self.0
    }
}

/// A builder for `SslAcceptor`s.
pub struct SslAcceptorBuilder(SslContextBuilder);

impl SslAcceptorBuilder {
    /// Consumes the builder, returning a `SslAcceptor`.
    pub fn build(self) -> SslAcceptor {
        SslAcceptor(self.0.build())
    }
}

impl Deref for SslAcceptorBuilder {
    type Target = SslContextBuilder;

    fn deref(&self) -> &SslContextBuilder {
        &self.0
    }
}

impl DerefMut for SslAcceptorBuilder {
    fn deref_mut(&mut self) -> &mut SslContextBuilder {
        &mut self.0
    }
}

cfg_if! {
    if #[cfg(ossl110)] {
        #[allow(clippy::unnecessary_wraps)]
        fn setup_curves(_: &mut SslContextBuilder) -> Result<(), ErrorStack> {
            Ok(())
        }
    } else if #[cfg(any(ossl102, libressl))] {
        fn setup_curves(ctx: &mut SslContextBuilder) -> Result<(), ErrorStack> {
            ctx.set_ecdh_auto(true)
        }
    } else {
        fn setup_curves(ctx: &mut SslContextBuilder) -> Result<(), ErrorStack> {
            use crate::ec::EcKey;
            use crate::nid::Nid;

            let curve = EcKey::from_curve_name(Nid::X9_62_PRIME256V1)?;
            ctx.set_tmp_ecdh(&curve)
        }
    }
}

cfg_if! {
    if #[cfg(any(ossl102, libressl261))] {
        fn setup_verify(ctx: &mut SslContextBuilder) {
            ctx.set_verify(SslVerifyMode::PEER);
        }

        fn setup_verify_hostname(ssl: &mut SslRef, domain: &str) -> Result<(), ErrorStack> {
            use crate::x509::verify::X509CheckFlags;

            let param = ssl.param_mut();
            param.set_hostflags(X509CheckFlags::NO_PARTIAL_WILDCARDS);
            match domain.parse() {
                Ok(ip) => param.set_ip(ip),
                Err(_) => param.set_host(domain),
            }
        }
    } else {
        fn setup_verify(ctx: &mut SslContextBuilder) {
            ctx.set_verify_callback(SslVerifyMode::PEER, verify::verify_callback);
        }

        fn setup_verify_hostname(ssl: &mut Ssl, domain: &str) -> Result<(), ErrorStack> {
            let domain = domain.to_string();
            let hostname_idx = verify::try_get_hostname_idx()?;
            ssl.set_ex_data(*hostname_idx, domain);
            Ok(())
        }

        mod verify {
            use std::net::IpAddr;
            use std::str;
            use once_cell::sync::OnceCell;

            use crate::error::ErrorStack;
            use crate::ex_data::Index;
            use crate::nid::Nid;
            use crate::ssl::Ssl;
            use crate::stack::Stack;
            use crate::x509::{
                GeneralName, X509NameRef, X509Ref, X509StoreContext, X509StoreContextRef,
                X509VerifyResult,
            };

            static HOSTNAME_IDX: OnceCell<Index<Ssl, String>> = OnceCell::new();

            pub fn try_get_hostname_idx() -> Result<&'static Index<Ssl, String>, ErrorStack> {
                HOSTNAME_IDX.get_or_try_init(Ssl::new_ex_index)
            }

            pub fn verify_callback(preverify_ok: bool, x509_ctx: &mut X509StoreContextRef) -> bool {
                if !preverify_ok || x509_ctx.error_depth() != 0 {
                    return preverify_ok;
                }

                let hostname_idx =
                    try_get_hostname_idx().expect("failed to initialize hostname index");
                let ok = match (
                    x509_ctx.current_cert(),
                    X509StoreContext::ssl_idx()
                        .ok()
                        .and_then(|idx| x509_ctx.ex_data(idx))
                        .and_then(|ssl| ssl.ex_data(*hostname_idx)),
                ) {
                    (Some(x509), Some(domain)) => verify_hostname(domain, &x509),
                    _ => true,
                };

                if !ok {
                    x509_ctx.set_error(X509VerifyResult::APPLICATION_VERIFICATION);
                }

                ok
            }

            fn verify_hostname(domain: &str, cert: &X509Ref) -> bool {
                match cert.subject_alt_names() {
                    Some(names) => verify_subject_alt_names(domain, names),
                    None => verify_subject_name(domain, &cert.subject_name()),
                }
            }

            fn verify_subject_alt_names(domain: &str, names: Stack<GeneralName>) -> bool {
                let ip = domain.parse();

                for name in &names {
                    match ip {
                        Ok(ip) => {
                            if let Some(actual) = name.ipaddress() {
                                if matches_ip(&ip, actual) {
                                    return true;
                                }
                            }
                        }
                        Err(_) => {
                            if let Some(pattern) = name.dnsname() {
                                if matches_dns(pattern, domain) {
                                    return true;
                                }
                            }
                        }
                    }
                }

                false
            }

            fn verify_subject_name(domain: &str, subject_name: &X509NameRef) -> bool {
                match subject_name.entries_by_nid(Nid::COMMONNAME).next() {
                    Some(pattern) => {
                        let pattern = match str::from_utf8(pattern.data().as_slice()) {
                            Ok(pattern) => pattern,
                            Err(_) => return false,
                        };

                        // Unlike SANs, IP addresses in the subject name don't have a
                        // different encoding.
                        match domain.parse::<IpAddr>() {
                            Ok(ip) => pattern
                                .parse::<IpAddr>()
                                .ok()
                                .map_or(false, |pattern| pattern == ip),
                            Err(_) => matches_dns(pattern, domain),
                        }
                    }
                    None => false,
                }
            }

            fn matches_dns(mut pattern: &str, mut hostname: &str) -> bool {
                // first strip trailing . off of pattern and hostname to normalize
                if pattern.ends_with('.') {
                    pattern = &pattern[..pattern.len() - 1];
                }
                if hostname.ends_with('.') {
                    hostname = &hostname[..hostname.len() - 1];
                }

                matches_wildcard(pattern, hostname).unwrap_or_else(|| pattern.eq_ignore_ascii_case(hostname))
            }

            fn matches_wildcard(pattern: &str, hostname: &str) -> Option<bool> {
                let wildcard_location = match pattern.find('*') {
                    Some(l) => l,
                    None => return None,
                };

                let mut dot_idxs = pattern.match_indices('.').map(|(l, _)| l);
                let wildcard_end = match dot_idxs.next() {
                    Some(l) => l,
                    None => return None,
                };

                // Never match wildcards if the pattern has less than 2 '.'s (no *.com)
                //
                // This is a bit dubious, as it doesn't disallow other TLDs like *.co.uk.
                // Chrome has a black- and white-list for this, but Firefox (via NSS) does
                // the same thing we do here.
                //
                // The Public Suffix (https://www.publicsuffix.org/) list could
                // potentially be used here, but it's both huge and updated frequently
                // enough that management would be a PITA.
                if dot_idxs.next().is_none() {
                    return None;
                }

                // Wildcards can only be in the first component, and must be the entire first label
                if wildcard_location != 0 || wildcard_end != wildcard_location + 1 {
                    return None;
                }

                let hostname_label_end = match hostname.find('.') {
                    Some(l) => l,
                    None => return None,
                };

                let pattern_after_wildcard = &pattern[wildcard_end..];
                let hostname_after_wildcard = &hostname[hostname_label_end..];

                Some(pattern_after_wildcard.eq_ignore_ascii_case(hostname_after_wildcard))
            }

            fn matches_ip(expected: &IpAddr, actual: &[u8]) -> bool {
                match *expected {
                    IpAddr::V4(ref addr) => actual == addr.octets(),
                    IpAddr::V6(ref addr) => actual == addr.octets(),
                }
            }

            #[test]
            fn test_dns_match() {
                use crate::ssl::connector::verify::matches_dns;
                assert!(matches_dns("website.tld", "website.tld")); // A name should match itself.
                assert!(matches_dns("website.tld", "wEbSiTe.tLd")); // DNS name matching ignores case of hostname.
                assert!(matches_dns("wEbSiTe.TlD", "website.tld")); // DNS name matching ignores case of subject.

                assert!(matches_dns("xn--bcher-kva.tld", "xn--bcher-kva.tld")); // Likewise, nothing special to punycode names.
                assert!(matches_dns("xn--bcher-kva.tld", "xn--BcHer-Kva.tLd")); // And punycode must be compared similarly case-insensitively.

                assert!(matches_dns("*.example.com", "subdomain.example.com")); // Wildcard matching works.
                assert!(matches_dns("*.eXaMpLe.cOm", "subdomain.example.com")); // Wildcard matching ignores case of subject.
                assert!(matches_dns("*.example.com", "sUbDoMaIn.eXaMpLe.cOm")); // Wildcard matching ignores case of hostname.

                assert!(!matches_dns("prefix*.example.com", "p.example.com")); // Prefix longer than the label works and does not match.
                assert!(!matches_dns("*suffix.example.com", "s.example.com")); // Suffix longer than the label works and does not match.

                assert!(!matches_dns("prefix*.example.com", "prefix.example.com")); // Partial wildcards do not work.
                assert!(!matches_dns("*suffix.example.com", "suffix.example.com")); // Partial wildcards do not work.

                assert!(!matches_dns("prefix*.example.com", "prefixdomain.example.com")); // Partial wildcards do not work.
                assert!(!matches_dns("*suffix.example.com", "domainsuffix.example.com")); // Partial wildcards do not work.

                assert!(!matches_dns("xn--*.example.com", "subdomain.example.com")); // Punycode domains with wildcard parts do not match.
                assert!(!matches_dns("xN--*.example.com", "subdomain.example.com")); // And we can't bypass a punycode test with weird casing.
                assert!(!matches_dns("Xn--*.example.com", "subdomain.example.com")); // And we can't bypass a punycode test with weird casing.
                assert!(!matches_dns("XN--*.example.com", "subdomain.example.com")); // And we can't bypass a punycode test with weird casing.
            }
        }
    }
}