/**

 * FreeRDP: A Remote Desktop Protocol Implementation

 * Certificate Handling

 *

 * Copyright 2011 Jiten Pathy

 * Copyright 2011-2012 Marc-Andre Moreau <marcandre.moreau@gmail.com>

 *

 * Licensed under the Apache License, Version 2.0 (the "License");

 * you may not use this file except in compliance with the License.

 * You may obtain a copy of the License at

 *

 *     http://www.apache.org/licenses/LICENSE-2.0

 *

 * Unless required by applicable law or agreed to in writing, software

 * distributed under the License is distributed on an "AS IS" BASIS,

 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

 * See the License for the specific language governing permissions and

 * limitations under the License.

 */

#ifdef HAVE_CONFIG_H

#include "config.h"

#endif

#include <errno.h>

#include <stdio.h>

#include <string.h>

#include <ctype.h>

#include <winpr/crypto.h>

#include <winpr/crt.h>

#include <winpr/file.h>

#include <winpr/path.h>

#include <openssl/pem.h>

#include <openssl/rsa.h>

static const char certificate_store_dir[] = "certs";

static const char certificate_server_dir[] = "server";

static const char certificate_known_hosts_file[] = "known_hosts2";

static const char certificate_legacy_hosts_file[] = "known_hosts";

#include <freerdp/log.h>

#include <freerdp/crypto/certificate.h>

#define TAG FREERDP_TAG("crypto")

static BOOL certificate_split_line(char* line, char** host, UINT16* port, char** subject,

                                   char** issuer, char** fingerprint);

static BOOL certificate_line_is_comment(const char* line, size_t length)

{

	while (length > 0)

	{

		switch (*line)

		{

			case ' ':

			case '\t':

				line++;

				length--;

				break;

			case '#':

				return TRUE;

			default:

				return FALSE;

		}

	}

	return TRUE;

}

static BOOL certificate_store_init(rdpCertificateStore* certificate_store)

{

	char* server_path = NULL;

	rdpSettings* settings;

	settings = certificate_store->settings;

	if (!PathFileExistsA(settings->ConfigPath))

	{

		if (!PathMakePathA(settings->ConfigPath, 0))

		{

			WLog_ERR(TAG, "error creating directory '%s'", settings->ConfigPath);

			goto fail;

		}

		WLog_INFO(TAG, "creating directory %s", settings->ConfigPath);

	}

	if (!(certificate_store->path =

	          GetCombinedPath(settings->ConfigPath, (char*)certificate_store_dir)))

		goto fail;

	if (!PathFileExistsA(certificate_store->path))

	{

		if (!PathMakePathA(certificate_store->path, 0))

		{

			WLog_ERR(TAG, "error creating directory [%s]", certificate_store->path);

			goto fail;

		}

		WLog_INFO(TAG, "creating directory [%s]", certificate_store->path);

	}

	if (!(server_path = GetCombinedPath(settings->ConfigPath, (char*)certificate_server_dir)))

		goto fail;

	if (!PathFileExistsA(server_path))

	{

		if (!PathMakePathA(server_path, 0))

		{

			WLog_ERR(TAG, "error creating directory [%s]", server_path);

			goto fail;

		}

		WLog_INFO(TAG, "created directory [%s]", server_path);

	}

	if (!(certificate_store->file =

	          GetCombinedPath(settings->ConfigPath, (char*)certificate_known_hosts_file)))

		goto fail;

	if (!(certificate_store->legacy_file =

	          GetCombinedPath(settings->ConfigPath, (char*)certificate_legacy_hosts_file)))

		goto fail;

	free(server_path);

	return TRUE;

fail:

	WLog_ERR(TAG, "certificate store initialization failed");

	free(server_path);

	free(certificate_store->path);

	free(certificate_store->file);

	certificate_store->path = NULL;

	certificate_store->file = NULL;

	return FALSE;

}

static int certificate_data_match_legacy(rdpCertificateStore* certificate_store,

                                         rdpCertificateData* certificate_data)

{

	HANDLE fp;

	int match = 1;

	char* data;

	char* mdata;

	char* pline;

	char* hostname = NULL;

	DWORD lowSize, highSize;

	UINT64 size;

	size_t length;

	DWORD read;

	/* Assure POSIX style paths, CreateFile expects either '/' or '\\' */

	PathCchConvertStyleA(certificate_store->legacy_file, strlen(certificate_store->legacy_file),

	                     PATH_STYLE_UNIX);

	fp = CreateFileA(certificate_store->legacy_file, GENERIC_READ, FILE_SHARE_READ, NULL,

	                 OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);

	if (fp == INVALID_HANDLE_VALUE)

		return match;

	if ((lowSize = GetFileSize(fp, &highSize)) == INVALID_FILE_SIZE)

	{

		WLog_ERR(TAG, "GetFileSize(%s) returned %s [0x%08" PRIX32 "]",

		         certificate_store->legacy_file, strerror(errno), GetLastError());

		CloseHandle(fp);

		return match;

	}

	size = (UINT64)lowSize | ((UINT64)highSize << 32);

	if (size < 1)

	{

		CloseHandle(fp);

		return match;

	}

	mdata = (char*)malloc(size + 2);

	if (!mdata)

	{

		CloseHandle(fp);

		return match;

	}

	data = mdata;

	if (!ReadFile(fp, data, size, &read, NULL) || (read != size))

	{

		free(data);

		CloseHandle(fp);

		return match;

	}

	CloseHandle(fp);

	data[size] = '\n';

	data[size + 1] = '\0';

	pline = StrSep(&data, "\r\n");

	while (pline != NULL)

	{

		length = strlen(pline);

		if (length > 0)

		{

			hostname = StrSep(&pline, " \t");

			if (!hostname || !pline)

				WLog_WARN(TAG, "Invalid %s entry %s %s!", certificate_legacy_hosts_file, hostname,

				          pline);

			else if (strcmp(hostname, certificate_data->hostname) == 0)

			{

				const int diff = strcmp(pline, certificate_data->fingerprint);

				match = (diff == 0) ? 0 : -1;

				break;

			}

		}

		pline = StrSep(&data, "\r\n");

	}

	/* Found a valid fingerprint in legacy file,

	 * copy to new file in new format. */

	if (0 == match)

	{

		rdpCertificateData* data = certificate_data_new(hostname, certificate_data->port, NULL,

		                                                NULL, certificate_data->fingerprint);

		if (data)

		{

			free(data->subject);

			free(data->issuer);

			data->subject = NULL;

			data->issuer = NULL;

			if (certificate_data->subject)

			{

				data->subject = _strdup(certificate_data->subject);

				if (!data->subject)

					goto out;

			}

			if (certificate_data->issuer)

			{

				data->issuer = _strdup(certificate_data->issuer);

				if (!data->issuer)

					goto out;

			}

			match = certificate_data_print(certificate_store, data) ? 0 : 1;

		}

	out:

		certificate_data_free(data);

	}

	free(mdata);

	return match;

}

static int certificate_data_match_raw(rdpCertificateStore* certificate_store,

                                      rdpCertificateData* certificate_data, char** psubject,

                                      char** pissuer, char** fprint)

{

	BOOL found = FALSE;

	HANDLE fp;

	size_t length;

	char* data;

	char* mdata;

	char* pline;

	int match = 1;

	DWORD lowSize, highSize;

	UINT64 size;

	char* hostname = NULL;

	char* subject = NULL;

	char* issuer = NULL;

	char* fingerprint = NULL;

	unsigned short port = 0;

	DWORD read;

	/* Assure POSIX style paths, CreateFile expects either '/' or '\\' */

	PathCchConvertStyleA(certificate_store->file, strlen(certificate_store->file), PATH_STYLE_UNIX);

	fp = CreateFileA(certificate_store->file, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_ALWAYS,

	                 FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_NORMAL, NULL);

	if (fp == INVALID_HANDLE_VALUE)

		return match;

	if ((lowSize = GetFileSize(fp, &highSize)) == INVALID_FILE_SIZE)

	{

		WLog_ERR(TAG, "GetFileSize(%s) returned %s [0x%08" PRIX32 "]",

		         certificate_store->legacy_file, strerror(errno), GetLastError());

		CloseHandle(fp);

		return match;

	}

	size = (UINT64)lowSize | ((UINT64)highSize << 32);

	if (size < 1)

	{

		CloseHandle(fp);

		return match;

	}

	mdata = (char*)malloc(size + 2);

	if (!mdata)

	{

		CloseHandle(fp);

		return match;

	}

	data = mdata;

	if (!ReadFile(fp, data, size, &read, NULL) || (read != size))

	{

		free(data);

		CloseHandle(fp);

		return match;

	}

	CloseHandle(fp);

	data[size] = '\n';

	data[size + 1] = '\0';

	pline = StrSep(&data, "\r\n");

	while (pline != NULL)

	{

		length = strlen(pline);

		if (length > 0)

		{

			if (certificate_line_is_comment(pline, length))

			{

			}

			else if (!certificate_split_line(pline, &hostname, &port, &subject, &issuer,

			                                 &fingerprint))

				WLog_WARN(TAG, "Invalid %s entry %s!", certificate_known_hosts_file, pline);

			else if (strcmp(pline, certificate_data->hostname) == 0)

			{

				int outLen;

				if (port == certificate_data->port)

				{

					found = TRUE;

					if (fingerprint)

					{

						match = (strcmp(certificate_data->fingerprint, fingerprint) == 0) ? 0 : -1;

						if (fprint)

							*fprint = _strdup(fingerprint);

					}

					if (subject && psubject)

						crypto_base64_decode(subject, strlen(subject), (BYTE**)psubject, &outLen);

					if (issuer && pissuer)

						crypto_base64_decode(issuer, strlen(issuer), (BYTE**)pissuer, &outLen);

					break;

				}

			}

		}

		pline = StrSep(&data, "\r\n");

	}

	free(mdata);

	if ((match != 0) && !found)

		match = certificate_data_match_legacy(certificate_store, certificate_data);

	return match;

}

BOOL certificate_get_stored_data(rdpCertificateStore* certificate_store,

                                 rdpCertificateData* certificate_data, char** subject,

                                 char** issuer, char** fingerprint)

{

	int rc = certificate_data_match_raw(certificate_store, certificate_data, subject, issuer,

	                                    fingerprint);

	if ((rc == 0) || (rc == -1))

		return TRUE;

	return FALSE;

}

int certificate_data_match(rdpCertificateStore* certificate_store,

                           rdpCertificateData* certificate_data)

{

	return certificate_data_match_raw(certificate_store, certificate_data, NULL, NULL, NULL);

}

BOOL certificate_data_replace(rdpCertificateStore* certificate_store,

                              rdpCertificateData* certificate_data)

{

	HANDLE fp;

	BOOL rc = FALSE;

	size_t length;

	char* data;

	char* sdata;

	char* pline;

	UINT64 size;

	DWORD read, written;

	DWORD lowSize, highSize;

	/* Assure POSIX style paths, CreateFile expects either '/' or '\\' */

	PathCchConvertStyleA(certificate_store->file, strlen(certificate_store->file), PATH_STYLE_UNIX);

	fp = CreateFileA(certificate_store->file, GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING,

	                 FILE_ATTRIBUTE_NORMAL, NULL);

	if (fp == INVALID_HANDLE_VALUE)

		return FALSE;

	if ((lowSize = GetFileSize(fp, &highSize)) == INVALID_FILE_SIZE)

	{

		WLog_ERR(TAG, "GetFileSize(%s) returned %s [0x%08" PRIX32 "]",

		         certificate_store->legacy_file, strerror(errno), GetLastError());

		CloseHandle(fp);

		return FALSE;

	}

	size = (UINT64)lowSize | ((UINT64)highSize << 32);

	if (size < 1)

	{

		CloseHandle(fp);

		return FALSE;

	}

	data = (char*)malloc(size + 2);

	if (!data)

	{

		CloseHandle(fp);

		return FALSE;

	}

	if (!ReadFile(fp, data, size, &read, NULL) || (read != size))

	{

		free(data);

		CloseHandle(fp);

		return FALSE;

	}

	if (SetFilePointer(fp, 0, NULL, FILE_BEGIN) == INVALID_SET_FILE_POINTER)

	{

		WLog_ERR(TAG, "SetFilePointer(%s) returned %s [0x%08" PRIX32 "]", certificate_store->file,

		         strerror(errno), GetLastError());

		free(data);

		CloseHandle(fp);

		return FALSE;

	}

	if (!SetEndOfFile(fp))

	{

		WLog_ERR(TAG, "SetEndOfFile(%s) returned %s [0x%08" PRIX32 "]", certificate_store->file,

		         strerror(errno), GetLastError());

		free(data);

		CloseHandle(fp);

		return FALSE;

	}

	/* Write the file back out, with appropriate fingerprint substitutions */

	data[size] = '\n';

	data[size + 1] = '\0';

	sdata = data;

	pline = StrSep(&sdata, "\r\n");

	while (pline != NULL)

	{

		length = strlen(pline);

		if (length > 0)

		{

			UINT16 port = 0;

			char* hostname = NULL;

			char* fingerprint = NULL;

			char* subject = NULL;

			char* issuer = NULL;

			char* tdata;

			if (certificate_line_is_comment(pline, length))

			{

			}

			else if (!certificate_split_line(pline, &hostname, &port, &subject, &issuer,

			                                 &fingerprint))

				WLog_WARN(TAG, "Skipping invalid %s entry %s!", certificate_known_hosts_file,

				          pline);

			else

			{

				int res;

				/* If this is the replaced hostname, use the updated fingerprint. */

				if ((strcmp(hostname, certificate_data->hostname) == 0) &&

				    (port == certificate_data->port))

				{

					fingerprint = certificate_data->fingerprint;

					rc = TRUE;

				}

				res = _snprintf(NULL, 0, "%s %" PRIu16 " %s %s %s\n", hostname, port, fingerprint,

				                subject, issuer);

				if (res < 0)

				{

					free(data);

					CloseHandle(fp);

					return FALSE;

				}

				size = (size_t)res;

				tdata = malloc(size + 1);

				if (!tdata)

				{

					WLog_ERR(TAG, "malloc(%s) returned %s [0x%08X]", certificate_store->file,

					         strerror(errno), errno);

					free(data);

					CloseHandle(fp);

					return FALSE;

				}

				res = _snprintf(tdata, size + 1, "%s %" PRIu16 " %s %s %s\n", hostname, port,

				                fingerprint, subject, issuer);

				if (res < 0)

				{

					free(tdata);

					free(data);

					CloseHandle(fp);

					return FALSE;

				}

				if ((size_t)res != size)

				{

					WLog_ERR(TAG, "_snprintf(%s) returned %s [0x%08X]", certificate_store->file,

					         strerror(errno), errno);

					free(tdata);

					free(data);

					CloseHandle(fp);

					return FALSE;

				}

				if (!WriteFile(fp, tdata, size, &written, NULL) || (written != size))

				{

					WLog_ERR(TAG, "WriteFile(%s) returned %s [0x%08X]", certificate_store->file,

					         strerror(errno), errno);

					free(tdata);

					free(data);

					CloseHandle(fp);

					return FALSE;

				}

				free(tdata);

			}

		}

		pline = StrSep(&sdata, "\r\n");

	}

	CloseHandle(fp);

	free(data);

	return rc;

}

BOOL certificate_split_line(char* line, char** host, UINT16* port, char** subject, char** issuer,

                            char** fingerprint)

{

	char* cur;

	size_t length = strlen(line);

	if (length <= 0)

		return FALSE;

	cur = StrSep(&line, " \t");

	if (!cur)

		return FALSE;

	*host = cur;

	cur = StrSep(&line, " \t");

	if (!cur)

		return FALSE;

	if (sscanf(cur, "%hu", port) != 1)

		return FALSE;

	cur = StrSep(&line, " \t");

	if (!cur)

		return FALSE;

	*fingerprint = cur;

	cur = StrSep(&line, " \t");

	if (!cur)

		return FALSE;

	*subject = cur;

	cur = StrSep(&line, " \t");

	if (!cur)

		return FALSE;

	*issuer = cur;

	return TRUE;

}

BOOL certificate_data_print(rdpCertificateStore* certificate_store,

                            rdpCertificateData* certificate_data)

{

	int rc;

	HANDLE fp;

	char* tdata;

	size_t size;

	DWORD written;

	/* reopen in append mode */

	/* Assure POSIX style paths, CreateFile expects either '/' or '\\' */

	PathCchConvertStyleA(certificate_store->file, strlen(certificate_store->file), PATH_STYLE_UNIX);

	fp = CreateFileA(certificate_store->file, GENERIC_WRITE, 0, NULL, OPEN_EXISTING,

	                 FILE_ATTRIBUTE_NORMAL, NULL);

	if (fp == INVALID_HANDLE_VALUE)

		return FALSE;

	if (SetFilePointer(fp, 0, NULL, FILE_END) == INVALID_SET_FILE_POINTER)

	{

		WLog_ERR(TAG, "SetFilePointer(%s) returned %s [0x%08" PRIX32 "]", certificate_store->file,

		         strerror(errno), GetLastError());

		CloseHandle(fp);

		return FALSE;

	}

	rc = _snprintf(NULL, 0, "%s %" PRIu16 " %s %s %s\n", certificate_data->hostname,

	               certificate_data->port, certificate_data->fingerprint, certificate_data->subject,

	               certificate_data->issuer);

	if (rc < 0)

		return FALSE;

	size = (size_t)rc;

	tdata = malloc(size + 1);

	if (!tdata)

	{

		WLog_ERR(TAG, "malloc(%s) returned %s [0x%08X]", certificate_store->file, strerror(errno),

		         errno);

		CloseHandle(fp);

		return FALSE;

	}

	rc = _snprintf(tdata, size + 1, "%s %" PRIu16 " %s %s %s\n", certificate_data->hostname,

	               certificate_data->port, certificate_data->fingerprint, certificate_data->subject,

	               certificate_data->issuer);

	if ((rc < 0) || ((size_t)rc != size))

	{

		WLog_ERR(TAG, "_snprintf(%s) returned %s [0x%08X]", certificate_store->file,

		         strerror(errno), errno);

		free(tdata);

		CloseHandle(fp);

		return FALSE;

	}

	if (!WriteFile(fp, tdata, size, &written, NULL) || (written != size))

	{

		WLog_ERR(TAG, "WriteFile(%s) returned %s [0x%08X]", certificate_store->file,

		         strerror(errno), errno);

		free(tdata);

		CloseHandle(fp);

		return FALSE;

	}

	free(tdata);

	CloseHandle(fp);

	return TRUE;

}

rdpCertificateData* certificate_data_new(const char* hostname, UINT16 port, const char* subject,

                                         const char* issuer, const char* fingerprint)

{

	size_t i;

	rdpCertificateData* certdata;

	if (!hostname)

		return NULL;

	if (!fingerprint)

		return NULL;

	certdata = (rdpCertificateData*)calloc(1, sizeof(rdpCertificateData));

	if (!certdata)

		return NULL;

	certdata->port = port;

	certdata->hostname = _strdup(hostname);

	if (subject)

		certdata->subject = crypto_base64_encode((const BYTE*)subject, strlen(subject));

	else

		certdata->subject = crypto_base64_encode((const BYTE*)"", 0);

	if (issuer)

		certdata->issuer = crypto_base64_encode((const BYTE*)issuer, strlen(issuer));

	else

		certdata->issuer = crypto_base64_encode((const BYTE*)"", 0);

	certdata->fingerprint = _strdup(fingerprint);

	if (!certdata->hostname || !certdata->subject || !certdata->issuer || !certdata->fingerprint)

		goto fail;

	for (i = 0; i < strlen(hostname); i++)

		certdata->hostname[i] = tolower(certdata->hostname[i]);

	return certdata;

fail:

	free(certdata->hostname);

	free(certdata->subject);

	free(certdata->issuer);

	free(certdata->fingerprint);

	free(certdata);

	return NULL;

}

void certificate_data_free(rdpCertificateData* certificate_data)

{

	if (certificate_data != NULL)

	{

		free(certificate_data->hostname);

		free(certificate_data->subject);

		free(certificate_data->issuer);

		free(certificate_data->fingerprint);

		free(certificate_data);

	}

}

rdpCertificateStore* certificate_store_new(rdpSettings* settings)

{

	rdpCertificateStore* certificate_store;

	certificate_store = (rdpCertificateStore*)calloc(1, sizeof(rdpCertificateStore));

	if (!certificate_store)

		return NULL;

	certificate_store->settings = settings;

	if (!certificate_store_init(certificate_store))

	{

		free(certificate_store);

		return NULL;

	}

	return certificate_store;

}

void certificate_store_free(rdpCertificateStore* certstore)

{

	if (certstore != NULL)

	{

		free(certstore->path);

		free(certstore->file);

		free(certstore->legacy_file);

		free(certstore);

	}

}