]> git.ipfire.org Git - thirdparty/cups.git/blob - cups/tls-sspi.c
projects / thirdparty / cups.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Fix builds with VC++ 2008
[thirdparty/cups.git] / cups / tls-sspi.c
1 /*
2 * "$Id$"
3 *
4 * TLS support for CUPS on Windows using the Security Support Provider
5 * Interface (SSPI).
6 *
7 * Copyright 2010-2014 by Apple Inc.
8 *
9 * These coded instructions, statements, and computer programs are the
10 * property of Apple Inc. and are protected by Federal copyright
11 * law. Distribution and use rights are outlined in the file "LICENSE.txt"
12 * which should have been included with this file. If this file is
13 * file is missing or damaged, see the license at "http://www.cups.org/".
14 *
15 * This file is subject to the Apple OS-Developed Software exception.
16 */
17
18 /**** This file is included from tls.c ****/
19
20 /*
21 * Include necessary headers...
22 */
23
24 #include "debug-private.h"
25
26
27 /*
28 * Include necessary libraries...
29 */
30
31 #pragma comment(lib, "Crypt32.lib")
32 #pragma comment(lib, "Secur32.lib")
33 #pragma comment(lib, "Ws2_32.lib")
34
35
36 /*
37 * Constants...
38 */
39
40 #ifndef SECURITY_FLAG_IGNORE_UNKNOWN_CA
41 # define SECURITY_FLAG_IGNORE_UNKNOWN_CA 0x00000100 /* Untrusted root */
42 #endif /* SECURITY_FLAG_IGNORE_UNKNOWN_CA */
43
44 #ifndef SECURITY_FLAG_IGNORE_CERT_CN_INVALID
45 # define SECURITY_FLAG_IGNORE_CERT_CN_INVALID 0x00001000 /* Common name does not match */
46 #endif /* !SECURITY_FLAG_IGNORE_CERT_CN_INVALID */
47
48 #ifndef SECURITY_FLAG_IGNORE_CERT_DATE_INVALID
49 # define SECURITY_FLAG_IGNORE_CERT_DATE_INVALID 0x00002000 /* Expired X509 Cert. */
50 #endif /* !SECURITY_FLAG_IGNORE_CERT_DATE_INVALID */
51
52
53 /*
54 * Local globals...
55 */
56
57 static int tls_options = 0;/* Options for TLS connections */
58
59
60 /*
61 * Local functions...
62 */
63
64 static _http_sspi_t *http_sspi_alloc(void);
65 static int http_sspi_client(http_t *http, const char *hostname);
66 static PCCERT_CONTEXT http_sspi_create_credential(http_credential_t *cred);
67 static BOOL http_sspi_find_credentials(http_t *http, const LPWSTR containerName, const char *common_name);
68 static void http_sspi_free(_http_sspi_t *sspi);
69 static BOOL http_sspi_make_credentials(_http_sspi_t *sspi, const LPWSTR containerName, const char *common_name, _http_mode_t mode, int years);
70 static int http_sspi_server(http_t *http, const char *hostname);
71 static void http_sspi_set_allows_any_root(_http_sspi_t *sspi, BOOL allow);
72 static void http_sspi_set_allows_expired_certs(_http_sspi_t *sspi, BOOL allow);
73 static const char *http_sspi_strerror(char *buffer, size_t bufsize, DWORD code);
74 static DWORD http_sspi_verify(PCCERT_CONTEXT cert, const char *common_name, DWORD dwCertFlags);
75
76
77 /*
78 * 'cupsMakeServerCredentials()' - Make a self-signed certificate and private key pair.
79 *
80 * @since CUPS 2.0/OS 10.10@
81 */
82
83 int /* O - 1 on success, 0 on failure */
84 cupsMakeServerCredentials(
85 const char *path, /* I - Keychain path or @code NULL@ for default */
86 const char *common_name, /* I - Common name */
87 int num_alt_names, /* I - Number of subject alternate names */
88 const char **alt_names, /* I - Subject Alternate Names */
89 time_t expiration_date) /* I - Expiration date */
90 {
91 _http_sspi_t *sspi; /* SSPI data */
92 int ret; /* Return value */
93
94
95 DEBUG_printf(("cupsMakeServerCredentials(path=\"%s\", common_name=\"%s\", num_alt_names=%d, alt_names=%p, expiration_date=%d)", path, common_name, num_alt_names, alt_names, (int)expiration_date));
96
97 (void)path;
98 (void)num_alt_names;
99 (void)alt_names;
100
101 sspi = http_sspi_alloc();
102 ret = http_sspi_make_credentials(sspi, L"ServerContainer", common_name, _HTTP_MODE_SERVER, (int)((expiration_date - time(NULL) + 86399) / 86400 / 365));
103
104 http_sspi_free(sspi);
105
106 return (ret);
107 }
108
109
110 /*
111 * 'cupsSetServerCredentials()' - Set the default server credentials.
112 *
113 * Note: The server credentials are used by all threads in the running process.
114 * This function is threadsafe.
115 *
116 * @since CUPS 2.0/OS 10.10@
117 */
118
119 int /* O - 1 on success, 0 on failure */
120 cupsSetServerCredentials(
121 const char *path, /* I - Keychain path or @code NULL@ for default */
122 const char *common_name, /* I - Default common name for server */
123 int auto_create) /* I - 1 = automatically create self-signed certificates */
124 {
125 DEBUG_printf(("cupsSetServerCredentials(path=\"%s\", common_name=\"%s\", auto_create=%d)", path, common_name, auto_create));
126
127 (void)path;
128 (void)common_name;
129 (void)auto_create;
130
131 return (0);
132 }
133
134
135 /*
136 * 'httpCopyCredentials()' - Copy the credentials associated with the peer in
137 * an encrypted connection.
138 *
139 * @since CUPS 1.5/OS X 10.7@
140 */
141
142 int /* O - Status of call (0 = success) */
143 httpCopyCredentials(
144 http_t *http, /* I - Connection to server */
145 cups_array_t **credentials) /* O - Array of credentials */
146 {
147 DEBUG_printf(("httpCopyCredentials(http=%p, credentials=%p)", http, credentials));
148
149 if (!http || !http->tls || !http->tls->remoteCert || !credentials)
150 {
151 if (credentials)
152 *credentials = NULL;
153
154 return (-1);
155 }
156
157 *credentials = cupsArrayNew(NULL, NULL);
158 httpAddCredential(*credentials, http->tls->remoteCert->pbCertEncoded, http->tls->remoteCert->cbCertEncoded);
159
160 return (0);
161 }
162
163
164 /*
165 * '_httpCreateCredentials()' - Create credentials in the internal format.
166 */
167
168 http_tls_credentials_t /* O - Internal credentials */
169 _httpCreateCredentials(
170 cups_array_t *credentials) /* I - Array of credentials */
171 {
172 return (http_sspi_create_credential((http_credential_t *)cupsArrayFirst(credentials)));
173 }
174
175
176 /*
177 * 'httpCredentialsAreValidForName()' - Return whether the credentials are valid for the given name.
178 *
179 * @since CUPS 2.0/OS 10.10@
180 */
181
182 int /* O - 1 if valid, 0 otherwise */
183 httpCredentialsAreValidForName(
184 cups_array_t *credentials, /* I - Credentials */
185 const char *common_name) /* I - Name to check */
186 {
187 int valid = 1; /* Valid name? */
188 PCCERT_CONTEXT cert = http_sspi_create_credential((http_credential_t *)cupsArrayFirst(credentials));
189 /* Certificate */
190 char cert_name[1024]; /* Name from certificate */
191
192
193 if (cert)
194 {
195 if (CertNameToStr(X509_ASN_ENCODING, &(cert->pCertInfo->Subject), CERT_SIMPLE_NAME_STR, cert_name, sizeof(cert_name)))
196 {
197 /*
198 * Extract common name at end...
199 */
200
201 char *ptr = strrchr(cert_name, ',');
202 if (ptr && ptr[1])
203 _cups_strcpy(cert_name, ptr + 2);
204 }
205 else
206 strlcpy(cert_name, "unknown", sizeof(cert_name));
207
208 CertFreeCertificateContext(cert);
209 }
210 else
211 strlcpy(cert_name, "unknown", sizeof(cert_name));
212
213 /*
214 * Compare the common names...
215 */
216
217 if (_cups_strcasecmp(common_name, cert_name))
218 {
219 /*
220 * Not an exact match for the common name, check for wildcard certs...
221 */
222
223 const char *domain = strchr(common_name, '.');
224 /* Domain in common name */
225
226 if (strncmp(cert_name, "*.", 2) || !domain || _cups_strcasecmp(domain, cert_name + 1))
227 {
228 /*
229 * Not a wildcard match.
230 */
231
232 /* TODO: Check subject alternate names */
233 valid = 0;
234 }
235 }
236
237 return (valid);
238 }
239
240
241 /*
242 * 'httpCredentialsGetTrust()' - Return the trust of credentials.
243 *
244 * @since CUPS 2.0/OS 10.10@
245 */
246
247 http_trust_t /* O - Level of trust */
248 httpCredentialsGetTrust(
249 cups_array_t *credentials, /* I - Credentials */
250 const char *common_name) /* I - Common name for trust lookup */
251 {
252 http_trust_t trust = HTTP_TRUST_OK; /* Level of trust */
253 PCCERT_CONTEXT cert = NULL; /* Certificate to validate */
254 DWORD certFlags = 0; /* Cert verification flags */
255 _cups_globals_t *cg = _cupsGlobals(); /* Per-thread global data */
256
257
258 if (!common_name)
259 return (HTTP_TRUST_UNKNOWN);
260
261 cert = http_sspi_create_credential((http_credential_t *)cupsArrayFirst(credentials));
262 if (!cert)
263 return (HTTP_TRUST_UNKNOWN);
264
265 if (cg->any_root)
266 certFlags |= SECURITY_FLAG_IGNORE_UNKNOWN_CA;
267
268 if (cg->expired_certs)
269 certFlags |= SECURITY_FLAG_IGNORE_CERT_DATE_INVALID;
270
271 if (!cg->validate_certs)
272 certFlags |= SECURITY_FLAG_IGNORE_CERT_CN_INVALID;
273
274 if (http_sspi_verify(cert, common_name, certFlags) != SEC_E_OK)
275 trust = HTTP_TRUST_INVALID;
276
277 CertFreeCertificateContext(cert);
278
279 return (trust);
280 }
281
282
283 /*
284 * 'httpCredentialsGetExpiration()' - Return the expiration date of the credentials.
285 *
286 * @since CUPS 2.0/OS 10.10@
287 */
288
289 time_t /* O - Expiration date of credentials */
290 httpCredentialsGetExpiration(
291 cups_array_t *credentials) /* I - Credentials */
292 {
293 time_t expiration_date = 0; /* Expiration data of credentials */
294 PCCERT_CONTEXT cert = http_sspi_create_credential((http_credential_t *)cupsArrayFirst(credentials));
295 /* Certificate */
296
297 if (cert)
298 {
299 SYSTEMTIME systime; /* System time */
300 struct tm tm; /* UNIX date/time */
301
302 FileTimeToSystemTime(&(cert->pCertInfo->NotAfter), &systime);
303
304 tm.tm_year = systime.wYear - 1900;
305 tm.tm_mon = systime.wMonth - 1;
306 tm.tm_mday = systime.wDay;
307 tm.tm_hour = systime.wHour;
308 tm.tm_min = systime.wMinute;
309 tm.tm_sec = systime.wSecond;
310
311 expiration_date = mktime(&tm);
312
313 CertFreeCertificateContext(cert);
314 }
315
316 return (expiration_date);
317 }
318
319
320 /*
321 * 'httpCredentialsString()' - Return a string representing the credentials.
322 *
323 * @since CUPS 2.0/OS 10.10@
324 */
325
326 size_t /* O - Total size of credentials string */
327 httpCredentialsString(
328 cups_array_t *credentials, /* I - Credentials */
329 char *buffer, /* I - Buffer or @code NULL@ */
330 size_t bufsize) /* I - Size of buffer */
331 {
332 http_credential_t *first = (http_credential_t *)cupsArrayFirst(credentials);
333 /* First certificate */
334 PCCERT_CONTEXT cert; /* Certificate */
335
336
337 DEBUG_printf(("httpCredentialsString(credentials=%p, buffer=%p, bufsize=" CUPS_LLFMT ")", credentials, buffer, CUPS_LLCAST bufsize));
338
339 if (!buffer)
340 return (0);
341
342 if (buffer && bufsize > 0)
343 *buffer = '\0';
344
345 cert = http_sspi_create_credential(first);
346
347 if (cert)
348 {
349 char cert_name[256]; /* Common name */
350 SYSTEMTIME systime; /* System time */
351 struct tm tm; /* UNIX date/time */
352 time_t expiration; /* Expiration date of cert */
353 _cups_md5_state_t md5_state; /* MD5 state */
354 unsigned char md5_digest[16]; /* MD5 result */
355
356 FileTimeToSystemTime(&(cert->pCertInfo->NotAfter), &systime);
357
358 tm.tm_year = systime.wYear - 1900;
359 tm.tm_mon = systime.wMonth - 1;
360 tm.tm_mday = systime.wDay;
361 tm.tm_hour = systime.wHour;
362 tm.tm_min = systime.wMinute;
363 tm.tm_sec = systime.wSecond;
364
365 expiration = mktime(&tm);
366
367 if (CertNameToStr(X509_ASN_ENCODING, &(cert->pCertInfo->Subject), CERT_SIMPLE_NAME_STR, cert_name, sizeof(cert_name)))
368 {
369 /*
370 * Extract common name at end...
371 */
372
373 char *ptr = strrchr(cert_name, ',');
374 if (ptr && ptr[1])
375 _cups_strcpy(cert_name, ptr + 2);
376 }
377 else
378 strlcpy(cert_name, "unknown", sizeof(cert_name));
379
380 _cupsMD5Init(&md5_state);
381 _cupsMD5Append(&md5_state, first->data, (int)first->datalen);
382 _cupsMD5Finish(&md5_state, md5_digest);
383
384 snprintf(buffer, bufsize, "%s / %s / %02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X", cert_name, httpGetDateString(expiration), md5_digest[0], md5_digest[1], md5_digest[2], md5_digest[3], md5_digest[4], md5_digest[5], md5_digest[6], md5_digest[7], md5_digest[8], md5_digest[9], md5_digest[10], md5_digest[11], md5_digest[12], md5_digest[13], md5_digest[14], md5_digest[15]);
385
386 CertFreeCertificateContext(cert);
387 }
388
389 DEBUG_printf(("1httpCredentialsString: Returning \"%s\".", buffer));
390
391 return (strlen(buffer));
392 }
393
394
395 /*
396 * '_httpFreeCredentials()' - Free internal credentials.
397 */
398
399 void
400 _httpFreeCredentials(
401 http_tls_credentials_t credentials) /* I - Internal credentials */
402 {
403 if (!credentials)
404 return;
405
406 CertFreeCertificateContext(credentials);
407 }
408
409
410 /*
411 * 'httpLoadCredentials()' - Load X.509 credentials from a keychain file.
412 *
413 * @since CUPS 2.0/OS 10.10@
414 */
415
416 int /* O - 0 on success, -1 on error */
417 httpLoadCredentials(
418 const char *path, /* I - Keychain path or @code NULL@ for default */
419 cups_array_t **credentials, /* IO - Credentials */
420 const char *common_name) /* I - Common name for credentials */
421 {
422 HCERTSTORE store = NULL; /* Certificate store */
423 PCCERT_CONTEXT storedContext = NULL; /* Context created from the store */
424 DWORD dwSize = 0; /* 32 bit size */
425 PBYTE p = NULL; /* Temporary storage */
426 HCRYPTPROV hProv = (HCRYPTPROV)NULL;
427 /* Handle to a CSP */
428 CERT_NAME_BLOB sib; /* Arbitrary array of bytes */
429 #ifdef DEBUG
430 char error[1024]; /* Error message buffer */
431 #endif /* DEBUG */
432
433
434 DEBUG_printf(("httpLoadCredentials(path=\"%s\", credentials=%p, common_name=\"%s\")", path, credentials, common_name));
435
436 (void)path;
437
438 if (credentials)
439 {
440 *credentials = NULL;
441 }
442 else
443 {
444 DEBUG_puts("1httpLoadCredentials: NULL credentials pointer, returning -1.");
445 return (-1);
446 }
447
448 if (!common_name)
449 {
450 DEBUG_puts("1httpLoadCredentials: Bad common name, returning -1.");
451 return (-1);
452 }
453
454 if (!CryptAcquireContextW(&hProv, L"RememberedContainer", MS_DEF_PROV_W, PROV_RSA_FULL, CRYPT_NEWKEYSET | CRYPT_MACHINE_KEYSET))
455 {
456 if (GetLastError() == NTE_EXISTS)
457 {
458 if (!CryptAcquireContextW(&hProv, L"RememberedContainer", MS_DEF_PROV_W, PROV_RSA_FULL, CRYPT_MACHINE_KEYSET))
459 {
460 DEBUG_printf(("1httpLoadCredentials: CryptAcquireContext failed: %s", http_sspi_strerror(error, sizeof(error), GetLastError())));
461 goto cleanup;
462 }
463 }
464 }
465
466 store = CertOpenStore(CERT_STORE_PROV_SYSTEM, X509_ASN_ENCODING|PKCS_7_ASN_ENCODING, hProv, CERT_SYSTEM_STORE_LOCAL_MACHINE | CERT_STORE_NO_CRYPT_RELEASE_FLAG | CERT_STORE_OPEN_EXISTING_FLAG, L"MY");
467
468 if (!store)
469 {
470 DEBUG_printf(("1httpLoadCredentials: CertOpenSystemStore failed: %s", http_sspi_strerror(error, sizeof(error), GetLastError())));
471 goto cleanup;
472 }
473
474 dwSize = 0;
475
476 if (!CertStrToName(X509_ASN_ENCODING, common_name, CERT_OID_NAME_STR, NULL, NULL, &dwSize, NULL))
477 {
478 DEBUG_printf(("1httpLoadCredentials: CertStrToName failed: %s", http_sspi_strerror(error, sizeof(error), GetLastError())));
479 goto cleanup;
480 }
481
482 p = (PBYTE)malloc(dwSize);
483
484 if (!p)
485 {
486 DEBUG_printf(("1httpLoadCredentials: malloc failed for %d bytes.", dwSize));
487 goto cleanup;
488 }
489
490 if (!CertStrToName(X509_ASN_ENCODING, common_name, CERT_OID_NAME_STR, NULL, p, &dwSize, NULL))
491 {
492 DEBUG_printf(("1httpLoadCredentials: CertStrToName failed: %s", http_sspi_strerror(error, sizeof(error), GetLastError())));
493 goto cleanup;
494 }
495
496 sib.cbData = dwSize;
497 sib.pbData = p;
498
499 storedContext = CertFindCertificateInStore(store, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 0, CERT_FIND_SUBJECT_NAME, &sib, NULL);
500
501 if (!storedContext)
502 {
503 DEBUG_printf(("1httpLoadCredentials: Unable to find credentials for \"%s\".", common_name));
504 goto cleanup;
505 }
506
507 *credentials = cupsArrayNew(NULL, NULL);
508 httpAddCredential(*credentials, storedContext->pbCertEncoded, storedContext->cbCertEncoded);
509
510 cleanup:
511
512 /*
513 * Cleanup
514 */
515
516 if (storedContext)
517 CertFreeCertificateContext(storedContext);
518
519 if (p)
520 free(p);
521
522 if (store)
523 CertCloseStore(store, 0);
524
525 if (hProv)
526 CryptReleaseContext(hProv, 0);
527
528 DEBUG_printf(("1httpLoadCredentials: Returning %d.", *credentials ? 0 : -1));
529
530 return (*credentials ? 0 : -1);
531 }
532
533
534 /*
535 * 'httpSaveCredentials()' - Save X.509 credentials to a keychain file.
536 *
537 * @since CUPS 2.0/OS 10.10@
538 */
539
540 int /* O - -1 on error, 0 on success */
541 httpSaveCredentials(
542 const char *path, /* I - Keychain path or @code NULL@ for default */
543 cups_array_t *credentials, /* I - Credentials */
544 const char *common_name) /* I - Common name for credentials */
545 {
546 HCERTSTORE store = NULL; /* Certificate store */
547 PCCERT_CONTEXT storedContext = NULL; /* Context created from the store */
548 PCCERT_CONTEXT createdContext = NULL; /* Context created by us */
549 DWORD dwSize = 0; /* 32 bit size */
550 PBYTE p = NULL; /* Temporary storage */
551 HCRYPTPROV hProv = (HCRYPTPROV)NULL;
552 /* Handle to a CSP */
553 CRYPT_KEY_PROV_INFO ckp; /* Handle to crypto key */
554 int ret = -1; /* Return value */
555 #ifdef DEBUG
556 char error[1024]; /* Error message buffer */
557 #endif /* DEBUG */
558
559
560 DEBUG_printf(("httpSaveCredentials(path=\"%s\", credentials=%p, common_name=\"%s\")", path, credentials, common_name));
561
562 (void)path;
563
564 if (!common_name)
565 {
566 DEBUG_puts("1httpSaveCredentials: Bad common name, returning -1.");
567 return (-1);
568 }
569
570 createdContext = http_sspi_create_credential((http_credential_t *)cupsArrayFirst(credentials));
571 if (!createdContext)
572 {
573 DEBUG_puts("1httpSaveCredentials: Bad credentials, returning -1.");
574 return (-1);
575 }
576
577 if (!CryptAcquireContextW(&hProv, L"RememberedContainer", MS_DEF_PROV_W, PROV_RSA_FULL, CRYPT_NEWKEYSET | CRYPT_MACHINE_KEYSET))
578 {
579 if (GetLastError() == NTE_EXISTS)
580 {
581 if (!CryptAcquireContextW(&hProv, L"RememberedContainer", MS_DEF_PROV_W, PROV_RSA_FULL, CRYPT_MACHINE_KEYSET))
582 {
583 DEBUG_printf(("1httpSaveCredentials: CryptAcquireContext failed: %s", http_sspi_strerror(error, sizeof(error), GetLastError())));
584 goto cleanup;
585 }
586 }
587 }
588
589 store = CertOpenStore(CERT_STORE_PROV_SYSTEM, X509_ASN_ENCODING|PKCS_7_ASN_ENCODING, hProv, CERT_SYSTEM_STORE_LOCAL_MACHINE | CERT_STORE_NO_CRYPT_RELEASE_FLAG | CERT_STORE_OPEN_EXISTING_FLAG, L"MY");
590
591 if (!store)
592 {
593 DEBUG_printf(("1httpSaveCredentials: CertOpenSystemStore failed: %s", http_sspi_strerror(error, sizeof(error), GetLastError())));
594 goto cleanup;
595 }
596
597 dwSize = 0;
598
599 if (!CertStrToName(X509_ASN_ENCODING, common_name, CERT_OID_NAME_STR, NULL, NULL, &dwSize, NULL))
600 {
601 DEBUG_printf(("1httpSaveCredentials: CertStrToName failed: %s", http_sspi_strerror(error, sizeof(error), GetLastError())));
602 goto cleanup;
603 }
604
605 p = (PBYTE)malloc(dwSize);
606
607 if (!p)
608 {
609 DEBUG_printf(("1httpSaveCredentials: malloc failed for %d bytes.", dwSize));
610 goto cleanup;
611 }
612
613 if (!CertStrToName(X509_ASN_ENCODING, common_name, CERT_OID_NAME_STR, NULL, p, &dwSize, NULL))
614 {
615 DEBUG_printf(("1httpSaveCredentials: CertStrToName failed: %s", http_sspi_strerror(error, sizeof(error), GetLastError())));
616 goto cleanup;
617 }
618
619 /*
620 * Add the created context to the named store, and associate it with the named
621 * container...
622 */
623
624 if (!CertAddCertificateContextToStore(store, createdContext, CERT_STORE_ADD_REPLACE_EXISTING, &storedContext))
625 {
626 DEBUG_printf(("1httpSaveCredentials: CertAddCertificateContextToStore failed: %s", http_sspi_strerror(error, sizeof(error), GetLastError())));
627 goto cleanup;
628 }
629
630 ZeroMemory(&ckp, sizeof(ckp));
631 ckp.pwszContainerName = L"RememberedContainer";
632 ckp.pwszProvName = MS_DEF_PROV_W;
633 ckp.dwProvType = PROV_RSA_FULL;
634 ckp.dwFlags = CRYPT_MACHINE_KEYSET;
635 ckp.dwKeySpec = AT_KEYEXCHANGE;
636
637 if (!CertSetCertificateContextProperty(storedContext, CERT_KEY_PROV_INFO_PROP_ID, 0, &ckp))
638 {
639 DEBUG_printf(("1httpSaveCredentials: CertSetCertificateContextProperty failed: %s", http_sspi_strerror(error, sizeof(error), GetLastError())));
640 goto cleanup;
641 }
642
643 ret = 0;
644
645 cleanup:
646
647 /*
648 * Cleanup
649 */
650
651 if (createdContext)
652 CertFreeCertificateContext(createdContext);
653
654 if (storedContext)
655 CertFreeCertificateContext(storedContext);
656
657 if (p)
658 free(p);
659
660 if (store)
661 CertCloseStore(store, 0);
662
663 if (hProv)
664 CryptReleaseContext(hProv, 0);
665
666 DEBUG_printf(("1httpSaveCredentials: Returning %d.", ret));
667 return (ret);
668 }
669
670
671 /*
672 * '_httpTLSInitialize()' - Initialize the TLS stack.
673 */
674
675 void
676 _httpTLSInitialize(void)
677 {
678 /*
679 * Nothing to do...
680 */
681 }
682
683
684 /*
685 * '_httpTLSPending()' - Return the number of pending TLS-encrypted bytes.
686 */
687
688 size_t /* O - Bytes available */
689 _httpTLSPending(http_t *http) /* I - HTTP connection */
690 {
691 if (http->tls)
692 return (http->tls->readBufferUsed);
693 else
694 return (0);
695 }
696
697
698 /*
699 * '_httpTLSRead()' - Read from a SSL/TLS connection.
700 */
701
702 int /* O - Bytes read */
703 _httpTLSRead(http_t *http, /* I - HTTP connection */
704 char *buf, /* I - Buffer to store data */
705 int len) /* I - Length of buffer */
706 {
707 int i; /* Looping var */
708 _http_sspi_t *sspi = http->tls; /* SSPI data */
709 SecBufferDesc message; /* Array of SecBuffer struct */
710 SecBuffer buffers[4] = { 0 }; /* Security package buffer */
711 int num = 0; /* Return value */
712 PSecBuffer pDataBuffer; /* Data buffer */
713 PSecBuffer pExtraBuffer; /* Excess data buffer */
714 SECURITY_STATUS scRet; /* SSPI status */
715
716
717 DEBUG_printf(("4_httpTLSRead(http=%p, buf=%p, len=%d)", http, buf, len));
718
719 /*
720 * If there are bytes that have already been decrypted and have not yet been
721 * read, return those...
722 */
723
724 if (sspi->readBufferUsed > 0)
725 {
726 int bytesToCopy = min(sspi->readBufferUsed, len);
727 /* Number of bytes to copy */
728
729 memcpy(buf, sspi->readBuffer, bytesToCopy);
730 sspi->readBufferUsed -= bytesToCopy;
731
732 if (sspi->readBufferUsed > 0)
733 memmove(sspi->readBuffer, sspi->readBuffer + bytesToCopy, sspi->readBufferUsed);
734
735 DEBUG_printf(("5_httpTLSRead: Returning %d bytes previously decrypted.", bytesToCopy));
736
737 return (bytesToCopy);
738 }
739
740 /*
741 * Initialize security buffer structs
742 */
743
744 message.ulVersion = SECBUFFER_VERSION;
745 message.cBuffers = 4;
746 message.pBuffers = buffers;
747
748 do
749 {
750 /*
751 * If there is not enough space in the buffer, then increase its size...
752 */
753
754 if (sspi->decryptBufferLength <= sspi->decryptBufferUsed)
755 {
756 BYTE *temp; /* New buffer */
757
758 if (sspi->decryptBufferLength >= 262144)
759 {
760 WSASetLastError(E_OUTOFMEMORY);
761 DEBUG_puts("_httpTLSRead: Decryption buffer too large (>256k)");
762 return (-1);
763 }
764
765 if ((temp = realloc(sspi->decryptBuffer, sspi->decryptBufferLength + 4096)) == NULL)
766 {
767 DEBUG_printf(("_httpTLSRead: Unable to allocate %d byte decryption buffer.", sspi->decryptBufferLength + 4096));
768 WSASetLastError(E_OUTOFMEMORY);
769 return (-1);
770 }
771
772 sspi->decryptBufferLength += 4096;
773 sspi->decryptBuffer = temp;
774
775 DEBUG_printf(("_httpTLSRead: Resized decryption buffer to %d bytes.", sspi->decryptBufferLength));
776 }
777
778 buffers[0].pvBuffer = sspi->decryptBuffer;
779 buffers[0].cbBuffer = (unsigned long)sspi->decryptBufferUsed;
780 buffers[0].BufferType = SECBUFFER_DATA;
781 buffers[1].BufferType = SECBUFFER_EMPTY;
782 buffers[2].BufferType = SECBUFFER_EMPTY;
783 buffers[3].BufferType = SECBUFFER_EMPTY;
784
785 DEBUG_printf(("5_httpTLSRead: decryptBufferUsed=%d", sspi->decryptBufferUsed));
786
787 scRet = DecryptMessage(&sspi->context, &message, 0, NULL);
788
789 if (scRet == SEC_E_INCOMPLETE_MESSAGE)
790 {
791 num = recv(http->fd, sspi->decryptBuffer + sspi->decryptBufferUsed, (int)(sspi->decryptBufferLength - sspi->decryptBufferUsed), 0);
792 if (num < 0)
793 {
794 DEBUG_printf(("5_httpTLSRead: recv failed: %d", WSAGetLastError()));
795 return (-1);
796 }
797 else if (num == 0)
798 {
799 DEBUG_puts("5_httpTLSRead: Server disconnected.");
800 return (0);
801 }
802
803 DEBUG_printf(("5_httpTLSRead: Read %d bytes into decryption buffer.", num));
804
805 sspi->decryptBufferUsed += num;
806 }
807 }
808 while (scRet == SEC_E_INCOMPLETE_MESSAGE);
809
810 if (scRet == SEC_I_CONTEXT_EXPIRED)
811 {
812 DEBUG_puts("5_httpTLSRead: Context expired.");
813 WSASetLastError(WSAECONNRESET);
814 return (-1);
815 }
816 else if (scRet != SEC_E_OK)
817 {
818 DEBUG_printf(("5_httpTLSRead: DecryptMessage failed: %s", http_sspi_strerror(sspi->error, sizeof(sspi->error), scRet)));
819 WSASetLastError(WSASYSCALLFAILURE);
820 return (-1);
821 }
822
823 /*
824 * The decryption worked. Now, locate data buffer.
825 */
826
827 pDataBuffer = NULL;
828 pExtraBuffer = NULL;
829
830 for (i = 1; i < 4; i++)
831 {
832 if (buffers[i].BufferType == SECBUFFER_DATA)
833 pDataBuffer = &buffers[i];
834 else if (!pExtraBuffer && (buffers[i].BufferType == SECBUFFER_EXTRA))
835 pExtraBuffer = &buffers[i];
836 }
837
838 /*
839 * If a data buffer is found, then copy the decrypted bytes to the passed-in
840 * buffer...
841 */
842
843 if (pDataBuffer)
844 {
845 int bytesToCopy = min((int)pDataBuffer->cbBuffer, len);
846 /* Number of bytes to copy into buf */
847 int bytesToSave = pDataBuffer->cbBuffer - bytesToCopy;
848 /* Number of bytes to save in our read buffer */
849
850 if (bytesToCopy)
851 memcpy(buf, pDataBuffer->pvBuffer, bytesToCopy);
852
853 /*
854 * If there are more decrypted bytes than can be copied to the passed in
855 * buffer, then save them...
856 */
857
858 if (bytesToSave)
859 {
860 if ((sspi->readBufferLength - sspi->readBufferUsed) < bytesToSave)
861 {
862 BYTE *temp; /* New buffer pointer */
863
864 if ((temp = realloc(sspi->readBuffer, sspi->readBufferUsed + bytesToSave)) == NULL)
865 {
866 DEBUG_printf(("_httpTLSRead: Unable to allocate %d bytes.", sspi->readBufferUsed + bytesToSave));
867 WSASetLastError(E_OUTOFMEMORY);
868 return (-1);
869 }
870
871 sspi->readBufferLength = sspi->readBufferUsed + bytesToSave;
872 sspi->readBuffer = temp;
873 }
874
875 memcpy(((BYTE *)sspi->readBuffer) + sspi->readBufferUsed, ((BYTE *)pDataBuffer->pvBuffer) + bytesToCopy, bytesToSave);
876
877 sspi->readBufferUsed += bytesToSave;
878 }
879
880 num = bytesToCopy;
881 }
882 else
883 {
884 DEBUG_puts("_httpTLSRead: Unable to find data buffer.");
885 WSASetLastError(WSASYSCALLFAILURE);
886 return (-1);
887 }
888
889 /*
890 * If the decryption process left extra bytes, then save those back in
891 * decryptBuffer. They will be processed the next time through the loop.
892 */
893
894 if (pExtraBuffer)
895 {
896 memmove(sspi->decryptBuffer, pExtraBuffer->pvBuffer, pExtraBuffer->cbBuffer);
897 sspi->decryptBufferUsed = pExtraBuffer->cbBuffer;
898 }
899 else
900 {
901 sspi->decryptBufferUsed = 0;
902 }
903
904 return (num);
905 }
906
907
908 /*
909 * '_httpTLSSetOptions()' - Set TLS protocol and cipher suite options.
910 */
911
912 void
913 _httpTLSSetOptions(int options) /* I - Options */
914 {
915 tls_options = options;
916 }
917
918
919 /*
920 * '_httpTLSStart()' - Set up SSL/TLS support on a connection.
921 */
922
923 int /* O - 0 on success, -1 on failure */
924 _httpTLSStart(http_t *http) /* I - HTTP connection */
925 {
926 char hostname[256], /* Hostname */
927 *hostptr; /* Pointer into hostname */
928
929
930 DEBUG_printf(("7_httpTLSStart(http=%p)", http));
931
932 if ((http->tls = http_sspi_alloc()) == NULL)
933 return (-1);
934
935 if (http->mode == _HTTP_MODE_CLIENT)
936 {
937 /*
938 * Client: determine hostname...
939 */
940
941 if (httpAddrLocalhost(http->hostaddr))
942 {
943 strlcpy(hostname, "localhost", sizeof(hostname));
944 }
945 else
946 {
947 /*
948 * Otherwise make sure the hostname we have does not end in a trailing dot.
949 */
950
951 strlcpy(hostname, http->hostname, sizeof(hostname));
952 if ((hostptr = hostname + strlen(hostname) - 1) >= hostname &&
953 *hostptr == '.')
954 *hostptr = '\0';
955 }
956
957 return (http_sspi_client(http, hostname));
958 }
959 else
960 {
961 /*
962 * Server: determine hostname to use...
963 */
964
965 if (http->fields[HTTP_FIELD_HOST][0])
966 {
967 /*
968 * Use hostname for TLS upgrade...
969 */
970
971 strlcpy(hostname, http->fields[HTTP_FIELD_HOST], sizeof(hostname));
972 }
973 else
974 {
975 /*
976 * Resolve hostname from connection address...
977 */
978
979 http_addr_t addr; /* Connection address */
980 socklen_t addrlen; /* Length of address */
981
982 addrlen = sizeof(addr);
983 if (getsockname(http->fd, (struct sockaddr *)&addr, &addrlen))
984 {
985 DEBUG_printf(("4_httpTLSStart: Unable to get socket address: %s", strerror(errno)));
986 hostname[0] = '\0';
987 }
988 else if (httpAddrLocalhost(&addr))
989 hostname[0] = '\0';
990 else
991 {
992 httpAddrLookup(&addr, hostname, sizeof(hostname));
993 DEBUG_printf(("4_httpTLSStart: Resolved socket address to \"%s\".", hostname));
994 }
995 }
996
997 return (http_sspi_server(http, hostname));
998 }
999 }
1000
1001
1002 /*
1003 * '_httpTLSStop()' - Shut down SSL/TLS on a connection.
1004 */
1005
1006 void
1007 _httpTLSStop(http_t *http) /* I - HTTP connection */
1008 {
1009 _http_sspi_t *sspi = http->tls; /* SSPI data */
1010
1011
1012 if (sspi->contextInitialized && http->fd >= 0)
1013 {
1014 SecBufferDesc message; /* Array of SecBuffer struct */
1015 SecBuffer buffers[1] = { 0 };
1016 /* Security package buffer */
1017 DWORD dwType; /* Type */
1018 DWORD status; /* Status */
1019
1020 /*
1021 * Notify schannel that we are about to close the connection.
1022 */
1023
1024 dwType = SCHANNEL_SHUTDOWN;
1025
1026 buffers[0].pvBuffer = &dwType;
1027 buffers[0].BufferType = SECBUFFER_TOKEN;
1028 buffers[0].cbBuffer = sizeof(dwType);
1029
1030 message.cBuffers = 1;
1031 message.pBuffers = buffers;
1032 message.ulVersion = SECBUFFER_VERSION;
1033
1034 status = ApplyControlToken(&sspi->context, &message);
1035
1036 if (SUCCEEDED(status))
1037 {
1038 PBYTE pbMessage; /* Message buffer */
1039 DWORD cbMessage; /* Message buffer count */
1040 DWORD cbData; /* Data count */
1041 DWORD dwSSPIFlags; /* SSL attributes we requested */
1042 DWORD dwSSPIOutFlags; /* SSL attributes we received */
1043 TimeStamp tsExpiry; /* Time stamp */
1044
1045 dwSSPIFlags = ASC_REQ_SEQUENCE_DETECT |
1046 ASC_REQ_REPLAY_DETECT |
1047 ASC_REQ_CONFIDENTIALITY |
1048 ASC_REQ_EXTENDED_ERROR |
1049 ASC_REQ_ALLOCATE_MEMORY |
1050 ASC_REQ_STREAM;
1051
1052 buffers[0].pvBuffer = NULL;
1053 buffers[0].BufferType = SECBUFFER_TOKEN;
1054 buffers[0].cbBuffer = 0;
1055
1056 message.cBuffers = 1;
1057 message.pBuffers = buffers;
1058 message.ulVersion = SECBUFFER_VERSION;
1059
1060 status = AcceptSecurityContext(&sspi->creds, &sspi->context, NULL,
1061 dwSSPIFlags, SECURITY_NATIVE_DREP, NULL,
1062 &message, &dwSSPIOutFlags, &tsExpiry);
1063
1064 if (SUCCEEDED(status))
1065 {
1066 pbMessage = buffers[0].pvBuffer;
1067 cbMessage = buffers[0].cbBuffer;
1068
1069 /*
1070 * Send the close notify message to the client.
1071 */
1072
1073 if (pbMessage && cbMessage)
1074 {
1075 cbData = send(http->fd, pbMessage, cbMessage, 0);
1076 if ((cbData == SOCKET_ERROR) || (cbData == 0))
1077 {
1078 status = WSAGetLastError();
1079 DEBUG_printf(("_httpTLSStop: sending close notify failed: %d", status));
1080 }
1081 else
1082 {
1083 FreeContextBuffer(pbMessage);
1084 }
1085 }
1086 }
1087 else
1088 {
1089 DEBUG_printf(("_httpTLSStop: AcceptSecurityContext failed: %s", http_sspi_strerror(sspi->error, sizeof(sspi->error), status)));
1090 }
1091 }
1092 else
1093 {
1094 DEBUG_printf(("_httpTLSStop: ApplyControlToken failed: %s", http_sspi_strerror(sspi->error, sizeof(sspi->error), status)));
1095 }
1096 }
1097
1098 http_sspi_free(sspi);
1099
1100 http->tls = NULL;
1101 }
1102
1103
1104 /*
1105 * '_httpTLSWrite()' - Write to a SSL/TLS connection.
1106 */
1107
1108 int /* O - Bytes written */
1109 _httpTLSWrite(http_t *http, /* I - HTTP connection */
1110 const char *buf, /* I - Buffer holding data */
1111 int len) /* I - Length of buffer */
1112 {
1113 _http_sspi_t *sspi = http->tls; /* SSPI data */
1114 SecBufferDesc message; /* Array of SecBuffer struct */
1115 SecBuffer buffers[4] = { 0 }; /* Security package buffer */
1116 int bufferLen; /* Buffer length */
1117 int bytesLeft; /* Bytes left to write */
1118 const char *bufptr; /* Pointer into buffer */
1119 int num = 0; /* Return value */
1120
1121
1122 bufferLen = sspi->streamSizes.cbMaximumMessage + sspi->streamSizes.cbHeader + sspi->streamSizes.cbTrailer;
1123
1124 if (bufferLen > sspi->writeBufferLength)
1125 {
1126 BYTE *temp; /* New buffer pointer */
1127
1128 if ((temp = (BYTE *)realloc(sspi->writeBuffer, bufferLen)) == NULL)
1129 {
1130 DEBUG_printf(("_httpTLSWrite: Unable to allocate buffer of %d bytes.", bufferLen));
1131 WSASetLastError(E_OUTOFMEMORY);
1132 return (-1);
1133 }
1134
1135 sspi->writeBuffer = temp;
1136 sspi->writeBufferLength = bufferLen;
1137 }
1138
1139 bytesLeft = len;
1140 bufptr = buf;
1141
1142 while (bytesLeft)
1143 {
1144 int chunk = min((int)sspi->streamSizes.cbMaximumMessage, bytesLeft);
1145 /* Size of data to write */
1146 SECURITY_STATUS scRet; /* SSPI status */
1147
1148 /*
1149 * Copy user data into the buffer, starting just past the header...
1150 */
1151
1152 memcpy(sspi->writeBuffer + sspi->streamSizes.cbHeader, bufptr, chunk);
1153
1154 /*
1155 * Setup the SSPI buffers
1156 */
1157
1158 message.ulVersion = SECBUFFER_VERSION;
1159 message.cBuffers = 4;
1160 message.pBuffers = buffers;
1161
1162 buffers[0].pvBuffer = sspi->writeBuffer;
1163 buffers[0].cbBuffer = sspi->streamSizes.cbHeader;
1164 buffers[0].BufferType = SECBUFFER_STREAM_HEADER;
1165 buffers[1].pvBuffer = sspi->writeBuffer + sspi->streamSizes.cbHeader;
1166 buffers[1].cbBuffer = (unsigned long) chunk;
1167 buffers[1].BufferType = SECBUFFER_DATA;
1168 buffers[2].pvBuffer = sspi->writeBuffer + sspi->streamSizes.cbHeader + chunk;
1169 buffers[2].cbBuffer = sspi->streamSizes.cbTrailer;
1170 buffers[2].BufferType = SECBUFFER_STREAM_TRAILER;
1171 buffers[3].BufferType = SECBUFFER_EMPTY;
1172
1173 /*
1174 * Encrypt the data
1175 */
1176
1177 scRet = EncryptMessage(&sspi->context, 0, &message, 0);
1178
1179 if (FAILED(scRet))
1180 {
1181 DEBUG_printf(("_httpTLSWrite: EncryptMessage failed: %s", http_sspi_strerror(sspi->error, sizeof(sspi->error), scRet)));
1182 WSASetLastError(WSASYSCALLFAILURE);
1183 return (-1);
1184 }
1185
1186 /*
1187 * Send the data. Remember the size of the total data to send is the size
1188 * of the header, the size of the data the caller passed in and the size
1189 * of the trailer...
1190 */
1191
1192 num = send(http->fd, sspi->writeBuffer, buffers[0].cbBuffer + buffers[1].cbBuffer + buffers[2].cbBuffer, 0);
1193
1194 if (num <= 0)
1195 {
1196 DEBUG_printf(("_httpTLSWrite: send failed: %ld", WSAGetLastError()));
1197 return (num);
1198 }
1199
1200 bytesLeft -= chunk;
1201 bufptr += chunk;
1202 }
1203
1204 return (len);
1205 }
1206
1207
1208 #if 0
1209 /*
1210 * 'http_setup_ssl()' - Set up SSL/TLS support on a connection.
1211 */
1212
1213 static int /* O - 0 on success, -1 on failure */
1214 http_setup_ssl(http_t *http) /* I - Connection to server */
1215 {
1216 char hostname[256], /* Hostname */
1217 *hostptr; /* Pointer into hostname */
1218
1219 TCHAR username[256]; /* Username returned from GetUserName() */
1220 TCHAR commonName[256];/* Common name for certificate */
1221 DWORD dwSize; /* 32 bit size */
1222
1223
1224 DEBUG_printf(("7http_setup_ssl(http=%p)", http));
1225
1226 /*
1227 * Get the hostname to use for SSL...
1228 */
1229
1230 if (httpAddrLocalhost(http->hostaddr))
1231 {
1232 strlcpy(hostname, "localhost", sizeof(hostname));
1233 }
1234 else
1235 {
1236 /*
1237 * Otherwise make sure the hostname we have does not end in a trailing dot.
1238 */
1239
1240 strlcpy(hostname, http->hostname, sizeof(hostname));
1241 if ((hostptr = hostname + strlen(hostname) - 1) >= hostname &&
1242 *hostptr == '.')
1243 *hostptr = '\0';
1244 }
1245
1246 http->tls = http_sspi_alloc();
1247
1248 if (!http->tls)
1249 {
1250 _cupsSetHTTPError(HTTP_STATUS_ERROR);
1251 return (-1);
1252 }
1253
1254 dwSize = sizeof(username) / sizeof(TCHAR);
1255 GetUserName(username, &dwSize);
1256 _sntprintf_s(commonName, sizeof(commonName) / sizeof(TCHAR),
1257 sizeof(commonName) / sizeof(TCHAR), TEXT("CN=%s"), username);
1258
1259 if (!_sspiGetCredentials(http->tls, L"ClientContainer",
1260 commonName, FALSE))
1261 {
1262 _sspiFree(http->tls);
1263 http->tls = NULL;
1264
1265 http->error = EIO;
1266 http->status = HTTP_STATUS_ERROR;
1267
1268 _cupsSetError(IPP_STATUS_ERROR_CUPS_PKI,
1269 _("Unable to establish a secure connection to host."), 1);
1270
1271 return (-1);
1272 }
1273
1274 _sspiSetAllowsAnyRoot(http->tls, TRUE);
1275 _sspiSetAllowsExpiredCerts(http->tls, TRUE);
1276
1277 if (!_sspiConnect(http->tls, hostname))
1278 {
1279 _sspiFree(http->tls);
1280 http->tls = NULL;
1281
1282 http->error = EIO;
1283 http->status = HTTP_STATUS_ERROR;
1284
1285 _cupsSetError(IPP_STATUS_ERROR_CUPS_PKI,
1286 _("Unable to establish a secure connection to host."), 1);
1287
1288 return (-1);
1289 }
1290
1291 return (0);
1292 }
1293 #endif // 0
1294
1295
1296 /*
1297 * 'http_sspi_alloc()' - Allocate SSPI object.
1298 */
1299
1300 static _http_sspi_t * /* O - New SSPI/SSL object */
1301 http_sspi_alloc(void)
1302 {
1303 return ((_http_sspi_t *)calloc(sizeof(_http_sspi_t), 1));
1304 }
1305
1306
1307 /*
1308 * 'http_sspi_client()' - Negotiate a TLS connection as a client.
1309 */
1310
1311 static int /* O - 0 on success, -1 on failure */
1312 http_sspi_client(http_t *http, /* I - Client connection */
1313 const char *hostname) /* I - Server hostname */
1314 {
1315 _http_sspi_t *sspi = http->tls; /* SSPI data */
1316 DWORD dwSize; /* Size for buffer */
1317 DWORD dwSSPIFlags; /* SSL connection attributes we want */
1318 DWORD dwSSPIOutFlags; /* SSL connection attributes we got */
1319 TimeStamp tsExpiry; /* Time stamp */
1320 SECURITY_STATUS scRet; /* Status */
1321 int cbData; /* Data count */
1322 SecBufferDesc inBuffer; /* Array of SecBuffer structs */
1323 SecBuffer inBuffers[2]; /* Security package buffer */
1324 SecBufferDesc outBuffer; /* Array of SecBuffer structs */
1325 SecBuffer outBuffers[1]; /* Security package buffer */
1326 int ret = 0; /* Return value */
1327 char username[1024], /* Current username */
1328 common_name[1024]; /* CN=username */
1329
1330
1331 DEBUG_printf(("4http_sspi_client(http=%p, hostname=\"%s\")", http, hostname));
1332
1333 dwSSPIFlags = ISC_REQ_SEQUENCE_DETECT |
1334 ISC_REQ_REPLAY_DETECT |
1335 ISC_REQ_CONFIDENTIALITY |
1336 ISC_RET_EXTENDED_ERROR |
1337 ISC_REQ_ALLOCATE_MEMORY |
1338 ISC_REQ_STREAM;
1339
1340 /*
1341 * Lookup the client certificate...
1342 */
1343
1344 dwSize = sizeof(username);
1345 GetUserName(username, &dwSize);
1346 snprintf(common_name, sizeof(common_name), "CN=%s", username);
1347
1348 if (!http_sspi_find_credentials(http, L"ClientContainer", common_name))
1349 if (!http_sspi_make_credentials(http->tls, L"ClientContainer", common_name, _HTTP_MODE_CLIENT, 10))
1350 {
1351 DEBUG_puts("5http_sspi_client: Unable to get client credentials.");
1352 return (-1);
1353 }
1354
1355 /*
1356 * Initiate a ClientHello message and generate a token.
1357 */
1358
1359 outBuffers[0].pvBuffer = NULL;
1360 outBuffers[0].BufferType = SECBUFFER_TOKEN;
1361 outBuffers[0].cbBuffer = 0;
1362
1363 outBuffer.cBuffers = 1;
1364 outBuffer.pBuffers = outBuffers;
1365 outBuffer.ulVersion = SECBUFFER_VERSION;
1366
1367 scRet = InitializeSecurityContext(&sspi->creds, NULL, TEXT(""), dwSSPIFlags, 0, SECURITY_NATIVE_DREP, NULL, 0, &sspi->context, &outBuffer, &dwSSPIOutFlags, &tsExpiry);
1368
1369 if (scRet != SEC_I_CONTINUE_NEEDED)
1370 {
1371 DEBUG_printf(("5http_sspi_client: InitializeSecurityContext(1) failed: %s", http_sspi_strerror(sspi->error, sizeof(sspi->error), scRet)));
1372 return (-1);
1373 }
1374
1375 /*
1376 * Send response to server if there is one.
1377 */
1378
1379 if (outBuffers[0].cbBuffer && outBuffers[0].pvBuffer)
1380 {
1381 if ((cbData = send(http->fd, outBuffers[0].pvBuffer, outBuffers[0].cbBuffer, 0)) <= 0)
1382 {
1383 DEBUG_printf(("5http_sspi_client: send failed: %d", WSAGetLastError()));
1384 FreeContextBuffer(outBuffers[0].pvBuffer);
1385 DeleteSecurityContext(&sspi->context);
1386 return (-1);
1387 }
1388
1389 DEBUG_printf(("5http_sspi_client: %d bytes of handshake data sent.", cbData));
1390
1391 FreeContextBuffer(outBuffers[0].pvBuffer);
1392 outBuffers[0].pvBuffer = NULL;
1393 }
1394
1395 dwSSPIFlags = ISC_REQ_MANUAL_CRED_VALIDATION |
1396 ISC_REQ_SEQUENCE_DETECT |
1397 ISC_REQ_REPLAY_DETECT |
1398 ISC_REQ_CONFIDENTIALITY |
1399 ISC_RET_EXTENDED_ERROR |
1400 ISC_REQ_ALLOCATE_MEMORY |
1401 ISC_REQ_STREAM;
1402
1403 sspi->decryptBufferUsed = 0;
1404
1405 /*
1406 * Loop until the handshake is finished or an error occurs.
1407 */
1408
1409 scRet = SEC_I_CONTINUE_NEEDED;
1410
1411 while(scRet == SEC_I_CONTINUE_NEEDED ||
1412 scRet == SEC_E_INCOMPLETE_MESSAGE ||
1413 scRet == SEC_I_INCOMPLETE_CREDENTIALS)
1414 {
1415 if (sspi->decryptBufferUsed == 0 || scRet == SEC_E_INCOMPLETE_MESSAGE)
1416 {
1417 if (sspi->decryptBufferLength <= sspi->decryptBufferUsed)
1418 {
1419 BYTE *temp; /* New buffer */
1420
1421 if (sspi->decryptBufferLength >= 262144)
1422 {
1423 WSASetLastError(E_OUTOFMEMORY);
1424 DEBUG_puts("5http_sspi_client: Decryption buffer too large (>256k)");
1425 return (-1);
1426 }
1427
1428 if ((temp = realloc(sspi->decryptBuffer, sspi->decryptBufferLength + 4096)) == NULL)
1429 {
1430 DEBUG_printf(("5http_sspi_client: Unable to allocate %d byte buffer.", sspi->decryptBufferLength + 4096));
1431 WSASetLastError(E_OUTOFMEMORY);
1432 return (-1);
1433 }
1434
1435 sspi->decryptBufferLength += 4096;
1436 sspi->decryptBuffer = temp;
1437 }
1438
1439 cbData = recv(http->fd, sspi->decryptBuffer + sspi->decryptBufferUsed, (int)(sspi->decryptBufferLength - sspi->decryptBufferUsed), 0);
1440
1441 if (cbData < 0)
1442 {
1443 DEBUG_printf(("5http_sspi_client: recv failed: %d", WSAGetLastError()));
1444 return (-1);
1445 }
1446 else if (cbData == 0)
1447 {
1448 DEBUG_printf(("5http_sspi_client: Server unexpectedly disconnected."));
1449 return (-1);
1450 }
1451
1452 DEBUG_printf(("5http_sspi_client: %d bytes of handshake data received", cbData));
1453
1454 sspi->decryptBufferUsed += cbData;
1455 }
1456
1457 /*
1458 * Set up the input buffers. Buffer 0 is used to pass in data received from
1459 * the server. Schannel will consume some or all of this. Leftover data
1460 * (if any) will be placed in buffer 1 and given a buffer type of
1461 * SECBUFFER_EXTRA.
1462 */
1463
1464 inBuffers[0].pvBuffer = sspi->decryptBuffer;
1465 inBuffers[0].cbBuffer = (unsigned long)sspi->decryptBufferUsed;
1466 inBuffers[0].BufferType = SECBUFFER_TOKEN;
1467
1468 inBuffers[1].pvBuffer = NULL;
1469 inBuffers[1].cbBuffer = 0;
1470 inBuffers[1].BufferType = SECBUFFER_EMPTY;
1471
1472 inBuffer.cBuffers = 2;
1473 inBuffer.pBuffers = inBuffers;
1474 inBuffer.ulVersion = SECBUFFER_VERSION;
1475
1476 /*
1477 * Set up the output buffers. These are initialized to NULL so as to make it
1478 * less likely we'll attempt to free random garbage later.
1479 */
1480
1481 outBuffers[0].pvBuffer = NULL;
1482 outBuffers[0].BufferType = SECBUFFER_TOKEN;
1483 outBuffers[0].cbBuffer = 0;
1484
1485 outBuffer.cBuffers = 1;
1486 outBuffer.pBuffers = outBuffers;
1487 outBuffer.ulVersion = SECBUFFER_VERSION;
1488
1489 /*
1490 * Call InitializeSecurityContext.
1491 */
1492
1493 scRet = InitializeSecurityContext(&sspi->creds, &sspi->context, NULL, dwSSPIFlags, 0, SECURITY_NATIVE_DREP, &inBuffer, 0, NULL, &outBuffer, &dwSSPIOutFlags, &tsExpiry);
1494
1495 /*
1496 * If InitializeSecurityContext was successful (or if the error was one of
1497 * the special extended ones), send the contents of the output buffer to the
1498 * server.
1499 */
1500
1501 if (scRet == SEC_E_OK ||
1502 scRet == SEC_I_CONTINUE_NEEDED ||
1503 FAILED(scRet) && (dwSSPIOutFlags & ISC_RET_EXTENDED_ERROR))
1504 {
1505 if (outBuffers[0].cbBuffer && outBuffers[0].pvBuffer)
1506 {
1507 cbData = send(http->fd, outBuffers[0].pvBuffer, outBuffers[0].cbBuffer, 0);
1508
1509 if (cbData <= 0)
1510 {
1511 DEBUG_printf(("5http_sspi_client: send failed: %d", WSAGetLastError()));
1512 FreeContextBuffer(outBuffers[0].pvBuffer);
1513 DeleteSecurityContext(&sspi->context);
1514 return (-1);
1515 }
1516
1517 DEBUG_printf(("5http_sspi_client: %d bytes of handshake data sent.", cbData));
1518
1519 /*
1520 * Free output buffer.
1521 */
1522
1523 FreeContextBuffer(outBuffers[0].pvBuffer);
1524 outBuffers[0].pvBuffer = NULL;
1525 }
1526 }
1527
1528 /*
1529 * If InitializeSecurityContext returned SEC_E_INCOMPLETE_MESSAGE, then we
1530 * need to read more data from the server and try again.
1531 */
1532
1533 if (scRet == SEC_E_INCOMPLETE_MESSAGE)
1534 continue;
1535
1536 /*
1537 * If InitializeSecurityContext returned SEC_E_OK, then the handshake
1538 * completed successfully.
1539 */
1540
1541 if (scRet == SEC_E_OK)
1542 {
1543 /*
1544 * If the "extra" buffer contains data, this is encrypted application
1545 * protocol layer stuff. It needs to be saved. The application layer will
1546 * later decrypt it with DecryptMessage.
1547 */
1548
1549 DEBUG_puts("5http_sspi_client: Handshake was successful.");
1550
1551 if (inBuffers[1].BufferType == SECBUFFER_EXTRA)
1552 {
1553 memmove(sspi->decryptBuffer, sspi->decryptBuffer + sspi->decryptBufferUsed - inBuffers[1].cbBuffer, inBuffers[1].cbBuffer);
1554
1555 sspi->decryptBufferUsed = inBuffers[1].cbBuffer;
1556
1557 DEBUG_printf(("5http_sspi_client: %d bytes of app data was bundled with handshake data", sspi->decryptBufferUsed));
1558 }
1559 else
1560 sspi->decryptBufferUsed = 0;
1561
1562 /*
1563 * Bail out to quit
1564 */
1565
1566 break;
1567 }
1568
1569 /*
1570 * Check for fatal error.
1571 */
1572
1573 if (FAILED(scRet))
1574 {
1575 DEBUG_printf(("5http_sspi_client: InitializeSecurityContext(2) failed: %s", http_sspi_strerror(sspi->error, sizeof(sspi->error), scRet)));
1576 ret = -1;
1577 break;
1578 }
1579
1580 /*
1581 * If InitializeSecurityContext returned SEC_I_INCOMPLETE_CREDENTIALS,
1582 * then the server just requested client authentication.
1583 */
1584
1585 if (scRet == SEC_I_INCOMPLETE_CREDENTIALS)
1586 {
1587 /*
1588 * Unimplemented
1589 */
1590
1591 DEBUG_printf(("5http_sspi_client: server requested client credentials."));
1592 ret = -1;
1593 break;
1594 }
1595
1596 /*
1597 * Copy any leftover data from the "extra" buffer, and go around again.
1598 */
1599
1600 if (inBuffers[1].BufferType == SECBUFFER_EXTRA)
1601 {
1602 memmove(sspi->decryptBuffer, sspi->decryptBuffer + sspi->decryptBufferUsed - inBuffers[1].cbBuffer, inBuffers[1].cbBuffer);
1603
1604 sspi->decryptBufferUsed = inBuffers[1].cbBuffer;
1605 }
1606 else
1607 {
1608 sspi->decryptBufferUsed = 0;
1609 }
1610 }
1611
1612 if (!ret)
1613 {
1614 /*
1615 * Success! Get the server cert
1616 */
1617
1618 sspi->contextInitialized = TRUE;
1619
1620 scRet = QueryContextAttributes(&sspi->context, SECPKG_ATTR_REMOTE_CERT_CONTEXT, (VOID *)&(sspi->remoteCert));
1621
1622 if (scRet != SEC_E_OK)
1623 {
1624 DEBUG_printf(("5http_sspi_client: QueryContextAttributes failed(SECPKG_ATTR_REMOTE_CERT_CONTEXT): %s", http_sspi_strerror(sspi->error, sizeof(sspi->error), scRet)));
1625 return (-1);
1626 }
1627
1628 /*
1629 * Find out how big the header/trailer will be:
1630 */
1631
1632 scRet = QueryContextAttributes(&sspi->context, SECPKG_ATTR_STREAM_SIZES, &sspi->streamSizes);
1633
1634 if (scRet != SEC_E_OK)
1635 {
1636 DEBUG_printf(("5http_sspi_client: QueryContextAttributes failed(SECPKG_ATTR_STREAM_SIZES): %s", http_sspi_strerror(sspi->error, sizeof(sspi->error), scRet)));
1637 ret = -1;
1638 }
1639 }
1640
1641 return (ret);
1642 }
1643
1644
1645 /*
1646 * 'http_sspi_create_credential()' - Create an SSPI certificate context.
1647 */
1648
1649 static PCCERT_CONTEXT /* O - Certificate context */
1650 http_sspi_create_credential(
1651 http_credential_t *cred) /* I - Credential */
1652 {
1653 if (cred)
1654 return (CertCreateCertificateContext(X509_ASN_ENCODING, cred->data, cred->datalen));
1655 else
1656 return (NULL);
1657 }
1658
1659
1660 /*
1661 * 'http_sspi_find_credentials()' - Retrieve a TLS certificate from the system store.
1662 */
1663
1664 static BOOL /* O - 1 on success, 0 on failure */
1665 http_sspi_find_credentials(
1666 http_t *http, /* I - HTTP connection */
1667 const LPWSTR container, /* I - Cert container name */
1668 const char *common_name) /* I - Common name of certificate */
1669 {
1670 _http_sspi_t *sspi = http->tls; /* SSPI data */
1671 HCERTSTORE store = NULL; /* Certificate store */
1672 PCCERT_CONTEXT storedContext = NULL; /* Context created from the store */
1673 DWORD dwSize = 0; /* 32 bit size */
1674 PBYTE p = NULL; /* Temporary storage */
1675 HCRYPTPROV hProv = (HCRYPTPROV)NULL;
1676 /* Handle to a CSP */
1677 CERT_NAME_BLOB sib; /* Arbitrary array of bytes */
1678 SCHANNEL_CRED SchannelCred; /* Schannel credential data */
1679 TimeStamp tsExpiry; /* Time stamp */
1680 SECURITY_STATUS Status; /* Status */
1681 BOOL ok = TRUE; /* Return value */
1682
1683
1684 if (!CryptAcquireContextW(&hProv, (LPWSTR)container, MS_DEF_PROV_W, PROV_RSA_FULL, CRYPT_NEWKEYSET | CRYPT_MACHINE_KEYSET))
1685 {
1686 if (GetLastError() == NTE_EXISTS)
1687 {
1688 if (!CryptAcquireContextW(&hProv, (LPWSTR)container, MS_DEF_PROV_W, PROV_RSA_FULL, CRYPT_MACHINE_KEYSET))
1689 {
1690 DEBUG_printf(("5http_sspi_find_credentials: CryptAcquireContext failed: %s", http_sspi_strerror(sspi->error, sizeof(sspi->error), GetLastError())));
1691 ok = FALSE;
1692 goto cleanup;
1693 }
1694 }
1695 }
1696
1697 store = CertOpenStore(CERT_STORE_PROV_SYSTEM, X509_ASN_ENCODING|PKCS_7_ASN_ENCODING, hProv, CERT_SYSTEM_STORE_LOCAL_MACHINE | CERT_STORE_NO_CRYPT_RELEASE_FLAG | CERT_STORE_OPEN_EXISTING_FLAG, L"MY");
1698
1699 if (!store)
1700 {
1701 DEBUG_printf(("5http_sspi_find_credentials: CertOpenSystemStore failed: %s", http_sspi_strerror(sspi->error, sizeof(sspi->error), GetLastError())));
1702 ok = FALSE;
1703 goto cleanup;
1704 }
1705
1706 dwSize = 0;
1707
1708 if (!CertStrToName(X509_ASN_ENCODING, common_name, CERT_OID_NAME_STR, NULL, NULL, &dwSize, NULL))
1709 {
1710 DEBUG_printf(("5http_sspi_find_credentials: CertStrToName failed: %s", http_sspi_strerror(sspi->error, sizeof(sspi->error), GetLastError())));
1711 ok = FALSE;
1712 goto cleanup;
1713 }
1714
1715 p = (PBYTE)malloc(dwSize);
1716
1717 if (!p)
1718 {
1719 DEBUG_printf(("5http_sspi_find_credentials: malloc failed for %d bytes.", dwSize));
1720 ok = FALSE;
1721 goto cleanup;
1722 }
1723
1724 if (!CertStrToName(X509_ASN_ENCODING, common_name, CERT_OID_NAME_STR, NULL, p, &dwSize, NULL))
1725 {
1726 DEBUG_printf(("5http_sspi_find_credentials: CertStrToName failed: %s", http_sspi_strerror(sspi->error, sizeof(sspi->error), GetLastError())));
1727 ok = FALSE;
1728 goto cleanup;
1729 }
1730
1731 sib.cbData = dwSize;
1732 sib.pbData = p;
1733
1734 storedContext = CertFindCertificateInStore(store, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 0, CERT_FIND_SUBJECT_NAME, &sib, NULL);
1735
1736 if (!storedContext)
1737 {
1738 DEBUG_printf(("5http_sspi_find_credentials: Unable to find credentials for \"%s\".", common_name));
1739 ok = FALSE;
1740 goto cleanup;
1741 }
1742
1743 ZeroMemory(&SchannelCred, sizeof(SchannelCred));
1744
1745 SchannelCred.dwVersion = SCHANNEL_CRED_VERSION;
1746 SchannelCred.cCreds = 1;
1747 SchannelCred.paCred = &storedContext;
1748
1749 /*
1750 * Set supported protocols (can also be overriden in the registry...)
1751 */
1752
1753 #ifdef SP_PROT_TLS1_2_SERVER
1754 if (http->mode == _HTTP_MODE_SERVER)
1755 {
1756 if (tls_options & _HTTP_TLS_ALLOW_SSL3)
1757 SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_2_SERVER | SP_PROT_TLS1_1_SERVER | SP_PROT_TLS1_0_SERVER | SP_PROT_SSL3_SERVER;
1758 else
1759 SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_2_SERVER | SP_PROT_TLS1_1_SERVER | SP_PROT_TLS1_0_SERVER;
1760 }
1761 else
1762 {
1763 if (tls_options & _HTTP_TLS_ALLOW_SSL3)
1764 SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_2_CLIENT | SP_PROT_TLS1_1_CLIENT | SP_PROT_TLS1_0_CLIENT | SP_PROT_SSL3_CLIENT;
1765 else
1766 SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_2_CLIENT | SP_PROT_TLS1_1_CLIENT | SP_PROT_TLS1_0_CLIENT;
1767 }
1768
1769 #else
1770 if (http->mode == _HTTP_MODE_SERVER)
1771 {
1772 if (tls_options & _HTTP_TLS_ALLOW_SSL3)
1773 SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_SERVER | SP_PROT_SSL3_SERVER;
1774 else
1775 SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_SERVER;
1776 }
1777 else
1778 {
1779 if (tls_options & _HTTP_TLS_ALLOW_SSL3)
1780 SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_CLIENT | SP_PROT_SSL3_CLIENT;
1781 else
1782 SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_CLIENT;
1783 }
1784 #endif /* SP_PROT_TLS1_2_SERVER */
1785
1786 /* TODO: Support _HTTP_TLS_ALLOW_RC4 option; right now we'll rely on Windows registry to enable/disable RC4... */
1787
1788 /*
1789 * Create an SSPI credential.
1790 */
1791
1792 Status = AcquireCredentialsHandle(NULL, UNISP_NAME, http->mode == _HTTP_MODE_SERVER ? SECPKG_CRED_INBOUND : SECPKG_CRED_OUTBOUND, NULL, &SchannelCred, NULL, NULL, &sspi->creds, &tsExpiry);
1793 if (Status != SEC_E_OK)
1794 {
1795 DEBUG_printf(("5http_sspi_find_credentials: AcquireCredentialsHandle failed: %s", http_sspi_strerror(sspi->error, sizeof(sspi->error), Status)));
1796 ok = FALSE;
1797 goto cleanup;
1798 }
1799
1800 cleanup:
1801
1802 /*
1803 * Cleanup
1804 */
1805
1806 if (storedContext)
1807 CertFreeCertificateContext(storedContext);
1808
1809 if (p)
1810 free(p);
1811
1812 if (store)
1813 CertCloseStore(store, 0);
1814
1815 if (hProv)
1816 CryptReleaseContext(hProv, 0);
1817
1818 return (ok);
1819 }
1820
1821
1822 /*
1823 * 'http_sspi_free()' - Close a connection and free resources.
1824 */
1825
1826 static void
1827 http_sspi_free(_http_sspi_t *sspi) /* I - SSPI data */
1828 {
1829 if (!sspi)
1830 return;
1831
1832 if (sspi->contextInitialized)
1833 DeleteSecurityContext(&sspi->context);
1834
1835 if (sspi->decryptBuffer)
1836 free(sspi->decryptBuffer);
1837
1838 if (sspi->readBuffer)
1839 free(sspi->readBuffer);
1840
1841 if (sspi->writeBuffer)
1842 free(sspi->writeBuffer);
1843
1844 if (sspi->localCert)
1845 CertFreeCertificateContext(sspi->localCert);
1846
1847 if (sspi->remoteCert)
1848 CertFreeCertificateContext(sspi->remoteCert);
1849
1850 free(sspi);
1851 }
1852
1853
1854 /*
1855 * 'http_sspi_make_credentials()' - Create a TLS certificate in the system store.
1856 */
1857
1858 static BOOL /* O - 1 on success, 0 on failure */
1859 http_sspi_make_credentials(
1860 _http_sspi_t *sspi, /* I - SSPI data */
1861 const LPWSTR container, /* I - Cert container name */
1862 const char *common_name, /* I - Common name of certificate */
1863 _http_mode_t mode, /* I - Client or server? */
1864 int years) /* I - Years until expiration */
1865 {
1866 HCERTSTORE store = NULL; /* Certificate store */
1867 PCCERT_CONTEXT storedContext = NULL; /* Context created from the store */
1868 PCCERT_CONTEXT createdContext = NULL; /* Context created by us */
1869 DWORD dwSize = 0; /* 32 bit size */
1870 PBYTE p = NULL; /* Temporary storage */
1871 HCRYPTPROV hProv = (HCRYPTPROV)NULL;
1872 /* Handle to a CSP */
1873 CERT_NAME_BLOB sib; /* Arbitrary array of bytes */
1874 SCHANNEL_CRED SchannelCred; /* Schannel credential data */
1875 TimeStamp tsExpiry; /* Time stamp */
1876 SECURITY_STATUS Status; /* Status */
1877 HCRYPTKEY hKey = (HCRYPTKEY)NULL; /* Handle to crypto key */
1878 CRYPT_KEY_PROV_INFO kpi; /* Key container info */
1879 SYSTEMTIME et; /* System time */
1880 CERT_EXTENSIONS exts; /* Array of cert extensions */
1881 CRYPT_KEY_PROV_INFO ckp; /* Handle to crypto key */
1882 BOOL ok = TRUE; /* Return value */
1883
1884
1885 DEBUG_printf(("4http_sspi_make_credentials(sspi=%p, container=%p, common_name=\"%s\", mode=%d, years=%d)", sspi, container, common_name, mode, years));
1886
1887 if (!CryptAcquireContextW(&hProv, (LPWSTR)container, MS_DEF_PROV_W, PROV_RSA_FULL, CRYPT_NEWKEYSET | CRYPT_MACHINE_KEYSET))
1888 {
1889 if (GetLastError() == NTE_EXISTS)
1890 {
1891 if (!CryptAcquireContextW(&hProv, (LPWSTR)container, MS_DEF_PROV_W, PROV_RSA_FULL, CRYPT_MACHINE_KEYSET))
1892 {
1893 DEBUG_printf(("5http_sspi_make_credentials: CryptAcquireContext failed: %s", http_sspi_strerror(sspi->error, sizeof(sspi->error), GetLastError())));
1894 ok = FALSE;
1895 goto cleanup;
1896 }
1897 }
1898 }
1899
1900 store = CertOpenStore(CERT_STORE_PROV_SYSTEM, X509_ASN_ENCODING|PKCS_7_ASN_ENCODING, hProv, CERT_SYSTEM_STORE_LOCAL_MACHINE | CERT_STORE_NO_CRYPT_RELEASE_FLAG | CERT_STORE_OPEN_EXISTING_FLAG, L"MY");
1901
1902 if (!store)
1903 {
1904 DEBUG_printf(("5http_sspi_make_credentials: CertOpenSystemStore failed: %s", http_sspi_strerror(sspi->error, sizeof(sspi->error), GetLastError())));
1905 ok = FALSE;
1906 goto cleanup;
1907 }
1908
1909 dwSize = 0;
1910
1911 if (!CertStrToName(X509_ASN_ENCODING, common_name, CERT_OID_NAME_STR, NULL, NULL, &dwSize, NULL))
1912 {
1913 DEBUG_printf(("5http_sspi_make_credentials: CertStrToName failed: %s", http_sspi_strerror(sspi->error, sizeof(sspi->error), GetLastError())));
1914 ok = FALSE;
1915 goto cleanup;
1916 }
1917
1918 p = (PBYTE)malloc(dwSize);
1919
1920 if (!p)
1921 {
1922 DEBUG_printf(("5http_sspi_make_credentials: malloc failed for %d bytes", dwSize));
1923 ok = FALSE;
1924 goto cleanup;
1925 }
1926
1927 if (!CertStrToName(X509_ASN_ENCODING, common_name, CERT_OID_NAME_STR, NULL, p, &dwSize, NULL))
1928 {
1929 DEBUG_printf(("5http_sspi_make_credentials: CertStrToName failed: %s", http_sspi_strerror(sspi->error, sizeof(sspi->error), GetLastError())));
1930 ok = FALSE;
1931 goto cleanup;
1932 }
1933
1934 /*
1935 * Create a private key and self-signed certificate...
1936 */
1937
1938 if (!CryptGenKey(hProv, AT_KEYEXCHANGE, CRYPT_EXPORTABLE, &hKey))
1939 {
1940 DEBUG_printf(("5http_sspi_make_credentials: CryptGenKey failed: %s", http_sspi_strerror(sspi->error, sizeof(sspi->error), GetLastError())));
1941 ok = FALSE;
1942 goto cleanup;
1943 }
1944
1945 ZeroMemory(&kpi, sizeof(kpi));
1946 kpi.pwszContainerName = (LPWSTR)container;
1947 kpi.pwszProvName = MS_DEF_PROV_W;
1948 kpi.dwProvType = PROV_RSA_FULL;
1949 kpi.dwFlags = CERT_SET_KEY_CONTEXT_PROP_ID;
1950 kpi.dwKeySpec = AT_KEYEXCHANGE;
1951
1952 GetSystemTime(&et);
1953 et.wYear += years;
1954
1955 ZeroMemory(&exts, sizeof(exts));
1956
1957 createdContext = CertCreateSelfSignCertificate(hProv, &sib, 0, &kpi, NULL, NULL, &et, &exts);
1958
1959 if (!createdContext)
1960 {
1961 DEBUG_printf(("5http_sspi_make_credentials: CertCreateSelfSignCertificate failed: %s", http_sspi_strerror(sspi->error, sizeof(sspi->error), GetLastError())));
1962 ok = FALSE;
1963 goto cleanup;
1964 }
1965
1966 /*
1967 * Add the created context to the named store, and associate it with the named
1968 * container...
1969 */
1970
1971 if (!CertAddCertificateContextToStore(store, createdContext, CERT_STORE_ADD_REPLACE_EXISTING, &storedContext))
1972 {
1973 DEBUG_printf(("5http_sspi_make_credentials: CertAddCertificateContextToStore failed: %s", http_sspi_strerror(sspi->error, sizeof(sspi->error), GetLastError())));
1974 ok = FALSE;
1975 goto cleanup;
1976 }
1977
1978 ZeroMemory(&ckp, sizeof(ckp));
1979 ckp.pwszContainerName = (LPWSTR) container;
1980 ckp.pwszProvName = MS_DEF_PROV_W;
1981 ckp.dwProvType = PROV_RSA_FULL;
1982 ckp.dwFlags = CRYPT_MACHINE_KEYSET;
1983 ckp.dwKeySpec = AT_KEYEXCHANGE;
1984
1985 if (!CertSetCertificateContextProperty(storedContext, CERT_KEY_PROV_INFO_PROP_ID, 0, &ckp))
1986 {
1987 DEBUG_printf(("5http_sspi_make_credentials: CertSetCertificateContextProperty failed: %s", http_sspi_strerror(sspi->error, sizeof(sspi->error), GetLastError())));
1988 ok = FALSE;
1989 goto cleanup;
1990 }
1991
1992 /*
1993 * Get a handle to use the certificate...
1994 */
1995
1996 ZeroMemory(&SchannelCred, sizeof(SchannelCred));
1997
1998 SchannelCred.dwVersion = SCHANNEL_CRED_VERSION;
1999 SchannelCred.cCreds = 1;
2000 SchannelCred.paCred = &storedContext;
2001
2002 /*
2003 * SSPI doesn't seem to like it if grbitEnabledProtocols is set for a client.
2004 */
2005
2006 if (mode == _HTTP_MODE_SERVER)
2007 SchannelCred.grbitEnabledProtocols = SP_PROT_SSL3TLS1;
2008
2009 /*
2010 * Create an SSPI credential.
2011 */
2012
2013 Status = AcquireCredentialsHandle(NULL, UNISP_NAME, mode == _HTTP_MODE_SERVER ? SECPKG_CRED_INBOUND : SECPKG_CRED_OUTBOUND, NULL, &SchannelCred, NULL, NULL, &sspi->creds, &tsExpiry);
2014 if (Status != SEC_E_OK)
2015 {
2016 DEBUG_printf(("5http_sspi_make_credentials: AcquireCredentialsHandle failed: %s", http_sspi_strerror(sspi->error, sizeof(sspi->error), Status)));
2017 ok = FALSE;
2018 goto cleanup;
2019 }
2020
2021 cleanup:
2022
2023 /*
2024 * Cleanup
2025 */
2026
2027 if (hKey)
2028 CryptDestroyKey(hKey);
2029
2030 if (createdContext)
2031 CertFreeCertificateContext(createdContext);
2032
2033 if (storedContext)
2034 CertFreeCertificateContext(storedContext);
2035
2036 if (p)
2037 free(p);
2038
2039 if (store)
2040 CertCloseStore(store, 0);
2041
2042 if (hProv)
2043 CryptReleaseContext(hProv, 0);
2044
2045 return (ok);
2046 }
2047
2048
2049 /*
2050 * 'http_sspi_server()' - Negotiate a TLS connection as a server.
2051 */
2052
2053 static int /* O - 0 on success, -1 on failure */
2054 http_sspi_server(http_t *http, /* I - HTTP connection */
2055 const char *hostname) /* I - Hostname of server */
2056 {
2057 _http_sspi_t *sspi = http->tls; /* I - SSPI data */
2058 char common_name[512]; /* Common name for cert */
2059 DWORD dwSSPIFlags; /* SSL connection attributes we want */
2060 DWORD dwSSPIOutFlags; /* SSL connection attributes we got */
2061 TimeStamp tsExpiry; /* Time stamp */
2062 SECURITY_STATUS scRet; /* SSPI Status */
2063 SecBufferDesc inBuffer; /* Array of SecBuffer structs */
2064 SecBuffer inBuffers[2]; /* Security package buffer */
2065 SecBufferDesc outBuffer; /* Array of SecBuffer structs */
2066 SecBuffer outBuffers[1]; /* Security package buffer */
2067 int num = 0; /* 32 bit status value */
2068 BOOL fInitContext = TRUE; /* Has the context been init'd? */
2069 int ret = 0; /* Return value */
2070
2071
2072 DEBUG_printf(("4http_sspi_server(http=%p, hostname=\"%s\")", http, hostname));
2073
2074 dwSSPIFlags = ASC_REQ_SEQUENCE_DETECT |
2075 ASC_REQ_REPLAY_DETECT |
2076 ASC_REQ_CONFIDENTIALITY |
2077 ASC_REQ_EXTENDED_ERROR |
2078 ASC_REQ_ALLOCATE_MEMORY |
2079 ASC_REQ_STREAM;
2080
2081 sspi->decryptBufferUsed = 0;
2082
2083 /*
2084 * Lookup the server certificate...
2085 */
2086
2087 snprintf(common_name, sizeof(common_name), "CN=%s", hostname);
2088
2089 if (!http_sspi_find_credentials(http, L"ServerContainer", common_name))
2090 if (!http_sspi_make_credentials(http->tls, L"ServerContainer", common_name, _HTTP_MODE_SERVER, 10))
2091 {
2092 DEBUG_puts("5http_sspi_server: Unable to get server credentials.");
2093 return (-1);
2094 }
2095
2096 /*
2097 * Set OutBuffer for AcceptSecurityContext call
2098 */
2099
2100 outBuffer.cBuffers = 1;
2101 outBuffer.pBuffers = outBuffers;
2102 outBuffer.ulVersion = SECBUFFER_VERSION;
2103
2104 scRet = SEC_I_CONTINUE_NEEDED;
2105
2106 while (scRet == SEC_I_CONTINUE_NEEDED ||
2107 scRet == SEC_E_INCOMPLETE_MESSAGE ||
2108 scRet == SEC_I_INCOMPLETE_CREDENTIALS)
2109 {
2110 if (sspi->decryptBufferUsed == 0 || scRet == SEC_E_INCOMPLETE_MESSAGE)
2111 {
2112 if (sspi->decryptBufferLength <= sspi->decryptBufferUsed)
2113 {
2114 BYTE *temp; /* New buffer */
2115
2116 if (sspi->decryptBufferLength >= 262144)
2117 {
2118 WSASetLastError(E_OUTOFMEMORY);
2119 DEBUG_puts("5http_sspi_server: Decryption buffer too large (>256k)");
2120 return (-1);
2121 }
2122
2123 if ((temp = realloc(sspi->decryptBuffer, sspi->decryptBufferLength + 4096)) == NULL)
2124 {
2125 DEBUG_printf(("5http_sspi_server: Unable to allocate %d byte buffer.", sspi->decryptBufferLength + 4096));
2126 WSASetLastError(E_OUTOFMEMORY);
2127 return (-1);
2128 }
2129
2130 sspi->decryptBufferLength += 4096;
2131 sspi->decryptBuffer = temp;
2132 }
2133
2134 for (;;)
2135 {
2136 num = recv(http->fd, sspi->decryptBuffer + sspi->decryptBufferUsed, (int)(sspi->decryptBufferLength - sspi->decryptBufferUsed), 0);
2137
2138 if (num == -1 && WSAGetLastError() == WSAEWOULDBLOCK)
2139 Sleep(1);
2140 else
2141 break;
2142 }
2143
2144 if (num < 0)
2145 {
2146 DEBUG_printf(("5http_sspi_server: recv failed: %d", WSAGetLastError()));
2147 return (-1);
2148 }
2149 else if (num == 0)
2150 {
2151 DEBUG_puts("5http_sspi_server: client disconnected");
2152 return (-1);
2153 }
2154
2155 DEBUG_printf(("5http_sspi_server: received %d (handshake) bytes from client.", num));
2156 sspi->decryptBufferUsed += num;
2157 }
2158
2159 /*
2160 * InBuffers[1] is for getting extra data that SSPI/SCHANNEL doesn't process
2161 * on this run around the loop.
2162 */
2163
2164 inBuffers[0].pvBuffer = sspi->decryptBuffer;
2165 inBuffers[0].cbBuffer = (unsigned long)sspi->decryptBufferUsed;
2166 inBuffers[0].BufferType = SECBUFFER_TOKEN;
2167
2168 inBuffers[1].pvBuffer = NULL;
2169 inBuffers[1].cbBuffer = 0;
2170 inBuffers[1].BufferType = SECBUFFER_EMPTY;
2171
2172 inBuffer.cBuffers = 2;
2173 inBuffer.pBuffers = inBuffers;
2174 inBuffer.ulVersion = SECBUFFER_VERSION;
2175
2176 /*
2177 * Initialize these so if we fail, pvBuffer contains NULL, so we don't try to
2178 * free random garbage at the quit.
2179 */
2180
2181 outBuffers[0].pvBuffer = NULL;
2182 outBuffers[0].BufferType = SECBUFFER_TOKEN;
2183 outBuffers[0].cbBuffer = 0;
2184
2185 scRet = AcceptSecurityContext(&sspi->creds, (fInitContext?NULL:&sspi->context), &inBuffer, dwSSPIFlags, SECURITY_NATIVE_DREP, (fInitContext?&sspi->context:NULL), &outBuffer, &dwSSPIOutFlags, &tsExpiry);
2186
2187 fInitContext = FALSE;
2188
2189 if (scRet == SEC_E_OK ||
2190 scRet == SEC_I_CONTINUE_NEEDED ||
2191 (FAILED(scRet) && ((dwSSPIOutFlags & ISC_RET_EXTENDED_ERROR) != 0)))
2192 {
2193 if (outBuffers[0].cbBuffer && outBuffers[0].pvBuffer)
2194 {
2195 /*
2196 * Send response to server if there is one.
2197 */
2198
2199 num = send(http->fd, outBuffers[0].pvBuffer, outBuffers[0].cbBuffer, 0);
2200
2201 if (num <= 0)
2202 {
2203 DEBUG_printf(("5http_sspi_server: handshake send failed: %d", WSAGetLastError()));
2204 return (-1);
2205 }
2206
2207 DEBUG_printf(("5http_sspi_server: sent %d handshake bytes to client.", outBuffers[0].cbBuffer));
2208
2209 FreeContextBuffer(outBuffers[0].pvBuffer);
2210 outBuffers[0].pvBuffer = NULL;
2211 }
2212 }
2213
2214 if (scRet == SEC_E_OK)
2215 {
2216 /*
2217 * If there's extra data then save it for next time we go to decrypt.
2218 */
2219
2220 if (inBuffers[1].BufferType == SECBUFFER_EXTRA)
2221 {
2222 memcpy(sspi->decryptBuffer, (LPBYTE)(sspi->decryptBuffer + sspi->decryptBufferUsed - inBuffers[1].cbBuffer), inBuffers[1].cbBuffer);
2223 sspi->decryptBufferUsed = inBuffers[1].cbBuffer;
2224 }
2225 else
2226 {
2227 sspi->decryptBufferUsed = 0;
2228 }
2229 break;
2230 }
2231 else if (FAILED(scRet) && scRet != SEC_E_INCOMPLETE_MESSAGE)
2232 {
2233 DEBUG_printf(("5http_sspi_server: AcceptSecurityContext failed: %s", http_sspi_strerror(sspi->error, sizeof(sspi->error), scRet)));
2234 ret = -1;
2235 break;
2236 }
2237
2238 if (scRet != SEC_E_INCOMPLETE_MESSAGE &&
2239 scRet != SEC_I_INCOMPLETE_CREDENTIALS)
2240 {
2241 if (inBuffers[1].BufferType == SECBUFFER_EXTRA)
2242 {
2243 memcpy(sspi->decryptBuffer, (LPBYTE)(sspi->decryptBuffer + sspi->decryptBufferUsed - inBuffers[1].cbBuffer), inBuffers[1].cbBuffer);
2244 sspi->decryptBufferUsed = inBuffers[1].cbBuffer;
2245 }
2246 else
2247 {
2248 sspi->decryptBufferUsed = 0;
2249 }
2250 }
2251 }
2252
2253 if (!ret)
2254 {
2255 sspi->contextInitialized = TRUE;
2256
2257 /*
2258 * Find out how big the header will be:
2259 */
2260
2261 scRet = QueryContextAttributes(&sspi->context, SECPKG_ATTR_STREAM_SIZES, &sspi->streamSizes);
2262
2263 if (scRet != SEC_E_OK)
2264 {
2265 DEBUG_printf(("5http_sspi_server: QueryContextAttributes failed: %s", http_sspi_strerror(sspi->error, sizeof(sspi->error), scRet)));
2266 ret = -1;
2267 }
2268 }
2269
2270 return (ret);
2271 }
2272
2273
2274 /*
2275 * 'http_sspi_strerror()' - Return a string for the specified error code.
2276 */
2277
2278 static const char * /* O - String for error */
2279 http_sspi_strerror(char *buffer, /* I - Error message buffer */
2280 size_t bufsize, /* I - Size of buffer */
2281 DWORD code) /* I - Error code */
2282 {
2283 if (FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM, NULL, code, 0, buffer, bufsize, NULL))
2284 {
2285 /*
2286 * Strip trailing CR + LF...
2287 */
2288
2289 char *ptr; /* Pointer into error message */
2290
2291 for (ptr = buffer + strlen(buffer) - 1; ptr >= buffer; ptr --)
2292 if (*ptr == '\n' || *ptr == '\r')
2293 *ptr = '\0';
2294 else
2295 break;
2296 }
2297 else
2298 snprintf(buffer, bufsize, "Unknown error %x", code);
2299
2300 return (buffer);
2301 }
2302
2303
2304 /*
2305 * 'http_sspi_verify()' - Verify a certificate.
2306 */
2307
2308 static DWORD /* O - Error code (0 == No error) */
2309 http_sspi_verify(
2310 PCCERT_CONTEXT cert, /* I - Server certificate */
2311 const char *common_name, /* I - Common name */
2312 DWORD dwCertFlags) /* I - Verification flags */
2313 {
2314 HTTPSPolicyCallbackData httpsPolicy; /* HTTPS Policy Struct */
2315 CERT_CHAIN_POLICY_PARA policyPara; /* Cert chain policy parameters */
2316 CERT_CHAIN_POLICY_STATUS policyStatus;/* Cert chain policy status */
2317 CERT_CHAIN_PARA chainPara; /* Used for searching and matching criteria */
2318 PCCERT_CHAIN_CONTEXT chainContext = NULL;
2319 /* Certificate chain */
2320 PWSTR commonNameUnicode = NULL;
2321 /* Unicode common name */
2322 LPSTR rgszUsages[] = { szOID_PKIX_KP_SERVER_AUTH,
2323 szOID_SERVER_GATED_CRYPTO,
2324 szOID_SGC_NETSCAPE };
2325 /* How are we using this certificate? */
2326 DWORD cUsages = sizeof(rgszUsages) / sizeof(LPSTR);
2327 /* Number of ites in rgszUsages */
2328 DWORD count; /* 32 bit count variable */
2329 DWORD status; /* Return value */
2330 #ifdef DEBUG
2331 char error[1024]; /* Error message string */
2332 #endif /* DEBUG */
2333
2334
2335 if (!cert)
2336 return (SEC_E_WRONG_PRINCIPAL);
2337
2338 /*
2339 * Convert common name to Unicode.
2340 */
2341
2342 if (!common_name || !*common_name)
2343 return (SEC_E_WRONG_PRINCIPAL);
2344
2345 count = MultiByteToWideChar(CP_ACP, 0, common_name, -1, NULL, 0);
2346 commonNameUnicode = LocalAlloc(LMEM_FIXED, count * sizeof(WCHAR));
2347 if (!commonNameUnicode)
2348 return (SEC_E_INSUFFICIENT_MEMORY);
2349
2350 if (!MultiByteToWideChar(CP_ACP, 0, common_name, -1, commonNameUnicode, count))
2351 {
2352 LocalFree(commonNameUnicode);
2353 return (SEC_E_WRONG_PRINCIPAL);
2354 }
2355
2356 /*
2357 * Build certificate chain.
2358 */
2359
2360 ZeroMemory(&chainPara, sizeof(chainPara));
2361
2362 chainPara.cbSize = sizeof(chainPara);
2363 chainPara.RequestedUsage.dwType = USAGE_MATCH_TYPE_OR;
2364 chainPara.RequestedUsage.Usage.cUsageIdentifier = cUsages;
2365 chainPara.RequestedUsage.Usage.rgpszUsageIdentifier = rgszUsages;
2366
2367 if (!CertGetCertificateChain(NULL, cert, NULL, cert->hCertStore, &chainPara, 0, NULL, &chainContext))
2368 {
2369 status = GetLastError();
2370
2371 DEBUG_printf(("CertGetCertificateChain returned: %s", http_sspi_strerror(error, sizeof(error), status)));
2372
2373 LocalFree(commonNameUnicode);
2374 return (status);
2375 }
2376
2377 /*
2378 * Validate certificate chain.
2379 */
2380
2381 ZeroMemory(&httpsPolicy, sizeof(HTTPSPolicyCallbackData));
2382 httpsPolicy.cbStruct = sizeof(HTTPSPolicyCallbackData);
2383 httpsPolicy.dwAuthType = AUTHTYPE_SERVER;
2384 httpsPolicy.fdwChecks = dwCertFlags;
2385 httpsPolicy.pwszServerName = commonNameUnicode;
2386
2387 memset(&policyPara, 0, sizeof(policyPara));
2388 policyPara.cbSize = sizeof(policyPara);
2389 policyPara.pvExtraPolicyPara = &httpsPolicy;
2390
2391 memset(&policyStatus, 0, sizeof(policyStatus));
2392 policyStatus.cbSize = sizeof(policyStatus);
2393
2394 if (!CertVerifyCertificateChainPolicy(CERT_CHAIN_POLICY_SSL, chainContext, &policyPara, &policyStatus))
2395 {
2396 status = GetLastError();
2397
2398 DEBUG_printf(("CertVerifyCertificateChainPolicy returned %s", http_sspi_strerror(error, sizeof(error), status)));
2399 }
2400 else if (policyStatus.dwError)
2401 status = policyStatus.dwError;
2402 else
2403 status = SEC_E_OK;
2404
2405 if (chainContext)
2406 CertFreeCertificateChain(chainContext);
2407
2408 if (commonNameUnicode)
2409 LocalFree(commonNameUnicode);
2410
2411 return (status);
2412 }
2413
2414
2415 /*
2416 * End of "$Id$".
2417 */
Unnamed repository; edit this file 'description' to name the repository.