[SECUR32]
[reactos.git] / reactos / dll / win32 / schannel / schannel_gnutls.c
1 /*
2 * GnuTLS-based implementation of the schannel (SSL/TLS) provider.
3 *
4 * Copyright 2005 Juan Lang
5 * Copyright 2008 Henri Verbeet
6 *
7 * This library is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU Lesser General Public
9 * License as published by the Free Software Foundation; either
10 * version 2.1 of the License, or (at your option) any later version.
11 *
12 * This library is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
16 *
17 * You should have received a copy of the GNU Lesser General Public
18 * License along with this library; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
20 */
21
22 #include "precomp.h"
23
24 #include <wine/config.h>
25 #include <wine/port.h>
26 #include <strsafe.h>
27
28 #ifdef SONAME_LIBGNUTLS
29 #include <gnutls/gnutls.h>
30 #include <gnutls/crypto.h>
31 #endif
32
33 #define __wine_dbch_secur32 __wine_dbch_schannel
34
35 #if defined(SONAME_LIBGNUTLS) && !defined(HAVE_SECURITY_SECURITY_H)
36
37 static void *libgnutls_handle;
38
39 #ifdef _MSC_VER
40 #include "msvc_typeof_hack.h"
41 #endif
42
43 #define MAKE_FUNCPTR(f) static typeof(f) * p##f
44 MAKE_FUNCPTR(gnutls_alert_get);
45 MAKE_FUNCPTR(gnutls_alert_get_name);
46 MAKE_FUNCPTR(gnutls_certificate_allocate_credentials);
47 MAKE_FUNCPTR(gnutls_certificate_free_credentials);
48 MAKE_FUNCPTR(gnutls_certificate_get_peers);
49 MAKE_FUNCPTR(gnutls_cipher_get);
50 MAKE_FUNCPTR(gnutls_cipher_get_key_size);
51 MAKE_FUNCPTR(gnutls_credentials_set);
52 MAKE_FUNCPTR(gnutls_deinit);
53 MAKE_FUNCPTR(gnutls_global_deinit);
54 MAKE_FUNCPTR(gnutls_global_init);
55 MAKE_FUNCPTR(gnutls_global_set_log_function);
56 MAKE_FUNCPTR(gnutls_global_set_log_level);
57 MAKE_FUNCPTR(gnutls_handshake);
58 MAKE_FUNCPTR(gnutls_init);
59 MAKE_FUNCPTR(gnutls_kx_get);
60 MAKE_FUNCPTR(gnutls_mac_get);
61 MAKE_FUNCPTR(gnutls_mac_get_key_size);
62 MAKE_FUNCPTR(gnutls_perror);
63 MAKE_FUNCPTR(gnutls_protocol_get_version);
64 MAKE_FUNCPTR(gnutls_priority_set_direct);
65 MAKE_FUNCPTR(gnutls_record_get_max_size);
66 MAKE_FUNCPTR(gnutls_record_recv);
67 MAKE_FUNCPTR(gnutls_record_send);
68 MAKE_FUNCPTR(gnutls_server_name_set);
69 MAKE_FUNCPTR(gnutls_transport_get_ptr);
70 MAKE_FUNCPTR(gnutls_transport_set_errno);
71 MAKE_FUNCPTR(gnutls_transport_set_ptr);
72 MAKE_FUNCPTR(gnutls_transport_set_pull_function);
73 MAKE_FUNCPTR(gnutls_transport_set_push_function);
74 #undef MAKE_FUNCPTR
75
76
77
78 static ssize_t schan_pull_adapter(gnutls_transport_ptr_t transport,
79 void *buff, size_t buff_len)
80 {
81 struct schan_transport *t = (struct schan_transport*)transport;
82 gnutls_session_t s = (gnutls_session_t)schan_session_for_transport(t);
83
84 int ret = schan_pull(transport, buff, &buff_len);
85 if (ret)
86 {
87 pgnutls_transport_set_errno(s, ret);
88 return -1;
89 }
90
91 return buff_len;
92 }
93
94 static ssize_t schan_push_adapter(gnutls_transport_ptr_t transport,
95 const void *buff, size_t buff_len)
96 {
97 struct schan_transport *t = (struct schan_transport*)transport;
98 gnutls_session_t s = (gnutls_session_t)schan_session_for_transport(t);
99
100 int ret = schan_push(transport, buff, &buff_len);
101 if (ret)
102 {
103 pgnutls_transport_set_errno(s, ret);
104 return -1;
105 }
106
107 return buff_len;
108 }
109
110 static const struct {
111 DWORD enable_flag;
112 const char *gnutls_flag;
113 } protocol_priority_flags[] = {
114 {SP_PROT_TLS1_2_CLIENT, "VERS-TLS1.2"},
115 {SP_PROT_TLS1_1_CLIENT, "VERS-TLS1.1"},
116 {SP_PROT_TLS1_0_CLIENT, "VERS-TLS1.0"},
117 {SP_PROT_SSL3_CLIENT, "VERS-SSL3.0"}
118 /* {SP_PROT_SSL2_CLIENT} is not supported by GnuTLS */
119 };
120
121 DWORD schan_imp_enabled_protocols(void)
122 {
123 /* NOTE: No support for SSL 2.0 */
124 return SP_PROT_SSL3_CLIENT | SP_PROT_TLS1_0_CLIENT | SP_PROT_TLS1_1_CLIENT | SP_PROT_TLS1_2_CLIENT;
125 }
126
127 BOOL schan_imp_create_session(schan_imp_session *session, schan_credentials *cred)
128 {
129 gnutls_session_t *s = (gnutls_session_t*)session;
130 char priority[64] = "NORMAL", *p;
131 unsigned i;
132
133 int err = pgnutls_init(s, cred->credential_use == SECPKG_CRED_INBOUND ? GNUTLS_SERVER : GNUTLS_CLIENT);
134 if (err != GNUTLS_E_SUCCESS)
135 {
136 pgnutls_perror(err);
137 return FALSE;
138 }
139
140 p = priority + strlen(priority);
141 for(i=0; i < sizeof(protocol_priority_flags)/sizeof(*protocol_priority_flags); i++) {
142 *p++ = ':';
143 *p++ = (cred->enabled_protocols & protocol_priority_flags[i].enable_flag) ? '+' : '-';
144 strcpy(p, protocol_priority_flags[i].gnutls_flag);
145 p += strlen(p);
146 }
147
148 TRACE("Using %s priority\n", debugstr_a(priority));
149 err = pgnutls_priority_set_direct(*s, priority, NULL);
150 if (err != GNUTLS_E_SUCCESS)
151 {
152 pgnutls_perror(err);
153 pgnutls_deinit(*s);
154 return FALSE;
155 }
156
157 err = pgnutls_credentials_set(*s, GNUTLS_CRD_CERTIFICATE,
158 (gnutls_certificate_credentials_t)cred->credentials);
159 if (err != GNUTLS_E_SUCCESS)
160 {
161 pgnutls_perror(err);
162 pgnutls_deinit(*s);
163 return FALSE;
164 }
165
166 pgnutls_transport_set_pull_function(*s, schan_pull_adapter);
167 pgnutls_transport_set_push_function(*s, schan_push_adapter);
168
169 return TRUE;
170 }
171
172 void schan_imp_dispose_session(schan_imp_session session)
173 {
174 gnutls_session_t s = (gnutls_session_t)session;
175 pgnutls_deinit(s);
176 }
177
178 void schan_imp_set_session_transport(schan_imp_session session,
179 struct schan_transport *t)
180 {
181 gnutls_session_t s = (gnutls_session_t)session;
182 pgnutls_transport_set_ptr(s, (gnutls_transport_ptr_t)t);
183 }
184
185 void schan_imp_set_session_target(schan_imp_session session, const char *target)
186 {
187 gnutls_session_t s = (gnutls_session_t)session;
188
189 pgnutls_server_name_set( s, GNUTLS_NAME_DNS, target, strlen(target) );
190 }
191
192 SECURITY_STATUS schan_imp_handshake(schan_imp_session session)
193 {
194 gnutls_session_t s = (gnutls_session_t)session;
195 int err;
196
197 while(1) {
198 err = pgnutls_handshake(s);
199 switch(err) {
200 case GNUTLS_E_SUCCESS:
201 TRACE("Handshake completed\n");
202 return SEC_E_OK;
203
204 case GNUTLS_E_AGAIN:
205 TRACE("Continue...\n");
206 return SEC_I_CONTINUE_NEEDED;
207
208 case GNUTLS_E_WARNING_ALERT_RECEIVED:
209 {
210 gnutls_alert_description_t alert = pgnutls_alert_get(s);
211
212 WARN("WARNING ALERT: %d %s\n", alert, pgnutls_alert_get_name(alert));
213
214 switch(alert) {
215 case GNUTLS_A_UNRECOGNIZED_NAME:
216 TRACE("Ignoring\n");
217 continue;
218 default:
219 return SEC_E_INTERNAL_ERROR;
220 }
221 }
222
223 case GNUTLS_E_FATAL_ALERT_RECEIVED:
224 {
225 gnutls_alert_description_t alert = pgnutls_alert_get(s);
226 WARN("FATAL ALERT: %d %s\n", alert, pgnutls_alert_get_name(alert));
227 return SEC_E_INTERNAL_ERROR;
228 }
229
230 default:
231 pgnutls_perror(err);
232 return SEC_E_INTERNAL_ERROR;
233 }
234 }
235
236 /* Never reached */
237 return SEC_E_OK;
238 }
239
240 static unsigned int schannel_get_cipher_block_size(gnutls_cipher_algorithm_t cipher)
241 {
242 const struct
243 {
244 gnutls_cipher_algorithm_t cipher;
245 unsigned int block_size;
246 }
247 algorithms[] =
248 {
249 {GNUTLS_CIPHER_3DES_CBC, 8},
250 {GNUTLS_CIPHER_AES_128_CBC, 16},
251 {GNUTLS_CIPHER_AES_256_CBC, 16},
252 {GNUTLS_CIPHER_ARCFOUR_128, 1},
253 {GNUTLS_CIPHER_ARCFOUR_40, 1},
254 {GNUTLS_CIPHER_DES_CBC, 8},
255 {GNUTLS_CIPHER_NULL, 1},
256 {GNUTLS_CIPHER_RC2_40_CBC, 8},
257 };
258 unsigned int i;
259
260 for (i = 0; i < sizeof(algorithms) / sizeof(*algorithms); ++i)
261 {
262 if (algorithms[i].cipher == cipher)
263 return algorithms[i].block_size;
264 }
265
266 FIXME("Unknown cipher %#x, returning 1\n", cipher);
267
268 return 1;
269 }
270
271 static DWORD schannel_get_protocol(gnutls_protocol_t proto)
272 {
273 /* FIXME: currently schannel only implements client connections, but
274 * there's no reason it couldn't be used for servers as well. The
275 * context doesn't tell us which it is, so assume client for now.
276 */
277 switch (proto)
278 {
279 case GNUTLS_SSL3: return SP_PROT_SSL3_CLIENT;
280 case GNUTLS_TLS1_0: return SP_PROT_TLS1_0_CLIENT;
281 case GNUTLS_TLS1_1: return SP_PROT_TLS1_1_CLIENT;
282 case GNUTLS_TLS1_2: return SP_PROT_TLS1_2_CLIENT;
283 default:
284 FIXME("unknown protocol %d\n", proto);
285 return 0;
286 }
287 }
288
289 static ALG_ID schannel_get_cipher_algid(gnutls_cipher_algorithm_t cipher)
290 {
291 switch (cipher)
292 {
293 case GNUTLS_CIPHER_UNKNOWN:
294 case GNUTLS_CIPHER_NULL: return 0;
295 case GNUTLS_CIPHER_ARCFOUR_40:
296 case GNUTLS_CIPHER_ARCFOUR_128: return CALG_RC4;
297 case GNUTLS_CIPHER_DES_CBC:
298 case GNUTLS_CIPHER_3DES_CBC: return CALG_DES;
299 case GNUTLS_CIPHER_AES_128_CBC:
300 case GNUTLS_CIPHER_AES_256_CBC: return CALG_AES;
301 case GNUTLS_CIPHER_RC2_40_CBC: return CALG_RC2;
302 default:
303 FIXME("unknown algorithm %d\n", cipher);
304 return 0;
305 }
306 }
307
308 static ALG_ID schannel_get_mac_algid(gnutls_mac_algorithm_t mac)
309 {
310 switch (mac)
311 {
312 case GNUTLS_MAC_UNKNOWN:
313 case GNUTLS_MAC_NULL: return 0;
314 case GNUTLS_MAC_MD5: return CALG_MD5;
315 case GNUTLS_MAC_SHA1:
316 case GNUTLS_MAC_SHA256:
317 case GNUTLS_MAC_SHA384:
318 case GNUTLS_MAC_SHA512: return CALG_SHA;
319 default:
320 FIXME("unknown algorithm %d\n", mac);
321 return 0;
322 }
323 }
324
325 static ALG_ID schannel_get_kx_algid(gnutls_kx_algorithm_t kx)
326 {
327 switch (kx)
328 {
329 case GNUTLS_KX_RSA: return CALG_RSA_KEYX;
330 case GNUTLS_KX_DHE_DSS:
331 case GNUTLS_KX_DHE_RSA: return CALG_DH_EPHEM;
332 default:
333 FIXME("unknown algorithm %d\n", kx);
334 return 0;
335 }
336 }
337
338 unsigned int schan_imp_get_session_cipher_block_size(schan_imp_session session)
339 {
340 gnutls_session_t s = (gnutls_session_t)session;
341 gnutls_cipher_algorithm_t cipher = pgnutls_cipher_get(s);
342 return schannel_get_cipher_block_size(cipher);
343 }
344
345 unsigned int schan_imp_get_max_message_size(schan_imp_session session)
346 {
347 return pgnutls_record_get_max_size((gnutls_session_t)session);
348 }
349
350 SECURITY_STATUS schan_imp_get_connection_info(schan_imp_session session,
351 SecPkgContext_ConnectionInfo *info)
352 {
353 gnutls_session_t s = (gnutls_session_t)session;
354 gnutls_protocol_t proto = pgnutls_protocol_get_version(s);
355 gnutls_cipher_algorithm_t alg = pgnutls_cipher_get(s);
356 gnutls_mac_algorithm_t mac = pgnutls_mac_get(s);
357 gnutls_kx_algorithm_t kx = pgnutls_kx_get(s);
358
359 info->dwProtocol = schannel_get_protocol(proto);
360 info->aiCipher = schannel_get_cipher_algid(alg);
361 info->dwCipherStrength = pgnutls_cipher_get_key_size(alg) * 8;
362 info->aiHash = schannel_get_mac_algid(mac);
363 info->dwHashStrength = pgnutls_mac_get_key_size(mac) * 8;
364 info->aiExch = schannel_get_kx_algid(kx);
365 /* FIXME: info->dwExchStrength? */
366 info->dwExchStrength = 0;
367 return SEC_E_OK;
368 }
369
370 SECURITY_STATUS schan_imp_get_session_peer_certificate(schan_imp_session session, HCERTSTORE store,
371 PCCERT_CONTEXT *ret)
372 {
373 gnutls_session_t s = (gnutls_session_t)session;
374 PCCERT_CONTEXT cert = NULL;
375 const gnutls_datum_t *datum;
376 unsigned list_size, i;
377 BOOL res;
378
379 datum = pgnutls_certificate_get_peers(s, &list_size);
380 if(!datum)
381 return SEC_E_INTERNAL_ERROR;
382
383 for(i = 0; i < list_size; i++) {
384 res = CertAddEncodedCertificateToStore(store, X509_ASN_ENCODING, datum[i].data, datum[i].size,
385 CERT_STORE_ADD_REPLACE_EXISTING, i ? NULL : &cert);
386 if(!res) {
387 if(i)
388 CertFreeCertificateContext(cert);
389 return GetLastError();
390 }
391 }
392
393 *ret = cert;
394 return SEC_E_OK;
395 }
396
397 SECURITY_STATUS schan_imp_send(schan_imp_session session, const void *buffer,
398 SIZE_T *length)
399 {
400 gnutls_session_t s = (gnutls_session_t)session;
401 ssize_t ret;
402
403 again:
404 ret = pgnutls_record_send(s, buffer, *length);
405
406 if (ret >= 0)
407 *length = ret;
408 else if (ret == GNUTLS_E_AGAIN)
409 {
410 struct schan_transport *t = (struct schan_transport *)pgnutls_transport_get_ptr(s);
411 SIZE_T count = 0;
412
413 if (schan_get_buffer(t, &t->out, &count))
414 goto again;
415
416 return SEC_I_CONTINUE_NEEDED;
417 }
418 else
419 {
420 pgnutls_perror(ret);
421 return SEC_E_INTERNAL_ERROR;
422 }
423
424 return SEC_E_OK;
425 }
426
427 SECURITY_STATUS schan_imp_recv(schan_imp_session session, void *buffer,
428 SIZE_T *length)
429 {
430 gnutls_session_t s = (gnutls_session_t)session;
431 ssize_t ret;
432
433 again:
434 ret = pgnutls_record_recv(s, buffer, *length);
435
436 if (ret >= 0)
437 *length = ret;
438 else if (ret == GNUTLS_E_AGAIN)
439 {
440 struct schan_transport *t = (struct schan_transport *)pgnutls_transport_get_ptr(s);
441 SIZE_T count = 0;
442
443 if (schan_get_buffer(t, &t->in, &count))
444 goto again;
445
446 return SEC_I_CONTINUE_NEEDED;
447 }
448 else
449 {
450 pgnutls_perror(ret);
451 return SEC_E_INTERNAL_ERROR;
452 }
453
454 return SEC_E_OK;
455 }
456
457 BOOL schan_imp_allocate_certificate_credentials(schan_credentials *c)
458 {
459 int ret = pgnutls_certificate_allocate_credentials((gnutls_certificate_credentials_t*)&c->credentials);
460 if (ret != GNUTLS_E_SUCCESS)
461 pgnutls_perror(ret);
462 return (ret == GNUTLS_E_SUCCESS);
463 }
464
465 void schan_imp_free_certificate_credentials(schan_credentials *c)
466 {
467 pgnutls_certificate_free_credentials(c->credentials);
468 }
469
470 static void schan_gnutls_log(int level, const char *msg)
471 {
472 TRACE("<%d> %s", level, msg);
473 }
474
475 BOOL schan_imp_init(void)
476 {
477 int ret;
478
479 #ifndef __REACTOS__
480 libgnutls_handle = wine_dlopen(SONAME_LIBGNUTLS, RTLD_NOW, NULL, 0);
481 if (!libgnutls_handle)
482 {
483 WARN("Failed to load libgnutls.\n");
484 return FALSE;
485 }
486
487 #define LOAD_FUNCPTR(f) \
488 if (!(p##f = wine_dlsym(libgnutls_handle, #f, NULL, 0))) \
489 { \
490 ERR("Failed to load %s\n", #f); \
491 goto fail; \
492 }
493 #else
494 /*
495 static const WCHAR RosSchannelKey[] = L"Software\\ReactOS\\Schannel";
496 static const WCHAR PathValue[] = L"GnuTLSPath";
497 WCHAR Path[MAX_PATH];
498 DWORD PathSize = sizeof(Path), ValueType;
499 HKEY Key;
500 DWORD Error;
501
502 Error = RegOpenKeyW(HKEY_LOCAL_MACHINE, RosSchannelKey, &Key);
503 if(Error != ERROR_SUCCESS)
504 return FALSE;
505
506 Error = RegQueryValueExW(Key, PathValue, NULL, &ValueType, (LPBYTE)Path, &PathSize);
507 RegCloseKey(Key);
508 if ((Error != ERROR_SUCCESS) || (ValueType != REG_SZ))
509 return FALSE;
510 wcscat(Path, L"\\");
511 wcscat(Path, SONAME_LIBGNUTLS);
512 */
513 static const WCHAR Path[] = L"C:\\Reactos\\system32\\gnutls\\libgnutls-28.dll";
514
515 libgnutls_handle = LoadLibraryExW(Path, NULL, LOAD_WITH_ALTERED_SEARCH_PATH);
516 if (!libgnutls_handle)
517 {
518 ERR("Could not load %S.\n", Path);
519 return FALSE;
520 }
521
522 #define LOAD_FUNCPTR(f) \
523 if (!(p##f = (void*)GetProcAddress(libgnutls_handle, #f))) \
524 { \
525 ERR("Failed to load %s\n", #f); \
526 goto fail; \
527 }
528 #endif // __REACTOS__
529
530 LOAD_FUNCPTR(gnutls_alert_get)
531 LOAD_FUNCPTR(gnutls_alert_get_name)
532 LOAD_FUNCPTR(gnutls_certificate_allocate_credentials)
533 LOAD_FUNCPTR(gnutls_certificate_free_credentials)
534 LOAD_FUNCPTR(gnutls_certificate_get_peers)
535 LOAD_FUNCPTR(gnutls_cipher_get)
536 LOAD_FUNCPTR(gnutls_cipher_get_key_size)
537 LOAD_FUNCPTR(gnutls_credentials_set)
538 LOAD_FUNCPTR(gnutls_deinit)
539 LOAD_FUNCPTR(gnutls_global_deinit)
540 LOAD_FUNCPTR(gnutls_global_init)
541 LOAD_FUNCPTR(gnutls_global_set_log_function)
542 LOAD_FUNCPTR(gnutls_global_set_log_level)
543 LOAD_FUNCPTR(gnutls_handshake)
544 LOAD_FUNCPTR(gnutls_init)
545 LOAD_FUNCPTR(gnutls_kx_get)
546 LOAD_FUNCPTR(gnutls_mac_get)
547 LOAD_FUNCPTR(gnutls_mac_get_key_size)
548 LOAD_FUNCPTR(gnutls_perror)
549 LOAD_FUNCPTR(gnutls_protocol_get_version)
550 LOAD_FUNCPTR(gnutls_priority_set_direct)
551 LOAD_FUNCPTR(gnutls_record_get_max_size);
552 LOAD_FUNCPTR(gnutls_record_recv);
553 LOAD_FUNCPTR(gnutls_record_send);
554 LOAD_FUNCPTR(gnutls_server_name_set)
555 LOAD_FUNCPTR(gnutls_transport_get_ptr)
556 LOAD_FUNCPTR(gnutls_transport_set_errno)
557 LOAD_FUNCPTR(gnutls_transport_set_ptr)
558 LOAD_FUNCPTR(gnutls_transport_set_pull_function)
559 LOAD_FUNCPTR(gnutls_transport_set_push_function)
560 #undef LOAD_FUNCPTR
561
562 ret = pgnutls_global_init();
563 if (ret != GNUTLS_E_SUCCESS)
564 {
565 pgnutls_perror(ret);
566 goto fail;
567 }
568
569 if (TRACE_ON(secur32))
570 {
571 pgnutls_global_set_log_level(4);
572 pgnutls_global_set_log_function(schan_gnutls_log);
573 }
574
575 return TRUE;
576
577 fail:
578 #ifndef __REACTOS__
579 wine_dlclose(libgnutls_handle, NULL, 0);
580 #else
581 FreeLibrary(libgnutls_handle);
582 #endif
583 libgnutls_handle = NULL;
584 return FALSE;
585 }
586
587 void schan_imp_deinit(void)
588 {
589 pgnutls_global_deinit();
590 #ifndef __REACTOS__
591 wine_dlclose(libgnutls_handle, NULL, 0);
592 #else
593 FreeLibrary(libgnutls_handle);
594 #endif
595 libgnutls_handle = NULL;
596 }
597
598 #endif /* SONAME_LIBGNUTLS && !HAVE_SECURITY_SECURITY_H */