c6911af8c5796358611d06f89b5204b834be959d
[reactos.git] / reactos / dll / win32 / schannel / schannel_gnutls.c
1 /*
2 * GnuTLS-based implementation of the schannel (SSL/TLS) provider.
3 *
4 * Copyright 2005 Juan Lang
5 * Copyright 2008 Henri Verbeet
6 *
7 * This library is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU Lesser General Public
9 * License as published by the Free Software Foundation; either
10 * version 2.1 of the License, or (at your option) any later version.
11 *
12 * This library is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
16 *
17 * You should have received a copy of the GNU Lesser General Public
18 * License along with this library; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
20 */
21
22 #include "precomp.h"
23
24 #include <wine/config.h>
25 #include <wine/port.h>
26 #include <strsafe.h>
27
28 #ifdef SONAME_LIBGNUTLS
29 #include <gnutls/gnutls.h>
30 #include <gnutls/crypto.h>
31 #endif
32
33 #define __wine_dbch_secur32 __wine_dbch_schannel
34
35 #if defined(SONAME_LIBGNUTLS) && !defined(HAVE_SECURITY_SECURITY_H)
36
37 static void *libgnutls_handle;
38 #if (_MSC_VER >= 1600)
39 #define MAKE_FUNCPTR(f) static decltype(f) p##f
40 #else
41 #define MAKE_FUNCPTR(f) static typeof(f) * p##f
42 #endif
43 MAKE_FUNCPTR(gnutls_alert_get);
44 MAKE_FUNCPTR(gnutls_alert_get_name);
45 MAKE_FUNCPTR(gnutls_certificate_allocate_credentials);
46 MAKE_FUNCPTR(gnutls_certificate_free_credentials);
47 MAKE_FUNCPTR(gnutls_certificate_get_peers);
48 MAKE_FUNCPTR(gnutls_cipher_get);
49 MAKE_FUNCPTR(gnutls_cipher_get_key_size);
50 MAKE_FUNCPTR(gnutls_credentials_set);
51 MAKE_FUNCPTR(gnutls_deinit);
52 MAKE_FUNCPTR(gnutls_global_deinit);
53 MAKE_FUNCPTR(gnutls_global_init);
54 MAKE_FUNCPTR(gnutls_global_set_log_function);
55 MAKE_FUNCPTR(gnutls_global_set_log_level);
56 MAKE_FUNCPTR(gnutls_handshake);
57 MAKE_FUNCPTR(gnutls_init);
58 MAKE_FUNCPTR(gnutls_kx_get);
59 MAKE_FUNCPTR(gnutls_mac_get);
60 MAKE_FUNCPTR(gnutls_mac_get_key_size);
61 MAKE_FUNCPTR(gnutls_perror);
62 MAKE_FUNCPTR(gnutls_protocol_get_version);
63 MAKE_FUNCPTR(gnutls_priority_set_direct);
64 MAKE_FUNCPTR(gnutls_record_get_max_size);
65 MAKE_FUNCPTR(gnutls_record_recv);
66 MAKE_FUNCPTR(gnutls_record_send);
67 MAKE_FUNCPTR(gnutls_server_name_set);
68 MAKE_FUNCPTR(gnutls_transport_get_ptr);
69 MAKE_FUNCPTR(gnutls_transport_set_errno);
70 MAKE_FUNCPTR(gnutls_transport_set_ptr);
71 MAKE_FUNCPTR(gnutls_transport_set_pull_function);
72 MAKE_FUNCPTR(gnutls_transport_set_push_function);
73 #undef MAKE_FUNCPTR
74
75
76
77 static ssize_t schan_pull_adapter(gnutls_transport_ptr_t transport,
78 void *buff, size_t buff_len)
79 {
80 struct schan_transport *t = (struct schan_transport*)transport;
81 gnutls_session_t s = (gnutls_session_t)schan_session_for_transport(t);
82
83 int ret = schan_pull(transport, buff, &buff_len);
84 if (ret)
85 {
86 pgnutls_transport_set_errno(s, ret);
87 return -1;
88 }
89
90 return buff_len;
91 }
92
93 static ssize_t schan_push_adapter(gnutls_transport_ptr_t transport,
94 const void *buff, size_t buff_len)
95 {
96 struct schan_transport *t = (struct schan_transport*)transport;
97 gnutls_session_t s = (gnutls_session_t)schan_session_for_transport(t);
98
99 int ret = schan_push(transport, buff, &buff_len);
100 if (ret)
101 {
102 pgnutls_transport_set_errno(s, ret);
103 return -1;
104 }
105
106 return buff_len;
107 }
108
109 static const struct {
110 DWORD enable_flag;
111 const char *gnutls_flag;
112 } protocol_priority_flags[] = {
113 {SP_PROT_TLS1_2_CLIENT, "VERS-TLS1.2"},
114 {SP_PROT_TLS1_1_CLIENT, "VERS-TLS1.1"},
115 {SP_PROT_TLS1_0_CLIENT, "VERS-TLS1.0"},
116 {SP_PROT_SSL3_CLIENT, "VERS-SSL3.0"}
117 /* {SP_PROT_SSL2_CLIENT} is not supported by GnuTLS */
118 };
119
120 DWORD schan_imp_enabled_protocols(void)
121 {
122 /* NOTE: No support for SSL 2.0 */
123 return SP_PROT_SSL3_CLIENT | SP_PROT_TLS1_0_CLIENT | SP_PROT_TLS1_1_CLIENT | SP_PROT_TLS1_2_CLIENT;
124 }
125
126 BOOL schan_imp_create_session(schan_imp_session *session, schan_credentials *cred)
127 {
128 gnutls_session_t *s = (gnutls_session_t*)session;
129 char priority[64] = "NORMAL", *p;
130 unsigned i;
131
132 int err = pgnutls_init(s, cred->credential_use == SECPKG_CRED_INBOUND ? GNUTLS_SERVER : GNUTLS_CLIENT);
133 if (err != GNUTLS_E_SUCCESS)
134 {
135 pgnutls_perror(err);
136 return FALSE;
137 }
138
139 p = priority + strlen(priority);
140 for(i=0; i < sizeof(protocol_priority_flags)/sizeof(*protocol_priority_flags); i++) {
141 *p++ = ':';
142 *p++ = (cred->enabled_protocols & protocol_priority_flags[i].enable_flag) ? '+' : '-';
143 strcpy(p, protocol_priority_flags[i].gnutls_flag);
144 p += strlen(p);
145 }
146
147 TRACE("Using %s priority\n", debugstr_a(priority));
148 err = pgnutls_priority_set_direct(*s, priority, NULL);
149 if (err != GNUTLS_E_SUCCESS)
150 {
151 pgnutls_perror(err);
152 pgnutls_deinit(*s);
153 return FALSE;
154 }
155
156 err = pgnutls_credentials_set(*s, GNUTLS_CRD_CERTIFICATE,
157 (gnutls_certificate_credentials_t)cred->credentials);
158 if (err != GNUTLS_E_SUCCESS)
159 {
160 pgnutls_perror(err);
161 pgnutls_deinit(*s);
162 return FALSE;
163 }
164
165 pgnutls_transport_set_pull_function(*s, schan_pull_adapter);
166 pgnutls_transport_set_push_function(*s, schan_push_adapter);
167
168 return TRUE;
169 }
170
171 void schan_imp_dispose_session(schan_imp_session session)
172 {
173 gnutls_session_t s = (gnutls_session_t)session;
174 pgnutls_deinit(s);
175 }
176
177 void schan_imp_set_session_transport(schan_imp_session session,
178 struct schan_transport *t)
179 {
180 gnutls_session_t s = (gnutls_session_t)session;
181 pgnutls_transport_set_ptr(s, (gnutls_transport_ptr_t)t);
182 }
183
184 void schan_imp_set_session_target(schan_imp_session session, const char *target)
185 {
186 gnutls_session_t s = (gnutls_session_t)session;
187
188 pgnutls_server_name_set( s, GNUTLS_NAME_DNS, target, strlen(target) );
189 }
190
191 SECURITY_STATUS schan_imp_handshake(schan_imp_session session)
192 {
193 gnutls_session_t s = (gnutls_session_t)session;
194 int err;
195
196 while(1) {
197 err = pgnutls_handshake(s);
198 switch(err) {
199 case GNUTLS_E_SUCCESS:
200 TRACE("Handshake completed\n");
201 return SEC_E_OK;
202
203 case GNUTLS_E_AGAIN:
204 TRACE("Continue...\n");
205 return SEC_I_CONTINUE_NEEDED;
206
207 case GNUTLS_E_WARNING_ALERT_RECEIVED:
208 {
209 gnutls_alert_description_t alert = pgnutls_alert_get(s);
210
211 WARN("WARNING ALERT: %d %s\n", alert, pgnutls_alert_get_name(alert));
212
213 switch(alert) {
214 case GNUTLS_A_UNRECOGNIZED_NAME:
215 TRACE("Ignoring\n");
216 continue;
217 default:
218 return SEC_E_INTERNAL_ERROR;
219 }
220 }
221
222 case GNUTLS_E_FATAL_ALERT_RECEIVED:
223 {
224 gnutls_alert_description_t alert = pgnutls_alert_get(s);
225 WARN("FATAL ALERT: %d %s\n", alert, pgnutls_alert_get_name(alert));
226 return SEC_E_INTERNAL_ERROR;
227 }
228
229 default:
230 pgnutls_perror(err);
231 return SEC_E_INTERNAL_ERROR;
232 }
233 }
234
235 /* Never reached */
236 return SEC_E_OK;
237 }
238
239 static unsigned int schannel_get_cipher_block_size(gnutls_cipher_algorithm_t cipher)
240 {
241 const struct
242 {
243 gnutls_cipher_algorithm_t cipher;
244 unsigned int block_size;
245 }
246 algorithms[] =
247 {
248 {GNUTLS_CIPHER_3DES_CBC, 8},
249 {GNUTLS_CIPHER_AES_128_CBC, 16},
250 {GNUTLS_CIPHER_AES_256_CBC, 16},
251 {GNUTLS_CIPHER_ARCFOUR_128, 1},
252 {GNUTLS_CIPHER_ARCFOUR_40, 1},
253 {GNUTLS_CIPHER_DES_CBC, 8},
254 {GNUTLS_CIPHER_NULL, 1},
255 {GNUTLS_CIPHER_RC2_40_CBC, 8},
256 };
257 unsigned int i;
258
259 for (i = 0; i < sizeof(algorithms) / sizeof(*algorithms); ++i)
260 {
261 if (algorithms[i].cipher == cipher)
262 return algorithms[i].block_size;
263 }
264
265 FIXME("Unknown cipher %#x, returning 1\n", cipher);
266
267 return 1;
268 }
269
270 static DWORD schannel_get_protocol(gnutls_protocol_t proto)
271 {
272 /* FIXME: currently schannel only implements client connections, but
273 * there's no reason it couldn't be used for servers as well. The
274 * context doesn't tell us which it is, so assume client for now.
275 */
276 switch (proto)
277 {
278 case GNUTLS_SSL3: return SP_PROT_SSL3_CLIENT;
279 case GNUTLS_TLS1_0: return SP_PROT_TLS1_0_CLIENT;
280 case GNUTLS_TLS1_1: return SP_PROT_TLS1_1_CLIENT;
281 case GNUTLS_TLS1_2: return SP_PROT_TLS1_2_CLIENT;
282 default:
283 FIXME("unknown protocol %d\n", proto);
284 return 0;
285 }
286 }
287
288 static ALG_ID schannel_get_cipher_algid(gnutls_cipher_algorithm_t cipher)
289 {
290 switch (cipher)
291 {
292 case GNUTLS_CIPHER_UNKNOWN:
293 case GNUTLS_CIPHER_NULL: return 0;
294 case GNUTLS_CIPHER_ARCFOUR_40:
295 case GNUTLS_CIPHER_ARCFOUR_128: return CALG_RC4;
296 case GNUTLS_CIPHER_DES_CBC:
297 case GNUTLS_CIPHER_3DES_CBC: return CALG_DES;
298 case GNUTLS_CIPHER_AES_128_CBC:
299 case GNUTLS_CIPHER_AES_256_CBC: return CALG_AES;
300 case GNUTLS_CIPHER_RC2_40_CBC: return CALG_RC2;
301 default:
302 FIXME("unknown algorithm %d\n", cipher);
303 return 0;
304 }
305 }
306
307 static ALG_ID schannel_get_mac_algid(gnutls_mac_algorithm_t mac)
308 {
309 switch (mac)
310 {
311 case GNUTLS_MAC_UNKNOWN:
312 case GNUTLS_MAC_NULL: return 0;
313 case GNUTLS_MAC_MD5: return CALG_MD5;
314 case GNUTLS_MAC_SHA1:
315 case GNUTLS_MAC_SHA256:
316 case GNUTLS_MAC_SHA384:
317 case GNUTLS_MAC_SHA512: return CALG_SHA;
318 default:
319 FIXME("unknown algorithm %d\n", mac);
320 return 0;
321 }
322 }
323
324 static ALG_ID schannel_get_kx_algid(gnutls_kx_algorithm_t kx)
325 {
326 switch (kx)
327 {
328 case GNUTLS_KX_RSA: return CALG_RSA_KEYX;
329 case GNUTLS_KX_DHE_DSS:
330 case GNUTLS_KX_DHE_RSA: return CALG_DH_EPHEM;
331 default:
332 FIXME("unknown algorithm %d\n", kx);
333 return 0;
334 }
335 }
336
337 unsigned int schan_imp_get_session_cipher_block_size(schan_imp_session session)
338 {
339 gnutls_session_t s = (gnutls_session_t)session;
340 gnutls_cipher_algorithm_t cipher = pgnutls_cipher_get(s);
341 return schannel_get_cipher_block_size(cipher);
342 }
343
344 unsigned int schan_imp_get_max_message_size(schan_imp_session session)
345 {
346 return pgnutls_record_get_max_size((gnutls_session_t)session);
347 }
348
349 SECURITY_STATUS schan_imp_get_connection_info(schan_imp_session session,
350 SecPkgContext_ConnectionInfo *info)
351 {
352 gnutls_session_t s = (gnutls_session_t)session;
353 gnutls_protocol_t proto = pgnutls_protocol_get_version(s);
354 gnutls_cipher_algorithm_t alg = pgnutls_cipher_get(s);
355 gnutls_mac_algorithm_t mac = pgnutls_mac_get(s);
356 gnutls_kx_algorithm_t kx = pgnutls_kx_get(s);
357
358 info->dwProtocol = schannel_get_protocol(proto);
359 info->aiCipher = schannel_get_cipher_algid(alg);
360 info->dwCipherStrength = pgnutls_cipher_get_key_size(alg) * 8;
361 info->aiHash = schannel_get_mac_algid(mac);
362 info->dwHashStrength = pgnutls_mac_get_key_size(mac) * 8;
363 info->aiExch = schannel_get_kx_algid(kx);
364 /* FIXME: info->dwExchStrength? */
365 info->dwExchStrength = 0;
366 return SEC_E_OK;
367 }
368
369 SECURITY_STATUS schan_imp_get_session_peer_certificate(schan_imp_session session, HCERTSTORE store,
370 PCCERT_CONTEXT *ret)
371 {
372 gnutls_session_t s = (gnutls_session_t)session;
373 PCCERT_CONTEXT cert = NULL;
374 const gnutls_datum_t *datum;
375 unsigned list_size, i;
376 BOOL res;
377
378 datum = pgnutls_certificate_get_peers(s, &list_size);
379 if(!datum)
380 return SEC_E_INTERNAL_ERROR;
381
382 for(i = 0; i < list_size; i++) {
383 res = CertAddEncodedCertificateToStore(store, X509_ASN_ENCODING, datum[i].data, datum[i].size,
384 CERT_STORE_ADD_REPLACE_EXISTING, i ? NULL : &cert);
385 if(!res) {
386 if(i)
387 CertFreeCertificateContext(cert);
388 return GetLastError();
389 }
390 }
391
392 *ret = cert;
393 return SEC_E_OK;
394 }
395
396 SECURITY_STATUS schan_imp_send(schan_imp_session session, const void *buffer,
397 SIZE_T *length)
398 {
399 gnutls_session_t s = (gnutls_session_t)session;
400 ssize_t ret;
401
402 again:
403 ret = pgnutls_record_send(s, buffer, *length);
404
405 if (ret >= 0)
406 *length = ret;
407 else if (ret == GNUTLS_E_AGAIN)
408 {
409 struct schan_transport *t = (struct schan_transport *)pgnutls_transport_get_ptr(s);
410 SIZE_T count = 0;
411
412 if (schan_get_buffer(t, &t->out, &count))
413 goto again;
414
415 return SEC_I_CONTINUE_NEEDED;
416 }
417 else
418 {
419 pgnutls_perror(ret);
420 return SEC_E_INTERNAL_ERROR;
421 }
422
423 return SEC_E_OK;
424 }
425
426 SECURITY_STATUS schan_imp_recv(schan_imp_session session, void *buffer,
427 SIZE_T *length)
428 {
429 gnutls_session_t s = (gnutls_session_t)session;
430 ssize_t ret;
431
432 again:
433 ret = pgnutls_record_recv(s, buffer, *length);
434
435 if (ret >= 0)
436 *length = ret;
437 else if (ret == GNUTLS_E_AGAIN)
438 {
439 struct schan_transport *t = (struct schan_transport *)pgnutls_transport_get_ptr(s);
440 SIZE_T count = 0;
441
442 if (schan_get_buffer(t, &t->in, &count))
443 goto again;
444
445 return SEC_I_CONTINUE_NEEDED;
446 }
447 else
448 {
449 pgnutls_perror(ret);
450 return SEC_E_INTERNAL_ERROR;
451 }
452
453 return SEC_E_OK;
454 }
455
456 BOOL schan_imp_allocate_certificate_credentials(schan_credentials *c)
457 {
458 int ret = pgnutls_certificate_allocate_credentials((gnutls_certificate_credentials_t*)&c->credentials);
459 if (ret != GNUTLS_E_SUCCESS)
460 pgnutls_perror(ret);
461 return (ret == GNUTLS_E_SUCCESS);
462 }
463
464 void schan_imp_free_certificate_credentials(schan_credentials *c)
465 {
466 pgnutls_certificate_free_credentials(c->credentials);
467 }
468
469 static void schan_gnutls_log(int level, const char *msg)
470 {
471 TRACE("<%d> %s", level, msg);
472 }
473
474 BOOL schan_imp_init(void)
475 {
476 int ret;
477
478 #ifndef __REACTOS__
479 libgnutls_handle = wine_dlopen(SONAME_LIBGNUTLS, RTLD_NOW, NULL, 0);
480 if (!libgnutls_handle)
481 {
482 WARN("Failed to load libgnutls.\n");
483 return FALSE;
484 }
485
486 #define LOAD_FUNCPTR(f) \
487 if (!(p##f = wine_dlsym(libgnutls_handle, #f, NULL, 0))) \
488 { \
489 ERR("Failed to load %s\n", #f); \
490 goto fail; \
491 }
492 #else
493 /*
494 static const WCHAR RosSchannelKey[] = L"Software\\ReactOS\\Schannel";
495 static const WCHAR PathValue[] = L"GnuTLSPath";
496 WCHAR Path[MAX_PATH];
497 DWORD PathSize = sizeof(Path), ValueType;
498 HKEY Key;
499 DWORD Error;
500
501 Error = RegOpenKeyW(HKEY_LOCAL_MACHINE, RosSchannelKey, &Key);
502 if(Error != ERROR_SUCCESS)
503 return FALSE;
504
505 Error = RegQueryValueExW(Key, PathValue, NULL, &ValueType, (LPBYTE)Path, &PathSize);
506 RegCloseKey(Key);
507 if ((Error != ERROR_SUCCESS) || (ValueType != REG_SZ))
508 return FALSE;
509 wcscat(Path, L"\\");
510 wcscat(Path, SONAME_LIBGNUTLS);
511 */
512 static const WCHAR Path[] = L"C:\\Reactos\\system32\\gnutls\\libgnutls-28.dll";
513
514 libgnutls_handle = LoadLibraryExW(Path, NULL, LOAD_WITH_ALTERED_SEARCH_PATH);
515 if (!libgnutls_handle)
516 {
517 ERR("Could not load %S.\n", Path);
518 return FALSE;
519 }
520
521 #define LOAD_FUNCPTR(f) \
522 if (!(p##f = (void*)GetProcAddress(libgnutls_handle, #f))) \
523 { \
524 ERR("Failed to load %s\n", #f); \
525 goto fail; \
526 }
527 #endif // __REACTOS__
528
529 LOAD_FUNCPTR(gnutls_alert_get)
530 LOAD_FUNCPTR(gnutls_alert_get_name)
531 LOAD_FUNCPTR(gnutls_certificate_allocate_credentials)
532 LOAD_FUNCPTR(gnutls_certificate_free_credentials)
533 LOAD_FUNCPTR(gnutls_certificate_get_peers)
534 LOAD_FUNCPTR(gnutls_cipher_get)
535 LOAD_FUNCPTR(gnutls_cipher_get_key_size)
536 LOAD_FUNCPTR(gnutls_credentials_set)
537 LOAD_FUNCPTR(gnutls_deinit)
538 LOAD_FUNCPTR(gnutls_global_deinit)
539 LOAD_FUNCPTR(gnutls_global_init)
540 LOAD_FUNCPTR(gnutls_global_set_log_function)
541 LOAD_FUNCPTR(gnutls_global_set_log_level)
542 LOAD_FUNCPTR(gnutls_handshake)
543 LOAD_FUNCPTR(gnutls_init)
544 LOAD_FUNCPTR(gnutls_kx_get)
545 LOAD_FUNCPTR(gnutls_mac_get)
546 LOAD_FUNCPTR(gnutls_mac_get_key_size)
547 LOAD_FUNCPTR(gnutls_perror)
548 LOAD_FUNCPTR(gnutls_protocol_get_version)
549 LOAD_FUNCPTR(gnutls_priority_set_direct)
550 LOAD_FUNCPTR(gnutls_record_get_max_size);
551 LOAD_FUNCPTR(gnutls_record_recv);
552 LOAD_FUNCPTR(gnutls_record_send);
553 LOAD_FUNCPTR(gnutls_server_name_set)
554 LOAD_FUNCPTR(gnutls_transport_get_ptr)
555 LOAD_FUNCPTR(gnutls_transport_set_errno)
556 LOAD_FUNCPTR(gnutls_transport_set_ptr)
557 LOAD_FUNCPTR(gnutls_transport_set_pull_function)
558 LOAD_FUNCPTR(gnutls_transport_set_push_function)
559 #undef LOAD_FUNCPTR
560
561 ret = pgnutls_global_init();
562 if (ret != GNUTLS_E_SUCCESS)
563 {
564 pgnutls_perror(ret);
565 goto fail;
566 }
567
568 if (TRACE_ON(secur32))
569 {
570 pgnutls_global_set_log_level(4);
571 pgnutls_global_set_log_function(schan_gnutls_log);
572 }
573
574 return TRUE;
575
576 fail:
577 #ifndef __REACTOS__
578 wine_dlclose(libgnutls_handle, NULL, 0);
579 #else
580 FreeLibrary(libgnutls_handle);
581 #endif
582 libgnutls_handle = NULL;
583 return FALSE;
584 }
585
586 void schan_imp_deinit(void)
587 {
588 pgnutls_global_deinit();
589 #ifndef __REACTOS__
590 wine_dlclose(libgnutls_handle, NULL, 0);
591 #else
592 FreeLibrary(libgnutls_handle);
593 #endif
594 libgnutls_handle = NULL;
595 }
596
597 #endif /* SONAME_LIBGNUTLS && !HAVE_SECURITY_SECURITY_H */