search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
libs: Import code from upstream openldap 2.5.13.
[wine.git] / libs / ldap / libldap / tls_w.c
blob137fb58a27a38e9d8cc8696befcbc5522aee1fbc
1 /* tls_w.c - Handle tls/ssl using Windows SSPI SChannel provider. */
2 /* $OpenLDAP$ */
3 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
4 *
5 * Copyright 2008-2022 The OpenLDAP Foundation.
6 * All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted only as authorized by the OpenLDAP
10 * Public License.
11 *
12 * A copy of this license is available in the file LICENSE in the
13 * top-level directory of the distribution or, alternatively, at
14 * <http://www.OpenLDAP.org/license.html>.
15 */
16
17 #include "portable.h"
18 #include "ldap_config.h"
19
20 #include <stdio.h>
21
22 #include <ac/stdlib.h>
23 #include <ac/errno.h>
24 #include <ac/socket.h>
25 #include <ac/string.h>
26 #include <ac/ctype.h>
27 #include <ac/time.h>
28 #include <ac/unistd.h>
29 #include <ac/param.h>
30 #include <ac/dirent.h>
31 #include <sys/stat.h>
32 #include <fcntl.h>
33
34 #include "ldap-int.h"
35 #include "ldap-tls.h"
36
37 #include <sspi.h>
38 #include <schannel.h>
39
40 typedef struct tlsw_ctx {
41 int refcount;
42 int reqcert;
43 #ifdef LDAP_R_COMPILE
44 ldap_pvt_thread_mutex_t ref_mutex;
45 #endif
46 } tlsw_ctx;
47
48 typedef struct tlsw_session {
49 CredHandle cred_handle;
50 CtxtHandle ctxt_handle;
51 Sockbuf_IO_Desc *sbiod;
52 struct berval peer_der_dn;
53 } tlsw_session;
54
55 #ifdef LDAP_R_COMPILE
56
57 static void
58 tlsw_thr_init( void )
59 {
60 /* do nothing */
61 }
62 #endif /* LDAP_R_COMPILE */
63
64 /*
65 * Initialize TLS subsystem. Should be called only once.
66 */
67 static int
68 tlsw_init( void )
69 {
70 struct ldapoptions *lo = LDAP_INT_GLOBAL_OPT();
71 lo->ldo_debug = -1;
72 /* do nothing */
73 return 0;
74 }
75
76 /*
77 * Tear down the TLS subsystem. Should only be called once.
78 */
79 static void
80 tlsw_destroy( void )
81 {
82 /* do nothing */
83 }
84
85 static tls_ctx *
86 tlsw_ctx_new( struct ldapoptions *lo )
87 {
88 tlsw_ctx *ctx;
89
90 ctx = ber_memcalloc ( 1, sizeof (*ctx) );
91 if ( ctx ) {
92 ctx->refcount = 1;
93 #ifdef LDAP_R_COMPILE
94 ldap_pvt_thread_mutex_init( &ctx->ref_mutex );
95 #endif
96 }
97 return (tls_ctx *)ctx;
98 }
99
100 static void
101 tlsw_ctx_ref( tls_ctx *ctx )
102 {
103 tlsw_ctx *c = (tlsw_ctx *)ctx;
104 LDAP_MUTEX_LOCK( &c->ref_mutex );
105 c->refcount++;
106 LDAP_MUTEX_UNLOCK( &c->ref_mutex );
107 }
108
109 static void
110 tlsw_ctx_free( tls_ctx *ctx )
111 {
112 tlsw_ctx *c = (tlsw_ctx *)ctx;
113 int refcount;
114
115 if ( !c ) return;
116
117 LDAP_MUTEX_LOCK( &c->ref_mutex );
118 refcount = --c->refcount;
119 LDAP_MUTEX_UNLOCK( &c->ref_mutex );
120 if ( refcount )
121 return;
122 ber_memfree ( c );
123 }
124
125 /*
126 * initialize a new TLS context
127 */
128 static int
129 tlsw_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
130 {
131 tlsw_ctx *ctx = lo->ldo_tls_ctx;
132
133 ctx->reqcert = lo->ldo_tls_require_cert;
134 return 0;
135 }
136
137 static tls_session *
138 tlsw_session_new( tls_ctx * ctx, int is_server )
139 {
140 tlsw_session *session;
141 SCHANNEL_CRED cred;
142
143 session = ber_memcalloc ( 1, sizeof (*session) );
144 if ( !session )
145 return NULL;
146
147 memset( &cred, 0, sizeof(cred) );
148 cred.dwVersion = SCHANNEL_CRED_VERSION; /* FIXME set other fields */
149 if ( AcquireCredentialsHandleA( NULL, (SEC_CHAR *)UNISP_NAME_A,
150 is_server ? SECPKG_CRED_INBOUND : SECPKG_CRED_OUTBOUND, NULL,
151 &cred, NULL, NULL, &session->cred_handle, NULL )) {
152 ber_memfree( session );
153 return NULL;
154 }
155 return (tls_session *)session;
156 }
157
158 static int
159 tlsw_session_accept( tls_session *session )
160 {
161 return -1;
162 }
163
164 static ssize_t
165 tlsw_recv( Sockbuf_IO_Desc *sbiod, void *buf, size_t len )
166 {
167 tlsw_session *session;
168
169 if ( sbiod == NULL || buf == NULL || len <= 0 ) return 0;
170
171 return LBER_SBIOD_READ_NEXT( sbiod, buf, len );
172 }
173
174 static ssize_t
175 tlsw_send( Sockbuf_IO_Desc *sbiod, const void *buf, size_t len )
176 {
177 tlsw_session *session;
178
179 if ( sbiod == NULL || buf == NULL || len <= 0 ) return 0;
180
181 return LBER_SBIOD_WRITE_NEXT( sbiod, (char *)buf, len );
182 }
183
184 #define TLS_HEADER_SIZE 5
185 static int
186 tlsw_session_connect( LDAP *ld, tls_session *session, const char *name_in )
187 {
188 tlsw_session *s = (tlsw_session *)session;
189 SecBuffer in_bufs[] = { { 0, SECBUFFER_TOKEN, NULL }, { 0, SECBUFFER_EMPTY, NULL } };
190 SecBuffer out_bufs[] = { { 0, SECBUFFER_TOKEN, NULL }, { 0, SECBUFFER_ALERT, NULL } };
191 SecBufferDesc in_buf_desc = { SECBUFFER_VERSION, ARRAYSIZE(in_bufs), in_bufs };
192 SecBufferDesc out_buf_desc = { SECBUFFER_VERSION, ARRAYSIZE(out_bufs), out_bufs };
193 ULONG attrs, flags = ISC_REQ_CONFIDENTIALITY | ISC_REQ_STREAM |
194 ISC_REQ_USE_SUPPLIED_CREDS | ISC_REQ_ALLOCATE_MEMORY;
195 SECURITY_STATUS status;
196 ssize_t size, max_token, recv_offset = 0, expected = TLS_HEADER_SIZE;
197 SecPkgInfoA *info;
198
199 status = QuerySecurityPackageInfoA( UNISP_NAME_A, &info );
200 if ( status != SEC_E_OK )
201 return -1;
202 expected = max_token = info->cbMaxToken;
203 FreeContextBuffer( info );
204
205 in_bufs[0].cbBuffer = max_token;
206 in_bufs[0].pvBuffer = ber_memalloc( in_bufs[0].cbBuffer );
207 if ( !in_bufs[0].pvBuffer )
208 return -1;
209
210 status = InitializeSecurityContextA( &s->cred_handle, NULL, (SEC_CHAR *)name_in,
211 flags, 0, 0, NULL, 0, &s->ctxt_handle, &out_buf_desc, &attrs, NULL );
212 while ( status == SEC_I_CONTINUE_NEEDED || status == SEC_E_INCOMPLETE_MESSAGE )
213 {
214 if ( status == SEC_I_CONTINUE_NEEDED ) {
215 size = tlsw_send( s->sbiod, out_bufs[0].pvBuffer, out_bufs[0].cbBuffer );
216 if ( size < 0 )
217 break;
218 expected = TLS_HEADER_SIZE;
219 in_bufs[0].cbBuffer = recv_offset = 0;
220 }
221
222 while ( expected > 0 ) {
223 size = tlsw_recv( s->sbiod, (char *)in_bufs[0].pvBuffer + recv_offset, expected );
224 if ( size < 0 )
225 break;
226 in_bufs[0].cbBuffer += size;
227 recv_offset += size;
228 expected -= size;
229 }
230
231 out_bufs[0].cbBuffer = max_token;
232 status = InitializeSecurityContextA( &s->cred_handle, &s->ctxt_handle, (SEC_CHAR *)name_in,
233 flags, 0, 0, &in_buf_desc, 0, NULL, &out_buf_desc, &attrs, NULL );
234 if ( status == SEC_E_INCOMPLETE_MESSAGE ) {
235 assert( in_bufs[1].BufferType == SECBUFFER_MISSING );
236 expected = in_bufs[1].cbBuffer;
237 in_bufs[1].BufferType = SECBUFFER_EMPTY;
238 in_bufs[1].cbBuffer = 0;
239 }
240 }
241
242 ber_memfree( in_bufs[0].pvBuffer );
243 FreeContextBuffer( out_bufs[0].pvBuffer );
244 return status == SEC_E_OK ? 0 : -1;
245 }
246
247 static int
248 tlsw_session_upflags( Sockbuf *sb, tls_session *session, int rc )
249 {
250 return -1;
251 }
252
253 static char *
254 tlsw_session_errmsg( tls_session *session, int rc, char *buf, size_t len )
255 {
256 return NULL;
257 }
258
259 static void
260 tlsw_x509_cert_dn( struct berval *cert, struct berval *dn, int get_subject )
261 {
262 BerElementBuffer berbuf;
263 BerElement *ber = (BerElement *)&berbuf;
264 ber_tag_t tag;
265 ber_len_t len;
266 ber_int_t i;
267
268 ber_init2( ber, cert, LBER_USE_DER );
269 tag = ber_skip_tag( ber, &len ); /* Sequence */
270 tag = ber_skip_tag( ber, &len ); /* Sequence */
271 tag = ber_peek_tag( ber, &len ); /* Context + Constructed (version) */
272 if ( tag == 0xa0 ) { /* Version is optional */
273 tag = ber_skip_tag( ber, &len );
274 tag = ber_get_int( ber, &i ); /* Int: Version */
275 }
276 tag = ber_skip_tag( ber, &len ); /* Int: Serial (can be longer than ber_int_t) */
277 ber_skip_data( ber, len );
278 tag = ber_skip_tag( ber, &len ); /* Sequence: Signature */
279 ber_skip_data( ber, len );
280 if ( !get_subject ) {
281 tag = ber_peek_tag( ber, &len ); /* Sequence: Issuer DN */
282 } else {
283 tag = ber_skip_tag( ber, &len );
284 ber_skip_data( ber, len );
285 tag = ber_skip_tag( ber, &len ); /* Sequence: Validity */
286 ber_skip_data( ber, len );
287 tag = ber_peek_tag( ber, &len ); /* Sequence: Subject DN */
288 }
289 len = ber_ptrlen( ber );
290 dn->bv_val = cert->bv_val + len;
291 dn->bv_len = cert->bv_len - len;
292 }
293
294 static int
295 tlsw_session_my_dn( tls_session *session, struct berval *der_dn )
296 {
297 return -1;
298 }
299
300 static int
301 tlsw_session_peer_dn( tls_session *session, struct berval *der_dn )
302 {
303 return -1;
304 }
305
306 static int
307 tlsw_session_chkhost( LDAP *ld, tls_session *session, const char *name_in )
308 {
309 return 0;
310 }
311
312 static int
313 tlsw_session_strength( tls_session *session )
314 {
315 return 0;
316 }
317
318 static int
319 tlsw_session_unique( tls_session *session, struct berval *buf, int is_server )
320 {
321 return -1;
322 }
323
324 static int
325 tlsw_session_endpoint( tls_session *session, struct berval *buf, int is_server )
326 {
327 return 0;
328 }
329
330 static const char *
331 tlsw_session_version( tls_session *session )
332 {
333 return NULL;
334 }
335
336 static const char *
337 tlsw_session_cipher( tls_session *session )
338 {
339 return NULL;
340 }
341
342 static int
343 tlsw_session_peercert( tls_session *session, struct berval *der )
344 {
345 return -1;
346 }
347
348 static int
349 tlsw_session_pinning( LDAP *ld, tls_session *session, char *hashalg, struct berval *hash )
350 {
351 return -1;
352 }
353
354 /*
355 * TLS support for LBER Sockbufs
356 */
357
358 struct buffer
359 {
360 char *buf;
361 size_t size;
362 size_t offset;
363 };
364
365 struct tls_data {
366 tlsw_session *session;
367 struct buffer header;
368 struct buffer data;
369 struct buffer trailer;
370 struct buffer recv;
371 };
372
373 static int
374 tlsw_sb_setup( Sockbuf_IO_Desc *sbiod, void *arg )
375 {
376 struct tls_data *tls;
377 tlsw_session *session = arg;
378 SECURITY_STATUS status;
379
380 assert( sbiod != NULL );
381
382 tls = ber_memcalloc( 1, sizeof( *tls ) );
383 if ( tls == NULL ) {
384 return -1;
385 }
386
387 tls->session = session;
388 sbiod->sbiod_pvt = tls;
389 session->sbiod = sbiod;
390 return 0;
391 }
392
393 static int
394 tlsw_sb_remove( Sockbuf_IO_Desc *sbiod )
395 {
396 struct tls_data *tls;
397
398 assert( sbiod != NULL );
399 assert( sbiod->sbiod_pvt != NULL );
400
401 tls = (struct tls_data *)sbiod->sbiod_pvt;
402 ber_memfree( tls->header.buf );
403 ber_memfree( tls->data.buf );
404 ber_memfree( tls->trailer.buf );
405 ber_memfree( tls->recv.buf );
406 DeleteSecurityContext( &tls->session->ctxt_handle );
407 FreeCredentialsHandle( &tls->session->cred_handle );
408 ber_memfree( tls->session );
409 ber_memfree( sbiod->sbiod_pvt );
410 sbiod->sbiod_pvt = NULL;
411 return 0;
412 }
413
414 static int
415 tlsw_sb_close( Sockbuf_IO_Desc *sbiod )
416 {
417 /* FIXME: send close_notify message */
418 return 0;
419 }
420
421 static int
422 tlsw_sb_ctrl( Sockbuf_IO_Desc *sbiod, int opt, void *arg )
423 {
424 struct tls_data *tls;
425
426 assert( sbiod != NULL );
427 assert( sbiod->sbiod_pvt != NULL );
428
429 tls = (struct tls_data *)sbiod->sbiod_pvt;
430
431 if ( opt == LBER_SB_OPT_GET_SSL ) {
432 *((tlsw_session **)arg) = tls->session;
433 return 1;
434 }
435 else if ( opt == LBER_SB_OPT_DATA_READY ) {
436 if ( tls->data.offset > 0 || tls->recv.offset > 0 ) {
437 return 1;
438 }
439 }
440
441 return LBER_SBIOD_CTRL_NEXT( sbiod, opt, arg );
442 }
443
444 static int alloc_buffer( struct buffer *buf, size_t size )
445 {
446 buf->size = size;
447 buf->offset = 0;
448 buf->buf = ber_memalloc( buf->size );
449 return buf->buf != NULL;
450 }
451
452 static int setup_buffers( struct tls_data *tls )
453 {
454 SecPkgContext_StreamSizes sizes;
455 SECURITY_STATUS status;
456
457 if ( tls->header.buf )
458 return 0;
459
460 status = QueryContextAttributesA( &tls->session->ctxt_handle, SECPKG_ATTR_STREAM_SIZES, &sizes );
461 if ( status != SEC_E_OK )
462 return -1;
463
464 if ( !alloc_buffer( &tls->header, sizes.cbHeader ) )
465 return -1;
466
467 if ( !alloc_buffer( &tls->data, sizes.cbMaximumMessage ) ) {
468 ber_memfree( tls->header.buf );
469 return -1;
470 }
471
472 if ( !alloc_buffer( &tls->trailer, sizes.cbTrailer ) ) {
473 ber_memfree( tls->header.buf );
474 ber_memfree( tls->data.buf );
475 return -1;
476 }
477
478 if ( !alloc_buffer( &tls->recv, sizes.cbMaximumMessage ) ) {
479 ber_memfree( tls->header.buf );
480 ber_memfree( tls->data.buf );
481 ber_memfree( tls->trailer.buf );
482 return -1;
483 }
484
485 return 0;
486 }
487
488 static void init_secbuf( SecBuffer *secbuf, DWORD type, void *buf, DWORD size ) {
489 secbuf->BufferType = type;
490 secbuf->cbBuffer = size;
491 secbuf->pvBuffer = buf;
492 }
493
494 static ber_len_t remove_data( struct tls_data *tls, ber_len_t len )
495 {
496 tls->data.offset -= len;
497 memmove( tls->data.buf, tls->data.buf + len, tls->data.offset );
498 return len;
499 }
500
501 static int grow_buffer( struct buffer *buf, size_t min_size )
502 {
503 size_t size = max( min_size, buf->size * 2 );
504 char *tmp;
505
506 if ( buf->size >= min_size )
507 return 0;
508
509 tmp = ber_memrealloc( buf->buf, size );
510 if ( !tmp )
511 return -1;
512 buf->buf = tmp;
513 buf->size = size;
514 return 0;
515 }
516
517 static ber_slen_t
518 tlsw_sb_read( Sockbuf_IO_Desc *sbiod, void *buf, ber_len_t len)
519 {
520 struct tls_data *tls = sbiod->sbiod_pvt;
521 SecBuffer bufs[4];
522 SecBufferDesc buf_desc = { SECBUFFER_VERSION, 4, bufs };
523 SECURITY_STATUS status = SEC_E_OK;
524 ssize_t size, expected = max( len, tls->header.size ), ret = -1;
525
526 if ( !len )
527 return 0;
528 if ( setup_buffers( tls ) < 0 )
529 return -1;
530
531 if ( tls->data.offset >= len ) {
532 memcpy( buf, tls->data.buf, len );
533 return remove_data( tls, len );
534 }
535
536 restart:
537 if ( grow_buffer( &tls->recv, expected ) < 0 )
538 return -1;
539 while ( tls->recv.offset < expected ) {
540 size = tlsw_recv( sbiod, tls->recv.buf + tls->recv.offset, expected - tls->recv.offset );
541 if ( size < 0 )
542 return size;
543 tls->recv.offset += size;
544 }
545
546 if ( grow_buffer( &tls->data, tls->data.offset + tls->recv.offset ) < 0 )
547 return -1;
548 memcpy( tls->data.buf + tls->data.offset, tls->recv.buf, tls->recv.offset );
549
550 init_secbuf( &bufs[0], SECBUFFER_DATA, tls->data.buf + tls->data.offset, tls->recv.offset );
551 init_secbuf( &bufs[1], SECBUFFER_EMPTY, NULL, 0 );
552 init_secbuf( &bufs[2], SECBUFFER_EMPTY, NULL, 0 );
553 init_secbuf( &bufs[3], SECBUFFER_EMPTY, NULL, 0 );
554
555 status = DecryptMessage( &tls->session->ctxt_handle, &buf_desc, 0, NULL );
556 if ( status == SEC_E_OK ) {
557 assert( bufs[0].BufferType == SECBUFFER_STREAM_HEADER );
558 assert( bufs[1].BufferType == SECBUFFER_DATA );
559 assert( (char *)bufs[1].pvBuffer == (char *)bufs[0].pvBuffer + tls->header.size );
560
561 tls->recv.offset = 0;
562 memmove( tls->data.buf, tls->data.buf + tls->header.size, bufs[1].cbBuffer );
563 tls->data.offset += bufs[1].cbBuffer;
564 if ( tls->data.offset >= len ) {
565 memcpy( buf, tls->data.buf, len );
566 ret = remove_data( tls, len );
567 }
568 }
569 else if ( status == SEC_E_INCOMPLETE_MESSAGE ) {
570 assert( bufs[1].BufferType == SECBUFFER_MISSING );
571 expected = bufs[1].cbBuffer;
572 goto restart;
573 }
574
575 return ret;
576 }
577
578 static ber_slen_t
579 tlsw_sb_write( Sockbuf_IO_Desc *sbiod, void *buf, ber_len_t len)
580 {
581 struct tls_data *tls = sbiod->sbiod_pvt;
582 SecBuffer bufs[3];
583 SecBufferDesc buf_desc = { SECBUFFER_VERSION, 3, bufs };
584 SECURITY_STATUS status;
585 ssize_t size, ret = len;
586 unsigned int i;
587
588 if ( !len )
589 return 0;
590 if ( setup_buffers( tls ) < 0 )
591 return -1;
592
593 init_secbuf( &bufs[0], SECBUFFER_STREAM_HEADER, tls->header.buf, tls->header.size );
594 init_secbuf( &bufs[1], SECBUFFER_DATA, buf, len );
595 init_secbuf( &bufs[2], SECBUFFER_STREAM_TRAILER, tls->trailer.buf, tls->trailer.size );
596
597 status = EncryptMessage( &tls->session->ctxt_handle, 0, &buf_desc, 0 );
598 if ( status != SEC_E_OK )
599 ret = -1;
600 else {
601 for ( i = 0; i < 3; i++ ) {
602 size = tlsw_send( sbiod, bufs[i].pvBuffer, bufs[i].cbBuffer );
603 if ( size < 0 ) {
604 ret = -1;
605 break;
606 }
607 }
608 }
609
610 return ret;
611 }
612
613 static Sockbuf_IO tlsw_sbio =
614 {
615 tlsw_sb_setup, /* sbi_setup */
616 tlsw_sb_remove, /* sbi_remove */
617 tlsw_sb_ctrl, /* sbi_ctrl */
618 tlsw_sb_read, /* sbi_read */
619 tlsw_sb_write, /* sbi_write */
620 tlsw_sb_close /* sbi_close */
621 };
622
623 tls_impl ldap_int_tls_impl = {
624 "Windows SSPI SChannel",
625
626 tlsw_init,
627 tlsw_destroy,
628
629 tlsw_ctx_new,
630 tlsw_ctx_ref,
631 tlsw_ctx_free,
632 tlsw_ctx_init,
633
634 tlsw_session_new,
635 tlsw_session_connect,
636 tlsw_session_accept,
637 tlsw_session_upflags,
638 tlsw_session_errmsg,
639 tlsw_session_my_dn,
640 tlsw_session_peer_dn,
641 tlsw_session_chkhost,
642 tlsw_session_strength,
643 tlsw_session_unique,
644 tlsw_session_endpoint,
645 tlsw_session_version,
646 tlsw_session_cipher,
647 tlsw_session_peercert,
648 tlsw_session_pinning,
649
650 &tlsw_sbio,
651
652 #ifdef LDAP_R_COMPILE
653 tlsw_thr_init,
654 #else
655 NULL,
656 #endif
657
658 0
659 };
Windows API implementation