search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
secur32: Implement SECPKG_ATTR_CIPHER_INFO.
[wine.git] / dlls / secur32 / schannel_gnutls.c
blob58e787b76001eeb2bb74622d451befb5f3e39c93
1 /*
2 * GnuTLS-based implementation of the schannel (SSL/TLS) provider.
3 *
4 * Copyright 2005 Juan Lang
5 * Copyright 2008 Henri Verbeet
6 *
7 * This library is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU Lesser General Public
9 * License as published by the Free Software Foundation; either
10 * version 2.1 of the License, or (at your option) any later version.
11 *
12 * This library is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
16 *
17 * You should have received a copy of the GNU Lesser General Public
18 * License along with this library; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
20 */
21
22 #if 0
23 #pragma makedep unix
24 #endif
25
26 #include "config.h"
27
28 #include <assert.h>
29 #include <stdarg.h>
30 #include <stdio.h>
31 #include <stdlib.h>
32 #include <errno.h>
33 #include <sys/types.h>
34 #include <dlfcn.h>
35 #ifdef SONAME_LIBGNUTLS
36 #include <gnutls/gnutls.h>
37 #include <gnutls/crypto.h>
38 #include <gnutls/abstract.h>
39 #endif
40
41 #include "ntstatus.h"
42 #define WIN32_NO_STATUS
43 #include "windef.h"
44 #include "winbase.h"
45 #include "winternl.h"
46 #include "sspi.h"
47 #include "secur32_priv.h"
48
49 #include "wine/unixlib.h"
50 #include "wine/debug.h"
51
52 #if defined(SONAME_LIBGNUTLS)
53
54 WINE_DEFAULT_DEBUG_CHANNEL(secur32);
55 WINE_DECLARE_DEBUG_CHANNEL(winediag);
56
57 /* Not present in gnutls version < 2.9.10. */
58 static int (*pgnutls_cipher_get_block_size)(gnutls_cipher_algorithm_t);
59
60 /* Not present in gnutls version < 3.0. */
61 static void (*pgnutls_transport_set_pull_timeout_function)(gnutls_session_t,
62 int (*)(gnutls_transport_ptr_t, unsigned int));
63 static void (*pgnutls_dtls_set_mtu)(gnutls_session_t, unsigned int);
64 static void (*pgnutls_dtls_set_timeouts)(gnutls_session_t, unsigned int, unsigned int);
65
66 /* Not present in gnutls version < 3.2.0. */
67 static int (*pgnutls_alpn_get_selected_protocol)(gnutls_session_t, gnutls_datum_t *);
68 static int (*pgnutls_alpn_set_protocols)(gnutls_session_t, const gnutls_datum_t *,
69 unsigned, unsigned int);
70
71 /* Not present in gnutls version < 3.3.0. */
72 static int (*pgnutls_privkey_import_rsa_raw)(gnutls_privkey_t, const gnutls_datum_t *,
73 const gnutls_datum_t *, const gnutls_datum_t *,
74 const gnutls_datum_t *, const gnutls_datum_t *,
75 const gnutls_datum_t *, const gnutls_datum_t *,
76 const gnutls_datum_t *);
77
78 /* Not present in gnutls version < 3.4.0. */
79 static int (*pgnutls_privkey_export_x509)(gnutls_privkey_t, gnutls_x509_privkey_t *);
80
81 static void *libgnutls_handle;
82 #define MAKE_FUNCPTR(f) static typeof(f) * p##f
83 MAKE_FUNCPTR(gnutls_alert_get);
84 MAKE_FUNCPTR(gnutls_alert_get_name);
85 MAKE_FUNCPTR(gnutls_certificate_allocate_credentials);
86 MAKE_FUNCPTR(gnutls_certificate_free_credentials);
87 MAKE_FUNCPTR(gnutls_certificate_get_peers);
88 MAKE_FUNCPTR(gnutls_certificate_set_x509_key);
89 MAKE_FUNCPTR(gnutls_cipher_get);
90 MAKE_FUNCPTR(gnutls_cipher_get_key_size);
91 MAKE_FUNCPTR(gnutls_credentials_set);
92 MAKE_FUNCPTR(gnutls_deinit);
93 MAKE_FUNCPTR(gnutls_global_deinit);
94 MAKE_FUNCPTR(gnutls_global_init);
95 MAKE_FUNCPTR(gnutls_global_set_log_function);
96 MAKE_FUNCPTR(gnutls_global_set_log_level);
97 MAKE_FUNCPTR(gnutls_handshake);
98 MAKE_FUNCPTR(gnutls_init);
99 MAKE_FUNCPTR(gnutls_kx_get);
100 MAKE_FUNCPTR(gnutls_mac_get);
101 MAKE_FUNCPTR(gnutls_mac_get_key_size);
102 MAKE_FUNCPTR(gnutls_perror);
103 MAKE_FUNCPTR(gnutls_protocol_get_version);
104 MAKE_FUNCPTR(gnutls_priority_set_direct);
105 MAKE_FUNCPTR(gnutls_privkey_deinit);
106 MAKE_FUNCPTR(gnutls_privkey_init);
107 MAKE_FUNCPTR(gnutls_record_get_max_size);
108 MAKE_FUNCPTR(gnutls_record_recv);
109 MAKE_FUNCPTR(gnutls_record_send);
110 MAKE_FUNCPTR(gnutls_server_name_set);
111 MAKE_FUNCPTR(gnutls_session_channel_binding);
112 MAKE_FUNCPTR(gnutls_transport_get_ptr);
113 MAKE_FUNCPTR(gnutls_transport_set_errno);
114 MAKE_FUNCPTR(gnutls_transport_set_ptr);
115 MAKE_FUNCPTR(gnutls_transport_set_pull_function);
116 MAKE_FUNCPTR(gnutls_transport_set_push_function);
117 MAKE_FUNCPTR(gnutls_x509_crt_deinit);
118 MAKE_FUNCPTR(gnutls_x509_crt_import);
119 MAKE_FUNCPTR(gnutls_x509_crt_init);
120 MAKE_FUNCPTR(gnutls_x509_privkey_deinit);
121 #undef MAKE_FUNCPTR
122
123 #if GNUTLS_VERSION_MAJOR < 3
124 #define GNUTLS_CIPHER_AES_192_CBC 92
125 #define GNUTLS_CIPHER_AES_128_GCM 93
126 #define GNUTLS_CIPHER_AES_256_GCM 94
127
128 #define GNUTLS_MAC_AEAD 200
129
130 #define GNUTLS_KX_ANON_ECDH 11
131 #define GNUTLS_KX_ECDHE_RSA 12
132 #define GNUTLS_KX_ECDHE_ECDSA 13
133 #define GNUTLS_KX_ECDHE_PSK 14
134 #endif
135
136 #if GNUTLS_VERSION_MAJOR < 3 || (GNUTLS_VERSION_MAJOR == 3 && GNUTLS_VERSION_MINOR < 5)
137 #define GNUTLS_ALPN_SERVER_PRECEDENCE (1<<1)
138 #endif
139
140 static inline gnutls_session_t session_from_handle(UINT64 handle)
141 {
142 return (gnutls_session_t)(ULONG_PTR)handle;
143 }
144
145 static inline gnutls_certificate_credentials_t certificate_creds_from_handle(UINT64 handle)
146 {
147 return (gnutls_certificate_credentials_t)(ULONG_PTR)handle;
148 }
149
150 struct schan_buffers
151 {
152 SIZE_T offset;
153 SIZE_T limit;
154 const SecBufferDesc *desc;
155 int current_buffer_idx;
156 };
157
158 struct schan_transport
159 {
160 gnutls_session_t session;
161 struct schan_buffers in;
162 struct schan_buffers out;
163 };
164
165 static int compat_cipher_get_block_size(gnutls_cipher_algorithm_t cipher)
166 {
167 switch(cipher) {
168 case GNUTLS_CIPHER_3DES_CBC:
169 return 8;
170 case GNUTLS_CIPHER_AES_128_CBC:
171 case GNUTLS_CIPHER_AES_256_CBC:
172 return 16;
173 case GNUTLS_CIPHER_ARCFOUR_128:
174 case GNUTLS_CIPHER_ARCFOUR_40:
175 return 1;
176 case GNUTLS_CIPHER_DES_CBC:
177 return 8;
178 case GNUTLS_CIPHER_NULL:
179 return 1;
180 case GNUTLS_CIPHER_RC2_40_CBC:
181 return 8;
182 default:
183 FIXME("Unknown cipher %#x, returning 1\n", cipher);
184 return 1;
185 }
186 }
187
188 static void compat_gnutls_transport_set_pull_timeout_function(gnutls_session_t session,
189 int (*func)(gnutls_transport_ptr_t, unsigned int))
190 {
191 FIXME("\n");
192 }
193
194 static int compat_gnutls_privkey_export_x509(gnutls_privkey_t privkey, gnutls_x509_privkey_t *key)
195 {
196 FIXME("\n");
197 return GNUTLS_E_UNKNOWN_PK_ALGORITHM;
198 }
199
200 static int compat_gnutls_privkey_import_rsa_raw(gnutls_privkey_t key, const gnutls_datum_t *p1,
201 const gnutls_datum_t *p2, const gnutls_datum_t *p3,
202 const gnutls_datum_t *p4, const gnutls_datum_t *p5,
203 const gnutls_datum_t *p6, const gnutls_datum_t *p7,
204 const gnutls_datum_t *p8)
205 {
206 FIXME("\n");
207 return GNUTLS_E_UNKNOWN_PK_ALGORITHM;
208 }
209
210 static int compat_gnutls_alpn_get_selected_protocol(gnutls_session_t session, gnutls_datum_t *protocol)
211 {
212 FIXME("\n");
213 return GNUTLS_E_INVALID_REQUEST;
214 }
215
216 static int compat_gnutls_alpn_set_protocols(gnutls_session_t session, const gnutls_datum_t *protocols,
217 unsigned size, unsigned int flags)
218 {
219 FIXME("\n");
220 return GNUTLS_E_INVALID_REQUEST;
221 }
222
223 static void compat_gnutls_dtls_set_mtu(gnutls_session_t session, unsigned int mtu)
224 {
225 FIXME("\n");
226 }
227
228 static void compat_gnutls_dtls_set_timeouts(gnutls_session_t session, unsigned int retrans_timeout,
229 unsigned int total_timeout)
230 {
231 FIXME("\n");
232 }
233
234 static void init_schan_buffers(struct schan_buffers *s, const PSecBufferDesc desc)
235 {
236 s->offset = 0;
237 s->limit = ~0UL;
238 s->desc = desc;
239 s->current_buffer_idx = -1;
240 }
241
242 static int get_next_buffer(struct schan_buffers *s)
243 {
244 if (s->current_buffer_idx == -1)
245 return s->desc->cBuffers ? 0 : -1;
246 if (s->current_buffer_idx == s->desc->cBuffers - 1)
247 return -1;
248 return s->current_buffer_idx + 1;
249 }
250
251 static char *get_buffer(struct schan_buffers *s, SIZE_T *count)
252 {
253 SIZE_T max_count;
254 PSecBuffer buffer;
255
256 if (!s->desc)
257 {
258 TRACE("No desc\n");
259 return NULL;
260 }
261
262 if (s->current_buffer_idx == -1)
263 {
264 /* Initial buffer */
265 int buffer_idx = get_next_buffer(s);
266 if (buffer_idx == -1)
267 {
268 TRACE("No next buffer\n");
269 return NULL;
270 }
271 s->current_buffer_idx = buffer_idx;
272 }
273
274 buffer = &s->desc->pBuffers[s->current_buffer_idx];
275 TRACE("Using buffer %d: cbBuffer %d, BufferType %#x, pvBuffer %p\n",
276 s->current_buffer_idx, (unsigned)buffer->cbBuffer, (unsigned)buffer->BufferType, buffer->pvBuffer);
277
278 max_count = buffer->cbBuffer - s->offset;
279 if (s->limit != ~0UL && s->limit < max_count)
280 max_count = s->limit;
281
282 while (!max_count)
283 {
284 int buffer_idx;
285
286 buffer_idx = get_next_buffer(s);
287 if (buffer_idx == -1)
288 {
289 TRACE("No next buffer\n");
290 return NULL;
291 }
292 s->current_buffer_idx = buffer_idx;
293 s->offset = 0;
294 buffer = &s->desc->pBuffers[buffer_idx];
295 max_count = buffer->cbBuffer;
296 if (s->limit != ~0UL && s->limit < max_count)
297 max_count = s->limit;
298 }
299
300 if (*count > max_count)
301 *count = max_count;
302 if (s->limit != ~0UL)
303 s->limit -= *count;
304
305 return (char *)buffer->pvBuffer + s->offset;
306 }
307
308 static ssize_t pull_adapter(gnutls_transport_ptr_t transport, void *buff, size_t buff_len)
309 {
310 struct schan_transport *t = (struct schan_transport*)transport;
311 SIZE_T len = buff_len;
312 char *b;
313
314 TRACE("Pull %lu bytes\n", len);
315
316 b = get_buffer(&t->in, &len);
317 if (!b)
318 {
319 pgnutls_transport_set_errno(t->session, EAGAIN);
320 return -1;
321 }
322 memcpy(buff, b, len);
323 t->in.offset += len;
324 TRACE("Read %lu bytes\n", len);
325 return len;
326 }
327
328 static ssize_t push_adapter(gnutls_transport_ptr_t transport, const void *buff, size_t buff_len)
329 {
330 struct schan_transport *t = (struct schan_transport*)transport;
331 SIZE_T len = buff_len;
332 char *b;
333
334 TRACE("Push %lu bytes\n", len);
335
336 b = get_buffer(&t->out, &len);
337 if (!b)
338 {
339 pgnutls_transport_set_errno(t->session, EAGAIN);
340 return -1;
341 }
342 memcpy(b, buff, len);
343 t->out.offset += len;
344 TRACE("Wrote %lu bytes\n", len);
345 return len;
346 }
347
348 static const struct {
349 DWORD enable_flag;
350 const char *gnutls_flag;
351 } protocol_priority_flags[] = {
352 {SP_PROT_DTLS1_2_CLIENT, "VERS-DTLS1.2"},
353 {SP_PROT_DTLS1_0_CLIENT, "VERS-DTLS1.0"},
354 {SP_PROT_TLS1_3_CLIENT, "VERS-TLS1.3"},
355 {SP_PROT_TLS1_2_CLIENT, "VERS-TLS1.2"},
356 {SP_PROT_TLS1_1_CLIENT, "VERS-TLS1.1"},
357 {SP_PROT_TLS1_0_CLIENT, "VERS-TLS1.0"},
358 {SP_PROT_SSL3_CLIENT, "VERS-SSL3.0"}
359 /* {SP_PROT_SSL2_CLIENT} is not supported by GnuTLS */
360 };
361
362 static DWORD supported_protocols;
363
364 static void check_supported_protocols(void)
365 {
366 gnutls_session_t session;
367 char priority[64];
368 unsigned i;
369 int err;
370
371 err = pgnutls_init(&session, GNUTLS_CLIENT);
372 if (err != GNUTLS_E_SUCCESS)
373 {
374 pgnutls_perror(err);
375 return;
376 }
377
378 for(i = 0; i < ARRAY_SIZE(protocol_priority_flags); i++)
379 {
380 sprintf(priority, "NORMAL:-%s", protocol_priority_flags[i].gnutls_flag);
381 err = pgnutls_priority_set_direct(session, priority, NULL);
382 if (err == GNUTLS_E_SUCCESS)
383 {
384 TRACE("%s is supported\n", protocol_priority_flags[i].gnutls_flag);
385 supported_protocols |= protocol_priority_flags[i].enable_flag;
386 }
387 else
388 TRACE("%s is not supported\n", protocol_priority_flags[i].gnutls_flag);
389 }
390
391 pgnutls_deinit(session);
392 }
393
394 static NTSTATUS schan_get_enabled_protocols( void *args )
395 {
396 return supported_protocols;
397 }
398
399 static int pull_timeout(gnutls_transport_ptr_t transport, unsigned int timeout)
400 {
401 struct schan_transport *t = (struct schan_transport*)transport;
402 SIZE_T count = 0;
403
404 TRACE("\n");
405
406 if (get_buffer(&t->in, &count)) return 1;
407
408 return 0;
409 }
410
411 static NTSTATUS schan_create_session( void *args )
412 {
413 const struct create_session_params *params = args;
414 schan_credentials *cred = params->cred;
415 char priority[128] = "NORMAL:%LATEST_RECORD_VERSION", *p;
416 BOOL using_vers_all = FALSE, disabled;
417 unsigned int i, flags = (cred->credential_use == SECPKG_CRED_INBOUND) ? GNUTLS_SERVER : GNUTLS_CLIENT;
418 struct schan_transport *transport;
419 gnutls_session_t s;
420 int err;
421
422 *params->session = 0;
423
424 if (cred->enabled_protocols & (SP_PROT_DTLS1_0_CLIENT | SP_PROT_DTLS1_2_CLIENT))
425 {
426 flags |= GNUTLS_DATAGRAM | GNUTLS_NONBLOCK;
427 }
428
429 err = pgnutls_init(&s, flags);
430 if (err != GNUTLS_E_SUCCESS)
431 {
432 pgnutls_perror(err);
433 return STATUS_INTERNAL_ERROR;
434 }
435
436 if (!(transport = calloc(1, sizeof(*transport))))
437 {
438 pgnutls_deinit(s);
439 return STATUS_INTERNAL_ERROR;
440 }
441 transport->session = s;
442
443 p = priority + strlen(priority);
444
445 /* VERS-ALL is nice to use for forward compatibility. It was introduced before support for TLS1.3,
446 * so if TLS1.3 is supported, we may safely use it. Otherwise explicitly disable all known
447 * disabled protocols. */
448 if (supported_protocols & SP_PROT_TLS1_3_CLIENT)
449 {
450 strcpy(p, ":-VERS-ALL");
451 p += strlen(p);
452 using_vers_all = TRUE;
453 }
454
455 for (i = 0; i < ARRAY_SIZE(protocol_priority_flags); i++)
456 {
457 if (!(supported_protocols & protocol_priority_flags[i].enable_flag)) continue;
458
459 disabled = !(cred->enabled_protocols & protocol_priority_flags[i].enable_flag);
460 if (using_vers_all && disabled) continue;
461
462 *p++ = ':';
463 *p++ = disabled ? '-' : '+';
464 strcpy(p, protocol_priority_flags[i].gnutls_flag);
465 p += strlen(p);
466 }
467
468 TRACE("Using %s priority\n", debugstr_a(priority));
469 err = pgnutls_priority_set_direct(s, priority, NULL);
470 if (err != GNUTLS_E_SUCCESS)
471 {
472 pgnutls_perror(err);
473 pgnutls_deinit(s);
474 free(transport);
475 return STATUS_INTERNAL_ERROR;
476 }
477
478 err = pgnutls_credentials_set(s, GNUTLS_CRD_CERTIFICATE, certificate_creds_from_handle(cred->credentials));
479 if (err != GNUTLS_E_SUCCESS)
480 {
481 pgnutls_perror(err);
482 pgnutls_deinit(s);
483 free(transport);
484 return STATUS_INTERNAL_ERROR;
485 }
486
487 pgnutls_transport_set_pull_function(s, pull_adapter);
488 if (flags & GNUTLS_DATAGRAM) pgnutls_transport_set_pull_timeout_function(s, pull_timeout);
489 pgnutls_transport_set_push_function(s, push_adapter);
490 pgnutls_transport_set_ptr(s, (gnutls_transport_ptr_t)transport);
491 *params->session = (ULONG_PTR)s;
492
493 return STATUS_SUCCESS;
494 }
495
496 static NTSTATUS schan_dispose_session( void *args )
497 {
498 const struct session_params *params = args;
499 gnutls_session_t s = session_from_handle(params->session);
500 struct schan_transport *t = (struct schan_transport *)pgnutls_transport_get_ptr(s);
501 pgnutls_transport_set_ptr(s, NULL);
502 pgnutls_deinit(s);
503 free(t);
504 return STATUS_SUCCESS;
505 }
506
507 static NTSTATUS schan_set_session_target( void *args )
508 {
509 const struct set_session_target_params *params = args;
510 gnutls_session_t s = session_from_handle(params->session);
511 pgnutls_server_name_set( s, GNUTLS_NAME_DNS, params->target, strlen(params->target) );
512 return STATUS_SUCCESS;
513 }
514
515 static NTSTATUS schan_handshake( void *args )
516 {
517 const struct handshake_params *params = args;
518 gnutls_session_t s = session_from_handle(params->session);
519 struct schan_transport *t = (struct schan_transport *)pgnutls_transport_get_ptr(s);
520 NTSTATUS status;
521 int err;
522
523 init_schan_buffers(&t->in, params->input);
524 t->in.limit = params->input_size;
525 init_schan_buffers(&t->out, params->output);
526
527 while (1)
528 {
529 err = pgnutls_handshake(s);
530 if (err == GNUTLS_E_SUCCESS)
531 {
532 TRACE("Handshake completed\n");
533 status = SEC_E_OK;
534 }
535 else if (err == GNUTLS_E_AGAIN)
536 {
537 TRACE("Continue...\n");
538 status = SEC_I_CONTINUE_NEEDED;
539 }
540 else if (err == GNUTLS_E_WARNING_ALERT_RECEIVED)
541 {
542 gnutls_alert_description_t alert = pgnutls_alert_get(s);
543
544 WARN("WARNING ALERT: %d %s\n", alert, pgnutls_alert_get_name(alert));
545
546 if (alert == GNUTLS_A_UNRECOGNIZED_NAME)
547 {
548 TRACE("Ignoring\n");
549 continue;
550 }
551 else
552 status = SEC_E_INTERNAL_ERROR;
553 }
554 else if (err == GNUTLS_E_FATAL_ALERT_RECEIVED)
555 {
556 gnutls_alert_description_t alert = pgnutls_alert_get(s);
557 WARN("FATAL ALERT: %d %s\n", alert, pgnutls_alert_get_name(alert));
558 status = SEC_E_INTERNAL_ERROR;
559 }
560 else
561 {
562 pgnutls_perror(err);
563 status = SEC_E_INTERNAL_ERROR;
564 }
565 break;
566 }
567
568 *params->input_offset = t->in.offset;
569 *params->output_buffer_idx = t->out.current_buffer_idx;
570 *params->output_offset = t->out.offset;
571
572 return status;
573 }
574
575 static DWORD get_protocol(gnutls_protocol_t proto)
576 {
577 /* FIXME: currently schannel only implements client connections, but
578 * there's no reason it couldn't be used for servers as well. The
579 * context doesn't tell us which it is, so assume client for now.
580 */
581 switch (proto)
582 {
583 case GNUTLS_SSL3: return SP_PROT_SSL3_CLIENT;
584 case GNUTLS_TLS1_0: return SP_PROT_TLS1_0_CLIENT;
585 case GNUTLS_TLS1_1: return SP_PROT_TLS1_1_CLIENT;
586 case GNUTLS_TLS1_2: return SP_PROT_TLS1_2_CLIENT;
587 case GNUTLS_DTLS1_0: return SP_PROT_DTLS1_0_CLIENT;
588 case GNUTLS_DTLS1_2: return SP_PROT_DTLS1_2_CLIENT;
589 default:
590 FIXME("unknown protocol %d\n", proto);
591 return 0;
592 }
593 }
594
595 static ALG_ID get_cipher_algid(gnutls_cipher_algorithm_t cipher)
596 {
597 switch (cipher)
598 {
599 case GNUTLS_CIPHER_UNKNOWN:
600 case GNUTLS_CIPHER_NULL: return 0;
601 case GNUTLS_CIPHER_ARCFOUR_40:
602 case GNUTLS_CIPHER_ARCFOUR_128: return CALG_RC4;
603 case GNUTLS_CIPHER_DES_CBC: return CALG_DES;
604 case GNUTLS_CIPHER_3DES_CBC: return CALG_3DES;
605 case GNUTLS_CIPHER_AES_128_CBC:
606 case GNUTLS_CIPHER_AES_128_GCM: return CALG_AES_128;
607 case GNUTLS_CIPHER_AES_192_CBC: return CALG_AES_192;
608 case GNUTLS_CIPHER_AES_256_GCM:
609 case GNUTLS_CIPHER_AES_256_CBC: return CALG_AES_256;
610 case GNUTLS_CIPHER_RC2_40_CBC: return CALG_RC2;
611 default:
612 FIXME("unknown algorithm %d\n", cipher);
613 return 0;
614 }
615 }
616
617 static ALG_ID get_mac_algid(gnutls_mac_algorithm_t mac, gnutls_cipher_algorithm_t cipher)
618 {
619 switch (mac)
620 {
621 case GNUTLS_MAC_UNKNOWN:
622 case GNUTLS_MAC_NULL: return 0;
623 case GNUTLS_MAC_MD2: return CALG_MD2;
624 case GNUTLS_MAC_MD5: return CALG_MD5;
625 case GNUTLS_MAC_SHA1: return CALG_SHA1;
626 case GNUTLS_MAC_SHA256: return CALG_SHA_256;
627 case GNUTLS_MAC_SHA384: return CALG_SHA_384;
628 case GNUTLS_MAC_SHA512: return CALG_SHA_512;
629 case GNUTLS_MAC_AEAD:
630 /* When using AEAD (such as GCM), we return PRF algorithm instead
631 which is defined in RFC 5289. */
632 switch (cipher)
633 {
634 case GNUTLS_CIPHER_AES_128_GCM: return CALG_SHA_256;
635 case GNUTLS_CIPHER_AES_256_GCM: return CALG_SHA_384;
636 default:
637 break;
638 }
639 /* fall through */
640 default:
641 FIXME("unknown algorithm %d, cipher %d\n", mac, cipher);
642 return 0;
643 }
644 }
645
646 static ALG_ID get_kx_algid(int kx)
647 {
648 switch (kx)
649 {
650 case GNUTLS_KX_UNKNOWN: return 0;
651 case GNUTLS_KX_RSA:
652 case GNUTLS_KX_RSA_EXPORT: return CALG_RSA_KEYX;
653 case GNUTLS_KX_DHE_PSK:
654 case GNUTLS_KX_DHE_DSS:
655 case GNUTLS_KX_DHE_RSA: return CALG_DH_EPHEM;
656 case GNUTLS_KX_ANON_ECDH: return CALG_ECDH;
657 case GNUTLS_KX_ECDHE_RSA:
658 case GNUTLS_KX_ECDHE_PSK:
659 case GNUTLS_KX_ECDHE_ECDSA: return CALG_ECDH_EPHEM;
660 default:
661 FIXME("unknown algorithm %d\n", kx);
662 return 0;
663 }
664 }
665
666 static NTSTATUS schan_get_session_cipher_block_size( void *args )
667 {
668 const struct session_params *params = args;
669 gnutls_session_t s = session_from_handle(params->session);
670 return pgnutls_cipher_get_block_size(pgnutls_cipher_get(s));
671 }
672
673 static NTSTATUS schan_get_max_message_size( void *args )
674 {
675 const struct session_params *params = args;
676 gnutls_session_t s = session_from_handle(params->session);
677 return pgnutls_record_get_max_size(s);
678 }
679
680 static NTSTATUS schan_get_connection_info( void *args )
681 {
682 const struct get_connection_info_params *params = args;
683 gnutls_session_t s = session_from_handle(params->session);
684 SecPkgContext_ConnectionInfo *info = params->info;
685 gnutls_protocol_t proto = pgnutls_protocol_get_version(s);
686 gnutls_cipher_algorithm_t alg = pgnutls_cipher_get(s);
687 gnutls_mac_algorithm_t mac = pgnutls_mac_get(s);
688 gnutls_kx_algorithm_t kx = pgnutls_kx_get(s);
689
690 info->dwProtocol = get_protocol(proto);
691 info->aiCipher = get_cipher_algid(alg);
692 info->dwCipherStrength = pgnutls_cipher_get_key_size(alg) * 8;
693 info->aiHash = get_mac_algid(mac, alg);
694 info->dwHashStrength = pgnutls_mac_get_key_size(mac) * 8;
695 info->aiExch = get_kx_algid(kx);
696 /* FIXME: info->dwExchStrength? */
697 info->dwExchStrength = 0;
698 return SEC_E_OK;
699 }
700
701 static DWORD get_protocol_version( gnutls_session_t session )
702 {
703 gnutls_protocol_t proto = pgnutls_protocol_get_version( session );
704
705 switch (proto)
706 {
707 case GNUTLS_SSL3: return 0x300;
708 case GNUTLS_TLS1_0: return 0x301;
709 case GNUTLS_TLS1_1: return 0x302;
710 case GNUTLS_TLS1_2: return 0x303;
711 case GNUTLS_DTLS1_0: return 0x201;
712 case GNUTLS_DTLS1_2: return 0x202;
713 default:
714 FIXME( "unknown protocol %u\n", proto );
715 return 0;
716 }
717 }
718
719 static const WCHAR *get_cipher_str( gnutls_session_t session )
720 {
721 static const WCHAR aesW[] = {'A','E','S',0};
722 static const WCHAR unknownW[] = {'<','u','n','k','n','o','w','n','>',0};
723 gnutls_cipher_algorithm_t cipher = pgnutls_cipher_get( session );
724
725 switch (cipher)
726 {
727 case GNUTLS_CIPHER_AES_128_CBC:
728 case GNUTLS_CIPHER_AES_192_CBC:
729 case GNUTLS_CIPHER_AES_256_CBC:
730 case GNUTLS_CIPHER_AES_128_GCM:
731 case GNUTLS_CIPHER_AES_256_GCM:
732 case GNUTLS_CIPHER_AES_128_CCM:
733 case GNUTLS_CIPHER_AES_256_CCM:
734 return aesW;
735 default:
736 FIXME( "unknown cipher %u\n", cipher );
737 return unknownW;
738 }
739 }
740
741 static DWORD get_cipher_len( gnutls_session_t session )
742 {
743 gnutls_cipher_algorithm_t cipher = pgnutls_cipher_get( session );
744
745 switch (cipher)
746 {
747 case GNUTLS_CIPHER_AES_128_CBC:
748 case GNUTLS_CIPHER_AES_128_GCM:
749 case GNUTLS_CIPHER_AES_128_CCM:
750 return 128;
751 case GNUTLS_CIPHER_AES_192_CBC:
752 return 192;
753 case GNUTLS_CIPHER_AES_256_CBC:
754 case GNUTLS_CIPHER_AES_256_GCM:
755 case GNUTLS_CIPHER_AES_256_CCM:
756 return 256;
757 default:
758 FIXME( "unknown cipher %u\n", cipher );
759 return 0;
760 }
761 }
762
763 static DWORD get_cipher_block_len( gnutls_session_t session )
764 {
765 gnutls_cipher_algorithm_t cipher = pgnutls_cipher_get( session );
766 return pgnutls_cipher_get_block_size( cipher );
767 }
768
769 static const WCHAR *get_hash_str( gnutls_session_t session, BOOL full )
770 {
771 static const WCHAR shaW[] = {'S','H','A',0};
772 static const WCHAR sha1W[] = {'S','H','A','1',0};
773 static const WCHAR sha224W[] = {'S','H','A','2','2','4',0};
774 static const WCHAR sha256W[] = {'S','H','A','2','5','6',0};
775 static const WCHAR sha384W[] = {'S','H','A','3','8','4',0};
776 static const WCHAR sha512W[] = {'S','H','A','5','1','2',0};
777 static const WCHAR unknownW[] = {'<','u','n','k','n','o','w','n','>',0};
778 gnutls_mac_algorithm_t mac = pgnutls_mac_get( session );
779
780 switch (mac)
781 {
782 case GNUTLS_MAC_SHA1: return full ? sha1W : shaW;
783 case GNUTLS_MAC_SHA224: return sha224W;
784 case GNUTLS_MAC_SHA256: return sha256W;
785 case GNUTLS_MAC_SHA384: return sha384W;
786 case GNUTLS_MAC_SHA512: return sha512W;
787 default:
788 FIXME( "unknown mac %u\n", mac );
789 return unknownW;
790 }
791 }
792
793 static DWORD get_hash_len( gnutls_session_t session )
794 {
795 gnutls_mac_algorithm_t mac = pgnutls_mac_get( session );
796 return pgnutls_mac_get_key_size( mac ) * 8;
797 }
798
799 static const WCHAR *get_exchange_str( gnutls_session_t session, BOOL full )
800 {
801 static const WCHAR ecdhW[] = {'E','C','D','H',0};
802 static const WCHAR ecdheW[] = {'E','C','D','H','E',0};
803 static const WCHAR unknownW[] = {'<','u','n','k','n','o','w','n','>',0};
804 gnutls_kx_algorithm_t kx = pgnutls_kx_get( session );
805
806 switch (kx)
807 {
808 case GNUTLS_KX_ECDHE_RSA:
809 case GNUTLS_KX_ECDHE_ECDSA:
810 return full ? ecdheW : ecdhW;
811 default:
812 FIXME( "unknown kx %u\n", kx );
813 return unknownW;
814 }
815 }
816
817 static const WCHAR *get_certificate_str( gnutls_session_t session )
818 {
819 static const WCHAR rsaW[] = {'R','S','A',0};
820 static const WCHAR ecdsaW[] = {'E','C','D','S','A',0};
821 static const WCHAR unknownW[] = {'<','u','n','k','n','o','w','n','>',0};
822 gnutls_kx_algorithm_t kx = pgnutls_kx_get( session );
823
824 switch (kx)
825 {
826 case GNUTLS_KX_RSA:
827 case GNUTLS_KX_RSA_EXPORT:
828 case GNUTLS_KX_DHE_RSA:
829 case GNUTLS_KX_ECDHE_RSA: return rsaW;
830 case GNUTLS_KX_ECDHE_ECDSA: return ecdsaW;
831 default:
832 FIXME( "unknown kx %u\n", kx );
833 return unknownW;
834 }
835 }
836
837 static const WCHAR *get_chaining_mode_str( gnutls_session_t session )
838 {
839 static const WCHAR cbcW[] = {'C','B','C',0};
840 static const WCHAR ccmW[] = {'C','C','M',0};
841 static const WCHAR gcmW[] = {'G','C','M',0};
842 static const WCHAR unknownW[] = {'<','u','n','k','n','o','w','n','>',0};
843 gnutls_cipher_algorithm_t cipher = pgnutls_cipher_get( session );
844
845 switch (cipher)
846 {
847 case GNUTLS_CIPHER_AES_128_CBC:
848 case GNUTLS_CIPHER_AES_192_CBC:
849 case GNUTLS_CIPHER_AES_256_CBC:
850 return cbcW;
851 case GNUTLS_CIPHER_AES_128_GCM:
852 case GNUTLS_CIPHER_AES_256_GCM:
853 return gcmW;
854 case GNUTLS_CIPHER_AES_128_CCM:
855 case GNUTLS_CIPHER_AES_256_CCM:
856 return ccmW;
857 default:
858 FIXME( "unknown cipher %u\n", cipher );
859 return unknownW;
860 }
861 }
862
863 static NTSTATUS schan_get_cipher_info( void *args )
864 {
865 const WCHAR tlsW[] = {'T','L','S','_',0};
866 const WCHAR underscoreW[] = {'_',0};
867 const WCHAR widthW[] = {'_','W','I','T','H','_',0};
868 const struct get_cipher_info_params *params = args;
869 gnutls_session_t session = session_from_handle( params->session );
870 SecPkgContext_CipherInfo *info = params->info;
871 char buf[11];
872 WCHAR *ptr;
873 int len;
874
875 info->dwProtocol = get_protocol_version( session );
876 info->dwCipherSuite = 0; /* FIXME */
877 info->dwBaseCipherSuite = 0; /* FIXME */
878 wcscpy( info->szCipher, get_cipher_str( session ) );
879 info->dwCipherLen = get_cipher_len( session );
880 info->dwCipherBlockLen = get_cipher_block_len( session );
881 wcscpy( info->szHash, get_hash_str( session, TRUE ) );
882 info->dwHashLen = get_hash_len( session );
883 wcscpy( info->szExchange, get_exchange_str( session, FALSE ) );
884 info->dwMinExchangeLen = 0;
885 info->dwMaxExchangeLen = 65536;
886 wcscpy( info->szCertificate, get_certificate_str( session ) );
887 info->dwKeyType = 0; /* FIXME */
888
889 wcscpy( info->szCipherSuite, tlsW );
890 wcscat( info->szCipherSuite, get_exchange_str( session, TRUE ) );
891 wcscat( info->szCipherSuite, underscoreW );
892 wcscat( info->szCipherSuite, info->szCertificate );
893 wcscat( info->szCipherSuite, widthW );
894 wcscat( info->szCipherSuite, info->szCipher );
895 wcscat( info->szCipherSuite, underscoreW );
896 len = sprintf( buf, "%u", (unsigned int)info->dwCipherLen ) + 1;
897 ptr = info->szCipherSuite + wcslen( info->szCipherSuite );
898 ntdll_umbstowcs( buf, len, ptr, len );
899 wcscat( info->szCipherSuite, underscoreW );
900 wcscat( info->szCipherSuite, get_chaining_mode_str( session ) );
901 wcscat( info->szCipherSuite, underscoreW );
902 wcscat( info->szCipherSuite, get_hash_str( session, FALSE ) );
903 return SEC_E_OK;
904 }
905
906 static NTSTATUS schan_get_unique_channel_binding( void *args )
907 {
908 const struct get_unique_channel_binding_params *params = args;
909 gnutls_session_t s = session_from_handle(params->session);
910 gnutls_datum_t datum;
911 int rc;
912 SECURITY_STATUS ret;
913
914 rc = pgnutls_session_channel_binding(s, GNUTLS_CB_TLS_UNIQUE, &datum);
915 if (rc)
916 {
917 pgnutls_perror(rc);
918 return SEC_E_INTERNAL_ERROR;
919 }
920 if (params->buffer && *params->bufsize >= datum.size)
921 {
922 memcpy( params->buffer, datum.data, datum.size );
923 ret = SEC_E_OK;
924 }
925 else ret = SEC_E_BUFFER_TOO_SMALL;
926
927 *params->bufsize = datum.size;
928 free(datum.data);
929 return ret;
930 }
931
932 static NTSTATUS schan_get_key_signature_algorithm( void *args )
933 {
934 const struct session_params *params = args;
935 gnutls_session_t s = session_from_handle(params->session);
936 gnutls_kx_algorithm_t kx = pgnutls_kx_get(s);
937
938 TRACE("(%p)\n", s);
939
940 switch (kx)
941 {
942 case GNUTLS_KX_UNKNOWN: return 0;
943 case GNUTLS_KX_RSA:
944 case GNUTLS_KX_RSA_EXPORT:
945 case GNUTLS_KX_DHE_RSA:
946 case GNUTLS_KX_ECDHE_RSA: return CALG_RSA_SIGN;
947 case GNUTLS_KX_ECDHE_ECDSA: return CALG_ECDSA;
948 default:
949 FIXME("unknown algorithm %d\n", kx);
950 return 0;
951 }
952 }
953
954 static NTSTATUS schan_get_session_peer_certificate( void *args )
955 {
956 const struct get_session_peer_certificate_params *params = args;
957 gnutls_session_t s = session_from_handle(params->session);
958 const gnutls_datum_t *datum;
959 unsigned int i, size;
960 BYTE *ptr;
961 unsigned int count;
962 ULONG *sizes;
963
964 if (!(datum = pgnutls_certificate_get_peers(s, &count))) return SEC_E_INTERNAL_ERROR;
965
966 size = count * sizeof(*sizes);
967 for (i = 0; i < count; i++) size += datum[i].size;
968
969 if (!params->buffer || *params->bufsize < size)
970 {
971 *params->bufsize = size;
972 return SEC_E_BUFFER_TOO_SMALL;
973 }
974 sizes = (ULONG *)params->buffer;
975 ptr = params->buffer + count * sizeof(*sizes);
976 for (i = 0; i < count; i++)
977 {
978 sizes[i] = datum[i].size;
979 memcpy(ptr, datum[i].data, datum[i].size);
980 ptr += datum[i].size;
981 }
982
983 *params->bufsize = size;
984 *params->retcount = count;
985 return SEC_E_OK;
986 }
987
988 static NTSTATUS schan_send( void *args )
989 {
990 const struct send_params *params = args;
991 gnutls_session_t s = session_from_handle(params->session);
992 struct schan_transport *t = (struct schan_transport *)pgnutls_transport_get_ptr(s);
993 SSIZE_T ret, total = 0;
994
995 init_schan_buffers(&t->out, params->output);
996
997 for (;;)
998 {
999 ret = pgnutls_record_send(s, (const char *)params->buffer + total, params->length - total);
1000 if (ret >= 0)
1001 {
1002 total += ret;
1003 TRACE( "sent %ld now %ld/%u\n", ret, total, (unsigned)params->length );
1004 if (total == params->length) break;
1005 }
1006 else if (ret == GNUTLS_E_AGAIN)
1007 {
1008 SIZE_T count = 0;
1009
1010 if (get_buffer(&t->out, &count)) continue;
1011 return SEC_I_CONTINUE_NEEDED;
1012 }
1013 else
1014 {
1015 pgnutls_perror(ret);
1016 return SEC_E_INTERNAL_ERROR;
1017 }
1018 }
1019
1020 *params->output_buffer_idx = t->out.current_buffer_idx;
1021 *params->output_offset = t->out.offset;
1022 return SEC_E_OK;
1023 }
1024
1025 static NTSTATUS schan_recv( void *args )
1026 {
1027 const struct recv_params *params = args;
1028 gnutls_session_t s = session_from_handle(params->session);
1029 struct schan_transport *t = (struct schan_transport *)pgnutls_transport_get_ptr(s);
1030 size_t data_size = *params->length;
1031 size_t received = 0;
1032 ssize_t ret;
1033 SECURITY_STATUS status = SEC_E_OK;
1034
1035 init_schan_buffers(&t->in, params->input);
1036 t->in.limit = params->input_size;
1037
1038 while (received < data_size)
1039 {
1040 ret = pgnutls_record_recv(s, (char *)params->buffer + received, data_size - received);
1041
1042 if (ret > 0) received += ret;
1043 else if (!ret) break;
1044 else if (ret == GNUTLS_E_AGAIN)
1045 {
1046 SIZE_T count = 0;
1047
1048 if (!get_buffer(&t->in, &count)) break;
1049 }
1050 else if (ret == GNUTLS_E_REHANDSHAKE)
1051 {
1052 TRACE("Rehandshake requested\n");
1053 status = SEC_I_RENEGOTIATE;
1054 break;
1055 }
1056 else
1057 {
1058 pgnutls_perror(ret);
1059 return SEC_E_INTERNAL_ERROR;
1060 }
1061 }
1062
1063 *params->length = received;
1064 return status;
1065 }
1066
1067 static unsigned int parse_alpn_protocol_list(unsigned char *buffer, unsigned int buflen, gnutls_datum_t *list)
1068 {
1069 unsigned int len, offset = 0, count = 0;
1070
1071 while (buflen)
1072 {
1073 len = buffer[offset++];
1074 buflen--;
1075 if (!len || len > buflen) return 0;
1076 if (list)
1077 {
1078 list[count].data = &buffer[offset];
1079 list[count].size = len;
1080 }
1081 buflen -= len;
1082 offset += len;
1083 count++;
1084 }
1085
1086 return count;
1087 }
1088
1089 static NTSTATUS schan_set_application_protocols( void *args )
1090 {
1091 const struct set_application_protocols_params *params = args;
1092 gnutls_session_t s = session_from_handle(params->session);
1093 unsigned int extension_len, extension, count = 0, offset = 0;
1094 unsigned short list_len;
1095 gnutls_datum_t *protocols;
1096 int ret;
1097
1098 if (sizeof(extension_len) > params->buflen) return STATUS_INVALID_PARAMETER;
1099 extension_len = *(unsigned int *)&params->buffer[offset];
1100 offset += sizeof(extension_len);
1101
1102 if (offset + sizeof(extension) > params->buflen) return STATUS_INVALID_PARAMETER;
1103 extension = *(unsigned int *)&params->buffer[offset];
1104 if (extension != SecApplicationProtocolNegotiationExt_ALPN)
1105 {
1106 FIXME("extension %u not supported\n", extension);
1107 return STATUS_NOT_SUPPORTED;
1108 }
1109 offset += sizeof(extension);
1110
1111 if (offset + sizeof(list_len) > params->buflen) return STATUS_INVALID_PARAMETER;
1112 list_len = *(unsigned short *)&params->buffer[offset];
1113 offset += sizeof(list_len);
1114
1115 if (offset + list_len > params->buflen) return STATUS_INVALID_PARAMETER;
1116 count = parse_alpn_protocol_list(&params->buffer[offset], list_len, NULL);
1117 if (!count || !(protocols = malloc(count * sizeof(*protocols)))) return STATUS_NO_MEMORY;
1118
1119 parse_alpn_protocol_list(&params->buffer[offset], list_len, protocols);
1120 if ((ret = pgnutls_alpn_set_protocols(s, protocols, count, GNUTLS_ALPN_SERVER_PRECEDENCE) < 0))
1121 {
1122 pgnutls_perror(ret);
1123 }
1124
1125 free(protocols);
1126 return STATUS_SUCCESS;
1127 }
1128
1129 static NTSTATUS schan_get_application_protocol( void *args )
1130 {
1131 const struct get_application_protocol_params *params = args;
1132 gnutls_session_t s = session_from_handle(params->session);
1133 SecPkgContext_ApplicationProtocol *protocol = params->protocol;
1134 gnutls_datum_t selected;
1135
1136 memset(protocol, 0, sizeof(*protocol));
1137 if (pgnutls_alpn_get_selected_protocol(s, &selected) < 0) return SEC_E_OK;
1138
1139 if (selected.size <= sizeof(protocol->ProtocolId))
1140 {
1141 protocol->ProtoNegoStatus = SecApplicationProtocolNegotiationStatus_Success;
1142 protocol->ProtoNegoExt = SecApplicationProtocolNegotiationExt_ALPN;
1143 protocol->ProtocolIdSize = selected.size;
1144 memcpy(protocol->ProtocolId, selected.data, selected.size);
1145 TRACE("returning %s\n", wine_dbgstr_an((const char *)selected.data, selected.size));
1146 }
1147 return SEC_E_OK;
1148 }
1149
1150 static NTSTATUS schan_set_dtls_mtu( void *args )
1151 {
1152 const struct set_dtls_mtu_params *params = args;
1153 gnutls_session_t s = session_from_handle(params->session);
1154
1155 pgnutls_dtls_set_mtu(s, params->mtu);
1156 TRACE("MTU set to %u\n", params->mtu);
1157 return SEC_E_OK;
1158 }
1159
1160 static NTSTATUS schan_set_dtls_timeouts( void *args )
1161 {
1162 const struct set_dtls_timeouts_params *params = args;
1163 gnutls_session_t s = session_from_handle(params->session);
1164
1165 pgnutls_dtls_set_timeouts(s, params->retrans_timeout, params->total_timeout);
1166 return SEC_E_OK;
1167 }
1168
1169 static inline void reverse_bytes(BYTE *buf, ULONG len)
1170 {
1171 BYTE tmp;
1172 ULONG i;
1173 for (i = 0; i < len / 2; i++)
1174 {
1175 tmp = buf[i];
1176 buf[i] = buf[len - i - 1];
1177 buf[len - i - 1] = tmp;
1178 }
1179 }
1180
1181 static ULONG set_component(gnutls_datum_t *comp, BYTE *data, ULONG len, ULONG *buflen)
1182 {
1183 comp->data = data;
1184 comp->size = len;
1185 reverse_bytes(comp->data, comp->size);
1186 if (comp->data[0] & 0x80) /* add leading 0 byte if most significant bit is set */
1187 {
1188 memmove(comp->data + 1, comp->data, *buflen);
1189 comp->data[0] = 0;
1190 comp->size++;
1191 }
1192 *buflen -= comp->size;
1193 return comp->size;
1194 }
1195
1196 static gnutls_x509_privkey_t get_x509_key(ULONG key_size, const BYTE *key_blob)
1197 {
1198 gnutls_privkey_t key = NULL;
1199 gnutls_x509_privkey_t x509key = NULL;
1200 gnutls_datum_t m, e, d, p, q, u, e1, e2;
1201 BYTE *ptr;
1202 RSAPUBKEY *rsakey;
1203 DWORD size = key_size;
1204 int ret;
1205
1206 if (size < sizeof(BLOBHEADER)) return NULL;
1207
1208 rsakey = (RSAPUBKEY *)(key_blob + sizeof(BLOBHEADER));
1209 TRACE("RSA key bitlen %u pubexp %u\n", (unsigned)rsakey->bitlen, (unsigned)rsakey->pubexp);
1210
1211 size -= sizeof(BLOBHEADER) + FIELD_OFFSET(RSAPUBKEY, pubexp);
1212 set_component(&e, (BYTE *)&rsakey->pubexp, sizeof(rsakey->pubexp), &size);
1213
1214 ptr = (BYTE *)(rsakey + 1);
1215 ptr += set_component(&m, ptr, rsakey->bitlen / 8, &size);
1216 ptr += set_component(&p, ptr, rsakey->bitlen / 16, &size);
1217 ptr += set_component(&q, ptr, rsakey->bitlen / 16, &size);
1218 ptr += set_component(&e1, ptr, rsakey->bitlen / 16, &size);
1219 ptr += set_component(&e2, ptr, rsakey->bitlen / 16, &size);
1220 ptr += set_component(&u, ptr, rsakey->bitlen / 16, &size);
1221 ptr += set_component(&d, ptr, rsakey->bitlen / 8, &size);
1222
1223 if ((ret = pgnutls_privkey_init(&key)) < 0)
1224 {
1225 pgnutls_perror(ret);
1226 return NULL;
1227 }
1228
1229 if (((ret = pgnutls_privkey_import_rsa_raw(key, &m, &e, &d, &p, &q, &u, &e1, &e2)) < 0) ||
1230 (ret = pgnutls_privkey_export_x509(key, &x509key)) < 0)
1231 {
1232 pgnutls_perror(ret);
1233 pgnutls_privkey_deinit(key);
1234 return NULL;
1235 }
1236
1237 return x509key;
1238 }
1239
1240 static gnutls_x509_crt_t get_x509_crt(const struct allocate_certificate_credentials_params *params)
1241 {
1242 gnutls_datum_t data;
1243 gnutls_x509_crt_t crt;
1244 int ret;
1245
1246 if (params->cert_encoding != X509_ASN_ENCODING)
1247 {
1248 FIXME("encoding type %u not supported\n", (unsigned)params->cert_encoding);
1249 return NULL;
1250 }
1251
1252 if ((ret = pgnutls_x509_crt_init(&crt)) < 0)
1253 {
1254 pgnutls_perror(ret);
1255 return NULL;
1256 }
1257
1258 data.data = params->cert_blob;
1259 data.size = params->cert_size;
1260 if ((ret = pgnutls_x509_crt_import(crt, &data, GNUTLS_X509_FMT_DER)) < 0)
1261 {
1262 pgnutls_perror(ret);
1263 pgnutls_x509_crt_deinit(crt);
1264 return NULL;
1265 }
1266
1267 return crt;
1268 }
1269
1270 static NTSTATUS schan_allocate_certificate_credentials( void *args )
1271 {
1272 const struct allocate_certificate_credentials_params *params = args;
1273 gnutls_certificate_credentials_t creds;
1274 gnutls_x509_crt_t crt;
1275 gnutls_x509_privkey_t key;
1276 int ret;
1277
1278 ret = pgnutls_certificate_allocate_credentials(&creds);
1279 if (ret != GNUTLS_E_SUCCESS)
1280 {
1281 pgnutls_perror(ret);
1282 return STATUS_INTERNAL_ERROR;
1283 }
1284
1285 if (!params->cert_blob)
1286 {
1287 params->c->credentials = (ULONG_PTR)creds;
1288 return STATUS_SUCCESS;
1289 }
1290
1291 if (!(crt = get_x509_crt(params)))
1292 {
1293 pgnutls_certificate_free_credentials(creds);
1294 return STATUS_INTERNAL_ERROR;
1295 }
1296
1297 if (!(key = get_x509_key(params->key_size, params->key_blob)))
1298 {
1299 pgnutls_x509_crt_deinit(crt);
1300 pgnutls_certificate_free_credentials(creds);
1301 return STATUS_INTERNAL_ERROR;
1302 }
1303
1304 ret = pgnutls_certificate_set_x509_key(creds, &crt, 1, key);
1305 pgnutls_x509_privkey_deinit(key);
1306 pgnutls_x509_crt_deinit(crt);
1307 if (ret != GNUTLS_E_SUCCESS)
1308 {
1309 pgnutls_perror(ret);
1310 pgnutls_certificate_free_credentials(creds);
1311 return STATUS_INTERNAL_ERROR;
1312 }
1313
1314 params->c->credentials = (ULONG_PTR)creds;
1315 return STATUS_SUCCESS;
1316 }
1317
1318 static NTSTATUS schan_free_certificate_credentials( void *args )
1319 {
1320 const struct free_certificate_credentials_params *params = args;
1321 pgnutls_certificate_free_credentials(certificate_creds_from_handle(params->c->credentials));
1322 return STATUS_SUCCESS;
1323 }
1324
1325 static void gnutls_log(int level, const char *msg)
1326 {
1327 TRACE("<%d> %s", level, msg);
1328 }
1329
1330 static NTSTATUS process_attach( void *args )
1331 {
1332 const char *env_str;
1333 int ret;
1334
1335 if ((env_str = getenv("GNUTLS_SYSTEM_PRIORITY_FILE")))
1336 {
1337 WARN("GNUTLS_SYSTEM_PRIORITY_FILE is %s.\n", debugstr_a(env_str));
1338 }
1339 else
1340 {
1341 WARN("Setting GNUTLS_SYSTEM_PRIORITY_FILE to \"/dev/null\".\n");
1342 setenv("GNUTLS_SYSTEM_PRIORITY_FILE", "/dev/null", 0);
1343 }
1344
1345 libgnutls_handle = dlopen(SONAME_LIBGNUTLS, RTLD_NOW);
1346 if (!libgnutls_handle)
1347 {
1348 ERR_(winediag)("Failed to load libgnutls, secure connections will not be available.\n");
1349 return STATUS_DLL_NOT_FOUND;
1350 }
1351
1352 #define LOAD_FUNCPTR(f) \
1353 if (!(p##f = dlsym(libgnutls_handle, #f))) \
1354 { \
1355 ERR("Failed to load %s\n", #f); \
1356 goto fail; \
1357 }
1358
1359 LOAD_FUNCPTR(gnutls_alert_get)
1360 LOAD_FUNCPTR(gnutls_alert_get_name)
1361 LOAD_FUNCPTR(gnutls_certificate_allocate_credentials)
1362 LOAD_FUNCPTR(gnutls_certificate_free_credentials)
1363 LOAD_FUNCPTR(gnutls_certificate_get_peers)
1364 LOAD_FUNCPTR(gnutls_certificate_set_x509_key)
1365 LOAD_FUNCPTR(gnutls_cipher_get)
1366 LOAD_FUNCPTR(gnutls_cipher_get_key_size)
1367 LOAD_FUNCPTR(gnutls_credentials_set)
1368 LOAD_FUNCPTR(gnutls_deinit)
1369 LOAD_FUNCPTR(gnutls_global_deinit)
1370 LOAD_FUNCPTR(gnutls_global_init)
1371 LOAD_FUNCPTR(gnutls_global_set_log_function)
1372 LOAD_FUNCPTR(gnutls_global_set_log_level)
1373 LOAD_FUNCPTR(gnutls_handshake)
1374 LOAD_FUNCPTR(gnutls_init)
1375 LOAD_FUNCPTR(gnutls_kx_get)
1376 LOAD_FUNCPTR(gnutls_mac_get)
1377 LOAD_FUNCPTR(gnutls_mac_get_key_size)
1378 LOAD_FUNCPTR(gnutls_perror)
1379 LOAD_FUNCPTR(gnutls_protocol_get_version)
1380 LOAD_FUNCPTR(gnutls_priority_set_direct)
1381 LOAD_FUNCPTR(gnutls_privkey_deinit)
1382 LOAD_FUNCPTR(gnutls_privkey_init)
1383 LOAD_FUNCPTR(gnutls_record_get_max_size);
1384 LOAD_FUNCPTR(gnutls_record_recv);
1385 LOAD_FUNCPTR(gnutls_record_send);
1386 LOAD_FUNCPTR(gnutls_server_name_set)
1387 LOAD_FUNCPTR(gnutls_session_channel_binding)
1388 LOAD_FUNCPTR(gnutls_transport_get_ptr)
1389 LOAD_FUNCPTR(gnutls_transport_set_errno)
1390 LOAD_FUNCPTR(gnutls_transport_set_ptr)
1391 LOAD_FUNCPTR(gnutls_transport_set_pull_function)
1392 LOAD_FUNCPTR(gnutls_transport_set_push_function)
1393 LOAD_FUNCPTR(gnutls_x509_crt_deinit)
1394 LOAD_FUNCPTR(gnutls_x509_crt_import)
1395 LOAD_FUNCPTR(gnutls_x509_crt_init)
1396 LOAD_FUNCPTR(gnutls_x509_privkey_deinit)
1397 #undef LOAD_FUNCPTR
1398
1399 if (!(pgnutls_cipher_get_block_size = dlsym(libgnutls_handle, "gnutls_cipher_get_block_size")))
1400 {
1401 WARN("gnutls_cipher_get_block_size not found\n");
1402 pgnutls_cipher_get_block_size = compat_cipher_get_block_size;
1403 }
1404 if (!(pgnutls_transport_set_pull_timeout_function = dlsym(libgnutls_handle, "gnutls_transport_set_pull_timeout_function")))
1405 {
1406 WARN("gnutls_transport_set_pull_timeout_function not found\n");
1407 pgnutls_transport_set_pull_timeout_function = compat_gnutls_transport_set_pull_timeout_function;
1408 }
1409 if (!(pgnutls_alpn_set_protocols = dlsym(libgnutls_handle, "gnutls_alpn_set_protocols")))
1410 {
1411 WARN("gnutls_alpn_set_protocols not found\n");
1412 pgnutls_alpn_set_protocols = compat_gnutls_alpn_set_protocols;
1413 }
1414 if (!(pgnutls_alpn_get_selected_protocol = dlsym(libgnutls_handle, "gnutls_alpn_get_selected_protocol")))
1415 {
1416 WARN("gnutls_alpn_get_selected_protocol not found\n");
1417 pgnutls_alpn_get_selected_protocol = compat_gnutls_alpn_get_selected_protocol;
1418 }
1419 if (!(pgnutls_dtls_set_mtu = dlsym(libgnutls_handle, "gnutls_dtls_set_mtu")))
1420 {
1421 WARN("gnutls_dtls_set_mtu not found\n");
1422 pgnutls_dtls_set_mtu = compat_gnutls_dtls_set_mtu;
1423 }
1424 if (!(pgnutls_dtls_set_timeouts = dlsym(libgnutls_handle, "gnutls_dtls_set_timeouts")))
1425 {
1426 WARN("gnutls_dtls_set_timeouts not found\n");
1427 pgnutls_dtls_set_timeouts = compat_gnutls_dtls_set_timeouts;
1428 }
1429 if (!(pgnutls_privkey_export_x509 = dlsym(libgnutls_handle, "gnutls_privkey_export_x509")))
1430 {
1431 WARN("gnutls_privkey_export_x509 not found\n");
1432 pgnutls_privkey_export_x509 = compat_gnutls_privkey_export_x509;
1433 }
1434 if (!(pgnutls_privkey_import_rsa_raw = dlsym(libgnutls_handle, "gnutls_privkey_import_rsa_raw")))
1435 {
1436 WARN("gnutls_privkey_import_rsa_raw not found\n");
1437 pgnutls_privkey_import_rsa_raw = compat_gnutls_privkey_import_rsa_raw;
1438 }
1439
1440 ret = pgnutls_global_init();
1441 if (ret != GNUTLS_E_SUCCESS)
1442 {
1443 pgnutls_perror(ret);
1444 goto fail;
1445 }
1446
1447 if (TRACE_ON(secur32))
1448 {
1449 pgnutls_global_set_log_level(4);
1450 pgnutls_global_set_log_function(gnutls_log);
1451 }
1452
1453 check_supported_protocols();
1454 return STATUS_SUCCESS;
1455
1456 fail:
1457 dlclose(libgnutls_handle);
1458 libgnutls_handle = NULL;
1459 return STATUS_DLL_NOT_FOUND;
1460 }
1461
1462 static NTSTATUS process_detach( void *args )
1463 {
1464 pgnutls_global_deinit();
1465 dlclose(libgnutls_handle);
1466 libgnutls_handle = NULL;
1467 return STATUS_SUCCESS;
1468 }
1469
1470 const unixlib_entry_t __wine_unix_call_funcs[] =
1471 {
1472 process_attach,
1473 process_detach,
1474 schan_allocate_certificate_credentials,
1475 schan_create_session,
1476 schan_dispose_session,
1477 schan_free_certificate_credentials,
1478 schan_get_application_protocol,
1479 schan_get_cipher_info,
1480 schan_get_connection_info,
1481 schan_get_enabled_protocols,
1482 schan_get_key_signature_algorithm,
1483 schan_get_max_message_size,
1484 schan_get_session_cipher_block_size,
1485 schan_get_session_peer_certificate,
1486 schan_get_unique_channel_binding,
1487 schan_handshake,
1488 schan_recv,
1489 schan_send,
1490 schan_set_application_protocols,
1491 schan_set_dtls_mtu,
1492 schan_set_session_target,
1493 schan_set_dtls_timeouts,
1494 };
1495
1496 #ifdef _WIN64
1497
1498 typedef ULONG PTR32;
1499
1500 typedef struct SecBufferDesc32
1501 {
1502 ULONG ulVersion;
1503 ULONG cBuffers;
1504 PTR32 pBuffers;
1505 } SecBufferDesc32;
1506
1507 typedef struct SecBuffer32
1508 {
1509 ULONG cbBuffer;
1510 ULONG BufferType;
1511 PTR32 pvBuffer;
1512 } SecBuffer32;
1513
1514 static NTSTATUS wow64_schan_allocate_certificate_credentials( void *args )
1515 {
1516 struct
1517 {
1518 PTR32 c;
1519 ULONG cert_encoding;
1520 ULONG cert_size;
1521 PTR32 cert_blob;
1522 ULONG key_size;
1523 PTR32 key_blob;
1524 } const *params32 = args;
1525 struct allocate_certificate_credentials_params params =
1526 {
1527 ULongToPtr(params32->c),
1528 params32->cert_encoding,
1529 params32->cert_size,
1530 ULongToPtr(params32->cert_blob),
1531 params32->key_size,
1532 ULongToPtr(params32->key_blob),
1533 };
1534 return schan_allocate_certificate_credentials(&params);
1535 }
1536
1537 static NTSTATUS wow64_schan_create_session( void *args )
1538 {
1539 struct
1540 {
1541 PTR32 cred;
1542 PTR32 session;
1543 } const *params32 = args;
1544 struct create_session_params params =
1545 {
1546 ULongToPtr(params32->cred),
1547 ULongToPtr(params32->session),
1548 };
1549 return schan_create_session(&params);
1550 }
1551
1552 static NTSTATUS wow64_schan_free_certificate_credentials( void *args )
1553 {
1554 struct
1555 {
1556 PTR32 c;
1557 } const *params32 = args;
1558 struct free_certificate_credentials_params params =
1559 {
1560 ULongToPtr(params32->c),
1561 };
1562 return schan_free_certificate_credentials(&params);
1563 }
1564
1565 static NTSTATUS wow64_schan_get_application_protocol( void *args )
1566 {
1567 struct
1568 {
1569 schan_session session;
1570 PTR32 protocol;
1571 } const *params32 = args;
1572 struct get_application_protocol_params params =
1573 {
1574 params32->session,
1575 ULongToPtr(params32->protocol),
1576 };
1577 return schan_get_application_protocol(&params);
1578 }
1579
1580 static NTSTATUS wow64_schan_get_connection_info( void *args )
1581 {
1582 struct
1583 {
1584 schan_session session;
1585 PTR32 info;
1586 } const *params32 = args;
1587 struct get_connection_info_params params =
1588 {
1589 params32->session,
1590 ULongToPtr(params32->info),
1591 };
1592 return schan_get_connection_info(&params);
1593 }
1594
1595 static NTSTATUS wow64_schan_get_cipher_info( void *args )
1596 {
1597 struct
1598 {
1599 schan_session session;
1600 PTR32 info;
1601 } const *params32 = args;
1602 struct get_cipher_info_params params =
1603 {
1604 params32->session,
1605 ULongToPtr(params32->info),
1606 };
1607 return schan_get_cipher_info(&params);
1608 }
1609
1610 static NTSTATUS wow64_schan_get_session_peer_certificate( void *args )
1611 {
1612 struct
1613 {
1614 schan_session session;
1615 PTR32 buffer;
1616 PTR32 bufsize;
1617 PTR32 retcount;
1618 } const *params32 = args;
1619 struct get_session_peer_certificate_params params =
1620 {
1621 params32->session,
1622 ULongToPtr(params32->buffer),
1623 ULongToPtr(params32->bufsize),
1624 ULongToPtr(params32->retcount),
1625 };
1626 return schan_get_session_peer_certificate(&params);
1627 }
1628
1629 static NTSTATUS wow64_schan_get_unique_channel_binding( void *args )
1630 {
1631 struct
1632 {
1633 schan_session session;
1634 PTR32 buffer;
1635 PTR32 bufsize;
1636 } const *params32 = args;
1637 struct get_unique_channel_binding_params params =
1638 {
1639 params32->session,
1640 ULongToPtr(params32->buffer),
1641 ULongToPtr(params32->bufsize),
1642 };
1643 return schan_get_unique_channel_binding(&params);
1644 }
1645
1646 static void secbufferdesc_32to64(const SecBufferDesc32 *desc32, SecBufferDesc *desc)
1647 {
1648 unsigned int i;
1649
1650 desc->ulVersion = desc32->ulVersion;
1651 desc->cBuffers = desc32->cBuffers;
1652 for (i = 0; i < desc->cBuffers; ++i)
1653 {
1654 SecBuffer32 *buffer32 = ULongToPtr(desc32->pBuffers + i * sizeof(*buffer32));
1655 desc->pBuffers[i].cbBuffer = buffer32->cbBuffer;
1656 desc->pBuffers[i].BufferType = buffer32->BufferType;
1657 desc->pBuffers[i].pvBuffer = ULongToPtr(buffer32->pvBuffer);
1658 }
1659 }
1660
1661 static NTSTATUS wow64_schan_handshake( void *args )
1662 {
1663 SecBuffer input_buffers[3];
1664 SecBufferDesc input = { 0, 0, input_buffers };
1665 SecBuffer output_buffers[3];
1666 SecBufferDesc output = { 0, 0, output_buffers };
1667
1668 struct
1669 {
1670 schan_session session;
1671 PTR32 input;
1672 ULONG input_size;
1673 PTR32 output;
1674 PTR32 input_offset;
1675 PTR32 output_buffer_idx;
1676 PTR32 output_offset;
1677 } const *params32 = args;
1678 struct handshake_params params =
1679 {
1680 params32->session,
1681 params32->input ? &input : NULL,
1682 params32->input_size,
1683 params32->output ? &output : NULL,
1684 ULongToPtr(params32->input_offset),
1685 ULongToPtr(params32->output_buffer_idx),
1686 ULongToPtr(params32->output_offset),
1687 };
1688 if (params32->input)
1689 {
1690 SecBufferDesc32 *desc32 = ULongToPtr(params32->input);
1691 assert(desc32->cBuffers <= ARRAY_SIZE(input_buffers));
1692 secbufferdesc_32to64(desc32, &input);
1693 }
1694 if (params32->output)
1695 {
1696 SecBufferDesc32 *desc32 = ULongToPtr(params32->output);
1697 assert(desc32->cBuffers <= ARRAY_SIZE(output_buffers));
1698 secbufferdesc_32to64(desc32, &output);
1699 }
1700 return schan_handshake(&params);
1701 }
1702
1703 static NTSTATUS wow64_schan_recv( void *args )
1704 {
1705 SecBuffer buffers[3];
1706 SecBufferDesc input = { 0, 0, buffers };
1707
1708 struct
1709 {
1710 schan_session session;
1711 PTR32 input;
1712 ULONG input_size;
1713 PTR32 buffer;
1714 PTR32 length;
1715 } const *params32 = args;
1716 struct recv_params params =
1717 {
1718 params32->session,
1719 params32->input ? &input : NULL,
1720 params32->input_size,
1721 ULongToPtr(params32->buffer),
1722 ULongToPtr(params32->length),
1723 };
1724 if (params32->input)
1725 {
1726 SecBufferDesc32 *desc32 = ULongToPtr(params32->input);
1727 assert(desc32->cBuffers <= ARRAY_SIZE(buffers));
1728 secbufferdesc_32to64(desc32, &input);
1729 }
1730 return schan_recv(&params);
1731 }
1732
1733 static NTSTATUS wow64_schan_send( void *args )
1734 {
1735 SecBuffer buffers[3];
1736 SecBufferDesc output = { 0, 0, buffers };
1737
1738 struct
1739 {
1740 schan_session session;
1741 PTR32 output;
1742 PTR32 buffer;
1743 ULONG length;
1744 PTR32 output_buffer_idx;
1745 PTR32 output_offset;
1746 } const *params32 = args;
1747 struct send_params params =
1748 {
1749 params32->session,
1750 params32->output ? &output : NULL,
1751 ULongToPtr(params32->buffer),
1752 params32->length,
1753 ULongToPtr(params32->output_buffer_idx),
1754 ULongToPtr(params32->output_offset),
1755 };
1756 if (params32->output)
1757 {
1758 SecBufferDesc32 *desc32 = ULongToPtr(params32->output);
1759 assert(desc32->cBuffers <= ARRAY_SIZE(buffers));
1760 secbufferdesc_32to64(desc32, &output);
1761 }
1762 return schan_send(&params);
1763 }
1764
1765 static NTSTATUS wow64_schan_set_application_protocols( void *args )
1766 {
1767 struct
1768 {
1769 schan_session session;
1770 PTR32 buffer;
1771 unsigned int buflen;
1772 } const *params32 = args;
1773 struct set_application_protocols_params params =
1774 {
1775 params32->session,
1776 ULongToPtr(params32->buffer),
1777 params32->buflen,
1778 };
1779 return schan_set_application_protocols(&params);
1780 }
1781
1782 static NTSTATUS wow64_schan_set_session_target( void *args )
1783 {
1784 struct
1785 {
1786 schan_session session;
1787 PTR32 target;
1788 } const *params32 = args;
1789 struct set_session_target_params params =
1790 {
1791 params32->session,
1792 ULongToPtr(params32->target),
1793 };
1794 return schan_set_session_target(&params);
1795 }
1796
1797 const unixlib_entry_t __wine_unix_call_wow64_funcs[] =
1798 {
1799 process_attach,
1800 process_detach,
1801 wow64_schan_allocate_certificate_credentials,
1802 wow64_schan_create_session,
1803 schan_dispose_session,
1804 wow64_schan_free_certificate_credentials,
1805 wow64_schan_get_application_protocol,
1806 wow64_schan_get_cipher_info,
1807 wow64_schan_get_connection_info,
1808 schan_get_enabled_protocols,
1809 schan_get_key_signature_algorithm,
1810 schan_get_max_message_size,
1811 schan_get_session_cipher_block_size,
1812 wow64_schan_get_session_peer_certificate,
1813 wow64_schan_get_unique_channel_binding,
1814 wow64_schan_handshake,
1815 wow64_schan_recv,
1816 wow64_schan_send,
1817 wow64_schan_set_application_protocols,
1818 schan_set_dtls_mtu,
1819 wow64_schan_set_session_target,
1820 schan_set_dtls_timeouts,
1821 };
1822
1823 #endif /* _WIN64 */
1824
1825 #endif /* SONAME_LIBGNUTLS */
Windows API implementation