search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
vbscript/tests: Add tests for the script TypeInfo's TypeComp binds.
[wine.git] / dlls / secur32 / schannel_macosx.c
blobd06267773ae47e8806a200c66669344feca8b122
1 /*
2 * Mac OS X Secure Transport implementation of the schannel (SSL/TLS) provider.
3 *
4 * Copyright 2005 Juan Lang
5 * Copyright 2008 Henri Verbeet
6 *
7 * This library is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU Lesser General Public
9 * License as published by the Free Software Foundation; either
10 * version 2.1 of the License, or (at your option) any later version.
11 *
12 * This library is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
16 *
17 * You should have received a copy of the GNU Lesser General Public
18 * License along with this library; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
20 */
21
22 #include "config.h"
23 #include "wine/port.h"
24
25 #include <stdarg.h>
26 #ifdef HAVE_SECURITY_SECURITY_H
27 #include <Security/Security.h>
28 #define GetCurrentThread GetCurrentThread_Mac
29 #define LoadResource LoadResource_Mac
30 #include <CoreServices/CoreServices.h>
31 #undef GetCurrentThread
32 #undef LoadResource
33 #endif
34
35 #include "windef.h"
36 #include "winbase.h"
37 #include "sspi.h"
38 #include "schannel.h"
39 #include "secur32_priv.h"
40 #include "wine/debug.h"
41 #include "wine/library.h"
42
43 #ifdef HAVE_SECURITY_SECURITY_H
44
45 WINE_DEFAULT_DEBUG_CHANNEL(secur32);
46
47 #if MAC_OS_X_VERSION_MAX_ALLOWED < 1060
48 /* Defined in <Security/CipherSuite.h> in the 10.6 SDK or later. */
49 enum {
50 TLS_ECDH_ECDSA_WITH_NULL_SHA = 0xC001,
51 TLS_ECDH_ECDSA_WITH_RC4_128_SHA = 0xC002,
52 TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA = 0xC003,
53 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA = 0xC004,
54 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA = 0xC005,
55 TLS_ECDHE_ECDSA_WITH_NULL_SHA = 0xC006,
56 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA = 0xC007,
57 TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA = 0xC008,
58 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA = 0xC009,
59 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA = 0xC00A,
60 TLS_ECDH_RSA_WITH_NULL_SHA = 0xC00B,
61 TLS_ECDH_RSA_WITH_RC4_128_SHA = 0xC00C,
62 TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA = 0xC00D,
63 TLS_ECDH_RSA_WITH_AES_128_CBC_SHA = 0xC00E,
64 TLS_ECDH_RSA_WITH_AES_256_CBC_SHA = 0xC00F,
65 TLS_ECDHE_RSA_WITH_NULL_SHA = 0xC010,
66 TLS_ECDHE_RSA_WITH_RC4_128_SHA = 0xC011,
67 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA = 0xC012,
68 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA = 0xC013,
69 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA = 0xC014,
70 TLS_ECDH_anon_WITH_NULL_SHA = 0xC015,
71 TLS_ECDH_anon_WITH_RC4_128_SHA = 0xC016,
72 TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA = 0xC017,
73 TLS_ECDH_anon_WITH_AES_128_CBC_SHA = 0xC018,
74 TLS_ECDH_anon_WITH_AES_256_CBC_SHA = 0xC019,
75 };
76 #endif
77
78 #if MAC_OS_X_VERSION_MAX_ALLOWED < 1080
79 /* Defined in <Security/CipherSuite.h> in the 10.8 SDK or later. */
80 enum {
81 TLS_NULL_WITH_NULL_NULL = 0x0000,
82 TLS_RSA_WITH_NULL_MD5 = 0x0001,
83 TLS_RSA_WITH_NULL_SHA = 0x0002,
84 TLS_RSA_WITH_RC4_128_MD5 = 0x0004,
85 TLS_RSA_WITH_RC4_128_SHA = 0x0005,
86 TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0x000A,
87 TLS_RSA_WITH_NULL_SHA256 = 0x003B,
88 TLS_RSA_WITH_AES_128_CBC_SHA256 = 0x003C,
89 TLS_RSA_WITH_AES_256_CBC_SHA256 = 0x003D,
90 TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA = 0x000D,
91 TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA = 0x0010,
92 TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA = 0x0013,
93 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 0x0016,
94 TLS_DH_DSS_WITH_AES_128_CBC_SHA256 = 0x003E,
95 TLS_DH_RSA_WITH_AES_128_CBC_SHA256 = 0x003F,
96 TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 = 0x0040,
97 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 = 0x0067,
98 TLS_DH_DSS_WITH_AES_256_CBC_SHA256 = 0x0068,
99 TLS_DH_RSA_WITH_AES_256_CBC_SHA256 = 0x0069,
100 TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 = 0x006A,
101 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 = 0x006B,
102 TLS_DH_anon_WITH_RC4_128_MD5 = 0x0018,
103 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA = 0x001B,
104 TLS_DH_anon_WITH_AES_128_CBC_SHA256 = 0x006C,
105 TLS_DH_anon_WITH_AES_256_CBC_SHA256 = 0x006D,
106 TLS_RSA_WITH_AES_128_GCM_SHA256 = 0x009C,
107 TLS_RSA_WITH_AES_256_GCM_SHA384 = 0x009D,
108 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 = 0x009E,
109 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 = 0x009F,
110 TLS_DH_RSA_WITH_AES_128_GCM_SHA256 = 0x00A0,
111 TLS_DH_RSA_WITH_AES_256_GCM_SHA384 = 0x00A1,
112 TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 = 0x00A2,
113 TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 = 0x00A3,
114 TLS_DH_DSS_WITH_AES_128_GCM_SHA256 = 0x00A4,
115 TLS_DH_DSS_WITH_AES_256_GCM_SHA384 = 0x00A5,
116 TLS_DH_anon_WITH_AES_128_GCM_SHA256 = 0x00A6,
117 TLS_DH_anon_WITH_AES_256_GCM_SHA384 = 0x00A7,
118 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 = 0xC023,
119 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 = 0xC024,
120 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 = 0xC025,
121 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 = 0xC026,
122 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 = 0xC027,
123 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 = 0xC028,
124 TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 = 0xC029,
125 TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 = 0xC02A,
126 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 = 0xC02B,
127 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 = 0xC02C,
128 TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 = 0xC02D,
129 TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 = 0xC02E,
130 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xC02F,
131 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 = 0xC030,
132 TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 = 0xC031,
133 TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 = 0xC032,
134 TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF,
135 };
136
137 /* Defined in <Security/SecureTransport.h> in the 10.8 SDK or later. */
138 enum {
139 kTLSProtocol11 = 7, /* TLS 1.1 */
140 kTLSProtocol12 = 8, /* TLS 1.2 */
141 };
142 #endif
143
144 #if MAC_OS_X_VERSION_MAX_ALLOWED < 1090
145 /* Defined in <Security/CipherSuite.h> in the 10.9 SDK or later. */
146 enum {
147 TLS_PSK_WITH_RC4_128_SHA = 0x008A,
148 TLS_PSK_WITH_3DES_EDE_CBC_SHA = 0x008B,
149 TLS_PSK_WITH_AES_128_CBC_SHA = 0x008C,
150 TLS_PSK_WITH_AES_256_CBC_SHA = 0x008D,
151 TLS_DHE_PSK_WITH_RC4_128_SHA = 0x008E,
152 TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA = 0x008F,
153 TLS_DHE_PSK_WITH_AES_128_CBC_SHA = 0x0090,
154 TLS_DHE_PSK_WITH_AES_256_CBC_SHA = 0x0091,
155 TLS_RSA_PSK_WITH_RC4_128_SHA = 0x0092,
156 TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA = 0x0093,
157 TLS_RSA_PSK_WITH_AES_128_CBC_SHA = 0x0094,
158 TLS_RSA_PSK_WITH_AES_256_CBC_SHA = 0x0095,
159 TLS_PSK_WITH_NULL_SHA = 0x002C,
160 TLS_DHE_PSK_WITH_NULL_SHA = 0x002D,
161 TLS_RSA_PSK_WITH_NULL_SHA = 0x002E,
162 TLS_PSK_WITH_AES_128_GCM_SHA256 = 0x00A8,
163 TLS_PSK_WITH_AES_256_GCM_SHA384 = 0x00A9,
164 TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 = 0x00AA,
165 TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 = 0x00AB,
166 TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 = 0x00AC,
167 TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 = 0x00AD,
168 TLS_PSK_WITH_AES_128_CBC_SHA256 = 0x00AE,
169 TLS_PSK_WITH_AES_256_CBC_SHA384 = 0x00AF,
170 TLS_PSK_WITH_NULL_SHA256 = 0x00B0,
171 TLS_PSK_WITH_NULL_SHA384 = 0x00B1,
172 TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 = 0x00B2,
173 TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 = 0x00B3,
174 TLS_DHE_PSK_WITH_NULL_SHA256 = 0x00B4,
175 TLS_DHE_PSK_WITH_NULL_SHA384 = 0x00B5,
176 TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 = 0x00B6,
177 TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 = 0x00B7,
178 TLS_RSA_PSK_WITH_NULL_SHA256 = 0x00B8,
179 TLS_RSA_PSK_WITH_NULL_SHA384 = 0x00B9,
180 };
181 #endif
182
183 enum schan_mode {
184 schan_mode_NONE,
185 schan_mode_READ,
186 schan_mode_WRITE,
187 schan_mode_HANDSHAKE,
188 };
189
190 struct mac_session {
191 SSLContextRef context;
192 struct schan_transport *transport;
193 enum schan_mode mode;
194 CRITICAL_SECTION cs;
195 };
196
197
198 enum {
199 schan_proto_SSL,
200 schan_proto_TLS,
201 };
202
203 enum {
204 schan_kx_DH_anon_EXPORT,
205 schan_kx_DH_anon,
206 schan_kx_DH_DSS_EXPORT,
207 schan_kx_DH_DSS,
208 schan_kx_DH_RSA_EXPORT,
209 schan_kx_DH_RSA,
210 schan_kx_DHE_DSS_EXPORT,
211 schan_kx_DHE_DSS,
212 schan_kx_DHE_PSK,
213 schan_kx_DHE_RSA_EXPORT,
214 schan_kx_DHE_RSA,
215 schan_kx_ECDH_anon,
216 schan_kx_ECDH_ECDSA,
217 schan_kx_ECDH_RSA,
218 schan_kx_ECDHE_ECDSA,
219 schan_kx_ECDHE_RSA,
220 schan_kx_FORTEZZA_DMS,
221 schan_kx_NULL,
222 schan_kx_PSK,
223 schan_kx_RSA_EXPORT,
224 schan_kx_RSA_PSK,
225 schan_kx_RSA,
226 };
227
228 enum {
229 schan_enc_3DES_EDE_CBC,
230 schan_enc_AES_128_CBC,
231 schan_enc_AES_128_GCM,
232 schan_enc_AES_256_CBC,
233 schan_enc_AES_256_GCM,
234 schan_enc_DES_CBC,
235 schan_enc_DES40_CBC,
236 schan_enc_FORTEZZA_CBC,
237 schan_enc_IDEA_CBC,
238 schan_enc_NULL,
239 schan_enc_RC2_CBC,
240 schan_enc_RC2_CBC_40,
241 schan_enc_RC4_128,
242 schan_enc_RC4_40,
243 };
244
245 enum {
246 schan_mac_MD5,
247 schan_mac_NULL,
248 schan_mac_SHA,
249 schan_mac_SHA256,
250 schan_mac_SHA384,
251 };
252
253
254 struct cipher_suite {
255 SSLCipherSuite suite;
256 int protocol;
257 int kx_alg;
258 int enc_alg;
259 int mac_alg;
260 };
261
262 /* This table corresponds to the enum in <Security/CipherSuite.h>. */
263 static const struct cipher_suite cipher_suites[] = {
264 #define CIPHER_SUITE(p, kx, enc, mac) { p##_##kx##_WITH_##enc##_##mac, schan_proto_##p, \
265 schan_kx_##kx, schan_enc_##enc, schan_mac_##mac }
266 CIPHER_SUITE(SSL, RSA, NULL, MD5),
267 CIPHER_SUITE(SSL, RSA, NULL, MD5),
268 CIPHER_SUITE(SSL, RSA, NULL, SHA),
269 CIPHER_SUITE(SSL, RSA_EXPORT, RC4_40, MD5),
270 CIPHER_SUITE(SSL, RSA, RC4_128, MD5),
271 CIPHER_SUITE(SSL, RSA, RC4_128, SHA),
272 CIPHER_SUITE(SSL, RSA_EXPORT, RC2_CBC_40, MD5),
273 CIPHER_SUITE(SSL, RSA, IDEA_CBC, SHA),
274 CIPHER_SUITE(SSL, RSA_EXPORT, DES40_CBC, SHA),
275 CIPHER_SUITE(SSL, RSA, DES_CBC, SHA),
276 CIPHER_SUITE(SSL, RSA, 3DES_EDE_CBC, SHA),
277 CIPHER_SUITE(SSL, DH_DSS_EXPORT, DES40_CBC, SHA),
278 CIPHER_SUITE(SSL, DH_DSS, DES_CBC, SHA),
279 CIPHER_SUITE(SSL, DH_DSS, 3DES_EDE_CBC, SHA),
280 CIPHER_SUITE(SSL, DH_RSA_EXPORT, DES40_CBC, SHA),
281 CIPHER_SUITE(SSL, DH_RSA, DES_CBC, SHA),
282 CIPHER_SUITE(SSL, DH_RSA, 3DES_EDE_CBC, SHA),
283 CIPHER_SUITE(SSL, DHE_DSS_EXPORT, DES40_CBC, SHA),
284 CIPHER_SUITE(SSL, DHE_DSS, DES_CBC, SHA),
285 CIPHER_SUITE(SSL, DHE_DSS, 3DES_EDE_CBC, SHA),
286 CIPHER_SUITE(SSL, DHE_RSA_EXPORT, DES40_CBC, SHA),
287 CIPHER_SUITE(SSL, DHE_RSA, DES_CBC, SHA),
288 CIPHER_SUITE(SSL, DHE_RSA, 3DES_EDE_CBC, SHA),
289 CIPHER_SUITE(SSL, DH_anon_EXPORT, RC4_40, MD5),
290 CIPHER_SUITE(SSL, DH_anon, RC4_128, MD5),
291 CIPHER_SUITE(SSL, DH_anon_EXPORT, DES40_CBC, SHA),
292 CIPHER_SUITE(SSL, DH_anon, DES_CBC, SHA),
293 CIPHER_SUITE(SSL, DH_anon, 3DES_EDE_CBC, SHA),
294 CIPHER_SUITE(SSL, FORTEZZA_DMS, NULL, SHA),
295 CIPHER_SUITE(SSL, FORTEZZA_DMS, FORTEZZA_CBC, SHA),
296
297 CIPHER_SUITE(TLS, RSA, AES_128_CBC, SHA),
298 CIPHER_SUITE(TLS, DH_DSS, AES_128_CBC, SHA),
299 CIPHER_SUITE(TLS, DH_RSA, AES_128_CBC, SHA),
300 CIPHER_SUITE(TLS, DHE_DSS, AES_128_CBC, SHA),
301 CIPHER_SUITE(TLS, DHE_RSA, AES_128_CBC, SHA),
302 CIPHER_SUITE(TLS, DH_anon, AES_128_CBC, SHA),
303 CIPHER_SUITE(TLS, RSA, AES_256_CBC, SHA),
304 CIPHER_SUITE(TLS, DH_DSS, AES_256_CBC, SHA),
305 CIPHER_SUITE(TLS, DH_RSA, AES_256_CBC, SHA),
306 CIPHER_SUITE(TLS, DHE_DSS, AES_256_CBC, SHA),
307 CIPHER_SUITE(TLS, DHE_RSA, AES_256_CBC, SHA),
308 CIPHER_SUITE(TLS, DH_anon, AES_256_CBC, SHA),
309
310 CIPHER_SUITE(TLS, ECDH_ECDSA, NULL, SHA),
311 CIPHER_SUITE(TLS, ECDH_ECDSA, RC4_128, SHA),
312 CIPHER_SUITE(TLS, ECDH_ECDSA, 3DES_EDE_CBC, SHA),
313 CIPHER_SUITE(TLS, ECDH_ECDSA, AES_128_CBC, SHA),
314 CIPHER_SUITE(TLS, ECDH_ECDSA, AES_256_CBC, SHA),
315 CIPHER_SUITE(TLS, ECDHE_ECDSA, NULL, SHA),
316 CIPHER_SUITE(TLS, ECDHE_ECDSA, RC4_128, SHA),
317 CIPHER_SUITE(TLS, ECDHE_ECDSA, 3DES_EDE_CBC, SHA),
318 CIPHER_SUITE(TLS, ECDHE_ECDSA, AES_128_CBC, SHA),
319 CIPHER_SUITE(TLS, ECDHE_ECDSA, AES_256_CBC, SHA),
320 CIPHER_SUITE(TLS, ECDH_RSA, NULL, SHA),
321 CIPHER_SUITE(TLS, ECDH_RSA, RC4_128, SHA),
322 CIPHER_SUITE(TLS, ECDH_RSA, 3DES_EDE_CBC, SHA),
323 CIPHER_SUITE(TLS, ECDH_RSA, AES_128_CBC, SHA),
324 CIPHER_SUITE(TLS, ECDH_RSA, AES_256_CBC, SHA),
325 CIPHER_SUITE(TLS, ECDHE_RSA, NULL, SHA),
326 CIPHER_SUITE(TLS, ECDHE_RSA, RC4_128, SHA),
327 CIPHER_SUITE(TLS, ECDHE_RSA, 3DES_EDE_CBC, SHA),
328 CIPHER_SUITE(TLS, ECDHE_RSA, AES_128_CBC, SHA),
329 CIPHER_SUITE(TLS, ECDHE_RSA, AES_256_CBC, SHA),
330 CIPHER_SUITE(TLS, ECDH_anon, NULL, SHA),
331 CIPHER_SUITE(TLS, ECDH_anon, RC4_128, SHA),
332 CIPHER_SUITE(TLS, ECDH_anon, 3DES_EDE_CBC, SHA),
333 CIPHER_SUITE(TLS, ECDH_anon, AES_128_CBC, SHA),
334 CIPHER_SUITE(TLS, ECDH_anon, AES_256_CBC, SHA),
335
336 CIPHER_SUITE(TLS, NULL, NULL, NULL),
337 CIPHER_SUITE(TLS, RSA, NULL, MD5),
338 CIPHER_SUITE(TLS, RSA, NULL, SHA),
339 CIPHER_SUITE(TLS, RSA, RC4_128, MD5),
340 CIPHER_SUITE(TLS, RSA, RC4_128, SHA),
341 CIPHER_SUITE(TLS, RSA, 3DES_EDE_CBC, SHA),
342 CIPHER_SUITE(TLS, RSA, NULL, SHA256),
343 CIPHER_SUITE(TLS, RSA, AES_128_CBC, SHA256),
344 CIPHER_SUITE(TLS, RSA, AES_256_CBC, SHA256),
345 CIPHER_SUITE(TLS, DH_DSS, 3DES_EDE_CBC, SHA),
346 CIPHER_SUITE(TLS, DH_RSA, 3DES_EDE_CBC, SHA),
347 CIPHER_SUITE(TLS, DHE_DSS, 3DES_EDE_CBC, SHA),
348 CIPHER_SUITE(TLS, DHE_RSA, 3DES_EDE_CBC, SHA),
349 CIPHER_SUITE(TLS, DH_DSS, AES_128_CBC, SHA256),
350 CIPHER_SUITE(TLS, DH_RSA, AES_128_CBC, SHA256),
351 CIPHER_SUITE(TLS, DHE_DSS, AES_128_CBC, SHA256),
352 CIPHER_SUITE(TLS, DHE_RSA, AES_128_CBC, SHA256),
353 CIPHER_SUITE(TLS, DH_DSS, AES_256_CBC, SHA256),
354 CIPHER_SUITE(TLS, DH_RSA, AES_256_CBC, SHA256),
355 CIPHER_SUITE(TLS, DHE_DSS, AES_256_CBC, SHA256),
356 CIPHER_SUITE(TLS, DHE_RSA, AES_256_CBC, SHA256),
357 CIPHER_SUITE(TLS, DH_anon, RC4_128, MD5),
358 CIPHER_SUITE(TLS, DH_anon, 3DES_EDE_CBC, SHA),
359 CIPHER_SUITE(TLS, DH_anon, AES_128_CBC, SHA256),
360 CIPHER_SUITE(TLS, DH_anon, AES_256_CBC, SHA256),
361
362 CIPHER_SUITE(TLS, PSK, RC4_128, SHA),
363 CIPHER_SUITE(TLS, PSK, 3DES_EDE_CBC, SHA),
364 CIPHER_SUITE(TLS, PSK, AES_128_CBC, SHA),
365 CIPHER_SUITE(TLS, PSK, AES_256_CBC, SHA),
366 CIPHER_SUITE(TLS, DHE_PSK, RC4_128, SHA),
367 CIPHER_SUITE(TLS, DHE_PSK, 3DES_EDE_CBC, SHA),
368 CIPHER_SUITE(TLS, DHE_PSK, AES_128_CBC, SHA),
369 CIPHER_SUITE(TLS, DHE_PSK, AES_256_CBC, SHA),
370 CIPHER_SUITE(TLS, RSA_PSK, RC4_128, SHA),
371 CIPHER_SUITE(TLS, RSA_PSK, 3DES_EDE_CBC, SHA),
372 CIPHER_SUITE(TLS, RSA_PSK, AES_128_CBC, SHA),
373 CIPHER_SUITE(TLS, RSA_PSK, AES_256_CBC, SHA),
374 CIPHER_SUITE(TLS, PSK, NULL, SHA),
375 CIPHER_SUITE(TLS, DHE_PSK, NULL, SHA),
376 CIPHER_SUITE(TLS, RSA_PSK, NULL, SHA),
377
378 CIPHER_SUITE(TLS, RSA, AES_128_GCM, SHA256),
379 CIPHER_SUITE(TLS, RSA, AES_256_GCM, SHA384),
380 CIPHER_SUITE(TLS, DHE_RSA, AES_128_GCM, SHA256),
381 CIPHER_SUITE(TLS, DHE_RSA, AES_256_GCM, SHA384),
382 CIPHER_SUITE(TLS, DH_RSA, AES_128_GCM, SHA256),
383 CIPHER_SUITE(TLS, DH_RSA, AES_256_GCM, SHA384),
384 CIPHER_SUITE(TLS, DHE_DSS, AES_128_GCM, SHA256),
385 CIPHER_SUITE(TLS, DHE_DSS, AES_256_GCM, SHA384),
386 CIPHER_SUITE(TLS, DH_DSS, AES_128_GCM, SHA256),
387 CIPHER_SUITE(TLS, DH_DSS, AES_256_GCM, SHA384),
388 CIPHER_SUITE(TLS, DH_anon, AES_128_GCM, SHA256),
389 CIPHER_SUITE(TLS, DH_anon, AES_256_GCM, SHA384),
390
391 CIPHER_SUITE(TLS, PSK, AES_128_GCM, SHA256),
392 CIPHER_SUITE(TLS, PSK, AES_256_GCM, SHA384),
393 CIPHER_SUITE(TLS, DHE_PSK, AES_128_GCM, SHA256),
394 CIPHER_SUITE(TLS, DHE_PSK, AES_256_GCM, SHA384),
395 CIPHER_SUITE(TLS, RSA_PSK, AES_128_GCM, SHA256),
396 CIPHER_SUITE(TLS, RSA_PSK, AES_256_GCM, SHA384),
397 CIPHER_SUITE(TLS, PSK, AES_128_CBC, SHA256),
398 CIPHER_SUITE(TLS, PSK, AES_256_CBC, SHA384),
399 CIPHER_SUITE(TLS, PSK, NULL, SHA256),
400 CIPHER_SUITE(TLS, PSK, NULL, SHA384),
401 CIPHER_SUITE(TLS, DHE_PSK, AES_128_CBC, SHA256),
402 CIPHER_SUITE(TLS, DHE_PSK, AES_256_CBC, SHA384),
403 CIPHER_SUITE(TLS, DHE_PSK, NULL, SHA256),
404 CIPHER_SUITE(TLS, DHE_PSK, NULL, SHA384),
405 CIPHER_SUITE(TLS, RSA_PSK, AES_128_CBC, SHA256),
406 CIPHER_SUITE(TLS, RSA_PSK, AES_256_CBC, SHA384),
407 CIPHER_SUITE(TLS, RSA_PSK, NULL, SHA256),
408 CIPHER_SUITE(TLS, RSA_PSK, NULL, SHA384),
409
410 CIPHER_SUITE(TLS, ECDHE_ECDSA, AES_128_CBC, SHA256),
411 CIPHER_SUITE(TLS, ECDHE_ECDSA, AES_256_CBC, SHA384),
412 CIPHER_SUITE(TLS, ECDH_ECDSA, AES_128_CBC, SHA256),
413 CIPHER_SUITE(TLS, ECDH_ECDSA, AES_256_CBC, SHA384),
414 CIPHER_SUITE(TLS, ECDHE_RSA, AES_128_CBC, SHA256),
415 CIPHER_SUITE(TLS, ECDHE_RSA, AES_256_CBC, SHA384),
416 CIPHER_SUITE(TLS, ECDH_RSA, AES_128_CBC, SHA256),
417 CIPHER_SUITE(TLS, ECDH_RSA, AES_256_CBC, SHA384),
418 CIPHER_SUITE(TLS, ECDHE_ECDSA, AES_128_GCM, SHA256),
419 CIPHER_SUITE(TLS, ECDHE_ECDSA, AES_256_GCM, SHA384),
420 CIPHER_SUITE(TLS, ECDH_ECDSA, AES_128_GCM, SHA256),
421 CIPHER_SUITE(TLS, ECDH_ECDSA, AES_256_GCM, SHA384),
422 CIPHER_SUITE(TLS, ECDHE_RSA, AES_128_GCM, SHA256),
423 CIPHER_SUITE(TLS, ECDHE_RSA, AES_256_GCM, SHA384),
424 CIPHER_SUITE(TLS, ECDH_RSA, AES_128_GCM, SHA256),
425 CIPHER_SUITE(TLS, ECDH_RSA, AES_256_GCM, SHA384),
426
427 CIPHER_SUITE(SSL, RSA, RC2_CBC, MD5),
428 CIPHER_SUITE(SSL, RSA, IDEA_CBC, MD5),
429 CIPHER_SUITE(SSL, RSA, DES_CBC, MD5),
430 CIPHER_SUITE(SSL, RSA, 3DES_EDE_CBC, MD5),
431 #undef CIPHER_SUITE
432 };
433
434
435 static const struct cipher_suite* get_cipher_suite(SSLCipherSuite cipher_suite)
436 {
437 int i;
438 for (i = 0; i < ARRAY_SIZE(cipher_suites); i++)
439 {
440 if (cipher_suites[i].suite == cipher_suite)
441 return &cipher_suites[i];
442 }
443
444 return NULL;
445 }
446
447
448 static DWORD schan_get_session_protocol(struct mac_session* s)
449 {
450 SSLProtocol protocol;
451 int status;
452
453 TRACE("(%p/%p)\n", s, s->context);
454
455 status = SSLGetNegotiatedProtocolVersion(s->context, &protocol);
456 if (status != noErr)
457 {
458 ERR("Failed to get session protocol: %d\n", status);
459 return 0;
460 }
461
462 TRACE("protocol %d\n", protocol);
463
464 switch (protocol)
465 {
466 case kSSLProtocol2: return SP_PROT_SSL2_CLIENT;
467 case kSSLProtocol3: return SP_PROT_SSL3_CLIENT;
468 case kTLSProtocol1: return SP_PROT_TLS1_CLIENT;
469 case kTLSProtocol11: return SP_PROT_TLS1_1_CLIENT;
470 case kTLSProtocol12: return SP_PROT_TLS1_2_CLIENT;
471 default:
472 FIXME("unknown protocol %d\n", protocol);
473 return 0;
474 }
475 }
476
477 static ALG_ID schan_get_cipher_algid(const struct cipher_suite* c)
478 {
479 TRACE("(%#x)\n", (unsigned int)c->suite);
480
481 switch (c->enc_alg)
482 {
483 case schan_enc_3DES_EDE_CBC: return CALG_3DES;
484 case schan_enc_AES_128_CBC: return CALG_AES_128;
485 case schan_enc_AES_256_CBC: return CALG_AES_256;
486 case schan_enc_DES_CBC: return CALG_DES;
487 case schan_enc_DES40_CBC: return CALG_DES;
488 case schan_enc_NULL: return 0;
489 case schan_enc_RC2_CBC_40: return CALG_RC2;
490 case schan_enc_RC2_CBC: return CALG_RC2;
491 case schan_enc_RC4_128: return CALG_RC4;
492 case schan_enc_RC4_40: return CALG_RC4;
493
494 case schan_enc_AES_128_GCM:
495 case schan_enc_AES_256_GCM:
496 case schan_enc_FORTEZZA_CBC:
497 case schan_enc_IDEA_CBC:
498 FIXME("Don't know CALG for encryption algorithm %d, returning 0\n", c->enc_alg);
499 return 0;
500
501 default:
502 FIXME("Unknown encryption algorithm %d for cipher suite %#x, returning 0\n", c->enc_alg, (unsigned int)c->suite);
503 return 0;
504 }
505 }
506
507 static unsigned int schan_get_cipher_key_size(const struct cipher_suite* c)
508 {
509 TRACE("(%#x)\n", (unsigned int)c->suite);
510
511 switch (c->enc_alg)
512 {
513 case schan_enc_3DES_EDE_CBC: return 168;
514 case schan_enc_AES_128_CBC: return 128;
515 case schan_enc_AES_128_GCM: return 128;
516 case schan_enc_AES_256_CBC: return 256;
517 case schan_enc_AES_256_GCM: return 256;
518 case schan_enc_DES_CBC: return 56;
519 case schan_enc_DES40_CBC: return 40;
520 case schan_enc_NULL: return 0;
521 case schan_enc_RC2_CBC_40: return 40;
522 case schan_enc_RC2_CBC: return 128;
523 case schan_enc_RC4_128: return 128;
524 case schan_enc_RC4_40: return 40;
525
526 case schan_enc_FORTEZZA_CBC:
527 case schan_enc_IDEA_CBC:
528 FIXME("Don't know key size for encryption algorithm %d, returning 0\n", c->enc_alg);
529 return 0;
530
531 default:
532 FIXME("Unknown encryption algorithm %d for cipher suite %#x, returning 0\n", c->enc_alg, (unsigned int)c->suite);
533 return 0;
534 }
535 }
536
537 static ALG_ID schan_get_mac_algid(const struct cipher_suite* c)
538 {
539 TRACE("(%#x)\n", (unsigned int)c->suite);
540
541 switch (c->mac_alg)
542 {
543 case schan_mac_MD5: return CALG_MD5;
544 case schan_mac_NULL: return 0;
545 case schan_mac_SHA: return CALG_SHA;
546 case schan_mac_SHA256: return CALG_SHA_256;
547 case schan_mac_SHA384: return CALG_SHA_384;
548
549 default:
550 FIXME("Unknown hashing algorithm %d for cipher suite %#x, returning 0\n", c->mac_alg, (unsigned)c->suite);
551 return 0;
552 }
553 }
554
555 static unsigned int schan_get_mac_key_size(const struct cipher_suite* c)
556 {
557 TRACE("(%#x)\n", (unsigned int)c->suite);
558
559 switch (c->mac_alg)
560 {
561 case schan_mac_MD5: return 128;
562 case schan_mac_NULL: return 0;
563 case schan_mac_SHA: return 160;
564 case schan_mac_SHA256: return 256;
565 case schan_mac_SHA384: return 384;
566
567 default:
568 FIXME("Unknown hashing algorithm %d for cipher suite %#x, returning 0\n", c->mac_alg, (unsigned)c->suite);
569 return 0;
570 }
571 }
572
573 static ALG_ID schan_get_kx_algid(const struct cipher_suite* c)
574 {
575 TRACE("(%#x)\n", (unsigned int)c->suite);
576
577 switch (c->kx_alg)
578 {
579 case schan_kx_DHE_DSS_EXPORT:
580 case schan_kx_DHE_DSS:
581 case schan_kx_DHE_PSK:
582 case schan_kx_DHE_RSA_EXPORT:
583 case schan_kx_DHE_RSA: return CALG_DH_EPHEM;
584 case schan_kx_ECDH_anon:
585 case schan_kx_ECDH_ECDSA:
586 case schan_kx_ECDH_RSA: return CALG_ECDH;
587 case schan_kx_ECDHE_ECDSA:
588 case schan_kx_ECDHE_RSA: return CALG_ECDH_EPHEM;
589 case schan_kx_NULL: return 0;
590 case schan_kx_RSA:
591 case schan_kx_RSA_EXPORT:
592 case schan_kx_RSA_PSK: return CALG_RSA_KEYX;
593
594 case schan_kx_DH_anon_EXPORT:
595 case schan_kx_DH_anon:
596 case schan_kx_DH_DSS_EXPORT:
597 case schan_kx_DH_DSS:
598 case schan_kx_DH_RSA_EXPORT:
599 case schan_kx_DH_RSA:
600 case schan_kx_FORTEZZA_DMS:
601 case schan_kx_PSK:
602 FIXME("Don't know CALG for key exchange algorithm %d for cipher suite %#x, returning 0\n", c->kx_alg, (unsigned)c->suite);
603 return 0;
604
605 default:
606 FIXME("Unknown key exchange algorithm %d for cipher suite %#x, returning 0\n", c->kx_alg, (unsigned)c->suite);
607 return 0;
608 }
609 }
610
611
612 /* schan_pull_adapter
613 * Callback registered with SSLSetIOFuncs as the read function for a
614 * session. Reads data from the session connection. Conforms to the
615 * SSLReadFunc type.
616 *
617 * transport - The session connection
618 * buff - The buffer into which to store the read data. Must be at least
619 * *buff_len bytes in length.
620 * *buff_len - On input, the desired length to read. On successful return,
621 * the number of bytes actually read.
622 *
623 * Returns:
624 * noErr on complete success meaning the requested length was successfully
625 * read.
626 * errSSLWouldBlock when the requested length could not be read without
627 * blocking. *buff_len indicates how much was actually read. The
628 * caller should try again if/when they want to read more.
629 * errSSLClosedGraceful when the connection has closed and there's no
630 * more data to be read.
631 * other error code for failure.
632 */
633 static OSStatus schan_pull_adapter(SSLConnectionRef transport, void *buff,
634 SIZE_T *buff_len)
635 {
636 struct mac_session *s = (struct mac_session*)transport;
637 size_t requested = *buff_len;
638 int status;
639 OSStatus ret;
640
641 TRACE("(%p/%p, %p, %p/%lu)\n", s, s->transport, buff, buff_len, *buff_len);
642
643 if (s->mode != schan_mode_READ && s->mode != schan_mode_HANDSHAKE)
644 {
645 WARN("called in mode %u\n", s->mode);
646 return noErr;
647 }
648
649 status = schan_pull(s->transport, buff, buff_len);
650 if (status == 0)
651 {
652 if (*buff_len == 0)
653 {
654 TRACE("Connection closed\n");
655 ret = errSSLClosedGraceful;
656 }
657 else if (*buff_len < requested)
658 {
659 TRACE("Pulled %lu bytes before would block\n", *buff_len);
660 ret = errSSLWouldBlock;
661 }
662 else
663 {
664 TRACE("Pulled %lu bytes\n", *buff_len);
665 ret = noErr;
666 }
667 }
668 else if (status == EAGAIN)
669 {
670 TRACE("Would block before being able to pull anything\n");
671 ret = errSSLWouldBlock;
672 }
673 else
674 {
675 FIXME("Unknown status code from schan_pull: %d\n", status);
676 ret = ioErr;
677 }
678
679 return ret;
680 }
681
682 /* schan_push_adapter
683 * Callback registered with SSLSetIOFuncs as the write function for a
684 * session. Writes data to the session connection. Conforms to the
685 * SSLWriteFunc type.
686 *
687 * transport - The session connection
688 * buff - The buffer of data to write. Must be at least *buff_len bytes in length.
689 * *buff_len - On input, the desired length to write. On successful return,
690 * the number of bytes actually written.
691 *
692 * Returns:
693 * noErr on complete or partial success; *buff_len indicates how much data
694 * was actually written, which may be less than requested.
695 * errSSLWouldBlock when no data could be written without blocking. The
696 * caller should try again.
697 * other error code for failure.
698 */
699 static OSStatus schan_push_adapter(SSLConnectionRef transport, const void *buff,
700 SIZE_T *buff_len)
701 {
702 struct mac_session *s = (struct mac_session*)transport;
703 int status;
704 OSStatus ret;
705
706 TRACE("(%p/%p, %p, %p/%lu)\n", s, s->transport, buff, buff_len, *buff_len);
707
708 if (s->mode != schan_mode_WRITE && s->mode != schan_mode_HANDSHAKE)
709 {
710 WARN("called in mode %u\n", s->mode);
711 return noErr;
712 }
713
714 status = schan_push(s->transport, buff, buff_len);
715 if (status == 0)
716 {
717 TRACE("Pushed %lu bytes\n", *buff_len);
718 ret = noErr;
719 }
720 else if (status == EAGAIN)
721 {
722 TRACE("Would block before being able to push anything\n");
723 ret = errSSLWouldBlock;
724 }
725 else
726 {
727 FIXME("Unknown status code from schan_push: %d\n", status);
728 ret = ioErr;
729 }
730
731 return ret;
732 }
733
734 static const struct {
735 DWORD enable_flag;
736 SSLProtocol mac_version;
737 } protocol_priority_flags[] = {
738 {SP_PROT_TLS1_2_CLIENT, kTLSProtocol12},
739 {SP_PROT_TLS1_1_CLIENT, kTLSProtocol11},
740 {SP_PROT_TLS1_0_CLIENT, kTLSProtocol1},
741 {SP_PROT_SSL3_CLIENT, kSSLProtocol3},
742 {SP_PROT_SSL2_CLIENT, kSSLProtocol2}
743 };
744
745 static DWORD supported_protocols;
746
747 DWORD schan_imp_enabled_protocols(void)
748 {
749 return supported_protocols;
750 }
751
752 BOOL schan_imp_create_session(schan_imp_session *session, schan_credentials *cred)
753 {
754 struct mac_session *s;
755 unsigned i;
756 int status;
757
758 TRACE("(%p)\n", session);
759
760 s = heap_alloc(sizeof(*s));
761 if (!s)
762 return FALSE;
763
764 InitializeCriticalSection(&s->cs);
765 s->cs.DebugInfo->Spare[0] = (DWORD_PTR)(__FILE__ ": mac_session.cs");
766
767 status = SSLNewContext(cred->credential_use == SECPKG_CRED_INBOUND, &s->context);
768 if (status != noErr)
769 {
770 ERR("Failed to create session context: %d\n", status);
771 goto fail;
772 }
773
774 status = SSLSetConnection(s->context, s);
775 if (status != noErr)
776 {
777 ERR("Failed to set session connection: %d\n", status);
778 goto fail;
779 }
780
781 status = SSLSetEnableCertVerify(s->context, FALSE);
782 if (status != noErr)
783 {
784 ERR("Failed to disable certificate verification: %d\n", status);
785 goto fail;
786 }
787
788 for(i = 0; i < ARRAY_SIZE(protocol_priority_flags); i++) {
789 if(!(protocol_priority_flags[i].enable_flag & supported_protocols))
790 continue;
791
792 status = SSLSetProtocolVersionEnabled(s->context, protocol_priority_flags[i].mac_version,
793 (cred->enabled_protocols & protocol_priority_flags[i].enable_flag) != 0);
794 if (status != noErr)
795 {
796 ERR("Failed to set SSL version %d: %d\n", protocol_priority_flags[i].mac_version, status);
797 goto fail;
798 }
799 }
800
801 status = SSLSetIOFuncs(s->context, schan_pull_adapter, schan_push_adapter);
802 if (status != noErr)
803 {
804 ERR("Failed to set session I/O funcs: %d\n", status);
805 goto fail;
806 }
807
808 s->mode = schan_mode_NONE;
809
810 TRACE(" -> %p/%p\n", s, s->context);
811
812 *session = (schan_imp_session)s;
813 return TRUE;
814
815 fail:
816 heap_free(s);
817 return FALSE;
818 }
819
820 void schan_imp_dispose_session(schan_imp_session session)
821 {
822 struct mac_session *s = (struct mac_session*)session;
823 int status;
824
825 TRACE("(%p/%p)\n", s, s->context);
826
827 status = SSLDisposeContext(s->context);
828 if (status != noErr)
829 ERR("Failed to dispose of session context: %d\n", status);
830 DeleteCriticalSection(&s->cs);
831 heap_free(s);
832 }
833
834 void schan_imp_set_session_transport(schan_imp_session session,
835 struct schan_transport *t)
836 {
837 struct mac_session *s = (struct mac_session*)session;
838
839 TRACE("(%p/%p, %p)\n", s, s->context, t);
840
841 s->transport = t;
842 }
843
844 void schan_imp_set_session_target(schan_imp_session session, const char *target)
845 {
846 struct mac_session *s = (struct mac_session*)session;
847
848 TRACE("(%p/%p, %s)\n", s, s->context, debugstr_a(target));
849
850 SSLSetPeerDomainName( s->context, target, strlen(target) );
851 }
852
853 SECURITY_STATUS schan_imp_handshake(schan_imp_session session)
854 {
855 struct mac_session *s = (struct mac_session*)session;
856 int status;
857
858 TRACE("(%p/%p)\n", s, s->context);
859
860 s->mode = schan_mode_HANDSHAKE;
861 status = SSLHandshake(s->context);
862 s->mode = schan_mode_NONE;
863
864 if (status == noErr)
865 {
866 TRACE("Handshake completed\n");
867 return SEC_E_OK;
868 }
869 else if (status == errSSLWouldBlock)
870 {
871 TRACE("Continue...\n");
872 return SEC_I_CONTINUE_NEEDED;
873 }
874 else if (errSecErrnoBase <= status && status <= errSecErrnoLimit)
875 {
876 ERR("Handshake failed: %s\n", strerror(status));
877 return SEC_E_INTERNAL_ERROR;
878 }
879 else
880 {
881 ERR("Handshake failed: %d\n", status);
882 cssmPerror("SSLHandshake", status);
883 return SEC_E_INTERNAL_ERROR;
884 }
885
886 /* Never reached */
887 return SEC_E_OK;
888 }
889
890 unsigned int schan_imp_get_session_cipher_block_size(schan_imp_session session)
891 {
892 struct mac_session* s = (struct mac_session*)session;
893 SSLCipherSuite cipherSuite;
894 const struct cipher_suite* c;
895 int status;
896
897 TRACE("(%p/%p)\n", s, s->context);
898
899 status = SSLGetNegotiatedCipher(s->context, &cipherSuite);
900 if (status != noErr)
901 {
902 ERR("Failed to get session cipher suite: %d\n", status);
903 return 0;
904 }
905
906 c = get_cipher_suite(cipherSuite);
907 if (!c)
908 {
909 ERR("Unknown session cipher suite: %#x\n", (unsigned int)cipherSuite);
910 return 0;
911 }
912
913 switch (c->enc_alg)
914 {
915 case schan_enc_3DES_EDE_CBC: return 64;
916 case schan_enc_AES_128_CBC: return 128;
917 case schan_enc_AES_128_GCM: return 128;
918 case schan_enc_AES_256_CBC: return 128;
919 case schan_enc_AES_256_GCM: return 128;
920 case schan_enc_DES_CBC: return 64;
921 case schan_enc_DES40_CBC: return 64;
922 case schan_enc_NULL: return 0;
923 case schan_enc_RC2_CBC_40: return 64;
924 case schan_enc_RC2_CBC: return 64;
925 case schan_enc_RC4_128: return 0;
926 case schan_enc_RC4_40: return 0;
927
928 case schan_enc_FORTEZZA_CBC:
929 case schan_enc_IDEA_CBC:
930 FIXME("Don't know block size for encryption algorithm %d, returning 0\n", c->enc_alg);
931 return 0;
932
933 default:
934 FIXME("Unknown encryption algorithm %d for cipher suite %#x, returning 0\n", c->enc_alg, (unsigned int)c->suite);
935 return 0;
936 }
937 }
938
939 unsigned int schan_imp_get_max_message_size(schan_imp_session session)
940 {
941 FIXME("Returning 1 << 14.\n");
942 return 1 << 14;
943 }
944
945 ALG_ID schan_imp_get_key_signature_algorithm(schan_imp_session session)
946 {
947 struct mac_session* s = (struct mac_session*)session;
948 SSLCipherSuite cipherSuite;
949 const struct cipher_suite* c;
950 int status;
951
952 TRACE("(%p/%p)\n", s, s->context);
953
954 status = SSLGetNegotiatedCipher(s->context, &cipherSuite);
955 if (status != noErr)
956 {
957 ERR("Failed to get session cipher suite: %d\n", status);
958 return 0;
959 }
960
961 c = get_cipher_suite(cipherSuite);
962 if (!c)
963 {
964 ERR("Unknown session cipher suite: %#x\n", (unsigned int)cipherSuite);
965 return 0;
966 }
967
968 switch (c->kx_alg)
969 {
970 case schan_kx_DH_DSS_EXPORT:
971 case schan_kx_DH_DSS:
972 case schan_kx_DHE_DSS_EXPORT:
973 case schan_kx_DHE_DSS:
974 return CALG_DSS_SIGN;
975
976 case schan_kx_DH_RSA_EXPORT:
977 case schan_kx_DH_RSA:
978 case schan_kx_DHE_RSA_EXPORT:
979 case schan_kx_DHE_RSA:
980 case schan_kx_ECDH_RSA:
981 case schan_kx_ECDHE_RSA:
982 case schan_kx_RSA_EXPORT:
983 case schan_kx_RSA:
984 return CALG_RSA_SIGN;
985
986 case schan_kx_ECDH_ECDSA:
987 case schan_kx_ECDHE_ECDSA:
988 return CALG_ECDSA;
989
990 case schan_kx_DH_anon_EXPORT:
991 case schan_kx_DH_anon:
992 case schan_kx_DHE_PSK:
993 case schan_kx_ECDH_anon:
994 case schan_kx_FORTEZZA_DMS:
995 case schan_kx_NULL:
996 case schan_kx_PSK:
997 case schan_kx_RSA_PSK:
998 FIXME("Don't know key signature algorithm for key exchange algorithm %d, returning 0\n", c->kx_alg);
999 return 0;
1000
1001 default:
1002 FIXME("Unknown key exchange algorithm %d for cipher suite %#x, returning 0\n", c->kx_alg, (unsigned int)c->suite);
1003 return 0;
1004 }
1005 }
1006
1007 SECURITY_STATUS schan_imp_get_connection_info(schan_imp_session session,
1008 SecPkgContext_ConnectionInfo *info)
1009 {
1010 struct mac_session* s = (struct mac_session*)session;
1011 SSLCipherSuite cipherSuite;
1012 const struct cipher_suite* c;
1013 int status;
1014
1015 TRACE("(%p/%p, %p)\n", s, s->context, info);
1016
1017 status = SSLGetNegotiatedCipher(s->context, &cipherSuite);
1018 if (status != noErr)
1019 {
1020 ERR("Failed to get session cipher suite: %d\n", status);
1021 return SEC_E_INTERNAL_ERROR;
1022 }
1023
1024 c = get_cipher_suite(cipherSuite);
1025 if (!c)
1026 {
1027 ERR("Unknown session cipher suite: %#x\n", (unsigned int)cipherSuite);
1028 return SEC_E_INTERNAL_ERROR;
1029 }
1030
1031 info->dwProtocol = schan_get_session_protocol(s);
1032 info->aiCipher = schan_get_cipher_algid(c);
1033 info->dwCipherStrength = schan_get_cipher_key_size(c);
1034 info->aiHash = schan_get_mac_algid(c);
1035 info->dwHashStrength = schan_get_mac_key_size(c);
1036 info->aiExch = schan_get_kx_algid(c);
1037 /* FIXME: info->dwExchStrength? */
1038 info->dwExchStrength = 0;
1039
1040 return SEC_E_OK;
1041 }
1042
1043 #ifndef HAVE_SSLCOPYPEERCERTIFICATES
1044 static void schan_imp_cf_release(const void *arg, void *ctx)
1045 {
1046 CFRelease(arg);
1047 }
1048 #endif
1049
1050 SECURITY_STATUS schan_imp_get_session_peer_certificate(schan_imp_session session, HCERTSTORE store,
1051 PCCERT_CONTEXT *ret_cert)
1052 {
1053 struct mac_session* s = (struct mac_session*)session;
1054 SECURITY_STATUS ret = SEC_E_OK;
1055 PCCERT_CONTEXT cert = NULL;
1056 SecCertificateRef mac_cert;
1057 CFArrayRef cert_array;
1058 int status;
1059 CFIndex cnt, i;
1060 CFDataRef data;
1061 BOOL res;
1062
1063 TRACE("(%p/%p, %p)\n", s, s->context, cert);
1064
1065 #ifdef HAVE_SSLCOPYPEERCERTIFICATES
1066 status = SSLCopyPeerCertificates(s->context, &cert_array);
1067 #else
1068 status = SSLGetPeerCertificates(s->context, &cert_array);
1069 #endif
1070 if (status != noErr || !cert_array)
1071 {
1072 WARN("SSLCopyPeerCertificates failed: %d\n", status);
1073 return SEC_E_INTERNAL_ERROR;
1074 }
1075
1076 cnt = CFArrayGetCount(cert_array);
1077 for (i=0; i < cnt; i++) {
1078 if (!(mac_cert = (SecCertificateRef)CFArrayGetValueAtIndex(cert_array, i)) ||
1079 (SecKeychainItemExport(mac_cert, kSecFormatX509Cert, 0, NULL, &data) != noErr))
1080 {
1081 WARN("Couldn't extract certificate data\n");
1082 ret = SEC_E_INTERNAL_ERROR;
1083 break;
1084 }
1085
1086 res = CertAddEncodedCertificateToStore(store, X509_ASN_ENCODING, CFDataGetBytePtr(data), CFDataGetLength(data),
1087 CERT_STORE_ADD_REPLACE_EXISTING, i ? NULL : &cert);
1088 CFRelease(data);
1089 if (!res)
1090 {
1091 ret = GetLastError();
1092 WARN("CertAddEncodedCertificateToStore failed: %x\n", ret);
1093 break;
1094 }
1095 }
1096
1097 #ifndef HAVE_SSLCOPYPEERCERTIFICATES
1098 /* This is why SSLGetPeerCertificates was deprecated */
1099 CFArrayApplyFunction(cert_array, CFRangeMake(0, CFArrayGetCount(cert_array)),
1100 schan_imp_cf_release, NULL);
1101 #endif
1102 CFRelease(cert_array);
1103 if (ret != SEC_E_OK) {
1104 if(cert)
1105 CertFreeCertificateContext(cert);
1106 return ret;
1107 }
1108
1109 *ret_cert = cert;
1110 return SEC_E_OK;
1111 }
1112
1113 SECURITY_STATUS schan_imp_send(schan_imp_session session, const void *buffer,
1114 SIZE_T *length)
1115 {
1116 struct mac_session* s = (struct mac_session*)session;
1117 int status;
1118
1119 TRACE("(%p/%p, %p, %p/%lu)\n", s, s->context, buffer, length, *length);
1120
1121 EnterCriticalSection(&s->cs);
1122 s->mode = schan_mode_WRITE;
1123
1124 status = SSLWrite(s->context, buffer, *length, length);
1125
1126 s->mode = schan_mode_NONE;
1127 LeaveCriticalSection(&s->cs);
1128
1129 if (status == noErr)
1130 TRACE("Wrote %lu bytes\n", *length);
1131 else if (status == errSSLWouldBlock)
1132 {
1133 if (!*length)
1134 {
1135 TRACE("Would block before being able to write anything\n");
1136 return SEC_I_CONTINUE_NEEDED;
1137 }
1138 else
1139 TRACE("Wrote %lu bytes before would block\n", *length);
1140 }
1141 else
1142 {
1143 WARN("SSLWrite failed: %d\n", status);
1144 return SEC_E_INTERNAL_ERROR;
1145 }
1146
1147 return SEC_E_OK;
1148 }
1149
1150 SECURITY_STATUS schan_imp_recv(schan_imp_session session, void *buffer,
1151 SIZE_T *length)
1152 {
1153 struct mac_session* s = (struct mac_session*)session;
1154 int status;
1155
1156 TRACE("(%p/%p, %p, %p/%lu)\n", s, s->context, buffer, length, *length);
1157
1158 EnterCriticalSection(&s->cs);
1159 s->mode = schan_mode_READ;
1160
1161 status = SSLRead(s->context, buffer, *length, length);
1162
1163 s->mode = schan_mode_NONE;
1164 LeaveCriticalSection(&s->cs);
1165
1166 if (status == noErr || status == errSSLClosedGraceful)
1167 TRACE("Read %lu bytes\n", *length);
1168 else if (status == errSSLWouldBlock)
1169 {
1170 if (!*length)
1171 {
1172 TRACE("Would block before being able to read anything\n");
1173 return SEC_I_CONTINUE_NEEDED;
1174 }
1175 else
1176 TRACE("Read %lu bytes before would block\n", *length);
1177 }
1178 else
1179 {
1180 WARN("SSLRead failed: %d\n", status);
1181 return SEC_E_INTERNAL_ERROR;
1182 }
1183
1184 return SEC_E_OK;
1185 }
1186
1187 BOOL schan_imp_allocate_certificate_credentials(schan_credentials *c, const CERT_CONTEXT *cert)
1188 {
1189 if (cert) FIXME("no support for certificate credentials on this platform\n");
1190 c->credentials = NULL;
1191 return TRUE;
1192 }
1193
1194 void schan_imp_free_certificate_credentials(schan_credentials *c)
1195 {
1196 }
1197
1198 BOOL schan_imp_init(void)
1199 {
1200 TRACE("()\n");
1201
1202 supported_protocols = SP_PROT_SSL2_CLIENT | SP_PROT_SSL3_CLIENT | SP_PROT_TLS1_0_CLIENT;
1203
1204 #if MAC_OS_X_VERSION_MAX_ALLOWED >= 1080
1205 if(&SSLGetProtocolVersionMax != NULL) {
1206 SSLProtocol max_protocol;
1207 SSLContextRef ctx;
1208 OSStatus status;
1209
1210 status = SSLNewContext(FALSE, &ctx);
1211 if(status == noErr) {
1212 status = SSLGetProtocolVersionMax(ctx, &max_protocol);
1213 if(status == noErr) {
1214 if(max_protocol >= kTLSProtocol11)
1215 supported_protocols |= SP_PROT_TLS1_1_CLIENT;
1216 if(max_protocol >= kTLSProtocol12)
1217 supported_protocols |= SP_PROT_TLS1_2_CLIENT;
1218 }
1219 SSLDisposeContext(ctx);
1220 }else {
1221 WARN("SSLNewContext failed\n");
1222 }
1223 }
1224 #endif
1225
1226 return TRUE;
1227 }
1228
1229 void schan_imp_deinit(void)
1230 {
1231 TRACE("()\n");
1232 }
1233
1234 #endif /* HAVE_SECURITY_SECURITY_H */
Windows API implementation