search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
secur32: Don't try to set an empty target name in schan_InitializeSecurityContextW.
[wine/multimedia.git] / dlls / secur32 / schannel_gnutls.c
blob11735745b905e260c4d30dbf744cd3e2212c4693
1 /*
2 * GnuTLS-based implementation of the schannel (SSL/TLS) provider.
3 *
4 * Copyright 2005 Juan Lang
5 * Copyright 2008 Henri Verbeet
6 *
7 * This library is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU Lesser General Public
9 * License as published by the Free Software Foundation; either
10 * version 2.1 of the License, or (at your option) any later version.
11 *
12 * This library is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
16 *
17 * You should have received a copy of the GNU Lesser General Public
18 * License along with this library; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
20 */
21
22 #include "config.h"
23 #include "wine/port.h"
24
25 #include <stdarg.h>
26 #ifdef SONAME_LIBGNUTLS
27 #include <gnutls/gnutls.h>
28 #include <gnutls/crypto.h>
29 #endif
30
31 #include "windef.h"
32 #include "winbase.h"
33 #include "sspi.h"
34 #include "schannel.h"
35 #include "secur32_priv.h"
36 #include "wine/debug.h"
37 #include "wine/library.h"
38
39 #if defined(SONAME_LIBGNUTLS) && !defined(HAVE_SECURITY_SECURITY_H)
40
41 WINE_DEFAULT_DEBUG_CHANNEL(secur32);
42 WINE_DECLARE_DEBUG_CHANNEL(winediag);
43
44 static void *libgnutls_handle;
45 #define MAKE_FUNCPTR(f) static typeof(f) * p##f
46 MAKE_FUNCPTR(gnutls_alert_get);
47 MAKE_FUNCPTR(gnutls_alert_get_name);
48 MAKE_FUNCPTR(gnutls_certificate_allocate_credentials);
49 MAKE_FUNCPTR(gnutls_certificate_free_credentials);
50 MAKE_FUNCPTR(gnutls_certificate_get_peers);
51 MAKE_FUNCPTR(gnutls_cipher_get);
52 MAKE_FUNCPTR(gnutls_cipher_get_key_size);
53 MAKE_FUNCPTR(gnutls_credentials_set);
54 MAKE_FUNCPTR(gnutls_deinit);
55 MAKE_FUNCPTR(gnutls_global_deinit);
56 MAKE_FUNCPTR(gnutls_global_init);
57 MAKE_FUNCPTR(gnutls_global_set_log_function);
58 MAKE_FUNCPTR(gnutls_global_set_log_level);
59 MAKE_FUNCPTR(gnutls_handshake);
60 MAKE_FUNCPTR(gnutls_init);
61 MAKE_FUNCPTR(gnutls_kx_get);
62 MAKE_FUNCPTR(gnutls_mac_get);
63 MAKE_FUNCPTR(gnutls_mac_get_key_size);
64 MAKE_FUNCPTR(gnutls_perror);
65 MAKE_FUNCPTR(gnutls_protocol_get_version);
66 MAKE_FUNCPTR(gnutls_priority_set_direct);
67 MAKE_FUNCPTR(gnutls_record_get_max_size);
68 MAKE_FUNCPTR(gnutls_record_recv);
69 MAKE_FUNCPTR(gnutls_record_send);
70 MAKE_FUNCPTR(gnutls_server_name_set);
71 MAKE_FUNCPTR(gnutls_transport_get_ptr);
72 MAKE_FUNCPTR(gnutls_transport_set_errno);
73 MAKE_FUNCPTR(gnutls_transport_set_ptr);
74 MAKE_FUNCPTR(gnutls_transport_set_pull_function);
75 MAKE_FUNCPTR(gnutls_transport_set_push_function);
76 #undef MAKE_FUNCPTR
77
78
79
80 static ssize_t schan_pull_adapter(gnutls_transport_ptr_t transport,
81 void *buff, size_t buff_len)
82 {
83 struct schan_transport *t = (struct schan_transport*)transport;
84 gnutls_session_t s = (gnutls_session_t)schan_session_for_transport(t);
85
86 int ret = schan_pull(transport, buff, &buff_len);
87 if (ret)
88 {
89 pgnutls_transport_set_errno(s, ret);
90 return -1;
91 }
92
93 return buff_len;
94 }
95
96 static ssize_t schan_push_adapter(gnutls_transport_ptr_t transport,
97 const void *buff, size_t buff_len)
98 {
99 struct schan_transport *t = (struct schan_transport*)transport;
100 gnutls_session_t s = (gnutls_session_t)schan_session_for_transport(t);
101
102 int ret = schan_push(transport, buff, &buff_len);
103 if (ret)
104 {
105 pgnutls_transport_set_errno(s, ret);
106 return -1;
107 }
108
109 return buff_len;
110 }
111
112 static const struct {
113 DWORD enable_flag;
114 const char *gnutls_flag;
115 } protocol_priority_flags[] = {
116 {SP_PROT_TLS1_2_CLIENT, "VERS-TLS1.2"},
117 {SP_PROT_TLS1_1_CLIENT, "VERS-TLS1.1"},
118 {SP_PROT_TLS1_0_CLIENT, "VERS-TLS1.0"},
119 {SP_PROT_SSL3_CLIENT, "VERS-SSL3.0"}
120 /* {SP_PROT_SSL2_CLIENT} is not supported by GnuTLS */
121 };
122
123 DWORD schan_imp_enabled_protocols(void)
124 {
125 /* NOTE: No support for SSL 2.0 */
126 return SP_PROT_SSL3_CLIENT | SP_PROT_TLS1_0_CLIENT | SP_PROT_TLS1_1_CLIENT | SP_PROT_TLS1_2_CLIENT;
127 }
128
129 BOOL schan_imp_create_session(schan_imp_session *session, schan_credentials *cred)
130 {
131 gnutls_session_t *s = (gnutls_session_t*)session;
132 char priority[64] = "NORMAL", *p;
133 unsigned i;
134
135 int err = pgnutls_init(s, cred->credential_use == SECPKG_CRED_INBOUND ? GNUTLS_SERVER : GNUTLS_CLIENT);
136 if (err != GNUTLS_E_SUCCESS)
137 {
138 pgnutls_perror(err);
139 return FALSE;
140 }
141
142 p = priority + strlen(priority);
143 for(i=0; i < sizeof(protocol_priority_flags)/sizeof(*protocol_priority_flags); i++) {
144 *p++ = ':';
145 *p++ = (cred->enabled_protocols & protocol_priority_flags[i].enable_flag) ? '+' : '-';
146 strcpy(p, protocol_priority_flags[i].gnutls_flag);
147 p += strlen(p);
148 }
149
150 TRACE("Using %s priority\n", debugstr_a(priority));
151 err = pgnutls_priority_set_direct(*s, priority, NULL);
152 if (err != GNUTLS_E_SUCCESS)
153 {
154 pgnutls_perror(err);
155 pgnutls_deinit(*s);
156 return FALSE;
157 }
158
159 err = pgnutls_credentials_set(*s, GNUTLS_CRD_CERTIFICATE,
160 (gnutls_certificate_credentials_t)cred->credentials);
161 if (err != GNUTLS_E_SUCCESS)
162 {
163 pgnutls_perror(err);
164 pgnutls_deinit(*s);
165 return FALSE;
166 }
167
168 pgnutls_transport_set_pull_function(*s, schan_pull_adapter);
169 pgnutls_transport_set_push_function(*s, schan_push_adapter);
170
171 return TRUE;
172 }
173
174 void schan_imp_dispose_session(schan_imp_session session)
175 {
176 gnutls_session_t s = (gnutls_session_t)session;
177 pgnutls_deinit(s);
178 }
179
180 void schan_imp_set_session_transport(schan_imp_session session,
181 struct schan_transport *t)
182 {
183 gnutls_session_t s = (gnutls_session_t)session;
184 pgnutls_transport_set_ptr(s, (gnutls_transport_ptr_t)t);
185 }
186
187 void schan_imp_set_session_target(schan_imp_session session, const char *target)
188 {
189 gnutls_session_t s = (gnutls_session_t)session;
190
191 pgnutls_server_name_set( s, GNUTLS_NAME_DNS, target, strlen(target) );
192 }
193
194 SECURITY_STATUS schan_imp_handshake(schan_imp_session session)
195 {
196 gnutls_session_t s = (gnutls_session_t)session;
197 int err;
198
199 while(1) {
200 err = pgnutls_handshake(s);
201 switch(err) {
202 case GNUTLS_E_SUCCESS:
203 TRACE("Handshake completed\n");
204 return SEC_E_OK;
205
206 case GNUTLS_E_AGAIN:
207 TRACE("Continue...\n");
208 return SEC_I_CONTINUE_NEEDED;
209
210 case GNUTLS_E_WARNING_ALERT_RECEIVED:
211 {
212 gnutls_alert_description_t alert = pgnutls_alert_get(s);
213
214 WARN("WARNING ALERT: %d %s\n", alert, pgnutls_alert_get_name(alert));
215
216 switch(alert) {
217 case GNUTLS_A_UNRECOGNIZED_NAME:
218 TRACE("Ignoring\n");
219 continue;
220 default:
221 return SEC_E_INTERNAL_ERROR;
222 }
223 }
224
225 case GNUTLS_E_FATAL_ALERT_RECEIVED:
226 {
227 gnutls_alert_description_t alert = pgnutls_alert_get(s);
228 WARN("FATAL ALERT: %d %s\n", alert, pgnutls_alert_get_name(alert));
229 return SEC_E_INTERNAL_ERROR;
230 }
231
232 default:
233 pgnutls_perror(err);
234 return SEC_E_INTERNAL_ERROR;
235 }
236 }
237
238 /* Never reached */
239 return SEC_E_OK;
240 }
241
242 static unsigned int schannel_get_cipher_block_size(gnutls_cipher_algorithm_t cipher)
243 {
244 const struct
245 {
246 gnutls_cipher_algorithm_t cipher;
247 unsigned int block_size;
248 }
249 algorithms[] =
250 {
251 {GNUTLS_CIPHER_3DES_CBC, 8},
252 {GNUTLS_CIPHER_AES_128_CBC, 16},
253 {GNUTLS_CIPHER_AES_256_CBC, 16},
254 {GNUTLS_CIPHER_ARCFOUR_128, 1},
255 {GNUTLS_CIPHER_ARCFOUR_40, 1},
256 {GNUTLS_CIPHER_DES_CBC, 8},
257 {GNUTLS_CIPHER_NULL, 1},
258 {GNUTLS_CIPHER_RC2_40_CBC, 8},
259 };
260 unsigned int i;
261
262 for (i = 0; i < sizeof(algorithms) / sizeof(*algorithms); ++i)
263 {
264 if (algorithms[i].cipher == cipher)
265 return algorithms[i].block_size;
266 }
267
268 FIXME("Unknown cipher %#x, returning 1\n", cipher);
269
270 return 1;
271 }
272
273 static DWORD schannel_get_protocol(gnutls_protocol_t proto)
274 {
275 /* FIXME: currently schannel only implements client connections, but
276 * there's no reason it couldn't be used for servers as well. The
277 * context doesn't tell us which it is, so assume client for now.
278 */
279 switch (proto)
280 {
281 case GNUTLS_SSL3: return SP_PROT_SSL3_CLIENT;
282 case GNUTLS_TLS1_0: return SP_PROT_TLS1_0_CLIENT;
283 case GNUTLS_TLS1_1: return SP_PROT_TLS1_1_CLIENT;
284 case GNUTLS_TLS1_2: return SP_PROT_TLS1_2_CLIENT;
285 default:
286 FIXME("unknown protocol %d\n", proto);
287 return 0;
288 }
289 }
290
291 static ALG_ID schannel_get_cipher_algid(gnutls_cipher_algorithm_t cipher)
292 {
293 switch (cipher)
294 {
295 case GNUTLS_CIPHER_UNKNOWN:
296 case GNUTLS_CIPHER_NULL: return 0;
297 case GNUTLS_CIPHER_ARCFOUR_40:
298 case GNUTLS_CIPHER_ARCFOUR_128: return CALG_RC4;
299 case GNUTLS_CIPHER_DES_CBC:
300 case GNUTLS_CIPHER_3DES_CBC: return CALG_DES;
301 case GNUTLS_CIPHER_AES_128_CBC:
302 case GNUTLS_CIPHER_AES_256_CBC: return CALG_AES;
303 case GNUTLS_CIPHER_RC2_40_CBC: return CALG_RC2;
304 default:
305 FIXME("unknown algorithm %d\n", cipher);
306 return 0;
307 }
308 }
309
310 static ALG_ID schannel_get_mac_algid(gnutls_mac_algorithm_t mac)
311 {
312 switch (mac)
313 {
314 case GNUTLS_MAC_UNKNOWN:
315 case GNUTLS_MAC_NULL: return 0;
316 case GNUTLS_MAC_MD5: return CALG_MD5;
317 case GNUTLS_MAC_SHA1:
318 case GNUTLS_MAC_SHA256:
319 case GNUTLS_MAC_SHA384:
320 case GNUTLS_MAC_SHA512: return CALG_SHA;
321 default:
322 FIXME("unknown algorithm %d\n", mac);
323 return 0;
324 }
325 }
326
327 static ALG_ID schannel_get_kx_algid(gnutls_kx_algorithm_t kx)
328 {
329 switch (kx)
330 {
331 case GNUTLS_KX_RSA: return CALG_RSA_KEYX;
332 case GNUTLS_KX_DHE_DSS:
333 case GNUTLS_KX_DHE_RSA: return CALG_DH_EPHEM;
334 default:
335 FIXME("unknown algorithm %d\n", kx);
336 return 0;
337 }
338 }
339
340 unsigned int schan_imp_get_session_cipher_block_size(schan_imp_session session)
341 {
342 gnutls_session_t s = (gnutls_session_t)session;
343 gnutls_cipher_algorithm_t cipher = pgnutls_cipher_get(s);
344 return schannel_get_cipher_block_size(cipher);
345 }
346
347 unsigned int schan_imp_get_max_message_size(schan_imp_session session)
348 {
349 return pgnutls_record_get_max_size((gnutls_session_t)session);
350 }
351
352 SECURITY_STATUS schan_imp_get_connection_info(schan_imp_session session,
353 SecPkgContext_ConnectionInfo *info)
354 {
355 gnutls_session_t s = (gnutls_session_t)session;
356 gnutls_protocol_t proto = pgnutls_protocol_get_version(s);
357 gnutls_cipher_algorithm_t alg = pgnutls_cipher_get(s);
358 gnutls_mac_algorithm_t mac = pgnutls_mac_get(s);
359 gnutls_kx_algorithm_t kx = pgnutls_kx_get(s);
360
361 info->dwProtocol = schannel_get_protocol(proto);
362 info->aiCipher = schannel_get_cipher_algid(alg);
363 info->dwCipherStrength = pgnutls_cipher_get_key_size(alg) * 8;
364 info->aiHash = schannel_get_mac_algid(mac);
365 info->dwHashStrength = pgnutls_mac_get_key_size(mac) * 8;
366 info->aiExch = schannel_get_kx_algid(kx);
367 /* FIXME: info->dwExchStrength? */
368 info->dwExchStrength = 0;
369 return SEC_E_OK;
370 }
371
372 SECURITY_STATUS schan_imp_get_session_peer_certificate(schan_imp_session session, HCERTSTORE store,
373 PCCERT_CONTEXT *ret)
374 {
375 gnutls_session_t s = (gnutls_session_t)session;
376 PCCERT_CONTEXT cert = NULL;
377 const gnutls_datum_t *datum;
378 unsigned list_size, i;
379 BOOL res;
380
381 datum = pgnutls_certificate_get_peers(s, &list_size);
382 if(!datum)
383 return SEC_E_INTERNAL_ERROR;
384
385 for(i = 0; i < list_size; i++) {
386 res = CertAddEncodedCertificateToStore(store, X509_ASN_ENCODING, datum[i].data, datum[i].size,
387 CERT_STORE_ADD_REPLACE_EXISTING, i ? NULL : &cert);
388 if(!res) {
389 if(i)
390 CertFreeCertificateContext(cert);
391 return GetLastError();
392 }
393 }
394
395 *ret = cert;
396 return SEC_E_OK;
397 }
398
399 SECURITY_STATUS schan_imp_send(schan_imp_session session, const void *buffer,
400 SIZE_T *length)
401 {
402 gnutls_session_t s = (gnutls_session_t)session;
403 ssize_t ret;
404
405 again:
406 ret = pgnutls_record_send(s, buffer, *length);
407
408 if (ret >= 0)
409 *length = ret;
410 else if (ret == GNUTLS_E_AGAIN)
411 {
412 struct schan_transport *t = (struct schan_transport *)pgnutls_transport_get_ptr(s);
413 SIZE_T count = 0;
414
415 if (schan_get_buffer(t, &t->out, &count))
416 goto again;
417
418 return SEC_I_CONTINUE_NEEDED;
419 }
420 else
421 {
422 pgnutls_perror(ret);
423 return SEC_E_INTERNAL_ERROR;
424 }
425
426 return SEC_E_OK;
427 }
428
429 SECURITY_STATUS schan_imp_recv(schan_imp_session session, void *buffer,
430 SIZE_T *length)
431 {
432 gnutls_session_t s = (gnutls_session_t)session;
433 ssize_t ret;
434
435 again:
436 ret = pgnutls_record_recv(s, buffer, *length);
437
438 if (ret >= 0)
439 *length = ret;
440 else if (ret == GNUTLS_E_AGAIN)
441 {
442 struct schan_transport *t = (struct schan_transport *)pgnutls_transport_get_ptr(s);
443 SIZE_T count = 0;
444
445 if (schan_get_buffer(t, &t->in, &count))
446 goto again;
447
448 return SEC_I_CONTINUE_NEEDED;
449 }
450 else
451 {
452 pgnutls_perror(ret);
453 return SEC_E_INTERNAL_ERROR;
454 }
455
456 return SEC_E_OK;
457 }
458
459 BOOL schan_imp_allocate_certificate_credentials(schan_credentials *c)
460 {
461 int ret = pgnutls_certificate_allocate_credentials((gnutls_certificate_credentials_t*)&c->credentials);
462 if (ret != GNUTLS_E_SUCCESS)
463 pgnutls_perror(ret);
464 return (ret == GNUTLS_E_SUCCESS);
465 }
466
467 void schan_imp_free_certificate_credentials(schan_credentials *c)
468 {
469 pgnutls_certificate_free_credentials(c->credentials);
470 }
471
472 static void schan_gnutls_log(int level, const char *msg)
473 {
474 TRACE("<%d> %s", level, msg);
475 }
476
477 BOOL schan_imp_init(void)
478 {
479 int ret;
480
481 libgnutls_handle = wine_dlopen(SONAME_LIBGNUTLS, RTLD_NOW, NULL, 0);
482 if (!libgnutls_handle)
483 {
484 ERR_(winediag)("Failed to load libgnutls, secure connections will not be available.\n");
485 return FALSE;
486 }
487
488 #define LOAD_FUNCPTR(f) \
489 if (!(p##f = wine_dlsym(libgnutls_handle, #f, NULL, 0))) \
490 { \
491 ERR("Failed to load %s\n", #f); \
492 goto fail; \
493 }
494
495 LOAD_FUNCPTR(gnutls_alert_get)
496 LOAD_FUNCPTR(gnutls_alert_get_name)
497 LOAD_FUNCPTR(gnutls_certificate_allocate_credentials)
498 LOAD_FUNCPTR(gnutls_certificate_free_credentials)
499 LOAD_FUNCPTR(gnutls_certificate_get_peers)
500 LOAD_FUNCPTR(gnutls_cipher_get)
501 LOAD_FUNCPTR(gnutls_cipher_get_key_size)
502 LOAD_FUNCPTR(gnutls_credentials_set)
503 LOAD_FUNCPTR(gnutls_deinit)
504 LOAD_FUNCPTR(gnutls_global_deinit)
505 LOAD_FUNCPTR(gnutls_global_init)
506 LOAD_FUNCPTR(gnutls_global_set_log_function)
507 LOAD_FUNCPTR(gnutls_global_set_log_level)
508 LOAD_FUNCPTR(gnutls_handshake)
509 LOAD_FUNCPTR(gnutls_init)
510 LOAD_FUNCPTR(gnutls_kx_get)
511 LOAD_FUNCPTR(gnutls_mac_get)
512 LOAD_FUNCPTR(gnutls_mac_get_key_size)
513 LOAD_FUNCPTR(gnutls_perror)
514 LOAD_FUNCPTR(gnutls_protocol_get_version)
515 LOAD_FUNCPTR(gnutls_priority_set_direct)
516 LOAD_FUNCPTR(gnutls_record_get_max_size);
517 LOAD_FUNCPTR(gnutls_record_recv);
518 LOAD_FUNCPTR(gnutls_record_send);
519 LOAD_FUNCPTR(gnutls_server_name_set)
520 LOAD_FUNCPTR(gnutls_transport_get_ptr)
521 LOAD_FUNCPTR(gnutls_transport_set_errno)
522 LOAD_FUNCPTR(gnutls_transport_set_ptr)
523 LOAD_FUNCPTR(gnutls_transport_set_pull_function)
524 LOAD_FUNCPTR(gnutls_transport_set_push_function)
525 #undef LOAD_FUNCPTR
526
527 ret = pgnutls_global_init();
528 if (ret != GNUTLS_E_SUCCESS)
529 {
530 pgnutls_perror(ret);
531 goto fail;
532 }
533
534 if (TRACE_ON(secur32))
535 {
536 pgnutls_global_set_log_level(4);
537 pgnutls_global_set_log_function(schan_gnutls_log);
538 }
539
540 return TRUE;
541
542 fail:
543 wine_dlclose(libgnutls_handle, NULL, 0);
544 libgnutls_handle = NULL;
545 return FALSE;
546 }
547
548 void schan_imp_deinit(void)
549 {
550 pgnutls_global_deinit();
551 wine_dlclose(libgnutls_handle, NULL, 0);
552 libgnutls_handle = NULL;
553 }
554
555 #endif /* SONAME_LIBGNUTLS && !HAVE_SECURITY_SECURITY_H */
Maarten's multimedia branch