libcups/cups/tls-sspi.c

*5e7646d2SAndroid Build Coastguard Worker/*
*5e7646d2SAndroid Build Coastguard Worker * TLS support for CUPS on Windows using the Security Support Provider
*5e7646d2SAndroid Build Coastguard Worker * Interface (SSPI).
*5e7646d2SAndroid Build Coastguard Worker *
*5e7646d2SAndroid Build Coastguard Worker * Copyright 2010-2018 by Apple Inc.
*5e7646d2SAndroid Build Coastguard Worker *
*5e7646d2SAndroid Build Coastguard Worker * Licensed under Apache License v2.0.  See the file "LICENSE" for more information.
*5e7646d2SAndroid Build Coastguard Worker */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker/**** This file is included from tls.c ****/
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker/*
*5e7646d2SAndroid Build Coastguard Worker * Include necessary headers...
*5e7646d2SAndroid Build Coastguard Worker */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker#include "debug-private.h"
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker/*
*5e7646d2SAndroid Build Coastguard Worker * Include necessary libraries...
*5e7646d2SAndroid Build Coastguard Worker */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker#pragma comment(lib, "Crypt32.lib")
*5e7646d2SAndroid Build Coastguard Worker#pragma comment(lib, "Secur32.lib")
*5e7646d2SAndroid Build Coastguard Worker#pragma comment(lib, "Ws2_32.lib")
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker/*
*5e7646d2SAndroid Build Coastguard Worker * Constants...
*5e7646d2SAndroid Build Coastguard Worker */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker#ifndef SECURITY_FLAG_IGNORE_UNKNOWN_CA
*5e7646d2SAndroid Build Coastguard Worker#  define SECURITY_FLAG_IGNORE_UNKNOWN_CA         0x00000100 /* Untrusted root */
*5e7646d2SAndroid Build Coastguard Worker#endif /* SECURITY_FLAG_IGNORE_UNKNOWN_CA */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker#ifndef SECURITY_FLAG_IGNORE_CERT_CN_INVALID
*5e7646d2SAndroid Build Coastguard Worker#  define SECURITY_FLAG_IGNORE_CERT_CN_INVALID	  0x00001000 /* Common name does not match */
*5e7646d2SAndroid Build Coastguard Worker#endif /* !SECURITY_FLAG_IGNORE_CERT_CN_INVALID */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker#ifndef SECURITY_FLAG_IGNORE_CERT_DATE_INVALID
*5e7646d2SAndroid Build Coastguard Worker#  define SECURITY_FLAG_IGNORE_CERT_DATE_INVALID  0x00002000 /* Expired X509 Cert. */
*5e7646d2SAndroid Build Coastguard Worker#endif /* !SECURITY_FLAG_IGNORE_CERT_DATE_INVALID */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker/*
*5e7646d2SAndroid Build Coastguard Worker * Local globals...
*5e7646d2SAndroid Build Coastguard Worker */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Workerstatic int		tls_options = -1,/* Options for TLS connections */
*5e7646d2SAndroid Build Coastguard Worker			tls_min_version = _HTTP_TLS_1_0,
*5e7646d2SAndroid Build Coastguard Worker			tls_max_version = _HTTP_TLS_MAX;
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker/*
*5e7646d2SAndroid Build Coastguard Worker * Local functions...
*5e7646d2SAndroid Build Coastguard Worker */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Workerstatic _http_sspi_t *http_sspi_alloc(void);
*5e7646d2SAndroid Build Coastguard Workerstatic int	http_sspi_client(http_t *http, const char *hostname);
*5e7646d2SAndroid Build Coastguard Workerstatic PCCERT_CONTEXT http_sspi_create_credential(http_credential_t *cred);
*5e7646d2SAndroid Build Coastguard Workerstatic BOOL	http_sspi_find_credentials(http_t *http, const LPWSTR containerName, const char *common_name);
*5e7646d2SAndroid Build Coastguard Workerstatic void	http_sspi_free(_http_sspi_t *sspi);
*5e7646d2SAndroid Build Coastguard Workerstatic BOOL	http_sspi_make_credentials(_http_sspi_t *sspi, const LPWSTR containerName, const char *common_name, _http_mode_t mode, int years);
*5e7646d2SAndroid Build Coastguard Workerstatic int	http_sspi_server(http_t *http, const char *hostname);
*5e7646d2SAndroid Build Coastguard Workerstatic void	http_sspi_set_allows_any_root(_http_sspi_t *sspi, BOOL allow);
*5e7646d2SAndroid Build Coastguard Workerstatic void	http_sspi_set_allows_expired_certs(_http_sspi_t *sspi, BOOL allow);
*5e7646d2SAndroid Build Coastguard Workerstatic const char *http_sspi_strerror(char *buffer, size_t bufsize, DWORD code);
*5e7646d2SAndroid Build Coastguard Workerstatic DWORD	http_sspi_verify(PCCERT_CONTEXT cert, const char *common_name, DWORD dwCertFlags);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker/*
*5e7646d2SAndroid Build Coastguard Worker * 'cupsMakeServerCredentials()' - Make a self-signed certificate and private key pair.
*5e7646d2SAndroid Build Coastguard Worker *
*5e7646d2SAndroid Build Coastguard Worker * @since CUPS 2.0/OS 10.10@
*5e7646d2SAndroid Build Coastguard Worker */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Workerint					/* O - 1 on success, 0 on failure */
*5e7646d2SAndroid Build Coastguard WorkercupsMakeServerCredentials(
*5e7646d2SAndroid Build Coastguard Worker    const char *path,			/* I - Keychain path or @code NULL@ for default */
*5e7646d2SAndroid Build Coastguard Worker    const char *common_name,		/* I - Common name */
*5e7646d2SAndroid Build Coastguard Worker    int        num_alt_names,		/* I - Number of subject alternate names */
*5e7646d2SAndroid Build Coastguard Worker    const char **alt_names,		/* I - Subject Alternate Names */
*5e7646d2SAndroid Build Coastguard Worker    time_t     expiration_date)		/* I - Expiration date */
*5e7646d2SAndroid Build Coastguard Worker{
*5e7646d2SAndroid Build Coastguard Worker  _http_sspi_t	*sspi;			/* SSPI data */
*5e7646d2SAndroid Build Coastguard Worker  int		ret;			/* Return value */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  DEBUG_printf(("cupsMakeServerCredentials(path=\"%s\", common_name=\"%s\", num_alt_names=%d, alt_names=%p, expiration_date=%d)", path, common_name, num_alt_names, alt_names, (int)expiration_date));
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  (void)path;
*5e7646d2SAndroid Build Coastguard Worker  (void)num_alt_names;
*5e7646d2SAndroid Build Coastguard Worker  (void)alt_names;
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  sspi = http_sspi_alloc();
*5e7646d2SAndroid Build Coastguard Worker  ret  = http_sspi_make_credentials(sspi, L"ServerContainer", common_name, _HTTP_MODE_SERVER, (int)((expiration_date - time(NULL) + 86399) / 86400 / 365));
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  http_sspi_free(sspi);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  return (ret);
*5e7646d2SAndroid Build Coastguard Worker}
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker/*
*5e7646d2SAndroid Build Coastguard Worker * 'cupsSetServerCredentials()' - Set the default server credentials.
*5e7646d2SAndroid Build Coastguard Worker *
*5e7646d2SAndroid Build Coastguard Worker * Note: The server credentials are used by all threads in the running process.
*5e7646d2SAndroid Build Coastguard Worker * This function is threadsafe.
*5e7646d2SAndroid Build Coastguard Worker *
*5e7646d2SAndroid Build Coastguard Worker * @since CUPS 2.0/OS 10.10@
*5e7646d2SAndroid Build Coastguard Worker */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Workerint					/* O - 1 on success, 0 on failure */
*5e7646d2SAndroid Build Coastguard WorkercupsSetServerCredentials(
*5e7646d2SAndroid Build Coastguard Worker    const char *path,			/* I - Keychain path or @code NULL@ for default */
*5e7646d2SAndroid Build Coastguard Worker    const char *common_name,		/* I - Default common name for server */
*5e7646d2SAndroid Build Coastguard Worker    int        auto_create)		/* I - 1 = automatically create self-signed certificates */
*5e7646d2SAndroid Build Coastguard Worker{
*5e7646d2SAndroid Build Coastguard Worker  DEBUG_printf(("cupsSetServerCredentials(path=\"%s\", common_name=\"%s\", auto_create=%d)", path, common_name, auto_create));
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  (void)path;
*5e7646d2SAndroid Build Coastguard Worker  (void)common_name;
*5e7646d2SAndroid Build Coastguard Worker  (void)auto_create;
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  return (0);
*5e7646d2SAndroid Build Coastguard Worker}
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker/*
*5e7646d2SAndroid Build Coastguard Worker * 'httpCopyCredentials()' - Copy the credentials associated with the peer in
*5e7646d2SAndroid Build Coastguard Worker *                           an encrypted connection.
*5e7646d2SAndroid Build Coastguard Worker *
*5e7646d2SAndroid Build Coastguard Worker * @since CUPS 1.5/macOS 10.7@
*5e7646d2SAndroid Build Coastguard Worker */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Workerint					/* O - Status of call (0 = success) */
*5e7646d2SAndroid Build Coastguard WorkerhttpCopyCredentials(
*5e7646d2SAndroid Build Coastguard Worker    http_t	 *http,			/* I - Connection to server */
*5e7646d2SAndroid Build Coastguard Worker    cups_array_t **credentials)		/* O - Array of credentials */
*5e7646d2SAndroid Build Coastguard Worker{
*5e7646d2SAndroid Build Coastguard Worker  DEBUG_printf(("httpCopyCredentials(http=%p, credentials=%p)", http, credentials));
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (!http || !http->tls || !http->tls->remoteCert || !credentials)
*5e7646d2SAndroid Build Coastguard Worker  {
*5e7646d2SAndroid Build Coastguard Worker    if (credentials)
*5e7646d2SAndroid Build Coastguard Worker      *credentials = NULL;
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    return (-1);
*5e7646d2SAndroid Build Coastguard Worker  }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  *credentials = cupsArrayNew(NULL, NULL);
*5e7646d2SAndroid Build Coastguard Worker  httpAddCredential(*credentials, http->tls->remoteCert->pbCertEncoded, http->tls->remoteCert->cbCertEncoded);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  return (0);
*5e7646d2SAndroid Build Coastguard Worker}
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker/*
*5e7646d2SAndroid Build Coastguard Worker * '_httpCreateCredentials()' - Create credentials in the internal format.
*5e7646d2SAndroid Build Coastguard Worker */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Workerhttp_tls_credentials_t			/* O - Internal credentials */
*5e7646d2SAndroid Build Coastguard Worker_httpCreateCredentials(
*5e7646d2SAndroid Build Coastguard Worker    cups_array_t *credentials)		/* I - Array of credentials */
*5e7646d2SAndroid Build Coastguard Worker{
*5e7646d2SAndroid Build Coastguard Worker  return (http_sspi_create_credential((http_credential_t *)cupsArrayFirst(credentials)));
*5e7646d2SAndroid Build Coastguard Worker}
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker/*
*5e7646d2SAndroid Build Coastguard Worker * 'httpCredentialsAreValidForName()' - Return whether the credentials are valid for the given name.
*5e7646d2SAndroid Build Coastguard Worker *
*5e7646d2SAndroid Build Coastguard Worker * @since CUPS 2.0/OS 10.10@
*5e7646d2SAndroid Build Coastguard Worker */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Workerint					/* O - 1 if valid, 0 otherwise */
*5e7646d2SAndroid Build Coastguard WorkerhttpCredentialsAreValidForName(
*5e7646d2SAndroid Build Coastguard Worker    cups_array_t *credentials,		/* I - Credentials */
*5e7646d2SAndroid Build Coastguard Worker    const char   *common_name)		/* I - Name to check */
*5e7646d2SAndroid Build Coastguard Worker{
*5e7646d2SAndroid Build Coastguard Worker  int		valid = 1;		/* Valid name? */
*5e7646d2SAndroid Build Coastguard Worker  PCCERT_CONTEXT cert = http_sspi_create_credential((http_credential_t *)cupsArrayFirst(credentials));
*5e7646d2SAndroid Build Coastguard Worker					/* Certificate */
*5e7646d2SAndroid Build Coastguard Worker  char		cert_name[1024];	/* Name from certificate */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (cert)
*5e7646d2SAndroid Build Coastguard Worker  {
*5e7646d2SAndroid Build Coastguard Worker    if (CertNameToStrA(X509_ASN_ENCODING, &(cert->pCertInfo->Subject), CERT_SIMPLE_NAME_STR, cert_name, sizeof(cert_name)))
*5e7646d2SAndroid Build Coastguard Worker    {
*5e7646d2SAndroid Build Coastguard Worker     /*
*5e7646d2SAndroid Build Coastguard Worker      * Extract common name at end...
*5e7646d2SAndroid Build Coastguard Worker      */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker      char  *ptr = strrchr(cert_name, ',');
*5e7646d2SAndroid Build Coastguard Worker      if (ptr && ptr[1])
*5e7646d2SAndroid Build Coastguard Worker        _cups_strcpy(cert_name, ptr + 2);
*5e7646d2SAndroid Build Coastguard Worker    }
*5e7646d2SAndroid Build Coastguard Worker    else
*5e7646d2SAndroid Build Coastguard Worker      strlcpy(cert_name, "unknown", sizeof(cert_name));
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    CertFreeCertificateContext(cert);
*5e7646d2SAndroid Build Coastguard Worker  }
*5e7646d2SAndroid Build Coastguard Worker  else
*5e7646d2SAndroid Build Coastguard Worker    strlcpy(cert_name, "unknown", sizeof(cert_name));
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker /*
*5e7646d2SAndroid Build Coastguard Worker  * Compare the common names...
*5e7646d2SAndroid Build Coastguard Worker  */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (_cups_strcasecmp(common_name, cert_name))
*5e7646d2SAndroid Build Coastguard Worker  {
*5e7646d2SAndroid Build Coastguard Worker   /*
*5e7646d2SAndroid Build Coastguard Worker    * Not an exact match for the common name, check for wildcard certs...
*5e7646d2SAndroid Build Coastguard Worker    */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    const char	*domain = strchr(common_name, '.');
*5e7646d2SAndroid Build Coastguard Worker					/* Domain in common name */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    if (strncmp(cert_name, "*.", 2) || !domain || _cups_strcasecmp(domain, cert_name + 1))
*5e7646d2SAndroid Build Coastguard Worker    {
*5e7646d2SAndroid Build Coastguard Worker     /*
*5e7646d2SAndroid Build Coastguard Worker      * Not a wildcard match.
*5e7646d2SAndroid Build Coastguard Worker      */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker      /* TODO: Check subject alternate names */
*5e7646d2SAndroid Build Coastguard Worker      valid = 0;
*5e7646d2SAndroid Build Coastguard Worker    }
*5e7646d2SAndroid Build Coastguard Worker  }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  return (valid);
*5e7646d2SAndroid Build Coastguard Worker}
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker/*
*5e7646d2SAndroid Build Coastguard Worker * 'httpCredentialsGetTrust()' - Return the trust of credentials.
*5e7646d2SAndroid Build Coastguard Worker *
*5e7646d2SAndroid Build Coastguard Worker * @since CUPS 2.0/OS 10.10@
*5e7646d2SAndroid Build Coastguard Worker */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Workerhttp_trust_t				/* O - Level of trust */
*5e7646d2SAndroid Build Coastguard WorkerhttpCredentialsGetTrust(
*5e7646d2SAndroid Build Coastguard Worker    cups_array_t *credentials,		/* I - Credentials */
*5e7646d2SAndroid Build Coastguard Worker    const char   *common_name)		/* I - Common name for trust lookup */
*5e7646d2SAndroid Build Coastguard Worker{
*5e7646d2SAndroid Build Coastguard Worker  http_trust_t	trust = HTTP_TRUST_OK;	/* Level of trust */
*5e7646d2SAndroid Build Coastguard Worker  PCCERT_CONTEXT cert = NULL;		/* Certificate to validate */
*5e7646d2SAndroid Build Coastguard Worker  DWORD		certFlags = 0;		/* Cert verification flags */
*5e7646d2SAndroid Build Coastguard Worker  _cups_globals_t *cg = _cupsGlobals();	/* Per-thread global data */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (!common_name)
*5e7646d2SAndroid Build Coastguard Worker    return (HTTP_TRUST_UNKNOWN);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  cert = http_sspi_create_credential((http_credential_t *)cupsArrayFirst(credentials));
*5e7646d2SAndroid Build Coastguard Worker  if (!cert)
*5e7646d2SAndroid Build Coastguard Worker    return (HTTP_TRUST_UNKNOWN);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (cg->any_root < 0)
*5e7646d2SAndroid Build Coastguard Worker    _cupsSetDefaults();
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (cg->any_root)
*5e7646d2SAndroid Build Coastguard Worker    certFlags |= SECURITY_FLAG_IGNORE_UNKNOWN_CA;
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (cg->expired_certs)
*5e7646d2SAndroid Build Coastguard Worker    certFlags |= SECURITY_FLAG_IGNORE_CERT_DATE_INVALID;
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (!cg->validate_certs)
*5e7646d2SAndroid Build Coastguard Worker    certFlags |= SECURITY_FLAG_IGNORE_CERT_CN_INVALID;
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (http_sspi_verify(cert, common_name, certFlags) != SEC_E_OK)
*5e7646d2SAndroid Build Coastguard Worker    trust = HTTP_TRUST_INVALID;
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  CertFreeCertificateContext(cert);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  return (trust);
*5e7646d2SAndroid Build Coastguard Worker}
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker/*
*5e7646d2SAndroid Build Coastguard Worker * 'httpCredentialsGetExpiration()' - Return the expiration date of the credentials.
*5e7646d2SAndroid Build Coastguard Worker *
*5e7646d2SAndroid Build Coastguard Worker * @since CUPS 2.0/OS 10.10@
*5e7646d2SAndroid Build Coastguard Worker */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Workertime_t					/* O - Expiration date of credentials */
*5e7646d2SAndroid Build Coastguard WorkerhttpCredentialsGetExpiration(
*5e7646d2SAndroid Build Coastguard Worker    cups_array_t *credentials)		/* I - Credentials */
*5e7646d2SAndroid Build Coastguard Worker{
*5e7646d2SAndroid Build Coastguard Worker  time_t	expiration_date = 0;	/* Expiration data of credentials */
*5e7646d2SAndroid Build Coastguard Worker  PCCERT_CONTEXT cert = http_sspi_create_credential((http_credential_t *)cupsArrayFirst(credentials));
*5e7646d2SAndroid Build Coastguard Worker					/* Certificate */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (cert)
*5e7646d2SAndroid Build Coastguard Worker  {
*5e7646d2SAndroid Build Coastguard Worker    SYSTEMTIME	systime;		/* System time */
*5e7646d2SAndroid Build Coastguard Worker    struct tm	tm;			/* UNIX date/time */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    FileTimeToSystemTime(&(cert->pCertInfo->NotAfter), &systime);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    tm.tm_year = systime.wYear - 1900;
*5e7646d2SAndroid Build Coastguard Worker    tm.tm_mon  = systime.wMonth - 1;
*5e7646d2SAndroid Build Coastguard Worker    tm.tm_mday = systime.wDay;
*5e7646d2SAndroid Build Coastguard Worker    tm.tm_hour = systime.wHour;
*5e7646d2SAndroid Build Coastguard Worker    tm.tm_min  = systime.wMinute;
*5e7646d2SAndroid Build Coastguard Worker    tm.tm_sec  = systime.wSecond;
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    expiration_date = mktime(&tm);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    CertFreeCertificateContext(cert);
*5e7646d2SAndroid Build Coastguard Worker  }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  return (expiration_date);
*5e7646d2SAndroid Build Coastguard Worker}
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker/*
*5e7646d2SAndroid Build Coastguard Worker * 'httpCredentialsString()' - Return a string representing the credentials.
*5e7646d2SAndroid Build Coastguard Worker *
*5e7646d2SAndroid Build Coastguard Worker * @since CUPS 2.0/OS 10.10@
*5e7646d2SAndroid Build Coastguard Worker */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Workersize_t					/* O - Total size of credentials string */
*5e7646d2SAndroid Build Coastguard WorkerhttpCredentialsString(
*5e7646d2SAndroid Build Coastguard Worker    cups_array_t *credentials,		/* I - Credentials */
*5e7646d2SAndroid Build Coastguard Worker    char         *buffer,		/* I - Buffer or @code NULL@ */
*5e7646d2SAndroid Build Coastguard Worker    size_t       bufsize)		/* I - Size of buffer */
*5e7646d2SAndroid Build Coastguard Worker{
*5e7646d2SAndroid Build Coastguard Worker  http_credential_t	*first = (http_credential_t *)cupsArrayFirst(credentials);
*5e7646d2SAndroid Build Coastguard Worker					/* First certificate */
*5e7646d2SAndroid Build Coastguard Worker  PCCERT_CONTEXT 	cert;		/* Certificate */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  DEBUG_printf(("httpCredentialsString(credentials=%p, buffer=%p, bufsize=" CUPS_LLFMT ")", credentials, buffer, CUPS_LLCAST bufsize));
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (!buffer)
*5e7646d2SAndroid Build Coastguard Worker    return (0);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (buffer && bufsize > 0)
*5e7646d2SAndroid Build Coastguard Worker    *buffer = '\0';
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  cert = http_sspi_create_credential(first);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (cert)
*5e7646d2SAndroid Build Coastguard Worker  {
*5e7646d2SAndroid Build Coastguard Worker    char		cert_name[256];	/* Common name */
*5e7646d2SAndroid Build Coastguard Worker    SYSTEMTIME		systime;	/* System time */
*5e7646d2SAndroid Build Coastguard Worker    struct tm		tm;		/* UNIX date/time */
*5e7646d2SAndroid Build Coastguard Worker    time_t		expiration;	/* Expiration date of cert */
*5e7646d2SAndroid Build Coastguard Worker    unsigned char	md5_digest[16];	/* MD5 result */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    FileTimeToSystemTime(&(cert->pCertInfo->NotAfter), &systime);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    tm.tm_year = systime.wYear - 1900;
*5e7646d2SAndroid Build Coastguard Worker    tm.tm_mon  = systime.wMonth - 1;
*5e7646d2SAndroid Build Coastguard Worker    tm.tm_mday = systime.wDay;
*5e7646d2SAndroid Build Coastguard Worker    tm.tm_hour = systime.wHour;
*5e7646d2SAndroid Build Coastguard Worker    tm.tm_min  = systime.wMinute;
*5e7646d2SAndroid Build Coastguard Worker    tm.tm_sec  = systime.wSecond;
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    expiration = mktime(&tm);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    if (CertNameToStrA(X509_ASN_ENCODING, &(cert->pCertInfo->Subject), CERT_SIMPLE_NAME_STR, cert_name, sizeof(cert_name)))
*5e7646d2SAndroid Build Coastguard Worker    {
*5e7646d2SAndroid Build Coastguard Worker     /*
*5e7646d2SAndroid Build Coastguard Worker      * Extract common name at end...
*5e7646d2SAndroid Build Coastguard Worker      */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker      char  *ptr = strrchr(cert_name, ',');
*5e7646d2SAndroid Build Coastguard Worker      if (ptr && ptr[1])
*5e7646d2SAndroid Build Coastguard Worker        _cups_strcpy(cert_name, ptr + 2);
*5e7646d2SAndroid Build Coastguard Worker    }
*5e7646d2SAndroid Build Coastguard Worker    else
*5e7646d2SAndroid Build Coastguard Worker      strlcpy(cert_name, "unknown", sizeof(cert_name));
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    cupsHashData("md5", first->data, first->datalen, md5_digest, sizeof(md5_digest));
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    snprintf(buffer, bufsize, "%s / %s / %02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X", cert_name, httpGetDateString(expiration), md5_digest[0], md5_digest[1], md5_digest[2], md5_digest[3], md5_digest[4], md5_digest[5], md5_digest[6], md5_digest[7], md5_digest[8], md5_digest[9], md5_digest[10], md5_digest[11], md5_digest[12], md5_digest[13], md5_digest[14], md5_digest[15]);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    CertFreeCertificateContext(cert);
*5e7646d2SAndroid Build Coastguard Worker  }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  DEBUG_printf(("1httpCredentialsString: Returning \"%s\".", buffer));
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  return (strlen(buffer));
*5e7646d2SAndroid Build Coastguard Worker}
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker/*
*5e7646d2SAndroid Build Coastguard Worker * '_httpFreeCredentials()' - Free internal credentials.
*5e7646d2SAndroid Build Coastguard Worker */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Workervoid
*5e7646d2SAndroid Build Coastguard Worker_httpFreeCredentials(
*5e7646d2SAndroid Build Coastguard Worker    http_tls_credentials_t credentials)	/* I - Internal credentials */
*5e7646d2SAndroid Build Coastguard Worker{
*5e7646d2SAndroid Build Coastguard Worker  if (!credentials)
*5e7646d2SAndroid Build Coastguard Worker    return;
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  CertFreeCertificateContext(credentials);
*5e7646d2SAndroid Build Coastguard Worker}
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker/*
*5e7646d2SAndroid Build Coastguard Worker * 'httpLoadCredentials()' - Load X.509 credentials from a keychain file.
*5e7646d2SAndroid Build Coastguard Worker *
*5e7646d2SAndroid Build Coastguard Worker * @since CUPS 2.0/OS 10.10@
*5e7646d2SAndroid Build Coastguard Worker */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Workerint					/* O - 0 on success, -1 on error */
*5e7646d2SAndroid Build Coastguard WorkerhttpLoadCredentials(
*5e7646d2SAndroid Build Coastguard Worker    const char   *path,			/* I  - Keychain path or @code NULL@ for default */
*5e7646d2SAndroid Build Coastguard Worker    cups_array_t **credentials,		/* IO - Credentials */
*5e7646d2SAndroid Build Coastguard Worker    const char   *common_name)		/* I  - Common name for credentials */
*5e7646d2SAndroid Build Coastguard Worker{
*5e7646d2SAndroid Build Coastguard Worker  HCERTSTORE	store = NULL;		/* Certificate store */
*5e7646d2SAndroid Build Coastguard Worker  PCCERT_CONTEXT storedContext = NULL;	/* Context created from the store */
*5e7646d2SAndroid Build Coastguard Worker  DWORD		dwSize = 0; 		/* 32 bit size */
*5e7646d2SAndroid Build Coastguard Worker  PBYTE		p = NULL;		/* Temporary storage */
*5e7646d2SAndroid Build Coastguard Worker  HCRYPTPROV	hProv = (HCRYPTPROV)NULL;
*5e7646d2SAndroid Build Coastguard Worker					/* Handle to a CSP */
*5e7646d2SAndroid Build Coastguard Worker  CERT_NAME_BLOB sib;			/* Arbitrary array of bytes */
*5e7646d2SAndroid Build Coastguard Worker#ifdef DEBUG
*5e7646d2SAndroid Build Coastguard Worker  char		error[1024];		/* Error message buffer */
*5e7646d2SAndroid Build Coastguard Worker#endif /* DEBUG */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  DEBUG_printf(("httpLoadCredentials(path=\"%s\", credentials=%p, common_name=\"%s\")", path, credentials, common_name));
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  (void)path;
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (credentials)
*5e7646d2SAndroid Build Coastguard Worker  {
*5e7646d2SAndroid Build Coastguard Worker    *credentials = NULL;
*5e7646d2SAndroid Build Coastguard Worker  }
*5e7646d2SAndroid Build Coastguard Worker  else
*5e7646d2SAndroid Build Coastguard Worker  {
*5e7646d2SAndroid Build Coastguard Worker    DEBUG_puts("1httpLoadCredentials: NULL credentials pointer, returning -1.");
*5e7646d2SAndroid Build Coastguard Worker    return (-1);
*5e7646d2SAndroid Build Coastguard Worker  }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (!common_name)
*5e7646d2SAndroid Build Coastguard Worker  {
*5e7646d2SAndroid Build Coastguard Worker    DEBUG_puts("1httpLoadCredentials: Bad common name, returning -1.");
*5e7646d2SAndroid Build Coastguard Worker    return (-1);
*5e7646d2SAndroid Build Coastguard Worker  }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (!CryptAcquireContextW(&hProv, L"RememberedContainer", MS_DEF_PROV_W, PROV_RSA_FULL, CRYPT_NEWKEYSET | CRYPT_MACHINE_KEYSET))
*5e7646d2SAndroid Build Coastguard Worker  {
*5e7646d2SAndroid Build Coastguard Worker    if (GetLastError() == NTE_EXISTS)
*5e7646d2SAndroid Build Coastguard Worker    {
*5e7646d2SAndroid Build Coastguard Worker      if (!CryptAcquireContextW(&hProv, L"RememberedContainer", MS_DEF_PROV_W, PROV_RSA_FULL, CRYPT_MACHINE_KEYSET))
*5e7646d2SAndroid Build Coastguard Worker      {
*5e7646d2SAndroid Build Coastguard Worker        DEBUG_printf(("1httpLoadCredentials: CryptAcquireContext failed: %s", http_sspi_strerror(error, sizeof(error), GetLastError())));
*5e7646d2SAndroid Build Coastguard Worker        goto cleanup;
*5e7646d2SAndroid Build Coastguard Worker      }
*5e7646d2SAndroid Build Coastguard Worker    }
*5e7646d2SAndroid Build Coastguard Worker  }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  store = CertOpenStore(CERT_STORE_PROV_SYSTEM, X509_ASN_ENCODING|PKCS_7_ASN_ENCODING, hProv, CERT_SYSTEM_STORE_LOCAL_MACHINE | CERT_STORE_NO_CRYPT_RELEASE_FLAG | CERT_STORE_OPEN_EXISTING_FLAG, L"MY");
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (!store)
*5e7646d2SAndroid Build Coastguard Worker  {
*5e7646d2SAndroid Build Coastguard Worker    DEBUG_printf(("1httpLoadCredentials: CertOpenSystemStore failed: %s", http_sspi_strerror(error, sizeof(error), GetLastError())));
*5e7646d2SAndroid Build Coastguard Worker    goto cleanup;
*5e7646d2SAndroid Build Coastguard Worker  }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  dwSize = 0;
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (!CertStrToNameA(X509_ASN_ENCODING, common_name, CERT_OID_NAME_STR, NULL, NULL, &dwSize, NULL))
*5e7646d2SAndroid Build Coastguard Worker  {
*5e7646d2SAndroid Build Coastguard Worker    DEBUG_printf(("1httpLoadCredentials: CertStrToName failed: %s", http_sspi_strerror(error, sizeof(error), GetLastError())));
*5e7646d2SAndroid Build Coastguard Worker    goto cleanup;
*5e7646d2SAndroid Build Coastguard Worker  }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  p = (PBYTE)malloc(dwSize);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (!p)
*5e7646d2SAndroid Build Coastguard Worker  {
*5e7646d2SAndroid Build Coastguard Worker    DEBUG_printf(("1httpLoadCredentials: malloc failed for %d bytes.", dwSize));
*5e7646d2SAndroid Build Coastguard Worker    goto cleanup;
*5e7646d2SAndroid Build Coastguard Worker  }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (!CertStrToNameA(X509_ASN_ENCODING, common_name, CERT_OID_NAME_STR, NULL, p, &dwSize, NULL))
*5e7646d2SAndroid Build Coastguard Worker  {
*5e7646d2SAndroid Build Coastguard Worker    DEBUG_printf(("1httpLoadCredentials: CertStrToName failed: %s", http_sspi_strerror(error, sizeof(error), GetLastError())));
*5e7646d2SAndroid Build Coastguard Worker    goto cleanup;
*5e7646d2SAndroid Build Coastguard Worker  }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  sib.cbData = dwSize;
*5e7646d2SAndroid Build Coastguard Worker  sib.pbData = p;
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  storedContext = CertFindCertificateInStore(store, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 0, CERT_FIND_SUBJECT_NAME, &sib, NULL);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (!storedContext)
*5e7646d2SAndroid Build Coastguard Worker  {
*5e7646d2SAndroid Build Coastguard Worker    DEBUG_printf(("1httpLoadCredentials: Unable to find credentials for \"%s\".", common_name));
*5e7646d2SAndroid Build Coastguard Worker    goto cleanup;
*5e7646d2SAndroid Build Coastguard Worker  }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  *credentials = cupsArrayNew(NULL, NULL);
*5e7646d2SAndroid Build Coastguard Worker  httpAddCredential(*credentials, storedContext->pbCertEncoded, storedContext->cbCertEncoded);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Workercleanup:
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker /*
*5e7646d2SAndroid Build Coastguard Worker  * Cleanup
*5e7646d2SAndroid Build Coastguard Worker  */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (storedContext)
*5e7646d2SAndroid Build Coastguard Worker    CertFreeCertificateContext(storedContext);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (p)
*5e7646d2SAndroid Build Coastguard Worker    free(p);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (store)
*5e7646d2SAndroid Build Coastguard Worker    CertCloseStore(store, 0);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (hProv)
*5e7646d2SAndroid Build Coastguard Worker    CryptReleaseContext(hProv, 0);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  DEBUG_printf(("1httpLoadCredentials: Returning %d.", *credentials ? 0 : -1));
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  return (*credentials ? 0 : -1);
*5e7646d2SAndroid Build Coastguard Worker}
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker/*
*5e7646d2SAndroid Build Coastguard Worker * 'httpSaveCredentials()' - Save X.509 credentials to a keychain file.
*5e7646d2SAndroid Build Coastguard Worker *
*5e7646d2SAndroid Build Coastguard Worker * @since CUPS 2.0/OS 10.10@
*5e7646d2SAndroid Build Coastguard Worker */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Workerint					/* O - -1 on error, 0 on success */
*5e7646d2SAndroid Build Coastguard WorkerhttpSaveCredentials(
*5e7646d2SAndroid Build Coastguard Worker    const char   *path,			/* I - Keychain path or @code NULL@ for default */
*5e7646d2SAndroid Build Coastguard Worker    cups_array_t *credentials,		/* I - Credentials */
*5e7646d2SAndroid Build Coastguard Worker    const char   *common_name)		/* I - Common name for credentials */
*5e7646d2SAndroid Build Coastguard Worker{
*5e7646d2SAndroid Build Coastguard Worker  HCERTSTORE	store = NULL;		/* Certificate store */
*5e7646d2SAndroid Build Coastguard Worker  PCCERT_CONTEXT storedContext = NULL;	/* Context created from the store */
*5e7646d2SAndroid Build Coastguard Worker  PCCERT_CONTEXT createdContext = NULL;	/* Context created by us */
*5e7646d2SAndroid Build Coastguard Worker  DWORD		dwSize = 0; 		/* 32 bit size */
*5e7646d2SAndroid Build Coastguard Worker  PBYTE		p = NULL;		/* Temporary storage */
*5e7646d2SAndroid Build Coastguard Worker  HCRYPTPROV	hProv = (HCRYPTPROV)NULL;
*5e7646d2SAndroid Build Coastguard Worker					/* Handle to a CSP */
*5e7646d2SAndroid Build Coastguard Worker  CRYPT_KEY_PROV_INFO ckp;		/* Handle to crypto key */
*5e7646d2SAndroid Build Coastguard Worker  int		ret = -1;		/* Return value */
*5e7646d2SAndroid Build Coastguard Worker#ifdef DEBUG
*5e7646d2SAndroid Build Coastguard Worker  char		error[1024];		/* Error message buffer */
*5e7646d2SAndroid Build Coastguard Worker#endif /* DEBUG */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  DEBUG_printf(("httpSaveCredentials(path=\"%s\", credentials=%p, common_name=\"%s\")", path, credentials, common_name));
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  (void)path;
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (!common_name)
*5e7646d2SAndroid Build Coastguard Worker  {
*5e7646d2SAndroid Build Coastguard Worker    DEBUG_puts("1httpSaveCredentials: Bad common name, returning -1.");
*5e7646d2SAndroid Build Coastguard Worker    return (-1);
*5e7646d2SAndroid Build Coastguard Worker  }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  createdContext = http_sspi_create_credential((http_credential_t *)cupsArrayFirst(credentials));
*5e7646d2SAndroid Build Coastguard Worker  if (!createdContext)
*5e7646d2SAndroid Build Coastguard Worker  {
*5e7646d2SAndroid Build Coastguard Worker    DEBUG_puts("1httpSaveCredentials: Bad credentials, returning -1.");
*5e7646d2SAndroid Build Coastguard Worker    return (-1);
*5e7646d2SAndroid Build Coastguard Worker  }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (!CryptAcquireContextW(&hProv, L"RememberedContainer", MS_DEF_PROV_W, PROV_RSA_FULL, CRYPT_NEWKEYSET | CRYPT_MACHINE_KEYSET))
*5e7646d2SAndroid Build Coastguard Worker  {
*5e7646d2SAndroid Build Coastguard Worker    if (GetLastError() == NTE_EXISTS)
*5e7646d2SAndroid Build Coastguard Worker    {
*5e7646d2SAndroid Build Coastguard Worker      if (!CryptAcquireContextW(&hProv, L"RememberedContainer", MS_DEF_PROV_W, PROV_RSA_FULL, CRYPT_MACHINE_KEYSET))
*5e7646d2SAndroid Build Coastguard Worker      {
*5e7646d2SAndroid Build Coastguard Worker        DEBUG_printf(("1httpSaveCredentials: CryptAcquireContext failed: %s", http_sspi_strerror(error, sizeof(error), GetLastError())));
*5e7646d2SAndroid Build Coastguard Worker        goto cleanup;
*5e7646d2SAndroid Build Coastguard Worker      }
*5e7646d2SAndroid Build Coastguard Worker    }
*5e7646d2SAndroid Build Coastguard Worker  }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  store = CertOpenStore(CERT_STORE_PROV_SYSTEM, X509_ASN_ENCODING|PKCS_7_ASN_ENCODING, hProv, CERT_SYSTEM_STORE_LOCAL_MACHINE | CERT_STORE_NO_CRYPT_RELEASE_FLAG | CERT_STORE_OPEN_EXISTING_FLAG, L"MY");
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (!store)
*5e7646d2SAndroid Build Coastguard Worker  {
*5e7646d2SAndroid Build Coastguard Worker    DEBUG_printf(("1httpSaveCredentials: CertOpenSystemStore failed: %s", http_sspi_strerror(error, sizeof(error), GetLastError())));
*5e7646d2SAndroid Build Coastguard Worker    goto cleanup;
*5e7646d2SAndroid Build Coastguard Worker  }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  dwSize = 0;
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (!CertStrToNameA(X509_ASN_ENCODING, common_name, CERT_OID_NAME_STR, NULL, NULL, &dwSize, NULL))
*5e7646d2SAndroid Build Coastguard Worker  {
*5e7646d2SAndroid Build Coastguard Worker    DEBUG_printf(("1httpSaveCredentials: CertStrToName failed: %s", http_sspi_strerror(error, sizeof(error), GetLastError())));
*5e7646d2SAndroid Build Coastguard Worker    goto cleanup;
*5e7646d2SAndroid Build Coastguard Worker  }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  p = (PBYTE)malloc(dwSize);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (!p)
*5e7646d2SAndroid Build Coastguard Worker  {
*5e7646d2SAndroid Build Coastguard Worker    DEBUG_printf(("1httpSaveCredentials: malloc failed for %d bytes.", dwSize));
*5e7646d2SAndroid Build Coastguard Worker    goto cleanup;
*5e7646d2SAndroid Build Coastguard Worker  }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (!CertStrToNameA(X509_ASN_ENCODING, common_name, CERT_OID_NAME_STR, NULL, p, &dwSize, NULL))
*5e7646d2SAndroid Build Coastguard Worker  {
*5e7646d2SAndroid Build Coastguard Worker    DEBUG_printf(("1httpSaveCredentials: CertStrToName failed: %s", http_sspi_strerror(error, sizeof(error), GetLastError())));
*5e7646d2SAndroid Build Coastguard Worker    goto cleanup;
*5e7646d2SAndroid Build Coastguard Worker  }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker /*
*5e7646d2SAndroid Build Coastguard Worker  * Add the created context to the named store, and associate it with the named
*5e7646d2SAndroid Build Coastguard Worker  * container...
*5e7646d2SAndroid Build Coastguard Worker  */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (!CertAddCertificateContextToStore(store, createdContext, CERT_STORE_ADD_REPLACE_EXISTING, &storedContext))
*5e7646d2SAndroid Build Coastguard Worker  {
*5e7646d2SAndroid Build Coastguard Worker    DEBUG_printf(("1httpSaveCredentials: CertAddCertificateContextToStore failed: %s", http_sspi_strerror(error, sizeof(error), GetLastError())));
*5e7646d2SAndroid Build Coastguard Worker    goto cleanup;
*5e7646d2SAndroid Build Coastguard Worker  }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  ZeroMemory(&ckp, sizeof(ckp));
*5e7646d2SAndroid Build Coastguard Worker  ckp.pwszContainerName = L"RememberedContainer";
*5e7646d2SAndroid Build Coastguard Worker  ckp.pwszProvName      = MS_DEF_PROV_W;
*5e7646d2SAndroid Build Coastguard Worker  ckp.dwProvType        = PROV_RSA_FULL;
*5e7646d2SAndroid Build Coastguard Worker  ckp.dwFlags           = CRYPT_MACHINE_KEYSET;
*5e7646d2SAndroid Build Coastguard Worker  ckp.dwKeySpec         = AT_KEYEXCHANGE;
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (!CertSetCertificateContextProperty(storedContext, CERT_KEY_PROV_INFO_PROP_ID, 0, &ckp))
*5e7646d2SAndroid Build Coastguard Worker  {
*5e7646d2SAndroid Build Coastguard Worker    DEBUG_printf(("1httpSaveCredentials: CertSetCertificateContextProperty failed: %s", http_sspi_strerror(error, sizeof(error), GetLastError())));
*5e7646d2SAndroid Build Coastguard Worker    goto cleanup;
*5e7646d2SAndroid Build Coastguard Worker  }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  ret = 0;
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Workercleanup:
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker /*
*5e7646d2SAndroid Build Coastguard Worker  * Cleanup
*5e7646d2SAndroid Build Coastguard Worker  */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (createdContext)
*5e7646d2SAndroid Build Coastguard Worker    CertFreeCertificateContext(createdContext);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (storedContext)
*5e7646d2SAndroid Build Coastguard Worker    CertFreeCertificateContext(storedContext);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (p)
*5e7646d2SAndroid Build Coastguard Worker    free(p);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (store)
*5e7646d2SAndroid Build Coastguard Worker    CertCloseStore(store, 0);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (hProv)
*5e7646d2SAndroid Build Coastguard Worker    CryptReleaseContext(hProv, 0);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  DEBUG_printf(("1httpSaveCredentials: Returning %d.", ret));
*5e7646d2SAndroid Build Coastguard Worker  return (ret);
*5e7646d2SAndroid Build Coastguard Worker}
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker/*
*5e7646d2SAndroid Build Coastguard Worker * '_httpTLSInitialize()' - Initialize the TLS stack.
*5e7646d2SAndroid Build Coastguard Worker */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Workervoid
*5e7646d2SAndroid Build Coastguard Worker_httpTLSInitialize(void)
*5e7646d2SAndroid Build Coastguard Worker{
*5e7646d2SAndroid Build Coastguard Worker /*
*5e7646d2SAndroid Build Coastguard Worker  * Nothing to do...
*5e7646d2SAndroid Build Coastguard Worker  */
*5e7646d2SAndroid Build Coastguard Worker}
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker/*
*5e7646d2SAndroid Build Coastguard Worker * '_httpTLSPending()' - Return the number of pending TLS-encrypted bytes.
*5e7646d2SAndroid Build Coastguard Worker */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Workersize_t					/* O - Bytes available */
*5e7646d2SAndroid Build Coastguard Worker_httpTLSPending(http_t *http)		/* I - HTTP connection */
*5e7646d2SAndroid Build Coastguard Worker{
*5e7646d2SAndroid Build Coastguard Worker  if (http->tls)
*5e7646d2SAndroid Build Coastguard Worker    return (http->tls->readBufferUsed);
*5e7646d2SAndroid Build Coastguard Worker  else
*5e7646d2SAndroid Build Coastguard Worker    return (0);
*5e7646d2SAndroid Build Coastguard Worker}
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker/*
*5e7646d2SAndroid Build Coastguard Worker * '_httpTLSRead()' - Read from a SSL/TLS connection.
*5e7646d2SAndroid Build Coastguard Worker */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Workerint					/* O - Bytes read */
*5e7646d2SAndroid Build Coastguard Worker_httpTLSRead(http_t *http,		/* I - HTTP connection */
*5e7646d2SAndroid Build Coastguard Worker	     char   *buf,		/* I - Buffer to store data */
*5e7646d2SAndroid Build Coastguard Worker	     int    len)		/* I - Length of buffer */
*5e7646d2SAndroid Build Coastguard Worker{
*5e7646d2SAndroid Build Coastguard Worker  int		i;			/* Looping var */
*5e7646d2SAndroid Build Coastguard Worker  _http_sspi_t	*sspi = http->tls;	/* SSPI data */
*5e7646d2SAndroid Build Coastguard Worker  SecBufferDesc	message;		/* Array of SecBuffer struct */
*5e7646d2SAndroid Build Coastguard Worker  SecBuffer	buffers[4] = { 0 };	/* Security package buffer */
*5e7646d2SAndroid Build Coastguard Worker  int		num = 0;		/* Return value */
*5e7646d2SAndroid Build Coastguard Worker  PSecBuffer	pDataBuffer;		/* Data buffer */
*5e7646d2SAndroid Build Coastguard Worker  PSecBuffer	pExtraBuffer;		/* Excess data buffer */
*5e7646d2SAndroid Build Coastguard Worker  SECURITY_STATUS scRet;		/* SSPI status */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  DEBUG_printf(("4_httpTLSRead(http=%p, buf=%p, len=%d)", http, buf, len));
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker /*
*5e7646d2SAndroid Build Coastguard Worker  * If there are bytes that have already been decrypted and have not yet been
*5e7646d2SAndroid Build Coastguard Worker  * read, return those...
*5e7646d2SAndroid Build Coastguard Worker  */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (sspi->readBufferUsed > 0)
*5e7646d2SAndroid Build Coastguard Worker  {
*5e7646d2SAndroid Build Coastguard Worker    int bytesToCopy = min(sspi->readBufferUsed, len);
*5e7646d2SAndroid Build Coastguard Worker					/* Number of bytes to copy */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    memcpy(buf, sspi->readBuffer, bytesToCopy);
*5e7646d2SAndroid Build Coastguard Worker    sspi->readBufferUsed -= bytesToCopy;
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    if (sspi->readBufferUsed > 0)
*5e7646d2SAndroid Build Coastguard Worker      memmove(sspi->readBuffer, sspi->readBuffer + bytesToCopy, sspi->readBufferUsed);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    DEBUG_printf(("5_httpTLSRead: Returning %d bytes previously decrypted.", bytesToCopy));
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    return (bytesToCopy);
*5e7646d2SAndroid Build Coastguard Worker  }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker /*
*5e7646d2SAndroid Build Coastguard Worker  * Initialize security buffer structs
*5e7646d2SAndroid Build Coastguard Worker  */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  message.ulVersion = SECBUFFER_VERSION;
*5e7646d2SAndroid Build Coastguard Worker  message.cBuffers  = 4;
*5e7646d2SAndroid Build Coastguard Worker  message.pBuffers  = buffers;
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  do
*5e7646d2SAndroid Build Coastguard Worker  {
*5e7646d2SAndroid Build Coastguard Worker   /*
*5e7646d2SAndroid Build Coastguard Worker    * If there is not enough space in the buffer, then increase its size...
*5e7646d2SAndroid Build Coastguard Worker    */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    if (sspi->decryptBufferLength <= sspi->decryptBufferUsed)
*5e7646d2SAndroid Build Coastguard Worker    {
*5e7646d2SAndroid Build Coastguard Worker      BYTE *temp;			/* New buffer */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker      if (sspi->decryptBufferLength >= 262144)
*5e7646d2SAndroid Build Coastguard Worker      {
*5e7646d2SAndroid Build Coastguard Worker	WSASetLastError(E_OUTOFMEMORY);
*5e7646d2SAndroid Build Coastguard Worker        DEBUG_puts("_httpTLSRead: Decryption buffer too large (>256k)");
*5e7646d2SAndroid Build Coastguard Worker	return (-1);
*5e7646d2SAndroid Build Coastguard Worker      }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker      if ((temp = realloc(sspi->decryptBuffer, sspi->decryptBufferLength + 4096)) == NULL)
*5e7646d2SAndroid Build Coastguard Worker      {
*5e7646d2SAndroid Build Coastguard Worker	DEBUG_printf(("_httpTLSRead: Unable to allocate %d byte decryption buffer.", sspi->decryptBufferLength + 4096));
*5e7646d2SAndroid Build Coastguard Worker	WSASetLastError(E_OUTOFMEMORY);
*5e7646d2SAndroid Build Coastguard Worker	return (-1);
*5e7646d2SAndroid Build Coastguard Worker      }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker      sspi->decryptBufferLength += 4096;
*5e7646d2SAndroid Build Coastguard Worker      sspi->decryptBuffer       = temp;
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker      DEBUG_printf(("_httpTLSRead: Resized decryption buffer to %d bytes.", sspi->decryptBufferLength));
*5e7646d2SAndroid Build Coastguard Worker    }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    buffers[0].pvBuffer	  = sspi->decryptBuffer;
*5e7646d2SAndroid Build Coastguard Worker    buffers[0].cbBuffer	  = (unsigned long)sspi->decryptBufferUsed;
*5e7646d2SAndroid Build Coastguard Worker    buffers[0].BufferType = SECBUFFER_DATA;
*5e7646d2SAndroid Build Coastguard Worker    buffers[1].BufferType = SECBUFFER_EMPTY;
*5e7646d2SAndroid Build Coastguard Worker    buffers[2].BufferType = SECBUFFER_EMPTY;
*5e7646d2SAndroid Build Coastguard Worker    buffers[3].BufferType = SECBUFFER_EMPTY;
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    DEBUG_printf(("5_httpTLSRead: decryptBufferUsed=%d", sspi->decryptBufferUsed));
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    scRet = DecryptMessage(&sspi->context, &message, 0, NULL);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    if (scRet == SEC_E_INCOMPLETE_MESSAGE)
*5e7646d2SAndroid Build Coastguard Worker    {
*5e7646d2SAndroid Build Coastguard Worker      num = recv(http->fd, sspi->decryptBuffer + sspi->decryptBufferUsed, (int)(sspi->decryptBufferLength - sspi->decryptBufferUsed), 0);
*5e7646d2SAndroid Build Coastguard Worker      if (num < 0)
*5e7646d2SAndroid Build Coastguard Worker      {
*5e7646d2SAndroid Build Coastguard Worker	DEBUG_printf(("5_httpTLSRead: recv failed: %d", WSAGetLastError()));
*5e7646d2SAndroid Build Coastguard Worker	return (-1);
*5e7646d2SAndroid Build Coastguard Worker      }
*5e7646d2SAndroid Build Coastguard Worker      else if (num == 0)
*5e7646d2SAndroid Build Coastguard Worker      {
*5e7646d2SAndroid Build Coastguard Worker	DEBUG_puts("5_httpTLSRead: Server disconnected.");
*5e7646d2SAndroid Build Coastguard Worker	return (0);
*5e7646d2SAndroid Build Coastguard Worker      }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker      DEBUG_printf(("5_httpTLSRead: Read %d bytes into decryption buffer.", num));
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker      sspi->decryptBufferUsed += num;
*5e7646d2SAndroid Build Coastguard Worker    }
*5e7646d2SAndroid Build Coastguard Worker  }
*5e7646d2SAndroid Build Coastguard Worker  while (scRet == SEC_E_INCOMPLETE_MESSAGE);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (scRet == SEC_I_CONTEXT_EXPIRED)
*5e7646d2SAndroid Build Coastguard Worker  {
*5e7646d2SAndroid Build Coastguard Worker    DEBUG_puts("5_httpTLSRead: Context expired.");
*5e7646d2SAndroid Build Coastguard Worker    WSASetLastError(WSAECONNRESET);
*5e7646d2SAndroid Build Coastguard Worker    return (-1);
*5e7646d2SAndroid Build Coastguard Worker  }
*5e7646d2SAndroid Build Coastguard Worker  else if (scRet != SEC_E_OK)
*5e7646d2SAndroid Build Coastguard Worker  {
*5e7646d2SAndroid Build Coastguard Worker    DEBUG_printf(("5_httpTLSRead: DecryptMessage failed: %s", http_sspi_strerror(sspi->error, sizeof(sspi->error), scRet)));
*5e7646d2SAndroid Build Coastguard Worker    WSASetLastError(WSASYSCALLFAILURE);
*5e7646d2SAndroid Build Coastguard Worker    return (-1);
*5e7646d2SAndroid Build Coastguard Worker  }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker /*
*5e7646d2SAndroid Build Coastguard Worker  * The decryption worked.  Now, locate data buffer.
*5e7646d2SAndroid Build Coastguard Worker  */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  pDataBuffer  = NULL;
*5e7646d2SAndroid Build Coastguard Worker  pExtraBuffer = NULL;
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  for (i = 1; i < 4; i++)
*5e7646d2SAndroid Build Coastguard Worker  {
*5e7646d2SAndroid Build Coastguard Worker    if (buffers[i].BufferType == SECBUFFER_DATA)
*5e7646d2SAndroid Build Coastguard Worker      pDataBuffer = &buffers[i];
*5e7646d2SAndroid Build Coastguard Worker    else if (!pExtraBuffer && (buffers[i].BufferType == SECBUFFER_EXTRA))
*5e7646d2SAndroid Build Coastguard Worker      pExtraBuffer = &buffers[i];
*5e7646d2SAndroid Build Coastguard Worker  }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker /*
*5e7646d2SAndroid Build Coastguard Worker  * If a data buffer is found, then copy the decrypted bytes to the passed-in
*5e7646d2SAndroid Build Coastguard Worker  * buffer...
*5e7646d2SAndroid Build Coastguard Worker  */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (pDataBuffer)
*5e7646d2SAndroid Build Coastguard Worker  {
*5e7646d2SAndroid Build Coastguard Worker    int bytesToCopy = min((int)pDataBuffer->cbBuffer, len);
*5e7646d2SAndroid Build Coastguard Worker				      /* Number of bytes to copy into buf */
*5e7646d2SAndroid Build Coastguard Worker    int bytesToSave = pDataBuffer->cbBuffer - bytesToCopy;
*5e7646d2SAndroid Build Coastguard Worker				      /* Number of bytes to save in our read buffer */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    if (bytesToCopy)
*5e7646d2SAndroid Build Coastguard Worker      memcpy(buf, pDataBuffer->pvBuffer, bytesToCopy);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker   /*
*5e7646d2SAndroid Build Coastguard Worker    * If there are more decrypted bytes than can be copied to the passed in
*5e7646d2SAndroid Build Coastguard Worker    * buffer, then save them...
*5e7646d2SAndroid Build Coastguard Worker    */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    if (bytesToSave)
*5e7646d2SAndroid Build Coastguard Worker    {
*5e7646d2SAndroid Build Coastguard Worker      if ((sspi->readBufferLength - sspi->readBufferUsed) < bytesToSave)
*5e7646d2SAndroid Build Coastguard Worker      {
*5e7646d2SAndroid Build Coastguard Worker        BYTE *temp;			/* New buffer pointer */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker        if ((temp = realloc(sspi->readBuffer, sspi->readBufferUsed + bytesToSave)) == NULL)
*5e7646d2SAndroid Build Coastguard Worker	{
*5e7646d2SAndroid Build Coastguard Worker	  DEBUG_printf(("_httpTLSRead: Unable to allocate %d bytes.", sspi->readBufferUsed + bytesToSave));
*5e7646d2SAndroid Build Coastguard Worker	  WSASetLastError(E_OUTOFMEMORY);
*5e7646d2SAndroid Build Coastguard Worker	  return (-1);
*5e7646d2SAndroid Build Coastguard Worker	}
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker	sspi->readBufferLength = sspi->readBufferUsed + bytesToSave;
*5e7646d2SAndroid Build Coastguard Worker	sspi->readBuffer       = temp;
*5e7646d2SAndroid Build Coastguard Worker      }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker      memcpy(((BYTE *)sspi->readBuffer) + sspi->readBufferUsed, ((BYTE *)pDataBuffer->pvBuffer) + bytesToCopy, bytesToSave);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker      sspi->readBufferUsed += bytesToSave;
*5e7646d2SAndroid Build Coastguard Worker    }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    num = bytesToCopy;
*5e7646d2SAndroid Build Coastguard Worker  }
*5e7646d2SAndroid Build Coastguard Worker  else
*5e7646d2SAndroid Build Coastguard Worker  {
*5e7646d2SAndroid Build Coastguard Worker    DEBUG_puts("_httpTLSRead: Unable to find data buffer.");
*5e7646d2SAndroid Build Coastguard Worker    WSASetLastError(WSASYSCALLFAILURE);
*5e7646d2SAndroid Build Coastguard Worker    return (-1);
*5e7646d2SAndroid Build Coastguard Worker  }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker /*
*5e7646d2SAndroid Build Coastguard Worker  * If the decryption process left extra bytes, then save those back in
*5e7646d2SAndroid Build Coastguard Worker  * decryptBuffer.  They will be processed the next time through the loop.
*5e7646d2SAndroid Build Coastguard Worker  */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (pExtraBuffer)
*5e7646d2SAndroid Build Coastguard Worker  {
*5e7646d2SAndroid Build Coastguard Worker    memmove(sspi->decryptBuffer, pExtraBuffer->pvBuffer, pExtraBuffer->cbBuffer);
*5e7646d2SAndroid Build Coastguard Worker    sspi->decryptBufferUsed = pExtraBuffer->cbBuffer;
*5e7646d2SAndroid Build Coastguard Worker  }
*5e7646d2SAndroid Build Coastguard Worker  else
*5e7646d2SAndroid Build Coastguard Worker  {
*5e7646d2SAndroid Build Coastguard Worker    sspi->decryptBufferUsed = 0;
*5e7646d2SAndroid Build Coastguard Worker  }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  return (num);
*5e7646d2SAndroid Build Coastguard Worker}
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker/*
*5e7646d2SAndroid Build Coastguard Worker * '_httpTLSSetOptions()' - Set TLS protocol and cipher suite options.
*5e7646d2SAndroid Build Coastguard Worker */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Workervoid
*5e7646d2SAndroid Build Coastguard Worker_httpTLSSetOptions(int options,		/* I - Options */
*5e7646d2SAndroid Build Coastguard Worker                   int min_version,	/* I - Minimum TLS version */
*5e7646d2SAndroid Build Coastguard Worker                   int max_version)	/* I - Maximum TLS version */
*5e7646d2SAndroid Build Coastguard Worker{
*5e7646d2SAndroid Build Coastguard Worker  if (!(options & _HTTP_TLS_SET_DEFAULT) || tls_options < 0)
*5e7646d2SAndroid Build Coastguard Worker  {
*5e7646d2SAndroid Build Coastguard Worker    tls_options     = options;
*5e7646d2SAndroid Build Coastguard Worker    tls_min_version = min_version;
*5e7646d2SAndroid Build Coastguard Worker    tls_max_version = max_version;
*5e7646d2SAndroid Build Coastguard Worker  }
*5e7646d2SAndroid Build Coastguard Worker}
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker/*
*5e7646d2SAndroid Build Coastguard Worker * '_httpTLSStart()' - Set up SSL/TLS support on a connection.
*5e7646d2SAndroid Build Coastguard Worker */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Workerint					/* O - 0 on success, -1 on failure */
*5e7646d2SAndroid Build Coastguard Worker_httpTLSStart(http_t *http)		/* I - HTTP connection */
*5e7646d2SAndroid Build Coastguard Worker{
*5e7646d2SAndroid Build Coastguard Worker  char	hostname[256],			/* Hostname */
*5e7646d2SAndroid Build Coastguard Worker	*hostptr;			/* Pointer into hostname */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  DEBUG_printf(("3_httpTLSStart(http=%p)", http));
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (tls_options < 0)
*5e7646d2SAndroid Build Coastguard Worker  {
*5e7646d2SAndroid Build Coastguard Worker    DEBUG_puts("4_httpTLSStart: Setting defaults.");
*5e7646d2SAndroid Build Coastguard Worker    _cupsSetDefaults();
*5e7646d2SAndroid Build Coastguard Worker    DEBUG_printf(("4_httpTLSStart: tls_options=%x", tls_options));
*5e7646d2SAndroid Build Coastguard Worker  }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if ((http->tls = http_sspi_alloc()) == NULL)
*5e7646d2SAndroid Build Coastguard Worker    return (-1);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (http->mode == _HTTP_MODE_CLIENT)
*5e7646d2SAndroid Build Coastguard Worker  {
*5e7646d2SAndroid Build Coastguard Worker   /*
*5e7646d2SAndroid Build Coastguard Worker    * Client: determine hostname...
*5e7646d2SAndroid Build Coastguard Worker    */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    if (httpAddrLocalhost(http->hostaddr))
*5e7646d2SAndroid Build Coastguard Worker    {
*5e7646d2SAndroid Build Coastguard Worker      strlcpy(hostname, "localhost", sizeof(hostname));
*5e7646d2SAndroid Build Coastguard Worker    }
*5e7646d2SAndroid Build Coastguard Worker    else
*5e7646d2SAndroid Build Coastguard Worker    {
*5e7646d2SAndroid Build Coastguard Worker     /*
*5e7646d2SAndroid Build Coastguard Worker      * Otherwise make sure the hostname we have does not end in a trailing dot.
*5e7646d2SAndroid Build Coastguard Worker      */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker      strlcpy(hostname, http->hostname, sizeof(hostname));
*5e7646d2SAndroid Build Coastguard Worker      if ((hostptr = hostname + strlen(hostname) - 1) >= hostname &&
*5e7646d2SAndroid Build Coastguard Worker	  *hostptr == '.')
*5e7646d2SAndroid Build Coastguard Worker	*hostptr = '\0';
*5e7646d2SAndroid Build Coastguard Worker    }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    return (http_sspi_client(http, hostname));
*5e7646d2SAndroid Build Coastguard Worker  }
*5e7646d2SAndroid Build Coastguard Worker  else
*5e7646d2SAndroid Build Coastguard Worker  {
*5e7646d2SAndroid Build Coastguard Worker   /*
*5e7646d2SAndroid Build Coastguard Worker    * Server: determine hostname to use...
*5e7646d2SAndroid Build Coastguard Worker    */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    if (http->fields[HTTP_FIELD_HOST])
*5e7646d2SAndroid Build Coastguard Worker    {
*5e7646d2SAndroid Build Coastguard Worker     /*
*5e7646d2SAndroid Build Coastguard Worker      * Use hostname for TLS upgrade...
*5e7646d2SAndroid Build Coastguard Worker      */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker      strlcpy(hostname, http->fields[HTTP_FIELD_HOST], sizeof(hostname));
*5e7646d2SAndroid Build Coastguard Worker    }
*5e7646d2SAndroid Build Coastguard Worker    else
*5e7646d2SAndroid Build Coastguard Worker    {
*5e7646d2SAndroid Build Coastguard Worker     /*
*5e7646d2SAndroid Build Coastguard Worker      * Resolve hostname from connection address...
*5e7646d2SAndroid Build Coastguard Worker      */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker      http_addr_t	addr;		/* Connection address */
*5e7646d2SAndroid Build Coastguard Worker      socklen_t		addrlen;	/* Length of address */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker      addrlen = sizeof(addr);
*5e7646d2SAndroid Build Coastguard Worker      if (getsockname(http->fd, (struct sockaddr *)&addr, &addrlen))
*5e7646d2SAndroid Build Coastguard Worker      {
*5e7646d2SAndroid Build Coastguard Worker	DEBUG_printf(("4_httpTLSStart: Unable to get socket address: %s", strerror(errno)));
*5e7646d2SAndroid Build Coastguard Worker	hostname[0] = '\0';
*5e7646d2SAndroid Build Coastguard Worker      }
*5e7646d2SAndroid Build Coastguard Worker      else if (httpAddrLocalhost(&addr))
*5e7646d2SAndroid Build Coastguard Worker	hostname[0] = '\0';
*5e7646d2SAndroid Build Coastguard Worker      else
*5e7646d2SAndroid Build Coastguard Worker      {
*5e7646d2SAndroid Build Coastguard Worker	httpAddrLookup(&addr, hostname, sizeof(hostname));
*5e7646d2SAndroid Build Coastguard Worker        DEBUG_printf(("4_httpTLSStart: Resolved socket address to \"%s\".", hostname));
*5e7646d2SAndroid Build Coastguard Worker      }
*5e7646d2SAndroid Build Coastguard Worker    }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    return (http_sspi_server(http, hostname));
*5e7646d2SAndroid Build Coastguard Worker  }
*5e7646d2SAndroid Build Coastguard Worker}
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker/*
*5e7646d2SAndroid Build Coastguard Worker * '_httpTLSStop()' - Shut down SSL/TLS on a connection.
*5e7646d2SAndroid Build Coastguard Worker */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Workervoid
*5e7646d2SAndroid Build Coastguard Worker_httpTLSStop(http_t *http)		/* I - HTTP connection */
*5e7646d2SAndroid Build Coastguard Worker{
*5e7646d2SAndroid Build Coastguard Worker  _http_sspi_t	*sspi = http->tls;	/* SSPI data */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (sspi->contextInitialized && http->fd >= 0)
*5e7646d2SAndroid Build Coastguard Worker  {
*5e7646d2SAndroid Build Coastguard Worker    SecBufferDesc	message;	/* Array of SecBuffer struct */
*5e7646d2SAndroid Build Coastguard Worker    SecBuffer		buffers[1] = { 0 };
*5e7646d2SAndroid Build Coastguard Worker					/* Security package buffer */
*5e7646d2SAndroid Build Coastguard Worker    DWORD		dwType;		/* Type */
*5e7646d2SAndroid Build Coastguard Worker    DWORD		status;		/* Status */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  /*
*5e7646d2SAndroid Build Coastguard Worker   * Notify schannel that we are about to close the connection.
*5e7646d2SAndroid Build Coastguard Worker   */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker   dwType = SCHANNEL_SHUTDOWN;
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker   buffers[0].pvBuffer   = &dwType;
*5e7646d2SAndroid Build Coastguard Worker   buffers[0].BufferType = SECBUFFER_TOKEN;
*5e7646d2SAndroid Build Coastguard Worker   buffers[0].cbBuffer   = sizeof(dwType);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker   message.cBuffers  = 1;
*5e7646d2SAndroid Build Coastguard Worker   message.pBuffers  = buffers;
*5e7646d2SAndroid Build Coastguard Worker   message.ulVersion = SECBUFFER_VERSION;
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker   status = ApplyControlToken(&sspi->context, &message);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker   if (SUCCEEDED(status))
*5e7646d2SAndroid Build Coastguard Worker   {
*5e7646d2SAndroid Build Coastguard Worker     PBYTE	pbMessage;		/* Message buffer */
*5e7646d2SAndroid Build Coastguard Worker     DWORD	cbMessage;		/* Message buffer count */
*5e7646d2SAndroid Build Coastguard Worker     DWORD	cbData;			/* Data count */
*5e7646d2SAndroid Build Coastguard Worker     DWORD	dwSSPIFlags;		/* SSL attributes we requested */
*5e7646d2SAndroid Build Coastguard Worker     DWORD	dwSSPIOutFlags;		/* SSL attributes we received */
*5e7646d2SAndroid Build Coastguard Worker     TimeStamp	tsExpiry;		/* Time stamp */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker     dwSSPIFlags = ASC_REQ_SEQUENCE_DETECT     |
*5e7646d2SAndroid Build Coastguard Worker                   ASC_REQ_REPLAY_DETECT       |
*5e7646d2SAndroid Build Coastguard Worker                   ASC_REQ_CONFIDENTIALITY     |
*5e7646d2SAndroid Build Coastguard Worker                   ASC_REQ_EXTENDED_ERROR      |
*5e7646d2SAndroid Build Coastguard Worker                   ASC_REQ_ALLOCATE_MEMORY     |
*5e7646d2SAndroid Build Coastguard Worker                   ASC_REQ_STREAM;
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker     buffers[0].pvBuffer   = NULL;
*5e7646d2SAndroid Build Coastguard Worker     buffers[0].BufferType = SECBUFFER_TOKEN;
*5e7646d2SAndroid Build Coastguard Worker     buffers[0].cbBuffer   = 0;
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker     message.cBuffers  = 1;
*5e7646d2SAndroid Build Coastguard Worker     message.pBuffers  = buffers;
*5e7646d2SAndroid Build Coastguard Worker     message.ulVersion = SECBUFFER_VERSION;
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker     status = AcceptSecurityContext(&sspi->creds, &sspi->context, NULL,
*5e7646d2SAndroid Build Coastguard Worker                                    dwSSPIFlags, SECURITY_NATIVE_DREP, NULL,
*5e7646d2SAndroid Build Coastguard Worker                                    &message, &dwSSPIOutFlags, &tsExpiry);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker      if (SUCCEEDED(status))
*5e7646d2SAndroid Build Coastguard Worker      {
*5e7646d2SAndroid Build Coastguard Worker        pbMessage = buffers[0].pvBuffer;
*5e7646d2SAndroid Build Coastguard Worker        cbMessage = buffers[0].cbBuffer;
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker       /*
*5e7646d2SAndroid Build Coastguard Worker        * Send the close notify message to the client.
*5e7646d2SAndroid Build Coastguard Worker        */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker        if (pbMessage && cbMessage)
*5e7646d2SAndroid Build Coastguard Worker        {
*5e7646d2SAndroid Build Coastguard Worker          cbData = send(http->fd, pbMessage, cbMessage, 0);
*5e7646d2SAndroid Build Coastguard Worker          if ((cbData == SOCKET_ERROR) || (cbData == 0))
*5e7646d2SAndroid Build Coastguard Worker          {
*5e7646d2SAndroid Build Coastguard Worker            status = WSAGetLastError();
*5e7646d2SAndroid Build Coastguard Worker            DEBUG_printf(("_httpTLSStop: sending close notify failed: %d", status));
*5e7646d2SAndroid Build Coastguard Worker          }
*5e7646d2SAndroid Build Coastguard Worker          else
*5e7646d2SAndroid Build Coastguard Worker          {
*5e7646d2SAndroid Build Coastguard Worker            FreeContextBuffer(pbMessage);
*5e7646d2SAndroid Build Coastguard Worker          }
*5e7646d2SAndroid Build Coastguard Worker        }
*5e7646d2SAndroid Build Coastguard Worker      }
*5e7646d2SAndroid Build Coastguard Worker      else
*5e7646d2SAndroid Build Coastguard Worker      {
*5e7646d2SAndroid Build Coastguard Worker        DEBUG_printf(("_httpTLSStop: AcceptSecurityContext failed: %s", http_sspi_strerror(sspi->error, sizeof(sspi->error), status)));
*5e7646d2SAndroid Build Coastguard Worker      }
*5e7646d2SAndroid Build Coastguard Worker    }
*5e7646d2SAndroid Build Coastguard Worker    else
*5e7646d2SAndroid Build Coastguard Worker    {
*5e7646d2SAndroid Build Coastguard Worker      DEBUG_printf(("_httpTLSStop: ApplyControlToken failed: %s", http_sspi_strerror(sspi->error, sizeof(sspi->error), status)));
*5e7646d2SAndroid Build Coastguard Worker    }
*5e7646d2SAndroid Build Coastguard Worker  }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  http_sspi_free(sspi);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  http->tls = NULL;
*5e7646d2SAndroid Build Coastguard Worker}
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker/*
*5e7646d2SAndroid Build Coastguard Worker * '_httpTLSWrite()' - Write to a SSL/TLS connection.
*5e7646d2SAndroid Build Coastguard Worker */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Workerint					/* O - Bytes written */
*5e7646d2SAndroid Build Coastguard Worker_httpTLSWrite(http_t     *http,		/* I - HTTP connection */
*5e7646d2SAndroid Build Coastguard Worker	      const char *buf,		/* I - Buffer holding data */
*5e7646d2SAndroid Build Coastguard Worker	      int        len)		/* I - Length of buffer */
*5e7646d2SAndroid Build Coastguard Worker{
*5e7646d2SAndroid Build Coastguard Worker  _http_sspi_t	*sspi = http->tls;	/* SSPI data */
*5e7646d2SAndroid Build Coastguard Worker  SecBufferDesc	message;		/* Array of SecBuffer struct */
*5e7646d2SAndroid Build Coastguard Worker  SecBuffer	buffers[4] = { 0 };	/* Security package buffer */
*5e7646d2SAndroid Build Coastguard Worker  int		bufferLen;		/* Buffer length */
*5e7646d2SAndroid Build Coastguard Worker  int		bytesLeft;		/* Bytes left to write */
*5e7646d2SAndroid Build Coastguard Worker  const char	*bufptr;		/* Pointer into buffer */
*5e7646d2SAndroid Build Coastguard Worker  int		num = 0;		/* Return value */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  bufferLen = sspi->streamSizes.cbMaximumMessage + sspi->streamSizes.cbHeader + sspi->streamSizes.cbTrailer;
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (bufferLen > sspi->writeBufferLength)
*5e7646d2SAndroid Build Coastguard Worker  {
*5e7646d2SAndroid Build Coastguard Worker    BYTE *temp;				/* New buffer pointer */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    if ((temp = (BYTE *)realloc(sspi->writeBuffer, bufferLen)) == NULL)
*5e7646d2SAndroid Build Coastguard Worker    {
*5e7646d2SAndroid Build Coastguard Worker      DEBUG_printf(("_httpTLSWrite: Unable to allocate buffer of %d bytes.", bufferLen));
*5e7646d2SAndroid Build Coastguard Worker      WSASetLastError(E_OUTOFMEMORY);
*5e7646d2SAndroid Build Coastguard Worker      return (-1);
*5e7646d2SAndroid Build Coastguard Worker    }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    sspi->writeBuffer       = temp;
*5e7646d2SAndroid Build Coastguard Worker    sspi->writeBufferLength = bufferLen;
*5e7646d2SAndroid Build Coastguard Worker  }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  bytesLeft = len;
*5e7646d2SAndroid Build Coastguard Worker  bufptr    = buf;
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  while (bytesLeft)
*5e7646d2SAndroid Build Coastguard Worker  {
*5e7646d2SAndroid Build Coastguard Worker    int chunk = min((int)sspi->streamSizes.cbMaximumMessage, bytesLeft);
*5e7646d2SAndroid Build Coastguard Worker					/* Size of data to write */
*5e7646d2SAndroid Build Coastguard Worker    SECURITY_STATUS scRet;		/* SSPI status */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker   /*
*5e7646d2SAndroid Build Coastguard Worker    * Copy user data into the buffer, starting just past the header...
*5e7646d2SAndroid Build Coastguard Worker    */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    memcpy(sspi->writeBuffer + sspi->streamSizes.cbHeader, bufptr, chunk);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker   /*
*5e7646d2SAndroid Build Coastguard Worker    * Setup the SSPI buffers
*5e7646d2SAndroid Build Coastguard Worker    */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    message.ulVersion = SECBUFFER_VERSION;
*5e7646d2SAndroid Build Coastguard Worker    message.cBuffers  = 4;
*5e7646d2SAndroid Build Coastguard Worker    message.pBuffers  = buffers;
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    buffers[0].pvBuffer   = sspi->writeBuffer;
*5e7646d2SAndroid Build Coastguard Worker    buffers[0].cbBuffer   = sspi->streamSizes.cbHeader;
*5e7646d2SAndroid Build Coastguard Worker    buffers[0].BufferType = SECBUFFER_STREAM_HEADER;
*5e7646d2SAndroid Build Coastguard Worker    buffers[1].pvBuffer   = sspi->writeBuffer + sspi->streamSizes.cbHeader;
*5e7646d2SAndroid Build Coastguard Worker    buffers[1].cbBuffer   = (unsigned long) chunk;
*5e7646d2SAndroid Build Coastguard Worker    buffers[1].BufferType = SECBUFFER_DATA;
*5e7646d2SAndroid Build Coastguard Worker    buffers[2].pvBuffer   = sspi->writeBuffer + sspi->streamSizes.cbHeader + chunk;
*5e7646d2SAndroid Build Coastguard Worker    buffers[2].cbBuffer   = sspi->streamSizes.cbTrailer;
*5e7646d2SAndroid Build Coastguard Worker    buffers[2].BufferType = SECBUFFER_STREAM_TRAILER;
*5e7646d2SAndroid Build Coastguard Worker    buffers[3].BufferType = SECBUFFER_EMPTY;
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker   /*
*5e7646d2SAndroid Build Coastguard Worker    * Encrypt the data
*5e7646d2SAndroid Build Coastguard Worker    */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    scRet = EncryptMessage(&sspi->context, 0, &message, 0);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    if (FAILED(scRet))
*5e7646d2SAndroid Build Coastguard Worker    {
*5e7646d2SAndroid Build Coastguard Worker      DEBUG_printf(("_httpTLSWrite: EncryptMessage failed: %s", http_sspi_strerror(sspi->error, sizeof(sspi->error), scRet)));
*5e7646d2SAndroid Build Coastguard Worker      WSASetLastError(WSASYSCALLFAILURE);
*5e7646d2SAndroid Build Coastguard Worker      return (-1);
*5e7646d2SAndroid Build Coastguard Worker    }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker   /*
*5e7646d2SAndroid Build Coastguard Worker    * Send the data. Remember the size of the total data to send is the size
*5e7646d2SAndroid Build Coastguard Worker    * of the header, the size of the data the caller passed in and the size
*5e7646d2SAndroid Build Coastguard Worker    * of the trailer...
*5e7646d2SAndroid Build Coastguard Worker    */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    num = send(http->fd, sspi->writeBuffer, buffers[0].cbBuffer + buffers[1].cbBuffer + buffers[2].cbBuffer, 0);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    if (num <= 0)
*5e7646d2SAndroid Build Coastguard Worker    {
*5e7646d2SAndroid Build Coastguard Worker      DEBUG_printf(("_httpTLSWrite: send failed: %ld", WSAGetLastError()));
*5e7646d2SAndroid Build Coastguard Worker      return (num);
*5e7646d2SAndroid Build Coastguard Worker    }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    bytesLeft -= chunk;
*5e7646d2SAndroid Build Coastguard Worker    bufptr    += chunk;
*5e7646d2SAndroid Build Coastguard Worker  }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  return (len);
*5e7646d2SAndroid Build Coastguard Worker}
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker#if 0
*5e7646d2SAndroid Build Coastguard Worker/*
*5e7646d2SAndroid Build Coastguard Worker * 'http_setup_ssl()' - Set up SSL/TLS support on a connection.
*5e7646d2SAndroid Build Coastguard Worker */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Workerstatic int				/* O - 0 on success, -1 on failure */
*5e7646d2SAndroid Build Coastguard Workerhttp_setup_ssl(http_t *http)		/* I - Connection to server */
*5e7646d2SAndroid Build Coastguard Worker{
*5e7646d2SAndroid Build Coastguard Worker  char			hostname[256],	/* Hostname */
*5e7646d2SAndroid Build Coastguard Worker			*hostptr;	/* Pointer into hostname */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  TCHAR			username[256];	/* Username returned from GetUserName() */
*5e7646d2SAndroid Build Coastguard Worker  TCHAR			commonName[256];/* Common name for certificate */
*5e7646d2SAndroid Build Coastguard Worker  DWORD			dwSize;		/* 32 bit size */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  DEBUG_printf(("7http_setup_ssl(http=%p)", http));
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker /*
*5e7646d2SAndroid Build Coastguard Worker  * Get the hostname to use for SSL...
*5e7646d2SAndroid Build Coastguard Worker  */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (httpAddrLocalhost(http->hostaddr))
*5e7646d2SAndroid Build Coastguard Worker  {
*5e7646d2SAndroid Build Coastguard Worker    strlcpy(hostname, "localhost", sizeof(hostname));
*5e7646d2SAndroid Build Coastguard Worker  }
*5e7646d2SAndroid Build Coastguard Worker  else
*5e7646d2SAndroid Build Coastguard Worker  {
*5e7646d2SAndroid Build Coastguard Worker   /*
*5e7646d2SAndroid Build Coastguard Worker    * Otherwise make sure the hostname we have does not end in a trailing dot.
*5e7646d2SAndroid Build Coastguard Worker    */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    strlcpy(hostname, http->hostname, sizeof(hostname));
*5e7646d2SAndroid Build Coastguard Worker    if ((hostptr = hostname + strlen(hostname) - 1) >= hostname &&
*5e7646d2SAndroid Build Coastguard Worker        *hostptr == '.')
*5e7646d2SAndroid Build Coastguard Worker      *hostptr = '\0';
*5e7646d2SAndroid Build Coastguard Worker  }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  http->tls = http_sspi_alloc();
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (!http->tls)
*5e7646d2SAndroid Build Coastguard Worker  {
*5e7646d2SAndroid Build Coastguard Worker    _cupsSetHTTPError(HTTP_STATUS_ERROR);
*5e7646d2SAndroid Build Coastguard Worker    return (-1);
*5e7646d2SAndroid Build Coastguard Worker  }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  dwSize          = sizeof(username) / sizeof(TCHAR);
*5e7646d2SAndroid Build Coastguard Worker  GetUserName(username, &dwSize);
*5e7646d2SAndroid Build Coastguard Worker  _sntprintf_s(commonName, sizeof(commonName) / sizeof(TCHAR),
*5e7646d2SAndroid Build Coastguard Worker               sizeof(commonName) / sizeof(TCHAR), TEXT("CN=%s"), username);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (!_sspiGetCredentials(http->tls, L"ClientContainer",
*5e7646d2SAndroid Build Coastguard Worker                           commonName, FALSE))
*5e7646d2SAndroid Build Coastguard Worker  {
*5e7646d2SAndroid Build Coastguard Worker    _sspiFree(http->tls);
*5e7646d2SAndroid Build Coastguard Worker    http->tls = NULL;
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    http->error  = EIO;
*5e7646d2SAndroid Build Coastguard Worker    http->status = HTTP_STATUS_ERROR;
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    _cupsSetError(IPP_STATUS_ERROR_CUPS_PKI,
*5e7646d2SAndroid Build Coastguard Worker                  _("Unable to establish a secure connection to host."), 1);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    return (-1);
*5e7646d2SAndroid Build Coastguard Worker  }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  _sspiSetAllowsAnyRoot(http->tls, TRUE);
*5e7646d2SAndroid Build Coastguard Worker  _sspiSetAllowsExpiredCerts(http->tls, TRUE);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (!_sspiConnect(http->tls, hostname))
*5e7646d2SAndroid Build Coastguard Worker  {
*5e7646d2SAndroid Build Coastguard Worker    _sspiFree(http->tls);
*5e7646d2SAndroid Build Coastguard Worker    http->tls = NULL;
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    http->error  = EIO;
*5e7646d2SAndroid Build Coastguard Worker    http->status = HTTP_STATUS_ERROR;
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    _cupsSetError(IPP_STATUS_ERROR_CUPS_PKI,
*5e7646d2SAndroid Build Coastguard Worker                  _("Unable to establish a secure connection to host."), 1);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    return (-1);
*5e7646d2SAndroid Build Coastguard Worker  }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  return (0);
*5e7646d2SAndroid Build Coastguard Worker}
*5e7646d2SAndroid Build Coastguard Worker#endif // 0
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker/*
*5e7646d2SAndroid Build Coastguard Worker * 'http_sspi_alloc()' - Allocate SSPI object.
*5e7646d2SAndroid Build Coastguard Worker */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Workerstatic _http_sspi_t *			/* O  - New SSPI/SSL object */
*5e7646d2SAndroid Build Coastguard Workerhttp_sspi_alloc(void)
*5e7646d2SAndroid Build Coastguard Worker{
*5e7646d2SAndroid Build Coastguard Worker  return ((_http_sspi_t *)calloc(sizeof(_http_sspi_t), 1));
*5e7646d2SAndroid Build Coastguard Worker}
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker/*
*5e7646d2SAndroid Build Coastguard Worker * 'http_sspi_client()' - Negotiate a TLS connection as a client.
*5e7646d2SAndroid Build Coastguard Worker */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Workerstatic int				/* O - 0 on success, -1 on failure */
*5e7646d2SAndroid Build Coastguard Workerhttp_sspi_client(http_t     *http,	/* I - Client connection */
*5e7646d2SAndroid Build Coastguard Worker                 const char *hostname)	/* I - Server hostname */
*5e7646d2SAndroid Build Coastguard Worker{
*5e7646d2SAndroid Build Coastguard Worker  _http_sspi_t	*sspi = http->tls;	/* SSPI data */
*5e7646d2SAndroid Build Coastguard Worker  DWORD		dwSize;			/* Size for buffer */
*5e7646d2SAndroid Build Coastguard Worker  DWORD		dwSSPIFlags;		/* SSL connection attributes we want */
*5e7646d2SAndroid Build Coastguard Worker  DWORD		dwSSPIOutFlags;		/* SSL connection attributes we got */
*5e7646d2SAndroid Build Coastguard Worker  TimeStamp	tsExpiry;		/* Time stamp */
*5e7646d2SAndroid Build Coastguard Worker  SECURITY_STATUS scRet;		/* Status */
*5e7646d2SAndroid Build Coastguard Worker  int		cbData;			/* Data count */
*5e7646d2SAndroid Build Coastguard Worker  SecBufferDesc	inBuffer;		/* Array of SecBuffer structs */
*5e7646d2SAndroid Build Coastguard Worker  SecBuffer	inBuffers[2];		/* Security package buffer */
*5e7646d2SAndroid Build Coastguard Worker  SecBufferDesc	outBuffer;		/* Array of SecBuffer structs */
*5e7646d2SAndroid Build Coastguard Worker  SecBuffer	outBuffers[1];		/* Security package buffer */
*5e7646d2SAndroid Build Coastguard Worker  int		ret = 0;		/* Return value */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  DEBUG_printf(("4http_sspi_client(http=%p, hostname=\"%s\")", http, hostname));
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  dwSSPIFlags = ISC_REQ_SEQUENCE_DETECT   |
*5e7646d2SAndroid Build Coastguard Worker                ISC_REQ_REPLAY_DETECT     |
*5e7646d2SAndroid Build Coastguard Worker                ISC_REQ_CONFIDENTIALITY   |
*5e7646d2SAndroid Build Coastguard Worker                ISC_RET_EXTENDED_ERROR    |
*5e7646d2SAndroid Build Coastguard Worker                ISC_REQ_ALLOCATE_MEMORY   |
*5e7646d2SAndroid Build Coastguard Worker                ISC_REQ_STREAM;
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker /*
*5e7646d2SAndroid Build Coastguard Worker  * Lookup the client certificate...
*5e7646d2SAndroid Build Coastguard Worker  */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (!http_sspi_find_credentials(http, L"ClientContainer", NULL))
*5e7646d2SAndroid Build Coastguard Worker  {
*5e7646d2SAndroid Build Coastguard Worker    DEBUG_puts("5http_sspi_client: Unable to get client credentials.");
*5e7646d2SAndroid Build Coastguard Worker    return (-1);
*5e7646d2SAndroid Build Coastguard Worker  }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker /*
*5e7646d2SAndroid Build Coastguard Worker  * Initiate a ClientHello message and generate a token.
*5e7646d2SAndroid Build Coastguard Worker  */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  outBuffers[0].pvBuffer   = NULL;
*5e7646d2SAndroid Build Coastguard Worker  outBuffers[0].BufferType = SECBUFFER_TOKEN;
*5e7646d2SAndroid Build Coastguard Worker  outBuffers[0].cbBuffer   = 0;
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  outBuffer.cBuffers  = 1;
*5e7646d2SAndroid Build Coastguard Worker  outBuffer.pBuffers  = outBuffers;
*5e7646d2SAndroid Build Coastguard Worker  outBuffer.ulVersion = SECBUFFER_VERSION;
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  scRet = InitializeSecurityContext(&sspi->creds, NULL, TEXT(""), dwSSPIFlags, 0, SECURITY_NATIVE_DREP, NULL, 0, &sspi->context, &outBuffer, &dwSSPIOutFlags, &tsExpiry);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (scRet != SEC_I_CONTINUE_NEEDED)
*5e7646d2SAndroid Build Coastguard Worker  {
*5e7646d2SAndroid Build Coastguard Worker    DEBUG_printf(("5http_sspi_client: InitializeSecurityContext(1) failed: %s", http_sspi_strerror(sspi->error, sizeof(sspi->error), scRet)));
*5e7646d2SAndroid Build Coastguard Worker    return (-1);
*5e7646d2SAndroid Build Coastguard Worker  }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker /*
*5e7646d2SAndroid Build Coastguard Worker  * Send response to server if there is one.
*5e7646d2SAndroid Build Coastguard Worker  */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (outBuffers[0].cbBuffer && outBuffers[0].pvBuffer)
*5e7646d2SAndroid Build Coastguard Worker  {
*5e7646d2SAndroid Build Coastguard Worker    if ((cbData = send(http->fd, outBuffers[0].pvBuffer, outBuffers[0].cbBuffer, 0)) <= 0)
*5e7646d2SAndroid Build Coastguard Worker    {
*5e7646d2SAndroid Build Coastguard Worker      DEBUG_printf(("5http_sspi_client: send failed: %d", WSAGetLastError()));
*5e7646d2SAndroid Build Coastguard Worker      FreeContextBuffer(outBuffers[0].pvBuffer);
*5e7646d2SAndroid Build Coastguard Worker      DeleteSecurityContext(&sspi->context);
*5e7646d2SAndroid Build Coastguard Worker      return (-1);
*5e7646d2SAndroid Build Coastguard Worker    }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    DEBUG_printf(("5http_sspi_client: %d bytes of handshake data sent.", cbData));
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    FreeContextBuffer(outBuffers[0].pvBuffer);
*5e7646d2SAndroid Build Coastguard Worker    outBuffers[0].pvBuffer = NULL;
*5e7646d2SAndroid Build Coastguard Worker  }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  dwSSPIFlags = ISC_REQ_MANUAL_CRED_VALIDATION |
*5e7646d2SAndroid Build Coastguard Worker		ISC_REQ_SEQUENCE_DETECT        |
*5e7646d2SAndroid Build Coastguard Worker                ISC_REQ_REPLAY_DETECT          |
*5e7646d2SAndroid Build Coastguard Worker                ISC_REQ_CONFIDENTIALITY        |
*5e7646d2SAndroid Build Coastguard Worker                ISC_RET_EXTENDED_ERROR         |
*5e7646d2SAndroid Build Coastguard Worker                ISC_REQ_ALLOCATE_MEMORY        |
*5e7646d2SAndroid Build Coastguard Worker                ISC_REQ_STREAM;
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  sspi->decryptBufferUsed = 0;
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker /*
*5e7646d2SAndroid Build Coastguard Worker  * Loop until the handshake is finished or an error occurs.
*5e7646d2SAndroid Build Coastguard Worker  */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  scRet = SEC_I_CONTINUE_NEEDED;
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  while(scRet == SEC_I_CONTINUE_NEEDED        ||
*5e7646d2SAndroid Build Coastguard Worker        scRet == SEC_E_INCOMPLETE_MESSAGE     ||
*5e7646d2SAndroid Build Coastguard Worker        scRet == SEC_I_INCOMPLETE_CREDENTIALS)
*5e7646d2SAndroid Build Coastguard Worker  {
*5e7646d2SAndroid Build Coastguard Worker    if (sspi->decryptBufferUsed == 0 || scRet == SEC_E_INCOMPLETE_MESSAGE)
*5e7646d2SAndroid Build Coastguard Worker    {
*5e7646d2SAndroid Build Coastguard Worker      if (sspi->decryptBufferLength <= sspi->decryptBufferUsed)
*5e7646d2SAndroid Build Coastguard Worker      {
*5e7646d2SAndroid Build Coastguard Worker	BYTE *temp;			/* New buffer */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker	if (sspi->decryptBufferLength >= 262144)
*5e7646d2SAndroid Build Coastguard Worker	{
*5e7646d2SAndroid Build Coastguard Worker	  WSASetLastError(E_OUTOFMEMORY);
*5e7646d2SAndroid Build Coastguard Worker	  DEBUG_puts("5http_sspi_client: Decryption buffer too large (>256k)");
*5e7646d2SAndroid Build Coastguard Worker	  return (-1);
*5e7646d2SAndroid Build Coastguard Worker	}
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker	if ((temp = realloc(sspi->decryptBuffer, sspi->decryptBufferLength + 4096)) == NULL)
*5e7646d2SAndroid Build Coastguard Worker	{
*5e7646d2SAndroid Build Coastguard Worker	  DEBUG_printf(("5http_sspi_client: Unable to allocate %d byte buffer.", sspi->decryptBufferLength + 4096));
*5e7646d2SAndroid Build Coastguard Worker	  WSASetLastError(E_OUTOFMEMORY);
*5e7646d2SAndroid Build Coastguard Worker	  return (-1);
*5e7646d2SAndroid Build Coastguard Worker	}
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker	sspi->decryptBufferLength += 4096;
*5e7646d2SAndroid Build Coastguard Worker	sspi->decryptBuffer       = temp;
*5e7646d2SAndroid Build Coastguard Worker      }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker      cbData = recv(http->fd, sspi->decryptBuffer + sspi->decryptBufferUsed, (int)(sspi->decryptBufferLength - sspi->decryptBufferUsed), 0);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker      if (cbData < 0)
*5e7646d2SAndroid Build Coastguard Worker      {
*5e7646d2SAndroid Build Coastguard Worker        DEBUG_printf(("5http_sspi_client: recv failed: %d", WSAGetLastError()));
*5e7646d2SAndroid Build Coastguard Worker        return (-1);
*5e7646d2SAndroid Build Coastguard Worker      }
*5e7646d2SAndroid Build Coastguard Worker      else if (cbData == 0)
*5e7646d2SAndroid Build Coastguard Worker      {
*5e7646d2SAndroid Build Coastguard Worker        DEBUG_printf(("5http_sspi_client: Server unexpectedly disconnected."));
*5e7646d2SAndroid Build Coastguard Worker        return (-1);
*5e7646d2SAndroid Build Coastguard Worker      }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker      DEBUG_printf(("5http_sspi_client: %d bytes of handshake data received", cbData));
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker      sspi->decryptBufferUsed += cbData;
*5e7646d2SAndroid Build Coastguard Worker    }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker   /*
*5e7646d2SAndroid Build Coastguard Worker    * Set up the input buffers. Buffer 0 is used to pass in data received from
*5e7646d2SAndroid Build Coastguard Worker    * the server.  Schannel will consume some or all of this.  Leftover data
*5e7646d2SAndroid Build Coastguard Worker    * (if any) will be placed in buffer 1 and given a buffer type of
*5e7646d2SAndroid Build Coastguard Worker    * SECBUFFER_EXTRA.
*5e7646d2SAndroid Build Coastguard Worker    */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    inBuffers[0].pvBuffer   = sspi->decryptBuffer;
*5e7646d2SAndroid Build Coastguard Worker    inBuffers[0].cbBuffer   = (unsigned long)sspi->decryptBufferUsed;
*5e7646d2SAndroid Build Coastguard Worker    inBuffers[0].BufferType = SECBUFFER_TOKEN;
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    inBuffers[1].pvBuffer   = NULL;
*5e7646d2SAndroid Build Coastguard Worker    inBuffers[1].cbBuffer   = 0;
*5e7646d2SAndroid Build Coastguard Worker    inBuffers[1].BufferType = SECBUFFER_EMPTY;
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    inBuffer.cBuffers       = 2;
*5e7646d2SAndroid Build Coastguard Worker    inBuffer.pBuffers       = inBuffers;
*5e7646d2SAndroid Build Coastguard Worker    inBuffer.ulVersion      = SECBUFFER_VERSION;
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker   /*
*5e7646d2SAndroid Build Coastguard Worker    * Set up the output buffers. These are initialized to NULL so as to make it
*5e7646d2SAndroid Build Coastguard Worker    * less likely we'll attempt to free random garbage later.
*5e7646d2SAndroid Build Coastguard Worker    */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    outBuffers[0].pvBuffer   = NULL;
*5e7646d2SAndroid Build Coastguard Worker    outBuffers[0].BufferType = SECBUFFER_TOKEN;
*5e7646d2SAndroid Build Coastguard Worker    outBuffers[0].cbBuffer   = 0;
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    outBuffer.cBuffers       = 1;
*5e7646d2SAndroid Build Coastguard Worker    outBuffer.pBuffers       = outBuffers;
*5e7646d2SAndroid Build Coastguard Worker    outBuffer.ulVersion      = SECBUFFER_VERSION;
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker   /*
*5e7646d2SAndroid Build Coastguard Worker    * Call InitializeSecurityContext.
*5e7646d2SAndroid Build Coastguard Worker    */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    scRet = InitializeSecurityContext(&sspi->creds, &sspi->context, NULL, dwSSPIFlags, 0, SECURITY_NATIVE_DREP, &inBuffer, 0, NULL, &outBuffer, &dwSSPIOutFlags, &tsExpiry);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker   /*
*5e7646d2SAndroid Build Coastguard Worker    * If InitializeSecurityContext was successful (or if the error was one of
*5e7646d2SAndroid Build Coastguard Worker    * the special extended ones), send the contents of the output buffer to the
*5e7646d2SAndroid Build Coastguard Worker    * server.
*5e7646d2SAndroid Build Coastguard Worker    */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    if (scRet == SEC_E_OK                ||
*5e7646d2SAndroid Build Coastguard Worker        scRet == SEC_I_CONTINUE_NEEDED   ||
*5e7646d2SAndroid Build Coastguard Worker        FAILED(scRet) && (dwSSPIOutFlags & ISC_RET_EXTENDED_ERROR))
*5e7646d2SAndroid Build Coastguard Worker    {
*5e7646d2SAndroid Build Coastguard Worker      if (outBuffers[0].cbBuffer && outBuffers[0].pvBuffer)
*5e7646d2SAndroid Build Coastguard Worker      {
*5e7646d2SAndroid Build Coastguard Worker        cbData = send(http->fd, outBuffers[0].pvBuffer, outBuffers[0].cbBuffer, 0);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker        if (cbData <= 0)
*5e7646d2SAndroid Build Coastguard Worker        {
*5e7646d2SAndroid Build Coastguard Worker          DEBUG_printf(("5http_sspi_client: send failed: %d", WSAGetLastError()));
*5e7646d2SAndroid Build Coastguard Worker          FreeContextBuffer(outBuffers[0].pvBuffer);
*5e7646d2SAndroid Build Coastguard Worker          DeleteSecurityContext(&sspi->context);
*5e7646d2SAndroid Build Coastguard Worker          return (-1);
*5e7646d2SAndroid Build Coastguard Worker        }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker        DEBUG_printf(("5http_sspi_client: %d bytes of handshake data sent.", cbData));
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker       /*
*5e7646d2SAndroid Build Coastguard Worker        * Free output buffer.
*5e7646d2SAndroid Build Coastguard Worker        */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker        FreeContextBuffer(outBuffers[0].pvBuffer);
*5e7646d2SAndroid Build Coastguard Worker        outBuffers[0].pvBuffer = NULL;
*5e7646d2SAndroid Build Coastguard Worker      }
*5e7646d2SAndroid Build Coastguard Worker    }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker   /*
*5e7646d2SAndroid Build Coastguard Worker    * If InitializeSecurityContext returned SEC_E_INCOMPLETE_MESSAGE, then we
*5e7646d2SAndroid Build Coastguard Worker    * need to read more data from the server and try again.
*5e7646d2SAndroid Build Coastguard Worker    */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    if (scRet == SEC_E_INCOMPLETE_MESSAGE)
*5e7646d2SAndroid Build Coastguard Worker      continue;
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker   /*
*5e7646d2SAndroid Build Coastguard Worker    * If InitializeSecurityContext returned SEC_E_OK, then the handshake
*5e7646d2SAndroid Build Coastguard Worker    * completed successfully.
*5e7646d2SAndroid Build Coastguard Worker    */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    if (scRet == SEC_E_OK)
*5e7646d2SAndroid Build Coastguard Worker    {
*5e7646d2SAndroid Build Coastguard Worker     /*
*5e7646d2SAndroid Build Coastguard Worker      * If the "extra" buffer contains data, this is encrypted application
*5e7646d2SAndroid Build Coastguard Worker      * protocol layer stuff. It needs to be saved. The application layer will
*5e7646d2SAndroid Build Coastguard Worker      * later decrypt it with DecryptMessage.
*5e7646d2SAndroid Build Coastguard Worker      */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker      DEBUG_puts("5http_sspi_client: Handshake was successful.");
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker      if (inBuffers[1].BufferType == SECBUFFER_EXTRA)
*5e7646d2SAndroid Build Coastguard Worker      {
*5e7646d2SAndroid Build Coastguard Worker        memmove(sspi->decryptBuffer, sspi->decryptBuffer + sspi->decryptBufferUsed - inBuffers[1].cbBuffer, inBuffers[1].cbBuffer);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker        sspi->decryptBufferUsed = inBuffers[1].cbBuffer;
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker        DEBUG_printf(("5http_sspi_client: %d bytes of app data was bundled with handshake data", sspi->decryptBufferUsed));
*5e7646d2SAndroid Build Coastguard Worker      }
*5e7646d2SAndroid Build Coastguard Worker      else
*5e7646d2SAndroid Build Coastguard Worker        sspi->decryptBufferUsed = 0;
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker     /*
*5e7646d2SAndroid Build Coastguard Worker      * Bail out to quit
*5e7646d2SAndroid Build Coastguard Worker      */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker      break;
*5e7646d2SAndroid Build Coastguard Worker    }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker   /*
*5e7646d2SAndroid Build Coastguard Worker    * Check for fatal error.
*5e7646d2SAndroid Build Coastguard Worker    */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    if (FAILED(scRet))
*5e7646d2SAndroid Build Coastguard Worker    {
*5e7646d2SAndroid Build Coastguard Worker      DEBUG_printf(("5http_sspi_client: InitializeSecurityContext(2) failed: %s", http_sspi_strerror(sspi->error, sizeof(sspi->error), scRet)));
*5e7646d2SAndroid Build Coastguard Worker      ret = -1;
*5e7646d2SAndroid Build Coastguard Worker      break;
*5e7646d2SAndroid Build Coastguard Worker    }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker   /*
*5e7646d2SAndroid Build Coastguard Worker    * If InitializeSecurityContext returned SEC_I_INCOMPLETE_CREDENTIALS,
*5e7646d2SAndroid Build Coastguard Worker    * then the server just requested client authentication.
*5e7646d2SAndroid Build Coastguard Worker    */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    if (scRet == SEC_I_INCOMPLETE_CREDENTIALS)
*5e7646d2SAndroid Build Coastguard Worker    {
*5e7646d2SAndroid Build Coastguard Worker     /*
*5e7646d2SAndroid Build Coastguard Worker      * Unimplemented
*5e7646d2SAndroid Build Coastguard Worker      */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker      DEBUG_printf(("5http_sspi_client: server requested client credentials."));
*5e7646d2SAndroid Build Coastguard Worker      ret = -1;
*5e7646d2SAndroid Build Coastguard Worker      break;
*5e7646d2SAndroid Build Coastguard Worker    }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker   /*
*5e7646d2SAndroid Build Coastguard Worker    * Copy any leftover data from the "extra" buffer, and go around again.
*5e7646d2SAndroid Build Coastguard Worker    */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    if (inBuffers[1].BufferType == SECBUFFER_EXTRA)
*5e7646d2SAndroid Build Coastguard Worker    {
*5e7646d2SAndroid Build Coastguard Worker      memmove(sspi->decryptBuffer, sspi->decryptBuffer + sspi->decryptBufferUsed - inBuffers[1].cbBuffer, inBuffers[1].cbBuffer);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker      sspi->decryptBufferUsed = inBuffers[1].cbBuffer;
*5e7646d2SAndroid Build Coastguard Worker    }
*5e7646d2SAndroid Build Coastguard Worker    else
*5e7646d2SAndroid Build Coastguard Worker    {
*5e7646d2SAndroid Build Coastguard Worker      sspi->decryptBufferUsed = 0;
*5e7646d2SAndroid Build Coastguard Worker    }
*5e7646d2SAndroid Build Coastguard Worker  }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (!ret)
*5e7646d2SAndroid Build Coastguard Worker  {
*5e7646d2SAndroid Build Coastguard Worker   /*
*5e7646d2SAndroid Build Coastguard Worker    * Success!  Get the server cert
*5e7646d2SAndroid Build Coastguard Worker    */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    sspi->contextInitialized = TRUE;
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    scRet = QueryContextAttributes(&sspi->context, SECPKG_ATTR_REMOTE_CERT_CONTEXT, (VOID *)&(sspi->remoteCert));
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    if (scRet != SEC_E_OK)
*5e7646d2SAndroid Build Coastguard Worker    {
*5e7646d2SAndroid Build Coastguard Worker      DEBUG_printf(("5http_sspi_client: QueryContextAttributes failed(SECPKG_ATTR_REMOTE_CERT_CONTEXT): %s", http_sspi_strerror(sspi->error, sizeof(sspi->error), scRet)));
*5e7646d2SAndroid Build Coastguard Worker      return (-1);
*5e7646d2SAndroid Build Coastguard Worker    }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker   /*
*5e7646d2SAndroid Build Coastguard Worker    * Find out how big the header/trailer will be:
*5e7646d2SAndroid Build Coastguard Worker    */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    scRet = QueryContextAttributes(&sspi->context, SECPKG_ATTR_STREAM_SIZES, &sspi->streamSizes);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    if (scRet != SEC_E_OK)
*5e7646d2SAndroid Build Coastguard Worker    {
*5e7646d2SAndroid Build Coastguard Worker      DEBUG_printf(("5http_sspi_client: QueryContextAttributes failed(SECPKG_ATTR_STREAM_SIZES): %s", http_sspi_strerror(sspi->error, sizeof(sspi->error), scRet)));
*5e7646d2SAndroid Build Coastguard Worker      ret = -1;
*5e7646d2SAndroid Build Coastguard Worker    }
*5e7646d2SAndroid Build Coastguard Worker  }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  return (ret);
*5e7646d2SAndroid Build Coastguard Worker}
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker/*
*5e7646d2SAndroid Build Coastguard Worker * 'http_sspi_create_credential()' - Create an SSPI certificate context.
*5e7646d2SAndroid Build Coastguard Worker */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Workerstatic PCCERT_CONTEXT			/* O - Certificate context */
*5e7646d2SAndroid Build Coastguard Workerhttp_sspi_create_credential(
*5e7646d2SAndroid Build Coastguard Worker    http_credential_t *cred)		/* I - Credential */
*5e7646d2SAndroid Build Coastguard Worker{
*5e7646d2SAndroid Build Coastguard Worker  if (cred)
*5e7646d2SAndroid Build Coastguard Worker    return (CertCreateCertificateContext(X509_ASN_ENCODING, cred->data, cred->datalen));
*5e7646d2SAndroid Build Coastguard Worker  else
*5e7646d2SAndroid Build Coastguard Worker    return (NULL);
*5e7646d2SAndroid Build Coastguard Worker}
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker/*
*5e7646d2SAndroid Build Coastguard Worker * 'http_sspi_find_credentials()' - Retrieve a TLS certificate from the system store.
*5e7646d2SAndroid Build Coastguard Worker */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Workerstatic BOOL				/* O - 1 on success, 0 on failure */
*5e7646d2SAndroid Build Coastguard Workerhttp_sspi_find_credentials(
*5e7646d2SAndroid Build Coastguard Worker    http_t       *http,			/* I - HTTP connection */
*5e7646d2SAndroid Build Coastguard Worker    const LPWSTR container,		/* I - Cert container name */
*5e7646d2SAndroid Build Coastguard Worker    const char   *common_name)		/* I - Common name of certificate */
*5e7646d2SAndroid Build Coastguard Worker{
*5e7646d2SAndroid Build Coastguard Worker  _http_sspi_t	*sspi = http->tls;	/* SSPI data */
*5e7646d2SAndroid Build Coastguard Worker  HCERTSTORE	store = NULL;		/* Certificate store */
*5e7646d2SAndroid Build Coastguard Worker  PCCERT_CONTEXT storedContext = NULL;	/* Context created from the store */
*5e7646d2SAndroid Build Coastguard Worker  DWORD		dwSize = 0; 		/* 32 bit size */
*5e7646d2SAndroid Build Coastguard Worker  PBYTE		p = NULL;		/* Temporary storage */
*5e7646d2SAndroid Build Coastguard Worker  HCRYPTPROV	hProv = (HCRYPTPROV)NULL;
*5e7646d2SAndroid Build Coastguard Worker					/* Handle to a CSP */
*5e7646d2SAndroid Build Coastguard Worker  CERT_NAME_BLOB sib;			/* Arbitrary array of bytes */
*5e7646d2SAndroid Build Coastguard Worker  SCHANNEL_CRED	SchannelCred;		/* Schannel credential data */
*5e7646d2SAndroid Build Coastguard Worker  TimeStamp	tsExpiry;		/* Time stamp */
*5e7646d2SAndroid Build Coastguard Worker  SECURITY_STATUS Status;		/* Status */
*5e7646d2SAndroid Build Coastguard Worker  BOOL		ok = TRUE;		/* Return value */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (!CryptAcquireContextW(&hProv, (LPWSTR)container, MS_DEF_PROV_W, PROV_RSA_FULL, CRYPT_NEWKEYSET | CRYPT_MACHINE_KEYSET))
*5e7646d2SAndroid Build Coastguard Worker  {
*5e7646d2SAndroid Build Coastguard Worker    if (GetLastError() == NTE_EXISTS)
*5e7646d2SAndroid Build Coastguard Worker    {
*5e7646d2SAndroid Build Coastguard Worker      if (!CryptAcquireContextW(&hProv, (LPWSTR)container, MS_DEF_PROV_W, PROV_RSA_FULL, CRYPT_MACHINE_KEYSET))
*5e7646d2SAndroid Build Coastguard Worker      {
*5e7646d2SAndroid Build Coastguard Worker        DEBUG_printf(("5http_sspi_find_credentials: CryptAcquireContext failed: %s", http_sspi_strerror(sspi->error, sizeof(sspi->error), GetLastError())));
*5e7646d2SAndroid Build Coastguard Worker        ok = FALSE;
*5e7646d2SAndroid Build Coastguard Worker        goto cleanup;
*5e7646d2SAndroid Build Coastguard Worker      }
*5e7646d2SAndroid Build Coastguard Worker    }
*5e7646d2SAndroid Build Coastguard Worker  }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  store = CertOpenStore(CERT_STORE_PROV_SYSTEM, X509_ASN_ENCODING|PKCS_7_ASN_ENCODING, hProv, CERT_SYSTEM_STORE_LOCAL_MACHINE | CERT_STORE_NO_CRYPT_RELEASE_FLAG | CERT_STORE_OPEN_EXISTING_FLAG, L"MY");
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (!store)
*5e7646d2SAndroid Build Coastguard Worker  {
*5e7646d2SAndroid Build Coastguard Worker    DEBUG_printf(("5http_sspi_find_credentials: CertOpenSystemStore failed: %s", http_sspi_strerror(sspi->error, sizeof(sspi->error), GetLastError())));
*5e7646d2SAndroid Build Coastguard Worker    ok = FALSE;
*5e7646d2SAndroid Build Coastguard Worker    goto cleanup;
*5e7646d2SAndroid Build Coastguard Worker  }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (common_name)
*5e7646d2SAndroid Build Coastguard Worker  {
*5e7646d2SAndroid Build Coastguard Worker    dwSize = 0;
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    if (!CertStrToNameA(X509_ASN_ENCODING, common_name, CERT_OID_NAME_STR, NULL, NULL, &dwSize, NULL))
*5e7646d2SAndroid Build Coastguard Worker    {
*5e7646d2SAndroid Build Coastguard Worker      DEBUG_printf(("5http_sspi_find_credentials: CertStrToName failed: %s", http_sspi_strerror(sspi->error, sizeof(sspi->error), GetLastError())));
*5e7646d2SAndroid Build Coastguard Worker      ok = FALSE;
*5e7646d2SAndroid Build Coastguard Worker      goto cleanup;
*5e7646d2SAndroid Build Coastguard Worker    }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    p = (PBYTE)malloc(dwSize);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    if (!p)
*5e7646d2SAndroid Build Coastguard Worker    {
*5e7646d2SAndroid Build Coastguard Worker      DEBUG_printf(("5http_sspi_find_credentials: malloc failed for %d bytes.", dwSize));
*5e7646d2SAndroid Build Coastguard Worker      ok = FALSE;
*5e7646d2SAndroid Build Coastguard Worker      goto cleanup;
*5e7646d2SAndroid Build Coastguard Worker    }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    if (!CertStrToNameA(X509_ASN_ENCODING, common_name, CERT_OID_NAME_STR, NULL, p, &dwSize, NULL))
*5e7646d2SAndroid Build Coastguard Worker    {
*5e7646d2SAndroid Build Coastguard Worker      DEBUG_printf(("5http_sspi_find_credentials: CertStrToName failed: %s", http_sspi_strerror(sspi->error, sizeof(sspi->error), GetLastError())));
*5e7646d2SAndroid Build Coastguard Worker      ok = FALSE;
*5e7646d2SAndroid Build Coastguard Worker      goto cleanup;
*5e7646d2SAndroid Build Coastguard Worker    }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    sib.cbData = dwSize;
*5e7646d2SAndroid Build Coastguard Worker    sib.pbData = p;
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    storedContext = CertFindCertificateInStore(store, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 0, CERT_FIND_SUBJECT_NAME, &sib, NULL);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    if (!storedContext)
*5e7646d2SAndroid Build Coastguard Worker    {
*5e7646d2SAndroid Build Coastguard Worker      DEBUG_printf(("5http_sspi_find_credentials: Unable to find credentials for \"%s\".", common_name));
*5e7646d2SAndroid Build Coastguard Worker      ok = FALSE;
*5e7646d2SAndroid Build Coastguard Worker      goto cleanup;
*5e7646d2SAndroid Build Coastguard Worker    }
*5e7646d2SAndroid Build Coastguard Worker  }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  ZeroMemory(&SchannelCred, sizeof(SchannelCred));
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  SchannelCred.dwVersion = SCHANNEL_CRED_VERSION;
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (common_name)
*5e7646d2SAndroid Build Coastguard Worker  {
*5e7646d2SAndroid Build Coastguard Worker    SchannelCred.cCreds = 1;
*5e7646d2SAndroid Build Coastguard Worker    SchannelCred.paCred = &storedContext;
*5e7646d2SAndroid Build Coastguard Worker  }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker /*
*5e7646d2SAndroid Build Coastguard Worker  * Set supported protocols (can also be overriden in the registry...)
*5e7646d2SAndroid Build Coastguard Worker  */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker#ifdef SP_PROT_TLS1_2_SERVER
*5e7646d2SAndroid Build Coastguard Worker  if (http->mode == _HTTP_MODE_SERVER)
*5e7646d2SAndroid Build Coastguard Worker  {
*5e7646d2SAndroid Build Coastguard Worker    if (tls_min_version > _HTTP_TLS_1_1)
*5e7646d2SAndroid Build Coastguard Worker      SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_2_SERVER;
*5e7646d2SAndroid Build Coastguard Worker    else if (tls_min_version > _HTTP_TLS_1_0)
*5e7646d2SAndroid Build Coastguard Worker      SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_2_SERVER | SP_PROT_TLS1_1_SERVER;
*5e7646d2SAndroid Build Coastguard Worker    else if (tls_min_version == _HTTP_TLS_SSL3)
*5e7646d2SAndroid Build Coastguard Worker      SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_2_SERVER | SP_PROT_TLS1_1_SERVER | SP_PROT_TLS1_0_SERVER | SP_PROT_SSL3_SERVER;
*5e7646d2SAndroid Build Coastguard Worker    else
*5e7646d2SAndroid Build Coastguard Worker      SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_2_SERVER | SP_PROT_TLS1_1_SERVER | SP_PROT_TLS1_0_SERVER;
*5e7646d2SAndroid Build Coastguard Worker  }
*5e7646d2SAndroid Build Coastguard Worker  else
*5e7646d2SAndroid Build Coastguard Worker  {
*5e7646d2SAndroid Build Coastguard Worker    if (tls_min_version > _HTTP_TLS_1_1)
*5e7646d2SAndroid Build Coastguard Worker      SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_2_CLIENT;
*5e7646d2SAndroid Build Coastguard Worker    else if (tls_min_version > _HTTP_TLS_1_0)
*5e7646d2SAndroid Build Coastguard Worker      SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_2_CLIENT | SP_PROT_TLS1_1_CLIENT;
*5e7646d2SAndroid Build Coastguard Worker    else if (tls_min_version == _HTTP_TLS_SSL3)
*5e7646d2SAndroid Build Coastguard Worker      SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_2_CLIENT | SP_PROT_TLS1_1_CLIENT | SP_PROT_TLS1_0_CLIENT | SP_PROT_SSL3_CLIENT;
*5e7646d2SAndroid Build Coastguard Worker    else
*5e7646d2SAndroid Build Coastguard Worker      SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_2_CLIENT | SP_PROT_TLS1_1_CLIENT | SP_PROT_TLS1_0_CLIENT;
*5e7646d2SAndroid Build Coastguard Worker  }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker#else
*5e7646d2SAndroid Build Coastguard Worker  if (http->mode == _HTTP_MODE_SERVER)
*5e7646d2SAndroid Build Coastguard Worker  {
*5e7646d2SAndroid Build Coastguard Worker    if (tls_min_version == _HTTP_TLS_SSL3)
*5e7646d2SAndroid Build Coastguard Worker      SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_SERVER | SP_PROT_SSL3_SERVER;
*5e7646d2SAndroid Build Coastguard Worker    else
*5e7646d2SAndroid Build Coastguard Worker      SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_SERVER;
*5e7646d2SAndroid Build Coastguard Worker  }
*5e7646d2SAndroid Build Coastguard Worker  else
*5e7646d2SAndroid Build Coastguard Worker  {
*5e7646d2SAndroid Build Coastguard Worker    if (tls_min_version == _HTTP_TLS_SSL3)
*5e7646d2SAndroid Build Coastguard Worker      SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_CLIENT | SP_PROT_SSL3_CLIENT;
*5e7646d2SAndroid Build Coastguard Worker    else
*5e7646d2SAndroid Build Coastguard Worker      SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_CLIENT;
*5e7646d2SAndroid Build Coastguard Worker  }
*5e7646d2SAndroid Build Coastguard Worker#endif /* SP_PROT_TLS1_2_SERVER */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  /* TODO: Support _HTTP_TLS_ALLOW_RC4, _HTTP_TLS_ALLOW_DH, and _HTTP_TLS_DENY_CBC options; right now we'll rely on Windows registry to enable/disable RC4/DH/CBC... */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker /*
*5e7646d2SAndroid Build Coastguard Worker  * Create an SSPI credential.
*5e7646d2SAndroid Build Coastguard Worker  */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  Status = AcquireCredentialsHandle(NULL, UNISP_NAME, http->mode == _HTTP_MODE_SERVER ? SECPKG_CRED_INBOUND : SECPKG_CRED_OUTBOUND, NULL, &SchannelCred, NULL, NULL, &sspi->creds, &tsExpiry);
*5e7646d2SAndroid Build Coastguard Worker  if (Status != SEC_E_OK)
*5e7646d2SAndroid Build Coastguard Worker  {
*5e7646d2SAndroid Build Coastguard Worker    DEBUG_printf(("5http_sspi_find_credentials: AcquireCredentialsHandle failed: %s", http_sspi_strerror(sspi->error, sizeof(sspi->error), Status)));
*5e7646d2SAndroid Build Coastguard Worker    ok = FALSE;
*5e7646d2SAndroid Build Coastguard Worker    goto cleanup;
*5e7646d2SAndroid Build Coastguard Worker  }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Workercleanup:
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker /*
*5e7646d2SAndroid Build Coastguard Worker  * Cleanup
*5e7646d2SAndroid Build Coastguard Worker  */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (storedContext)
*5e7646d2SAndroid Build Coastguard Worker    CertFreeCertificateContext(storedContext);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (p)
*5e7646d2SAndroid Build Coastguard Worker    free(p);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (store)
*5e7646d2SAndroid Build Coastguard Worker    CertCloseStore(store, 0);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (hProv)
*5e7646d2SAndroid Build Coastguard Worker    CryptReleaseContext(hProv, 0);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  return (ok);
*5e7646d2SAndroid Build Coastguard Worker}
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker/*
*5e7646d2SAndroid Build Coastguard Worker * 'http_sspi_free()' - Close a connection and free resources.
*5e7646d2SAndroid Build Coastguard Worker */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Workerstatic void
*5e7646d2SAndroid Build Coastguard Workerhttp_sspi_free(_http_sspi_t *sspi)	/* I - SSPI data */
*5e7646d2SAndroid Build Coastguard Worker{
*5e7646d2SAndroid Build Coastguard Worker  if (!sspi)
*5e7646d2SAndroid Build Coastguard Worker    return;
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (sspi->contextInitialized)
*5e7646d2SAndroid Build Coastguard Worker    DeleteSecurityContext(&sspi->context);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (sspi->decryptBuffer)
*5e7646d2SAndroid Build Coastguard Worker    free(sspi->decryptBuffer);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (sspi->readBuffer)
*5e7646d2SAndroid Build Coastguard Worker    free(sspi->readBuffer);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (sspi->writeBuffer)
*5e7646d2SAndroid Build Coastguard Worker    free(sspi->writeBuffer);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (sspi->localCert)
*5e7646d2SAndroid Build Coastguard Worker    CertFreeCertificateContext(sspi->localCert);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (sspi->remoteCert)
*5e7646d2SAndroid Build Coastguard Worker    CertFreeCertificateContext(sspi->remoteCert);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  free(sspi);
*5e7646d2SAndroid Build Coastguard Worker}
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker/*
*5e7646d2SAndroid Build Coastguard Worker * 'http_sspi_make_credentials()' - Create a TLS certificate in the system store.
*5e7646d2SAndroid Build Coastguard Worker */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Workerstatic BOOL				/* O - 1 on success, 0 on failure */
*5e7646d2SAndroid Build Coastguard Workerhttp_sspi_make_credentials(
*5e7646d2SAndroid Build Coastguard Worker    _http_sspi_t *sspi,			/* I - SSPI data */
*5e7646d2SAndroid Build Coastguard Worker    const LPWSTR container,		/* I - Cert container name */
*5e7646d2SAndroid Build Coastguard Worker    const char   *common_name,		/* I - Common name of certificate */
*5e7646d2SAndroid Build Coastguard Worker    _http_mode_t mode,			/* I - Client or server? */
*5e7646d2SAndroid Build Coastguard Worker    int          years)			/* I - Years until expiration */
*5e7646d2SAndroid Build Coastguard Worker{
*5e7646d2SAndroid Build Coastguard Worker  HCERTSTORE	store = NULL;		/* Certificate store */
*5e7646d2SAndroid Build Coastguard Worker  PCCERT_CONTEXT storedContext = NULL;	/* Context created from the store */
*5e7646d2SAndroid Build Coastguard Worker  PCCERT_CONTEXT createdContext = NULL;	/* Context created by us */
*5e7646d2SAndroid Build Coastguard Worker  DWORD		dwSize = 0; 		/* 32 bit size */
*5e7646d2SAndroid Build Coastguard Worker  PBYTE		p = NULL;		/* Temporary storage */
*5e7646d2SAndroid Build Coastguard Worker  HCRYPTPROV	hProv = (HCRYPTPROV)NULL;
*5e7646d2SAndroid Build Coastguard Worker					/* Handle to a CSP */
*5e7646d2SAndroid Build Coastguard Worker  CERT_NAME_BLOB sib;			/* Arbitrary array of bytes */
*5e7646d2SAndroid Build Coastguard Worker  SCHANNEL_CRED	SchannelCred;		/* Schannel credential data */
*5e7646d2SAndroid Build Coastguard Worker  TimeStamp	tsExpiry;		/* Time stamp */
*5e7646d2SAndroid Build Coastguard Worker  SECURITY_STATUS Status;		/* Status */
*5e7646d2SAndroid Build Coastguard Worker  HCRYPTKEY	hKey = (HCRYPTKEY)NULL;	/* Handle to crypto key */
*5e7646d2SAndroid Build Coastguard Worker  CRYPT_KEY_PROV_INFO kpi;		/* Key container info */
*5e7646d2SAndroid Build Coastguard Worker  SYSTEMTIME	et;			/* System time */
*5e7646d2SAndroid Build Coastguard Worker  CERT_EXTENSIONS exts;			/* Array of cert extensions */
*5e7646d2SAndroid Build Coastguard Worker  CRYPT_KEY_PROV_INFO ckp;		/* Handle to crypto key */
*5e7646d2SAndroid Build Coastguard Worker  BOOL		ok = TRUE;		/* Return value */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  DEBUG_printf(("4http_sspi_make_credentials(sspi=%p, container=%p, common_name=\"%s\", mode=%d, years=%d)", sspi, container, common_name, mode, years));
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (!CryptAcquireContextW(&hProv, (LPWSTR)container, MS_DEF_PROV_W, PROV_RSA_FULL, CRYPT_NEWKEYSET | CRYPT_MACHINE_KEYSET))
*5e7646d2SAndroid Build Coastguard Worker  {
*5e7646d2SAndroid Build Coastguard Worker    if (GetLastError() == NTE_EXISTS)
*5e7646d2SAndroid Build Coastguard Worker    {
*5e7646d2SAndroid Build Coastguard Worker      if (!CryptAcquireContextW(&hProv, (LPWSTR)container, MS_DEF_PROV_W, PROV_RSA_FULL, CRYPT_MACHINE_KEYSET))
*5e7646d2SAndroid Build Coastguard Worker      {
*5e7646d2SAndroid Build Coastguard Worker        DEBUG_printf(("5http_sspi_make_credentials: CryptAcquireContext failed: %s", http_sspi_strerror(sspi->error, sizeof(sspi->error), GetLastError())));
*5e7646d2SAndroid Build Coastguard Worker        ok = FALSE;
*5e7646d2SAndroid Build Coastguard Worker        goto cleanup;
*5e7646d2SAndroid Build Coastguard Worker      }
*5e7646d2SAndroid Build Coastguard Worker    }
*5e7646d2SAndroid Build Coastguard Worker  }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  store = CertOpenStore(CERT_STORE_PROV_SYSTEM, X509_ASN_ENCODING|PKCS_7_ASN_ENCODING, hProv, CERT_SYSTEM_STORE_LOCAL_MACHINE | CERT_STORE_NO_CRYPT_RELEASE_FLAG | CERT_STORE_OPEN_EXISTING_FLAG, L"MY");
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (!store)
*5e7646d2SAndroid Build Coastguard Worker  {
*5e7646d2SAndroid Build Coastguard Worker    DEBUG_printf(("5http_sspi_make_credentials: CertOpenSystemStore failed: %s", http_sspi_strerror(sspi->error, sizeof(sspi->error), GetLastError())));
*5e7646d2SAndroid Build Coastguard Worker    ok = FALSE;
*5e7646d2SAndroid Build Coastguard Worker    goto cleanup;
*5e7646d2SAndroid Build Coastguard Worker  }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  dwSize = 0;
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (!CertStrToNameA(X509_ASN_ENCODING, common_name, CERT_OID_NAME_STR, NULL, NULL, &dwSize, NULL))
*5e7646d2SAndroid Build Coastguard Worker  {
*5e7646d2SAndroid Build Coastguard Worker    DEBUG_printf(("5http_sspi_make_credentials: CertStrToName failed: %s", http_sspi_strerror(sspi->error, sizeof(sspi->error), GetLastError())));
*5e7646d2SAndroid Build Coastguard Worker    ok = FALSE;
*5e7646d2SAndroid Build Coastguard Worker    goto cleanup;
*5e7646d2SAndroid Build Coastguard Worker  }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  p = (PBYTE)malloc(dwSize);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (!p)
*5e7646d2SAndroid Build Coastguard Worker  {
*5e7646d2SAndroid Build Coastguard Worker    DEBUG_printf(("5http_sspi_make_credentials: malloc failed for %d bytes", dwSize));
*5e7646d2SAndroid Build Coastguard Worker    ok = FALSE;
*5e7646d2SAndroid Build Coastguard Worker    goto cleanup;
*5e7646d2SAndroid Build Coastguard Worker  }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (!CertStrToNameA(X509_ASN_ENCODING, common_name, CERT_OID_NAME_STR, NULL, p, &dwSize, NULL))
*5e7646d2SAndroid Build Coastguard Worker  {
*5e7646d2SAndroid Build Coastguard Worker    DEBUG_printf(("5http_sspi_make_credentials: CertStrToName failed: %s", http_sspi_strerror(sspi->error, sizeof(sspi->error), GetLastError())));
*5e7646d2SAndroid Build Coastguard Worker    ok = FALSE;
*5e7646d2SAndroid Build Coastguard Worker    goto cleanup;
*5e7646d2SAndroid Build Coastguard Worker  }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker /*
*5e7646d2SAndroid Build Coastguard Worker  * Create a private key and self-signed certificate...
*5e7646d2SAndroid Build Coastguard Worker  */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (!CryptGenKey(hProv, AT_KEYEXCHANGE, CRYPT_EXPORTABLE, &hKey))
*5e7646d2SAndroid Build Coastguard Worker  {
*5e7646d2SAndroid Build Coastguard Worker    DEBUG_printf(("5http_sspi_make_credentials: CryptGenKey failed: %s", http_sspi_strerror(sspi->error, sizeof(sspi->error), GetLastError())));
*5e7646d2SAndroid Build Coastguard Worker    ok = FALSE;
*5e7646d2SAndroid Build Coastguard Worker    goto cleanup;
*5e7646d2SAndroid Build Coastguard Worker  }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  ZeroMemory(&kpi, sizeof(kpi));
*5e7646d2SAndroid Build Coastguard Worker  kpi.pwszContainerName = (LPWSTR)container;
*5e7646d2SAndroid Build Coastguard Worker  kpi.pwszProvName      = MS_DEF_PROV_W;
*5e7646d2SAndroid Build Coastguard Worker  kpi.dwProvType        = PROV_RSA_FULL;
*5e7646d2SAndroid Build Coastguard Worker  kpi.dwFlags           = CERT_SET_KEY_CONTEXT_PROP_ID;
*5e7646d2SAndroid Build Coastguard Worker  kpi.dwKeySpec         = AT_KEYEXCHANGE;
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  GetSystemTime(&et);
*5e7646d2SAndroid Build Coastguard Worker  et.wYear += years;
*5e7646d2SAndroid Build Coastguard Worker  if (et.wMonth == 2 && et.wDay == 29)
*5e7646d2SAndroid Build Coastguard Worker    et.wDay = 28;			/* Avoid Feb 29th due to leap years */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  ZeroMemory(&exts, sizeof(exts));
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  createdContext = CertCreateSelfSignCertificate(hProv, &sib, 0, &kpi, NULL, NULL, &et, &exts);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (!createdContext)
*5e7646d2SAndroid Build Coastguard Worker  {
*5e7646d2SAndroid Build Coastguard Worker    DEBUG_printf(("5http_sspi_make_credentials: CertCreateSelfSignCertificate failed: %s", http_sspi_strerror(sspi->error, sizeof(sspi->error), GetLastError())));
*5e7646d2SAndroid Build Coastguard Worker    ok = FALSE;
*5e7646d2SAndroid Build Coastguard Worker    goto cleanup;
*5e7646d2SAndroid Build Coastguard Worker  }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker /*
*5e7646d2SAndroid Build Coastguard Worker  * Add the created context to the named store, and associate it with the named
*5e7646d2SAndroid Build Coastguard Worker  * container...
*5e7646d2SAndroid Build Coastguard Worker  */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (!CertAddCertificateContextToStore(store, createdContext, CERT_STORE_ADD_REPLACE_EXISTING, &storedContext))
*5e7646d2SAndroid Build Coastguard Worker  {
*5e7646d2SAndroid Build Coastguard Worker    DEBUG_printf(("5http_sspi_make_credentials: CertAddCertificateContextToStore failed: %s", http_sspi_strerror(sspi->error, sizeof(sspi->error), GetLastError())));
*5e7646d2SAndroid Build Coastguard Worker    ok = FALSE;
*5e7646d2SAndroid Build Coastguard Worker    goto cleanup;
*5e7646d2SAndroid Build Coastguard Worker  }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  ZeroMemory(&ckp, sizeof(ckp));
*5e7646d2SAndroid Build Coastguard Worker  ckp.pwszContainerName = (LPWSTR) container;
*5e7646d2SAndroid Build Coastguard Worker  ckp.pwszProvName      = MS_DEF_PROV_W;
*5e7646d2SAndroid Build Coastguard Worker  ckp.dwProvType        = PROV_RSA_FULL;
*5e7646d2SAndroid Build Coastguard Worker  ckp.dwFlags           = CRYPT_MACHINE_KEYSET;
*5e7646d2SAndroid Build Coastguard Worker  ckp.dwKeySpec         = AT_KEYEXCHANGE;
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (!CertSetCertificateContextProperty(storedContext, CERT_KEY_PROV_INFO_PROP_ID, 0, &ckp))
*5e7646d2SAndroid Build Coastguard Worker  {
*5e7646d2SAndroid Build Coastguard Worker    DEBUG_printf(("5http_sspi_make_credentials: CertSetCertificateContextProperty failed: %s", http_sspi_strerror(sspi->error, sizeof(sspi->error), GetLastError())));
*5e7646d2SAndroid Build Coastguard Worker    ok = FALSE;
*5e7646d2SAndroid Build Coastguard Worker    goto cleanup;
*5e7646d2SAndroid Build Coastguard Worker  }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker /*
*5e7646d2SAndroid Build Coastguard Worker  * Get a handle to use the certificate...
*5e7646d2SAndroid Build Coastguard Worker  */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  ZeroMemory(&SchannelCred, sizeof(SchannelCred));
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  SchannelCred.dwVersion = SCHANNEL_CRED_VERSION;
*5e7646d2SAndroid Build Coastguard Worker  SchannelCred.cCreds    = 1;
*5e7646d2SAndroid Build Coastguard Worker  SchannelCred.paCred    = &storedContext;
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker /*
*5e7646d2SAndroid Build Coastguard Worker  * Create an SSPI credential.
*5e7646d2SAndroid Build Coastguard Worker  */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  Status = AcquireCredentialsHandle(NULL, UNISP_NAME, mode == _HTTP_MODE_SERVER ? SECPKG_CRED_INBOUND : SECPKG_CRED_OUTBOUND, NULL, &SchannelCred, NULL, NULL, &sspi->creds, &tsExpiry);
*5e7646d2SAndroid Build Coastguard Worker  if (Status != SEC_E_OK)
*5e7646d2SAndroid Build Coastguard Worker  {
*5e7646d2SAndroid Build Coastguard Worker    DEBUG_printf(("5http_sspi_make_credentials: AcquireCredentialsHandle failed: %s", http_sspi_strerror(sspi->error, sizeof(sspi->error), Status)));
*5e7646d2SAndroid Build Coastguard Worker    ok = FALSE;
*5e7646d2SAndroid Build Coastguard Worker    goto cleanup;
*5e7646d2SAndroid Build Coastguard Worker  }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Workercleanup:
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker /*
*5e7646d2SAndroid Build Coastguard Worker  * Cleanup
*5e7646d2SAndroid Build Coastguard Worker  */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (hKey)
*5e7646d2SAndroid Build Coastguard Worker    CryptDestroyKey(hKey);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (createdContext)
*5e7646d2SAndroid Build Coastguard Worker    CertFreeCertificateContext(createdContext);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (storedContext)
*5e7646d2SAndroid Build Coastguard Worker    CertFreeCertificateContext(storedContext);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (p)
*5e7646d2SAndroid Build Coastguard Worker    free(p);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (store)
*5e7646d2SAndroid Build Coastguard Worker    CertCloseStore(store, 0);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (hProv)
*5e7646d2SAndroid Build Coastguard Worker    CryptReleaseContext(hProv, 0);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  return (ok);
*5e7646d2SAndroid Build Coastguard Worker}
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker/*
*5e7646d2SAndroid Build Coastguard Worker * 'http_sspi_server()' - Negotiate a TLS connection as a server.
*5e7646d2SAndroid Build Coastguard Worker */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Workerstatic int				/* O - 0 on success, -1 on failure */
*5e7646d2SAndroid Build Coastguard Workerhttp_sspi_server(http_t     *http,	/* I - HTTP connection */
*5e7646d2SAndroid Build Coastguard Worker                 const char *hostname)	/* I - Hostname of server */
*5e7646d2SAndroid Build Coastguard Worker{
*5e7646d2SAndroid Build Coastguard Worker  _http_sspi_t	*sspi = http->tls;	/* I - SSPI data */
*5e7646d2SAndroid Build Coastguard Worker  char		common_name[512];	/* Common name for cert */
*5e7646d2SAndroid Build Coastguard Worker  DWORD		dwSSPIFlags;		/* SSL connection attributes we want */
*5e7646d2SAndroid Build Coastguard Worker  DWORD		dwSSPIOutFlags;		/* SSL connection attributes we got */
*5e7646d2SAndroid Build Coastguard Worker  TimeStamp	tsExpiry;		/* Time stamp */
*5e7646d2SAndroid Build Coastguard Worker  SECURITY_STATUS scRet;		/* SSPI Status */
*5e7646d2SAndroid Build Coastguard Worker  SecBufferDesc	inBuffer;		/* Array of SecBuffer structs */
*5e7646d2SAndroid Build Coastguard Worker  SecBuffer	inBuffers[2];		/* Security package buffer */
*5e7646d2SAndroid Build Coastguard Worker  SecBufferDesc	outBuffer;		/* Array of SecBuffer structs */
*5e7646d2SAndroid Build Coastguard Worker  SecBuffer	outBuffers[1];		/* Security package buffer */
*5e7646d2SAndroid Build Coastguard Worker  int		num = 0;		/* 32 bit status value */
*5e7646d2SAndroid Build Coastguard Worker  BOOL		fInitContext = TRUE;	/* Has the context been init'd? */
*5e7646d2SAndroid Build Coastguard Worker  int		ret = 0;		/* Return value */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  DEBUG_printf(("4http_sspi_server(http=%p, hostname=\"%s\")", http, hostname));
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  dwSSPIFlags = ASC_REQ_SEQUENCE_DETECT  |
*5e7646d2SAndroid Build Coastguard Worker                ASC_REQ_REPLAY_DETECT    |
*5e7646d2SAndroid Build Coastguard Worker                ASC_REQ_CONFIDENTIALITY  |
*5e7646d2SAndroid Build Coastguard Worker                ASC_REQ_EXTENDED_ERROR   |
*5e7646d2SAndroid Build Coastguard Worker                ASC_REQ_ALLOCATE_MEMORY  |
*5e7646d2SAndroid Build Coastguard Worker                ASC_REQ_STREAM;
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  sspi->decryptBufferUsed = 0;
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker /*
*5e7646d2SAndroid Build Coastguard Worker  * Lookup the server certificate...
*5e7646d2SAndroid Build Coastguard Worker  */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  snprintf(common_name, sizeof(common_name), "CN=%s", hostname);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (!http_sspi_find_credentials(http, L"ServerContainer", common_name))
*5e7646d2SAndroid Build Coastguard Worker    if (!http_sspi_make_credentials(http->tls, L"ServerContainer", common_name, _HTTP_MODE_SERVER, 10))
*5e7646d2SAndroid Build Coastguard Worker    {
*5e7646d2SAndroid Build Coastguard Worker      DEBUG_puts("5http_sspi_server: Unable to get server credentials.");
*5e7646d2SAndroid Build Coastguard Worker      return (-1);
*5e7646d2SAndroid Build Coastguard Worker    }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker /*
*5e7646d2SAndroid Build Coastguard Worker  * Set OutBuffer for AcceptSecurityContext call
*5e7646d2SAndroid Build Coastguard Worker  */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  outBuffer.cBuffers  = 1;
*5e7646d2SAndroid Build Coastguard Worker  outBuffer.pBuffers  = outBuffers;
*5e7646d2SAndroid Build Coastguard Worker  outBuffer.ulVersion = SECBUFFER_VERSION;
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  scRet = SEC_I_CONTINUE_NEEDED;
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  while (scRet == SEC_I_CONTINUE_NEEDED    ||
*5e7646d2SAndroid Build Coastguard Worker         scRet == SEC_E_INCOMPLETE_MESSAGE ||
*5e7646d2SAndroid Build Coastguard Worker         scRet == SEC_I_INCOMPLETE_CREDENTIALS)
*5e7646d2SAndroid Build Coastguard Worker  {
*5e7646d2SAndroid Build Coastguard Worker    if (sspi->decryptBufferUsed == 0 || scRet == SEC_E_INCOMPLETE_MESSAGE)
*5e7646d2SAndroid Build Coastguard Worker    {
*5e7646d2SAndroid Build Coastguard Worker      if (sspi->decryptBufferLength <= sspi->decryptBufferUsed)
*5e7646d2SAndroid Build Coastguard Worker      {
*5e7646d2SAndroid Build Coastguard Worker	BYTE *temp;			/* New buffer */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker	if (sspi->decryptBufferLength >= 262144)
*5e7646d2SAndroid Build Coastguard Worker	{
*5e7646d2SAndroid Build Coastguard Worker	  WSASetLastError(E_OUTOFMEMORY);
*5e7646d2SAndroid Build Coastguard Worker	  DEBUG_puts("5http_sspi_server: Decryption buffer too large (>256k)");
*5e7646d2SAndroid Build Coastguard Worker	  return (-1);
*5e7646d2SAndroid Build Coastguard Worker	}
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker	if ((temp = realloc(sspi->decryptBuffer, sspi->decryptBufferLength + 4096)) == NULL)
*5e7646d2SAndroid Build Coastguard Worker	{
*5e7646d2SAndroid Build Coastguard Worker	  DEBUG_printf(("5http_sspi_server: Unable to allocate %d byte buffer.", sspi->decryptBufferLength + 4096));
*5e7646d2SAndroid Build Coastguard Worker	  WSASetLastError(E_OUTOFMEMORY);
*5e7646d2SAndroid Build Coastguard Worker	  return (-1);
*5e7646d2SAndroid Build Coastguard Worker	}
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker	sspi->decryptBufferLength += 4096;
*5e7646d2SAndroid Build Coastguard Worker	sspi->decryptBuffer       = temp;
*5e7646d2SAndroid Build Coastguard Worker      }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker      for (;;)
*5e7646d2SAndroid Build Coastguard Worker      {
*5e7646d2SAndroid Build Coastguard Worker        num = recv(http->fd, sspi->decryptBuffer + sspi->decryptBufferUsed, (int)(sspi->decryptBufferLength - sspi->decryptBufferUsed), 0);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker        if (num == -1 && WSAGetLastError() == WSAEWOULDBLOCK)
*5e7646d2SAndroid Build Coastguard Worker          Sleep(1);
*5e7646d2SAndroid Build Coastguard Worker        else
*5e7646d2SAndroid Build Coastguard Worker          break;
*5e7646d2SAndroid Build Coastguard Worker      }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker      if (num < 0)
*5e7646d2SAndroid Build Coastguard Worker      {
*5e7646d2SAndroid Build Coastguard Worker        DEBUG_printf(("5http_sspi_server: recv failed: %d", WSAGetLastError()));
*5e7646d2SAndroid Build Coastguard Worker        return (-1);
*5e7646d2SAndroid Build Coastguard Worker      }
*5e7646d2SAndroid Build Coastguard Worker      else if (num == 0)
*5e7646d2SAndroid Build Coastguard Worker      {
*5e7646d2SAndroid Build Coastguard Worker        DEBUG_puts("5http_sspi_server: client disconnected");
*5e7646d2SAndroid Build Coastguard Worker        return (-1);
*5e7646d2SAndroid Build Coastguard Worker      }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker      DEBUG_printf(("5http_sspi_server: received %d (handshake) bytes from client.", num));
*5e7646d2SAndroid Build Coastguard Worker      sspi->decryptBufferUsed += num;
*5e7646d2SAndroid Build Coastguard Worker    }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker   /*
*5e7646d2SAndroid Build Coastguard Worker    * InBuffers[1] is for getting extra data that SSPI/SCHANNEL doesn't process
*5e7646d2SAndroid Build Coastguard Worker    * on this run around the loop.
*5e7646d2SAndroid Build Coastguard Worker    */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    inBuffers[0].pvBuffer   = sspi->decryptBuffer;
*5e7646d2SAndroid Build Coastguard Worker    inBuffers[0].cbBuffer   = (unsigned long)sspi->decryptBufferUsed;
*5e7646d2SAndroid Build Coastguard Worker    inBuffers[0].BufferType = SECBUFFER_TOKEN;
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    inBuffers[1].pvBuffer   = NULL;
*5e7646d2SAndroid Build Coastguard Worker    inBuffers[1].cbBuffer   = 0;
*5e7646d2SAndroid Build Coastguard Worker    inBuffers[1].BufferType = SECBUFFER_EMPTY;
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    inBuffer.cBuffers       = 2;
*5e7646d2SAndroid Build Coastguard Worker    inBuffer.pBuffers       = inBuffers;
*5e7646d2SAndroid Build Coastguard Worker    inBuffer.ulVersion      = SECBUFFER_VERSION;
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker   /*
*5e7646d2SAndroid Build Coastguard Worker    * Initialize these so if we fail, pvBuffer contains NULL, so we don't try to
*5e7646d2SAndroid Build Coastguard Worker    * free random garbage at the quit.
*5e7646d2SAndroid Build Coastguard Worker    */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    outBuffers[0].pvBuffer   = NULL;
*5e7646d2SAndroid Build Coastguard Worker    outBuffers[0].BufferType = SECBUFFER_TOKEN;
*5e7646d2SAndroid Build Coastguard Worker    outBuffers[0].cbBuffer   = 0;
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    scRet = AcceptSecurityContext(&sspi->creds, (fInitContext?NULL:&sspi->context), &inBuffer, dwSSPIFlags, SECURITY_NATIVE_DREP, (fInitContext?&sspi->context:NULL), &outBuffer, &dwSSPIOutFlags, &tsExpiry);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    fInitContext = FALSE;
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    if (scRet == SEC_E_OK              ||
*5e7646d2SAndroid Build Coastguard Worker        scRet == SEC_I_CONTINUE_NEEDED ||
*5e7646d2SAndroid Build Coastguard Worker        (FAILED(scRet) && ((dwSSPIOutFlags & ISC_RET_EXTENDED_ERROR) != 0)))
*5e7646d2SAndroid Build Coastguard Worker    {
*5e7646d2SAndroid Build Coastguard Worker      if (outBuffers[0].cbBuffer && outBuffers[0].pvBuffer)
*5e7646d2SAndroid Build Coastguard Worker      {
*5e7646d2SAndroid Build Coastguard Worker       /*
*5e7646d2SAndroid Build Coastguard Worker        * Send response to server if there is one.
*5e7646d2SAndroid Build Coastguard Worker        */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker        num = send(http->fd, outBuffers[0].pvBuffer, outBuffers[0].cbBuffer, 0);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker        if (num <= 0)
*5e7646d2SAndroid Build Coastguard Worker        {
*5e7646d2SAndroid Build Coastguard Worker          DEBUG_printf(("5http_sspi_server: handshake send failed: %d", WSAGetLastError()));
*5e7646d2SAndroid Build Coastguard Worker	  return (-1);
*5e7646d2SAndroid Build Coastguard Worker        }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker        DEBUG_printf(("5http_sspi_server: sent %d handshake bytes to client.", outBuffers[0].cbBuffer));
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker        FreeContextBuffer(outBuffers[0].pvBuffer);
*5e7646d2SAndroid Build Coastguard Worker        outBuffers[0].pvBuffer = NULL;
*5e7646d2SAndroid Build Coastguard Worker      }
*5e7646d2SAndroid Build Coastguard Worker    }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    if (scRet == SEC_E_OK)
*5e7646d2SAndroid Build Coastguard Worker    {
*5e7646d2SAndroid Build Coastguard Worker     /*
*5e7646d2SAndroid Build Coastguard Worker      * If there's extra data then save it for next time we go to decrypt.
*5e7646d2SAndroid Build Coastguard Worker      */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker      if (inBuffers[1].BufferType == SECBUFFER_EXTRA)
*5e7646d2SAndroid Build Coastguard Worker      {
*5e7646d2SAndroid Build Coastguard Worker        memcpy(sspi->decryptBuffer, (LPBYTE)(sspi->decryptBuffer + sspi->decryptBufferUsed - inBuffers[1].cbBuffer), inBuffers[1].cbBuffer);
*5e7646d2SAndroid Build Coastguard Worker        sspi->decryptBufferUsed = inBuffers[1].cbBuffer;
*5e7646d2SAndroid Build Coastguard Worker      }
*5e7646d2SAndroid Build Coastguard Worker      else
*5e7646d2SAndroid Build Coastguard Worker      {
*5e7646d2SAndroid Build Coastguard Worker        sspi->decryptBufferUsed = 0;
*5e7646d2SAndroid Build Coastguard Worker      }
*5e7646d2SAndroid Build Coastguard Worker      break;
*5e7646d2SAndroid Build Coastguard Worker    }
*5e7646d2SAndroid Build Coastguard Worker    else if (FAILED(scRet) && scRet != SEC_E_INCOMPLETE_MESSAGE)
*5e7646d2SAndroid Build Coastguard Worker    {
*5e7646d2SAndroid Build Coastguard Worker      DEBUG_printf(("5http_sspi_server: AcceptSecurityContext failed: %s", http_sspi_strerror(sspi->error, sizeof(sspi->error), scRet)));
*5e7646d2SAndroid Build Coastguard Worker      ret = -1;
*5e7646d2SAndroid Build Coastguard Worker      break;
*5e7646d2SAndroid Build Coastguard Worker    }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    if (scRet != SEC_E_INCOMPLETE_MESSAGE &&
*5e7646d2SAndroid Build Coastguard Worker        scRet != SEC_I_INCOMPLETE_CREDENTIALS)
*5e7646d2SAndroid Build Coastguard Worker    {
*5e7646d2SAndroid Build Coastguard Worker      if (inBuffers[1].BufferType == SECBUFFER_EXTRA)
*5e7646d2SAndroid Build Coastguard Worker      {
*5e7646d2SAndroid Build Coastguard Worker        memcpy(sspi->decryptBuffer, (LPBYTE)(sspi->decryptBuffer + sspi->decryptBufferUsed - inBuffers[1].cbBuffer), inBuffers[1].cbBuffer);
*5e7646d2SAndroid Build Coastguard Worker        sspi->decryptBufferUsed = inBuffers[1].cbBuffer;
*5e7646d2SAndroid Build Coastguard Worker      }
*5e7646d2SAndroid Build Coastguard Worker      else
*5e7646d2SAndroid Build Coastguard Worker      {
*5e7646d2SAndroid Build Coastguard Worker        sspi->decryptBufferUsed = 0;
*5e7646d2SAndroid Build Coastguard Worker      }
*5e7646d2SAndroid Build Coastguard Worker    }
*5e7646d2SAndroid Build Coastguard Worker  }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (!ret)
*5e7646d2SAndroid Build Coastguard Worker  {
*5e7646d2SAndroid Build Coastguard Worker    sspi->contextInitialized = TRUE;
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker   /*
*5e7646d2SAndroid Build Coastguard Worker    * Find out how big the header will be:
*5e7646d2SAndroid Build Coastguard Worker    */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    scRet = QueryContextAttributes(&sspi->context, SECPKG_ATTR_STREAM_SIZES, &sspi->streamSizes);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    if (scRet != SEC_E_OK)
*5e7646d2SAndroid Build Coastguard Worker    {
*5e7646d2SAndroid Build Coastguard Worker      DEBUG_printf(("5http_sspi_server: QueryContextAttributes failed: %s", http_sspi_strerror(sspi->error, sizeof(sspi->error), scRet)));
*5e7646d2SAndroid Build Coastguard Worker      ret = -1;
*5e7646d2SAndroid Build Coastguard Worker    }
*5e7646d2SAndroid Build Coastguard Worker  }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  return (ret);
*5e7646d2SAndroid Build Coastguard Worker}
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker/*
*5e7646d2SAndroid Build Coastguard Worker * 'http_sspi_strerror()' - Return a string for the specified error code.
*5e7646d2SAndroid Build Coastguard Worker */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Workerstatic const char *			/* O - String for error */
*5e7646d2SAndroid Build Coastguard Workerhttp_sspi_strerror(char   *buffer,	/* I - Error message buffer */
*5e7646d2SAndroid Build Coastguard Worker                   size_t bufsize,	/* I - Size of buffer */
*5e7646d2SAndroid Build Coastguard Worker                   DWORD  code)		/* I - Error code */
*5e7646d2SAndroid Build Coastguard Worker{
*5e7646d2SAndroid Build Coastguard Worker  if (FormatMessageA(FORMAT_MESSAGE_FROM_SYSTEM, NULL, code, 0, buffer, bufsize, NULL))
*5e7646d2SAndroid Build Coastguard Worker  {
*5e7646d2SAndroid Build Coastguard Worker   /*
*5e7646d2SAndroid Build Coastguard Worker    * Strip trailing CR + LF...
*5e7646d2SAndroid Build Coastguard Worker    */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    char	*ptr;			/* Pointer into error message */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    for (ptr = buffer + strlen(buffer) - 1; ptr >= buffer; ptr --)
*5e7646d2SAndroid Build Coastguard Worker      if (*ptr == '\n' || *ptr == '\r')
*5e7646d2SAndroid Build Coastguard Worker        *ptr = '\0';
*5e7646d2SAndroid Build Coastguard Worker      else
*5e7646d2SAndroid Build Coastguard Worker        break;
*5e7646d2SAndroid Build Coastguard Worker  }
*5e7646d2SAndroid Build Coastguard Worker  else
*5e7646d2SAndroid Build Coastguard Worker    snprintf(buffer, bufsize, "Unknown error %x", code);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  return (buffer);
*5e7646d2SAndroid Build Coastguard Worker}
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker/*
*5e7646d2SAndroid Build Coastguard Worker * 'http_sspi_verify()' - Verify a certificate.
*5e7646d2SAndroid Build Coastguard Worker */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Workerstatic DWORD				/* O - Error code (0 == No error) */
*5e7646d2SAndroid Build Coastguard Workerhttp_sspi_verify(
*5e7646d2SAndroid Build Coastguard Worker    PCCERT_CONTEXT cert,		/* I - Server certificate */
*5e7646d2SAndroid Build Coastguard Worker    const char     *common_name,	/* I - Common name */
*5e7646d2SAndroid Build Coastguard Worker    DWORD          dwCertFlags)		/* I - Verification flags */
*5e7646d2SAndroid Build Coastguard Worker{
*5e7646d2SAndroid Build Coastguard Worker  HTTPSPolicyCallbackData httpsPolicy;	/* HTTPS Policy Struct */
*5e7646d2SAndroid Build Coastguard Worker  CERT_CHAIN_POLICY_PARA policyPara;	/* Cert chain policy parameters */
*5e7646d2SAndroid Build Coastguard Worker  CERT_CHAIN_POLICY_STATUS policyStatus;/* Cert chain policy status */
*5e7646d2SAndroid Build Coastguard Worker  CERT_CHAIN_PARA	chainPara;	/* Used for searching and matching criteria */
*5e7646d2SAndroid Build Coastguard Worker  PCCERT_CHAIN_CONTEXT	chainContext = NULL;
*5e7646d2SAndroid Build Coastguard Worker					/* Certificate chain */
*5e7646d2SAndroid Build Coastguard Worker  PWSTR			commonNameUnicode = NULL;
*5e7646d2SAndroid Build Coastguard Worker					/* Unicode common name */
*5e7646d2SAndroid Build Coastguard Worker  LPSTR			rgszUsages[] = { szOID_PKIX_KP_SERVER_AUTH,
*5e7646d2SAndroid Build Coastguard Worker                                         szOID_SERVER_GATED_CRYPTO,
*5e7646d2SAndroid Build Coastguard Worker                                         szOID_SGC_NETSCAPE };
*5e7646d2SAndroid Build Coastguard Worker					/* How are we using this certificate? */
*5e7646d2SAndroid Build Coastguard Worker  DWORD			cUsages = sizeof(rgszUsages) / sizeof(LPSTR);
*5e7646d2SAndroid Build Coastguard Worker					/* Number of ites in rgszUsages */
*5e7646d2SAndroid Build Coastguard Worker  DWORD			count;		/* 32 bit count variable */
*5e7646d2SAndroid Build Coastguard Worker  DWORD			status;		/* Return value */
*5e7646d2SAndroid Build Coastguard Worker#ifdef DEBUG
*5e7646d2SAndroid Build Coastguard Worker  char			error[1024];	/* Error message string */
*5e7646d2SAndroid Build Coastguard Worker#endif /* DEBUG */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (!cert)
*5e7646d2SAndroid Build Coastguard Worker    return (SEC_E_WRONG_PRINCIPAL);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker /*
*5e7646d2SAndroid Build Coastguard Worker  * Convert common name to Unicode.
*5e7646d2SAndroid Build Coastguard Worker  */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (!common_name || !*common_name)
*5e7646d2SAndroid Build Coastguard Worker    return (SEC_E_WRONG_PRINCIPAL);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  count             = MultiByteToWideChar(CP_ACP, 0, common_name, -1, NULL, 0);
*5e7646d2SAndroid Build Coastguard Worker  commonNameUnicode = LocalAlloc(LMEM_FIXED, count * sizeof(WCHAR));
*5e7646d2SAndroid Build Coastguard Worker  if (!commonNameUnicode)
*5e7646d2SAndroid Build Coastguard Worker    return (SEC_E_INSUFFICIENT_MEMORY);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (!MultiByteToWideChar(CP_ACP, 0, common_name, -1, commonNameUnicode, count))
*5e7646d2SAndroid Build Coastguard Worker  {
*5e7646d2SAndroid Build Coastguard Worker    LocalFree(commonNameUnicode);
*5e7646d2SAndroid Build Coastguard Worker    return (SEC_E_WRONG_PRINCIPAL);
*5e7646d2SAndroid Build Coastguard Worker  }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker /*
*5e7646d2SAndroid Build Coastguard Worker  * Build certificate chain.
*5e7646d2SAndroid Build Coastguard Worker  */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  ZeroMemory(&chainPara, sizeof(chainPara));
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  chainPara.cbSize					= sizeof(chainPara);
*5e7646d2SAndroid Build Coastguard Worker  chainPara.RequestedUsage.dwType			= USAGE_MATCH_TYPE_OR;
*5e7646d2SAndroid Build Coastguard Worker  chainPara.RequestedUsage.Usage.cUsageIdentifier	= cUsages;
*5e7646d2SAndroid Build Coastguard Worker  chainPara.RequestedUsage.Usage.rgpszUsageIdentifier	= rgszUsages;
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (!CertGetCertificateChain(NULL, cert, NULL, cert->hCertStore, &chainPara, 0, NULL, &chainContext))
*5e7646d2SAndroid Build Coastguard Worker  {
*5e7646d2SAndroid Build Coastguard Worker    status = GetLastError();
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    DEBUG_printf(("CertGetCertificateChain returned: %s", http_sspi_strerror(error, sizeof(error), status)));
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    LocalFree(commonNameUnicode);
*5e7646d2SAndroid Build Coastguard Worker    return (status);
*5e7646d2SAndroid Build Coastguard Worker  }
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker /*
*5e7646d2SAndroid Build Coastguard Worker  * Validate certificate chain.
*5e7646d2SAndroid Build Coastguard Worker  */
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  ZeroMemory(&httpsPolicy, sizeof(HTTPSPolicyCallbackData));
*5e7646d2SAndroid Build Coastguard Worker  httpsPolicy.cbStruct		= sizeof(HTTPSPolicyCallbackData);
*5e7646d2SAndroid Build Coastguard Worker  httpsPolicy.dwAuthType	= AUTHTYPE_SERVER;
*5e7646d2SAndroid Build Coastguard Worker  httpsPolicy.fdwChecks		= dwCertFlags;
*5e7646d2SAndroid Build Coastguard Worker  httpsPolicy.pwszServerName	= commonNameUnicode;
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  memset(&policyPara, 0, sizeof(policyPara));
*5e7646d2SAndroid Build Coastguard Worker  policyPara.cbSize		= sizeof(policyPara);
*5e7646d2SAndroid Build Coastguard Worker  policyPara.pvExtraPolicyPara	= &httpsPolicy;
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  memset(&policyStatus, 0, sizeof(policyStatus));
*5e7646d2SAndroid Build Coastguard Worker  policyStatus.cbSize = sizeof(policyStatus);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (!CertVerifyCertificateChainPolicy(CERT_CHAIN_POLICY_SSL, chainContext, &policyPara, &policyStatus))
*5e7646d2SAndroid Build Coastguard Worker  {
*5e7646d2SAndroid Build Coastguard Worker    status = GetLastError();
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker    DEBUG_printf(("CertVerifyCertificateChainPolicy returned %s", http_sspi_strerror(error, sizeof(error), status)));
*5e7646d2SAndroid Build Coastguard Worker  }
*5e7646d2SAndroid Build Coastguard Worker  else if (policyStatus.dwError)
*5e7646d2SAndroid Build Coastguard Worker    status = policyStatus.dwError;
*5e7646d2SAndroid Build Coastguard Worker  else
*5e7646d2SAndroid Build Coastguard Worker    status = SEC_E_OK;
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (chainContext)
*5e7646d2SAndroid Build Coastguard Worker    CertFreeCertificateChain(chainContext);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  if (commonNameUnicode)
*5e7646d2SAndroid Build Coastguard Worker    LocalFree(commonNameUnicode);
*5e7646d2SAndroid Build Coastguard Worker
*5e7646d2SAndroid Build Coastguard Worker  return (status);
*5e7646d2SAndroid Build Coastguard Worker}