libwinpr-sspi: added more Schannel definitions

2012-12-22 12:18:13 -05:00 · 2012-12-22 12:18:13 -05:00 · af05962a8e
commit af05962a8e
parent 093a0edd9c
4 changed files with 303 additions and 8 deletions
--- a/winpr/include/winpr/crypto.h
+++ b/winpr/include/winpr/crypto.h
@ -25,6 +25,158 @@

 #ifndef _WIN32

+#define GET_ALG_CLASS(x)		(x & (7 << 13))
+#define GET_ALG_TYPE(x)			(x & (15 << 9))
+#define GET_ALG_SID(x)			(x & (511))
+
+#define ALG_CLASS_ANY			(0)
+#define ALG_CLASS_SIGNATURE		(1 << 13)
+#define ALG_CLASS_MSG_ENCRYPT		(2 << 13)
+#define ALG_CLASS_DATA_ENCRYPT		(3 << 13)
+#define ALG_CLASS_HASH			(4 << 13)
+#define ALG_CLASS_KEY_EXCHANGE		(5 << 13)
+#define ALG_CLASS_ALL			(7 << 13)
+
+#define ALG_TYPE_ANY			(0)
+#define ALG_TYPE_DSS			(1 << 9)
+#define ALG_TYPE_RSA			(2 << 9)
+#define ALG_TYPE_BLOCK			(3 << 9)
+#define ALG_TYPE_STREAM			(4 << 9)
+#define ALG_TYPE_DH			(5 << 9)
+#define ALG_TYPE_SECURECHANNEL		(6 << 9)
+
+#define ALG_SID_ANY			(0)
+
+#define ALG_SID_RSA_ANY			0
+#define ALG_SID_RSA_PKCS		1
+#define ALG_SID_RSA_MSATWORK		2
+#define ALG_SID_RSA_ENTRUST		3
+#define ALG_SID_RSA_PGP			4
+
+#define ALG_SID_DSS_ANY			0
+#define ALG_SID_DSS_PKCS		1
+#define ALG_SID_DSS_DMS			2
+
+#define ALG_SID_ECDSA			3
+
+#define ALG_SID_DES			1
+#define ALG_SID_3DES			3
+#define ALG_SID_DESX			4
+#define ALG_SID_IDEA			5
+#define ALG_SID_CAST			6
+#define ALG_SID_SAFERSK64		7
+#define ALG_SID_SAFERSK128		8
+#define ALG_SID_3DES_112		9
+#define ALG_SID_CYLINK_MEK		12
+#define ALG_SID_RC5			13
+
+#define ALG_SID_AES_128			14
+#define ALG_SID_AES_192			15
+#define ALG_SID_AES_256			16
+#define ALG_SID_AES			17
+
+#define ALG_SID_SKIPJACK		10
+#define ALG_SID_TEK			11
+
+#define CRYPT_MODE_CBCI			6
+#define CRYPT_MODE_CFBP			7
+#define CRYPT_MODE_OFBP			8
+#define CRYPT_MODE_CBCOFM		9
+#define CRYPT_MODE_CBCOFMI		10
+
+#define ALG_SID_RC2			2
+
+#define ALG_SID_RC4			1
+#define ALG_SID_SEAL			2
+
+#define ALG_SID_DH_SANDF		1
+#define ALG_SID_DH_EPHEM		2
+#define ALG_SID_AGREED_KEY_ANY		3
+#define ALG_SID_KEA			4
+
+#define ALG_SID_ECDH			5
+
+#define ALG_SID_MD2			1
+#define ALG_SID_MD4			2
+#define ALG_SID_MD5			3
+#define ALG_SID_SHA			4
+#define ALG_SID_SHA1			4
+#define ALG_SID_MAC			5
+#define ALG_SID_RIPEMD			6
+#define ALG_SID_RIPEMD160		7
+#define ALG_SID_SSL3SHAMD5		8
+#define ALG_SID_HMAC			9
+#define ALG_SID_TLS1PRF			10
+
+#define ALG_SID_HASH_REPLACE_OWF	11
+
+#define ALG_SID_SHA_256			12
+#define ALG_SID_SHA_384			13
+#define ALG_SID_SHA_512			14
+
+#define ALG_SID_SSL3_MASTER		1
+#define ALG_SID_SCHANNEL_MASTER_HASH	2
+#define ALG_SID_SCHANNEL_MAC_KEY	3
+#define ALG_SID_PCT1_MASTER		4
+#define ALG_SID_SSL2_MASTER		5
+#define ALG_SID_TLS1_MASTER		6
+#define ALG_SID_SCHANNEL_ENC_KEY	7
+
+#define ALG_SID_ECMQV			1
+
+#define CALG_MD2			(ALG_CLASS_HASH | ALG_TYPE_ANY | ALG_SID_MD2)
+#define CALG_MD4			(ALG_CLASS_HASH | ALG_TYPE_ANY | ALG_SID_MD4)
+#define CALG_MD5			(ALG_CLASS_HASH | ALG_TYPE_ANY | ALG_SID_MD5)
+#define CALG_SHA			(ALG_CLASS_HASH | ALG_TYPE_ANY | ALG_SID_SHA)
+#define CALG_SHA1			(ALG_CLASS_HASH | ALG_TYPE_ANY | ALG_SID_SHA1)
+#define CALG_MAC			(ALG_CLASS_HASH | ALG_TYPE_ANY | ALG_SID_MAC)
+#define CALG_RSA_SIGN			(ALG_CLASS_SIGNATURE | ALG_TYPE_RSA | ALG_SID_RSA_ANY)
+#define CALG_DSS_SIGN			(ALG_CLASS_SIGNATURE | ALG_TYPE_DSS | ALG_SID_DSS_ANY)
+
+#define CALG_NO_SIGN			(ALG_CLASS_SIGNATURE | ALG_TYPE_ANY | ALG_SID_ANY)
+
+#define CALG_RSA_KEYX			(ALG_CLASS_KEY_EXCHANGE | ALG_TYPE_RSA | ALG_SID_RSA_ANY)
+#define CALG_DES			(ALG_CLASS_DATA_ENCRYPT | ALG_TYPE_BLOCK | ALG_SID_DES)
+#define CALG_3DES_112			(ALG_CLASS_DATA_ENCRYPT | ALG_TYPE_BLOCK | ALG_SID_3DES_112)
+#define CALG_3DES			(ALG_CLASS_DATA_ENCRYPT | ALG_TYPE_BLOCK | ALG_SID_3DES)
+#define CALG_DESX			(ALG_CLASS_DATA_ENCRYPT | ALG_TYPE_BLOCK | ALG_SID_DESX)
+#define CALG_RC2			(ALG_CLASS_DATA_ENCRYPT | ALG_TYPE_BLOCK | ALG_SID_RC2)
+#define CALG_RC4			(ALG_CLASS_DATA_ENCRYPT | ALG_TYPE_STREAM | ALG_SID_RC4)
+#define CALG_SEAL			(ALG_CLASS_DATA_ENCRYPT | ALG_TYPE_STREAM | ALG_SID_SEAL)
+#define CALG_DH_SF			(ALG_CLASS_KEY_EXCHANGE | ALG_TYPE_DH | ALG_SID_DH_SANDF)
+#define CALG_DH_EPHEM			(ALG_CLASS_KEY_EXCHANGE | ALG_TYPE_DH | ALG_SID_DH_EPHEM)
+#define CALG_AGREEDKEY_ANY		(ALG_CLASS_KEY_EXCHANGE | ALG_TYPE_DH | ALG_SID_AGREED_KEY_ANY)
+#define CALG_KEA_KEYX			(ALG_CLASS_KEY_EXCHANGE | ALG_TYPE_DH | ALG_SID_KEA)
+#define CALG_HUGHES_MD5			(ALG_CLASS_KEY_EXCHANGE | ALG_TYPE_ANY | ALG_SID_MD5)
+#define CALG_SKIPJACK			(ALG_CLASS_DATA_ENCRYPT | ALG_TYPE_BLOCK | ALG_SID_SKIPJACK)
+#define CALG_TEK			(ALG_CLASS_DATA_ENCRYPT | ALG_TYPE_BLOCK | ALG_SID_TEK)
+#define CALG_CYLINK_MEK			(ALG_CLASS_DATA_ENCRYPT | ALG_TYPE_BLOCK | ALG_SID_CYLINK_MEK)
+#define CALG_SSL3_SHAMD5		(ALG_CLASS_HASH | ALG_TYPE_ANY | ALG_SID_SSL3SHAMD5)
+#define CALG_SSL3_MASTER		(ALG_CLASS_MSG_ENCRYPT | ALG_TYPE_SECURECHANNEL | ALG_SID_SSL3_MASTER)
+#define CALG_SCHANNEL_MASTER_HASH	(ALG_CLASS_MSG_ENCRYPT | ALG_TYPE_SECURECHANNEL | ALG_SID_SCHANNEL_MASTER_HASH)
+#define CALG_SCHANNEL_MAC_KEY		(ALG_CLASS_MSG_ENCRYPT | ALG_TYPE_SECURECHANNEL | ALG_SID_SCHANNEL_MAC_KEY)
+#define CALG_SCHANNEL_ENC_KEY		(ALG_CLASS_MSG_ENCRYPT | ALG_TYPE_SECURECHANNEL | ALG_SID_SCHANNEL_ENC_KEY)
+#define CALG_PCT1_MASTER		(ALG_CLASS_MSG_ENCRYPT | ALG_TYPE_SECURECHANNEL | ALG_SID_PCT1_MASTER)
+#define CALG_SSL2_MASTER		(ALG_CLASS_MSG_ENCRYPT | ALG_TYPE_SECURECHANNEL | ALG_SID_SSL2_MASTER)
+#define CALG_TLS1_MASTER		(ALG_CLASS_MSG_ENCRYPT | ALG_TYPE_SECURECHANNEL | ALG_SID_TLS1_MASTER)
+#define CALG_RC5			(ALG_CLASS_DATA_ENCRYPT | ALG_TYPE_BLOCK | ALG_SID_RC5)
+#define CALG_HMAC			(ALG_CLASS_HASH | ALG_TYPE_ANY | ALG_SID_HMAC)
+#define CALG_TLS1PRF			(ALG_CLASS_HASH | ALG_TYPE_ANY | ALG_SID_TLS1PRF)
+
+#define CALG_HASH_REPLACE_OWF		(ALG_CLASS_HASH | ALG_TYPE_ANY | ALG_SID_HASH_REPLACE_OWF)
+#define CALG_AES_128			(ALG_CLASS_DATA_ENCRYPT | ALG_TYPE_BLOCK | ALG_SID_AES_128)
+#define CALG_AES_192			(ALG_CLASS_DATA_ENCRYPT | ALG_TYPE_BLOCK | ALG_SID_AES_192)
+#define CALG_AES_256			(ALG_CLASS_DATA_ENCRYPT | ALG_TYPE_BLOCK | ALG_SID_AES_256)
+#define CALG_AES			(ALG_CLASS_DATA_ENCRYPT | ALG_TYPE_BLOCK | ALG_SID_AES)
+
+#define CALG_SHA_256			(ALG_CLASS_HASH | ALG_TYPE_ANY | ALG_SID_SHA_256)
+#define CALG_SHA_384			(ALG_CLASS_HASH | ALG_TYPE_ANY | ALG_SID_SHA_384)
+#define CALG_SHA_512			(ALG_CLASS_HASH | ALG_TYPE_ANY | ALG_SID_SHA_512)
+
+#define CALG_ECDH			(ALG_CLASS_KEY_EXCHANGE | ALG_TYPE_DH | ALG_SID_ECDH)
+#define CALG_ECMQV			(ALG_CLASS_KEY_EXCHANGE | ALG_TYPE_ANY | ALG_SID_ECMQV)
+#define CALG_ECDSA			(ALG_CLASS_SIGNATURE | ALG_TYPE_DSS | ALG_SID_ECDSA)
+
 typedef struct _CRYPTOAPI_BLOB
 {
 	DWORD cbData;
--- a/winpr/include/winpr/schannel.h
+++ b/winpr/include/winpr/schannel.h
@ -34,6 +34,27 @@
 #define SCHANNEL_NAME	SCHANNEL_NAME_A
 #endif

+#define SECPKG_ATTR_SUPPORTED_ALGS		86
+#define SECPKG_ATTR_CIPHER_STRENGTHS		87
+#define SECPKG_ATTR_SUPPORTED_PROTOCOLS		88
+
+typedef struct _SecPkgCred_SupportedAlgs
+{
+	DWORD cSupportedAlgs;
+	ALG_ID* palgSupportedAlgs;
+} SecPkgCred_SupportedAlgs, *PSecPkgCred_SupportedAlgs;
+
+typedef struct _SecPkgCred_CipherStrengths
+{
+	DWORD dwMinimumCipherStrength;
+	DWORD dwMaximumCipherStrength;
+} SecPkgCred_CipherStrengths, *PSecPkgCred_CipherStrengths;
+
+typedef struct _SecPkgCred_SupportedProtocols
+{
+	DWORD grbitProtocol;
+} SecPkgCred_SupportedProtocols, *PSecPkgCred_SupportedProtocols;
+
 enum eTlsSignatureAlgorithm
 {
 	TlsSignatureAlgorithm_Anonymous = 0,
--- a/winpr/libwinpr/sspi/Schannel/schannel.c
+++ b/winpr/libwinpr/sspi/Schannel/schannel.c
@ -52,26 +52,98 @@ void schannel_ContextFree(SCHANNEL_CONTEXT* context)
 	free(context);
 }

+SCHANNEL_CREDENTIALS* schannel_CredentialsNew()
+{
+	SCHANNEL_CREDENTIALS* credentials;
+
+	credentials = (SCHANNEL_CREDENTIALS*) malloc(sizeof(SCHANNEL_CREDENTIALS));
+
+	if (credentials != NULL)
+	{
+		ZeroMemory(credentials, sizeof(SCHANNEL_CREDENTIALS));
+	}
+
+	return credentials;
+}
+
+void schannel_CredentialsFree(SCHANNEL_CREDENTIALS* credentials)
+{
+	if (!credentials)
+		return;
+
+	free(credentials);
+}
+
 SECURITY_STATUS SEC_ENTRY schannel_QueryCredentialsAttributesW(PCredHandle phCredential, ULONG ulAttribute, void* pBuffer)
 {
+	if (ulAttribute == SECPKG_ATTR_SUPPORTED_ALGS)
+	{
+		PSecPkgCred_SupportedAlgs SupportedAlgs = (PSecPkgCred_SupportedAlgs) pBuffer;
+
+		SupportedAlgs->cSupportedAlgs = 0;
+		SupportedAlgs->palgSupportedAlgs = NULL;
+
+		return SEC_E_OK;
+	}
+	else if (ulAttribute == SECPKG_ATTR_CIPHER_STRENGTHS)
+	{
+		PSecPkgCred_CipherStrengths CipherStrengths = (PSecPkgCred_CipherStrengths) pBuffer;
+
+		CipherStrengths->dwMinimumCipherStrength = 128;
+		CipherStrengths->dwMaximumCipherStrength = 256;
+
+		return SEC_E_OK;
+	}
+	else if (ulAttribute == SECPKG_ATTR_SUPPORTED_PROTOCOLS)
+	{
+		PSecPkgCred_SupportedProtocols SupportedProtocols = (PSecPkgCred_SupportedProtocols) pBuffer;
+
+		SupportedProtocols->grbitProtocol = (SP_PROT_CLIENTS | SP_PROT_SERVERS);
+
+		return SEC_E_OK;
+	}
+
 	return SEC_E_UNSUPPORTED_FUNCTION;
 }

 SECURITY_STATUS SEC_ENTRY schannel_QueryCredentialsAttributesA(PCredHandle phCredential, ULONG ulAttribute, void* pBuffer)
 {
-	return SEC_E_UNSUPPORTED_FUNCTION;
+	return schannel_QueryCredentialsAttributesW(phCredential, ulAttribute, pBuffer);
 }

 SECURITY_STATUS SEC_ENTRY schannel_AcquireCredentialsHandleW(SEC_WCHAR* pszPrincipal, SEC_WCHAR* pszPackage,
 		ULONG fCredentialUse, void* pvLogonID, void* pAuthData, SEC_GET_KEY_FN pGetKeyFn,
 		void* pvGetKeyArgument, PCredHandle phCredential, PTimeStamp ptsExpiry)
 {
+	SCHANNEL_CREDENTIALS* credentials;
+
 	if (fCredentialUse == SECPKG_CRED_OUTBOUND)
 	{
+		SCHANNEL_CRED* cred;
+
+		credentials = schannel_CredentialsNew();
+		credentials->fCredentialUse = fCredentialUse;
+
+		cred = (SCHANNEL_CRED*) pAuthData;
+
+		if (cred)
+		{
+			CopyMemory(&credentials->cred, cred, sizeof(SCHANNEL_CRED));
+		}
+
+		sspi_SecureHandleSetLowerPointer(phCredential, (void*) credentials);
+		sspi_SecureHandleSetUpperPointer(phCredential, (void*) SCHANNEL_PACKAGE_NAME);
+
 		return SEC_E_OK;
 	}
 	else if (fCredentialUse == SECPKG_CRED_INBOUND)
 	{
+		credentials = schannel_CredentialsNew();
+		credentials->fCredentialUse = fCredentialUse;
+
+		sspi_SecureHandleSetLowerPointer(phCredential, (void*) credentials);
+		sspi_SecureHandleSetUpperPointer(phCredential, (void*) SCHANNEL_PACKAGE_NAME);
+
 		return SEC_E_OK;
 	}

@ -100,17 +172,17 @@ SECURITY_STATUS SEC_ENTRY schannel_AcquireCredentialsHandleA(SEC_CHAR* pszPrinci

 SECURITY_STATUS SEC_ENTRY schannel_FreeCredentialsHandle(PCredHandle phCredential)
 {
-	CREDENTIALS* credentials;
+	SCHANNEL_CREDENTIALS* credentials;

 	if (!phCredential)
 		return SEC_E_INVALID_HANDLE;

-	credentials = (CREDENTIALS*) sspi_SecureHandleGetLowerPointer(phCredential);
+	credentials = (SCHANNEL_CREDENTIALS*) sspi_SecureHandleGetLowerPointer(phCredential);

 	if (!credentials)
 		return SEC_E_INVALID_HANDLE;

-	sspi_CredentialsFree(credentials);
+	schannel_CredentialsFree(credentials);

 	return SEC_E_OK;
 }
@ -121,7 +193,7 @@ SECURITY_STATUS SEC_ENTRY schannel_InitializeSecurityContextW(PCredHandle phCred
 		PSecBufferDesc pOutput, PULONG pfContextAttr, PTimeStamp ptsExpiry)
 {
 	SCHANNEL_CONTEXT* context;
-	SCHANNEL_CRED* credentials;
+	SCHANNEL_CREDENTIALS* credentials;

 	context = sspi_SecureHandleGetLowerPointer(phContext);

@ -132,7 +204,10 @@ SECURITY_STATUS SEC_ENTRY schannel_InitializeSecurityContextW(PCredHandle phCred
 		if (!context)
 			return SEC_E_INSUFFICIENT_MEMORY;

-		credentials = (SCHANNEL_CRED*) sspi_SecureHandleGetLowerPointer(phCredential);
+		credentials = (SCHANNEL_CREDENTIALS*) sspi_SecureHandleGetLowerPointer(phCredential);
+
+		context->server = FALSE;
+		CopyMemory(&context->cred, &credentials->cred, sizeof(SCHANNEL_CRED));

 		sspi_SecureHandleSetLowerPointer(phNewContext, context);
 		sspi_SecureHandleSetUpperPointer(phNewContext, (void*) SCHANNEL_PACKAGE_NAME);
@ -163,6 +238,33 @@ SECURITY_STATUS SEC_ENTRY schannel_InitializeSecurityContextA(PCredHandle phCred
 	return status;
 }

+SECURITY_STATUS SEC_ENTRY schannel_AcceptSecurityContext(PCredHandle phCredential, PCtxtHandle phContext,
+		PSecBufferDesc pInput, ULONG fContextReq, ULONG TargetDataRep, PCtxtHandle phNewContext,
+		PSecBufferDesc pOutput, PULONG pfContextAttr, PTimeStamp ptsTimeStamp)
+{
+	SCHANNEL_CONTEXT* context;
+	SCHANNEL_CREDENTIALS* credentials;
+
+	context = (SCHANNEL_CONTEXT*) sspi_SecureHandleGetLowerPointer(phContext);
+
+	if (!context)
+	{
+		context = schannel_ContextNew();
+
+		if (!context)
+			return SEC_E_INSUFFICIENT_MEMORY;
+
+		credentials = (SCHANNEL_CREDENTIALS*) sspi_SecureHandleGetLowerPointer(phCredential);
+
+		context->server = TRUE;
+
+		sspi_SecureHandleSetLowerPointer(phNewContext, context);
+		sspi_SecureHandleSetUpperPointer(phNewContext, (void*) SCHANNEL_PACKAGE_NAME);
+	}
+
+	return SEC_E_OK;
+}
+
 SECURITY_STATUS SEC_ENTRY schannel_DeleteSecurityContext(PCtxtHandle phContext)
 {
 	SCHANNEL_CONTEXT* context;
@ -185,6 +287,18 @@ SECURITY_STATUS SEC_ENTRY schannel_QueryContextAttributes(PCtxtHandle phContext,
 	if (!pBuffer)
 		return SEC_E_INSUFFICIENT_MEMORY;

+	if (ulAttribute == SECPKG_ATTR_SIZES)
+	{
+		SecPkgContext_Sizes* ContextSizes = (SecPkgContext_Sizes*) pBuffer;
+
+		ContextSizes->cbMaxToken = 0x6000;
+		ContextSizes->cbMaxSignature = 16;
+		ContextSizes->cbBlockSize = 0;
+		ContextSizes->cbSecurityTrailer = 16;
+
+		return SEC_E_OK;
+	}
+
 	return SEC_E_UNSUPPORTED_FUNCTION;
 }

@ -217,7 +331,7 @@ const SecurityFunctionTableA SCHANNEL_SecurityFunctionTableA =
 	schannel_FreeCredentialsHandle, /* FreeCredentialsHandle */
 	NULL, /* Reserved2 */
 	schannel_InitializeSecurityContextA, /* InitializeSecurityContext */
-	NULL, /* AcceptSecurityContext */
+	schannel_AcceptSecurityContext, /* AcceptSecurityContext */
 	NULL, /* CompleteAuthToken */
 	schannel_DeleteSecurityContext, /* DeleteSecurityContext */
 	NULL, /* ApplyControlToken */
@ -249,7 +363,7 @@ const SecurityFunctionTableW SCHANNEL_SecurityFunctionTableW =
 	schannel_FreeCredentialsHandle, /* FreeCredentialsHandle */
 	NULL, /* Reserved2 */
 	schannel_InitializeSecurityContextW, /* InitializeSecurityContext */
-	NULL, /* AcceptSecurityContext */
+	schannel_AcceptSecurityContext, /* AcceptSecurityContext */
 	NULL, /* CompleteAuthToken */
 	schannel_DeleteSecurityContext, /* DeleteSecurityContext */
 	NULL, /* ApplyControlToken */
--- a/winpr/libwinpr/sspi/Schannel/schannel.h
+++ b/winpr/libwinpr/sspi/Schannel/schannel.h
@ -25,9 +25,17 @@

 #include "../sspi.h"

+struct _SCHANNEL_CREDENTIALS
+{
+	SCHANNEL_CRED cred;
+	ULONG fCredentialUse;
+};
+typedef struct _SCHANNEL_CREDENTIALS SCHANNEL_CREDENTIALS;
+
 struct _SCHANNEL_CONTEXT
 {
 	BOOL server;
+	SCHANNEL_CRED cred;
 };
 typedef struct _SCHANNEL_CONTEXT SCHANNEL_CONTEXT;