X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=engines%2Fe_capi.c;h=d8d976d2e13ee5eac784d7c51b4aa9e0d5447af4;hp=568b8d3632f52c1035b207e8de098128fa40bea3;hb=da2a5a79efd785ec5e93cd2b5d1662a7f5b72abf;hpb=46d47828880e94df9f2cb44a59cb9cef7193f47c diff --git a/engines/e_capi.c b/engines/e_capi.c index 568b8d3632..d8d976d2e1 100644 --- a/engines/e_capi.c +++ b/engines/e_capi.c @@ -54,22 +54,69 @@ #include #include +#include + #include -#include -#include -#include #ifdef OPENSSL_SYS_WIN32 #ifndef OPENSSL_NO_CAPIENG +#include +#include +#include + +#ifndef _WIN32_WINNT +#define _WIN32_WINNT 0x0400 +#endif + #include #include +#include +#ifndef alloca +# define alloca _alloca +#endif + +/* + * This module uses several "new" interfaces, among which is + * CertGetCertificateContextProperty. CERT_KEY_PROV_INFO_PROP_ID is + * one of possible values you can pass to function in question. By + * checking if it's defined we can see if wincrypt.h and accompanying + * crypt32.lib are in shape. The native MingW32 headers up to and + * including __W32API_VERSION 3.14 lack of struct DSSPUBKEY and the + * defines CERT_STORE_PROV_SYSTEM_A and CERT_STORE_READONLY_FLAG, + * so we check for these too and avoid compiling. + * Yes, it's rather "weak" test and if compilation fails, + * then re-configure with -DOPENSSL_NO_CAPIENG. + */ +#if defined(CERT_KEY_PROV_INFO_PROP_ID) && \ + defined(CERT_STORE_PROV_SYSTEM_A) && \ + defined(CERT_STORE_READONLY_FLAG) +# define __COMPILE_CAPIENG +#endif /* CERT_KEY_PROV_INFO_PROP_ID */ +#endif /* OPENSSL_NO_CAPIENG */ +#endif /* OPENSSL_SYS_WIN32 */ + +#ifdef __COMPILE_CAPIENG #undef X509_EXTENSIONS #undef X509_CERT_PAIR +/* Definitions which may be missing from earlier version of headers */ +#ifndef CERT_STORE_OPEN_EXISTING_FLAG +#define CERT_STORE_OPEN_EXISTING_FLAG 0x00004000 +#endif + +#ifndef CERT_STORE_CREATE_NEW_FLAG +#define CERT_STORE_CREATE_NEW_FLAG 0x00002000 +#endif + +#ifndef CERT_SYSTEM_STORE_CURRENT_USER +#define CERT_SYSTEM_STORE_CURRENT_USER 0x00010000 +#endif + #include #include +#include #include "e_capi_err.h" #include "e_capi_err.c" @@ -136,21 +183,21 @@ struct CAPI_CTX_st { char *debug_file; /* Parameters to use for container lookup */ DWORD keytype; - LPTSTR cspname; + LPSTR cspname; DWORD csptype; /* Certificate store name to use */ - LPTSTR storename; - LPTSTR ssl_client_store; + LPSTR storename; + LPSTR ssl_client_store; /* System store flags */ DWORD store_flags; /* Lookup string meanings in load_private_key */ /* Substring of subject: uses "storename" */ -#define CAPI_LU_SUBSTR 0 +#define CAPI_LU_SUBSTR 1 /* Friendly name: uses storename */ -#define CAPI_LU_FNAME 1 +#define CAPI_LU_FNAME 2 /* Container name: uses cspname, keytype */ -#define CAPI_LU_CONTNAME 2 +#define CAPI_LU_CONTNAME 3 int lookup_method; /* Info to dump with dumpcerts option */ /* Issuer and serial name strings */ @@ -400,33 +447,41 @@ static int capi_init(ENGINE *e) CAPI_CTX *ctx; const RSA_METHOD *ossl_rsa_meth; const DSA_METHOD *ossl_dsa_meth; - capi_idx = ENGINE_get_ex_new_index(0, NULL, NULL, NULL, 0); - cert_capi_idx = X509_get_ex_new_index(0, NULL, NULL, NULL, 0); + + if (capi_idx < 0) + { + capi_idx = ENGINE_get_ex_new_index(0, NULL, NULL, NULL, 0); + if (capi_idx < 0) + goto memerr; + + cert_capi_idx = X509_get_ex_new_index(0, NULL, NULL, NULL, 0); + + /* Setup RSA_METHOD */ + rsa_capi_idx = RSA_get_ex_new_index(0, NULL, NULL, NULL, 0); + ossl_rsa_meth = RSA_PKCS1_SSLeay(); + capi_rsa_method.rsa_pub_enc = ossl_rsa_meth->rsa_pub_enc; + capi_rsa_method.rsa_pub_dec = ossl_rsa_meth->rsa_pub_dec; + capi_rsa_method.rsa_mod_exp = ossl_rsa_meth->rsa_mod_exp; + capi_rsa_method.bn_mod_exp = ossl_rsa_meth->bn_mod_exp; + + /* Setup DSA Method */ + dsa_capi_idx = DSA_get_ex_new_index(0, NULL, NULL, NULL, 0); + ossl_dsa_meth = DSA_OpenSSL(); + capi_dsa_method.dsa_do_verify = ossl_dsa_meth->dsa_do_verify; + capi_dsa_method.dsa_mod_exp = ossl_dsa_meth->dsa_mod_exp; + capi_dsa_method.bn_mod_exp = ossl_dsa_meth->bn_mod_exp; + } ctx = capi_ctx_new(); - if (!ctx || (capi_idx < 0)) + if (!ctx) goto memerr; ENGINE_set_ex_data(e, capi_idx, ctx); - /* Setup RSA_METHOD */ - rsa_capi_idx = RSA_get_ex_new_index(0, NULL, NULL, NULL, 0); - ossl_rsa_meth = RSA_PKCS1_SSLeay(); - capi_rsa_method.rsa_pub_enc = ossl_rsa_meth->rsa_pub_enc; - capi_rsa_method.rsa_pub_dec = ossl_rsa_meth->rsa_pub_dec; - capi_rsa_method.rsa_mod_exp = ossl_rsa_meth->rsa_mod_exp; - capi_rsa_method.bn_mod_exp = ossl_rsa_meth->bn_mod_exp; - - /* Setup DSA Method */ - dsa_capi_idx = DSA_get_ex_new_index(0, NULL, NULL, NULL, 0); - ossl_dsa_meth = DSA_OpenSSL(); - capi_dsa_method.dsa_do_verify = ossl_dsa_meth->dsa_do_verify; - capi_dsa_method.dsa_mod_exp = ossl_dsa_meth->dsa_mod_exp; - capi_dsa_method.bn_mod_exp = ossl_dsa_meth->bn_mod_exp; #ifdef OPENSSL_CAPIENG_DIALOG { HMODULE cryptui = LoadLibrary(TEXT("CRYPTUI.DLL")); - HMODULE kernel = LoadLibrary(TEXT("KERNEL32.DLL")); + HMODULE kernel = GetModuleHandle(TEXT("KERNEL32.DLL")); if (cryptui) ctx->certselectdlg = (CERTDLG)GetProcAddress(cryptui, "CryptUIDlgSelectCertificateFromStore"); if (kernel) @@ -480,6 +535,7 @@ static int bind_capi(ENGINE *e) { if (!ENGINE_set_id(e, engine_capi_id) || !ENGINE_set_name(e, engine_capi_name) + || !ENGINE_set_flags(e, ENGINE_FLAGS_NO_REGISTER_ALL) || !ENGINE_set_init_function(e, capi_init) || !ENGINE_set_finish_function(e, capi_finish) || !ENGINE_set_destroy_function(e, capi_destroy) @@ -700,7 +756,7 @@ static EVP_PKEY *capi_get_pkey(ENGINE *eng, CAPI_KEY *key) return ret; memerr: - CAPIerr(CAPI_F_CAPI_LOAD_PRIVKEY, ERR_R_MALLOC_FAILURE); + CAPIerr(CAPI_F_CAPI_GET_PKEY, ERR_R_MALLOC_FAILURE); goto err; } @@ -1017,25 +1073,39 @@ static void capi_adderror(DWORD err) ERR_add_error_data(2, "Error code= 0x", errstr); } -static char *wide_to_asc(LPWSTR wstr) +static char *wide_to_asc(LPCWSTR wstr) { char *str; + int len_0,sz; + if (!wstr) return NULL; - str = OPENSSL_malloc(wcslen(wstr) + 1); + len_0 = (int)wcslen(wstr)+1; /* WideCharToMultiByte expects int */ + sz = WideCharToMultiByte(CP_ACP,0,wstr,len_0,NULL,0,NULL,NULL); + if (!sz) + { + CAPIerr(CAPI_F_WIDE_TO_ASC, CAPI_R_WIN32_ERROR); + return NULL; + } + str = OPENSSL_malloc(sz); if (!str) { CAPIerr(CAPI_F_WIDE_TO_ASC, ERR_R_MALLOC_FAILURE); return NULL; } - sprintf(str, "%S", wstr); + if (!WideCharToMultiByte(CP_ACP,0,wstr,len_0,str,sz,NULL,NULL)) + { + OPENSSL_free(str); + CAPIerr(CAPI_F_WIDE_TO_ASC, CAPI_R_WIN32_ERROR); + return NULL; + } return str; } static int capi_get_provname(CAPI_CTX *ctx, LPSTR *pname, DWORD *ptype, DWORD idx) { - LPSTR name; DWORD len, err; + LPTSTR name; CAPI_trace(ctx, "capi_get_provname, index=%d\n", idx); if (!CryptEnumProviders(idx, NULL, 0, ptype, NULL, &len)) { @@ -1046,8 +1116,11 @@ static int capi_get_provname(CAPI_CTX *ctx, LPSTR *pname, DWORD *ptype, DWORD id capi_adderror(err); return 0; } - name = OPENSSL_malloc(len); - if (!CryptEnumProviders(idx, NULL, 0, ptype, name, &len)) + if (sizeof(TCHAR) != sizeof(char)) + name = alloca(len); + else + name = OPENSSL_malloc(len); + if (!CryptEnumProviders(idx, NULL, 0, ptype, name, &len)) { err = GetLastError(); if (err == ERROR_NO_MORE_ITEMS) @@ -1056,8 +1129,11 @@ static int capi_get_provname(CAPI_CTX *ctx, LPSTR *pname, DWORD *ptype, DWORD id capi_adderror(err); return 0; } - *pname = name; - CAPI_trace(ctx, "capi_get_provname, returned name=%s, type=%d\n", name, *ptype); + if (sizeof(TCHAR) != sizeof(char)) + *pname = wide_to_asc((WCHAR *)name); + else + *pname = (char *)name; + CAPI_trace(ctx, "capi_get_provname, returned name=%s, type=%d\n", *pname, *ptype); return 1; } @@ -1066,7 +1142,7 @@ static int capi_list_providers(CAPI_CTX *ctx, BIO *out) { DWORD idx, ptype; int ret; - LPTSTR provname = NULL; + LPSTR provname = NULL; CAPI_trace(ctx, "capi_list_providers\n"); BIO_printf(out, "Available CSPs:\n"); for(idx = 0; ; idx++) @@ -1088,8 +1164,26 @@ static int capi_list_containers(CAPI_CTX *ctx, BIO *out) HCRYPTPROV hprov; DWORD err, idx, flags, buflen = 0, clen; LPSTR cname; + LPTSTR cspname = NULL; + CAPI_trace(ctx, "Listing containers CSP=%s, type = %d\n", ctx->cspname, ctx->csptype); - if (!CryptAcquireContext(&hprov, NULL, ctx->cspname, ctx->csptype, CRYPT_VERIFYCONTEXT)) + if (ctx->cspname && sizeof(TCHAR)!=sizeof(char)) + { + if ((clen=MultiByteToWideChar(CP_ACP,0,ctx->cspname,-1,NULL,0))) + { + cspname = alloca(clen*sizeof(WCHAR)); + MultiByteToWideChar(CP_ACP,0,ctx->cspname,-1,(WCHAR *)cspname,clen); + } + if (!cspname) + { + CAPIerr(CAPI_F_CAPI_LIST_CONTAINERS, ERR_R_MALLOC_FAILURE); + capi_addlasterror(); + return 0; + } + } + else + cspname = (TCHAR *)ctx->cspname; + if (!CryptAcquireContext(&hprov, NULL, cspname, ctx->csptype, CRYPT_VERIFYCONTEXT)) { CAPIerr(CAPI_F_CAPI_LIST_CONTAINERS, CAPI_R_CRYPTACQUIRECONTEXT_ERROR); capi_addlasterror(); @@ -1120,7 +1214,7 @@ static int capi_list_containers(CAPI_CTX *ctx, BIO *out) flags = CRYPT_FIRST; else flags = 0; - if(!CryptGetProvParam(hprov, PP_ENUMCONTAINERS, cname, &clen, flags)) + if(!CryptGetProvParam(hprov, PP_ENUMCONTAINERS, (BYTE *)cname, &clen, flags)) { err = GetLastError(); if (err == ERROR_NO_MORE_ITEMS) @@ -1316,7 +1410,6 @@ int capi_list_certs(CAPI_CTX *ctx, BIO *out, char *id) { for(idx = 0;;idx++) { - LPWSTR fname = NULL; cert = CertEnumCertificatesInStore(hstore, cert); if (!cert) break; @@ -1363,13 +1456,24 @@ static PCCERT_CONTEXT capi_find_cert(CAPI_CTX *ctx, const char *id, HCERTSTORE h } } -static CAPI_KEY *capi_get_key(CAPI_CTX *ctx, const char *contname, char *provname, DWORD ptype, DWORD keyspec) +static CAPI_KEY *capi_get_key(CAPI_CTX *ctx, const TCHAR *contname, TCHAR *provname, DWORD ptype, DWORD keyspec) { CAPI_KEY *key; key = OPENSSL_malloc(sizeof(CAPI_KEY)); + if (sizeof(TCHAR)==sizeof(char)) + CAPI_trace(ctx, "capi_get_key, contname=%s, provname=%s, type=%d\n", contname, provname, ptype); - CAPI_trace(ctx, "capi_get_key, contname=%s, provname=%s, type=%d\n", - contname, provname, ptype); + else if (ctx && ctx->debug_level>=CAPI_DBG_TRACE && ctx->debug_file) + { + /* above 'if' is optimization to minimize malloc-ations */ + char *_contname = wide_to_asc((WCHAR *)contname); + char *_provname = wide_to_asc((WCHAR *)provname); + + CAPI_trace(ctx, "capi_get_key, contname=%s, provname=%s, type=%d\n", + _contname, _provname, ptype); + if (_provname) OPENSSL_free(_provname); + if (_contname) OPENSSL_free(_contname); + } if (!CryptAcquireContext(&key->hprov, contname, provname, ptype, 0)) { CAPIerr(CAPI_F_CAPI_GET_KEY, CAPI_R_CRYPTACQUIRECONTEXT_ERROR); @@ -1400,12 +1504,19 @@ static CAPI_KEY *capi_get_cert_key(CAPI_CTX *ctx, PCCERT_CONTEXT cert) pinfo = capi_get_prov_info(ctx, cert); if (!pinfo) goto err; - provname = wide_to_asc(pinfo->pwszProvName); - contname = wide_to_asc(pinfo->pwszContainerName); - if (!provname || !contname) - goto err; - key = capi_get_key(ctx, contname, provname, + if (sizeof(TCHAR) != sizeof(char)) + key = capi_get_key(ctx, (TCHAR *)pinfo->pwszContainerName, + (TCHAR *)pinfo->pwszProvName, pinfo->dwProvType, pinfo->dwKeySpec); + else + { + provname = wide_to_asc(pinfo->pwszProvName); + contname = wide_to_asc(pinfo->pwszContainerName); + if (!provname || !contname) + goto err; + key = capi_get_key(ctx, (TCHAR *)contname, (TCHAR *)provname, + pinfo->dwProvType, pinfo->dwKeySpec); + } err: if (pinfo) @@ -1439,8 +1550,25 @@ CAPI_KEY *capi_find_key(CAPI_CTX *ctx, const char *id) break; case CAPI_LU_CONTNAME: - key = capi_get_key(ctx, id, ctx->cspname, ctx->csptype, - ctx->keytype); + if (sizeof(TCHAR)!=sizeof(char)) + { + WCHAR *contname, *provname; + DWORD len; + + if ((len=MultiByteToWideChar(CP_ACP,0,id,-1,NULL,0)) && + (contname=alloca(len*sizeof(WCHAR)), + MultiByteToWideChar(CP_ACP,0,id,-1,contname,len)) && + (len=MultiByteToWideChar(CP_ACP,0,ctx->cspname,-1,NULL,0)) && + (provname=alloca(len*sizeof(WCHAR)), + MultiByteToWideChar(CP_ACP,0,ctx->cspname,-1,provname,len))) + key = capi_get_key(ctx,(TCHAR *)contname, + (TCHAR *)provname, + ctx->csptype,ctx->keytype); + } + else + key = capi_get_key(ctx, (TCHAR *)id, + (TCHAR *)ctx->cspname, + ctx->csptype,ctx->keytype); break; } @@ -1508,7 +1636,21 @@ static int capi_ctx_set_provname(CAPI_CTX *ctx, LPSTR pname, DWORD type, int che if (check) { HCRYPTPROV hprov; - if (!CryptAcquireContext(&hprov, NULL, pname, type, + LPTSTR name=NULL; + + if (sizeof(TCHAR)!=sizeof(char)) + { + DWORD len; + if ((len=MultiByteToWideChar(CP_ACP,0,pname,-1,NULL,0))) + { + name = alloca(len*sizeof(WCHAR)); + MultiByteToWideChar(CP_ACP,0,pname,-1,(WCHAR *)name,len); + } + } + else + name = (TCHAR *)pname; + + if (!name || !CryptAcquireContext(&hprov, NULL, name, type, CRYPT_VERIFYCONTEXT)) { CAPIerr(CAPI_F_CAPI_CTX_SET_PROVNAME, CAPI_R_CRYPTACQUIRECONTEXT_ERROR); @@ -1587,11 +1729,15 @@ static int capi_load_ssl_client_cert(ENGINE *e, SSL *ssl, CAPI_trace(ctx, "Can't Parse Certificate %d\n", i); continue; } - if (cert_issuer_match(ca_dn, x)) + if (cert_issuer_match(ca_dn, x) + && X509_check_purpose(x, X509_PURPOSE_SSL_CLIENT, 0)) { key = capi_get_cert_key(ctx, cert); if (!key) + { + X509_free(x); continue; + } /* Match found: attach extra data to it so * we can retrieve the key later. */ @@ -1666,8 +1812,14 @@ static int cert_select_simple(ENGINE *e, SSL *ssl, STACK_OF(X509) *certs) * CryptUIDlgSelectCertificateFromStore() to produce a dialog box. */ -#include -#include +/* Definitions which are in cryptuiapi.h but this is not present in older + * versions of headers. + */ + +#ifndef CRYPTUI_SELECT_LOCATION_COLUMN +#define CRYPTUI_SELECT_LOCATION_COLUMN 0x000000010 +#define CRYPTUI_SELECT_INTENDEDUSE_COLUMN 0x000000004 +#endif #define dlg_title L"OpenSSL Application SSL Client Certificate Selection" #define dlg_prompt L"Select a certificate to use for authentication" @@ -1691,7 +1843,7 @@ static int cert_select_dialog(ENGINE *e, SSL *ssl, STACK_OF(X509) *certs) CERT_STORE_CREATE_NEW_FLAG, NULL); if (!dstore) { - CAPIerr(CAPI_F_CLIENT_CERT_SELECT, CAPI_R_ERROR_CREATING_STORE); + CAPIerr(CAPI_F_CERT_SELECT_DIALOG, CAPI_R_ERROR_CREATING_STORE); capi_addlasterror(); goto err; } @@ -1704,13 +1856,15 @@ static int cert_select_dialog(ENGINE *e, SSL *ssl, STACK_OF(X509) *certs) if (!CertAddCertificateContextToStore(dstore, key->pcert, CERT_STORE_ADD_NEW, NULL)) { - CAPIerr(CAPI_F_CLIENT_CERT_SELECT, CAPI_R_ERROR_ADDING_CERT); + CAPIerr(CAPI_F_CERT_SELECT_DIALOG, CAPI_R_ERROR_ADDING_CERT); capi_addlasterror(); goto err; } } - hwnd = GetActiveWindow(); + hwnd = GetForegroundWindow(); + if (!hwnd) + hwnd = GetActiveWindow(); if (!hwnd && ctx->getconswindow) hwnd = ctx->getconswindow(); /* Call dialog to select one */ @@ -1743,5 +1897,15 @@ static int cert_select_dialog(ENGINE *e, SSL *ssl, STACK_OF(X509) *certs) } #endif +#else /* !__COMPILE_CAPIENG */ +#include +#ifndef OPENSSL_NO_DYNAMIC_ENGINE +OPENSSL_EXPORT +int bind_engine(ENGINE *e, const char *id, const dynamic_fns *fns); +OPENSSL_EXPORT +int bind_engine(ENGINE *e, const char *id, const dynamic_fns *fns) { return 0; } +IMPLEMENT_DYNAMIC_CHECK_FN() +#else +void ENGINE_load_capi(void){} #endif #endif