contrib/wpa_supplicant-0.4.9/tls_schannel.c

   1 /*
   2  * WPA Supplicant / SSL/TLS interface functions for Microsoft Schannel
   3  * Copyright (c) 2005, Jouni Malinen <jkmaline@cc.hut.fi>
   4  *
   5  * This program is free software; you can redistribute it and/or modify
   6  * it under the terms of the GNU General Public License version 2 as
   7  * published by the Free Software Foundation.
   8  *
   9  * Alternatively, this software may be distributed under the terms of BSD
  10  * license.
  11  *
  12  * See README and COPYING for more details.
  13  */
  14
  15 /*
  16  * FIX: Go through all SSPI functions and verify what needs to be freed
  17  * FIX: session resumption
  18  * TODO: add support for server cert chain validation
  19  * TODO: add support for CA cert validation
  20  * TODO: add support for EAP-TLS (client cert/key conf)
  21  */
  22
  23 #include <stdlib.h>
  24 #include <stdio.h>
  25 #include <string.h>
  26 #include <windows.h>
  27 #include <wincrypt.h>
  28 #include <schannel.h>
  29 #define SECURITY_WIN32
  30 #include <security.h>
  31 #include <sspi.h>
  32
  33 #include "common.h"
  34 #include "tls.h"
  35
  36
  37 struct tls_global {
  38         HMODULE hsecurity;
  39         PSecurityFunctionTable sspi;
  40         HCERTSTORE my_cert_store;
  41 };
  42
  43 struct tls_connection {
  44         int established, start;
  45         int failed, read_alerts, write_alerts;
  46
  47         SCHANNEL_CRED schannel_cred;
  48         CredHandle creds;
  49         CtxtHandle context;
  50
  51         u8 eap_tls_prf[128];
  52         int eap_tls_prf_set;
  53 };
  54
  55
  56 static int schannel_load_lib(struct tls_global *global)
  57 {
  58         INIT_SECURITY_INTERFACE pInitSecurityInterface;
  59
  60         global->hsecurity = LoadLibrary("Secur32.dll");
  61         if (global->hsecurity == NULL) {
  62                 wpa_printf(MSG_ERROR, "%s: Could not load Secur32.dll - 0x%x",
  63                            __func__, (unsigned int) GetLastError());
  64                 return -1;
  65         }
  66
  67         pInitSecurityInterface = (INIT_SECURITY_INTERFACE) GetProcAddress(
  68                 global->hsecurity, "InitSecurityInterfaceA");
  69         if (pInitSecurityInterface == NULL) {
  70                 wpa_printf(MSG_ERROR, "%s: Could not find "
  71                            "InitSecurityInterfaceA from Secur32.dll",
  72                            __func__);
  73                 FreeLibrary(global->hsecurity);
  74                 global->hsecurity = NULL;
  75                 return -1;
  76         }
  77
  78         global->sspi = pInitSecurityInterface();
  79         if (global->sspi == NULL) {
  80                 wpa_printf(MSG_ERROR, "%s: Could not read security "
  81                            "interface - 0x%x",
  82                            __func__, (unsigned int) GetLastError());
  83                 FreeLibrary(global->hsecurity);
  84                 global->hsecurity = NULL;
  85                 return -1;
  86         }
  87
  88         return 0;
  89 }
  90
  91
  92 void * tls_init(const struct tls_config *conf)
  93 {
  94         struct tls_global *global;
  95
  96         global = malloc(sizeof(*global));
  97         if (global == NULL)
  98                 return NULL;
  99         memset(global, 0, sizeof(*global));
 100         if (schannel_load_lib(global)) {
 101                 free(global);
 102                 return NULL;
 103         }
 104         return global;
 105 }
 106
 107
 108 void tls_deinit(void *ssl_ctx)
 109 {
 110         struct tls_global *global = ssl_ctx;
 111
 112         if (global->my_cert_store)
 113                 CertCloseStore(global->my_cert_store, 0);
 114         FreeLibrary(global->hsecurity);
 115         free(global);
 116 }
 117
 118
 119 int tls_get_errors(void *ssl_ctx)
 120 {
 121         return 0;
 122 }
 123
 124
 125 struct tls_connection * tls_connection_init(void *ssl_ctx)
 126 {
 127         struct tls_connection *conn;
 128
 129         conn = malloc(sizeof(*conn));
 130         if (conn == NULL)
 131                 return NULL;
 132         memset(conn, 0, sizeof(*conn));
 133         conn->start = 1;
 134
 135         return conn;
 136 }
 137
 138
 139 void tls_connection_deinit(void *ssl_ctx, struct tls_connection *conn)
 140 {
 141         if (conn == NULL)
 142                 return;
 143
 144         free(conn);
 145 }
 146
 147
 148 int tls_connection_established(void *ssl_ctx, struct tls_connection *conn)
 149 {
 150         return conn ? conn->established : 0;
 151 }
 152
 153
 154 int tls_connection_shutdown(void *ssl_ctx, struct tls_connection *conn)
 155 {
 156         struct tls_global *global = ssl_ctx;
 157         if (conn == NULL)
 158                 return -1;
 159
 160         conn->eap_tls_prf_set = 0;
 161         conn->established = conn->failed = 0;
 162         conn->read_alerts = conn->write_alerts = 0;
 163         global->sspi->DeleteSecurityContext(&conn->context);
 164         /* FIX: what else needs to be reseted? */
 165
 166         return 0;
 167 }
 168
 169
 170 int tls_global_ca_cert(void *_ssl_ctx, const char *ca_cert)
 171 {
 172         return -1;
 173 }
 174
 175
 176 int tls_global_set_verify(void *ssl_ctx, int check_crl)
 177 {
 178         return -1;
 179 }
 180
 181
 182 int tls_connection_set_verify(void *ssl_ctx, struct tls_connection *conn,
 183                               int verify_peer)
 184 {
 185         return -1;
 186 }
 187
 188
 189 int tls_global_client_cert(void *_ssl_ctx, const char *client_cert)
 190 {
 191         return -1;
 192 }
 193
 194
 195 int tls_global_private_key(void *_ssl_ctx, const char *private_key,
 196                            const char *private_key_passwd)
 197 {
 198         return -1;
 199 }
 200
 201
 202 int tls_connection_get_keys(void *ssl_ctx, struct tls_connection *conn,
 203                             struct tls_keys *keys)
 204 {
 205         if (conn == NULL || keys == NULL || !conn->eap_tls_prf_set)
 206                 return -1;
 207
 208         memset(keys, 0, sizeof(*keys));
 209
 210         /*
 211          * Cannot get master_key from Schannel, but EapKeyBlock can be used to
 212          * generate session keys for EAP-TLS and EAP-PEAPv0. EAP-PEAPv2 and
 213          * EAP-TTLS cannot use this, though, since they are using different
 214          * labels. The only option could be to implement TLSv1 completely here
 215          * and just use Schannel or CryptoAPI for low-level crypto
 216          * functionality..
 217          */
 218         keys->eap_tls_prf = conn->eap_tls_prf;
 219         keys->eap_tls_prf_len = sizeof(conn->eap_tls_prf);
 220
 221         return 0;
 222 }
 223
 224
 225 static u8 * tls_conn_hs_clienthello(struct tls_global *global,
 226                                     struct tls_connection *conn,
 227                                     size_t *out_len)
 228 {
 229         DWORD sspi_flags, sspi_flags_out;
 230         SecBufferDesc outbuf;
 231         SecBuffer outbufs[1];
 232         SECURITY_STATUS status;
 233         TimeStamp ts_expiry;
 234
 235         sspi_flags = ISC_REQ_REPLAY_DETECT |
 236                 ISC_REQ_CONFIDENTIALITY |
 237                 ISC_RET_EXTENDED_ERROR |
 238                 ISC_REQ_ALLOCATE_MEMORY |
 239                 ISC_REQ_MANUAL_CRED_VALIDATION;
 240
 241         wpa_printf(MSG_DEBUG, "%s: Generating ClientHello", __func__);
 242
 243         outbufs[0].pvBuffer = NULL;
 244         outbufs[0].BufferType = SECBUFFER_TOKEN;
 245         outbufs[0].cbBuffer = 0;
 246
 247         outbuf.cBuffers = 1;
 248         outbuf.pBuffers = outbufs;
 249         outbuf.ulVersion = SECBUFFER_VERSION;
 250
 251         status = global->sspi->InitializeSecurityContextA(
 252                 &conn->creds, NULL, NULL /* server name */, sspi_flags, 0,
 253                 SECURITY_NATIVE_DREP, NULL, 0, &conn->context,
 254                 &outbuf, &sspi_flags_out, &ts_expiry);
 255         if (status != SEC_I_CONTINUE_NEEDED) {
 256                 wpa_printf(MSG_ERROR, "%s: InitializeSecurityContextA "
 257                            "failed - 0x%x",
 258                            __func__, (unsigned int) status);
 259                 return NULL;
 260         }
 261
 262         if (outbufs[0].cbBuffer != 0 && outbufs[0].pvBuffer) {
 263                 u8 *buf;
 264                 wpa_hexdump(MSG_MSGDUMP, "SChannel - ClientHello",
 265                             outbufs[0].pvBuffer, outbufs[0].cbBuffer);
 266                 conn->start = 0;
 267                 *out_len = outbufs[0].cbBuffer;
 268                 buf = malloc(*out_len);
 269                 if (buf == NULL)
 270                         return NULL;
 271                 memcpy(buf, outbufs[0].pvBuffer, *out_len);
 272                 global->sspi->FreeContextBuffer(outbufs[0].pvBuffer);
 273                 return buf;
 274         }
 275
 276         wpa_printf(MSG_ERROR, "SChannel: Failed to generate ClientHello");
 277
 278         return NULL;
 279 }
 280
 281
 282 #ifndef SECPKG_ATTR_EAP_KEY_BLOCK
 283 #define SECPKG_ATTR_EAP_KEY_BLOCK 0x5b
 284
 285 typedef struct _SecPkgContext_EapKeyBlock {
 286         BYTE rgbKeys[128];
 287         BYTE rgbIVs[64];
 288 } SecPkgContext_EapKeyBlock, *PSecPkgContext_EapKeyBlock;
 289 #endif /* !SECPKG_ATTR_EAP_KEY_BLOCK */
 290
 291 static int tls_get_eap(struct tls_global *global, struct tls_connection *conn)
 292 {
 293         SECURITY_STATUS status;
 294         SecPkgContext_EapKeyBlock kb;
 295
 296         /* Note: Windows NT and Windows Me/98/95 do not support getting
 297          * EapKeyBlock */
 298
 299         status = global->sspi->QueryContextAttributes(
 300                 &conn->context, SECPKG_ATTR_EAP_KEY_BLOCK, &kb);
 301         if (status != SEC_E_OK) {
 302                 wpa_printf(MSG_DEBUG, "%s: QueryContextAttributes("
 303                            "SECPKG_ATTR_EAP_KEY_BLOCK) failed (%d)",
 304                            __func__, (int) status);
 305                 return -1;
 306         }
 307
 308         wpa_hexdump_key(MSG_MSGDUMP, "Schannel - EapKeyBlock - rgbKeys",
 309                         kb.rgbKeys, sizeof(kb.rgbKeys));
 310         wpa_hexdump_key(MSG_MSGDUMP, "Schannel - EapKeyBlock - rgbIVs",
 311                         kb.rgbIVs, sizeof(kb.rgbIVs));
 312
 313         memcpy(conn->eap_tls_prf, kb.rgbKeys, sizeof(kb.rgbKeys));
 314         conn->eap_tls_prf_set = 1;
 315 }
 316
 317
 318 u8 * tls_connection_handshake(void *ssl_ctx, struct tls_connection *conn,
 319                               const u8 *in_data, size_t in_len,
 320                               size_t *out_len)
 321 {
 322         struct tls_global *global = ssl_ctx;
 323         DWORD sspi_flags, sspi_flags_out;
 324         SecBufferDesc inbuf, outbuf;
 325         SecBuffer inbufs[2], outbufs[1];
 326         SECURITY_STATUS status;
 327         TimeStamp ts_expiry;
 328         u8 *out_buf = NULL;
 329
 330         if (conn->start) {
 331                 return tls_conn_hs_clienthello(global, conn, out_len);
 332         }
 333
 334         wpa_printf(MSG_DEBUG, "SChannel: %d bytes handshake data to process",
 335                    in_len);
 336
 337         sspi_flags = ISC_REQ_REPLAY_DETECT |
 338                 ISC_REQ_CONFIDENTIALITY |
 339                 ISC_RET_EXTENDED_ERROR |
 340                 ISC_REQ_ALLOCATE_MEMORY |
 341                 ISC_REQ_MANUAL_CRED_VALIDATION;
 342
 343         /* Input buffer for Schannel */
 344         inbufs[0].pvBuffer = (u8 *) in_data;
 345         inbufs[0].cbBuffer = in_len;
 346         inbufs[0].BufferType = SECBUFFER_TOKEN;
 347
 348         /* Place for leftover data from Schannel */
 349         inbufs[1].pvBuffer = NULL;
 350         inbufs[1].cbBuffer = 0;
 351         inbufs[1].BufferType = SECBUFFER_EMPTY;
 352
 353         inbuf.cBuffers = 2;
 354         inbuf.pBuffers = inbufs;
 355         inbuf.ulVersion = SECBUFFER_VERSION;
 356
 357         /* Output buffer for Schannel */
 358         outbufs[0].pvBuffer = NULL;
 359         outbufs[0].cbBuffer = 0;
 360         outbufs[0].BufferType = SECBUFFER_TOKEN;
 361
 362         outbuf.cBuffers = 1;
 363         outbuf.pBuffers = outbufs;
 364         outbuf.ulVersion = SECBUFFER_VERSION;
 365
 366         status = global->sspi->InitializeSecurityContextA(
 367                 &conn->creds, &conn->context, NULL, sspi_flags, 0,
 368                 SECURITY_NATIVE_DREP, &inbuf, 0, NULL,
 369                 &outbuf, &sspi_flags_out, &ts_expiry);
 370
 371         wpa_printf(MSG_MSGDUMP, "Schannel: InitializeSecurityContextA -> "
 372                    "status=%d inlen[0]=%d intype[0]=%d inlen[1]=%d "
 373                    "intype[1]=%d outlen[0]=%d",
 374                    (int) status, (int) inbufs[0].cbBuffer,
 375                    (int) inbufs[0].BufferType, (int) inbufs[1].cbBuffer,
 376                    (int) inbufs[1].BufferType,
 377                    (int) outbufs[0].cbBuffer);
 378         if (status == SEC_E_OK || status == SEC_I_CONTINUE_NEEDED ||
 379             (FAILED(status) && (sspi_flags_out & ISC_RET_EXTENDED_ERROR))) {
 380                 if (outbufs[0].cbBuffer != 0 && outbufs[0].pvBuffer) {
 381                         wpa_hexdump(MSG_MSGDUMP, "SChannel - output",
 382                                     outbufs[0].pvBuffer, outbufs[0].cbBuffer);
 383                         *out_len = outbufs[0].cbBuffer;
 384                         out_buf = malloc(*out_len);
 385                         if (out_buf == NULL)
 386                                 return NULL;
 387                         memcpy(out_buf, outbufs[0].pvBuffer, *out_len);
 388                         global->sspi->FreeContextBuffer(outbufs[0].pvBuffer);
 389                         outbufs[0].pvBuffer = NULL;
 390                 }
 391         }
 392
 393         switch (status) {
 394         case SEC_E_INCOMPLETE_MESSAGE:
 395                 wpa_printf(MSG_DEBUG, "Schannel: SEC_E_INCOMPLETE_MESSAGE");
 396                 break;
 397         case SEC_I_CONTINUE_NEEDED:
 398                 wpa_printf(MSG_DEBUG, "Schannel: SEC_I_CONTINUE_NEEDED");
 399                 break;
 400         case SEC_E_OK:
 401                 /* TODO: verify server certificate chain */
 402                 wpa_printf(MSG_DEBUG, "Schannel: SEC_E_OK - Handshake "
 403                            "completed successfully");
 404                 conn->established = 1;
 405                 tls_get_eap(global, conn);
 406
 407                 /* Need to return something to get final TLS ACK. */
 408                 if (out_buf == NULL)
 409                         out_buf = malloc(1);
 410
 411                 if (inbufs[1].BufferType == SECBUFFER_EXTRA) {
 412                         wpa_hexdump(MSG_MSGDUMP, "SChannel - Encrypted "
 413                                     "application data",
 414                                     inbufs[1].pvBuffer, inbufs[1].cbBuffer);
 415                         /* FIX: need to fix TLS API to allow this data to be
 416                          * passed to the caller */
 417                         global->sspi->FreeContextBuffer(inbufs[1].pvBuffer);
 418                         inbufs[1].pvBuffer = NULL;
 419                 }
 420                 break;
 421         case SEC_I_INCOMPLETE_CREDENTIALS:
 422                 wpa_printf(MSG_DEBUG,
 423                            "Schannel: SEC_I_INCOMPLETE_CREDENTIALS");
 424                 break;
 425         case SEC_E_WRONG_PRINCIPAL:
 426                 wpa_printf(MSG_DEBUG, "Schannel: SEC_E_WRONG_PRINCIPAL");
 427                 break;
 428         case SEC_E_INTERNAL_ERROR:
 429                 wpa_printf(MSG_DEBUG, "Schannel: SEC_E_INTERNAL_ERROR");
 430                 break;
 431         }
 432
 433         if (FAILED(status)) {
 434                 wpa_printf(MSG_DEBUG, "Schannel: Handshake failed "
 435                            "(out_buf=%p)", out_buf);
 436                 conn->failed++;
 437                 global->sspi->DeleteSecurityContext(&conn->context);
 438                 return out_buf;
 439         }
 440
 441         if (inbufs[1].BufferType == SECBUFFER_EXTRA) {
 442                 /* TODO: Can this happen? What to do with this data? */
 443                 wpa_hexdump(MSG_MSGDUMP, "SChannel - Leftover data",
 444                             inbufs[1].pvBuffer, inbufs[1].cbBuffer);
 445                 global->sspi->FreeContextBuffer(inbufs[1].pvBuffer);
 446                 inbufs[1].pvBuffer = NULL;
 447         }
 448
 449         return out_buf;
 450 }
 451
 452
 453 u8 * tls_connection_server_handshake(void *ssl_ctx,
 454                                      struct tls_connection *conn,
 455                                      const u8 *in_data, size_t in_len,
 456                                      size_t *out_len)
 457 {
 458         return NULL;
 459 }
 460
 461
 462 int tls_connection_encrypt(void *ssl_ctx, struct tls_connection *conn,
 463                            const u8 *in_data, size_t in_len,
 464                            u8 *out_data, size_t out_len)
 465 {
 466         struct tls_global *global = ssl_ctx;
 467         SECURITY_STATUS status;
 468         SecBufferDesc buf;
 469         SecBuffer bufs[4];
 470         SecPkgContext_StreamSizes sizes;
 471         int i;
 472         size_t total_len;
 473
 474         status = global->sspi->QueryContextAttributes(&conn->context,
 475                                                       SECPKG_ATTR_STREAM_SIZES,
 476                                                       &sizes);
 477         if (status != SEC_E_OK) {
 478                 wpa_printf(MSG_DEBUG, "%s: QueryContextAttributes failed",
 479                            __func__);
 480                 return -1;
 481         }
 482         wpa_printf(MSG_DEBUG, "%s: Stream sizes: header=%u trailer=%u",
 483                    __func__,
 484                    (unsigned int) sizes.cbHeader,
 485                    (unsigned int) sizes.cbTrailer);
 486
 487         total_len = sizes.cbHeader + in_len + sizes.cbTrailer;
 488
 489         if (out_len < total_len) {
 490                 wpa_printf(MSG_DEBUG, "%s: too short out_data (out_len=%lu "
 491                            "in_len=%lu total_len=%lu)", __func__,
 492                            (unsigned long) out_len, (unsigned long) in_len,
 493                            (unsigned long) total_len);
 494                 return -1;
 495         }
 496
 497         memset(&bufs, 0, sizeof(bufs));
 498         bufs[0].pvBuffer = out_data;
 499         bufs[0].cbBuffer = sizes.cbHeader;
 500         bufs[0].BufferType = SECBUFFER_STREAM_HEADER;
 501
 502         memcpy(out_data + sizes.cbHeader, in_data, in_len);
 503         bufs[1].pvBuffer = out_data + sizes.cbHeader;
 504         bufs[1].cbBuffer = in_len;
 505         bufs[1].BufferType = SECBUFFER_DATA;
 506
 507         bufs[2].pvBuffer = out_data + sizes.cbHeader + in_len;
 508         bufs[2].cbBuffer = sizes.cbTrailer;
 509         bufs[2].BufferType = SECBUFFER_STREAM_TRAILER;
 510
 511         buf.ulVersion = SECBUFFER_VERSION;
 512         buf.cBuffers = 3;
 513         buf.pBuffers = bufs;
 514
 515         status = global->sspi->EncryptMessage(&conn->context, 0, &buf, 0);
 516
 517         wpa_printf(MSG_MSGDUMP, "Schannel: EncryptMessage -> "
 518                    "status=%d len[0]=%d type[0]=%d len[1]=%d type[1]=%d "
 519                    "len[2]=%d type[2]=%d",
 520                    (int) status,
 521                    (int) bufs[0].cbBuffer, (int) bufs[0].BufferType,
 522                    (int) bufs[1].cbBuffer, (int) bufs[1].BufferType,
 523                    (int) bufs[2].cbBuffer, (int) bufs[2].BufferType);
 524         wpa_printf(MSG_MSGDUMP, "Schannel: EncryptMessage pointers: "
 525                    "out_data=%p bufs %p %p %p",
 526                    out_data, bufs[0].pvBuffer, bufs[1].pvBuffer,
 527                    bufs[2].pvBuffer);
 528
 529         for (i = 0; i < 3; i++) {
 530                 if (bufs[i].pvBuffer && bufs[i].BufferType != SECBUFFER_EMPTY)
 531                 {
 532                         wpa_hexdump(MSG_MSGDUMP, "SChannel: bufs",
 533                                     bufs[i].pvBuffer, bufs[i].cbBuffer);
 534                 }
 535         }
 536
 537         if (status == SEC_E_OK) {
 538                 wpa_printf(MSG_DEBUG, "%s: SEC_E_OK", __func__);
 539                 wpa_hexdump_key(MSG_MSGDUMP, "Schannel: Encrypted data from "
 540                                 "EncryptMessage", out_data, total_len);
 541                 return total_len;
 542         }
 543
 544         wpa_printf(MSG_DEBUG, "%s: Failed - status=%d",
 545                    __func__, (int) status);
 546         return -1;
 547 }
 548
 549
 550 int tls_connection_decrypt(void *ssl_ctx, struct tls_connection *conn,
 551                            const u8 *in_data, size_t in_len,
 552                            u8 *out_data, size_t out_len)
 553 {
 554         struct tls_global *global = ssl_ctx;
 555         SECURITY_STATUS status;
 556         SecBufferDesc buf;
 557         SecBuffer bufs[4];
 558         int i;
 559
 560         if (out_len < in_len) {
 561                 wpa_printf(MSG_DEBUG, "%s: out_len=%lu < in_len=%lu", __func__,
 562                            (unsigned long) out_len, (unsigned long) in_len);
 563                 return -1;
 564         }
 565
 566         wpa_hexdump(MSG_MSGDUMP, "Schannel: Encrypted data to DecryptMessage",
 567                     in_data, in_len);
 568         memset(&bufs, 0, sizeof(bufs));
 569         memcpy(out_data, in_data, in_len);
 570         bufs[0].pvBuffer = out_data;
 571         bufs[0].cbBuffer = in_len;
 572         bufs[0].BufferType = SECBUFFER_DATA;
 573
 574         bufs[1].BufferType = SECBUFFER_EMPTY;
 575         bufs[2].BufferType = SECBUFFER_EMPTY;
 576         bufs[3].BufferType = SECBUFFER_EMPTY;
 577
 578         buf.ulVersion = SECBUFFER_VERSION;
 579         buf.cBuffers = 4;
 580         buf.pBuffers = bufs;
 581
 582         status = global->sspi->DecryptMessage(&conn->context, &buf, 0,
 583                                                     NULL);
 584         wpa_printf(MSG_MSGDUMP, "Schannel: DecryptMessage -> "
 585                    "status=%d len[0]=%d type[0]=%d len[1]=%d type[1]=%d "
 586                    "len[2]=%d type[2]=%d len[3]=%d type[3]=%d",
 587                    (int) status,
 588                    (int) bufs[0].cbBuffer, (int) bufs[0].BufferType,
 589                    (int) bufs[1].cbBuffer, (int) bufs[1].BufferType,
 590                    (int) bufs[2].cbBuffer, (int) bufs[2].BufferType,
 591                    (int) bufs[3].cbBuffer, (int) bufs[3].BufferType);
 592         wpa_printf(MSG_MSGDUMP, "Schannel: DecryptMessage pointers: "
 593                    "out_data=%p bufs %p %p %p %p",
 594                    out_data, bufs[0].pvBuffer, bufs[1].pvBuffer,
 595                    bufs[2].pvBuffer, bufs[3].pvBuffer);
 596
 597         switch (status) {
 598         case SEC_E_INCOMPLETE_MESSAGE:
 599                 wpa_printf(MSG_DEBUG, "%s: SEC_E_INCOMPLETE_MESSAGE",
 600                            __func__);
 601                 break;
 602         case SEC_E_OK:
 603                 wpa_printf(MSG_DEBUG, "%s: SEC_E_OK", __func__);
 604                 for (i = 0; i < 4; i++) {
 605                         if (bufs[i].BufferType == SECBUFFER_DATA)
 606                                 break;
 607                 }
 608                 if (i == 4) {
 609                         wpa_printf(MSG_DEBUG, "%s: No output data from "
 610                                    "DecryptMessage", __func__);
 611                         return -1;
 612                 }
 613                 wpa_hexdump_key(MSG_MSGDUMP, "Schannel: Decrypted data from "
 614                                 "DecryptMessage",
 615                                 bufs[i].pvBuffer, bufs[i].cbBuffer);
 616                 if (bufs[i].cbBuffer > out_len) {
 617                         wpa_printf(MSG_DEBUG, "%s: Too long output data",
 618                                    __func__);
 619                         return -1;
 620                 }
 621                 memmove(out_data, bufs[i].pvBuffer, bufs[i].cbBuffer);
 622                 return bufs[i].cbBuffer;
 623         }
 624
 625         wpa_printf(MSG_DEBUG, "%s: Failed - status=%d",
 626                    __func__, (int) status);
 627         return -1;
 628 }
 629
 630
 631 int tls_connection_resumed(void *ssl_ctx, struct tls_connection *conn)
 632 {
 633         return 0;
 634 }
 635
 636
 637 #ifdef EAP_FAST
 638 int tls_connection_set_master_key(void *ssl_ctx, struct tls_connection *conn,
 639                                   const u8 *key, size_t key_len)
 640 {
 641         return -1;
 642 }
 643 #endif /* EAP_FAST */
 644
 645
 646 int tls_connection_set_anon_dh(void *ssl_ctx, struct tls_connection *conn)
 647 {
 648         return -1;
 649 }
 650
 651
 652 int tls_get_cipher(void *ssl_ctx, struct tls_connection *conn,
 653                    char *buf, size_t buflen)
 654 {
 655         return -1;
 656 }
 657
 658
 659 int tls_connection_enable_workaround(void *ssl_ctx,
 660                                      struct tls_connection *conn)
 661 {
 662         return 0;
 663 }
 664
 665
 666 #ifdef EAP_FAST
 667 /* ClientHello TLS extensions require a patch to openssl, so this function is
 668  * commented out unless explicitly needed for EAP-FAST in order to be able to
 669  * build this file with unmodified openssl. */
 670 int tls_connection_client_hello_ext(void *ssl_ctx, struct tls_connection *conn,
 671                                     int ext_type, const u8 *data,
 672                                     size_t data_len)
 673 {
 674         return -1;
 675 }
 676 #endif /* EAP_FAST */
 677
 678
 679 int tls_connection_get_failed(void *ssl_ctx, struct tls_connection *conn)
 680 {
 681         if (conn == NULL)
 682                 return -1;
 683         return conn->failed;
 684 }
 685
 686
 687 int tls_connection_get_read_alerts(void *ssl_ctx, struct tls_connection *conn)
 688 {
 689         if (conn == NULL)
 690                 return -1;
 691         return conn->read_alerts;
 692 }
 693
 694
 695 int tls_connection_get_write_alerts(void *ssl_ctx, struct tls_connection *conn)
 696 {
 697         if (conn == NULL)
 698                 return -1;
 699         return conn->write_alerts;
 700 }
 701
 702
 703 int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
 704                               const struct tls_connection_params *params)
 705 {
 706         struct tls_global *global = tls_ctx;
 707         ALG_ID algs[1];
 708         SECURITY_STATUS status;
 709         TimeStamp ts_expiry;
 710
 711         if (conn == NULL)
 712                 return -1;
 713
 714         if (global->my_cert_store == NULL &&
 715             (global->my_cert_store = CertOpenSystemStore(0, "MY")) == NULL) {
 716                 wpa_printf(MSG_ERROR, "%s: CertOpenSystemStore failed - 0x%x",
 717                            __func__, (unsigned int) GetLastError());
 718                 return -1;
 719         }
 720
 721         memset(&conn->schannel_cred, 0, sizeof(conn->schannel_cred));
 722         conn->schannel_cred.dwVersion = SCHANNEL_CRED_VERSION;
 723         conn->schannel_cred.grbitEnabledProtocols = SP_PROT_TLS1;
 724         algs[0] = CALG_RSA_KEYX;
 725         conn->schannel_cred.cSupportedAlgs = 1;
 726         conn->schannel_cred.palgSupportedAlgs = algs;
 727         conn->schannel_cred.dwFlags |= SCH_CRED_NO_DEFAULT_CREDS;
 728         status = global->sspi->AcquireCredentialsHandleA(
 729                 NULL, UNISP_NAME_A, SECPKG_CRED_OUTBOUND, NULL,
 730                 &conn->schannel_cred, NULL, NULL, &conn->creds, &ts_expiry);
 731         if (status != SEC_E_OK) {
 732                 wpa_printf(MSG_DEBUG, "%s: AcquireCredentialsHandleA failed - "
 733                            "0x%x", __func__, (unsigned int) status);
 734                 return -1;
 735         }
 736
 737         return 0;
 738 }