archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2 Commits
1 Branch
0 Tags
1.5 GiB
Tree: 7b07a90fc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '7b07a90fc1'
${ noResults }
windows-server-2003/inetsrv/iis/iisrearc/iisplus/sfwp/dll/iisctl.cxx

606 lines
13 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. /*++
  3. Copyright (c) 2001 Microsoft Corporation
  5. Module Name :
  6. iisctl.cxx
  8. Abstract:
  9. IIS CTL (Certificate Trust List) handler
  10. This gets used only with SSL client certificates
  12. Author:
  13. Jaroslav Dunajsky
  15. Environment:
  16. Win32 - User Mode
  18. Project:
  19. Stream Filter Worker Process
  20. --*/
  22. #include "precomp.hxx"
  24. IIS_CTL_HASH * IIS_CTL::sm_pIisCtlHash;
  26. IIS_CTL::IIS_CTL(
  27. IN CREDENTIAL_ID * pCredentialId
  28. ) : _pCredentialId( pCredentialId ),
  29. _pCtlContext( NULL ),
  30. _pCtlStore( NULL ),
  31. _cRefs( 1 )
  32. {
  33. _dwSignature = IIS_CTL_SIGNATURE;
  34. }
  36. IIS_CTL::~IIS_CTL()
  37. {
  38. if ( _pCtlContext != NULL )
  39. {
  40. CertFreeCTLContext( _pCtlContext );
  41. _pCtlContext = NULL;
  42. }
  44. if ( _pCtlStore != NULL )
  45. {
  46. _pCtlStore->DereferenceStore();
  47. _pCtlStore = NULL;
  48. }
  50. if ( _pCredentialId != NULL )
  51. {
  52. delete _pCredentialId;
  53. _pCredentialId = NULL;
  54. }
  57. _dwSignature = IIS_CTL_SIGNATURE_FREE;
  58. }
  60. //static
  61. HRESULT
  62. IIS_CTL::Initialize(
  63. VOID
  64. )
  65. /*++
  67. Routine Description:
  69. Initialize IIS CTL globals
  71. Arguments:
  73. None
  75. Return Value:
  77. HRESULT
  79. --*/
  80. {
  81. sm_pIisCtlHash = new IIS_CTL_HASH();
  82. if ( sm_pIisCtlHash == NULL )
  83. {
  84. return HRESULT_FROM_WIN32( ERROR_OUTOFMEMORY );
  85. }
  87. return NO_ERROR;
  88. }
  90. //static
  91. VOID
  92. IIS_CTL::Terminate(
  93. VOID
  94. )
  95. /*++
  97. Routine Description:
  99. Cleanup IIS Ctl globals
  101. Arguments:
  103. None
  105. Return Value:
  107. None
  109. --*/
  110. {
  111. if ( sm_pIisCtlHash != NULL )
  112. {
  113. delete sm_pIisCtlHash;
  114. sm_pIisCtlHash = NULL;
  115. }
  116. }
  118. //static
  119. HRESULT
  120. IIS_CTL::GetIisCtl(
  121. IN WCHAR * pszSslCtlIdentifier,
  122. IN WCHAR * pszSslCtlStoreName,
  123. OUT IIS_CTL ** ppIisCtl
  124. )
  125. /*++
  127. Routine Description:
  129. Find a suitable Ctl for use with the site represented by
  130. given site SslConfig
  132. Arguments:
  134. pzsSslCtlIdentifier - identifies CTL
  135. pszSslCtlStoreName - store name where CTL is to be located (in the LOCAL_MACHINE context)
  136. If NULL, then default "CA" store is assumed
  137. ppIisCtl - pointer to IIS CTL
  139. Return Value:
  141. HRESULT
  143. --*/
  144. {
  145. IIS_CTL * pIisCtl = NULL;
  146. CREDENTIAL_ID * pCredentialId = NULL;
  147. HRESULT hr = NO_ERROR;
  148. LK_RETCODE lkrc;
  150. if ( ppIisCtl == NULL )
  151. {
  152. DBG_ASSERT( FALSE );
  153. return HRESULT_FROM_WIN32( ERROR_INVALID_PARAMETER );
  154. }
  155. *ppIisCtl = NULL;
  157. if ( pszSslCtlStoreName == NULL )
  158. {
  159. //
  160. // assume default store name
  161. //
  162. pszSslCtlStoreName = L"CA";
  163. }
  165. //
  166. // First build up a Credential ID to use in looking up in our
  167. // server cert cache
  168. //
  170. pCredentialId = new CREDENTIAL_ID;
  171. if ( pCredentialId == NULL )
  172. {
  173. return HRESULT_FROM_WIN32( ERROR_OUTOFMEMORY );
  174. }
  176. hr = IIS_CTL::BuildCredentialId( pszSslCtlIdentifier,
  177. pCredentialId );
  178. if ( FAILED( hr ) )
  179. {
  180. //
  181. // Regardless of error, we are toast because we couldn't find
  182. // a server cert
  183. //
  185. delete pCredentialId;
  186. return hr;
  187. }
  189. DBG_ASSERT( sm_pIisCtlHash != NULL );
  191. lkrc = sm_pIisCtlHash->FindKey( pCredentialId,
  192. &pIisCtl );
  193. if ( lkrc == LK_SUCCESS )
  194. {
  195. //
  196. // Server already contains a credential ID
  197. //
  199. delete pCredentialId;
  201. *ppIisCtl = pIisCtl;
  203. return NO_ERROR;
  204. }
  206. //
  207. // Ok. It wasn't in our case, we need to do it there
  208. //
  209. // if IIS_CTL construction succeeds then IIS_CTL
  210. // takes ownership of pCredentialId and is responsible for freeing it
  211. //
  213. pIisCtl = new IIS_CTL( pCredentialId );
  214. if ( pIisCtl == NULL )
  215. {
  216. hr = HRESULT_FROM_WIN32( ERROR_OUTOFMEMORY );
  218. delete pCredentialId;
  220. return hr;
  221. }
  223. hr = pIisCtl->SetupIisCtl( pszSslCtlIdentifier,
  224. pszSslCtlStoreName );
  225. if ( FAILED( hr ) )
  226. {
  227. //
  228. // Server certificate owns the reference to pCredentialId now
  229. //
  231. delete pIisCtl;
  233. return hr;
  234. }
  236. //
  237. // Now try to add cert to hash.
  238. //
  240. lkrc = sm_pIisCtlHash->InsertRecord( pIisCtl );
  242. //
  243. // Ignore the error. If it didn't get added then we will naturally
  244. // clean it up on the callers dereference
  245. //
  247. *ppIisCtl = pIisCtl;
  249. return NO_ERROR;
  250. }
  252. //static
  253. HRESULT
  254. IIS_CTL::BuildCredentialId(
  255. IN WCHAR * pszSslCtlIdentifier,
  256. OUT CREDENTIAL_ID * pCredentialId
  257. )
  258. /*++
  260. Routine Description:
  262. Read the configured server cert and CTL hash. This forms the identifier
  263. for the credentials we need for this site
  265. Arguments:
  267. pszSslCtlIdentifier - CTL identifier
  268. pCredentialId - Filled with credential ID
  270. Return Value:
  272. HRESULT
  274. --*/
  275. {
  276. STACK_BUFFER( buff, 64 );
  277. HRESULT hr = NO_ERROR;
  279. if ( pCredentialId == NULL )
  280. {
  281. DBG_ASSERT( FALSE );
  282. return HRESULT_FROM_WIN32( ERROR_INVALID_PARAMETER );
  283. }
  285. if ( pszSslCtlIdentifier == NULL ||
  286. pszSslCtlIdentifier[0] == '\0' )
  287. {
  288. //
  289. // No CTL
  290. //
  292. return HRESULT_FROM_WIN32( ERROR_FILE_NOT_FOUND );
  293. }
  294. else
  295. {
  296. //
  297. // Add to our credential ID
  298. //
  300. hr = pCredentialId->Append( (BYTE*) pszSslCtlIdentifier,
  301. (DWORD) wcslen( pszSslCtlIdentifier ) * sizeof(WCHAR) );
  302. if ( FAILED( hr ) )
  303. {
  304. return hr;
  305. }
  306. }
  308. return NO_ERROR;
  309. }
  312. //private
  313. //static
  314. HRESULT
  315. IIS_CTL::SetupIisCtl(
  316. IN WCHAR * pszSslCtlIdentifier,
  317. IN WCHAR * pszSslCtlStoreName
  318. )
  319. /*++
  321. Routine Description:
  323. Build CTL context for the site based on SiteSslConfig Info
  325. Arguments:
  327. pszSslCtlIdentifier - identifies CTL
  328. pszSslCtlStoreName - store name where CTL is to be located (in the LOCAL_MACHINE context)
  332. Return Value:
  334. HRESULT
  336. --*/
  337. {
  338. HRESULT hr = E_FAIL;
  339. PCCTL_CONTEXT pCtlContext = NULL;
  340. CERT_STORE * pCertStore = NULL;
  341. STACK_STRU( strStoreName, 256 );
  344. if ( pszSslCtlIdentifier == NULL ||
  345. pszSslCtlStoreName == NULL ||
  346. pszSslCtlStoreName == L'\0' )
  348. {
  349. // CTLs not configured
  350. _pCtlContext = NULL;
  351. return S_OK;
  352. }
  354. //
  355. // First get the desired store and store it away for later!
  356. //
  358. hr = strStoreName.Copy( pszSslCtlStoreName );
  359. if ( FAILED( hr ) )
  360. {
  361. goto Finished;
  362. }
  364. hr = CERT_STORE::OpenStore( strStoreName,
  365. &pCertStore );
  366. if ( FAILED( hr ) )
  367. {
  368. goto Finished;
  369. }
  371. DBG_ASSERT( pCertStore != NULL );
  372. _pCtlStore = pCertStore;
  375. CTL_FIND_USAGE_PARA CtlFindUsagePara;
  376. ZeroMemory( &CtlFindUsagePara,
  377. sizeof(CtlFindUsagePara) );
  379. CtlFindUsagePara.cbSize = sizeof(CtlFindUsagePara);
  380. CtlFindUsagePara.ListIdentifier.cbData =
  381. ( (DWORD) wcslen( pszSslCtlIdentifier ) + 1 ) * sizeof(WCHAR);
  382. CtlFindUsagePara.ListIdentifier.pbData = (PBYTE) pszSslCtlIdentifier;
  385. //
  386. // Try to find CTL in specified store
  387. //
  388. pCtlContext = CertFindCTLInStore( _pCtlStore->QueryStore(),
  389. X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
  390. 0,
  391. CTL_FIND_USAGE,
  392. (LPVOID) &CtlFindUsagePara,
  393. NULL );
  395. if ( pCtlContext == NULL )
  396. {
  398. hr = HRESULT_FROM_WIN32( GetLastError() );
  399. goto Finished;
  401. }
  402. _pCtlContext = pCtlContext;
  403. hr = S_OK;
  405. Finished:
  406. return hr;
  408. }
  410. //static
  411. LK_PREDICATE
  412. IIS_CTL::CertStorePredicate(
  413. IN IIS_CTL * pIisCtl,
  414. IN void * pvState
  415. )
  416. /*++
  418. Description:
  420. DeleteIf() predicate used to find items which reference the
  421. CERT_STORE pointed to by pvState
  423. Arguments:
  425. pIisCtl - Server cert
  426. pvState - Points to CERT_STORE
  428. Returns:
  430. LK_PREDICATE - LKP_PERFORM indicates removing the current
  431. token from token cache
  433. LKP_NO_ACTION indicates doing nothing.
  435. --*/
  436. {
  437. LK_PREDICATE lkpAction;
  438. CERT_STORE * pCtlStore;
  440. DBG_ASSERT( pIisCtl != NULL );
  442. pCtlStore = (CERT_STORE*) pvState;
  443. DBG_ASSERT( pCtlStore != NULL );
  445. if ( pIisCtl->_pCtlStore == pCtlStore )
  446. {
  447. //
  448. // Before we delete the cert, flush any site which is referencing
  449. // it
  450. //
  452. ENDPOINT_CONFIG::FlushByIisCtl( pIisCtl );
  454. lkpAction = LKP_PERFORM;
  455. }
  456. else
  457. {
  458. lkpAction = LKP_NO_ACTION;
  459. }
  461. return lkpAction;
  462. }
  464. //static
  465. HRESULT
  466. IIS_CTL::FlushByStore(
  467. IN CERT_STORE * pCertStore
  468. )
  469. /*++
  471. Routine Description:
  473. Flush any server certs which reference the given store
  475. Arguments:
  477. pCertStore - Cert store to check
  479. Return Value:
  481. HRESULT
  483. --*/
  484. {
  485. DBG_ASSERT( sm_pIisCtlHash != NULL );
  487. sm_pIisCtlHash->DeleteIf( IIS_CTL::CertStorePredicate,
  488. pCertStore );
  490. return NO_ERROR;
  491. }
  495. HRESULT
  496. IIS_CTL::VerifyContainsCert(
  497. IN PCCERT_CONTEXT pChainTop,
  498. OUT BOOL * pfContainsCert
  499. )
  500. /*++
  502. Routine Description:
  504. Verify is CTL contains given certificate
  506. Arguments:
  508. pChainTop - top certificate of the chain to be found in CTL
  509. pfContainsCert - TRUE if contains, FALSE if it doesn't
  510. (valuse valid only if function returns SUCCESS)
  511. Return Value:
  513. HRESULT
  515. --*/
  517. {
  518. HRESULT hr = E_FAIL;
  519. const int SHA1_HASH_SIZE = 20;
  520. BYTE rgbChainTopHash[ SHA1_HASH_SIZE ];
  521. DWORD cbSize = SHA1_HASH_SIZE;
  523. if ( _pCtlContext == NULL )
  524. {
  525. //
  526. // pCTLContext could be NULL if there was failure in building
  527. // CTL context in the SITE CONFIG setup
  528. //
  529. return HRESULT_FROM_WIN32( ERROR_INVALID_PARAMETER );
  530. }
  532. //
  533. // get hash of the certificate to be verified
  534. //
  535. if ( !CertGetCertificateContextProperty( pChainTop,
  536. CERT_SHA1_HASH_PROP_ID,
  537. rgbChainTopHash,
  538. &cbSize ) )
  539. {
  540. hr = HRESULT_FROM_WIN32( GetLastError() );
  541. DBGPRINTF((DBG_CONTEXT,
  542. "Failed to get cert hash for CTL check: 0x%x\n",
  543. hr));
  544. return hr;
  545. }
  547. //
  548. // Iterate through all the cert hashes in the CTL and compare hashes
  549. //
  551. for ( DWORD dwIndex = 0; dwIndex< _pCtlContext->pCtlInfo->cCTLEntry; dwIndex++ )
  552. {
  553. CRYPT_DATA_BLOB CertInCTLHashBlob =
  554. _pCtlContext->pCtlInfo->rgCTLEntry[dwIndex].SubjectIdentifier;
  555. //
  556. // CODEWORK: checking hash size is a bit simplistic way of
  557. // verifying that SHA1 hash is used in CTL
  558. //
  559. if ( CertInCTLHashBlob.cbData != SHA1_HASH_SIZE ||
  560. CertInCTLHashBlob.pbData == NULL )
  561. {
  562. //
  563. // hash in the CTL is no SHA1 because size is different
  564. // or invalid CTL
  565. //
  566. DBG_ASSERT( FALSE );
  567. return CRYPT_E_NOT_FOUND;
  568. }
  569. if ( memcmp( CertInCTLHashBlob.pbData,
  570. rgbChainTopHash,
  571. SHA1_HASH_SIZE ) == 0 )
  572. {
  573. *pfContainsCert = TRUE;
  574. return S_OK;
  575. }
  576. }
  578. *pfContainsCert = FALSE;
  579. return S_OK;
  580. }
  582. //static
  583. VOID
  584. IIS_CTL::Cleanup(
  585. VOID
  586. )
  587. /*++
  589. Routine Description:
  591. Cleanup must be called before Terminate
  593. Arguments:
  595. none
  597. Return Value:
  599. VOID
  601. --*/
  602. {
  603. sm_pIisCtlHash->Clear();
  604. }