archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2 Commits
1 Branch
0 Tags
1.5 GiB
Tree: 7b07a90fc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '7b07a90fc1'
${ noResults }
windows-server-2003/inetsrv/iis/iisrearc/iisplus/sfwp/dll/sslcontext.hxx

331 lines
9.4 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. #ifndef _SSLCONTEXT_HXX_
  2. #define _SSLCONTEXT_HXX_
  4. /*++
  6. Copyright (c) 1998 Microsoft Corporation
  8. Module Name :
  9. sslcontext.hxx
  11. Abstract:
  12. SSL stream context
  14. Author:
  15. Bilal Alam (BAlam) 29-March-2000
  17. Environment:
  18. Win32 - User Mode
  20. Project:
  21. Stream Filter Worker Process
  22. --*/
  24. class ENDPOINT_CONFIG;
  26. #define SSL_ASC_FLAGS ( ASC_REQ_EXTENDED_ERROR | \
  27. ASC_REQ_SEQUENCE_DETECT | \
  28. ASC_REQ_REPLAY_DETECT | \
  29. ASC_REQ_CONFIDENTIALITY | \
  30. ASC_REQ_STREAM | \
  31. ASC_REQ_ALLOCATE_MEMORY )
  33. enum SSL_STATE
  34. {
  35. SSL_STATE_HANDSHAKE_START = 0,
  36. SSL_STATE_HANDSHAKE_IN_PROGRESS,
  37. SSL_STATE_HANDSHAKE_COMPLETE
  38. };
  40. #define SSL_CONTEXT_FLAG_SYNC 0x1
  41. #define SSL_CONTEXT_FLAG_ASYNC 0x2
  43. #define SZ_REG_CERT_CHAIN_CACHE_ONLY_URL_RETRIEVAL L"CertChainCacheOnlyUrlRetrieval"
  45. class SSL_STREAM_CONTEXT : public STREAM_CONTEXT
  46. {
  47. public:
  49. SSL_STREAM_CONTEXT(
  50. FILTER_CHANNEL_CONTEXT * pFiltChannelContext
  51. );
  53. virtual ~SSL_STREAM_CONTEXT();
  55. VOID *
  56. operator new(
  57. size_t size
  58. )
  59. {
  60. UNREFERENCED_PARAMETER( size );
  61. DBG_ASSERT( size == sizeof( SSL_STREAM_CONTEXT ) );
  62. DBG_ASSERT( sm_pachSslStreamContexts != NULL );
  63. return sm_pachSslStreamContexts->Alloc();
  64. }
  66. VOID
  67. operator delete(
  68. VOID * pSslStreamContext
  69. )
  70. {
  71. DBG_ASSERT( pSslStreamContext != NULL );
  72. DBG_ASSERT( sm_pachSslStreamContexts != NULL );
  74. DBG_REQUIRE( sm_pachSslStreamContexts->Free( pSslStreamContext ) );
  75. }
  77. static
  78. HRESULT
  79. Initialize(
  80. VOID
  81. );
  83. static
  84. VOID
  85. Terminate(
  86. VOID
  87. );
  89. HRESULT
  90. ProcessRawReadData(
  91. RAW_STREAM_INFO * pRawStreamInfo,
  92. BOOL * pfReadMore,
  93. BOOL * pfComplete
  94. );
  96. HRESULT
  97. ProcessRawWriteData(
  98. RAW_STREAM_INFO * pRawStreamInfo,
  99. BOOL * pfComplete
  100. );
  102. HRESULT
  103. ProcessNewConnection(
  104. CONNECTION_INFO * pConnectionInfo,
  105. ENDPOINT_CONFIG * pEndpointConfig
  106. );
  108. HRESULT
  109. SendDataBack(
  110. RAW_STREAM_INFO * pRawStreamInfo
  111. );
  114. private:
  116. VOID
  117. ConditionalAddWorkerThread(
  118. VOID
  119. )
  120. /*++
  122. Routine Description:
  124. AcceptSecurityContext is always synchronous call
  125. If hardware accelerator is used then during AcceptSecurityContext call
  126. our worker thread will get blocked waiting for accelerator to complete
  127. while doing nothing. That may lead to low CPU because of the blocking
  128. not enough worker threads is around to handle SSL.
  129. AcceptSecurityContext will not have async support any time soon so the
  130. only thing we can do to improve performance is to bump up the soft thread limit
  131. by one before calling AcceptSecurityContext and bumping it down on completion
  133. Also using DS mapper may cause delays on AcceptSecurityContext calls
  134. if remote DC is accessed
  136. Arguments:
  138. None
  140. Return Value:
  142. none
  144. --*/
  146. {
  147. DBG_ASSERT( _pEndpointConfig != NULL );
  149. DBG_ASSERT( _pEndpointConfig->QueryServerCert() );
  150. if ( _pEndpointConfig->QueryServerCert()->QueryUsesHardwareAccelerator() ||
  151. _pEndpointConfig->QueryUseDSMapper() )
  152. {
  153. QueryFiltChannelContext()->AddWorkerThread();
  154. }
  155. }
  157. VOID
  158. ConditionalRemoveWorkerThread(
  159. VOID
  160. )
  161. /*++
  163. Routine Description:
  165. AcceptSecurityContext is always synchronous call
  166. If hardware accelerator is used then during AcceptSecurityContext call
  167. our worker thread will get blocked waiting for accelerator to complete
  168. while doing nothing. That may lead to low CPU because of the blocking
  169. not enough worker threads is around to handle SSL.
  170. AcceptSecurityContext will not have async support any time soon so the
  171. only thing we can do to improve performance is to bump up the soft thread limit
  172. by one before calling AcceptSecurityContext and bumping it down on completion
  174. Also using DS mapper may cause delays on AcceptSecurityContext calls
  175. if remote DC is accessed
  177. Arguments:
  179. None
  181. Return Value:
  183. none
  185. --*/
  186. {
  187. DBG_ASSERT( _pEndpointConfig != NULL );
  189. DBG_ASSERT( _pEndpointConfig->QueryServerCert() );
  190. if ( _pEndpointConfig->QueryServerCert()->QueryUsesHardwareAccelerator() ||
  191. _pEndpointConfig->QueryUseDSMapper() )
  192. {
  193. QueryFiltChannelContext()->RemoveWorkerThread();
  194. }
  195. }
  198. CredHandle *
  199. QueryCredentials(
  200. VOID
  201. );
  203. HRESULT
  204. DoHandshakeCompleted(
  205. VOID
  206. );
  208. HRESULT
  209. DoHandshake(
  210. RAW_STREAM_INFO * pRawStreamInfo,
  211. BOOL * pfReadMore,
  212. BOOL * pfComplete,
  213. BOOL * pfExtraData
  214. );
  216. HRESULT
  217. RetrieveClientCertAndToken(
  218. VOID
  219. );
  221. HRESULT
  222. DoRenegotiate(
  223. VOID
  224. );
  226. HRESULT
  227. DoDecrypt(
  228. RAW_STREAM_INFO * pRawStreamInfo,
  229. BOOL * pfReadMore,
  230. BOOL * pfComplete,
  231. BOOL * pfExtraData
  232. );
  234. HRESULT
  235. DoEncrypt(
  236. RAW_STREAM_INFO * pRawStreamInfo,
  237. BOOL * pfComplete
  238. );
  240. HRESULT
  241. BuildSslInfo(
  242. VOID
  243. );
  245. VOID
  246. DumpCertDebugInfo(
  247. DWORD dwPolicyStatus
  248. );
  250. HRESULT
  251. BuildClientCertInfo(
  252. VOID
  253. );
  255. private:
  257. static
  258. HRESULT
  259. OnHandshakeRawWriteCompletion(
  260. PVOID pParam
  261. );
  263. enum INIT_STATE {
  264. INIT_NONE,
  265. INIT_CERT_STORE,
  266. INIT_SERVER_CERT,
  267. INIT_IIS_CTL,
  268. INIT_SITE_CREDENTIALS,
  269. INIT_ENDPOINT_CONFIG,
  270. INIT_ACACHE
  271. };
  273. // initialization state
  274. static enum INIT_STATE s_InitState;
  275. // Endpoint (IP:Port based) SSL configuration
  276. ENDPOINT_CONFIG * _pEndpointConfig;
  277. // The state of the handshake
  278. SSL_STATE _sslState;
  279. // Handshake state information
  280. // Stream sizes (as retrieved from QueryContextAttributes(SECPKG_ATTR_STREAM_SIZES)
  281. DWORD _cbHeader;
  282. DWORD _cbTrailer;
  283. DWORD _cbBlockSize;
  284. DWORD _cbMaximumMessage;
  285. // offset to the raw buffer of the incoming stream
  286. // where the data not processed yet starts
  287. // _cbToBeProcessedOffset is often equal to _cbDecrypted
  288. // but there are cases when they differ
  289. // See DoDecrypt() for example of difference in value
  290. DWORD _cbToBeProcessedOffset;
  291. // number of bytes in the raw data buffer on the incoming stream
  292. // that were already processed (decrypted)
  293. DWORD _cbDecrypted;
  295. // SSL Security Context Handle
  296. CtxtHandle _hContext;
  297. // Flag if hContext is valid
  298. BOOL _fValidContext;
  299. // Flag that application requested cert mapping
  300. // this flag is mostly legacy because IIS certificate
  301. // mapping are done in IIS by worker process and
  302. // DS mappings happen once they are enabled on endpoint
  303. BOOL _fDoCertMap;
  304. // Flag that client certificate renegotiation was started by server
  305. // Note: This flag doesn't uniquely indicate that client
  306. // certificates are negotiated. They are negotiated
  307. // also when client certificates are enabled on site level
  308. BOOL _fRenegotiate;
  309. // _fExpectRenegotiationFromClient flag will be used to eliminate
  310. // client triggered renegotiation by enabling client data to cause
  311. // renegotiation only if fExpectRenegotiationFromClient is already set
  312. BOOL _fExpectRenegotiationFromClient;
  313. // SSL information (not related to client certificates)
  314. HTTP_SSL_INFO _ulSslInfo;
  315. // SSL client certificate related info (including mapped tokens)
  316. HTTP_SSL_CLIENT_CERT_INFO _ulCertInfo;
  317. // Client Certificate context negotiated for connection
  318. PCCERT_CONTEXT _pClientCert;
  319. // If active directory mapping is enabled and handshake
  321. // Lookaside
  322. static ALLOC_CACHE_HANDLER * sm_pachSslStreamContexts;
  323. // flag for CertGetCertificateChain whether intermediate certificates
  324. // for the cert chain building can be retrieved of the network
  325. // (cache only is set by default because going the the network is not
  326. // a safe - although convenient - alternative)
  327. static BOOL sm_fCertChainCacheOnlyUrlRetrieval;
  329. };
  331. #endif