#ifndef _SSLCONTEXT_HXX_
#define _SSLCONTEXT_HXX_
/*++
Copyright (c) 1998 Microsoft Corporation
Module Name :
sslcontext.hxx
Abstract:
SSL stream context
Author:
Bilal Alam (BAlam) 29-March-2000
Environment:
Win32 - User Mode
Project:
Stream Filter Worker Process
--*/
// Forward declaration: this header refers to ENDPOINT_CONFIG only through
// pointers (ProcessNewConnection(), _pEndpointConfig).
class ENDPOINT_CONFIG;
//
// ASC_REQ_* request flags OR'ed together for SChannel's AcceptSecurityContext
// (the call itself is not in this header). See the SSPI documentation for
// each flag; note that ASC_REQ_ALLOCATE_MEMORY makes SSPI own the output
// buffers, which the caller must then release with FreeContextBuffer.
//
#define SSL_ASC_FLAGS ( ASC_REQ_EXTENDED_ERROR | \
ASC_REQ_SEQUENCE_DETECT | \
ASC_REQ_REPLAY_DETECT | \
ASC_REQ_CONFIDENTIALITY | \
ASC_REQ_STREAM | \
ASC_REQ_ALLOCATE_MEMORY )
// Where a connection is in the SSL handshake; SSL_STREAM_CONTEXT::_sslState
// holds one of these values.
enum SSL_STATE
{
    SSL_STATE_HANDSHAKE_START = 0,
    SSL_STATE_HANDSHAKE_IN_PROGRESS,
    SSL_STATE_HANDSHAKE_COMPLETE
};
// Bit flags (0x1 / 0x2). Neither is referenced anywhere else in this header,
// so any consumer lives elsewhere.
#define SSL_CONTEXT_FLAG_SYNC 0x1
#define SSL_CONTEXT_FLAG_ASYNC 0x2
// Registry value name behind SSL_STREAM_CONTEXT::sm_fCertChainCacheOnlyUrlRetrieval:
// whether CertGetCertificateChain may fetch intermediate certificates off the
// network. Where the value is read is not visible in this header.
#define SZ_REG_CERT_CHAIN_CACHE_ONLY_URL_RETRIEVAL L"CertChainCacheOnlyUrlRetrieval"
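class SSL_STREAM_CONTEXT : public STREAM_CONTEXT
/*++
Class Description:

    Per-connection SSL state for the stream filter. Holds the SChannel
    security context (_hContext) negotiated for one connection, the
    handshake state (_sslState), the bookkeeping for how much of the raw
    incoming buffer has already been decrypted, and the SSL and
    client-certificate information structures (_ulSslInfo, _ulCertInfo).

    Instances are carved out of a class-wide lookaside
    (sm_pachSslStreamContexts). operator new asserts that the lookaside
    exists, so Initialize() presumably creates it and Terminate() releases
    it -- confirm in the .cxx. Most member functions are only declared
    here; the notes on them below are taken from the declarations and from
    the comments the original header carried.
--*/
{
public:

    SSL_STREAM_CONTEXT(
        FILTER_CHANNEL_CONTEXT * pFiltChannelContext
    );

    virtual ~SSL_STREAM_CONTEXT();

    //
    // Class-specific allocation through the lookaside instead of the CRT
    // heap. The size assert catches a larger type being allocated through
    // this operator (the cache hands out fixed-size blocks). If Alloc()
    // can fail, this returns NULL, so callers of new must check the result.
    //
    VOID *
    operator new(
        size_t size
    )
    {
        UNREFERENCED_PARAMETER( size );
        DBG_ASSERT( size == sizeof( SSL_STREAM_CONTEXT ) );
        DBG_ASSERT( sm_pachSslStreamContexts != NULL );
        return sm_pachSslStreamContexts->Alloc();
    }

    //
    // Returns the block to the lookaside. DBG_REQUIRE rather than
    // DBG_ASSERT is presumably what keeps Free() evaluated in retail
    // builds -- confirm against the macro definition.
    //
    VOID
    operator delete(
        VOID * pSslStreamContext
    )
    {
        DBG_ASSERT( pSslStreamContext != NULL );
        DBG_ASSERT( sm_pachSslStreamContexts != NULL );
        DBG_REQUIRE( sm_pachSslStreamContexts->Free( pSslStreamContext ) );
    }

    //
    // Class-wide setup and teardown. INIT_STATE below lists the stages
    // Initialize() records in s_InitState.
    //
    static
    HRESULT
    Initialize(
        VOID
    );

    static
    VOID
    Terminate(
        VOID
    );

    //
    // STREAM_CONTEXT entry points for the raw bytes read from / written to
    // the connection. pfReadMore and pfComplete are BOOL out-parameters
    // whose exact semantics are set in the .cxx (the names suggest "need
    // more data before progress is possible" and "this buffer has been
    // fully processed" -- confirm there).
    //
    HRESULT
    ProcessRawReadData(
        RAW_STREAM_INFO * pRawStreamInfo,
        BOOL * pfReadMore,
        BOOL * pfComplete
    );

    HRESULT
    ProcessRawWriteData(
        RAW_STREAM_INFO * pRawStreamInfo,
        BOOL * pfComplete
    );

    //
    // Binds this context to a new connection and to the endpoint's SSL
    // configuration (presumably what _pEndpointConfig ends up pointing at
    // -- confirm in the .cxx).
    //
    HRESULT
    ProcessNewConnection(
        CONNECTION_INFO * pConnectionInfo,
        ENDPOINT_CONFIG * pEndpointConfig
    );

    HRESULT
    SendDataBack(
        RAW_STREAM_INFO * pRawStreamInfo
    );

private:

    BOOL
    QueryNeedsExtraWorkerThread(
        VOID
    )
    /*++
    Routine Description:

        Shared predicate for ConditionalAddWorkerThread() and
        ConditionalRemoveWorkerThread(), so both sides of the soft
        thread-limit bump use a single definition of "this handshake may
        block the worker thread": the endpoint's server certificate lives
        on a hardware accelerator, or the endpoint uses the DS mapper.

    Arguments:

        None

    Return Value:

        TRUE if AcceptSecurityContext on this endpoint may block the worker
        thread, FALSE otherwise

    --*/
    {
        DBG_ASSERT( _pEndpointConfig != NULL );
        DBG_ASSERT( _pEndpointConfig->QueryServerCert() );

        return _pEndpointConfig->QueryServerCert()->QueryUsesHardwareAccelerator() ||
               _pEndpointConfig->QueryUseDSMapper();
    }

    VOID
    ConditionalAddWorkerThread(
        VOID
    )
    /*++
    Routine Description:

        AcceptSecurityContext is always a synchronous call. If a hardware
        accelerator is used, the worker thread blocks inside
        AcceptSecurityContext waiting for the accelerator while doing
        nothing; with too few worker threads around to handle SSL that
        shows up as low CPU usage. AcceptSecurityContext will not gain
        async support any time soon, so the only lever is to bump the soft
        thread limit by one before calling it and bump it back down on
        completion. Using the DS mapper may delay AcceptSecurityContext in
        the same way if a remote DC is accessed.

        Must be paired with ConditionalRemoveWorkerThread(). Both consult
        QueryNeedsExtraWorkerThread(), so the pairing relies on the
        endpoint configuration not changing between the two calls.

    Arguments:

        None

    Return Value:

        None

    --*/
    {
        if ( QueryNeedsExtraWorkerThread() )
        {
            QueryFiltChannelContext()->AddWorkerThread();
        }
    }

    VOID
    ConditionalRemoveWorkerThread(
        VOID
    )
    /*++
    Routine Description:

        Undoes ConditionalAddWorkerThread(): drops the soft thread limit
        again once the blocking AcceptSecurityContext call has completed.
        See ConditionalAddWorkerThread() for why the limit is bumped.

    Arguments:

        None

    Return Value:

        None

    --*/
    {
        if ( QueryNeedsExtraWorkerThread() )
        {
            QueryFiltChannelContext()->RemoveWorkerThread();
        }
    }

    //
    // Handshake, renegotiation and record processing; all defined in the
    // .cxx. pfExtraData on DoHandshake()/DoDecrypt() is a BOOL
    // out-parameter (the name suggests "bytes beyond the consumed record
    // remain in the buffer" -- confirm).
    //
    CredHandle *
    QueryCredentials(
        VOID
    );

    HRESULT
    DoHandshakeCompleted(
        VOID
    );

    HRESULT
    DoHandshake(
        RAW_STREAM_INFO * pRawStreamInfo,
        BOOL * pfReadMore,
        BOOL * pfComplete,
        BOOL * pfExtraData
    );

    HRESULT
    RetrieveClientCertAndToken(
        VOID
    );

    HRESULT
    DoRenegotiate(
        VOID
    );

    HRESULT
    DoDecrypt(
        RAW_STREAM_INFO * pRawStreamInfo,
        BOOL * pfReadMore,
        BOOL * pfComplete,
        BOOL * pfExtraData
    );

    HRESULT
    DoEncrypt(
        RAW_STREAM_INFO * pRawStreamInfo,
        BOOL * pfComplete
    );

    //
    // Populate _ulSslInfo / _ulCertInfo, and emit debug output for a
    // certificate chain policy result (dwPolicyStatus).
    //
    HRESULT
    BuildSslInfo(
        VOID
    );

    VOID
    DumpCertDebugInfo(
        DWORD dwPolicyStatus
    );

    HRESULT
    BuildClientCertInfo(
        VOID
    );

private:

    //
    // Completion routine for the raw write issued during the handshake.
    // Static because it is handed out as a callback; pParam is presumably
    // the context itself -- confirm in the .cxx.
    //
    static
    HRESULT
    OnHandshakeRawWriteCompletion(
        PVOID pParam
    );

    //
    // Stages of class-wide Initialize(), recorded in s_InitState
    // (presumably so that Terminate() only undoes what was set up --
    // confirm).
    //
    enum INIT_STATE {
        INIT_NONE,
        INIT_CERT_STORE,
        INIT_SERVER_CERT,
        INIT_IIS_CTL,
        INIT_SITE_CREDENTIALS,
        INIT_ENDPOINT_CONFIG,
        INIT_ACACHE
    };

    // initialization state
    static enum INIT_STATE s_InitState;

    // Endpoint (IP:Port based) SSL configuration
    ENDPOINT_CONFIG * _pEndpointConfig;

    // The state of the handshake
    SSL_STATE _sslState;

    // Handshake state information
    // Stream sizes (as retrieved from QueryContextAttributes(SECPKG_ATTR_STREAM_SIZES))
    DWORD _cbHeader;
    DWORD _cbTrailer;
    DWORD _cbBlockSize;
    DWORD _cbMaximumMessage;

    // Offset into the raw buffer of the incoming stream at which the data
    // not yet processed starts. _cbToBeProcessedOffset is often equal to
    // _cbDecrypted, but there are cases where they differ; see DoDecrypt()
    // for an example.
    DWORD _cbToBeProcessedOffset;

    // Number of bytes in the raw data buffer of the incoming stream
    // that were already processed (decrypted)
    DWORD _cbDecrypted;

    // SSL Security Context Handle
    CtxtHandle _hContext;

    // Flag if _hContext is valid
    BOOL _fValidContext;

    // Flag that the application requested cert mapping. Mostly legacy:
    // IIS certificate mappings are done in IIS by the worker process, and
    // DS mappings happen once they are enabled on the endpoint.
    BOOL _fDoCertMap;

    // Flag that client certificate renegotiation was started by the server.
    // Note: this flag does not uniquely indicate that client certificates
    // are negotiated; they are also negotiated when client certificates
    // are enabled at site level.
    BOOL _fRenegotiate;

    // Client data is allowed to drive a renegotiation only while this flag
    // is already set, so an unsolicited client-triggered renegotiation is
    // not honored.
    BOOL _fExpectRenegotiationFromClient;

    // SSL information (not related to client certificates)
    HTTP_SSL_INFO _ulSslInfo;

    // SSL client certificate related info (including mapped tokens)
    HTTP_SSL_CLIENT_CERT_INFO _ulCertInfo;

    // Client Certificate context negotiated for the connection
    PCCERT_CONTEXT _pClientCert;

    // NOTE(review): the original header carried a truncated comment here
    // ("If active directory mapping is enabled and handshake") with no
    // member following it; the DS-mapping switch this header actually
    // consults is ENDPOINT_CONFIG::QueryUseDSMapper().

    // Lookaside
    static ALLOC_CACHE_HANDLER * sm_pachSslStreamContexts;

    // Flag for CertGetCertificateChain: whether intermediate certificates
    // for chain building may be retrieved off the network. Cache-only is
    // the default because going to the network is not a safe -- although
    // convenient -- alternative. Configured through the
    // SZ_REG_CERT_CHAIN_CACHE_ONLY_URL_RETRIEVAL registry value, presumably
    // read in Initialize() -- confirm.
    static BOOL sm_fCertChainCacheOnlyUrlRetrieval;
};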
#endif