PR: 1868

[oweals/openssl.git] / engines / e_capi.c
diff --git a/engines/e_capi.c b/engines/e_capi.c

index f641c4e713ca2c5b099c7824558922bbbd049885..e98946c85a0a288c8ac925db665785f980bc32fe 100644 (file)
--- a/engines/e_capi.c
+++ b/engines/e_capi.c
@@ -56,21 +56,37 @@
  #include <string.h>
  #include <openssl/crypto.h>
  #include <openssl/buffer.h>
-#include <openssl/engine.h>
  #include <openssl/rsa.h>
  #include <openssl/bn.h>
-#include <openssl/pem.h>
  
  #ifdef OPENSSL_SYS_WIN32
  #ifndef OPENSSL_NO_CAPIENG
  
+
+#include <windows.h>
+
  #ifndef _WIN32_WINNT
-#define _WIN32_WINNT 0x400
+#define _WIN32_WINNT 0x0400
  #endif
  
-#include <windows.h>
  #include <wincrypt.h>
  
+#undef X509_EXTENSIONS
+#undef X509_CERT_PAIR
+
+/* Definitions which may be missing from earlier version of headers */
+#ifndef CERT_STORE_OPEN_EXISTING_FLAG
+#define CERT_STORE_OPEN_EXISTING_FLAG                   0x00004000
+#endif
+
+#ifndef CERT_STORE_CREATE_NEW_FLAG
+#define CERT_STORE_CREATE_NEW_FLAG                      0x00002000
+#endif
+
+#include <openssl/engine.h>
+#include <openssl/pem.h>
+#include <openssl/x509v3.h>
+
  #include "e_capi_err.h"
  #include "e_capi_err.c"
  
@@ -105,6 +121,24 @@ static int capi_rsa_priv_dec(int flen, const unsigned char *from,
                  unsigned char *to, RSA *rsa, int padding);
  static int capi_rsa_free(RSA *rsa);
  
+static DSA_SIG *capi_dsa_do_sign(const unsigned char *digest, int dlen,
+                                                       DSA *dsa);
+static int capi_dsa_free(DSA *dsa);
+
+static int capi_load_ssl_client_cert(ENGINE *e, SSL *ssl,
+       STACK_OF(X509_NAME) *ca_dn, X509 **pcert, EVP_PKEY **pkey,
+       STACK_OF(X509) **pother, UI_METHOD *ui_method, void *callback_data);
+
+static int cert_select_simple(ENGINE *e, SSL *ssl, STACK_OF(X509) *certs);
+#ifdef OPENSSL_CAPIENG_DIALOG
+static int cert_select_dialog(ENGINE *e, SSL *ssl, STACK_OF(X509) *certs);
+#endif
+
+typedef PCCERT_CONTEXT (WINAPI *CERTDLG)(HCERTSTORE, HWND, LPCWSTR,
+                                               LPCWSTR, DWORD, DWORD,
+                                               void *);
+typedef HWND (WINAPI *GETCONSWIN)(void);
+
  /* This structure contains CAPI ENGINE specific data:
   * it contains various global options and affects how
   * other functions behave.
@@ -122,6 +156,9 @@ struct CAPI_CTX_st {
         DWORD csptype;
         /* Certificate store name to use */
         LPTSTR storename;
+       LPTSTR ssl_client_store;
+       /* System store flags */
+       DWORD store_flags;
  
  /* Lookup string meanings in load_private_key */
  /* Substring of subject: uses "storename" */
@@ -146,6 +183,10 @@ struct CAPI_CTX_st {
  #define CAPI_DMP_PKEYINFO      0x20
  
         DWORD dump_flags;
+       int (*client_cert_select)(ENGINE *e, SSL *ssl, STACK_OF(X509) *certs);
+
+       CERTDLG certselectdlg;
+       GETCONSWIN getconswindow;
  };
  
  
@@ -154,18 +195,20 @@ static void capi_ctx_free(CAPI_CTX *ctx);
  static int capi_ctx_set_provname(CAPI_CTX *ctx, LPSTR pname, DWORD type, int check);
  static int capi_ctx_set_provname_idx(CAPI_CTX *ctx, int idx);
  
-#define CAPI_CMD_LIST_CERTS                    ENGINE_CMD_BASE
+#define CAPI_CMD_LIST_CERTS            ENGINE_CMD_BASE
  #define CAPI_CMD_LOOKUP_CERT           (ENGINE_CMD_BASE + 1)
  #define CAPI_CMD_DEBUG_LEVEL           (ENGINE_CMD_BASE + 2)
-#define CAPI_CMD_DEBUG_FILE                    (ENGINE_CMD_BASE + 3)
-#define CAPI_CMD_KEYTYPE                       (ENGINE_CMD_BASE + 4)
-#define CAPI_CMD_LIST_CSPS                     (ENGINE_CMD_BASE + 5)
+#define CAPI_CMD_DEBUG_FILE            (ENGINE_CMD_BASE + 3)
+#define CAPI_CMD_KEYTYPE               (ENGINE_CMD_BASE + 4)
+#define CAPI_CMD_LIST_CSPS             (ENGINE_CMD_BASE + 5)
  #define CAPI_CMD_SET_CSP_IDX           (ENGINE_CMD_BASE + 6)
  #define CAPI_CMD_SET_CSP_NAME          (ENGINE_CMD_BASE + 7)
  #define CAPI_CMD_SET_CSP_TYPE          (ENGINE_CMD_BASE + 8)
  #define CAPI_CMD_LIST_CONTAINERS       (ENGINE_CMD_BASE + 9)
  #define CAPI_CMD_LIST_OPTIONS          (ENGINE_CMD_BASE + 10)
  #define CAPI_CMD_LOOKUP_METHOD         (ENGINE_CMD_BASE + 11)
+#define CAPI_CMD_STORE_NAME            (ENGINE_CMD_BASE + 12)
+#define CAPI_CMD_STORE_FLAGS           (ENGINE_CMD_BASE + 13)
  
  static const ENGINE_CMD_DEFN capi_cmd_defns[] = {
         {CAPI_CMD_LIST_CERTS,
@@ -217,6 +260,14 @@ static const ENGINE_CMD_DEFN capi_cmd_defns[] = {
                 "lookup_method",
                 "Set key lookup method (1=substring, 2=friendlyname, 3=container name)",
                 ENGINE_CMD_FLAG_NUMERIC},
+       {CAPI_CMD_STORE_NAME,
+               "store_name",
+               "certificate store name, default \"MY\"",
+               ENGINE_CMD_FLAG_STRING},
+       {CAPI_CMD_STORE_FLAGS,
+               "store_flags",
+               "Certificate store flags: 1 = system store",
+               ENGINE_CMD_FLAG_NUMERIC},
  
         {0, NULL, NULL, 0}
         };
@@ -224,9 +275,10 @@ static const ENGINE_CMD_DEFN capi_cmd_defns[] = {
  static int capi_idx = -1;
  static int rsa_capi_idx = -1;
  static int dsa_capi_idx = -1;
+static int cert_capi_idx = -1;
  
  static int capi_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void))
-{
+       {
         int ret = 1;
         CAPI_CTX *ctx;
         BIO *out;
@@ -255,6 +307,27 @@ static int capi_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void))
                 ret = capi_list_containers(ctx, out);
                 break;
  
+               case CAPI_CMD_STORE_NAME:
+               if (ctx->storename)
+                       OPENSSL_free(ctx->storename);
+               ctx->storename = BUF_strdup(p);
+               CAPI_trace(ctx, "Setting store name to %s\n", p);
+               break;
+
+               case CAPI_CMD_STORE_FLAGS:
+               if (i & 1)
+                       {
+                       ctx->store_flags |= CERT_SYSTEM_STORE_LOCAL_MACHINE;
+                       ctx->store_flags &= ~CERT_SYSTEM_STORE_CURRENT_USER;
+                       }
+               else
+                       {
+                       ctx->store_flags |= CERT_SYSTEM_STORE_CURRENT_USER;
+                       ctx->store_flags &= ~CERT_SYSTEM_STORE_LOCAL_MACHINE;
+                       }
+               CAPI_trace(ctx, "Setting flags to %d\n", i);
+               break;
+
                 case CAPI_CMD_DEBUG_LEVEL:
                 ctx->debug_level = (int)i;
                 CAPI_trace(ctx, "Setting debug level to %d\n", ctx->debug_level);
@@ -303,45 +376,48 @@ static int capi_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void))
         BIO_free(out);
         return ret;
  
-}
+       }
  
  static RSA_METHOD capi_rsa_method =
         {
         "CryptoAPI RSA method",
         0,                              /* pub_enc */
         0,                              /* pub_dec */
-       capi_rsa_priv_enc,      /* priv_enc */
-       capi_rsa_priv_dec,      /* priv_dec */
+       capi_rsa_priv_enc,              /* priv_enc */
+       capi_rsa_priv_dec,              /* priv_dec */
         0,                              /* rsa_mod_exp */
         0,                              /* bn_mod_exp */
         0,                              /* init */
-       capi_rsa_free,  /* finish */
-       RSA_FLAG_SIGN_VER, /* flags */
-       NULL,                   /* app_data */
-       capi_rsa_sign,  /* rsa_sign */
+       capi_rsa_free,                  /* finish */
+       RSA_FLAG_SIGN_VER,              /* flags */
+       NULL,                           /* app_data */
+       capi_rsa_sign,                  /* rsa_sign */
         0                               /* rsa_verify */
         };
  
-static void capi_ex_free(void *obj, void *item, CRYPTO_EX_DATA *ad,
-        int ind,long argl, void *argp)
+static DSA_METHOD capi_dsa_method =
         {
-/*fprintf(stderr, "Called capi_ex_free obj=%lx, idx=%d, item=%lx\n", obj, ind, item);*/
-       capi_ctx_free(item);
-       }
-
-static void capi_rsa_ex_free(void *obj, void *item, CRYPTO_EX_DATA *ad,
-        int ind,long argl, void *argp)
-       {
-/*fprintf(stderr, "Called capi_rsa_free_key\n");*/
-
-       capi_free_key(item);
-       }
+       "CryptoAPI DSA method",
+       capi_dsa_do_sign,               /* dsa_do_sign */
+       0,                              /* dsa_sign_setup */
+       0,                              /* dsa_do_verify */
+       0,                              /* dsa_mod_exp */
+       0,                              /* bn_mod_exp */
+       0,                              /* init */
+       capi_dsa_free,                  /* finish */
+       0,                              /* flags */
+       NULL,                           /* app_data */
+       0,                              /* dsa_paramgen */
+       0                               /* dsa_keygen */
+       };
  
  static int capi_init(ENGINE *e)
         {
         CAPI_CTX *ctx;
-       const RSA_METHOD *ossl_meth;
-       capi_idx = ENGINE_get_ex_new_index(0, NULL, NULL, NULL, /*capi_ex_free*/ 0);
+       const RSA_METHOD *ossl_rsa_meth;
+       const DSA_METHOD *ossl_dsa_meth;
+       capi_idx = ENGINE_get_ex_new_index(0, NULL, NULL, NULL, 0);
+       cert_capi_idx = X509_get_ex_new_index(0, NULL, NULL, NULL, 0);
  
         ctx = capi_ctx_new();
         if (!ctx || (capi_idx < 0))
@@ -349,13 +425,33 @@ static int capi_init(ENGINE *e)
  
         ENGINE_set_ex_data(e, capi_idx, ctx);
         /* Setup RSA_METHOD */
-       rsa_capi_idx = RSA_get_ex_new_index(0, NULL, NULL, NULL, /*capi_rsa_ex_free*/ 0);
-       dsa_capi_idx = DSA_get_ex_new_index(0, NULL, NULL, NULL, /*capi_rsa_ex_free*/ 0);
-       ossl_meth = RSA_PKCS1_SSLeay();
-       capi_rsa_method.rsa_pub_enc = ossl_meth->rsa_pub_enc;
-       capi_rsa_method.rsa_pub_dec = ossl_meth->rsa_pub_dec;
-       capi_rsa_method.rsa_mod_exp = ossl_meth->rsa_mod_exp;
-       capi_rsa_method.bn_mod_exp = ossl_meth->bn_mod_exp;
+       rsa_capi_idx = RSA_get_ex_new_index(0, NULL, NULL, NULL, 0);
+       ossl_rsa_meth = RSA_PKCS1_SSLeay();
+       capi_rsa_method.rsa_pub_enc = ossl_rsa_meth->rsa_pub_enc;
+       capi_rsa_method.rsa_pub_dec = ossl_rsa_meth->rsa_pub_dec;
+       capi_rsa_method.rsa_mod_exp = ossl_rsa_meth->rsa_mod_exp;
+       capi_rsa_method.bn_mod_exp = ossl_rsa_meth->bn_mod_exp;
+
+       /* Setup DSA Method */
+       dsa_capi_idx = DSA_get_ex_new_index(0, NULL, NULL, NULL, 0);
+       ossl_dsa_meth = DSA_OpenSSL();
+       capi_dsa_method.dsa_do_verify = ossl_dsa_meth->dsa_do_verify;
+       capi_dsa_method.dsa_mod_exp = ossl_dsa_meth->dsa_mod_exp;
+       capi_dsa_method.bn_mod_exp = ossl_dsa_meth->bn_mod_exp;
+
+#ifdef OPENSSL_CAPIENG_DIALOG
+       {
+       HMODULE cryptui = LoadLibrary(TEXT("CRYPTUI.DLL"));
+       HMODULE kernel = LoadLibrary(TEXT("KERNEL32.DLL"));
+       if (cryptui)
+               ctx->certselectdlg = (CERTDLG)GetProcAddress(cryptui, "CryptUIDlgSelectCertificateFromStore");
+       if (kernel)
+               ctx->getconswindow = (GETCONSWIN)GetProcAddress(kernel, "GetConsoleWindow");
+       if (cryptui && !OPENSSL_isservice())
+               ctx->client_cert_select = cert_select_dialog;
+       }
+#endif
+               
  
         return 1;
  
@@ -368,7 +464,6 @@ static int capi_init(ENGINE *e)
  
  static int capi_destroy(ENGINE *e)
         {
-
         ERR_unload_CAPI_strings();
         return 1;
         }
@@ -390,8 +485,11 @@ static int capi_finish(ENGINE *e)
  
  struct CAPI_KEY_st
         {
+       /* Associated certificate context (if any) */
+       PCCERT_CONTEXT pcert;
         HCRYPTPROV hprov;
         HCRYPTKEY key;
+       DWORD keyspec;
         };
  
  static int bind_capi(ENGINE *e)
@@ -402,7 +500,10 @@ static int bind_capi(ENGINE *e)
                 || !ENGINE_set_finish_function(e, capi_finish)
                 || !ENGINE_set_destroy_function(e, capi_destroy)
                 || !ENGINE_set_RSA(e, &capi_rsa_method)
+               || !ENGINE_set_DSA(e, &capi_dsa_method)
                 || !ENGINE_set_load_privkey_function(e, capi_load_privkey)
+               || !ENGINE_set_load_ssl_client_cert_function(e,
+                                               capi_load_ssl_client_cert)
                 || !ENGINE_set_cmd_defns(e, capi_cmd_defns)
                 || !ENGINE_set_ctrl_function(e, capi_ctrl))
                         return 0;
@@ -469,34 +570,19 @@ static int lend_tobn(BIGNUM *bn, unsigned char *bin, int binlen)
         return 1;
         }
  
-static EVP_PKEY *capi_load_privkey(ENGINE *eng, const char *key_id,
-       UI_METHOD *ui_method, void *callback_data)
+/* Given a CAPI_KEY get an EVP_PKEY structure */
+
+static EVP_PKEY *capi_get_pkey(ENGINE *eng, CAPI_KEY *key)
         {
-       EVP_PKEY *ret = NULL;
-       CAPI_CTX *ctx;
-       CAPI_KEY *key;
         unsigned char *pubkey = NULL;
         DWORD len;
         BLOBHEADER *bh;
         RSA *rkey = NULL;
         DSA *dkey = NULL;
-       ctx = ENGINE_get_ex_data(eng, capi_idx);
-
-       if (!ctx)
-               {
-               CAPIerr(CAPI_F_CAPI_LOAD_PRIVKEY, CAPI_R_CANT_FIND_CAPI_CONTEXT);
-               return NULL;
-               }
-
-       key = capi_find_key(ctx, key_id);
-
-       if (!key)
-               return NULL;
-
-       len = 0;
+       EVP_PKEY *ret = NULL;
         if (!CryptExportKey(key->key, 0, PUBLICKEYBLOB, 0, NULL, &len))
                 {
-               CAPIerr(CAPI_F_CAPI_LOAD_PRIVKEY, CAPI_R_PUBKEY_EXPORT_LENGTH_ERROR);
+               CAPIerr(CAPI_F_CAPI_GET_PKEY, CAPI_R_PUBKEY_EXPORT_LENGTH_ERROR);
                 capi_addlasterror();
                 return NULL;
                 }
@@ -508,7 +594,7 @@ static EVP_PKEY *capi_load_privkey(ENGINE *eng, const char *key_id,
  
         if (!CryptExportKey(key->key, 0, PUBLICKEYBLOB, 0, pubkey, &len))
                 {
-               CAPIerr(CAPI_F_CAPI_LOAD_PRIVKEY, CAPI_R_PUBKEY_EXPORT_ERROR);
+               CAPIerr(CAPI_F_CAPI_GET_PKEY, CAPI_R_PUBKEY_EXPORT_ERROR);
                 capi_addlasterror();
                 goto err;
                 }
@@ -516,7 +602,7 @@ static EVP_PKEY *capi_load_privkey(ENGINE *eng, const char *key_id,
         bh = (BLOBHEADER *)pubkey;
         if (bh->bType != PUBLICKEYBLOB)
                 {
-               CAPIerr(CAPI_F_CAPI_LOAD_PRIVKEY, CAPI_R_INVALID_PUBLIC_KEY_BLOB);
+               CAPIerr(CAPI_F_CAPI_GET_PKEY, CAPI_R_INVALID_PUBLIC_KEY_BLOB);
                 goto err;
                 }
         if (bh->aiKeyAlg == CALG_RSA_SIGN || bh->aiKeyAlg == CALG_RSA_KEYX)
@@ -528,8 +614,8 @@ static EVP_PKEY *capi_load_privkey(ENGINE *eng, const char *key_id,
                 if (rp->magic != 0x31415352)
                         {
                         char magstr[10];
-                       BIO_snprintf(10, magstr, "%lx", rp->magic);
-                       CAPIerr(CAPI_F_CAPI_LOAD_PRIVKEY, CAPI_R_INVALID_RSA_PUBLIC_KEY_BLOB_MAGIC_NUMBER);
+                       BIO_snprintf(magstr, 10, "%lx", rp->magic);
+                       CAPIerr(CAPI_F_CAPI_GET_PKEY, CAPI_R_INVALID_RSA_PUBLIC_KEY_BLOB_MAGIC_NUMBER);
                         ERR_add_error_data(2, "magic=0x", magstr);
                         goto err;
                         }
@@ -569,14 +655,14 @@ static EVP_PKEY *capi_load_privkey(ENGINE *eng, const char *key_id,
                 if (dp->magic != 0x31535344)
                         {
                         char magstr[10];
-                       BIO_snprintf(10, magstr, "%lx", rp->magic);
-                       CAPIerr(CAPI_F_CAPI_LOAD_PRIVKEY, CAPI_R_INVALID_DSA_PUBLIC_KEY_BLOB_MAGIC_NUMBER);
+                       BIO_snprintf(magstr, 10, "%lx", dp->magic);
+                       CAPIerr(CAPI_F_CAPI_GET_PKEY, CAPI_R_INVALID_DSA_PUBLIC_KEY_BLOB_MAGIC_NUMBER);
                         ERR_add_error_data(2, "magic=0x", magstr);
                         goto err;
                         }
                 dsa_plen = dp->bitlen / 8;
                 btmp = (unsigned char *)(dp + 1);
-               dkey = DSA_new();
+               dkey = DSA_new_method(eng);
                 if (!dkey)
                         goto memerr;
                 dkey->p = BN_new();
@@ -609,12 +695,13 @@ static EVP_PKEY *capi_load_privkey(ENGINE *eng, const char *key_id,
         else
                 {
                 char algstr[10];
-               BIO_snprintf(10, algstr, "%lx", bh->aiKeyAlg);
-               CAPIerr(CAPI_F_CAPI_LOAD_PRIVKEY, CAPI_R_UNSUPPORTED_PUBLIC_KEY_ALGORITHM);
+               BIO_snprintf(algstr, 10, "%lx", bh->aiKeyAlg);
+               CAPIerr(CAPI_F_CAPI_GET_PKEY, CAPI_R_UNSUPPORTED_PUBLIC_KEY_ALGORITHM);
                 ERR_add_error_data(2, "aiKeyAlg=0x", algstr);
                 goto err;
                 }
  
+
         err:
         if (pubkey)
                 OPENSSL_free(pubkey);
@@ -624,18 +711,43 @@ static EVP_PKEY *capi_load_privkey(ENGINE *eng, const char *key_id,
                         RSA_free(rkey);
                 if (dkey)
                         DSA_free(dkey);
-               if (key)
-                       capi_free_key(key);
                 }
  
         return ret;
  
  memerr:
-       CAPIerr(CAPI_F_CAPI_LOAD_PRIVKEY, ERR_R_MALLOC_FAILURE);
+       CAPIerr(CAPI_F_CAPI_GET_PKEY, ERR_R_MALLOC_FAILURE);
         goto err;
  
         }
  
+static EVP_PKEY *capi_load_privkey(ENGINE *eng, const char *key_id,
+       UI_METHOD *ui_method, void *callback_data)
+       {
+       CAPI_CTX *ctx;
+       CAPI_KEY *key;
+       EVP_PKEY *ret;
+       ctx = ENGINE_get_ex_data(eng, capi_idx);
+
+       if (!ctx)
+               {
+               CAPIerr(CAPI_F_CAPI_LOAD_PRIVKEY, CAPI_R_CANT_FIND_CAPI_CONTEXT);
+               return NULL;
+               }
+
+       key = capi_find_key(ctx, key_id);
+
+       if (!key)
+               return NULL;
+
+       ret = capi_get_pkey(eng, key);
+
+       if (!ret)
+               capi_free_key(key);
+       return ret;
+
+       }
+
  /* CryptoAPI RSA operations */
  
  int capi_rsa_priv_enc(int flen, const unsigned char *from,
@@ -667,7 +779,8 @@ int capi_rsa_sign(int dtype, const unsigned char *m, unsigned int m_len,
                 return -1;
                 }
  /* Convert the signature type to a CryptoAPI algorithm ID */
-       switch(dtype) {
+       switch(dtype)
+               {
         case NID_sha1:
                 alg = CALG_SHA1;
                 break;
@@ -682,7 +795,7 @@ int capi_rsa_sign(int dtype, const unsigned char *m, unsigned int m_len,
         default:
                 {
                 char algstr[10];
-               BIO_snprintf(10, algstr, "%lx", dtype);
+               BIO_snprintf(algstr, 10, "%lx", dtype);
                 CAPIerr(CAPI_F_CAPI_RSA_SIGN, CAPI_R_UNSUPPORTED_ALGORITHM_NID);
                 ERR_add_error_data(2, "NID=0x", algstr);
                 return -1;
@@ -692,38 +805,43 @@ int capi_rsa_sign(int dtype, const unsigned char *m, unsigned int m_len,
  
  
  /* Create the hash object */
-       if(!CryptCreateHash(capi_key->hprov, alg, 0, 0, &hash)) {
+       if(!CryptCreateHash(capi_key->hprov, alg, 0, 0, &hash))
+               {
                 CAPIerr(CAPI_F_CAPI_RSA_SIGN, CAPI_R_CANT_CREATE_HASH_OBJECT);
                 capi_addlasterror();
                 return -1;
-       }
+               }
  /* Set the hash value to the value passed */
  
-       if(!CryptSetHashParam(hash, HP_HASHVAL, (unsigned char *)m, 0)) {
+       if(!CryptSetHashParam(hash, HP_HASHVAL, (unsigned char *)m, 0))
+               {
                 CAPIerr(CAPI_F_CAPI_RSA_SIGN, CAPI_R_CANT_SET_HASH_VALUE);
                 capi_addlasterror();
                 goto err;
-       }
+               }
  
  
  /* Finally sign it */
         slen = RSA_size(rsa);
-       if(!CryptSignHash(hash, AT_KEYEXCHANGE, NULL, 0, sigret, &slen)) {
+       if(!CryptSignHash(hash, capi_key->keyspec, NULL, 0, sigret, &slen))
+               {
                 CAPIerr(CAPI_F_CAPI_RSA_SIGN, CAPI_R_ERROR_SIGNING_HASH);
                 capi_addlasterror();
                 goto err;
-       } else {
+               }
+       else
+               {
                 ret = 1;
                 /* Inplace byte reversal of signature */
-               for(i = 0; i < slen / 2; i++) {
+               for(i = 0; i < slen / 2; i++)
+                       {
                         unsigned char c;
                         c = sigret[i];
                         sigret[i] = sigret[slen - i - 1];
                         sigret[slen - i - 1] = c;
-               }
+                       }
                 *siglen = slen;
-       }
-
+               }
  
         /* Now cleanup */
  
@@ -731,11 +849,11 @@ err:
         CryptDestroyHash(hash);
  
         return ret;
-}
+       }
  
  int capi_rsa_priv_dec(int flen, const unsigned char *from,
                  unsigned char *to, RSA *rsa, int padding)
-{
+       {
         int i;
         unsigned char *tmpbuf;
         CAPI_KEY *capi_key;
@@ -755,7 +873,7 @@ int capi_rsa_priv_dec(int flen, const unsigned char *from,
         if(padding != RSA_PKCS1_PADDING)
                 {
                 char errstr[10];
-               BIO_snprintf(10, errstr, "%d", padding);
+               BIO_snprintf(errstr, 10, "%d", padding);
                 CAPIerr(CAPI_F_CAPI_RSA_PRIV_DEC, CAPI_R_UNSUPPORTED_PADDING);
                 ERR_add_error_data(2, "padding=", errstr);
                 return -1;
@@ -767,7 +885,8 @@ int capi_rsa_priv_dec(int flen, const unsigned char *from,
                 CAPIerr(CAPI_F_CAPI_RSA_PRIV_DEC, ERR_R_MALLOC_FAILURE);
                 return -1;
                 }
-       for(i = 0; i < flen; i++) tmpbuf[flen - i - 1] = from[i];
+       for(i = 0; i < flen; i++)
+               tmpbuf[flen - i - 1] = from[i];
         
         /* Finally decrypt it */
         if(!CryptDecrypt(capi_key->key, 0, TRUE, 0, tmpbuf, &flen))
@@ -782,7 +901,7 @@ int capi_rsa_priv_dec(int flen, const unsigned char *from,
         OPENSSL_free(tmpbuf);
  
         return flen;
-}
+       }
  
  static int capi_rsa_free(RSA *rsa)
         {
@@ -793,6 +912,96 @@ static int capi_rsa_free(RSA *rsa)
         return 1;
         }
  
+/* CryptoAPI DSA operations */
+
+static DSA_SIG *capi_dsa_do_sign(const unsigned char *digest, int dlen,
+                                                               DSA *dsa)
+       {
+       HCRYPTHASH hash;
+       DWORD slen;
+       DSA_SIG *ret = NULL;
+       CAPI_KEY *capi_key;
+       CAPI_CTX *ctx;
+       unsigned char csigbuf[40];
+
+       ctx = ENGINE_get_ex_data(dsa->engine, capi_idx);
+
+       CAPI_trace(ctx, "Called CAPI_dsa_do_sign()\n");
+
+       capi_key = DSA_get_ex_data(dsa, dsa_capi_idx);
+
+       if (!capi_key)
+               {
+               CAPIerr(CAPI_F_CAPI_DSA_DO_SIGN, CAPI_R_CANT_GET_KEY);
+               return NULL;
+               }
+
+       if (dlen != 20)
+               {
+               CAPIerr(CAPI_F_CAPI_DSA_DO_SIGN, CAPI_R_INVALID_DIGEST_LENGTH);
+               return NULL;
+               }
+
+       /* Create the hash object */
+       if(!CryptCreateHash(capi_key->hprov, CALG_SHA1, 0, 0, &hash))
+               {
+               CAPIerr(CAPI_F_CAPI_DSA_DO_SIGN, CAPI_R_CANT_CREATE_HASH_OBJECT);
+               capi_addlasterror();
+               return NULL;
+               }
+
+       /* Set the hash value to the value passed */
+       if(!CryptSetHashParam(hash, HP_HASHVAL, (unsigned char *)digest, 0))
+               {
+               CAPIerr(CAPI_F_CAPI_DSA_DO_SIGN, CAPI_R_CANT_SET_HASH_VALUE);
+               capi_addlasterror();
+               goto err;
+               }
+
+
+       /* Finally sign it */
+       slen = sizeof(csigbuf);
+       if(!CryptSignHash(hash, capi_key->keyspec, NULL, 0, csigbuf, &slen))
+               {
+               CAPIerr(CAPI_F_CAPI_DSA_DO_SIGN, CAPI_R_ERROR_SIGNING_HASH);
+               capi_addlasterror();
+               goto err;
+               }
+       else
+               {
+               ret = DSA_SIG_new();
+               if (!ret)
+                       goto err;
+               ret->r = BN_new();
+               ret->s = BN_new();
+               if (!ret->r || !ret->s)
+                       goto err;
+               if (!lend_tobn(ret->r, csigbuf, 20)
+                       || !lend_tobn(ret->s, csigbuf + 20, 20))
+                       {
+                       DSA_SIG_free(ret);
+                       ret = NULL;
+                       goto err;
+                       }
+               }
+
+       /* Now cleanup */
+
+err:
+       OPENSSL_cleanse(csigbuf, 40);
+       CryptDestroyHash(hash);
+       return ret;
+       }
+
+static int capi_dsa_free(DSA *dsa)
+       {
+       CAPI_KEY *capi_key;
+       capi_key = DSA_get_ex_data(dsa, dsa_capi_idx);
+       capi_free_key(capi_key);
+       DSA_set_ex_data(dsa, dsa_capi_idx, 0);
+       return 1;
+       }
+
  static void capi_vtrace(CAPI_CTX *ctx, int level, char *format, va_list argptr)
         {
         BIO *out;
@@ -820,7 +1029,7 @@ static void capi_addlasterror(void)
  static void capi_adderror(DWORD err)
         {
         char errstr[10];
-       BIO_snprintf(10, errstr, "%lX", err);
+       BIO_snprintf(errstr, 10, "%lX", err);
         ERR_add_error_data(2, "Error code= 0x", errstr);
         }
  
@@ -920,29 +1129,29 @@ static int capi_list_containers(CAPI_CTX *ctx, BIO *out)
  
         for (idx = 0;;idx++)
                 {
-                       clen = buflen;
-                       cname[0] = 0;
-
-                       if (idx == 0)
-                               flags = CRYPT_FIRST;
-                       else
-                               flags = 0;
-                       if(!CryptGetProvParam(hprov, PP_ENUMCONTAINERS, cname, &clen, flags))
-                               {
-                               err = GetLastError();
-                               if (err == ERROR_NO_MORE_ITEMS)
-                                       goto done;
-                               CAPIerr(CAPI_F_CAPI_LIST_CONTAINERS, CAPI_R_ENUMCONTAINERS_ERROR);
-                               capi_adderror(err);
-                               goto err;
-                               }
-                       CAPI_trace(ctx, "Container name %s, len=%d, index=%d, flags=%d\n", cname, clen, idx, flags);
-                       if (!cname[0] && (clen == buflen))
-                               {
-                               CAPI_trace(ctx, "Enumerate bug: using workaround\n");
+               clen = buflen;
+               cname[0] = 0;
+
+               if (idx == 0)
+                       flags = CRYPT_FIRST;
+               else
+                       flags = 0;
+               if(!CryptGetProvParam(hprov, PP_ENUMCONTAINERS, cname, &clen, flags))
+                       {
+                       err = GetLastError();
+                       if (err == ERROR_NO_MORE_ITEMS)
                                 goto done;
-                               }
-                       BIO_printf(out, "%d. %s\n", idx, cname);
+                       CAPIerr(CAPI_F_CAPI_LIST_CONTAINERS, CAPI_R_ENUMCONTAINERS_ERROR);
+                       capi_adderror(err);
+                       goto err;
+                       }
+               CAPI_trace(ctx, "Container name %s, len=%d, index=%d, flags=%d\n", cname, clen, idx, flags);
+               if (!cname[0] && (clen == buflen))
+                       {
+                       CAPI_trace(ctx, "Enumerate bug: using workaround\n");
+                       goto done;
+                       }
+               BIO_printf(out, "%d. %s\n", idx, cname);
                 }
         err:
  
@@ -1082,7 +1291,8 @@ HCERTSTORE capi_open_store(CAPI_CTX *ctx, char *storename)
                 storename = "MY";
         CAPI_trace(ctx, "Opening certificate store %s\n", storename);
  
-       hstore = CertOpenSystemStore(0, storename);
+       hstore = CertOpenStore(CERT_STORE_PROV_SYSTEM_A, 0, 0, 
+                               ctx->store_flags, storename);
         if (!hstore)
                 {
                 CAPIerr(CAPI_F_CAPI_OPEN_STORE, CAPI_R_ERROR_OPENING_STORE);
@@ -1143,8 +1353,9 @@ static PCCERT_CONTEXT capi_find_cert(CAPI_CTX *ctx, const char *id, HCERTSTORE h
         switch(ctx->lookup_method)
                 {
                 case CAPI_LU_SUBSTR:
-                       return CertFindCertificateInStore(hstore, X509_ASN_ENCODING, 0, 
-                                                                                       CERT_FIND_SUBJECT_STR_A, id, NULL);
+                       return CertFindCertificateInStore(hstore,
+                                       X509_ASN_ENCODING, 0,
+                                       CERT_FIND_SUBJECT_STR_A, id, NULL);
                 case CAPI_LU_FNAME:
                         for(;;)
                                 {
@@ -1173,7 +1384,7 @@ static CAPI_KEY *capi_get_key(CAPI_CTX *ctx, const char *contname, char *provnam
         CAPI_KEY *key;
         key = OPENSSL_malloc(sizeof(CAPI_KEY));
         CAPI_trace(ctx, "capi_get_key, contname=%s, provname=%s, type=%d\n", 
-                                                                                                                       contname, provname, ptype);
+                                               contname, provname, ptype);
         if (!CryptAcquireContext(&key->hprov, contname, provname, ptype, 0))
                 {
                 CAPIerr(CAPI_F_CAPI_GET_KEY, CAPI_R_CRYPTACQUIRECONTEXT_ERROR);
@@ -1187,6 +1398,8 @@ static CAPI_KEY *capi_get_key(CAPI_CTX *ctx, const char *contname, char *provnam
                 CryptReleaseContext(key->hprov, 0);
                 goto err;
                 }
+       key->keyspec = keyspec;
+       key->pcert = NULL;
         return key;
  
         err:
@@ -1196,7 +1409,7 @@ static CAPI_KEY *capi_get_key(CAPI_CTX *ctx, const char *contname, char *provnam
  
  static CAPI_KEY *capi_get_cert_key(CAPI_CTX *ctx, PCCERT_CONTEXT cert)
         {
-       CAPI_KEY *key;
+       CAPI_KEY *key = NULL;
         CRYPT_KEY_PROV_INFO *pinfo = NULL;
         char *provname = NULL, *contname = NULL;
         pinfo = capi_get_prov_info(ctx, cert);
@@ -1205,9 +1418,9 @@ static CAPI_KEY *capi_get_cert_key(CAPI_CTX *ctx, PCCERT_CONTEXT cert)
         provname = wide_to_asc(pinfo->pwszProvName);
         contname = wide_to_asc(pinfo->pwszContainerName);
         if (!provname || !contname)
-               return 0;
-
-       key = capi_get_key(ctx, contname, provname, pinfo->dwProvType, pinfo->dwKeySpec);
+               goto err;
+       key = capi_get_key(ctx, contname, provname,
+                               pinfo->dwProvType, pinfo->dwKeySpec);
  
         err:
         if (pinfo)
@@ -1241,7 +1454,8 @@ CAPI_KEY *capi_find_key(CAPI_CTX *ctx, const char *id)
                 break;
  
                 case CAPI_LU_CONTNAME:
-               key = capi_get_key(ctx, id, ctx->cspname, ctx->csptype, ctx->keytype);
+               key = capi_get_key(ctx, id, ctx->cspname, ctx->csptype,
+                                                       ctx->keytype);
                 break;
                 }
  
@@ -1254,6 +1468,8 @@ void capi_free_key(CAPI_KEY *key)
                 return;
         CryptDestroyKey(key->key);
         CryptReleaseContext(key->hprov, 0);
+       if (key->pcert)
+               CertFreeCertificateContext(key->pcert);
         OPENSSL_free(key);
         }
  
@@ -1274,9 +1490,14 @@ static CAPI_CTX *capi_ctx_new()
         ctx->dump_flags = CAPI_DMP_SUMMARY|CAPI_DMP_FNAME;
         ctx->keytype = AT_KEYEXCHANGE;
         ctx->storename = NULL;
+       ctx->ssl_client_store = NULL;
+       ctx->store_flags = CERT_STORE_OPEN_EXISTING_FLAG |
+                               CERT_STORE_READONLY_FLAG |
+                               CERT_SYSTEM_STORE_CURRENT_USER;
         ctx->lookup_method = CAPI_LU_SUBSTR;
         ctx->debug_level = 0;
         ctx->debug_file = NULL;
+       ctx->client_cert_select = cert_select_simple;
         return ctx;
         }
  
@@ -1291,6 +1512,8 @@ static void capi_ctx_free(CAPI_CTX *ctx)
                 OPENSSL_free(ctx->debug_file);
         if (ctx->storename)
                 OPENSSL_free(ctx->storename);
+       if (ctx->ssl_client_store)
+               OPENSSL_free(ctx->ssl_client_store);
         OPENSSL_free(ctx);
         }
  
@@ -1300,7 +1523,8 @@ static int capi_ctx_set_provname(CAPI_CTX *ctx, LPSTR pname, DWORD type, int che
         if (check)
                 {
                 HCRYPTPROV hprov;
-               if (!CryptAcquireContext(&hprov, NULL, pname, type, CRYPT_VERIFYCONTEXT))
+               if (!CryptAcquireContext(&hprov, NULL, pname, type,
+                                               CRYPT_VERIFYCONTEXT))
                         {
                         CAPIerr(CAPI_F_CAPI_CTX_SET_PROVNAME, CAPI_R_CRYPTACQUIRECONTEXT_ERROR);
                         capi_addlasterror();
@@ -1322,5 +1546,236 @@ static int capi_ctx_set_provname_idx(CAPI_CTX *ctx, int idx)
         return capi_ctx_set_provname(ctx, pname, type, 0);
         }
  
+static int cert_issuer_match(STACK_OF(X509_NAME) *ca_dn, X509 *x)
+       {
+       int i;
+       X509_NAME *nm;
+       /* Special case: empty list: match anything */
+       if (sk_X509_NAME_num(ca_dn) <= 0)
+               return 1;
+       for (i = 0; i < sk_X509_NAME_num(ca_dn); i++)
+               {
+               nm = sk_X509_NAME_value(ca_dn, i);
+               if (!X509_NAME_cmp(nm, X509_get_issuer_name(x)))
+                               return 1;
+               }
+       return 0;
+       }
+
+
+
+static int capi_load_ssl_client_cert(ENGINE *e, SSL *ssl,
+       STACK_OF(X509_NAME) *ca_dn, X509 **pcert, EVP_PKEY **pkey,
+       STACK_OF(X509) **pother, UI_METHOD *ui_method, void *callback_data)
+       {
+       STACK_OF(X509) *certs = NULL;
+       X509 *x;
+       char *storename;
+       const char *p;
+       int i, client_cert_idx;
+       HCERTSTORE hstore;
+       PCCERT_CONTEXT cert = NULL, excert = NULL;
+       CAPI_CTX *ctx;
+       CAPI_KEY *key;
+       ctx = ENGINE_get_ex_data(e, capi_idx);
+
+       *pcert = NULL;
+       *pkey = NULL;
+
+       storename = ctx->ssl_client_store;
+       if (!storename)
+               storename = "MY";
+
+       hstore = capi_open_store(ctx, storename);
+       if (!hstore)
+               return 0;
+       /* Enumerate all certificates collect any matches */
+       for(i = 0;;i++)
+               {
+               cert = CertEnumCertificatesInStore(hstore, cert);
+               if (!cert)
+                       break;
+               p = cert->pbCertEncoded;
+               x = d2i_X509(NULL, &p, cert->cbCertEncoded);
+               if (!x)
+                       {
+                       CAPI_trace(ctx, "Can't Parse Certificate %d\n", i);
+                       continue;
+                       }
+               if (cert_issuer_match(ca_dn, x)
+                       && X509_check_purpose(x, X509_PURPOSE_SSL_CLIENT, 0))
+                       {
+                       key = capi_get_cert_key(ctx, cert);
+                       if (!key)
+                               {
+                               X509_free(x);
+                               continue;
+                               }
+                       /* Match found: attach extra data to it so
+                        * we can retrieve the key later.
+                        */
+                       excert = CertDuplicateCertificateContext(cert);
+                       key->pcert = excert;
+                       X509_set_ex_data(x, cert_capi_idx, key);
+
+                       if (!certs)
+                               certs = sk_X509_new_null();
+
+                       sk_X509_push(certs, x);
+                       }
+               else
+                       X509_free(x);
+
+               }
+
+       if (cert)
+               CertFreeCertificateContext(cert);
+       if (hstore)
+               CertCloseStore(hstore, 0);
+
+       if (!certs)
+               return 0;
+
+
+       /* Select the appropriate certificate */
+
+       client_cert_idx = ctx->client_cert_select(e, ssl, certs);
+
+       /* Set the selected certificate and free the rest */
+
+       for(i = 0; i < sk_X509_num(certs); i++)
+               {
+               x = sk_X509_value(certs, i);
+               if (i == client_cert_idx)
+                       *pcert = x;
+               else
+                       {
+                       key = X509_get_ex_data(x, cert_capi_idx);
+                       capi_free_key(key);
+                       X509_free(x);
+                       }
+               }
+
+       sk_X509_free(certs);
+
+       if (!*pcert)
+               return 0;
+
+       /* Setup key for selected certificate */
+
+       key = X509_get_ex_data(*pcert, cert_capi_idx);
+       *pkey = capi_get_pkey(e, key);
+       X509_set_ex_data(*pcert, cert_capi_idx, NULL);
+
+       return 1;
+
+       }
+
+
+/* Simple client cert selection function: always select first */
+
+static int cert_select_simple(ENGINE *e, SSL *ssl, STACK_OF(X509) *certs)
+       {
+       return 0;
+       }
+
+#ifdef OPENSSL_CAPIENG_DIALOG
+
+/* More complex cert selection function, using standard function
+ * CryptUIDlgSelectCertificateFromStore() to produce a dialog box.
+ */
+
+/* Definitions which are in cryptuiapi.h but this is not present in older
+ * versions of headers.
+ */
+
+#ifndef CRYPTUI_SELECT_LOCATION_COLUMN
+#define CRYPTUI_SELECT_LOCATION_COLUMN                   0x000000010
+#define CRYPTUI_SELECT_INTENDEDUSE_COLUMN                0x000000004
+#endif
+
+#define dlg_title L"OpenSSL Application SSL Client Certificate Selection"
+#define dlg_prompt L"Select a certificate to use for authentication"
+#define dlg_columns     CRYPTUI_SELECT_LOCATION_COLUMN \
+                       |CRYPTUI_SELECT_INTENDEDUSE_COLUMN
+
+static int cert_select_dialog(ENGINE *e, SSL *ssl, STACK_OF(X509) *certs)
+       {
+       X509 *x;
+       HCERTSTORE dstore;
+       PCCERT_CONTEXT cert;
+       CAPI_CTX *ctx;
+       CAPI_KEY *key;
+       HWND hwnd;
+       int i, idx = -1;
+       if (sk_X509_num(certs) == 1)
+               return 0;
+       ctx = ENGINE_get_ex_data(e, capi_idx);
+       /* Create an in memory store of certificates */
+       dstore = CertOpenStore(CERT_STORE_PROV_MEMORY, 0, 0,
+                                       CERT_STORE_CREATE_NEW_FLAG, NULL);
+       if (!dstore)
+               {
+               CAPIerr(CAPI_F_CERT_SELECT_DIALOG, CAPI_R_ERROR_CREATING_STORE);
+               capi_addlasterror();
+               goto err;
+               }
+       /* Add all certificates to store */
+       for(i = 0; i < sk_X509_num(certs); i++)
+               {
+               x = sk_X509_value(certs, i);
+               key = X509_get_ex_data(x, cert_capi_idx);
+
+               if (!CertAddCertificateContextToStore(dstore, key->pcert,
+                                               CERT_STORE_ADD_NEW, NULL))
+                       {
+                       CAPIerr(CAPI_F_CERT_SELECT_DIALOG, CAPI_R_ERROR_ADDING_CERT);
+                       capi_addlasterror();
+                       goto err;
+                       }
+
+               }
+       hwnd = GetForegroundWindow();
+       if (!hwnd)
+               hwnd = GetActiveWindow();
+       if (!hwnd && ctx->getconswindow)
+               hwnd = ctx->getconswindow();
+       /* Call dialog to select one */
+       cert = ctx->certselectdlg(dstore, hwnd, dlg_title, dlg_prompt,
+                                               dlg_columns, 0, NULL);
+
+       /* Find matching cert from list */
+       if (cert)
+               {
+               for(i = 0; i < sk_X509_num(certs); i++)
+                       {
+                       x = sk_X509_value(certs, i);
+                       key = X509_get_ex_data(x, cert_capi_idx);
+                       if (CertCompareCertificate(
+                               X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
+                                       cert->pCertInfo,
+                                       key->pcert->pCertInfo))
+                               {
+                               idx = i;
+                               break;
+                               }
+                       }
+               }
+
+       err:
+       if (dstore)
+               CertCloseStore(dstore, 0);
+       return idx;
+
+       }
+#endif
+
+#endif
+#else /* !WIN32 */
+#include <openssl/engine.h>
+#ifndef OPENSSL_NO_DYNAMIC_ENGINE
+OPENSSL_EXPORT
+int bind_engine(ENGINE *e, const char *id, const dynamic_fns *fns) { return 0; }
+IMPLEMENT_DYNAMIC_CHECK_FN()
  #endif
  #endif