1 /*
2 * Schannel tests
3 *
4 * Copyright 2006 Juan Lang
5 *
6 * This library is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU Lesser General Public
8 * License as published by the Free Software Foundation; either
9 * version 2.1 of the License, or (at your option) any later version.
10 *
11 * This library is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * Lesser General Public License for more details.
15 *
16 * You should have received a copy of the GNU Lesser General Public
17 * License along with this library; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
19 */
20
21 #include <stdarg.h>
22 #include <windef.h>
23 #include <winsock2.h>
24 #include <ws2tcpip.h>
25 #include <stdio.h>
26 #define SECURITY_WIN32
27 #include <security.h>
28 #include <schannel.h>
29
30 #include "wine/test.h"
31
32 static QUERY_CONTEXT_ATTRIBUTES_FN_A pQueryContextAttributesA;
33
34 static const BYTE bigCert[] = { 0x30, 0x7a, 0x02, 0x01, 0x01, 0x30, 0x02, 0x06,
35 0x00, 0x30, 0x15, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13,
36 0x0a, 0x4a, 0x75, 0x61, 0x6e, 0x20, 0x4c, 0x61, 0x6e, 0x67, 0x00, 0x30, 0x22,
37 0x18, 0x0f, 0x31, 0x36, 0x30, 0x31, 0x30, 0x31, 0x30, 0x31, 0x30, 0x30, 0x30,
38 0x30, 0x30, 0x30, 0x5a, 0x18, 0x0f, 0x31, 0x36, 0x30, 0x31, 0x30, 0x31, 0x30,
39 0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x15, 0x31, 0x13, 0x30,
40 0x11, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x0a, 0x4a, 0x75, 0x61, 0x6e, 0x20,
41 0x4c, 0x61, 0x6e, 0x67, 0x00, 0x30, 0x07, 0x30, 0x02, 0x06, 0x00, 0x03, 0x01,
42 0x00, 0xa3, 0x16, 0x30, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01,
43 0x01, 0xff, 0x04, 0x08, 0x30, 0x06, 0x01, 0x01, 0xff, 0x02, 0x01, 0x01 };
44 static WCHAR cspNameW[] = { 'W','i','n','e','C','r','y','p','t','T','e',
45 'm','p',0 };
46 static BYTE privKey[] = {
47 0x07, 0x02, 0x00, 0x00, 0x00, 0x24, 0x00, 0x00, 0x52, 0x53, 0x41, 0x32, 0x00,
48 0x02, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x79, 0x10, 0x1c, 0xd0, 0x6b, 0x10,
49 0x18, 0x30, 0x94, 0x61, 0xdc, 0x0e, 0xcb, 0x96, 0x4e, 0x21, 0x3f, 0x79, 0xcd,
50 0xa9, 0x17, 0x62, 0xbc, 0xbb, 0x61, 0x4c, 0xe0, 0x75, 0x38, 0x6c, 0xf3, 0xde,
51 0x60, 0x86, 0x03, 0x97, 0x65, 0xeb, 0x1e, 0x6b, 0xdb, 0x53, 0x85, 0xad, 0x68,
52 0x21, 0xf1, 0x5d, 0xe7, 0x1f, 0xe6, 0x53, 0xb4, 0xbb, 0x59, 0x3e, 0x14, 0x27,
53 0xb1, 0x83, 0xa7, 0x3a, 0x54, 0xe2, 0x8f, 0x65, 0x8e, 0x6a, 0x4a, 0xcf, 0x3b,
54 0x1f, 0x65, 0xff, 0xfe, 0xf1, 0x31, 0x3a, 0x37, 0x7a, 0x8b, 0xcb, 0xc6, 0xd4,
55 0x98, 0x50, 0x36, 0x67, 0xe4, 0xa1, 0xe8, 0x7e, 0x8a, 0xc5, 0x23, 0xf2, 0x77,
56 0xf5, 0x37, 0x61, 0x49, 0x72, 0x59, 0xe8, 0x3d, 0xf7, 0x60, 0xb2, 0x77, 0xca,
57 0x78, 0x54, 0x6d, 0x65, 0x9e, 0x03, 0x97, 0x1b, 0x61, 0xbd, 0x0c, 0xd8, 0x06,
58 0x63, 0xe2, 0xc5, 0x48, 0xef, 0xb3, 0xe2, 0x6e, 0x98, 0x7d, 0xbd, 0x4e, 0x72,
59 0x91, 0xdb, 0x31, 0x57, 0xe3, 0x65, 0x3a, 0x49, 0xca, 0xec, 0xd2, 0x02, 0x4e,
60 0x22, 0x7e, 0x72, 0x8e, 0xf9, 0x79, 0x84, 0x82, 0xdf, 0x7b, 0x92, 0x2d, 0xaf,
61 0xc9, 0xe4, 0x33, 0xef, 0x89, 0x5c, 0x66, 0x99, 0xd8, 0x80, 0x81, 0x47, 0x2b,
62 0xb1, 0x66, 0x02, 0x84, 0x59, 0x7b, 0xc3, 0xbe, 0x98, 0x45, 0x4a, 0x3d, 0xdd,
63 0xea, 0x2b, 0xdf, 0x4e, 0xb4, 0x24, 0x6b, 0xec, 0xe7, 0xd9, 0x0c, 0x45, 0xb8,
64 0xbe, 0xca, 0x69, 0x37, 0x92, 0x4c, 0x38, 0x6b, 0x96, 0x6d, 0xcd, 0x86, 0x67,
65 0x5c, 0xea, 0x54, 0x94, 0xa4, 0xca, 0xa4, 0x02, 0xa5, 0x21, 0x4d, 0xae, 0x40,
66 0x8f, 0x9d, 0x51, 0x83, 0xf2, 0x3f, 0x33, 0xc1, 0x72, 0xb4, 0x1d, 0x94, 0x6e,
67 0x7d, 0xe4, 0x27, 0x3f, 0xea, 0xff, 0xe5, 0x9b, 0xa7, 0x5e, 0x55, 0x8e, 0x0d,
68 0x69, 0x1c, 0x7a, 0xff, 0x81, 0x9d, 0x53, 0x52, 0x97, 0x9a, 0x76, 0x79, 0xda,
69 0x93, 0x32, 0x16, 0xec, 0x69, 0x51, 0x1a, 0x4e, 0xc3, 0xf1, 0x72, 0x80, 0x78,
70 0x5e, 0x66, 0x4a, 0x8d, 0x85, 0x2f, 0x3f, 0xb2, 0xa7 };
71
72 static const BYTE selfSignedCert[] = {
73 0x30, 0x82, 0x01, 0x1f, 0x30, 0x81, 0xce, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02,
74 0x10, 0xeb, 0x0d, 0x57, 0x2a, 0x9c, 0x09, 0xba, 0xa4, 0x4a, 0xb7, 0x25, 0x49,
75 0xd9, 0x3e, 0xb5, 0x73, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1d,
76 0x05, 0x00, 0x30, 0x15, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x03,
77 0x13, 0x0a, 0x4a, 0x75, 0x61, 0x6e, 0x20, 0x4c, 0x61, 0x6e, 0x67, 0x00, 0x30,
78 0x1e, 0x17, 0x0d, 0x30, 0x36, 0x30, 0x36, 0x32, 0x39, 0x30, 0x35, 0x30, 0x30,
79 0x34, 0x36, 0x5a, 0x17, 0x0d, 0x30, 0x37, 0x30, 0x36, 0x32, 0x39, 0x31, 0x31,
80 0x30, 0x30, 0x34, 0x36, 0x5a, 0x30, 0x15, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03,
81 0x55, 0x04, 0x03, 0x13, 0x0a, 0x4a, 0x75, 0x61, 0x6e, 0x20, 0x4c, 0x61, 0x6e,
82 0x67, 0x00, 0x30, 0x5c, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7,
83 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x4b, 0x00, 0x30, 0x48, 0x02, 0x41,
84 0x00, 0xe2, 0x54, 0x3a, 0xa7, 0x83, 0xb1, 0x27, 0x14, 0x3e, 0x59, 0xbb, 0xb4,
85 0x53, 0xe6, 0x1f, 0xe7, 0x5d, 0xf1, 0x21, 0x68, 0xad, 0x85, 0x53, 0xdb, 0x6b,
86 0x1e, 0xeb, 0x65, 0x97, 0x03, 0x86, 0x60, 0xde, 0xf3, 0x6c, 0x38, 0x75, 0xe0,
87 0x4c, 0x61, 0xbb, 0xbc, 0x62, 0x17, 0xa9, 0xcd, 0x79, 0x3f, 0x21, 0x4e, 0x96,
88 0xcb, 0x0e, 0xdc, 0x61, 0x94, 0x30, 0x18, 0x10, 0x6b, 0xd0, 0x1c, 0x10, 0x79,
89 0x02, 0x03, 0x01, 0x00, 0x01, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02,
90 0x1d, 0x05, 0x00, 0x03, 0x41, 0x00, 0x25, 0x90, 0x53, 0x34, 0xd9, 0x56, 0x41,
91 0x5e, 0xdb, 0x7e, 0x01, 0x36, 0xec, 0x27, 0x61, 0x5e, 0xb7, 0x4d, 0x90, 0x66,
92 0xa2, 0xe1, 0x9d, 0x58, 0x76, 0xd4, 0x9c, 0xba, 0x2c, 0x84, 0xc6, 0x83, 0x7a,
93 0x22, 0x0d, 0x03, 0x69, 0x32, 0x1a, 0x6d, 0xcb, 0x0c, 0x15, 0xb3, 0x6b, 0xc7,
94 0x0a, 0x8c, 0xb4, 0x5c, 0x34, 0x78, 0xe0, 0x3c, 0x9c, 0xe9, 0xf3, 0x30, 0x9f,
95 0xa8, 0x76, 0x57, 0x92, 0x36 };
96
97 static CHAR unisp_name_a[] = UNISP_NAME_A;
98
algid_to_str(ALG_ID alg)99 static const char *algid_to_str(ALG_ID alg)
100 {
101 static char buf[12];
102 switch(alg) {
103 #define X(x) case x: return #x
104 X(CALG_MD2);
105 X(CALG_MD4);
106 X(CALG_MD5);
107 X(CALG_SHA1); /* same as CALG_SHA */
108 X(CALG_MAC);
109 X(CALG_RSA_SIGN);
110 X(CALG_DSS_SIGN);
111 X(CALG_NO_SIGN);
112 X(CALG_RSA_KEYX);
113 X(CALG_DES);
114 X(CALG_3DES_112);
115 X(CALG_3DES);
116 X(CALG_DESX);
117 X(CALG_RC2);
118 X(CALG_RC4);
119 X(CALG_SEAL);
120 X(CALG_DH_SF);
121 X(CALG_DH_EPHEM);
122 X(CALG_AGREEDKEY_ANY);
123 X(CALG_KEA_KEYX);
124 X(CALG_HUGHES_MD5);
125 X(CALG_SKIPJACK);
126 X(CALG_TEK);
127 X(CALG_CYLINK_MEK);
128 X(CALG_SSL3_SHAMD5);
129 X(CALG_SSL3_MASTER);
130 X(CALG_SCHANNEL_MASTER_HASH);
131 X(CALG_SCHANNEL_MAC_KEY);
132 X(CALG_SCHANNEL_ENC_KEY);
133 X(CALG_PCT1_MASTER);
134 X(CALG_SSL2_MASTER);
135 X(CALG_TLS1_MASTER);
136 X(CALG_RC5);
137 X(CALG_HMAC);
138 X(CALG_TLS1PRF);
139 X(CALG_HASH_REPLACE_OWF);
140 X(CALG_AES_128);
141 X(CALG_AES_192);
142 X(CALG_AES_256);
143 X(CALG_AES);
144 X(CALG_SHA_256);
145 X(CALG_SHA_384);
146 X(CALG_SHA_512);
147 X(CALG_ECDH);
148 X(CALG_ECMQV);
149 X(CALG_ECDSA);
150 #undef X
151 }
152
153 sprintf(buf, "%x", alg);
154 return buf;
155 }
156
init_cred(SCHANNEL_CRED * cred)157 static void init_cred(SCHANNEL_CRED *cred)
158 {
159 cred->dwVersion = SCHANNEL_CRED_VERSION;
160 cred->cCreds = 0;
161 cred->paCred = 0;
162 cred->hRootStore = NULL;
163 cred->cMappers = 0;
164 cred->aphMappers = NULL;
165 cred->cSupportedAlgs = 0;
166 cred->palgSupportedAlgs = NULL;
167 cred->grbitEnabledProtocols = 0;
168 cred->dwMinimumCipherStrength = 0;
169 cred->dwMaximumCipherStrength = 0;
170 cred->dwSessionLifespan = 0;
171 cred->dwFlags = 0;
172 }
173
test_strength(PCredHandle handle)174 static void test_strength(PCredHandle handle)
175 {
176 SecPkgCred_CipherStrengths strength = {-1,-1};
177 SECURITY_STATUS st;
178
179 st = QueryCredentialsAttributesA(handle, SECPKG_ATTR_CIPHER_STRENGTHS, &strength);
180 ok(st == SEC_E_OK, "QueryCredentialsAttributesA failed: %u\n", GetLastError());
181 ok(strength.dwMinimumCipherStrength, "dwMinimumCipherStrength not changed\n");
182 ok(strength.dwMaximumCipherStrength, "dwMaximumCipherStrength not changed\n");
183 trace("strength %d - %d\n", strength.dwMinimumCipherStrength, strength.dwMaximumCipherStrength);
184 }
185
test_supported_protocols(CredHandle * handle,unsigned exprots)186 static void test_supported_protocols(CredHandle *handle, unsigned exprots)
187 {
188 SecPkgCred_SupportedProtocols protocols;
189 SECURITY_STATUS status;
190
191 status = QueryCredentialsAttributesA(handle, SECPKG_ATTR_SUPPORTED_PROTOCOLS, &protocols);
192 ok(status == SEC_E_OK, "QueryCredentialsAttributes failed: %08x\n", status);
193
194 if(exprots)
195 ok(protocols.grbitProtocol == exprots, "protocols.grbitProtocol = %x, expected %x\n", protocols.grbitProtocol, exprots);
196
197 trace("Supported protocols:\n");
198
199 #define X(flag, name) do { if(protocols.grbitProtocol & flag) { trace(name "\n"); protocols.grbitProtocol &= ~flag; } }while(0)
200 X(SP_PROT_SSL2_CLIENT, "SSL 2 client");
201 X(SP_PROT_SSL3_CLIENT, "SSL 3 client");
202 X(SP_PROT_TLS1_0_CLIENT, "TLS 1.0 client");
203 X(SP_PROT_TLS1_1_CLIENT, "TLS 1.1 client");
204 X(SP_PROT_TLS1_2_CLIENT, "TLS 1.2 client");
205 X(SP_PROT_TLS1_3_CLIENT, "TLS 1.3 client");
206 #undef X
207
208 if(protocols.grbitProtocol)
209 trace("Unknown flags: %x\n", protocols.grbitProtocol);
210 }
211
test_supported_algs(CredHandle * handle)212 static void test_supported_algs(CredHandle *handle)
213 {
214 SecPkgCred_SupportedAlgs algs;
215 SECURITY_STATUS status;
216 unsigned i;
217
218 status = QueryCredentialsAttributesA(handle, SECPKG_ATTR_SUPPORTED_ALGS, &algs);
219 todo_wine ok(status == SEC_E_OK, "QueryCredentialsAttributes failed: %08x\n", status);
220 if(status != SEC_E_OK)
221 return;
222
223 trace("Supported algorithms (%d):\n", algs.cSupportedAlgs);
224 for(i=0; i < algs.cSupportedAlgs; i++)
225 trace(" %s\n", algid_to_str(algs.palgSupportedAlgs[i]));
226
227 FreeContextBuffer(algs.palgSupportedAlgs);
228 }
229
test_cread_attrs(void)230 static void test_cread_attrs(void)
231 {
232 SCHANNEL_CRED schannel_cred;
233 SECURITY_STATUS status;
234 CredHandle cred;
235
236 status = AcquireCredentialsHandleA(NULL, unisp_name_a, SECPKG_CRED_OUTBOUND,
237 NULL, NULL, NULL, NULL, &cred, NULL);
238 ok(status == SEC_E_OK, "AcquireCredentialsHandleA failed: %x\n", status);
239
240 test_supported_protocols(&cred, 0);
241 test_supported_algs(&cred);
242
243 status = QueryCredentialsAttributesA(&cred, SECPKG_ATTR_SUPPORTED_PROTOCOLS, NULL);
244 ok(status == SEC_E_INTERNAL_ERROR, "QueryCredentialsAttributes failed: %08x, expected SEC_E_INTERNAL_ERROR\n", status);
245
246 status = QueryCredentialsAttributesA(&cred, SECPKG_ATTR_SUPPORTED_ALGS, NULL);
247 ok(status == SEC_E_INTERNAL_ERROR, "QueryCredentialsAttributes failed: %08x, expected SEC_E_INTERNAL_ERROR\n", status);
248
249 FreeCredentialsHandle(&cred);
250
251 init_cred(&schannel_cred);
252 schannel_cred.grbitEnabledProtocols = SP_PROT_TLS1_CLIENT;
253 status = AcquireCredentialsHandleA(NULL, unisp_name_a, SECPKG_CRED_OUTBOUND,
254 NULL, &schannel_cred, NULL, NULL, &cred, NULL);
255 ok(status == SEC_E_OK, "AcquireCredentialsHandleA failed: %x\n", status);
256
257 test_supported_protocols(&cred, SP_PROT_TLS1_CLIENT);
258 test_supported_algs(&cred);
259
260 FreeCredentialsHandle(&cred);
261 }
262
testAcquireSecurityContext(void)263 static void testAcquireSecurityContext(void)
264 {
265 BOOL has_schannel = FALSE;
266 SecPkgInfoA *package_info;
267 ULONG i;
268 SECURITY_STATUS st;
269 CredHandle cred;
270 SecPkgCredentials_NamesA names;
271 TimeStamp exp;
272 SCHANNEL_CRED schanCred;
273 PCCERT_CONTEXT certs[2];
274 HCRYPTPROV csp;
275 WCHAR ms_def_prov_w[MAX_PATH];
276 BOOL ret;
277 HCRYPTKEY key;
278 CRYPT_KEY_PROV_INFO keyProvInfo;
279
280
281 if (SUCCEEDED(EnumerateSecurityPackagesA(&i, &package_info)))
282 {
283 while(i--)
284 {
285 if (!strcmp(package_info[i].Name, unisp_name_a))
286 {
287 has_schannel = TRUE;
288 break;
289 }
290 }
291 FreeContextBuffer(package_info);
292 }
293 if (!has_schannel)
294 {
295 skip("Schannel not available\n");
296 return;
297 }
298
299 lstrcpyW(ms_def_prov_w, MS_DEF_PROV_W);
300
301 keyProvInfo.pwszContainerName = cspNameW;
302 keyProvInfo.pwszProvName = ms_def_prov_w;
303 keyProvInfo.dwProvType = PROV_RSA_FULL;
304 keyProvInfo.dwFlags = 0;
305 keyProvInfo.cProvParam = 0;
306 keyProvInfo.rgProvParam = NULL;
307 keyProvInfo.dwKeySpec = AT_SIGNATURE;
308
309 certs[0] = CertCreateCertificateContext(X509_ASN_ENCODING, bigCert, sizeof(bigCert));
310 certs[1] = CertCreateCertificateContext(X509_ASN_ENCODING, selfSignedCert, sizeof(selfSignedCert));
311
312 SetLastError(0xdeadbeef);
313 ret = CryptAcquireContextW(&csp, cspNameW, MS_DEF_PROV_W, PROV_RSA_FULL,
314 CRYPT_DELETEKEYSET);
315 if (!ret && GetLastError() == ERROR_CALL_NOT_IMPLEMENTED)
316 {
317 /* WinMe would crash on some tests */
318 win_skip("CryptAcquireContextW is not implemented\n");
319 return;
320 }
321
322 st = AcquireCredentialsHandleA(NULL, NULL, 0, NULL, NULL, NULL, NULL, NULL,
323 NULL);
324 ok(st == SEC_E_SECPKG_NOT_FOUND,
325 "Expected SEC_E_SECPKG_NOT_FOUND, got %08x\n", st);
326 if (0)
327 {
328 /* Crashes on Win2K */
329 st = AcquireCredentialsHandleA(NULL, unisp_name_a, 0, NULL, NULL, NULL,
330 NULL, NULL, NULL);
331 ok(st == SEC_E_NO_CREDENTIALS, "Expected SEC_E_NO_CREDENTIALS, got %08x\n", st);
332
333 /* Crashes on WinNT */
334 st = AcquireCredentialsHandleA(NULL, unisp_name_a, SECPKG_CRED_BOTH, NULL,
335 NULL, NULL, NULL, NULL, NULL);
336 ok(st == SEC_E_NO_CREDENTIALS, "Expected SEC_E_NO_CREDENTIALS, got %08x\n", st);
337
338 st = AcquireCredentialsHandleA(NULL, unisp_name_a, SECPKG_CRED_INBOUND,
339 NULL, NULL, NULL, NULL, NULL, NULL);
340 ok(st == SEC_E_NO_CREDENTIALS, "Expected SEC_E_NO_CREDENTIALS, got %08x\n", st);
341
342 /* Crashes */
343 AcquireCredentialsHandleA(NULL, unisp_name_a, SECPKG_CRED_OUTBOUND,
344 NULL, NULL, NULL, NULL, NULL, NULL);
345 }
346 st = AcquireCredentialsHandleA(NULL, unisp_name_a, SECPKG_CRED_OUTBOUND,
347 NULL, NULL, NULL, NULL, &cred, NULL);
348 ok(st == SEC_E_OK, "AcquireCredentialsHandleA failed: %08x\n", st);
349 if(st == SEC_E_OK)
350 FreeCredentialsHandle(&cred);
351 memset(&cred, 0, sizeof(cred));
352 st = AcquireCredentialsHandleA(NULL, unisp_name_a, SECPKG_CRED_OUTBOUND,
353 NULL, NULL, NULL, NULL, &cred, &exp);
354 ok(st == SEC_E_OK, "AcquireCredentialsHandleA failed: %08x\n", st);
355 /* expriy is indeterminate in win2k3 */
356 trace("expiry: %08x%08x\n", exp.HighPart, exp.LowPart);
357
358 st = QueryCredentialsAttributesA(&cred, SECPKG_CRED_ATTR_NAMES, &names);
359 ok(st == SEC_E_NO_CREDENTIALS || st == SEC_E_UNSUPPORTED_FUNCTION /* before Vista */, "expected SEC_E_NO_CREDENTIALS, got %08x\n", st);
360
361 FreeCredentialsHandle(&cred);
362
363 /* Bad version in SCHANNEL_CRED */
364 memset(&schanCred, 0, sizeof(schanCred));
365 st = AcquireCredentialsHandleA(NULL, unisp_name_a, SECPKG_CRED_OUTBOUND,
366 NULL, &schanCred, NULL, NULL, NULL, NULL);
367 ok(st == SEC_E_INTERNAL_ERROR ||
368 st == SEC_E_UNKNOWN_CREDENTIALS /* Vista/win2k8 */ ||
369 st == SEC_E_INVALID_TOKEN /* WinNT */, "st = %08x\n", st);
370 st = AcquireCredentialsHandleA(NULL, unisp_name_a, SECPKG_CRED_INBOUND,
371 NULL, &schanCred, NULL, NULL, NULL, NULL);
372 ok(st == SEC_E_INTERNAL_ERROR ||
373 st == SEC_E_UNKNOWN_CREDENTIALS /* Vista/win2k8 */ ||
374 st == SEC_E_INVALID_TOKEN /* WinNT */, "st = %08x\n", st);
375
376 /* No cert in SCHANNEL_CRED succeeds for outbound.. */
377 schanCred.dwVersion = SCHANNEL_CRED_VERSION;
378 st = AcquireCredentialsHandleA(NULL, unisp_name_a, SECPKG_CRED_OUTBOUND,
379 NULL, &schanCred, NULL, NULL, &cred, NULL);
380 ok(st == SEC_E_OK, "AcquireCredentialsHandleA failed: %08x\n", st);
381 FreeCredentialsHandle(&cred);
382 /* but fails for inbound. */
383 st = AcquireCredentialsHandleA(NULL, unisp_name_a, SECPKG_CRED_INBOUND,
384 NULL, &schanCred, NULL, NULL, &cred, NULL);
385 ok(st == SEC_E_NO_CREDENTIALS ||
386 st == SEC_E_OK /* Vista/win2k8 */,
387 "Expected SEC_E_NO_CREDENTIALS or SEC_E_OK, got %08x\n", st);
388
389 if (0)
390 {
391 /* Crashes with bad paCred pointer */
392 schanCred.cCreds = 1;
393 AcquireCredentialsHandleA(NULL, unisp_name_a, SECPKG_CRED_OUTBOUND,
394 NULL, &schanCred, NULL, NULL, NULL, NULL);
395 }
396
397 /* Bogus cert in SCHANNEL_CRED. Windows fails with
398 * SEC_E_UNKNOWN_CREDENTIALS, but I'll accept SEC_E_NO_CREDENTIALS too.
399 */
400 schanCred.cCreds = 1;
401 schanCred.paCred = &certs[0];
402 st = AcquireCredentialsHandleA(NULL, unisp_name_a, SECPKG_CRED_OUTBOUND,
403 NULL, &schanCred, NULL, NULL, NULL, NULL);
404 ok(st == SEC_E_UNKNOWN_CREDENTIALS ||
405 st == SEC_E_NO_CREDENTIALS ||
406 st == SEC_E_INVALID_TOKEN /* WinNT */, "st = %08x\n", st);
407 st = AcquireCredentialsHandleA(NULL, unisp_name_a, SECPKG_CRED_INBOUND,
408 NULL, &schanCred, NULL, NULL, NULL, NULL);
409 ok(st == SEC_E_UNKNOWN_CREDENTIALS ||
410 st == SEC_E_NO_CREDENTIALS ||
411 st == SEC_E_INVALID_TOKEN /* WinNT */, "st = %08x\n", st);
412
413 /* Good cert, but missing private key. Windows fails with
414 * SEC_E_NO_CREDENTIALS, but I'll accept SEC_E_UNKNOWN_CREDENTIALS too.
415 */
416 schanCred.cCreds = 1;
417 schanCred.paCred = &certs[1];
418 st = AcquireCredentialsHandleA(NULL, unisp_name_a, SECPKG_CRED_OUTBOUND,
419 NULL, &schanCred, NULL, NULL, &cred, NULL);
420 ok(st == SEC_E_UNKNOWN_CREDENTIALS || st == SEC_E_NO_CREDENTIALS ||
421 st == SEC_E_INTERNAL_ERROR, /* win2k */
422 "Expected SEC_E_UNKNOWN_CREDENTIALS, SEC_E_NO_CREDENTIALS "
423 "or SEC_E_INTERNAL_ERROR, got %08x\n", st);
424 st = AcquireCredentialsHandleA(NULL, unisp_name_a, SECPKG_CRED_INBOUND,
425 NULL, &schanCred, NULL, NULL, NULL, NULL);
426 ok(st == SEC_E_UNKNOWN_CREDENTIALS || st == SEC_E_NO_CREDENTIALS ||
427 st == SEC_E_INTERNAL_ERROR, /* win2k */
428 "Expected SEC_E_UNKNOWN_CREDENTIALS, SEC_E_NO_CREDENTIALS "
429 "or SEC_E_INTERNAL_ERROR, got %08x\n", st);
430
431 /* Good cert, with CRYPT_KEY_PROV_INFO set before it's had a key loaded. */
432 ret = CertSetCertificateContextProperty(certs[1],
433 CERT_KEY_PROV_INFO_PROP_ID, 0, &keyProvInfo);
434 schanCred.dwVersion = SCH_CRED_V3;
435 ok(ret, "CertSetCertificateContextProperty failed: %08x\n", GetLastError());
436 st = AcquireCredentialsHandleA(NULL, unisp_name_a, SECPKG_CRED_OUTBOUND,
437 NULL, &schanCred, NULL, NULL, &cred, NULL);
438 ok(st == SEC_E_UNKNOWN_CREDENTIALS || st == SEC_E_INTERNAL_ERROR /* WinNT */ ||
439 st == SEC_E_INSUFFICIENT_MEMORY /* win10 */,
440 "Expected SEC_E_UNKNOWN_CREDENTIALS or SEC_E_INTERNAL_ERROR, got %08x\n", st);
441 st = AcquireCredentialsHandleA(NULL, unisp_name_a, SECPKG_CRED_INBOUND,
442 NULL, &schanCred, NULL, NULL, &cred, NULL);
443 ok(st == SEC_E_UNKNOWN_CREDENTIALS || st == SEC_E_INTERNAL_ERROR /* WinNT */ ||
444 st == SEC_E_INSUFFICIENT_MEMORY /* win10 */,
445 "Expected SEC_E_UNKNOWN_CREDENTIALS or SEC_E_INTERNAL_ERROR, got %08x\n", st);
446
447 ret = CryptAcquireContextW(&csp, cspNameW, MS_DEF_PROV_W, PROV_RSA_FULL,
448 CRYPT_NEWKEYSET);
449 ok(ret, "CryptAcquireContextW failed: %08x\n", GetLastError());
450 ret = 0;
451
452 ret = CryptImportKey(csp, privKey, sizeof(privKey), 0, 0, &key);
453 ok(ret, "CryptImportKey failed: %08x\n", GetLastError());
454 if (ret)
455 {
456 PCCERT_CONTEXT tmp;
457
458 if (0)
459 {
460 /* Crashes */
461 AcquireCredentialsHandleA(NULL, unisp_name_a, SECPKG_CRED_INBOUND,
462 NULL, &schanCred, NULL, NULL, NULL, NULL);
463
464 /* Crashes on WinNT */
465 /* Good cert with private key, bogus version */
466 schanCred.dwVersion = SCH_CRED_V1;
467 st = AcquireCredentialsHandleA(NULL, unisp_name_a, SECPKG_CRED_OUTBOUND,
468 NULL, &schanCred, NULL, NULL, &cred, NULL);
469 ok(st == SEC_E_INTERNAL_ERROR ||
470 st == SEC_E_UNKNOWN_CREDENTIALS /* Vista/win2k8 */,
471 "Expected SEC_E_INTERNAL_ERROR or SEC_E_UNKNOWN_CREDENTIALS, got %08x\n", st);
472 st = AcquireCredentialsHandleA(NULL, unisp_name_a, SECPKG_CRED_INBOUND,
473 NULL, &schanCred, NULL, NULL, &cred, NULL);
474 ok(st == SEC_E_INTERNAL_ERROR ||
475 st == SEC_E_UNKNOWN_CREDENTIALS /* Vista/win2k8 */,
476 "Expected SEC_E_INTERNAL_ERROR or SEC_E_UNKNOWN_CREDENTIALS, got %08x\n", st);
477 schanCred.dwVersion = SCH_CRED_V2;
478 st = AcquireCredentialsHandleA(NULL, unisp_name_a, SECPKG_CRED_OUTBOUND,
479 NULL, &schanCred, NULL, NULL, &cred, NULL);
480 ok(st == SEC_E_INTERNAL_ERROR ||
481 st == SEC_E_UNKNOWN_CREDENTIALS /* Vista/win2k8 */,
482 "Expected SEC_E_INTERNAL_ERROR or SEC_E_UNKNOWN_CREDENTIALS, got %08x\n", st);
483 st = AcquireCredentialsHandleA(NULL, unisp_name_a, SECPKG_CRED_INBOUND,
484 NULL, &schanCred, NULL, NULL, &cred, NULL);
485 ok(st == SEC_E_INTERNAL_ERROR ||
486 st == SEC_E_UNKNOWN_CREDENTIALS /* Vista/win2k8 */,
487 "Expected SEC_E_INTERNAL_ERROR or SEC_E_UNKNOWN_CREDENTIALS, got %08x\n", st);
488 }
489
490 /* Succeeds on V3 or higher */
491 schanCred.dwVersion = SCH_CRED_V3;
492 st = AcquireCredentialsHandleA(NULL, unisp_name_a, SECPKG_CRED_OUTBOUND,
493 NULL, &schanCred, NULL, NULL, &cred, NULL);
494 ok(st == SEC_E_OK || st == SEC_E_INSUFFICIENT_MEMORY /* win10 */,
495 "AcquireCredentialsHandleA failed: %08x\n", st);
496 FreeCredentialsHandle(&cred);
497 st = AcquireCredentialsHandleA(NULL, unisp_name_a, SECPKG_CRED_INBOUND,
498 NULL, &schanCred, NULL, NULL, &cred, NULL);
499 ok(st == SEC_E_OK || st == SEC_E_UNKNOWN_CREDENTIALS /* win2k3 */ ||
500 st == SEC_E_INSUFFICIENT_MEMORY /* win10 */,
501 "AcquireCredentialsHandleA failed: %08x\n", st);
502 FreeCredentialsHandle(&cred);
503 schanCred.dwVersion = SCHANNEL_CRED_VERSION;
504 st = AcquireCredentialsHandleA(NULL, unisp_name_a, SECPKG_CRED_OUTBOUND,
505 NULL, &schanCred, NULL, NULL, &cred, NULL);
506 ok(st == SEC_E_OK, "AcquireCredentialsHandleA failed: %08x\n", st);
507 FreeCredentialsHandle(&cred);
508 st = AcquireCredentialsHandleA(NULL, unisp_name_a, SECPKG_CRED_INBOUND,
509 NULL, &schanCred, NULL, NULL, &cred, NULL);
510 ok(st == SEC_E_OK ||
511 st == SEC_E_UNKNOWN_CREDENTIALS, /* win2k3 */
512 "AcquireCredentialsHandleA failed: %08x\n", st);
513 if (st == SEC_E_OK) test_strength(&cred);
514 FreeCredentialsHandle(&cred);
515
516 /* How about more than one cert? */
517 schanCred.cCreds = 2;
518 schanCred.paCred = certs;
519 st = AcquireCredentialsHandleA(NULL, unisp_name_a, SECPKG_CRED_OUTBOUND,
520 NULL, &schanCred, NULL, NULL, &cred, NULL);
521 ok(st == SEC_E_UNKNOWN_CREDENTIALS ||
522 st == SEC_E_NO_CREDENTIALS /* Vista/win2k8 */ ||
523 st == SEC_E_INVALID_TOKEN /* WinNT */, "st = %08x\n", st);
524 st = AcquireCredentialsHandleA(NULL, unisp_name_a, SECPKG_CRED_INBOUND,
525 NULL, &schanCred, NULL, NULL, &cred, NULL);
526 ok(st == SEC_E_UNKNOWN_CREDENTIALS ||
527 st == SEC_E_NO_CREDENTIALS ||
528 st == SEC_E_INVALID_TOKEN /* WinNT */, "st = %08x\n", st);
529 tmp = certs[0];
530 certs[0] = certs[1];
531 certs[1] = tmp;
532 st = AcquireCredentialsHandleA(NULL, unisp_name_a, SECPKG_CRED_OUTBOUND,
533 NULL, &schanCred, NULL, NULL, &cred, NULL);
534 ok(st == SEC_E_UNKNOWN_CREDENTIALS ||
535 st == SEC_E_NO_CREDENTIALS ||
536 st == SEC_E_INVALID_TOKEN /* WinNT */, "st = %08x\n", st);
537 st = AcquireCredentialsHandleA(NULL, unisp_name_a, SECPKG_CRED_INBOUND,
538 NULL, &schanCred, NULL, NULL, &cred, NULL);
539 ok(st == SEC_E_UNKNOWN_CREDENTIALS || st == SEC_E_NO_CREDENTIALS,
540 "Expected SEC_E_UNKNOWN_CREDENTIALS, got %08x\n", st);
541 /* FIXME: what about two valid certs? */
542
543 CryptDestroyKey(key);
544 }
545
546 CryptReleaseContext(csp, 0);
547 CryptAcquireContextW(&csp, cspNameW, MS_DEF_PROV_W, PROV_RSA_FULL, CRYPT_DELETEKEYSET);
548
549 CertFreeCertificateContext(certs[0]);
550 CertFreeCertificateContext(certs[1]);
551 }
552
test_remote_cert(PCCERT_CONTEXT remote_cert)553 static void test_remote_cert(PCCERT_CONTEXT remote_cert)
554 {
555 PCCERT_CONTEXT iter = NULL;
556 BOOL incl_remote = FALSE;
557 unsigned cert_cnt = 0;
558
559 ok(remote_cert->hCertStore != NULL, "hCertStore == NULL\n");
560
561 while((iter = CertEnumCertificatesInStore(remote_cert->hCertStore, iter))) {
562 if(iter == remote_cert)
563 incl_remote = TRUE;
564 cert_cnt++;
565 }
566
567 ok(cert_cnt == 2, "cert_cnt = %u\n", cert_cnt);
568 ok(incl_remote, "context does not contain cert itself\n");
569 }
570
571 static const char http_request[] = "HEAD /test.html HTTP/1.1\r\nHost: test.winehq.org\r\nConnection: close\r\n\r\n";
572
init_buffers(SecBufferDesc * desc,unsigned count,unsigned size)573 static void init_buffers(SecBufferDesc *desc, unsigned count, unsigned size)
574 {
575 desc->ulVersion = SECBUFFER_VERSION;
576 desc->cBuffers = count;
577 desc->pBuffers = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, count*sizeof(SecBuffer));
578
579 desc->pBuffers[0].cbBuffer = size;
580 desc->pBuffers[0].pvBuffer = HeapAlloc(GetProcessHeap(), 0, size);
581 }
582
reset_buffers(SecBufferDesc * desc)583 static void reset_buffers(SecBufferDesc *desc)
584 {
585 unsigned i;
586
587 for (i = 0; i < desc->cBuffers; ++i)
588 {
589 desc->pBuffers[i].BufferType = SECBUFFER_EMPTY;
590 if (i > 0)
591 {
592 desc->pBuffers[i].cbBuffer = 0;
593 desc->pBuffers[i].pvBuffer = NULL;
594 }
595 }
596 }
597
free_buffers(SecBufferDesc * desc)598 static void free_buffers(SecBufferDesc *desc)
599 {
600 HeapFree(GetProcessHeap(), 0, desc->pBuffers[0].pvBuffer);
601 HeapFree(GetProcessHeap(), 0, desc->pBuffers);
602 }
603
receive_data(SOCKET sock,SecBuffer * buf)604 static int receive_data(SOCKET sock, SecBuffer *buf)
605 {
606 unsigned received = 0;
607
608 while (1)
609 {
610 unsigned char *data = buf->pvBuffer;
611 unsigned expected = 0;
612 int ret;
613
614 ret = recv(sock, (char *)data+received, buf->cbBuffer-received, 0);
615 if (ret == -1)
616 {
617 skip("recv failed\n");
618 return -1;
619 }
620 else if(ret == 0)
621 {
622 skip("connection closed\n");
623 return -1;
624 }
625 received += ret;
626
627 while (expected < received)
628 {
629 unsigned frame_size = 5 + ((data[3]<<8) | data[4]);
630 expected += frame_size;
631 data += frame_size;
632 }
633
634 if (expected == received)
635 break;
636 }
637
638 buf->cbBuffer = received;
639
640 return received;
641 }
642
test_InitializeSecurityContext(void)643 static void test_InitializeSecurityContext(void)
644 {
645 SCHANNEL_CRED cred;
646 CredHandle cred_handle;
647 CtxtHandle context;
648 SECURITY_STATUS status;
649 SecBuffer out_buffer = {1000, SECBUFFER_TOKEN, NULL};
650 SecBuffer in_buffer = {0, SECBUFFER_EMPTY, NULL};
651 SecBufferDesc out_buffers = {SECBUFFER_VERSION, 1, &out_buffer};
652 SecBufferDesc in_buffers = {SECBUFFER_VERSION, 1, &in_buffer};
653 ULONG attrs;
654
655 init_cred(&cred);
656 cred.grbitEnabledProtocols = SP_PROT_TLS1_CLIENT;
657 cred.dwFlags = SCH_CRED_NO_DEFAULT_CREDS|SCH_CRED_MANUAL_CRED_VALIDATION;
658 status = AcquireCredentialsHandleA(NULL, (SEC_CHAR *)UNISP_NAME_A, SECPKG_CRED_OUTBOUND, NULL,
659 &cred, NULL, NULL, &cred_handle, NULL);
660 ok(status == SEC_E_OK, "AcquireCredentialsHandleA failed: %08x\n", status);
661 if (status != SEC_E_OK) return;
662
663 status = InitializeSecurityContextA(&cred_handle, NULL, (SEC_CHAR *)"localhost",
664 ISC_REQ_CONFIDENTIALITY|ISC_REQ_STREAM|ISC_REQ_ALLOCATE_MEMORY,
665 0, 0, &in_buffers, 0, &context, &out_buffers, &attrs, NULL);
666 ok(status == SEC_I_CONTINUE_NEEDED, "Expected SEC_I_CONTINUE_NEEDED, got %08x\n", status);
667
668 FreeContextBuffer(out_buffer.pvBuffer);
669 DeleteSecurityContext(&context);
670 FreeCredentialsHandle(&cred_handle);
671 }
672
test_communication(void)673 static void test_communication(void)
674 {
675 int ret;
676
677 WSADATA wsa_data;
678 SOCKET sock;
679 struct hostent *host;
680 struct sockaddr_in addr;
681
682 SECURITY_STATUS status;
683 ULONG attrs;
684
685 SCHANNEL_CRED cred;
686 CredHandle cred_handle;
687 CtxtHandle context;
688 SecPkgCredentials_NamesA names;
689 SecPkgContext_StreamSizes sizes;
690 SecPkgContext_ConnectionInfo conn_info;
691 SecPkgContext_KeyInfoA key_info;
692 CERT_CONTEXT *cert;
693 SecPkgContext_NegotiationInfoA info;
694
695 SecBufferDesc buffers[2];
696 SecBuffer *buf;
697 unsigned buf_size = 8192;
698 unsigned char *data;
699 unsigned data_size;
700
701 if (!pQueryContextAttributesA)
702 {
703 win_skip("Required secur32 functions not available\n");
704 return;
705 }
706
707 /* Create a socket and connect to test.winehq.org */
708 ret = WSAStartup(0x0202, &wsa_data);
709 if (ret)
710 {
711 skip("Can't init winsock 2.2\n");
712 return;
713 }
714
715 host = gethostbyname("test.winehq.org");
716 if (!host)
717 {
718 skip("Can't resolve test.winehq.org\n");
719 return;
720 }
721
722 addr.sin_family = host->h_addrtype;
723 addr.sin_addr = *(struct in_addr *)host->h_addr_list[0];
724 addr.sin_port = htons(443);
725 sock = socket(host->h_addrtype, SOCK_STREAM, 0);
726 if (sock == SOCKET_ERROR)
727 {
728 skip("Can't create socket\n");
729 return;
730 }
731
732 ret = connect(sock, (struct sockaddr *)&addr, sizeof(addr));
733 if (ret == SOCKET_ERROR)
734 {
735 skip("Can't connect to test.winehq.org\n");
736 return;
737 }
738
739 /* Create client credentials */
740 init_cred(&cred);
741 cred.grbitEnabledProtocols = SP_PROT_TLS1_CLIENT;
742 cred.dwFlags = SCH_CRED_NO_DEFAULT_CREDS|SCH_CRED_MANUAL_CRED_VALIDATION;
743
744 status = AcquireCredentialsHandleA(NULL, (SEC_CHAR *)UNISP_NAME_A, SECPKG_CRED_OUTBOUND, NULL,
745 &cred, NULL, NULL, &cred_handle, NULL);
746 ok(status == SEC_E_OK, "AcquireCredentialsHandleA failed: %08x\n", status);
747 if (status != SEC_E_OK) return;
748
749 /* Initialize the connection */
750 init_buffers(&buffers[0], 4, buf_size);
751 init_buffers(&buffers[1], 4, buf_size);
752
753 buffers[0].pBuffers[0].BufferType = SECBUFFER_TOKEN;
754 status = InitializeSecurityContextA(&cred_handle, NULL, (SEC_CHAR *)"localhost",
755 ISC_REQ_CONFIDENTIALITY|ISC_REQ_STREAM,
756 0, 0, NULL, 0, &context, &buffers[0], &attrs, NULL);
757 ok(status == SEC_I_CONTINUE_NEEDED, "Expected SEC_I_CONTINUE_NEEDED, got %08x\n", status);
758
759 buffers[1].cBuffers = 1;
760 buffers[1].pBuffers[0].BufferType = SECBUFFER_TOKEN;
761 buffers[0].pBuffers[0].cbBuffer = 1;
762 memset(buffers[1].pBuffers[0].pvBuffer, 0xfa, buf_size);
763 status = InitializeSecurityContextA(&cred_handle, &context, (SEC_CHAR *)"localhost",
764 ISC_REQ_CONFIDENTIALITY|ISC_REQ_STREAM,
765 0, 0, &buffers[1], 0, NULL, &buffers[0], &attrs, NULL);
766 todo_wine
767 ok(status == SEC_E_INVALID_TOKEN, "Expected SEC_E_INVALID_TOKEN, got %08x\n", status);
768 todo_wine
769 ok(buffers[0].pBuffers[0].cbBuffer == 0, "Output buffer size was not set to 0.\n");
770
771 buffers[1].cBuffers = 1;
772 buffers[1].pBuffers[0].BufferType = SECBUFFER_TOKEN;
773 buffers[0].pBuffers[0].cbBuffer = 1;
774 memset(buffers[1].pBuffers[0].pvBuffer, 0, buf_size);
775 status = InitializeSecurityContextA(&cred_handle, &context, (SEC_CHAR *)"localhost",
776 ISC_REQ_CONFIDENTIALITY|ISC_REQ_STREAM,
777 0, 0, &buffers[1], 0, NULL, &buffers[0], &attrs, NULL);
778 ok(status == SEC_E_INVALID_TOKEN, "Expected SEC_E_INVALID_TOKEN, got %08x\n", status);
779 ok(buffers[0].pBuffers[0].cbBuffer == 0, "Output buffer size was not set to 0.\n");
780
781 buffers[0].pBuffers[0].cbBuffer = 0;
782 status = InitializeSecurityContextA(&cred_handle, &context, (SEC_CHAR *)"localhost",
783 ISC_REQ_CONFIDENTIALITY|ISC_REQ_STREAM,
784 0, 0, &buffers[1], 0, NULL, &buffers[0], &attrs, NULL);
785 todo_wine
786 ok(status == SEC_E_INSUFFICIENT_MEMORY || status == SEC_E_INVALID_TOKEN,
787 "Expected SEC_E_INSUFFICIENT_MEMORY or SEC_E_INVALID_TOKEN, got %08x\n", status);
788 ok(buffers[0].pBuffers[0].cbBuffer == 0, "Output buffer size was not set to 0.\n");
789
790 status = InitializeSecurityContextA(&cred_handle, NULL, (SEC_CHAR *)"localhost",
791 ISC_REQ_CONFIDENTIALITY|ISC_REQ_STREAM,
792 0, 0, NULL, 0, &context, NULL, &attrs, NULL);
793 todo_wine
794 ok(status == SEC_E_INVALID_TOKEN, "Expected SEC_E_INVALID_TOKEN, got %08x\n", status);
795
796 buffers[0].pBuffers[0].cbBuffer = buf_size;
797 status = InitializeSecurityContextA(&cred_handle, NULL, (SEC_CHAR *)"localhost",
798 ISC_REQ_CONFIDENTIALITY|ISC_REQ_STREAM,
799 0, 0, NULL, 0, &context, &buffers[0], &attrs, NULL);
800 ok(status == SEC_I_CONTINUE_NEEDED, "Expected SEC_I_CONTINUE_NEEDED, got %08x\n", status);
801
802 buf = &buffers[0].pBuffers[0];
803 send(sock, buf->pvBuffer, buf->cbBuffer, 0);
804 buf->cbBuffer = buf_size;
805
806 status = InitializeSecurityContextA(&cred_handle, &context, (SEC_CHAR *)"localhost",
807 ISC_REQ_CONFIDENTIALITY|ISC_REQ_STREAM,
808 0, 0, NULL, 0, NULL, &buffers[0], &attrs, NULL);
809 ok(status == SEC_E_INCOMPLETE_MESSAGE, "Got unexpected status %#x.\n", status);
810 ok(buffers[0].pBuffers[0].cbBuffer == buf_size, "Output buffer size changed.\n");
811 ok(buffers[0].pBuffers[0].BufferType == SECBUFFER_TOKEN, "Output buffer type changed.\n");
812
813 buffers[1].cBuffers = 1;
814 buffers[1].pBuffers[0].cbBuffer = 0;
815
816 status = InitializeSecurityContextA(&cred_handle, &context, (SEC_CHAR *)"localhost",
817 ISC_REQ_CONFIDENTIALITY|ISC_REQ_STREAM,
818 0, 0, &buffers[1], 0, NULL, &buffers[0], &attrs, NULL);
819 ok(status == SEC_E_INCOMPLETE_MESSAGE, "Got unexpected status %#x.\n", status);
820 ok(buffers[0].pBuffers[0].cbBuffer == buf_size, "Output buffer size changed.\n");
821 ok(buffers[0].pBuffers[0].BufferType == SECBUFFER_TOKEN, "Output buffer type changed.\n");
822
823 buf = &buffers[1].pBuffers[0];
824 buf->cbBuffer = buf_size;
825 ret = receive_data(sock, buf);
826 if (ret == -1)
827 return;
828
829 buffers[1].pBuffers[0].cbBuffer = 4;
830 status = InitializeSecurityContextA(&cred_handle, &context, (SEC_CHAR *)"localhost",
831 ISC_REQ_CONFIDENTIALITY|ISC_REQ_STREAM,
832 0, 0, &buffers[1], 0, NULL, &buffers[0], &attrs, NULL);
833 ok(status == SEC_E_INCOMPLETE_MESSAGE || status == SEC_E_INVALID_TOKEN,
834 "Got unexpected status %#x.\n", status);
835 ok(buffers[0].pBuffers[0].cbBuffer == buf_size, "Output buffer size changed.\n");
836 ok(buffers[0].pBuffers[0].BufferType == SECBUFFER_TOKEN, "Output buffer type changed.\n");
837
838 buffers[1].pBuffers[0].cbBuffer = 5;
839 status = InitializeSecurityContextA(&cred_handle, &context, (SEC_CHAR *)"localhost",
840 ISC_REQ_CONFIDENTIALITY|ISC_REQ_STREAM,
841 0, 0, &buffers[1], 0, NULL, &buffers[0], &attrs, NULL);
842 ok(status == SEC_E_INCOMPLETE_MESSAGE || status == SEC_E_INVALID_TOKEN,
843 "Got unexpected status %#x.\n", status);
844 ok(buffers[0].pBuffers[0].cbBuffer == buf_size, "Output buffer size changed.\n");
845 ok(buffers[0].pBuffers[0].BufferType == SECBUFFER_TOKEN, "Output buffer type changed.\n");
846
847 buffers[1].pBuffers[0].cbBuffer = ret;
848 status = InitializeSecurityContextA(&cred_handle, &context, (SEC_CHAR *)"localhost",
849 ISC_REQ_CONFIDENTIALITY|ISC_REQ_STREAM|ISC_REQ_USE_SUPPLIED_CREDS,
850 0, 0, &buffers[1], 0, NULL, &buffers[0], &attrs, NULL);
851 buffers[1].pBuffers[0].cbBuffer = buf_size;
852 while (status == SEC_I_CONTINUE_NEEDED)
853 {
854 buf = &buffers[0].pBuffers[0];
855 send(sock, buf->pvBuffer, buf->cbBuffer, 0);
856 buf->cbBuffer = buf_size;
857
858 buf = &buffers[1].pBuffers[0];
859 ret = receive_data(sock, buf);
860 if (ret == -1)
861 return;
862
863 buf->BufferType = SECBUFFER_TOKEN;
864
865 status = InitializeSecurityContextA(&cred_handle, &context, (SEC_CHAR *)"localhost",
866 ISC_REQ_USE_SUPPLIED_CREDS,
867 0, 0, &buffers[1], 0, NULL, &buffers[0], &attrs, NULL);
868 buffers[1].pBuffers[0].cbBuffer = buf_size;
869 }
870
871 ok(buffers[0].pBuffers[0].cbBuffer == 0, "Output buffer size was not set to 0.\n");
872 ok(status == SEC_E_OK || broken(status == SEC_E_ILLEGAL_MESSAGE) /* winxp */,
873 "InitializeSecurityContext failed: %08x\n", status);
874 if(status != SEC_E_OK) {
875 skip("Handshake failed\n");
876 return;
877 }
878 ok(attrs == (ISC_RET_REPLAY_DETECT|ISC_RET_SEQUENCE_DETECT|ISC_RET_CONFIDENTIALITY|ISC_RET_STREAM|ISC_RET_USED_SUPPLIED_CREDS),
879 "got %08x\n", attrs);
880
881 status = QueryCredentialsAttributesA(&cred_handle, SECPKG_CRED_ATTR_NAMES, &names);
882 ok(status == SEC_E_NO_CREDENTIALS || status == SEC_E_UNSUPPORTED_FUNCTION /* before Vista */, "expected SEC_E_NO_CREDENTIALS, got %08x\n", status);
883
884 status = pQueryContextAttributesA(&context, SECPKG_ATTR_REMOTE_CERT_CONTEXT, (void*)&cert);
885 ok(status == SEC_E_OK, "QueryContextAttributesW(SECPKG_ATTR_REMOTE_CERT_CONTEXT) failed: %08x\n", status);
886 if(status == SEC_E_OK) {
887 SecPkgContext_Bindings bindings = {0xdeadbeef, (void*)0xdeadbeef};
888
889 test_remote_cert(cert);
890
891 status = pQueryContextAttributesA(&context, SECPKG_ATTR_ENDPOINT_BINDINGS, &bindings);
892 ok(status == SEC_E_OK || broken(status == SEC_E_UNSUPPORTED_FUNCTION),
893 "QueryContextAttributesW(SECPKG_ATTR_ENDPOINT_BINDINGS) failed: %08x\n", status);
894 if(status == SEC_E_OK) {
895 static const char prefix[] = "tls-server-end-point:";
896 const char *p;
897 BYTE hash[64];
898 DWORD hash_size;
899
900 ok(bindings.BindingsLength == sizeof(*bindings.Bindings) + sizeof(prefix)-1 + 32 /* hash size */,
901 "bindings.BindingsLength = %u\n", bindings.BindingsLength);
902 ok(!bindings.Bindings->dwInitiatorAddrType, "dwInitiatorAddrType = %x\n", bindings.Bindings->dwInitiatorAddrType);
903 ok(!bindings.Bindings->cbInitiatorLength, "cbInitiatorLength = %x\n", bindings.Bindings->cbInitiatorLength);
904 ok(!bindings.Bindings->dwInitiatorOffset, "dwInitiatorOffset = %x\n", bindings.Bindings->dwInitiatorOffset);
905 ok(!bindings.Bindings->dwAcceptorAddrType, "dwAcceptorAddrType = %x\n", bindings.Bindings->dwAcceptorAddrType);
906 ok(!bindings.Bindings->cbAcceptorLength, "cbAcceptorLength = %x\n", bindings.Bindings->cbAcceptorLength);
907 ok(!bindings.Bindings->dwAcceptorOffset, "dwAcceptorOffset = %x\n", bindings.Bindings->dwAcceptorOffset);
908 ok(sizeof(*bindings.Bindings) + bindings.Bindings->cbApplicationDataLength == bindings.BindingsLength,
909 "cbApplicationDataLength = %x\n", bindings.Bindings->cbApplicationDataLength);
910 ok(bindings.Bindings->dwApplicationDataOffset == sizeof(*bindings.Bindings),
911 "dwApplicationDataOffset = %x\n", bindings.Bindings->dwApplicationDataOffset);
912 p = (const char*)(bindings.Bindings+1);
913 ok(!memcmp(p, prefix, sizeof(prefix)-1), "missing prefix\n");
914 p += sizeof(prefix)-1;
915
916 hash_size = sizeof(hash);
917 ret = CryptHashCertificate(0, CALG_SHA_256, 0, cert->pbCertEncoded, cert->cbCertEncoded, hash, &hash_size);
918 if(ret) {
919 ok(hash_size == 32, "hash_size = %u\n", hash_size);
920 ok(!memcmp(hash, p, hash_size), "unexpected hash part\n");
921 }else {
922 win_skip("SHA 256 hash not supported.\n");
923 }
924
925 FreeContextBuffer(bindings.Bindings);
926 }else {
927 win_skip("SECPKG_ATTR_ENDPOINT_BINDINGS not supported\n");
928 }
929
930 CertFreeCertificateContext(cert);
931 }
932
933 status = pQueryContextAttributesA(&context, SECPKG_ATTR_CONNECTION_INFO, (void*)&conn_info);
934 ok(status == SEC_E_OK, "QueryContextAttributesW(SECPKG_ATTR_CONNECTION_INFO) failed: %08x\n", status);
935 if(status == SEC_E_OK) {
936 ok(conn_info.dwCipherStrength >= 128, "conn_info.dwCipherStrength = %d\n", conn_info.dwCipherStrength);
937 ok(conn_info.dwHashStrength >= 128, "conn_info.dwHashStrength = %d\n", conn_info.dwHashStrength);
938 }
939
940 status = pQueryContextAttributesA(&context, SECPKG_ATTR_KEY_INFO, &key_info);
941 ok(status == SEC_E_OK, "QueryContextAttributesW(SECPKG_ATTR_KEY_INFO) failed: %08x\n", status);
942 if(status == SEC_E_OK) {
943 ok(broken(key_info.SignatureAlgorithm == 0 /* WinXP,2003 */) ||
944 key_info.SignatureAlgorithm == CALG_RSA_SIGN,
945 "key_info.SignatureAlgorithm = %04x\n", key_info.SignatureAlgorithm);
946 ok(broken(key_info.SignatureAlgorithm == 0 /* WinXP,2003 */) ||
947 !strcmp(key_info.sSignatureAlgorithmName, "RSA"),
948 "key_info.sSignatureAlgorithmName = %s\n", key_info.sSignatureAlgorithmName);
949 ok(key_info.KeySize >= 128, "key_info.KeySize = %d\n", key_info.KeySize);
950 }
951
952 status = pQueryContextAttributesA(&context, SECPKG_ATTR_STREAM_SIZES, &sizes);
953 ok(status == SEC_E_OK, "QueryContextAttributesW(SECPKG_ATTR_STREAM_SIZES) failed: %08x\n", status);
954
955 status = QueryContextAttributesA(&context, SECPKG_ATTR_NEGOTIATION_INFO, &info);
956 ok(status == SEC_E_UNSUPPORTED_FUNCTION, "QueryContextAttributesA returned %08x\n", status);
957
958 reset_buffers(&buffers[0]);
959
960 /* Send a simple request so we get data for testing DecryptMessage */
961 buf = &buffers[0].pBuffers[0];
962 data = buf->pvBuffer;
963 buf->BufferType = SECBUFFER_STREAM_HEADER;
964 buf->cbBuffer = sizes.cbHeader;
965 ++buf;
966 buf->BufferType = SECBUFFER_DATA;
967 buf->pvBuffer = data + sizes.cbHeader;
968 buf->cbBuffer = sizeof(http_request) - 1;
969 memcpy(buf->pvBuffer, http_request, sizeof(http_request) - 1);
970 ++buf;
971 buf->BufferType = SECBUFFER_STREAM_TRAILER;
972 buf->pvBuffer = data + sizes.cbHeader + sizeof(http_request) -1;
973 buf->cbBuffer = sizes.cbTrailer;
974
975 status = EncryptMessage(&context, 0, &buffers[0], 0);
976 ok(status == SEC_E_OK, "EncryptMessage failed: %08x\n", status);
977 if (status != SEC_E_OK)
978 return;
979
980 buf = &buffers[0].pBuffers[0];
981 send(sock, buf->pvBuffer, buffers[0].pBuffers[0].cbBuffer + buffers[0].pBuffers[1].cbBuffer + buffers[0].pBuffers[2].cbBuffer, 0);
982
983 reset_buffers(&buffers[0]);
984 buf->cbBuffer = buf_size;
985 data_size = receive_data(sock, buf);
986
987 /* Too few buffers */
988 --buffers[0].cBuffers;
989 status = DecryptMessage(&context, &buffers[0], 0, NULL);
990 ok(status == SEC_E_INVALID_TOKEN, "Expected SEC_E_INVALID_TOKEN, got %08x\n", status);
991
992 /* No data buffer */
993 ++buffers[0].cBuffers;
994 status = DecryptMessage(&context, &buffers[0], 0, NULL);
995 ok(status == SEC_E_INVALID_TOKEN, "Expected SEC_E_INVALID_TOKEN, got %08x\n", status);
996
997 /* Two data buffers */
998 buffers[0].pBuffers[0].BufferType = SECBUFFER_DATA;
999 buffers[0].pBuffers[1].BufferType = SECBUFFER_DATA;
1000 status = DecryptMessage(&context, &buffers[0], 0, NULL);
1001 ok(status == SEC_E_INVALID_TOKEN, "Expected SEC_E_INVALID_TOKEN, got %08x\n", status);
1002
1003 /* Too few empty buffers */
1004 buffers[0].pBuffers[1].BufferType = SECBUFFER_EXTRA;
1005 status = DecryptMessage(&context, &buffers[0], 0, NULL);
1006 ok(status == SEC_E_INVALID_TOKEN, "Expected SEC_E_INVALID_TOKEN, got %08x\n", status);
1007
1008 /* Incomplete data */
1009 buffers[0].pBuffers[1].BufferType = SECBUFFER_EMPTY;
1010 buffers[0].pBuffers[0].cbBuffer = (data[3]<<8) | data[4];
1011 status = DecryptMessage(&context, &buffers[0], 0, NULL);
1012 ok(status == SEC_E_INCOMPLETE_MESSAGE, "Expected SEC_E_INCOMPLETE_MESSAGE, got %08x\n", status);
1013 ok(buffers[0].pBuffers[0].BufferType == SECBUFFER_MISSING, "Expected first buffer to be SECBUFFER_MISSING\n");
1014 ok(buffers[0].pBuffers[0].cbBuffer == 5, "Expected first buffer to be a five bytes\n");
1015
1016 buffers[0].pBuffers[0].cbBuffer = data_size;
1017 buffers[0].pBuffers[0].BufferType = SECBUFFER_DATA;
1018 buffers[0].pBuffers[1].BufferType = SECBUFFER_EMPTY;
1019 status = DecryptMessage(&context, &buffers[0], 0, NULL);
1020 ok(status == SEC_E_OK, "DecryptMessage failed: %08x\n", status);
1021 if (status == SEC_E_OK)
1022 {
1023 ok(buffers[0].pBuffers[0].BufferType == SECBUFFER_STREAM_HEADER, "Expected first buffer to be SECBUFFER_STREAM_HEADER\n");
1024 ok(buffers[0].pBuffers[1].BufferType == SECBUFFER_DATA, "Expected second buffer to be SECBUFFER_DATA\n");
1025 ok(buffers[0].pBuffers[2].BufferType == SECBUFFER_STREAM_TRAILER, "Expected third buffer to be SECBUFFER_STREAM_TRAILER\n");
1026
1027 data = buffers[0].pBuffers[1].pvBuffer;
1028 data[buffers[0].pBuffers[1].cbBuffer] = 0;
1029 }
1030
1031 DeleteSecurityContext(&context);
1032 FreeCredentialsHandle(&cred_handle);
1033
1034 free_buffers(&buffers[0]);
1035 free_buffers(&buffers[1]);
1036
1037 closesocket(sock);
1038 }
1039
START_TEST(schannel)1040 START_TEST(schannel)
1041 {
1042 pQueryContextAttributesA = (void*)GetProcAddress(GetModuleHandleA("secur32.dll"), "QueryContextAttributesA");
1043
1044 test_cread_attrs();
1045 testAcquireSecurityContext();
1046 test_InitializeSecurityContext();
1047 test_communication();
1048 }
1049