crate acquire common section

awslabs · May 18, 2024 · 94436dd · 94436dd
1 parent 84c4417
commit 94436dd
Show file tree

Hide file tree

Showing 2 changed files with 132 additions and 73 deletions.
diff --git a/source/tls_channel_handler.c b/source/tls_channel_handler.c
@@ -733,6 +733,7 @@ void aws_tls_clean_up_static_state(void) {}
 
 #endif /* BYO_CRYPTO */
 
+// XXX: not used function
 int aws_channel_setup_client_tls(
     struct aws_channel_slot *right_of_slot,
     struct aws_tls_connection_options *tls_options) {

diff --git a/source/windows/secure_channel_tls_handler.c b/source/windows/secure_channel_tls_handler.c
@@ -73,7 +73,6 @@ struct secure_channel_ctx {
     struct aws_string *alpn_list;
     SCHANNEL_CRED credentials;
     SCH_CREDENTIALS credentials_new;
-    //TLS_PARAMETERS tls_parameters;
     PCERT_CONTEXT pcerts;
     HCERTSTORE cert_store;
     HCERTSTORE custom_trust_store;
@@ -142,7 +141,7 @@ static size_t s_message_overhead(struct aws_channel_handler *handler) {
 }
 //#include "Ntddk.h"
 
-bool is_windows_equal_or_above_10(void) {
+bool s_is_windows_equal_or_above_10(void) {
 
 // Windows 10 1809
 // Windows Server 1809
@@ -2126,56 +2125,98 @@ static struct aws_channel_handler_vtable s_handler_vtable = {
     .gather_statistics = s_gather_statistics,
 };
 
-static struct aws_channel_handler *s_tls_handler_new(
+static struct aws_channel_handler *s_tls_handler_new_common(
+    struct aws_allocator *alloc,
+    struct aws_tls_connection_options *options,
+    struct aws_channel_slot *slot,
+    bool is_client_mode,
+    struct secure_channel_handler *sc_handler) {
+    sc_handler->advertise_alpn_message = options->advertise_alpn_message;
+    sc_handler->on_data_read = options->on_data_read;
+    sc_handler->on_error = options->on_error;
+    sc_handler->on_negotiation_result = options->on_negotiation_result;
+    sc_handler->user_data = options->user_data;
+
+    if (!options->alpn_list && sc_ctx->alpn_list) {
+        sc_handler->alpn_list = aws_string_new_from_string(alloc, sc_ctx->alpn_list);
+        if (!sc_handler->alpn_list) {
+            goto on_error;
+        }
+    } else if (options->alpn_list) {
+        sc_handler->alpn_list = aws_string_new_from_string(alloc, options->alpn_list);
+        if (!sc_handler->alpn_list) {
+            goto on_error;
+        }
+    }
+
+    if (options->server_name) {
+        AWS_LOGF_DEBUG(
+            AWS_LS_IO_TLS,
+            "id=%p: Setting SNI to %s",
+            (void *)&sc_handler->handler,
+            aws_string_c_str(options->server_name));
+        struct aws_byte_cursor server_name_crsr = aws_byte_cursor_from_string(options->server_name);
+        if (aws_byte_buf_init_copy_from_cursor(&sc_handler->server_name, alloc, server_name_crsr)) {
+            goto on_error;
+        }
+    }
+
+    sc_handler->slot = slot;
+
+    if (is_client_mode) {
+        sc_handler->s_connection_state_fn = s_do_client_side_negotiation_step_1;
+    } else {
+        sc_handler->s_connection_state_fn = s_do_server_side_negotiation_step_1;
+    }
+
+    sc_handler->custom_ca_store = sc_ctx->custom_trust_store;
+    sc_handler->buffered_read_in_data_buf =
+        aws_byte_buf_from_array(sc_handler->buffered_read_in_data, sizeof(sc_handler->buffered_read_in_data));
+    sc_handler->buffered_read_in_data_buf.len = 0;
+    sc_handler->buffered_read_out_data_buf =
+        aws_byte_buf_from_array(sc_handler->buffered_read_out_data, sizeof(sc_handler->buffered_read_out_data));
+    sc_handler->buffered_read_out_data_buf.len = 0;
+    sc_handler->verify_peer = sc_ctx->verify_peer;
+
+    return &sc_handler->handler;
+
+on_error:
+
+    s_secure_channel_handler_destroy(alloc, sc_handler);
+
+    return NULL;
+}
+
+static struct aws_channel_handler *s_tls_handler_new_win10_plus(
     struct aws_allocator *alloc,
     struct aws_tls_connection_options *options,
     struct aws_channel_slot *slot,
     bool is_client_mode) {
     AWS_ASSERT(options->ctx);
-    printf("======================================== creating new handler\n");
 
     struct secure_channel_handler *sc_handler = aws_mem_calloc(alloc, 1, sizeof(struct secure_channel_handler));
     if (!sc_handler) {
         return NULL;
     }
     struct secure_channel_ctx *sc_ctx = options->ctx->impl;
 
-    DWORD enabled_protocols = 0;
-    enabled_protocols |= SP_PROT_TLS1_3_CLIENT;
-//    enabled_protocols |= SP_PROT_TLS1_2_CLIENT;
- //   enabled_protocols |= SP_PROT_TLS1_1_CLIENT;
-  //  enabled_protocols |= SP_PROT_TLS1_0_CLIENT;
-
-    //TLS_PARAMETERS tls_parameters = {0};
-    //sc_ctx->tls_parameters.cAlpnIds = 0;
-    //sc_ctx->tls_parameters.rgstrAlpnIds = NULL;
-    //sc_ctx->tls_parameters.grbitDisabledProtocols = 0;// = (DWORD)~enabled_protocols; // force TLS_1.3 protocol
-   // sc_ctx->tls_parameters.cDisabledCrypto = 0;
-   // sc_ctx->tls_parameters.pDisabledCrypto = NULL;
-    // tls_parameters.pDisabledCrypto = &crypto_settings;
-    //sc_ctx->tls_parameters.dwFlags = 0; // only set on server;
-
-    //sc_ctx->credentials_new.pTlsParameters = &sc_ctx->tls_parameters;
-    //sc_ctx->credentials_new.pTlsParameters->grbitDisabledProtocols = (DWORD)~enabled_protocols;
     sc_ctx->credentials_new.cTlsParameters = 0;
     sc_ctx->credentials_new.dwSessionLifespan = 0; // default 10 hours
-    //secure_channel_ctx->credentials_new.pTlsParameters->grbitDisabledProtocols
-
 
+    // TODO: try to copy to the common section above
     sc_handler->handler.alloc = alloc;
     sc_handler->handler.impl = sc_handler;
     sc_handler->handler.vtable = &s_handler_vtable;
     sc_handler->handler.slot = slot;
 
     sc_ctx->credentials_new.dwFlags =
-        SCH_CRED_NO_DEFAULT_CREDS |
-        SCH_CRED_NO_SERVERNAME_CHECK |
-        SCH_SEND_AUX_RECORD |
+            SCH_CRED_NO_DEFAULT_CREDS |
+            SCH_CRED_NO_SERVERNAME_CHECK |
+            SCH_SEND_AUX_RECORD |
 	    SCH_USE_STRONG_CRYPTO |
-       // SCH_CRED_MANUAL_CRED_VALIDATION |
 	    SCH_CRED_AUTO_CRED_VALIDATION;
-    aws_tls_channel_handler_shared_init(&sc_handler->shared_state, &sc_handler->handler, options);
 
+    aws_tls_channel_handler_shared_init(&sc_handler->shared_state, &sc_handler->handler, options);
 
     unsigned long credential_use = SECPKG_CRED_INBOUND;
     if (is_client_mode) {
@@ -2187,90 +2228,106 @@ static struct aws_channel_handler *s_tls_handler_new(
         UNISP_NAME,
         credential_use,
         NULL,
-      //  &sc_ctx->credentials,
         &sc_ctx->credentials_new,
         NULL,
         NULL,
         &sc_handler->creds,
         &sc_handler->sspi_timestamp);
 
     if (status != SEC_E_OK) {
-        printf(" AcquireCredentialsHandle failed status = %X\n", status);
         AWS_LOGF_ERROR(AWS_LS_IO_TLS, "Error on AcquireCredentialsHandle. SECURITY_STATUS is %lu", (int)status);
         int aws_error = s_determine_sspi_error(status);
         aws_raise_error(aws_error);
         goto on_error;
     }
 
-    sc_handler->advertise_alpn_message = options->advertise_alpn_message;
-    sc_handler->on_data_read = options->on_data_read;
-    sc_handler->on_error = options->on_error;
-    sc_handler->on_negotiation_result = options->on_negotiation_result;
-    sc_handler->user_data = options->user_data;
+    return s_tls_handler_new_common(alloc, options, slot, is_client_mode, sc_handler);
 
-    if (!options->alpn_list && sc_ctx->alpn_list) {
-        sc_handler->alpn_list = aws_string_new_from_string(alloc, sc_ctx->alpn_list);
-        if (!sc_handler->alpn_list) {
-            goto on_error;
-        }
-    } else if (options->alpn_list) {
-        sc_handler->alpn_list = aws_string_new_from_string(alloc, options->alpn_list);
-        if (!sc_handler->alpn_list) {
-            goto on_error;
-        }
-    }
+on_error:
 
-    if (options->server_name) {
-        AWS_LOGF_DEBUG(
-            AWS_LS_IO_TLS,
-            "id=%p: Setting SNI to %s",
-            (void *)&sc_handler->handler,
-            aws_string_c_str(options->server_name));
-        struct aws_byte_cursor server_name_crsr = aws_byte_cursor_from_string(options->server_name);
-        if (aws_byte_buf_init_copy_from_cursor(&sc_handler->server_name, alloc, server_name_crsr)) {
-            goto on_error;
-        }
+    s_secure_channel_handler_destroy(alloc, sc_handler);
+
+    return NULL;
+}
+
+
+static struct aws_channel_handler *s_tls_handler_new(
+    struct aws_allocator *alloc,
+    struct aws_tls_connection_options *options,
+    struct aws_channel_slot *slot,
+    bool is_client_mode) {
+    AWS_ASSERT(options->ctx);
+
+    struct secure_channel_handler *sc_handler = aws_mem_calloc(alloc, 1, sizeof(struct secure_channel_handler));
+    if (!sc_handler) {
+        return NULL;
     }
 
-    sc_handler->slot = slot;
+    // TODO: try to copy to the common section above
+    sc_handler->handler.alloc = alloc;
+    sc_handler->handler.impl = sc_handler;
+    sc_handler->handler.vtable = &s_handler_vtable;
+    sc_handler->handler.slot = slot;
+
+    aws_tls_channel_handler_shared_init(&sc_handler->shared_state, &sc_handler->handler, options);
+
+    struct secure_channel_ctx *sc_ctx = options->ctx->impl;
 
+    unsigned long credential_use = SECPKG_CRED_INBOUND;
     if (is_client_mode) {
-        sc_handler->s_connection_state_fn = s_do_client_side_negotiation_step_1;
-    } else {
-        sc_handler->s_connection_state_fn = s_do_server_side_negotiation_step_1;
+        credential_use = SECPKG_CRED_OUTBOUND;
     }
 
-    sc_handler->custom_ca_store = sc_ctx->custom_trust_store;
-    sc_handler->buffered_read_in_data_buf =
-        aws_byte_buf_from_array(sc_handler->buffered_read_in_data, sizeof(sc_handler->buffered_read_in_data));
-    sc_handler->buffered_read_in_data_buf.len = 0;
-    sc_handler->buffered_read_out_data_buf =
-        aws_byte_buf_from_array(sc_handler->buffered_read_out_data, sizeof(sc_handler->buffered_read_out_data));
-    sc_handler->buffered_read_out_data_buf.len = 0;
-    sc_handler->verify_peer = sc_ctx->verify_peer;
+    SECURITY_STATUS status = AcquireCredentialsHandleA(
+        NULL,
+        UNISP_NAME,
+        credential_use,
+        NULL,
+        &sc_ctx->credentials,
+        NULL,
+        NULL,
+        &sc_handler->creds,
+        &sc_handler->sspi_timestamp);
 
-    return &sc_handler->handler;
+    if (status != SEC_E_OK) {
+        AWS_LOGF_ERROR(AWS_LS_IO_TLS, "Error on AcquireCredentialsHandle. SECURITY_STATUS is %lu", (int)status);
+        int aws_error = s_determine_sspi_error(status);
+        aws_raise_error(aws_error);
+        goto on_error;
+    }
+
+    return s_tls_handler_new_common(alloc, options, slot, is_client_mode, sc_handler);
 
 on_error:
 
     s_secure_channel_handler_destroy(alloc, sc_handler);
 
     return NULL;
 }
+
+
 struct aws_channel_handler *aws_tls_client_handler_new(
     struct aws_allocator *allocator,
     struct aws_tls_connection_options *options,
     struct aws_channel_slot *slot) {
 
-    return s_tls_handler_new(allocator, options, slot, true);
+    if(s_is_windows_equal_or_above_10()) {
+        return s_tls_handler_new_win10_plus(allocator, options, slot, true);
+    else {
+        return s_tls_handler_new(allocator, options, slot, true);
+    }
 }
 
 struct aws_channel_handler *aws_tls_server_handler_new(
     struct aws_allocator *allocator,
     struct aws_tls_connection_options *options,
     struct aws_channel_slot *slot) {
 
-    return s_tls_handler_new(allocator, options, slot, false);
+    if(s_is_windows_equal_or_above_10()) {
+        return s_tls_handler_new_win10_plus(allocator, options, slot, false);
+    else {
+        return s_tls_handler_new(allocator, options, slot, false);
+    }
 }
 
 static void s_secure_channel_ctx_destroy(struct secure_channel_ctx *secure_channel_ctx) {
@@ -2319,8 +2376,9 @@ struct aws_tls_ctx *s_ctx_new(
     bool is_client_mode) {
 
     bool is_above_win_10;
-    is_above_win_10 = is_windows_equal_or_above_10();
+    is_above_win_10 = s_is_windows_equal_or_above_10();
     printf("\\\\\\\\\ windows is above 10? %d\n", is_above_win_10);
+
     if (!aws_tls_is_cipher_pref_supported(options->cipher_pref)) {
         aws_raise_error(AWS_IO_TLS_CIPHER_PREF_UNSUPPORTED);
         AWS_LOGF_ERROR(AWS_LS_IO_TLS, "static: TLS Cipher Preference is not supported: %d.", options->cipher_pref);
@@ -2355,7 +2413,7 @@ struct aws_tls_ctx *s_ctx_new(
     //int crypto_settings_num = 0;
 
     //crypto_settings[crypto_settings_num].eAlgorithmUsage = TlsParametersCngAlgUsageCipher;
-    
+
     secure_channel_ctx->credentials.dwVersion = SCHANNEL_CRED_VERSION;
 
     secure_channel_ctx->credentials_new.dwVersion = SCH_CREDENTIALS_VERSION;