From 624fe50c27bf80ceaf8aeb0ba7fa3f26bd7ef85d Mon Sep 17 00:00:00 2001 From: alfred2g Date: Thu, 16 May 2024 14:22:57 -0700 Subject: [PATCH 01/88] tls1.3 support --- source/alpn_handler.c | 2 +- source/channel.c | 6 +- source/channel_bootstrap.c | 5 +- source/socket_channel_handler.c | 12 +- source/tls_channel_handler_shared.c | 2 +- source/windows/secure_channel_tls_handler.c | 495 ++++++++++++++++++-- 6 files changed, 489 insertions(+), 33 deletions(-) diff --git a/source/alpn_handler.c b/source/alpn_handler.c index 5ad288260..c9bbea215 100644 --- a/source/alpn_handler.c +++ b/source/alpn_handler.c @@ -103,7 +103,7 @@ struct aws_channel_handler *aws_tls_alpn_handler_new( alpn_handler->user_data = user_data; channel_handler->impl = alpn_handler; channel_handler->alloc = allocator; - + printf("============================= seting write handler to null\n"); channel_handler->vtable = &s_alpn_handler_vtable; return channel_handler; diff --git a/source/channel.c b/source/channel.c index 36a3975b2..f6333c3da 100644 --- a/source/channel.c +++ b/source/channel.c @@ -385,6 +385,7 @@ static void s_shutdown_task(struct aws_channel_task *task, void *arg, enum aws_t static int s_channel_shutdown(struct aws_channel *channel, int error_code, bool shutdown_immediately) { bool need_to_schedule = true; + printf("s_channel_shutdown called\n"); aws_mutex_lock(&channel->cross_thread_tasks.lock); if (channel->cross_thread_tasks.shutdown_task.task.task_fn) { need_to_schedule = false; @@ -809,6 +810,7 @@ int aws_channel_slot_send_message( (void *)slot, (void *)slot->adj_left, (void *)slot->adj_left->handler); + printf("%s handler %p\n",__FUNCTION__, slot->adj_left->handler); return aws_channel_handler_process_write_message(slot->adj_left->handler, slot->adj_left, message); } 
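Review bot: The `printf("%s handler %p\n", __FUNCTION__, slot->adj_left->handler)` added in aws_channel_slot_send_message writes a heap address to stdout on every message sent through the channel, bypassing the AWS_LOGF_* logging that the surrounding lines of this hunk already use and leaking pointer values into whatever captures the process output. The same stdout tracing is added to s_channel_shutdown in this file and to aws_tls_alpn_handler_new, where the message "seting write handler to null" describes no write-handler change visible in that hunk. Route it through the existing logger or drop it: `AWS_LOGF_TRACE(AWS_LS_IO_CHANNEL, "id=%p: forwarding write message to handler %p", (void *)slot, (void *)slot->adj_left->handler);`. aws_channel_slot_send_message begins before this hunk.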
@@ -942,6 +944,7 @@ static void s_run_shutdown_write_direction(struct aws_task *task, void *arg, enu task->fn = NULL; task->arg = NULL; struct aws_channel_slot *slot = shutdown_notify->slot; + AWS_LOGF_DEBUG(AWS_LS_IO_CHANNEL, "s_run_shutdown_write_direction"); aws_channel_handler_shutdown( slot->handler, slot, AWS_CHANNEL_DIR_WRITE, shutdown_notify->error_code, shutdown_notify->shutdown_immediately); } @@ -965,6 +968,7 @@ int aws_channel_slot_on_handler_shutdown_complete( if (dir == AWS_CHANNEL_DIR_READ) { if (slot->adj_right && slot->adj_right->handler) { + AWS_LOGF_DEBUG(AWS_LS_IO_CHANNEL, "handler shutdown in dir completed. error_code %d", err_code); return aws_channel_handler_shutdown( slot->adj_right->handler, slot->adj_right, dir, err_code, free_scarce_resources_immediately); } @@ -982,6 +986,7 @@ int aws_channel_slot_on_handler_shutdown_complete( } if (slot->adj_left && slot->adj_left->handler) { + AWS_LOGF_DEBUG(AWS_LS_IO_CHANNEL, "handler shutdown2 in dir completed. error_code %d", err_code); return aws_channel_handler_shutdown( slot->adj_left->handler, slot->adj_left, dir, err_code, free_scarce_resources_immediately); } @@ -1030,7 +1035,6 @@ int aws_channel_handler_process_write_message( struct aws_channel_handler *handler, struct aws_channel_slot *slot, struct aws_io_message *message) { - AWS_ASSERT(handler->vtable && handler->vtable->process_write_message); return handler->vtable->process_write_message(handler, slot, message); } diff --git a/source/channel_bootstrap.c b/source/channel_bootstrap.c index 2ccd3873a..f85866f84 100644 --- a/source/channel_bootstrap.c +++ b/source/channel_bootstrap.c 
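Review bot: Removing `AWS_ASSERT(handler->vtable && handler->vtable->process_write_message)` from aws_channel_handler_process_write_message leaves an unchecked indirect call through `handler->vtable->process_write_message`, so a handler whose vtable lacks a write entry now dereferences NULL instead of failing loudly in debug builds, and the "seting write handler to null" message added to alpn_handler.c in this patch suggests such a handler is being introduced. If a handler with no write path is intended, make that a handled condition rather than a crash: `if (!handler->vtable || !handler->vtable->process_write_message) { return aws_raise_error(AWS_ERROR_UNSUPPORTED_OPERATION); }` (or whichever error code the library uses for an unsupported operation); otherwise keep the assertion. The three AWS_LOGF_DEBUG lines added above it omit the `id=%p` slot/handler tag the file's other messages carry, and "handler shutdown2 in dir completed" does not say which direction or which neighbour it refers to; `"id=%p: shutdown of left neighbour in dir %d completed, error_code %d"` with `(void *)slot` would be readable.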
@@ -191,6 +191,9 @@ static void s_connect_args_setup_callback_safe( (args->requested_event_loop == NULL) || aws_event_loop_thread_is_callers_thread(args->requested_event_loop)); /* setup_callback is always called exactly once */ + if (args->setup_called) { + return; + } AWS_FATAL_ASSERT(!args->setup_called); AWS_ASSERT((error_code == AWS_OP_SUCCESS) == (channel != NULL)); @@ -306,7 +309,7 @@ static void s_tls_client_on_negotiation_result( int err_code, void *user_data) { struct client_connection_args *connection_args = user_data; - + printf("entering s_tls_client_on_negotiation_resul entering\n"); if (connection_args->channel_data.user_on_negotiation_result) { connection_args->channel_data.user_on_negotiation_result( handler, slot, err_code, connection_args->channel_data.tls_user_data); diff --git a/source/socket_channel_handler.c b/source/socket_channel_handler.c index c327f6f35..3396f1863 100644 --- a/source/socket_channel_handler.c +++ b/source/socket_channel_handler.c @@ -97,6 +97,7 @@ static int s_socket_process_write_message( return aws_raise_error(AWS_IO_SOCKET_CLOSED); } + printf("aws socket write\n"); struct aws_byte_cursor cursor = aws_byte_cursor_from_buf(&message->message_data); if (aws_socket_write(socket_handler->socket, &cursor, s_on_socket_write_complete, message)) { return AWS_OP_ERR; @@ -146,7 +147,7 @@ static void s_do_read(struct socket_handler *socket_handler) { int last_error = 0; while (total_read < max_to_read) { size_t iter_max_read = max_to_read - total_read; - + printf("entering s_do_read function\n"); struct aws_io_message *message = aws_channel_acquire_message_from_pool( socket_handler->slot->channel, AWS_IO_MESSAGE_APPLICATION_DATA, iter_max_read); 
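Review bot: The early `if (args->setup_called) { return; }` added to s_connect_args_setup_callback_safe makes the `AWS_FATAL_ASSERT(!args->setup_called)` on the next line unreachable and silently swallows a second invocation of the setup callback, which the comment right above says must happen exactly once; a silent return also drops `error_code` and `channel`, so a failed second callback is never reported and a successful one may leak the channel. If the TLS 1.3 path now reaches this function twice, that is the defect to fix at the caller (the `second_call` flag added in secure_channel_tls_handler.c looks like the same symptom), not here. Should a guard be kept at all, it should at least be visible: `AWS_LOGF_ERROR(AWS_LS_IO_CHANNEL_BOOTSTRAP, "setup callback invoked twice (error_code=%d), ignoring", error_code);` before the return, using whatever log subject this file already uses. The function continues past the hunk.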
@@ -158,10 +159,13 @@ static void s_do_read(struct socket_handler *socket_handler) { if (aws_socket_read(socket_handler->socket, &message->message_data, &read)) { last_error = aws_last_error(); aws_mem_release(message->allocator, message); + printf("second break: %d errno %d\n", ret, errno); break; } + printf("total read is %lu max_read is: %lu read is: %lu\n", total_read, max_to_read, read); total_read += read; + AWS_LOGF_TRACE( AWS_LS_IO_SOCKET_HANDLER, "id=%p: read %llu from socket", @@ -171,6 +175,7 @@ static void s_do_read(struct socket_handler *socket_handler) { if (aws_channel_slot_send_message(socket_handler->slot, message, AWS_CHANNEL_DIR_READ)) { last_error = aws_last_error(); aws_mem_release(message->allocator, message); + printf("third break\n"); break; } } @@ -249,6 +254,7 @@ static void s_read_task(struct aws_channel_task *task, void *arg, aws_task_statu task->task_fn = NULL; task->arg = NULL; + AWS_LOGF_TRACE(AWS_LS_IO_SOCKET_HANDLER, " caling s_read_task"); if (status == AWS_TASK_STATUS_RUN_READY) { struct socket_handler *socket_handler = arg; s_do_read(socket_handler); @@ -377,6 +383,8 @@ static void s_gather_statistics(struct aws_channel_handler *handler, struct aws_ static void s_trigger_read(struct aws_channel_handler *handler) { struct socket_handler *socket_handler = (struct socket_handler *)handler->impl; + // printf("s_trigger read do \n"); + AWS_LOGF_TRACE(AWS_LS_IO_SOCKET_HANDLER, " caling s_do_read from s_trigger_read"); s_do_read(socket_handler); } @@ -421,7 +429,7 @@ struct aws_channel_handler *aws_socket_handler_new( if (aws_crt_statistics_socket_init(&impl->stats)) { goto cleanup_handler; } - + printf("-------------------------> setting up s_socket_process_write_message handler %p\n", handler); AWS_LOGF_DEBUG( AWS_LS_IO_SOCKET_HANDLER, "id=%p: Socket handler created with max_read_size of %llu", diff --git a/source/tls_channel_handler_shared.c b/source/tls_channel_handler_shared.c index 884b09f6f..de08ae1c2 100644 
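Review bot: `printf("second break: %d errno %d\n", ret, errno)` added to s_do_read refers to `ret`, which is not declared anywhere in the visible hunk (the failure is held in `last_error`), and `errno` is unlikely to carry the socket error on Windows where aws_socket_read reports through aws_last_error(); the next `printf("total read is %lu ...")` passes three `size_t` values to `%lu`, which is a 32-bit conversion on Win64 and prints garbage. Drop these lines or use the logger with the right specifier: `AWS_LOGF_TRACE(AWS_LS_IO_SOCKET_HANDLER, "id=%p: read failed, error %d", (void *)socket_handler, last_error);` and `%zu` for the sizes. The `"third break"` and `" caling s_read_task"` strings carry no context and the latter has a typo. s_do_read starts before this hunk and continues after it.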
--- a/source/tls_channel_handler_shared.c +++ b/source/tls_channel_handler_shared.c @@ -10,7 +10,7 @@ static void s_tls_timeout_task_fn(struct aws_channel_task *channel_task, void *arg, enum aws_task_status status) { (void)channel_task; - + printf(" == == == == == == == == timeout\n "); if (status != AWS_TASK_STATUS_RUN_READY) { return; } diff --git a/source/windows/secure_channel_tls_handler.c b/source/windows/secure_channel_tls_handler.c index b62b1a0b7..993e1bc2d 100644 --- a/source/windows/secure_channel_tls_handler.c +++ b/source/windows/secure_channel_tls_handler.c @@ -18,10 +18,16 @@ #include #include +#define SCHANNEL_USE_BLACKLISTS #include +#include +//#include +//#include + #include #include +#include #include #include @@ -42,6 +48,19 @@ #define EST_TLS_RECORD_OVERHEAD 53 /* 5 byte header + 32 + 16 bytes for padding */ +static void print_buffer(unsigned char *message, int len, char* print_message) +{ + char *str3 = message; + int read_len = len; + printf("%s of size: %d\n", print_message, read_len); + for (int i = 0; i < read_len; i++) { + printf("%.2X ",(unsigned char) str3[i]); + if (i != 0 && i % 32 == 0) + printf("\n"); + } + printf("\n"); +} + void aws_tls_init_static_state(struct aws_allocator *alloc) { AWS_LOGF_INFO(AWS_LS_IO_TLS, "static: Initializing TLS using SecureChannel (SSPI)."); (void)alloc; @@ -53,6 +72,8 @@ struct secure_channel_ctx { struct aws_tls_ctx ctx; struct aws_string *alpn_list; SCHANNEL_CRED credentials; + SCH_CREDENTIALS credentials_new; + //TLS_PARAMETERS tls_parameters; PCERT_CONTEXT pcerts; HCERTSTORE cert_store; HCERTSTORE custom_trust_store; 
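Review bot: `print_buffer` hex-dumps its argument to stdout, and later hunks of this file call it on every received TLS record ("printing received data"), on `buffered_read_in_data_buf` before DecryptMessage and on the SECBUFFER_EXTRA fragments, so ciphertext and handshake material are written to the process's stdout unconditionally; that cannot ship in a TLS handler. The helper also stores an `unsigned char *` into `char *str3` and casts back per byte, takes the length as `int` while every caller passes a `size_t`, and the `i != 0 && i % 32 == 0` check breaks the line after the 33rd byte rather than after 32. If a dump facility is wanted for development, wrap the definition and each call site in a compile-time guard such as `#ifdef AWS_TLS_DEBUG_DUMP` and emit through `AWS_LOGF_TRACE(AWS_LS_IO_TLS, ...)` rather than `printf`.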
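Review bot: `SCH_CREDENTIALS credentials_new` is added to `secure_channel_ctx`, the object shared by every handler created from one aws_tls_ctx, yet s_tls_handler_new later in this patch writes its `dwFlags`, `cTlsParameters` and `dwSessionLifespan` per handler, so handlers created concurrently from the same ctx race on this field and one handler's settings silently apply to all others. The flags written there include `SCH_CRED_NO_SERVERNAME_CHECK`, which turns off Schannel's hostname check, so this is a verification-policy field and belongs in ctx construction, gated on the same `verify_peer` option the handler already consults. Add a comment on the field recording where it is populated and that it is immutable after ctx creation, e.g. `/* SCH_CREDENTIALS used for TLS 1.3; populated once at ctx creation, read-only afterwards. */`, and note which of `credentials` and `credentials_new` is handed to AcquireCredentialsHandle. The struct definition continues past the hunk.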
@@ -362,27 +383,34 @@ static void s_invoke_negotiation_error(struct aws_channel_handler *handler, int static void s_on_negotiation_success(struct aws_channel_handler *handler) { struct secure_channel_handler *sc_handler = handler->impl; + printf("s_on_negotiation_success entering\n"); /* if the user provided an ALPN handler to the channel, we need to let them know what their protocol is. */ if (sc_handler->slot->adj_right && sc_handler->advertise_alpn_message && sc_handler->protocol.len) { + printf("s_on_negotiation_success inside the if\n"); struct aws_io_message *message = aws_channel_acquire_message_from_pool( sc_handler->slot->channel, AWS_IO_MESSAGE_APPLICATION_DATA, sizeof(struct aws_tls_negotiated_protocol_message)); + printf("s_on_negotiation_success middle part\n"); message->message_tag = AWS_TLS_NEGOTIATED_PROTOCOL_MESSAGE; struct aws_tls_negotiated_protocol_message *protocol_message = (struct aws_tls_negotiated_protocol_message *)message->message_data.buffer; protocol_message->protocol = sc_handler->protocol; message->message_data.len = sizeof(struct aws_tls_negotiated_protocol_message); + printf("s_on_negotiation_success sending message\n"); if (aws_channel_slot_send_message(sc_handler->slot, message, AWS_CHANNEL_DIR_READ)) { aws_mem_release(message->allocator, message); aws_channel_shutdown(sc_handler->slot->channel, aws_last_error()); } } + printf("s_on_negotiation_success calling aws_on_tls_negotiation_completed\n"); aws_on_tls_negotiation_completed(&sc_handler->shared_state, AWS_ERROR_SUCCESS); + printf("s_on_negotiation_success calling aws_on_tls_negotiation_completed finished\n"); if (sc_handler->on_negotiation_result) { + printf("s_on_negotiation_success calling inside the second if\n"); sc_handler->on_negotiation_result(handler, sc_handler->slot, AWS_OP_SUCCESS, sc_handler->user_data); } } 
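Review bot: The seven `printf` calls added to s_on_negotiation_success are bare stdout writes with no handler tag, unlike every other message in this file, and they narrate control flow ("inside the if", "middle part") that the existing `AWS_LOGF_*` lines already make traceable. They should be removed before merge; if a trace of the ALPN message send is useful, one line in the file's style is enough: `AWS_LOGF_TRACE(AWS_LS_IO_TLS, "id=%p: forwarding negotiated protocol to ALPN handler", (void *)handler);`. The function is otherwise unchanged by the hunk.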
@@ -527,7 +555,7 @@ static int s_do_server_side_negotiation_step_1(struct aws_channel_handler *handl #endif /* SECBUFFER_APPLICATION_PROTOCOLS*/ sc_handler->ctx_req = ASC_REQ_SEQUENCE_DETECT | ASC_REQ_REPLAY_DETECT | ASC_REQ_CONFIDENTIALITY | - ASC_REQ_ALLOCATE_MEMORY | ASC_REQ_STREAM; + ASC_REQ_ALLOCATE_MEMORY | ASC_REQ_STREAM | ASC_REQ_CONNECTION; if (sc_handler->verify_peer) { AWS_LOGF_DEBUG( @@ -749,7 +777,7 @@ static int s_do_server_side_negotiation_step_2(struct aws_channel_handler *handl handler, (int)status); int aws_error = s_determine_sspi_error(status); - aws_raise_error(aws_error); + // aws_raise_error(aws_error); } } #endif @@ -804,7 +832,8 @@ static int s_do_client_side_negotiation_step_1(struct aws_channel_handler *handl #endif /* SECBUFFER_APPLICATION_PROTOCOLS*/ sc_handler->ctx_req = ISC_REQ_SEQUENCE_DETECT | ISC_REQ_REPLAY_DETECT | ISC_REQ_CONFIDENTIALITY | - ISC_REQ_ALLOCATE_MEMORY | ISC_REQ_STREAM; + ISC_REQ_ALLOCATE_MEMORY | ISC_REQ_STREAM | + ISC_REQ_USE_SUPPLIED_CREDS; // Schannel must not attempt to supply credentials for the client automatically. (necessary for SCH_CREDENTIALS for negotiations to work) SecBuffer output_buffer = { .pvBuffer = NULL, @@ -822,7 +851,7 @@ static int s_do_client_side_negotiation_step_1(struct aws_channel_handler *handl AWS_ZERO_ARRAY(server_name_cstr); AWS_ASSERT(sc_handler->server_name.len < 256); memcpy(server_name_cstr, sc_handler->server_name.buffer, sc_handler->server_name.len); - + // step 1 SECURITY_STATUS status = InitializeSecurityContextA( &sc_handler->creds, NULL, @@ -837,6 +866,7 @@ static int s_do_client_side_negotiation_step_1(struct aws_channel_handler *handl &sc_handler->ctx_ret_flags, &sc_handler->sspi_timestamp); + printf("first initialize security context called %lu\n", status); if (status != SEC_I_CONTINUE_NEEDED) { AWS_LOGF_ERROR( AWS_LS_IO_TLS, 
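Review bot: Commenting out `aws_raise_error(aws_error)` in s_do_server_side_negotiation_step_2 leaves `aws_error` computed but unused and lets the function proceed after a logged SSPI failure with whatever stale value aws_last_error() holds, so a caller that later reports aws_last_error() attributes the failure to the wrong cause. If this status is tolerable on the TLS 1.3 path (the hunk shows only the trailing `#endif`, presumably the ALPN query block), say so explicitly: `AWS_LOGF_WARN(AWS_LS_IO_TLS, "id=%p: ignoring protocol query status %d", (void *)handler, (int)status);` and delete the dead `aws_error` line. In step 1, `ASC_REQ_CONNECTION` is now ORed in alongside `ASC_REQ_STREAM`; SSPI documents these as alternative message-handling modes, so please confirm Schannel accepts both on the server side. The `printf("first initialize security context called %lu\n", status)` in the client hunk passes a `SECURITY_STATUS` (a signed `LONG`) to `%lu` and should use the logger.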
@@ -878,8 +908,10 @@ static int s_do_client_side_negotiation_step_1(struct aws_channel_handler *handl } /* cipher exchange, key exchange etc.... */ +bool second_call = true; static int s_do_client_side_negotiation_step_2(struct aws_channel_handler *handler) { struct secure_channel_handler *sc_handler = handler->impl; + printf("-> %s entering\n", __FUNCTION__); AWS_LOGF_TRACE( AWS_LS_IO_TLS, "id=%p: running step 2 of client-side negotiation (cipher change, key exchange etc...)", @@ -927,6 +959,7 @@ static int s_do_client_side_negotiation_step_2(struct aws_channel_handler *handl AWS_FATAL_ASSERT(sc_handler->server_name.len < sizeof(server_name_cstr)); memcpy(server_name_cstr, sc_handler->server_name.buffer, sc_handler->server_name.len); + // step 2 status = InitializeSecurityContextA( &sc_handler->creds, &sc_handler->sec_handle, @@ -936,14 +969,18 @@ static int s_do_client_side_negotiation_step_2(struct aws_channel_handler *handl 0, &input_buffers_desc, 0, - NULL, + &sc_handler->sec_handle, //NULL, &output_buffers_desc, &sc_handler->ctx_ret_flags, &sc_handler->sspi_timestamp); - + printf("second initialize security context called %lu\n", status); + if (status == SEC_I_INCOMPLETE_CREDENTIALS) { + printf("second initialize incomplete credentials %lu\n", status); + // return AWS_OP_SUCCESS; + } if (status != SEC_E_INCOMPLETE_MESSAGE && status != SEC_I_CONTINUE_NEEDED && status != SEC_E_OK) { AWS_LOGF_ERROR( - AWS_LS_IO_TLS, "id=%p: Error during negotiation. SECURITY_STATUS is %d", (void *)handler, (int)status); + AWS_LS_IO_TLS, "id=%p: Error during negotiation. initalizesecuritycontext SECURITY_STATUS is %lu", (void *)handler, (int)status); int aws_error = s_determine_sspi_error(status); aws_raise_error(aws_error); s_invoke_negotiation_error(handler, aws_error); 
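Review bot: `bool second_call = true;` is a non-static, file-scope mutable flag shared by every Schannel handler in the process; s_do_client_side_negotiation_step_2 reads and reassigns it per handshake later in this patch, so two client connections negotiating on different event-loop threads race on it, and one connection's state decides whether another's on_negotiation_result callback fires. Per-handshake state belongs in `struct secure_channel_handler` (e.g. `bool negotiation_reported;` beside the other handshake fields), and at minimum the symbol needs `static` so it is not exported from the library. As written the only assignment in the patch stores `true`, so the guard never changes anything and is dead code.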
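Review bot: The new `if (status == SEC_I_INCOMPLETE_CREDENTIALS)` block in s_do_client_side_negotiation_step_2 only prints and then falls into the `status != SEC_E_INCOMPLETE_MESSAGE && ...` error branch, so a server's client-certificate request still fails the handshake exactly as before while the commented `// return AWS_OP_SUCCESS;` suggests a different intent; either handle it (resume with the configured credentials, or fail with a specific message) or drop the block. The error log's format was changed to `%lu` while the argument is still `(int)status`, a mismatch that MSVC's /W4 and -Wformat will flag; keep `%d` with the cast. Passing `&sc_handler->sec_handle` as phNewContext where NULL was passed before is fine for a continued context, but the trailing `//NULL,` should go. The function continues past the hunk.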
@@ -961,6 +998,7 @@ static int s_do_client_side_negotiation_step_2(struct aws_channel_handler *handl } if (status == SEC_I_CONTINUE_NEEDED || status == SEC_E_OK) { + printf("sending packets\n"); for (size_t i = 0; i < output_buffers_desc.cBuffers; ++i) { SecBuffer *buf_ptr = &output_buffers[i]; @@ -981,6 +1019,7 @@ static int s_do_client_side_negotiation_step_2(struct aws_channel_handler *handl if (aws_channel_slot_send_message(sc_handler->slot, outgoing_message, AWS_CHANNEL_DIR_WRITE)) { aws_mem_release(outgoing_message->allocator, outgoing_message); s_invoke_negotiation_error(handler, aws_last_error()); + printf("error sending packet\n"); return AWS_OP_ERR; } } @@ -993,6 +1032,9 @@ static int s_do_client_side_negotiation_step_2(struct aws_channel_handler *handl (void *)handler, input_buffers[1].cbBuffer); sc_handler->read_extra = input_buffers[1].cbBuffer; + if (status == SEC_I_CONTINUE_NEEDED) { + printf("sec i continue needed\n"); + } } } 
@@ -1040,13 +1082,25 @@ static int s_do_client_side_negotiation_step_2(struct aws_channel_handler *handl #endif AWS_LOGF_DEBUG(AWS_LS_IO_TLS, "id=%p: TLS handshake completed successfully.", (void *)handler); sc_handler->s_connection_state_fn = s_do_application_data_decrypt; - s_on_negotiation_success(handler); + printf("before on _negotiation success %p\n", handler); + if (second_call == true) { + s_on_negotiation_success(handler); + printf("before on _negotiation success completed\n"); + } + second_call = true; } + printf("returning ok from this function\n"); return AWS_OP_SUCCESS; } +/* cipher exchange, key exchange etc.... */ +static int s_do_client_side_negotiation_step_3(struct aws_channel_handler *handler) { + struct secure_channel_handler *sc_handler = handler->impl; -static int s_do_application_data_decrypt(struct aws_channel_handler *handler) { + +} +static int s_do_application_data_decrypt(struct aws_channel_handler *handler) +{ struct secure_channel_handler *sc_handler = handler->impl; /* I know this is an unncessary initialization, it's initialized here to make linters happy.*/ @@ -1055,6 +1109,7 @@ static int s_do_application_data_decrypt(struct aws_channel_handler *handler) { any extra buffers left over, in the last phase, we then go ahead and send the output. This state function will always say BLOCKED_ON_READ, AWS_IO_TLS_ERROR_READ_FAILURE or SUCCESS. There will never be left over reads.*/ do { +label1: error = AWS_OP_ERR; /* 4 buffers are needed, only one is input, the others get zeroed out for the output operation. */ SecBuffer input_buffers[4]; 
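Review bot: `s_do_client_side_negotiation_step_3` is declared `static int` with a body that declares `sc_handler` and nothing else: it has no return statement, is never called, and yields an unused-variable warning, so it should be removed from this patch or implemented. In the same hunk the call to s_on_negotiation_success is gated on the file-global `second_call`, which the patch only ever sets to `true`, so the guard changes nothing while tying the callback to cross-connection state; any such flag belongs in `struct secure_channel_handler`. The `label1:` inserted as the first statement of the `do { ... } while (sc_handler->read_extra)` loop in s_do_application_data_decrypt exists so the renegotiation branch can `goto` back to the top and bypass the loop condition; a `bool more_input` that the branch sets and the `while` tests expresses that without a backward jump into a loop body. Both functions extend beyond this hunk.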
@@ -1075,16 +1130,24 @@ static int s_do_application_data_decrypt(struct aws_channel_handler *handler) { .cBuffers = 4, .pBuffers = input_buffers, }; + print_buffer( + sc_handler->buffered_read_in_data_buf.buffer, + sc_handler->buffered_read_in_data_buf.len, + "before decrypting"); + printf("---------------- calling Decrypt Message\n"); SECURITY_STATUS status = DecryptMessage(&sc_handler->sec_handle, &buffer_desc, 0, NULL); + printf(" status is 0x%X\n", status); - if (status == SEC_E_OK) { + if (status == SEC_E_OK || status == SEC_I_RENEGOTIATE) // sec_i_context_expired + { error = AWS_OP_SUCCESS; /* if SECBUFFER_DATA is the buffer type of the second buffer, we have decrypted data to process. If SECBUFFER_DATA is the type for the fourth buffer we need to keep track of it so we can shift everything before doing another decrypt operation. We don't care what's in the third buffer for TLS usage.*/ - if (input_buffers[1].BufferType == SECBUFFER_DATA) { + if (input_buffers[1].BufferType == SECBUFFER_DATA) + { size_t decrypted_length = input_buffers[1].cbBuffer; AWS_LOGF_TRACE( AWS_LS_IO_TLS, "id=%p: Decrypted message with length %zu.", (void *)handler, decrypted_length); 
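Review bot: `print_buffer(..., "before decrypting")` dumps the whole buffered TLS input to stdout before every DecryptMessage call and `printf(" status is 0x%X\n", status)` follows it; both are unconditional writes of connection data from a production TLS handler and must be removed or compiled out. Accepting `SEC_I_RENEGOTIATE` in the same branch as `SEC_E_OK` (`error = AWS_OP_SUCCESS`) is only correct because of the renegotiation block added further down the function; a comment on the condition, e.g. `/* SEC_I_RENEGOTIATE: peer sent a handshake message after the handshake (TLS 1.3 post-handshake data, per Schannel docs - confirm); the token is fed back to InitializeSecurityContext below */`, would tell the reader why a renegotiation status counts as success. The `// sec_i_context_expired` remark on that line refers to a status handled in its own branch and should be deleted. s_do_application_data_decrypt starts before this hunk.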
@@ -1096,14 +1159,36 @@ static int s_do_application_data_decrypt(struct aws_channel_handler *handler) { (void)append_failed; /* if we have extra we have to move the pointer and do another Decrypt operation. */ - if (input_buffers[3].BufferType == SECBUFFER_EXTRA) { - sc_handler->read_extra = input_buffers[3].cbBuffer; - AWS_LOGF_TRACE( - AWS_LS_IO_TLS, - "id=%p: Extra (incomplete) message received with length %zu.", - (void *)handler, - sc_handler->read_extra); - } else { + if (input_buffers[3].BufferType == SECBUFFER_EXTRA && input_buffers[3].cbBuffer > 0) + { + if (input_buffers[3].cbBuffer < read_len) + { + printf("\\\\\\\\\\\\\\\\\\\\\\\\\\\\ input buffers extra less than read len\n"); + print_buffer( + input_buffers[0].pvBuffer, + input_buffers[0].cbBuffer, + "encrypted input buffers input_buffers[0]"); + + print_buffer( + input_buffers[3].pvBuffer, + input_buffers[3].cbBuffer, + "encrypted input buffers input_buffers[3]"); + + //sc_handler->read_extra = input_buffers[3].cbBuffer; + AWS_LOGF_TRACE( + AWS_LS_IO_TLS, + "id=%p: Extra (incomplete) message received with length %zu.", + (void *)handler, + sc_handler->read_extra); + memmove( + sc_handler->buffered_read_in_data_buf.buffer, + (sc_handler->buffered_read_in_data_buf.buffer + read_len) - input_buffers[3].cbBuffer, + input_buffers[3].cbBuffer); + sc_handler->buffered_read_in_data_buf.len = input_buffers[3].cbBuffer; + } + } + else + { error = AWS_OP_SUCCESS; /* this means we processed everything in the buffer. */ sc_handler->buffered_read_in_data_buf.len = 0; @@ -1116,7 +1201,8 @@ static int s_do_application_data_decrypt(struct aws_channel_handler *handler) { } /* SEC_E_INCOMPLETE_MESSAGE means the message we tried to decrypt isn't a full record and we need to append our next read to it and try again. */ - else if (status == SEC_E_INCOMPLETE_MESSAGE) { + else if (status == SEC_E_INCOMPLETE_MESSAGE) + { sc_handler->estimated_incomplete_size = input_buffers[1].cbBuffer; AWS_LOGF_TRACE( AWS_LS_IO_TLS, 
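Review bot: The rewritten SECBUFFER_EXTRA branch comments out `sc_handler->read_extra = input_buffers[3].cbBuffer;` while the enclosing loop still ends on `while (sc_handler->read_extra)` and the trace message still prints `sc_handler->read_extra`, so after the memmove the leftover record sits at the front of `buffered_read_in_data_buf` and, unless read_extra was left non-zero by an earlier step, the loop exits without decrypting it and the log shows a stale count. Either keep the assignment or make the loop condition `sc_handler->buffered_read_in_data_buf.len != 0`; the `cbBuffer >= read_len` case also falls through with neither `len` reset nor the extra consumed. `read_len` is not defined in the hunk, so the source expression `buffer + read_len - cbBuffer` assumes `read_len` equals the cbBuffer handed to DecryptMessage; please confirm. The two hex dumps of `input_buffers[0]` and `input_buffers[3]` write ciphertext to stdout and must go. The function starts before and ends after this hunk.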
@@ -1132,7 +1218,8 @@ static int s_do_application_data_decrypt(struct aws_channel_handler *handler) { } /* SEC_I_CONTEXT_EXPIRED means that the message sender has shut down the connection. One such case where this can happen is an unaccepted certificate. */ - else if (status == SEC_I_CONTEXT_EXPIRED) { + else if (status == SEC_I_CONTEXT_EXPIRED) + { AWS_LOGF_TRACE( AWS_LS_IO_TLS, "id=%p: Alert received. Message sender has shut down the connection. SECURITY_STATUS is %d.", 
@@ -1142,9 +1229,257 @@ static int s_do_application_data_decrypt(struct aws_channel_handler *handler) { struct aws_channel_slot *slot = handler->slot; aws_channel_shutdown(slot->channel, AWS_OP_SUCCESS); error = AWS_OP_SUCCESS; + } + if (status == SEC_I_RENEGOTIATE) { + printf("renegotiating received\n"); + /* if we are the client */ + //char * extra_buffer = NULL; + //size_t buffer_size = 0; + if (input_buffers[3].BufferType == SECBUFFER_EXTRA && input_buffers[3].cbBuffer > 0) + { + if (input_buffers[3].cbBuffer < read_len) + { + printf( + "\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ extra buffer is less than input buffer read_len %d %d\n", + input_buffers[3].cbBuffer, + read_len); + + //sc_handler->read_extra = input_buffers[3].cbBuffer; + //extra_buffer = input_buffers[0].pvBuffer; + //buffer_size = input_buffers[3].cbBuffer; + AWS_LOGF_TRACE( + AWS_LS_IO_TLS, + "id=%p: Extra (incomplete) message received with length %zu.", + (void *)handler, + sc_handler->read_extra); + } else { + + } + } + + SecBuffer input_buffers2[] = { + [0] = {/* + .pvBuffer = extra_buffer, + .cbBuffer = buffer_size, + .BufferType = SECBUFFER_TOKEN, + */ + + .pvBuffer = malloc(sc_handler->buffered_read_in_data_buf.len), + .cbBuffer = sc_handler->buffered_read_in_data_buf.len, + .BufferType = SECBUFFER_TOKEN, + }, + [1] = + { + .pvBuffer = NULL, + .cbBuffer = 0, + .BufferType = SECBUFFER_EMPTY, + }, + }; + memcpy( + input_buffers2[0].pvBuffer, + sc_handler->buffered_read_in_data_buf.buffer, + sc_handler->buffered_read_in_data_buf.len); + + SecBufferDesc input_bufs_desc = { + .ulVersion = SECBUFFER_VERSION, + .cBuffers = 2, + .pBuffers = input_buffers2, + }; + + SecBuffer output_buffers[3]; + AWS_ZERO_ARRAY(output_buffers); + output_buffers[0].BufferType = SECBUFFER_TOKEN; + output_buffers[1].BufferType = SECBUFFER_ALERT; + output_buffers[2].BufferType = SECBUFFER_EMPTY; + + SecBufferDesc output_buffers_desc = { + .ulVersion = SECBUFFER_VERSION, + .cBuffers = 3, + .pBuffers = output_buffers, + }; + char 
server_name_cstr[256]; + AWS_ZERO_ARRAY(server_name_cstr); + AWS_FATAL_ASSERT(sc_handler->server_name.len < sizeof(server_name_cstr)); + memcpy(server_name_cstr, sc_handler->server_name.buffer, sc_handler->server_name.len); + status = InitializeSecurityContextA( + &sc_handler->creds, + &sc_handler->sec_handle, + (SEC_CHAR*)server_name_cstr, + sc_handler->ctx_req, + 0, + 0, + &input_bufs_desc, + // NULL, + 0, + NULL, + // &sc_handler->sec_handle, + &output_buffers_desc, + &sc_handler->ctx_ret_flags, + NULL); + error = status; + /* if we are the server */ + AWS_LOGF_ERROR( + AWS_LS_IO_TLS, "id=%p: Error renegotiation happened. status %lu", (void*)handler, status); + printf(" renegotiate initializesecuritycontext result %lu \n", status); + if (status == SEC_E_OK) { + //sc_handler->s_connection_state_fn = s_do_client_side_negotiation_step_2; + // status = s_do_client_side_negotiation_step_2(handler); + // printf("client negotiation 2 return is 0x%X\n", status); + // break; + } + + for (size_t i = 0; i < output_buffers_desc.cBuffers; ++i) { + //SecBuffer *buf_ptr = &extra_buffer[i]; + SecBuffer *token_ptr; + SecBuffer* buf_ptr = &output_buffers[i]; + printf("output buffers %d token %d size %lu\n", i, output_buffers[i].BufferType, output_buffers[i].cbBuffer); + if (buf_ptr->BufferType == SECBUFFER_TOKEN && buf_ptr->cbBuffer) { + printf(" SECUFFER TOKEN data\n"); + printf("....sending data....\n"); + struct aws_io_message* outgoing_message = aws_channel_acquire_message_from_pool( + sc_handler->slot->channel, AWS_IO_MESSAGE_APPLICATION_DATA, buf_ptr->cbBuffer); + + if (!outgoing_message) { + FreeContextBuffer(buf_ptr->pvBuffer); + s_invoke_negotiation_error(handler, aws_last_error()); + return AWS_OP_ERR; + } + + memcpy(outgoing_message->message_data.buffer, buf_ptr->pvBuffer, buf_ptr->cbBuffer); + outgoing_message->message_data.len = buf_ptr->cbBuffer; + FreeContextBuffer(buf_ptr->pvBuffer); + printf("=========================== sending message from decrypt\n"); + if 
(aws_channel_slot_send_message(sc_handler->slot, outgoing_message, AWS_CHANNEL_DIR_WRITE)) { + aws_mem_release(outgoing_message->allocator, outgoing_message); + s_invoke_negotiation_error(handler, aws_last_error()); + printf("error sending packet\n"); + return AWS_OP_ERR; + } + } + } + // should be the mqtt connack + printf("checking Extra buffer\n"); + if (input_buffers2[1].BufferType == SECBUFFER_EXTRA && input_buffers2[1].cbBuffer > 0) + { + printf("Extra buffer size is %lu %lu\n", input_buffers2[1].cbBuffer, sc_handler->buffered_read_in_data_buf.capacity); + //sc_handler->read_extra = input_buffers2[1].cbBuffer; + //input_buffers[0].pvBuffer = input_buffers[1].pvBuffer; + //input_buffers[0].cbBuffer = input_buffers[1].cbBuffer; + //sc_handler->buffered_read_in_data_buf.buffer = input_buffers2[1].pvBuffer; + //sc_handler->buffered_read_in_data_buf.capacity = input_buffers2[1].cbBuffer * 2; + + //if (sc_handler->buffered_read_in_data_buf.capacity < input_buffers2[1].cbBuffer) { + // printf("xxxxxx buffer too small\n"); + // return SEC_E_DECRYPT_FAILURE; + //} +// sc_handler->buffered_read_in_data_buf.len = input_buffers2[1].cbBuffer; + if (sc_handler->buffered_read_in_data_buf.len > input_buffers2[1].cbBuffer) { + printf(" \\\\\\\\\\\\\\ correct size lets copy the buffer\n"); + memmove( + sc_handler->buffered_read_in_data_buf.buffer, + (sc_handler->buffered_read_in_data_buf.buffer + sc_handler->buffered_read_in_data_buf.len) - + input_buffers2[1].cbBuffer, + input_buffers2[1].cbBuffer); + sc_handler->buffered_read_in_data_buf.len = input_buffers2[1].cbBuffer; + + } + goto label1; + //continue; + + SecBuffer input_buffers3[] = { + [0] = + { + /* + .cbBuffer = input_buffers2[1].cbBuffer, + .pvBuffer = input_buffers2[1].pvBuffer, + .BufferType = SECBUFFER_DATA, + */ + .pvBuffer = sc_handler->buffered_read_in_data_buf.buffer, + .cbBuffer = sc_handler->buffered_read_in_data_buf.len, + .BufferType = SECBUFFER_DATA, + }, + // [1] = { + // .pvBuffer = 
input_buffers[3].pvBuffer, + // .cbBuffer = input_buffers[3].cbBuffer, + // .BufferType = SECBUFFER_TOKEN, + //}, + [1] = { + .pvBuffer = input_buffers[3].pvBuffer, + .cbBuffer = input_buffers[3].cbBuffer, + .BufferType = SECBUFFER_EMPTY, + }, + [2] = { + .pvBuffer = input_buffers[3].pvBuffer, + .cbBuffer = input_buffers[3].cbBuffer, + .BufferType = SECBUFFER_EMPTY, + }, + [3] = { + .pvBuffer = input_buffers[3].pvBuffer, + .cbBuffer = input_buffers[3].cbBuffer, + .BufferType = SECBUFFER_EMPTY, + }, + }; + + // [2]= {.pvBuffer = NULL, .cbBuffer = 0, .BufferType = SECBUFFER_EMPTY, }, + // [3]= {.pvBuffer = NULL, .cbBuffer = 0, .BufferType = SECBUFFER_EMPTY, }, + // }; + + SecBufferDesc buffer_desc2 = { + .ulVersion = SECBUFFER_VERSION, + .cBuffers = 4, + .pBuffers = input_buffers3, + }; + printf("---------------- calling Decrypt Message2 %p\n", sc_handler->sec_handle); + status = DecryptMessage(&sc_handler->sec_handle, &buffer_desc2, 0, NULL); + printf("---------------- Decrypt Message2 status 0x%X\n", status); + return status; + + // memcpy( + // sc_handler->buffered_read_in_data_buf.buffer, input_buffers2[1].pvBuffer, 100); + //memmove( + //memcpy( + // sc_handler->buffered_read_in_data_buf.buffer, input_buffers2[1].pvBuffer, input_buffers2[1].cbBuffer); + + /* memcpy( + sc_handler->buffered_read_in_data_buf.buffer + sc_handler->buffered_read_in_data_buf.len, + message_cursor.ptr, + amount_to_move_to_buffer); + */ + + offset = 0; + sc_handler->read_extra = 0; + printf("buffer can fit the extra data\n"); + return s_do_application_data_decrypt(handler); + } + +/* + struct aws_io_message *outgoing_message = aws_channel_acquire_message_from_pool( + sc_handler->slot->channel, AWS_IO_MESSAGE_APPLICATION_DATA, buf_ptr->cbBuffer); + if (!outgoing_message) { + FreeContextBuffer(output_buffer.pvBuffer); + s_invoke_negotiation_error(handler, aws_last_error()); + return AWS_OP_ERR; + } + + AWS_ASSERT(outgoing_message->message_data.capacity >= data_to_write_len); + 
memcpy(outgoing_message->message_data.buffer, output_buffer.pvBuffer, output_buffer.cbBuffer); + outgoing_message->message_data.len = output_buffer.cbBuffer; + FreeContextBuffer(output_buffer.pvBuffer); + + if (aws_channel_slot_send_message(sc_handler->slot, outgoing_message, AWS_CHANNEL_DIR_WRITE)) { + aws_mem_release(outgoing_message->allocator, outgoing_message); + s_invoke_negotiation_error(handler, aws_last_error()); + return AWS_OP_ERR; + } + //error = SEC_E_OK; + //continue; + */ + //sc_handler->s_connection_state_fn = s_do_client_side_negotiation_step_2; + // s_do_client_side_negotiation_step_2(handler); + break; } else { AWS_LOGF_ERROR( - AWS_LS_IO_TLS, "id=%p: Error decrypting message. SECURITY_STATUS is %d.", (void *)handler, (int)status); + AWS_LS_IO_TLS, "id=%p: Error decrypting message. SECURITY_STATUS is %lu.", (void *)handler, (int)status); aws_raise_error(AWS_IO_TLS_ERROR_READ_FAILURE); } } while (sc_handler->read_extra); @@ -1193,7 +1528,9 @@ static int s_process_pending_output_messages(struct aws_channel_handler *handler sc_handler->buffered_read_out_data_buf.len - copy_size); sc_handler->buffered_read_out_data_buf.len -= copy_size; + printf("is on data read is defined 1?\n"); if (sc_handler->on_data_read) { + printf("on data read is defined 1\n"); sc_handler->on_data_read(handler, sc_handler->slot, &read_out_msg->message_data, sc_handler->user_data); } if (aws_channel_slot_send_message(sc_handler->slot, read_out_msg, AWS_CHANNEL_DIR_READ)) { @@ -1206,7 +1543,9 @@ static int s_process_pending_output_messages(struct aws_channel_handler *handler } AWS_LOGF_TRACE(AWS_LS_IO_TLS, "id=%p: Downstream window is %zu", (void *)handler, downstream_window); } else { + printf("is on data read is defined 2?\n"); if (sc_handler->on_data_read) { + printf("on dagta read is defined 2\n"); sc_handler->on_data_read( handler, sc_handler->slot, &sc_handler->buffered_read_out_data_buf, sc_handler->user_data); } 
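Review bot: In the `SEC_I_RENEGOTIATE` branch, `input_buffers2[0].pvBuffer = malloc(sc_handler->buffered_read_in_data_buf.len)` is never checked before the `memcpy` into it and is never freed, so every post-handshake message leaks the copy and an allocation failure becomes a NULL write; the rest of the file allocates through `aws_mem_*` with the handler's allocator. The output-token loop then forwards whatever InitializeSecurityContextA produced regardless of `status`, `error = status;` stores a SECURITY_STATUS in the AWS_OP_* result, and the unconditional `goto label1` / `return status;` leave the `input_buffers3` DecryptMessage, the `offset = 0` block and the recursive `return s_do_application_data_decrypt(handler)` unreachable, alongside several hundred bytes of commented-out experiments and `printf` hex dumps of handshake data. Check the allocation, release it on every path, gate token forwarding on an accepted status and delete the dead tail, as sketched below. The enclosing do/while and s_do_application_data_decrypt begin before this hunk.
```c
/* … unchanged: SECBUFFER_EXTRA bookkeeping … */
size_t token_len = sc_handler->buffered_read_in_data_buf.len;
void *token_copy = aws_mem_calloc(handler->alloc, 1, token_len);
if (!token_copy) {
    /* aws_mem_calloc reports the failure through aws_last_error() */
    return AWS_OP_ERR;
}
memcpy(token_copy, sc_handler->buffered_read_in_data_buf.buffer, token_len);
SecBuffer input_buffers2[] = {
    [0] = {.pvBuffer = token_copy, .cbBuffer = (unsigned long)token_len, .BufferType = SECBUFFER_TOKEN},
    [1] = {.pvBuffer = NULL, .cbBuffer = 0, .BufferType = SECBUFFER_EMPTY},
};
/* … unchanged: output buffer setup, server_name_cstr, InitializeSecurityContextA call … */
if (status != SEC_E_OK && status != SEC_I_CONTINUE_NEEDED) {
    aws_mem_release(handler->alloc, token_copy);
    int aws_error = s_determine_sspi_error(status);
    aws_raise_error(aws_error);
    s_invoke_negotiation_error(handler, aws_error);
    return AWS_OP_ERR;
}
/* … unchanged: forward SECBUFFER_TOKEN output buffers (also releasing token_copy on the two error returns) … */
aws_mem_release(handler->alloc, token_copy);
/* … unchanged: move input_buffers2[1] extra bytes to the front of buffered_read_in_data_buf and loop … */
```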
@@ -1236,7 +1575,7 @@ static int s_process_read_message( struct aws_io_message *message) { struct secure_channel_handler *sc_handler = handler->impl; - + printf("%s handle %p\n", __FUNCTION__, handler); if (message) { /* note, most of these functions log internally, so the log messages in this function are sparse. */ AWS_LOGF_TRACE( @@ -1245,6 +1584,8 @@ static int s_process_read_message( (void *)handler, message->message_data.len); + print_buffer(message->message_data.buffer, message->message_data.len, "printing received data"); + struct aws_byte_cursor message_cursor = aws_byte_cursor_from_buf(&message->message_data); /* The SSPI interface forces us to manage incomplete records manually. So when we had extra after @@ -1421,6 +1762,31 @@ static int s_process_write_message( .pBuffers = buffers, }; + SecPkgContext_SessionKey session_key; + SecPkgContext_SessionAppData sess_app_data; + SecPkgContext_SessionInfo sess_info; + SecPkgContext_StreamSizes stream_size; + + SECURITY_STATUS status = + // QueryContextAttributesA(&sc_handler->sec_handle, SECPKG_ATTR_STREAM_SIZES, &stream_size); + // if (status == SEC_E_OK) { + // printf("stream size = %lu\n", stream_size.cbMaximumMessage); + // } + + //status = + //QueryContextAttributesA(&sc_handler->sec_handle, SECPKG_ATTR_STREAM_SIZES, &y); + // QueryContextAttributesA(&sc_handler->sec_handle, SECPKG_ATTR_SESSION_KEY, &session_key); + // printf("-----------query context status is %lu\n", status); + // if (status == SEC_E_OK) { + // printf("-----------query context status is ok\n"); + //for (int i = 0; i < sess_key.cbAppData; i++) { + // printf("%X", sess_key.pbAppData[i]); + // } + //printf("\n"); + // } + +// snprintf(stdout, sess_key.SessionKeyLength, "session key is %XX\n", sess_key.SessionKey); + status = EncryptMessage(&sc_handler->sec_handle, 0, &buffer_desc, 0); if (status == SEC_E_OK) { 
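Review bot: In s_process_write_message the hunk turns the EncryptMessage line into `SECURITY_STATUS status = /* comments */ status = EncryptMessage(...)`, a declaration whose initializer assigns the variable being declared; the original line was a plain assignment, which suggests `status` is already declared earlier in the function, in which case this is a redeclaration in the same scope that MSVC rejects, and otherwise it is a confusing self-assignment. The four `SecPkgContext_*` locals (`session_key`, `sess_app_data`, `sess_info`, `stream_size`) are unused, and the commented-out code around them queries `SECPKG_ATTR_SESSION_KEY` and prints the key bytes; session-key dumping code should not remain in the tree even as a comment. Reduce the hunk to the original `status = EncryptMessage(&sc_handler->sec_handle, 0, &buffer_desc, 0);`. The `print_buffer(message->message_data.buffer, ...)` added to s_process_read_message above dumps every received TLS record to stdout and must be removed, and the `printf("%s handle %p\n", ...)` line should become an `AWS_LOGF_TRACE` with the file's `id=%p` tag. Both functions extend beyond their hunks.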
@@ -1519,6 +1885,8 @@ static int s_handler_shutdown( int error_code, bool abort_immediately) { struct secure_channel_handler *sc_handler = handler->impl; + printf("===== > shutting down schannel server\n"); + AWS_LOGF_DEBUG(AWS_LS_IO_TLS, "shutting down schannel server"); if (dir == AWS_CHANNEL_DIR_WRITE) { if (!abort_immediately && error_code != AWS_IO_SOCKET_CLOSED) { @@ -1545,6 +1913,7 @@ static int s_handler_shutdown( if (status != SEC_E_OK) { aws_raise_error(AWS_ERROR_SYS_CALL_FAILURE); + printf("raising sys call failrue\n"); return aws_channel_slot_on_handler_shutdown_complete( slot, dir, AWS_ERROR_SYS_CALL_FAILURE, abort_immediately); } @@ -1586,6 +1955,7 @@ static int s_handler_shutdown( slot->channel, AWS_IO_MESSAGE_APPLICATION_DATA, output_buffer.cbBuffer); if (!outgoing_message || outgoing_message->message_data.capacity < output_buffer.cbBuffer) { + printf("exiting line 1600\n"); return aws_channel_slot_on_handler_shutdown_complete(slot, dir, aws_last_error(), true); } memcpy(outgoing_message->message_data.buffer, output_buffer.pvBuffer, output_buffer.cbBuffer); @@ -1599,6 +1969,8 @@ static int s_handler_shutdown( } } + AWS_LOGF_DEBUG(AWS_LS_IO_TLS, "calling handler shutdown complete"); + printf("normal exit %d\n", error_code); return aws_channel_slot_on_handler_shutdown_complete(slot, dir, error_code, abort_immediately); } 
@@ -1719,20 +2091,50 @@ static struct aws_channel_handler *s_tls_handler_new( struct aws_channel_slot *slot, bool is_client_mode) { AWS_ASSERT(options->ctx); + printf("======================================== creating new handler\n"); struct secure_channel_handler *sc_handler = aws_mem_calloc(alloc, 1, sizeof(struct secure_channel_handler)); if (!sc_handler) { return NULL; } + struct secure_channel_ctx *sc_ctx = options->ctx->impl; + + DWORD enabled_protocols = 0; + enabled_protocols |= SP_PROT_TLS1_3_CLIENT; +// enabled_protocols |= SP_PROT_TLS1_2_CLIENT; + // enabled_protocols |= SP_PROT_TLS1_1_CLIENT; + // enabled_protocols |= SP_PROT_TLS1_0_CLIENT; + + //TLS_PARAMETERS tls_parameters = {0}; + //sc_ctx->tls_parameters.cAlpnIds = 0; + //sc_ctx->tls_parameters.rgstrAlpnIds = NULL; + //sc_ctx->tls_parameters.grbitDisabledProtocols = 0;// = (DWORD)~enabled_protocols; // force TLS_1.3 protocol + // sc_ctx->tls_parameters.cDisabledCrypto = 0; + // sc_ctx->tls_parameters.pDisabledCrypto = NULL; + // tls_parameters.pDisabledCrypto = &crypto_settings; + //sc_ctx->tls_parameters.dwFlags = 0; // only set on server; + + //sc_ctx->credentials_new.pTlsParameters = &sc_ctx->tls_parameters; + //sc_ctx->credentials_new.pTlsParameters->grbitDisabledProtocols = (DWORD)~enabled_protocols; + sc_ctx->credentials_new.cTlsParameters = 0; + sc_ctx->credentials_new.dwSessionLifespan = 0; // default 10 hours + //secure_channel_ctx->credentials_new.pTlsParameters->grbitDisabledProtocols + sc_handler->handler.alloc = alloc; sc_handler->handler.impl = sc_handler; sc_handler->handler.vtable = &s_handler_vtable; sc_handler->handler.slot = slot; + sc_ctx->credentials_new.dwFlags = + SCH_CRED_NO_DEFAULT_CREDS | + SCH_CRED_NO_SERVERNAME_CHECK | + SCH_SEND_AUX_RECORD | + SCH_USE_STRONG_CRYPTO | + // SCH_CRED_MANUAL_CRED_VALIDATION | + SCH_CRED_AUTO_CRED_VALIDATION; aws_tls_channel_handler_shared_init(&sc_handler->shared_state, &sc_handler->handler, options); - struct secure_channel_ctx *sc_ctx = 
options->ctx->impl; unsigned long credential_use = SECPKG_CRED_INBOUND; if (is_client_mode) { @@ -1744,14 +2146,16 @@ static struct aws_channel_handler *s_tls_handler_new( UNISP_NAME, credential_use, NULL, - &sc_ctx->credentials, + // &sc_ctx->credentials, + &sc_ctx->credentials_new, NULL, NULL, &sc_handler->creds, &sc_handler->sspi_timestamp); if (status != SEC_E_OK) { - AWS_LOGF_ERROR(AWS_LS_IO_TLS, "Error on AcquireCredentialsHandle. SECURITY_STATUS is %d", (int)status); + printf(" AcquireCredentialsHandle failed status = %X\n", status); + AWS_LOGF_ERROR(AWS_LS_IO_TLS, "Error on AcquireCredentialsHandle. SECURITY_STATUS is %lu", (int)status); int aws_error = s_determine_sspi_error(status); aws_raise_error(aws_error); goto on_error; @@ -1899,7 +2303,20 @@ struct aws_tls_ctx *s_ctx_new( } secure_channel_ctx->verify_peer = options->verify_peer; + + //secure_channel_ctx->credentials_new.dwCredFormat = SCH_CRED_FORMAT_CERT_HASH; + //secure_channel_ctx->credentials_new.dwCredFormat = SCH_CRED_FORMAT_CERT_HASH_STORE; + + //CRYPTO_SETTINGS crypto_settings[4] = { { 0 } }; + //int crypto_settings_num = 0; + + //crypto_settings[crypto_settings_num].eAlgorithmUsage = TlsParametersCngAlgUsageCipher; + secure_channel_ctx->credentials.dwVersion = SCHANNEL_CRED_VERSION; + + secure_channel_ctx->credentials_new.dwVersion = SCH_CREDENTIALS_VERSION; + secure_channel_ctx->credentials_new.dwCredFormat = 0; // kernel-mode only default + secure_channel_ctx->should_free_pcerts = true; secure_channel_ctx->credentials.grbitEnabledProtocols = 0; 
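Review bot: `sc_ctx->credentials_new.dwFlags = SCH_CRED_NO_DEFAULT_CREDS | SCH_CRED_NO_SERVERNAME_CHECK | SCH_SEND_AUX_RECORD | SCH_USE_STRONG_CRYPTO | SCH_CRED_AUTO_CRED_VALIDATION;` overwrites, at every handler creation, the flags that s_ctx_new derived from verify_peer and the CA file (SCH_CRED_MANUAL_CRED_VALIDATION when a custom trust store is loaded, the IGNORE_REVOCATION set when verify_peer is false), so a client built with a custom CA silently falls back to automatic validation against the system store and server-name checking is disabled for every connection, including ones that asked for peer verification. It also writes into the shared ctx from a per-connection constructor, so if handlers are created from several event-loop threads the same struct is mutated concurrently. Credential configuration belongs entirely in s_ctx_new, which already sets `credentials_new.dwFlags` in parallel with `credentials.dwFlags`; this function should only read sc_ctx, and the unused `enabled_protocols` and the commented-out TLS_PARAMETERS block should go. The same assignment is carried into s_tls_handler_new_win10_plus in patch 06 and turned into an OR in patch 07, which keeps the defect.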
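Review bot: `AWS_LOGF_ERROR(AWS_LS_IO_TLS, "Error on AcquireCredentialsHandle. SECURITY_STATUS is %lu", (int)status);` pairs an unsigned-long conversion with an int argument, which -Wformat rejects and which is undefined where the two types differ in size; the removed `%d` with `(int)status` was correct. The `printf` above it prints a signed SECURITY_STATUS with `%X` and, like the other printf additions, writes to stdout from library code; drop it and restore `AWS_LOGF_ERROR(AWS_LS_IO_TLS, "Error on AcquireCredentialsHandle. SECURITY_STATUS is %d", (int)status);`. The same `%lu`/`(int)` mismatch is introduced in this patch's decrypt error log and is kept in both constructors of patch 06.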
@@ -1917,12 +2334,15 @@ struct aws_tls_ctx *s_ctx_new( secure_channel_ctx->credentials.grbitEnabledProtocols |= SP_PROT_TLS1_2_CLIENT; #endif case AWS_IO_TLSv1_3: -#if defined(SP_PROT_TLS1_3_CLIENT) + printf("tls 1.3 certificate detected\n"); + #if defined(SP_PROT_TLS1_3_CLIENT) secure_channel_ctx->credentials.grbitEnabledProtocols |= SP_PROT_TLS1_3_CLIENT; #endif break; case AWS_IO_TLS_VER_SYS_DEFAULTS: + printf("default client...testing\n"); secure_channel_ctx->credentials.grbitEnabledProtocols = 0; + //secure_channel_ctx->credentials.grbitEnabledProtocols = SP_PROT_TLS1_3_CLIENT; break; } } else { @@ -1951,6 +2371,7 @@ struct aws_tls_ctx *s_ctx_new( if (options->verify_peer && aws_tls_options_buf_is_set(&options->ca_file)) { AWS_LOGF_DEBUG(AWS_LS_IO_TLS, "static: loading custom CA file."); secure_channel_ctx->credentials.dwFlags = SCH_CRED_MANUAL_CRED_VALIDATION; + secure_channel_ctx->credentials_new.dwFlags = SCH_CRED_MANUAL_CRED_VALIDATION; struct aws_byte_cursor ca_blob_cur = aws_byte_cursor_from_buf(&options->ca_file); int error = aws_import_trusted_certificates(alloc, &ca_blob_cur, &secure_channel_ctx->custom_trust_store); @@ -1961,6 +2382,7 @@ struct aws_tls_ctx *s_ctx_new( } } else if (is_client_mode) { secure_channel_ctx->credentials.dwFlags = SCH_CRED_AUTO_CRED_VALIDATION; + secure_channel_ctx->credentials_new.dwFlags = SCH_CRED_AUTO_CRED_VALIDATION; } if (is_client_mode && !options->verify_peer) { 
@@ -1973,13 +2395,23 @@ struct aws_tls_ctx *s_ctx_new( secure_channel_ctx->credentials.dwFlags |= SCH_CRED_IGNORE_NO_REVOCATION_CHECK | SCH_CRED_IGNORE_REVOCATION_OFFLINE | SCH_CRED_NO_SERVERNAME_CHECK | SCH_CRED_MANUAL_CRED_VALIDATION; + + secure_channel_ctx->credentials_new.dwFlags &= ~(SCH_CRED_AUTO_CRED_VALIDATION); + secure_channel_ctx->credentials_new.dwFlags |= SCH_CRED_IGNORE_NO_REVOCATION_CHECK | + SCH_CRED_IGNORE_REVOCATION_OFFLINE | SCH_CRED_NO_SERVERNAME_CHECK | + SCH_CRED_MANUAL_CRED_VALIDATION; } else if (is_client_mode) { secure_channel_ctx->credentials.dwFlags |= SCH_CRED_REVOCATION_CHECK_CHAIN | SCH_CRED_IGNORE_REVOCATION_OFFLINE; + + secure_channel_ctx->credentials_new.dwFlags |= SCH_CRED_REVOCATION_CHECK_CHAIN | SCH_CRED_IGNORE_REVOCATION_OFFLINE; } /* if someone wants to use broken algorithms like rc4/md5/des they'll need to ask for a special control */ secure_channel_ctx->credentials.dwFlags |= SCH_USE_STRONG_CRYPTO; + secure_channel_ctx->credentials_new.dwFlags |= SCH_USE_STRONG_CRYPTO; + secure_channel_ctx->credentials_new.dwFlags |= SCH_CRED_NO_DEFAULT_CREDS; + /* if using a system store. */ if (options->system_certificate_path) { AWS_LOGF_DEBUG(AWS_LS_IO_TLS, "static: assuming certificate is in a system store, loading now."); @@ -1990,8 +2422,13 @@ struct aws_tls_ctx *s_ctx_new( goto clean_up; } + secure_channel_ctx->credentials.paCred = &secure_channel_ctx->pcerts; secure_channel_ctx->credentials.cCreds = 1; + + secure_channel_ctx->credentials_new.paCred = &secure_channel_ctx->pcerts; + secure_channel_ctx->credentials_new.cCreds = 1; + /* if using traditional PEM armored PKCS#7 and ASN Encoding public/private key pairs */ } else if (aws_tls_options_buf_is_set(&options->certificate) && aws_tls_options_buf_is_set(&options->private_key)) { 
@@ -2029,6 +2466,10 @@ struct aws_tls_ctx *s_ctx_new( secure_channel_ctx->credentials.paCred = &secure_channel_ctx->pcerts; secure_channel_ctx->credentials.cCreds = 1; + + secure_channel_ctx->credentials_new.paCred = &secure_channel_ctx->pcerts; + secure_channel_ctx->credentials_new.cCreds = 1; + secure_channel_ctx->should_free_pcerts = false; } From 6c28ad06a1c318e09622855f47a6a4d6d367dc4c Mon Sep 17 00:00:00 2001 From: Alfred Gedeon Date: Fri, 17 May 2024 20:36:35 -0700 Subject: [PATCH 02/88] add version check --- source/windows/secure_channel_tls_handler.c | 55 +++++++++++++++++++++ 1 file changed, 55 insertions(+) diff --git a/source/windows/secure_channel_tls_handler.c b/source/windows/secure_channel_tls_handler.c index 993e1bc2d..7a5500f65 100644 --- a/source/windows/secure_channel_tls_handler.c +++ b/source/windows/secure_channel_tls_handler.c 
@@ -141,6 +141,61 @@ static size_t s_message_overhead(struct aws_channel_handler *handler) { return sc_handler->stream_sizes.cbTrailer + sc_handler->stream_sizes.cbHeader; } +bool is_windows_equal_or_above_10(void) { + +//Windows 10 1809 +//Windows Server 1809 + + DWORDLONG dwlConditionMask = 0; + int op = VER_GREATER_EQUAL; + OSVERSIONINFOEX osvi; + + NTSTATUS status; + + ZeroMemory(&osvi, sizeof(OSVERSIONINFOEX)); + osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEX); + // osvi.dwMajorVersion = 5; + // osvi.dwMinorVersion = 0; + //osvi.wServicePackMajor = 0; + // osvi.wServicePackMinor = 0; + osvi.dwBuildNumber = 1809; +/* + VerSetConditionMask = VerSetConditionMask(dwlConditionMask, + VER_MAJORVERSION, op); + VerSetConditionMask = VerSetConditionMask(dwlConditionMask, + VER_MINORVERSION, op); + VerSetConditionMask = VerSetConditionMask(dwlConditionMask, + VER_SERVICEPACKMAJOR, op); + VerSetConditionMask = VerSetConditionMask(dwlConditionMask, + VER_SERVICEPACKMINOR, op); + VerSetConditionMask = VerSetConditionMask(dwlConditionMask, + VER_PRODUCT_TYPE, VER_EQUAL); + VerSetConditionMask = VerSetConditionMask(dwlConditionMask, + VER_PRODUCT_TYPE, VER_EQUAL); +*/ + VerSetConditionMask = VerSetConditionMask(dwlConditionMask, + VER_BUILDNUMBER, op); + + pRtlVerifyVersionInfo = (RTLVERIFYVERSIONINFO_FN) + (GetProcAddress(GetModuleHandleA("ntdll"), "RtlVerifyVersionInfo")); + + if (pRtlVerifyVersionInfo) { + status = !pRtlVerifyVersionInfo(&osvi, + dwTypeMask, + VerSetConditionMask); + } /*else { + status = !!VerifyVersionInfoW((OSVERSIONINFOEXW *)&osvi, + dwTypeMask, + VerSetConditionMask); + }*/ + if (status == STATUS_SUCCESS) { + return true; + } else { + return false; + } +} + + bool aws_tls_is_alpn_available(void) { /* if you built on an old version of windows, still no support, but if you did, we still want to check the OS version at runtime before agreeing to attempt alpn. */ From de09df248a2f9ed832aa973119f814b495f21e08 Mon Sep 17 00:00:00 2001 
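Review bot: `VerSetConditionMask = VerSetConditionMask(dwlConditionMask, VER_BUILDNUMBER, op);` assigns to a function name rather than to `dwlConditionMask`, and `pRtlVerifyVersionInfo`, `RTLVERIFYVERSIONINFO_FN` and `dwTypeMask` are never declared, so is_windows_equal_or_above_10 does not compile as written. Beyond that, `status` is left uninitialized when GetProcAddress fails, `status = !pRtlVerifyVersionInfo(...)` inverts the NTSTATUS before it is compared with STATUS_SUCCESS, and `osvi.dwBuildNumber = 1809;` uses a release name where a build number is expected (Windows 10 1809 is build 17763). A simpler and more robust check is `dwlConditionMask = VerSetConditionMask(0, VER_MAJORVERSION, VER_GREATER_EQUAL);` with `osvi.dwMajorVersion = 10;`, plus a failing default for `status` before the branch. The function is also non-static and lacks the `s_` prefix used by the file's other helpers.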
From: Alfred Gedeon Date: Fri, 17 May 2024 20:39:57 -0700 Subject: [PATCH 03/88] add version check --- source/windows/secure_channel_tls_handler.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/source/windows/secure_channel_tls_handler.c b/source/windows/secure_channel_tls_handler.c index 7a5500f65..299cef5a3 100644 --- a/source/windows/secure_channel_tls_handler.c +++ b/source/windows/secure_channel_tls_handler.c @@ -2332,6 +2332,9 @@ struct aws_tls_ctx *s_ctx_new( const struct aws_tls_ctx_options *options, bool is_client_mode) { + bool is_above_win_10; + is_above_win_10 = is_windows_equal_or_above_10(); + printf("\\\\\\\\\ windows is above 10? %d\n", is_above_win_10); if (!aws_tls_is_cipher_pref_supported(options->cipher_pref)) { aws_raise_error(AWS_IO_TLS_CIPHER_PREF_UNSUPPORTED); AWS_LOGF_ERROR(AWS_LS_IO_TLS, "static: TLS Cipher Preference is not supported: %d.", options->cipher_pref); From 5586e6ae428f862f4b2786f3a996c2ac8d32345f Mon Sep 17 00:00:00 2001 From: Alfred Gedeon Date: Fri, 17 May 2024 21:14:48 -0700 Subject: [PATCH 04/88] sync --- source/windows/secure_channel_tls_handler.c | 1 - 1 file changed, 1 deletion(-) diff --git a/source/windows/secure_channel_tls_handler.c b/source/windows/secure_channel_tls_handler.c index 299cef5a3..bfcbc8d82 100644 --- a/source/windows/secure_channel_tls_handler.c +++ b/source/windows/secure_channel_tls_handler.c @@ -1436,7 +1436,6 @@ static int s_do_application_data_decrypt(struct aws_channel_handler *handler) input_buffers2[1].cbBuffer, input_buffers2[1].cbBuffer); sc_handler->buffered_read_in_data_buf.len = input_buffers2[1].cbBuffer; - } goto label1; //continue; From c20a5dd65ec8b730974c213de903e9aa850c7d4d Mon Sep 17 00:00:00 2001 From: alfred2g Date: Fri, 17 May 2024 23:17:07 -0700 Subject: [PATCH 05/88] version info --- source/windows/secure_channel_tls_handler.c | 55 +++++++++------------ 1 file changed, 23 insertions(+), 32 deletions(-) 
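Review bot: In `printf("\\\\\\\\\ windows is above 10? %d\n", is_above_win_10);` the run of backslashes appears to be odd-length, leaving a trailing `\ ` that is not a valid escape sequence, and `is_above_win_10` is computed only to be printed: nothing in s_ctx_new uses it to choose between the SCHANNEL_CRED and SCH_CREDENTIALS paths, so both structures are still filled regardless of OS. If the value is wanted for diagnostics, route it through the existing logger, `AWS_LOGF_DEBUG(AWS_LS_IO_TLS, "static: running on Windows 10 or later: %d", is_above_win_10);`, otherwise drop the three lines until the branch that consumes the result exists. s_ctx_new continues outside the hunk.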
diff --git a/source/windows/secure_channel_tls_handler.c b/source/windows/secure_channel_tls_handler.c index bfcbc8d82..489f39344 100644 --- a/source/windows/secure_channel_tls_handler.c +++ b/source/windows/secure_channel_tls_handler.c @@ -140,11 +140,13 @@ static size_t s_message_overhead(struct aws_channel_handler *handler) { return sc_handler->stream_sizes.cbTrailer + sc_handler->stream_sizes.cbHeader; } +//#include "Ntddk.h" bool is_windows_equal_or_above_10(void) { -//Windows 10 1809 -//Windows Server 1809 +// Windows 10 1809 +// Windows Server 1809 +// current 11 22631 DWORDLONG dwlConditionMask = 0; int op = VER_GREATER_EQUAL; 
@@ -154,36 +156,25 @@ bool is_windows_equal_or_above_10(void) { ZeroMemory(&osvi, sizeof(OSVERSIONINFOEX)); osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEX); - // osvi.dwMajorVersion = 5; - // osvi.dwMinorVersion = 0; - //osvi.wServicePackMajor = 0; - // osvi.wServicePackMinor = 0; - osvi.dwBuildNumber = 1809; -/* - VerSetConditionMask = VerSetConditionMask(dwlConditionMask, - VER_MAJORVERSION, op); - VerSetConditionMask = VerSetConditionMask(dwlConditionMask, - VER_MINORVERSION, op); - VerSetConditionMask = VerSetConditionMask(dwlConditionMask, - VER_SERVICEPACKMAJOR, op); - VerSetConditionMask = VerSetConditionMask(dwlConditionMask, - VER_SERVICEPACKMINOR, op); - VerSetConditionMask = VerSetConditionMask(dwlConditionMask, - VER_PRODUCT_TYPE, VER_EQUAL); - VerSetConditionMask = VerSetConditionMask(dwlConditionMask, - VER_PRODUCT_TYPE, VER_EQUAL); -*/ - VerSetConditionMask = VerSetConditionMask(dwlConditionMask, - VER_BUILDNUMBER, op); - - pRtlVerifyVersionInfo = (RTLVERIFYVERSIONINFO_FN) - (GetProcAddress(GetModuleHandleA("ntdll"), "RtlVerifyVersionInfo")); - - if (pRtlVerifyVersionInfo) { - status = !pRtlVerifyVersionInfo(&osvi, - dwTypeMask, - VerSetConditionMask); - } /*else { + osvi.dwBuildNumber = 22632; + + dwlConditionMask = VerSetConditionMask(dwlConditionMask, + VER_BUILDNUMBER, op); + typedef NTSTATUS(WINAPI * pRtlGetVersionInfo)( + PRTL_OSVERSIONINFOW lpVersionInformation, + ULONG TypeMask, + ULONGLONG ConditionMask); + + pRtlGetVersionInfo f; + f = GetProcAddress(GetModuleHandle("ntdll"), "RtlVerifyVersionInfo"); + + if (f) { + status = f(&osvi, VER_BUILDNUMBER, + dwlConditionMask); + } else { + printf(" \\\\\\\\\\\\\\\\ could not load module\n"); + } + /*else { status = !!VerifyVersionInfoW((OSVERSIONINFOEXW *)&osvi, dwTypeMask, VerSetConditionMask); From 4f50b77bc26bad6bfc42a9217ce8ecbc711e79a2 Mon Sep 17 00:00:00 2001 
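Review bot: `osvi.dwBuildNumber = 22632;` together with VER_GREATER_EQUAL makes the function return true only on builds at or above 22632, a recent Windows 11 build, so every Windows 10 release and earlier Windows 11 builds are reported as below 10 and will never take the SCH_CREDENTIALS path the name promises. The comment above still names 1809 as the intended floor, which is build 17763; comparing `osvi.dwMajorVersion` against 10 (or using that build number) matches the function's contract. `status` remains uninitialized when `f` is NULL, `f = GetProcAddress(GetModuleHandle("ntdll"), "RtlVerifyVersionInfo");` needs a cast to `pRtlGetVersionInfo`, and RtlVerifyVersionInfo takes an `RTL_OSVERSIONINFOEXW` whereas `osvi` is an `OSVERSIONINFOEX` (the A variant unless UNICODE is defined), whose size and szCSDVersion layout differ. The `printf` on the failure path should be an AWS_LOGF_ERROR. The function's closing lines are outside the hunk.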
From: Alfred Gedeon Date: Sat, 18 May 2024 10:31:02 -0700 Subject: [PATCH 06/88] crate acquire common section --- source/tls_channel_handler.c | 1 + source/windows/secure_channel_tls_handler.c | 204 +++++++++++++------- 2 files changed, 132 insertions(+), 73 deletions(-) diff --git a/source/tls_channel_handler.c b/source/tls_channel_handler.c index 5c6426872..2d84aa949 100644 --- a/source/tls_channel_handler.c +++ b/source/tls_channel_handler.c @@ -733,6 +733,7 @@ void aws_tls_clean_up_static_state(void) {} #endif /* BYO_CRYPTO */ +// XXX: not used function int aws_channel_setup_client_tls( struct aws_channel_slot *right_of_slot, struct aws_tls_connection_options *tls_options) { diff --git a/source/windows/secure_channel_tls_handler.c b/source/windows/secure_channel_tls_handler.c index 489f39344..6951d2105 100644 --- a/source/windows/secure_channel_tls_handler.c +++ b/source/windows/secure_channel_tls_handler.c @@ -73,7 +73,6 @@ struct secure_channel_ctx { struct aws_string *alpn_list; SCHANNEL_CRED credentials; SCH_CREDENTIALS credentials_new; - //TLS_PARAMETERS tls_parameters; PCERT_CONTEXT pcerts; HCERTSTORE cert_store; HCERTSTORE custom_trust_store; @@ -142,7 +141,7 @@ static size_t s_message_overhead(struct aws_channel_handler *handler) { } //#include "Ntddk.h" -bool is_windows_equal_or_above_10(void) { +bool s_is_windows_equal_or_above_10(void) { // Windows 10 1809 // Windows Server 1809 
@@ -2130,13 +2129,74 @@ static struct aws_channel_handler_vtable s_handler_vtable = { .gather_statistics = s_gather_statistics, }; -static struct aws_channel_handler *s_tls_handler_new( +static struct aws_channel_handler *s_tls_handler_new_common( + struct aws_allocator *alloc, + struct aws_tls_connection_options *options, + struct aws_channel_slot *slot, + bool is_client_mode, + struct secure_channel_handler *sc_handler) { + sc_handler->advertise_alpn_message = options->advertise_alpn_message; + sc_handler->on_data_read = options->on_data_read; + sc_handler->on_error = options->on_error; + sc_handler->on_negotiation_result = options->on_negotiation_result; + sc_handler->user_data = options->user_data; + + if (!options->alpn_list && sc_ctx->alpn_list) { + sc_handler->alpn_list = aws_string_new_from_string(alloc, sc_ctx->alpn_list); + if (!sc_handler->alpn_list) { + goto on_error; + } + } else if (options->alpn_list) { + sc_handler->alpn_list = aws_string_new_from_string(alloc, options->alpn_list); + if (!sc_handler->alpn_list) { + goto on_error; + } + } + + if (options->server_name) { + AWS_LOGF_DEBUG( + AWS_LS_IO_TLS, + "id=%p: Setting SNI to %s", + (void *)&sc_handler->handler, + aws_string_c_str(options->server_name)); + struct aws_byte_cursor server_name_crsr = aws_byte_cursor_from_string(options->server_name); + if (aws_byte_buf_init_copy_from_cursor(&sc_handler->server_name, alloc, server_name_crsr)) { + goto on_error; + } + } + + sc_handler->slot = slot; + + if (is_client_mode) { + sc_handler->s_connection_state_fn = s_do_client_side_negotiation_step_1; + } else { + sc_handler->s_connection_state_fn = s_do_server_side_negotiation_step_1; + } + + sc_handler->custom_ca_store = sc_ctx->custom_trust_store; + sc_handler->buffered_read_in_data_buf = + aws_byte_buf_from_array(sc_handler->buffered_read_in_data, sizeof(sc_handler->buffered_read_in_data)); + sc_handler->buffered_read_in_data_buf.len = 0; + sc_handler->buffered_read_out_data_buf = + 
aws_byte_buf_from_array(sc_handler->buffered_read_out_data, sizeof(sc_handler->buffered_read_out_data)); + sc_handler->buffered_read_out_data_buf.len = 0; + sc_handler->verify_peer = sc_ctx->verify_peer; + + return &sc_handler->handler; + +on_error: + + s_secure_channel_handler_destroy(alloc, sc_handler); + + return NULL; +} + +static struct aws_channel_handler *s_tls_handler_new_win10_plus( struct aws_allocator *alloc, struct aws_tls_connection_options *options, struct aws_channel_slot *slot, bool is_client_mode) { AWS_ASSERT(options->ctx); - printf("======================================== creating new handler\n"); struct secure_channel_handler *sc_handler = aws_mem_calloc(alloc, 1, sizeof(struct secure_channel_handler)); if (!sc_handler) { 
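Review bot: s_tls_handler_new_common reads `sc_ctx->alpn_list`, `sc_ctx->custom_trust_store` and `sc_ctx->verify_peer` but never declares `sc_ctx`; the declaration stayed in the callers, so the new function does not compile. Add `struct secure_channel_ctx *sc_ctx = options->ctx->impl;` at the top, or pass the ctx in as a parameter instead of re-deriving it. Because the function destroys `sc_handler` on its own error path, callers must not touch the handler after a NULL return; a one-line comment on the signature saying that ownership of `sc_handler` passes to this call and it is freed on failure would prevent a double free the next time a caller grows an error path. The hunk ends inside the opening lines of s_tls_handler_new_win10_plus, whose body continues past it.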
@@ -2144,42 +2204,23 @@ static struct aws_channel_handler *s_tls_handler_new( } struct secure_channel_ctx *sc_ctx = options->ctx->impl; - DWORD enabled_protocols = 0; - enabled_protocols |= SP_PROT_TLS1_3_CLIENT; -// enabled_protocols |= SP_PROT_TLS1_2_CLIENT; - // enabled_protocols |= SP_PROT_TLS1_1_CLIENT; - // enabled_protocols |= SP_PROT_TLS1_0_CLIENT; - - //TLS_PARAMETERS tls_parameters = {0}; - //sc_ctx->tls_parameters.cAlpnIds = 0; - //sc_ctx->tls_parameters.rgstrAlpnIds = NULL; - //sc_ctx->tls_parameters.grbitDisabledProtocols = 0;// = (DWORD)~enabled_protocols; // force TLS_1.3 protocol - // sc_ctx->tls_parameters.cDisabledCrypto = 0; - // sc_ctx->tls_parameters.pDisabledCrypto = NULL; - // tls_parameters.pDisabledCrypto = &crypto_settings; - //sc_ctx->tls_parameters.dwFlags = 0; // only set on server; - - //sc_ctx->credentials_new.pTlsParameters = &sc_ctx->tls_parameters; - //sc_ctx->credentials_new.pTlsParameters->grbitDisabledProtocols = (DWORD)~enabled_protocols; sc_ctx->credentials_new.cTlsParameters = 0; sc_ctx->credentials_new.dwSessionLifespan = 0; // default 10 hours - //secure_channel_ctx->credentials_new.pTlsParameters->grbitDisabledProtocols - + // TODO: try to copy to the common section above sc_handler->handler.alloc = alloc; sc_handler->handler.impl = sc_handler; sc_handler->handler.vtable = &s_handler_vtable; sc_handler->handler.slot = slot; sc_ctx->credentials_new.dwFlags = - SCH_CRED_NO_DEFAULT_CREDS | - SCH_CRED_NO_SERVERNAME_CHECK | - SCH_SEND_AUX_RECORD | + SCH_CRED_NO_DEFAULT_CREDS | + SCH_CRED_NO_SERVERNAME_CHECK | + SCH_SEND_AUX_RECORD | SCH_USE_STRONG_CRYPTO | - // SCH_CRED_MANUAL_CRED_VALIDATION | SCH_CRED_AUTO_CRED_VALIDATION; - aws_tls_channel_handler_shared_init(&sc_handler->shared_state, &sc_handler->handler, options); + aws_tls_channel_handler_shared_init(&sc_handler->shared_state, &sc_handler->handler, options); unsigned long credential_use = SECPKG_CRED_INBOUND; if (is_client_mode) { 
@@ -2191,7 +2232,6 @@ static struct aws_channel_handler *s_tls_handler_new( UNISP_NAME, credential_use, NULL, - // &sc_ctx->credentials, &sc_ctx->credentials_new, NULL, NULL, 
@@ -2199,61 +2239,68 @@ static struct aws_channel_handler *s_tls_handler_new( &sc_handler->sspi_timestamp); if (status != SEC_E_OK) { - printf(" AcquireCredentialsHandle failed status = %X\n", status); AWS_LOGF_ERROR(AWS_LS_IO_TLS, "Error on AcquireCredentialsHandle. SECURITY_STATUS is %lu", (int)status); int aws_error = s_determine_sspi_error(status); aws_raise_error(aws_error); goto on_error; } - sc_handler->advertise_alpn_message = options->advertise_alpn_message; - sc_handler->on_data_read = options->on_data_read; - sc_handler->on_error = options->on_error; - sc_handler->on_negotiation_result = options->on_negotiation_result; - sc_handler->user_data = options->user_data; + return s_tls_handler_new_common(alloc, options, slot, is_client_mode, sc_handler); - if (!options->alpn_list && sc_ctx->alpn_list) { - sc_handler->alpn_list = aws_string_new_from_string(alloc, sc_ctx->alpn_list); - if (!sc_handler->alpn_list) { - goto on_error; - } - } else if (options->alpn_list) { - sc_handler->alpn_list = aws_string_new_from_string(alloc, options->alpn_list); - if (!sc_handler->alpn_list) { - goto on_error; - } - } +on_error: - if (options->server_name) { - AWS_LOGF_DEBUG( - AWS_LS_IO_TLS, - "id=%p: Setting SNI to %s", - (void *)&sc_handler->handler, - aws_string_c_str(options->server_name)); - struct aws_byte_cursor server_name_crsr = aws_byte_cursor_from_string(options->server_name); - if (aws_byte_buf_init_copy_from_cursor(&sc_handler->server_name, alloc, server_name_crsr)) { - goto on_error; - } + s_secure_channel_handler_destroy(alloc, sc_handler); + + return NULL; +} + + +static struct aws_channel_handler *s_tls_handler_new( + struct aws_allocator *alloc, + struct aws_tls_connection_options *options, + struct aws_channel_slot *slot, + bool is_client_mode) { + AWS_ASSERT(options->ctx); + + struct secure_channel_handler *sc_handler = aws_mem_calloc(alloc, 1, sizeof(struct secure_channel_handler)); + if (!sc_handler) { + return NULL; } - sc_handler->slot = slot; + // 
TODO: try to copy to the common section above + sc_handler->handler.alloc = alloc; + sc_handler->handler.impl = sc_handler; + sc_handler->handler.vtable = &s_handler_vtable; + sc_handler->handler.slot = slot; + + aws_tls_channel_handler_shared_init(&sc_handler->shared_state, &sc_handler->handler, options); + + struct secure_channel_ctx *sc_ctx = options->ctx->impl; + unsigned long credential_use = SECPKG_CRED_INBOUND; if (is_client_mode) { - sc_handler->s_connection_state_fn = s_do_client_side_negotiation_step_1; - } else { - sc_handler->s_connection_state_fn = s_do_server_side_negotiation_step_1; + credential_use = SECPKG_CRED_OUTBOUND; } - sc_handler->custom_ca_store = sc_ctx->custom_trust_store; - sc_handler->buffered_read_in_data_buf = - aws_byte_buf_from_array(sc_handler->buffered_read_in_data, sizeof(sc_handler->buffered_read_in_data)); - sc_handler->buffered_read_in_data_buf.len = 0; - sc_handler->buffered_read_out_data_buf = - aws_byte_buf_from_array(sc_handler->buffered_read_out_data, sizeof(sc_handler->buffered_read_out_data)); - sc_handler->buffered_read_out_data_buf.len = 0; - sc_handler->verify_peer = sc_ctx->verify_peer; + SECURITY_STATUS status = AcquireCredentialsHandleA( + NULL, + UNISP_NAME, + credential_use, + NULL, + &sc_ctx->credentials, + NULL, + NULL, + &sc_handler->creds, + &sc_handler->sspi_timestamp); - return &sc_handler->handler; + if (status != SEC_E_OK) { + AWS_LOGF_ERROR(AWS_LS_IO_TLS, "Error on AcquireCredentialsHandle. SECURITY_STATUS is %lu", (int)status); + int aws_error = s_determine_sspi_error(status); + aws_raise_error(aws_error); + goto on_error; + } + + return s_tls_handler_new_common(alloc, options, slot, is_client_mode, sc_handler); on_error: 
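Review bot: s_tls_handler_new_win10_plus and the re-created s_tls_handler_new are now the same function apart from which structure is passed to AcquireCredentialsHandleA (`&sc_ctx->credentials_new` versus `&sc_ctx->credentials`) and the flag mutation in the former; the handler field setup, aws_tls_channel_handler_shared_init, the credential_use selection and the error path are duplicated line for line, as the `TODO` comments in both admit. Moving the AcquireCredentialsHandleA call into the common function with a `void *auth_data` parameter would reduce each wrapper to choosing the structure. Both copies also keep `"SECURITY_STATUS is %lu", (int)status`, an unsigned-long conversion with an int argument; `%d` matches the cast.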
@@ -2261,12 +2308,18 @@ static struct aws_channel_handler *s_tls_handler_new( return NULL; } + + struct aws_channel_handler *aws_tls_client_handler_new( struct aws_allocator *allocator, struct aws_tls_connection_options *options, struct aws_channel_slot *slot) { - return s_tls_handler_new(allocator, options, slot, true); + if(s_is_windows_equal_or_above_10()) { + return s_tls_handler_new_win10_plus(allocator, options, slot, true); + else { + return s_tls_handler_new(allocator, options, slot, true); + } } struct aws_channel_handler *aws_tls_server_handler_new( @@ -2274,7 +2327,11 @@ struct aws_channel_handler *aws_tls_server_handler_new( struct aws_tls_connection_options *options, struct aws_channel_slot *slot) { - return s_tls_handler_new(allocator, options, slot, false); + if(s_is_windows_equal_or_above_10()) { + return s_tls_handler_new_win10_plus(allocator, options, slot, false); + else { + return s_tls_handler_new(allocator, options, slot, false); + } } static void s_secure_channel_ctx_destroy(struct secure_channel_ctx *secure_channel_ctx) { @@ -2323,8 +2380,9 @@ struct aws_tls_ctx *s_ctx_new( bool is_client_mode) { bool is_above_win_10; - is_above_win_10 = is_windows_equal_or_above_10(); + is_above_win_10 = s_is_windows_equal_or_above_10(); printf("\\\\\\\\\ windows is above 10? %d\n", is_above_win_10); + if (!aws_tls_is_cipher_pref_supported(options->cipher_pref)) { aws_raise_error(AWS_IO_TLS_CIPHER_PREF_UNSUPPORTED); AWS_LOGF_ERROR(AWS_LS_IO_TLS, "static: TLS Cipher Preference is not supported: %d.", options->cipher_pref); @@ -2359,7 +2417,7 @@ struct aws_tls_ctx *s_ctx_new( //int crypto_settings_num = 0; //crypto_settings[crypto_settings_num].eAlgorithmUsage = TlsParametersCngAlgUsageCipher; - + secure_channel_ctx->credentials.dwVersion = SCHANNEL_CRED_VERSION; secure_channel_ctx->credentials_new.dwVersion = SCH_CREDENTIALS_VERSION; From a5a33901bdbaaeae4e9cda0b577d578500d6cc25 Mon Sep 17 00:00:00 2001 
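Review bot: `if(s_is_windows_equal_or_above_10()) { return s_tls_handler_new_win10_plus(allocator, options, slot, true); else {` is missing the closing brace before `else`, in both aws_tls_client_handler_new and aws_tls_server_handler_new, so the file does not compile. Write `if (s_is_windows_equal_or_above_10()) {` / `return s_tls_handler_new_win10_plus(allocator, options, slot, true);` / `} else {` and mirror it in the server variant. Probing the OS version per connection also calls GetProcAddress on every handler while s_ctx_new already calls the same function and discards its result; recording the decision once in the ctx would keep the two paths consistent.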
From: Alfred Gedeon Date: Sat, 18 May 2024 21:45:54 -0700 Subject: [PATCH 07/88] Split newer and older versions of windows --- source/windows/secure_channel_tls_handler.c | 224 ++++++++++++-------- 1 file changed, 138 insertions(+), 86 deletions(-) diff --git a/source/windows/secure_channel_tls_handler.c b/source/windows/secure_channel_tls_handler.c index 6951d2105..00eaee6d2 100644 --- a/source/windows/secure_channel_tls_handler.c +++ b/source/windows/secure_channel_tls_handler.c @@ -2197,6 +2197,7 @@ static struct aws_channel_handler *s_tls_handler_new_win10_plus( struct aws_channel_slot *slot, bool is_client_mode) { AWS_ASSERT(options->ctx); + DWORD dwFlags = 0; struct secure_channel_handler *sc_handler = aws_mem_calloc(alloc, 1, sizeof(struct secure_channel_handler)); if (!sc_handler) { @@ -2213,12 +2214,13 @@ static struct aws_channel_handler *s_tls_handler_new_win10_plus( sc_handler->handler.vtable = &s_handler_vtable; sc_handler->handler.slot = slot; - sc_ctx->credentials_new.dwFlags = - SCH_CRED_NO_DEFAULT_CREDS | - SCH_CRED_NO_SERVERNAME_CHECK | - SCH_SEND_AUX_RECORD | - SCH_USE_STRONG_CRYPTO | - SCH_CRED_AUTO_CRED_VALIDATION; + dwFlags = SCH_CRED_NO_DEFAULT_CREDS | + SCH_CRED_NO_SERVERNAME_CHECK | + SCH_SEND_AUX_RECORD | + SCH_USE_STRONG_CRYPTO | + SCH_CRED_AUTO_CRED_VALIDATION; + + sc_ctx->credentials_new.dwFlags |= dwFlags; aws_tls_channel_handler_shared_init(&sc_handler->shared_state, &sc_handler->handler, options); 
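Review bot: Switching to `sc_ctx->credentials_new.dwFlags |= dwFlags;` changes the shape of the problem rather than removing it: the OR still adds SCH_CRED_NO_SERVERNAME_CHECK to every connection regardless of verify_peer, and adds SCH_CRED_AUTO_CRED_VALIDATION on top of the SCH_CRED_MANUAL_CRED_VALIDATION that s_ctx_new sets when a custom CA file is loaded, so the structure now carries both validation modes at once. The flags are also still written into the shared ctx on every handler creation instead of once in s_ctx_new, where verify_peer and the trust store are known. Delete the `dwFlags` block here and let s_ctx_new own `credentials_new.dwFlags`, as it already does for `credentials.dwFlags`. s_tls_handler_new_win10_plus continues outside the hunk.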
@@ -2374,110 +2376,121 @@ static void s_secure_channel_ctx_destroy(struct secure_channel_ctx *secure_chann aws_mem_release(secure_channel_ctx->ctx.alloc, secure_channel_ctx); } -struct aws_tls_ctx *s_ctx_new( +static struct aws_tls_ctx *s_ctx_new_above_win_10( struct aws_allocator *alloc, const struct aws_tls_ctx_options *options, - bool is_client_mode) { - - bool is_above_win_10; - is_above_win_10 = s_is_windows_equal_or_above_10(); - printf("\\\\\\\\\ windows is above 10? %d\n", is_above_win_10); - - if (!aws_tls_is_cipher_pref_supported(options->cipher_pref)) { - aws_raise_error(AWS_IO_TLS_CIPHER_PREF_UNSUPPORTED); - AWS_LOGF_ERROR(AWS_LS_IO_TLS, "static: TLS Cipher Preference is not supported: %d.", options->cipher_pref); - return NULL; - } - - struct secure_channel_ctx *secure_channel_ctx = aws_mem_calloc(alloc, 1, sizeof(struct secure_channel_ctx)); - if (!secure_channel_ctx) { - return NULL; - } - - secure_channel_ctx->ctx.alloc = alloc; - secure_channel_ctx->ctx.impl = secure_channel_ctx; - aws_ref_count_init( - &secure_channel_ctx->ctx.ref_count, - secure_channel_ctx, - (aws_simple_completion_callback *)s_secure_channel_ctx_destroy); - - if (options->alpn_list) { - secure_channel_ctx->alpn_list = aws_string_new_from_string(alloc, options->alpn_list); - if (!secure_channel_ctx->alpn_list) { - goto clean_up; - } - } - - secure_channel_ctx->verify_peer = options->verify_peer; - - //secure_channel_ctx->credentials_new.dwCredFormat = SCH_CRED_FORMAT_CERT_HASH; - //secure_channel_ctx->credentials_new.dwCredFormat = SCH_CRED_FORMAT_CERT_HASH_STORE; - - //CRYPTO_SETTINGS crypto_settings[4] = { { 0 } }; - //int crypto_settings_num = 0; - - //crypto_settings[crypto_settings_num].eAlgorithmUsage = TlsParametersCngAlgUsageCipher; - - secure_channel_ctx->credentials.dwVersion = SCHANNEL_CRED_VERSION; + bool is_client_mode, + struct secure_channel_ctx *secure_channel_ctx) { secure_channel_ctx->credentials_new.dwVersion = SCH_CREDENTIALS_VERSION; - 
secure_channel_ctx->credentials_new.dwCredFormat = 0; // kernel-mode only default + secure_channel_ctx->credentials_new.dwCredFormat = 0; // kernel-mode only default +} - secure_channel_ctx->should_free_pcerts = true; +static struct aws_tls_ctx *s_ctx_new_below_win_10( + struct aws_allocator *alloc, + const struct aws_tls_ctx_options *options, + bool is_client_mode, + struct secure_channel_ctx *secure_channel_ctx ) { - secure_channel_ctx->credentials.grbitEnabledProtocols = 0; +} + +static DWORD getEnabledProtocols( + const struct aws_tls_ctx_options *options, + bool is_client_mode) +{ + DWORD grbitEnabledProtocols = 0; if (is_client_mode) { switch (options->minimum_tls_version) { case AWS_IO_SSLv3: - secure_channel_ctx->credentials.grbitEnabledProtocols |= SP_PROT_SSL3_CLIENT; + grbitEnabledProtocols |= SP_PROT_SSL3_CLIENT; case AWS_IO_TLSv1: - secure_channel_ctx->credentials.grbitEnabledProtocols |= SP_PROT_TLS1_0_CLIENT; + grbitEnabledProtocols |= SP_PROT_TLS1_0_CLIENT; case AWS_IO_TLSv1_1: - secure_channel_ctx->credentials.grbitEnabledProtocols |= SP_PROT_TLS1_1_CLIENT; + grbitEnabledProtocols |= SP_PROT_TLS1_1_CLIENT; case AWS_IO_TLSv1_2: #if defined(SP_PROT_TLS1_2_CLIENT) - secure_channel_ctx->credentials.grbitEnabledProtocols |= SP_PROT_TLS1_2_CLIENT; + grbitEnabledProtocols |= SP_PROT_TLS1_2_CLIENT; #endif case AWS_IO_TLSv1_3: - printf("tls 1.3 certificate detected\n"); #if defined(SP_PROT_TLS1_3_CLIENT) - secure_channel_ctx->credentials.grbitEnabledProtocols |= SP_PROT_TLS1_3_CLIENT; + grbitEnabledProtocols |= SP_PROT_TLS1_3_CLIENT; #endif break; case AWS_IO_TLS_VER_SYS_DEFAULTS: - printf("default client...testing\n"); - secure_channel_ctx->credentials.grbitEnabledProtocols = 0; - //secure_channel_ctx->credentials.grbitEnabledProtocols = SP_PROT_TLS1_3_CLIENT; + grbitEnabledProtocols = 0; break; } } else { switch (options->minimum_tls_version) { case AWS_IO_SSLv3: - secure_channel_ctx->credentials.grbitEnabledProtocols |= SP_PROT_SSL3_SERVER; + 
grbitEnabledProtocols |= SP_PROT_SSL3_SERVER; case AWS_IO_TLSv1: - secure_channel_ctx->credentials.grbitEnabledProtocols |= SP_PROT_TLS1_0_SERVER; + grbitEnabledProtocols |= SP_PROT_TLS1_0_SERVER; case AWS_IO_TLSv1_1: - secure_channel_ctx->credentials.grbitEnabledProtocols |= SP_PROT_TLS1_1_SERVER; + grbitEnabledProtocols |= SP_PROT_TLS1_1_SERVER; case AWS_IO_TLSv1_2: #if defined(SP_PROT_TLS1_2_SERVER) - secure_channel_ctx->credentials.grbitEnabledProtocols |= SP_PROT_TLS1_2_SERVER; + grbitEnabledProtocols |= SP_PROT_TLS1_2_SERVER; #endif case AWS_IO_TLSv1_3: #if defined(SP_PROT_TLS1_3_SERVER) - secure_channel_ctx->credentials.grbitEnabledProtocols |= SP_PROT_TLS1_3_SERVER; + grbitEnabledProtocols |= SP_PROT_TLS1_3_SERVER; #endif break; case AWS_IO_TLS_VER_SYS_DEFAULTS: - secure_channel_ctx->credentials.grbitEnabledProtocols = 0; + grbitEnabledProtocols = 0; break; } } + return grbitEnabledProtocols; +} + +struct aws_tls_ctx *s_ctx_new( + struct aws_allocator *alloc, + const struct aws_tls_ctx_options *options, + bool is_client_mode) { + + DWORD dwFlags = 0; + PCCERT_CONTEXT *paCred = NULL; + DWORD cCreds = 1; + + if (!aws_tls_is_cipher_pref_supported(options->cipher_pref)) { + aws_raise_error(AWS_IO_TLS_CIPHER_PREF_UNSUPPORTED); + AWS_LOGF_ERROR(AWS_LS_IO_TLS, "static: TLS Cipher Preference is not supported: %d.", options->cipher_pref); + return NULL; + } + + struct secure_channel_ctx *secure_channel_ctx = aws_mem_calloc(alloc, 1, sizeof(struct secure_channel_ctx)); + if (!secure_channel_ctx) { + return NULL; + } + + secure_channel_ctx->ctx.alloc = alloc; + secure_channel_ctx->ctx.impl = secure_channel_ctx; + aws_ref_count_init( + &secure_channel_ctx->ctx.ref_count, + secure_channel_ctx, + (aws_simple_completion_callback *)s_secure_channel_ctx_destroy); + + if (options->alpn_list) { + secure_channel_ctx->alpn_list = aws_string_new_from_string(alloc, options->alpn_list); + if (!secure_channel_ctx->alpn_list) { + goto clean_up; + } + } + + 
secure_channel_ctx->verify_peer = options->verify_peer; + + + secure_channel_ctx->should_free_pcerts = true; + if (options->verify_peer && aws_tls_options_buf_is_set(&options->ca_file)) { AWS_LOGF_DEBUG(AWS_LS_IO_TLS, "static: loading custom CA file."); - secure_channel_ctx->credentials.dwFlags = SCH_CRED_MANUAL_CRED_VALIDATION; - secure_channel_ctx->credentials_new.dwFlags = SCH_CRED_MANUAL_CRED_VALIDATION; + dwFlags |= SCH_CRED_MANUAL_CRED_VALIDATION; + //secure_channel_ctx->credentials.dwFlags = SCH_CRED_MANUAL_CRED_VALIDATION; + //secure_channel_ctx->credentials_new.dwFlags = SCH_CRED_MANUAL_CRED_VALIDATION; struct aws_byte_cursor ca_blob_cur = aws_byte_cursor_from_buf(&options->ca_file); int error = aws_import_trusted_certificates(alloc, &ca_blob_cur, &secure_channel_ctx->custom_trust_store); @@ -2487,8 +2500,9 @@ struct aws_tls_ctx *s_ctx_new( goto clean_up; } } else if (is_client_mode) { - secure_channel_ctx->credentials.dwFlags = SCH_CRED_AUTO_CRED_VALIDATION; - secure_channel_ctx->credentials_new.dwFlags = SCH_CRED_AUTO_CRED_VALIDATION; + dwFlags |= SCH_CRED_AUTO_CRED_VALIDATION; + //secure_channel_ctx->credentials.dwFlags = SCH_CRED_AUTO_CRED_VALIDATION; + //secure_channel_ctx->credentials_new.dwFlags = SCH_CRED_AUTO_CRED_VALIDATION; } if (is_client_mode && !options->verify_peer) { @@ -2496,7 +2510,12 @@ struct aws_tls_ctx *s_ctx_new( AWS_LS_IO_TLS, "static: x.509 validation has been disabled. " "If this is not running in a test environment, this is likely a security vulnerability."); + dwFlags &= ~(SCH_CRED_AUTO_CRED_VALIDATION); + dwFlags |= SCH_CRED_IGNORE_NO_REVOCATION_CHECK | + SCH_CRED_IGNORE_REVOCATION_OFFLINE | SCH_CRED_NO_SERVERNAME_CHECK | + SCH_CRED_MANUAL_CRED_VALIDATION; + /* secure_channel_ctx->credentials.dwFlags &= ~(SCH_CRED_AUTO_CRED_VALIDATION); secure_channel_ctx->credentials.dwFlags |= SCH_CRED_IGNORE_NO_REVOCATION_CHECK | SCH_CRED_IGNORE_REVOCATION_OFFLINE | SCH_CRED_NO_SERVERNAME_CHECK | 
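Review bot: `s_ctx_new_above_win_10` and `s_ctx_new_below_win_10` are declared to return `struct aws_tls_ctx *` but neither contains a `return`, and the second has an empty body; using the result of such a call is undefined behaviour and both will warn. Declare them `static void` (their only effect is on the `secure_channel_ctx` they receive) or leave them out until they have a body. In `getEnabledProtocols` the `case` labels fall through by design (the minimum version enables every later one), so each falling-through `case` should carry a `/* fallthrough */` marker and the switch needs a `default:` so an unexpected `minimum_tls_version` does not silently leave `grbitEnabledProtocols` at 0, which means system defaults. The `//secure_channel_ctx->credentials...` lines preserved as comments in this hunk and in the hunks on this line and the next three should be deleted rather than kept.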
@@ -2506,17 +2525,21 @@ struct aws_tls_ctx *s_ctx_new( secure_channel_ctx->credentials_new.dwFlags |= SCH_CRED_IGNORE_NO_REVOCATION_CHECK | SCH_CRED_IGNORE_REVOCATION_OFFLINE | SCH_CRED_NO_SERVERNAME_CHECK | SCH_CRED_MANUAL_CRED_VALIDATION; + */ } else if (is_client_mode) { - secure_channel_ctx->credentials.dwFlags |= SCH_CRED_REVOCATION_CHECK_CHAIN | SCH_CRED_IGNORE_REVOCATION_OFFLINE; + dwFlags |= SCH_CRED_REVOCATION_CHECK_CHAIN | SCH_CRED_IGNORE_REVOCATION_OFFLINE; + +// secure_channel_ctx->credentials.dwFlags |= SCH_CRED_REVOCATION_CHECK_CHAIN | SCH_CRED_IGNORE_REVOCATION_OFFLINE; - secure_channel_ctx->credentials_new.dwFlags |= SCH_CRED_REVOCATION_CHECK_CHAIN | SCH_CRED_IGNORE_REVOCATION_OFFLINE; + // secure_channel_ctx->credentials_new.dwFlags |= SCH_CRED_REVOCATION_CHECK_CHAIN | SCH_CRED_IGNORE_REVOCATION_OFFLINE; } + dwFlags |= SCH_USE_STRONG_CRYPTO; /* if someone wants to use broken algorithms like rc4/md5/des they'll need to ask for a special control */ - secure_channel_ctx->credentials.dwFlags |= SCH_USE_STRONG_CRYPTO; + //secure_channel_ctx->credentials.dwFlags |= SCH_USE_STRONG_CRYPTO; - secure_channel_ctx->credentials_new.dwFlags |= SCH_USE_STRONG_CRYPTO; - secure_channel_ctx->credentials_new.dwFlags |= SCH_CRED_NO_DEFAULT_CREDS; + //secure_channel_ctx->credentials_new.dwFlags |= SCH_USE_STRONG_CRYPTO; + //secure_channel_ctx->credentials_new.dwFlags |= SCH_CRED_NO_DEFAULT_CREDS; /* if using a system store. */ if (options->system_certificate_path) { 
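Review bot: The shared `dwFlags` never receives SCH_CRED_NO_DEFAULT_CREDS: the line that set it on `credentials_new` is only commented out here, so for the SCH_CREDENTIALS path the flag now depends entirely on the handler-level constant in s_tls_handler_new_win10_plus, and the legacy SCHANNEL_CRED path does not get it at all. Since `dwFlags` is now the one place both structures are populated from, `dwFlags |= SCH_USE_STRONG_CRYPTO | SCH_CRED_NO_DEFAULT_CREDS;` keeps the two paths consistent without relying on the handler to re-add it. Without that flag Schannel may select a client certificate from the default store on its own when a server requests one, which is presumably not what a caller who configured no certificate expects.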
@@ -2527,14 +2550,14 @@ struct aws_tls_ctx *s_ctx_new( AWS_LOGF_ERROR(AWS_LS_IO_TLS, "static: failed to load %s", options->system_certificate_path); goto clean_up; } + paCred = &secure_channel_ctx->pcerts; + cCreds = 1; + //secure_channel_ctx->credentials.paCred = &secure_channel_ctx->pcerts; + //secure_channel_ctx->credentials.cCreds = 1; - - secure_channel_ctx->credentials.paCred = &secure_channel_ctx->pcerts; - secure_channel_ctx->credentials.cCreds = 1; + //secure_channel_ctx->credentials_new.paCred = &secure_channel_ctx->pcerts; + //secure_channel_ctx->credentials_new.cCreds = 1; - secure_channel_ctx->credentials_new.paCred = &secure_channel_ctx->pcerts; - secure_channel_ctx->credentials_new.cCreds = 1; - /* if using traditional PEM armored PKCS#7 and ASN Encoding public/private key pairs */ } else if (aws_tls_options_buf_is_set(&options->certificate) && aws_tls_options_buf_is_set(&options->private_key)) { 
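Review bot: `cCreds = 1;` here and in the PEM branch on the next line is redundant with the initialiser `DWORD cCreds = 1;` at the top of s_ctx_new, and that initialiser is the real problem: when neither `system_certificate_path` nor a certificate/key pair is configured, `paCred` stays NULL while `cCreds` is still 1, and both are copied into the credential structure at the end of the function, telling Schannel there is one certificate at a NULL pointer. The calloc'd structure the old code used had `cCreds` at 0 in that case. Initialise with `DWORD cCreds = 0;` and set it to 1 only where `paCred` is assigned, as these two branches already do.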
@@ -2570,15 +2593,44 @@ struct aws_tls_ctx *s_ctx_new( goto clean_up; } - secure_channel_ctx->credentials.paCred = &secure_channel_ctx->pcerts; - secure_channel_ctx->credentials.cCreds = 1; + paCred = &secure_channel_ctx->pcerts; + cCreds = 1; + //secure_channel_ctx->credentials.paCred = &secure_channel_ctx->pcerts; + //secure_channel_ctx->credentials.cCreds = 1; - secure_channel_ctx->credentials_new.paCred = &secure_channel_ctx->pcerts; - secure_channel_ctx->credentials_new.cCreds = 1; + //secure_channel_ctx->credentials_new.paCred = &secure_channel_ctx->pcerts; + //secure_channel_ctx->credentials_new.cCreds = 1; secure_channel_ctx->should_free_pcerts = false; } + bool is_above_win_10; + is_above_win_10 = s_is_windows_equal_or_above_10(); + printf("\\\\\\\\\ windows is above 10? %d\n", is_above_win_10); + if (is_above_win_10 == true) { + secure_channel_ctx->credentials_new.dwFlags = dwFalgs; + secure_channel_ctx->credentials_new.paCred = paCred; + secure_channel_ctx->credentials_new.cCreds = cCreds; + + s_ctx_new_above( + alloc, + options, + is_client_mode, + secure_channel_ctx ); + } else { + secure_channel_ctx->credentials.dwVersion = SCHANNEL_CRED_VERSION; + secure_channel_ctx->credentials.dwFlags = dwFalgs; + secure_channel_ctx->credentials.paCred = paCred; + secure_channel_ctx->credentials.cCreds = cCreds; + secure_channel_ctx->credentials.grbitEnabledProtocols = getEnabledProtocols( options, is_client_mode); + + s_ctx_new_below_win_10( + alloc, + options, + is_client_mode, + secure_channel_ctx); + } + return &secure_channel_ctx->ctx; clean_up: From 9d7eec04aefddfa3aff6a37750cb088b6e85c341 Mon Sep 17 00:00:00 2001 From: Alfred Gedeon Date: Sat, 18 May 2024 21:56:03 -0700 Subject: [PATCH 08/88] more cleanups --- source/windows/secure_channel_tls_handler.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/source/windows/secure_channel_tls_handler.c b/source/windows/secure_channel_tls_handler.c index 00eaee6d2..26bc2f869 100644 
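Review bot: `dwFalgs` is not a declared identifier (the local is `dwFlags`), and `s_ctx_new_above(` does not match the function defined as `s_ctx_new_above_win_10` earlier in this patch, so this hunk does not build. The `printf("\\\\\\\\\ windows is above 10? %d\n", ...)` writes diagnostics to stdout from library code; the file already uses `AWS_LOGF_DEBUG(AWS_LS_IO_TLS, ...)` and that should replace it, and the same applies to the printf calls added later in this series in s_is_windows_equal_or_above_10 and aws_tls_client_handler_new (patch 12), at the top of s_ctx_new (patch 15) and around AcquireCredentialsHandleA (patch 16). `if (is_above_win_10 == true)` reads better as `if (is_above_win_10)`.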
--- a/source/windows/secure_channel_tls_handler.c +++ b/source/windows/secure_channel_tls_handler.c @@ -2382,8 +2382,6 @@ static struct aws_tls_ctx *s_ctx_new_above_win_10( bool is_client_mode, struct secure_channel_ctx *secure_channel_ctx) { - secure_channel_ctx->credentials_new.dwVersion = SCH_CREDENTIALS_VERSION; - secure_channel_ctx->credentials_new.dwCredFormat = 0; // kernel-mode only default } static struct aws_tls_ctx *s_ctx_new_below_win_10( @@ -2608,27 +2606,33 @@ struct aws_tls_ctx *s_ctx_new( is_above_win_10 = s_is_windows_equal_or_above_10(); printf("\\\\\\\\\ windows is above 10? %d\n", is_above_win_10); if (is_above_win_10 == true) { + secure_channel_ctx->credentials_new.dwVersion = SCH_CREDENTIALS_VERSION; + secure_channel_ctx->credentials_new.dwCredFormat = 0; // kernel-mode only default secure_channel_ctx->credentials_new.dwFlags = dwFalgs; secure_channel_ctx->credentials_new.paCred = paCred; secure_channel_ctx->credentials_new.cCreds = cCreds; - + /* s_ctx_new_above( alloc, options, is_client_mode, secure_channel_ctx ); + */ } else { secure_channel_ctx->credentials.dwVersion = SCHANNEL_CRED_VERSION; + secure_channel_ctx->credentials.dwCredFormat = 0; // kernel-mode only default secure_channel_ctx->credentials.dwFlags = dwFalgs; secure_channel_ctx->credentials.paCred = paCred; secure_channel_ctx->credentials.cCreds = cCreds; secure_channel_ctx->credentials.grbitEnabledProtocols = getEnabledProtocols( options, is_client_mode); + /* s_ctx_new_below_win_10( alloc, options, is_client_mode, secure_channel_ctx); + */ } return &secure_channel_ctx->ctx; From f8299faaac6657358c0fda13aa2bbdf57ddfc855 Mon Sep 17 00:00:00 2001 From: Alfred Gedeon Date: Mon, 20 May 2024 07:56:34 -0700 Subject: [PATCH 09/88] Fix missing definitions sc_ctx --- source/windows/secure_channel_tls_handler.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/source/windows/secure_channel_tls_handler.c b/source/windows/secure_channel_tls_handler.c index 26bc2f869..83e4664aa 100644 
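Review bot: Commenting out the calls to `s_ctx_new_above(...)` and `s_ctx_new_below_win_10(...)` leaves both helpers defined but unused, and the first hunk of this patch empties `s_ctx_new_above_win_10` while it still declares a `struct aws_tls_ctx *` return with no `return` statement; delete the two functions together with the commented-out call sites instead of keeping them as dead code. `dwFalgs` is still referenced in both branches of this hunk, so the file still does not build after this commit.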
--- a/source/windows/secure_channel_tls_handler.c +++ b/source/windows/secure_channel_tls_handler.c @@ -2135,6 +2135,8 @@ static struct aws_channel_handler *s_tls_handler_new_common( struct aws_channel_slot *slot, bool is_client_mode, struct secure_channel_handler *sc_handler) { + + struct secure_channel_ctx *sc_ctx = options->ctx->impl; sc_handler->advertise_alpn_message = options->advertise_alpn_message; sc_handler->on_data_read = options->on_data_read; sc_handler->on_error = options->on_error; From f49ae4a60574b4959c795217788eb00bceff9d0b Mon Sep 17 00:00:00 2001 From: alfred2g Date: Mon, 20 May 2024 07:59:03 -0700 Subject: [PATCH 10/88] typo --- source/windows/secure_channel_tls_handler.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/source/windows/secure_channel_tls_handler.c b/source/windows/secure_channel_tls_handler.c index 83e4664aa..af3d12d98 100644 --- a/source/windows/secure_channel_tls_handler.c +++ b/source/windows/secure_channel_tls_handler.c @@ -2319,9 +2319,9 @@ struct aws_channel_handler *aws_tls_client_handler_new( struct aws_tls_connection_options *options, struct aws_channel_slot *slot) { - if(s_is_windows_equal_or_above_10()) { + if (s_is_windows_equal_or_above_10()) { return s_tls_handler_new_win10_plus(allocator, options, slot, true); - else { + } else { return s_tls_handler_new(allocator, options, slot, true); } } @@ -2331,9 +2331,9 @@ struct aws_channel_handler *aws_tls_server_handler_new( struct aws_tls_connection_options *options, struct aws_channel_slot *slot) { - if(s_is_windows_equal_or_above_10()) { + if (s_is_windows_equal_or_above_10()) { return s_tls_handler_new_win10_plus(allocator, options, slot, false); - else { + } else { return s_tls_handler_new(allocator, options, slot, false); } } 
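Review bot: `struct secure_channel_ctx *sc_ctx = options->ctx->impl;` dereferences `options->ctx` with no check, while s_tls_handler_new_win10_plus guards the same access with `AWS_ASSERT(options->ctx);`; the common helper should carry the same assertion. Whether `sc_ctx` is read anywhere in the rest of s_tls_handler_new_common is not visible in this hunk; if it is not, this adds an unused-variable warning rather than the missing definition the subject describes. The function continues outside the hunk.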
@@ -2610,7 +2610,7 @@ struct aws_tls_ctx *s_ctx_new(
 if (is_above_win_10 == true) {
 secure_channel_ctx->credentials_new.dwVersion = SCH_CREDENTIALS_VERSION;
 secure_channel_ctx->credentials_new.dwCredFormat = 0; // kernel-mode only default
- secure_channel_ctx->credentials_new.dwFlags = dwFalgs;
+ secure_channel_ctx->credentials_new.dwFlags = dwFlags;
 secure_channel_ctx->credentials_new.paCred = paCred;
 secure_channel_ctx->credentials_new.cCreds = cCreds;
 /*
@@ -2623,7 +2623,7 @@ struct aws_tls_ctx *s_ctx_new(
 } else {
 secure_channel_ctx->credentials.dwVersion = SCHANNEL_CRED_VERSION;
 secure_channel_ctx->credentials.dwCredFormat = 0; // kernel-mode only default
- secure_channel_ctx->credentials.dwFlags = dwFalgs;
+ secure_channel_ctx->credentials.dwFlags = dwFlags;
 secure_channel_ctx->credentials.paCred = paCred;
 secure_channel_ctx->credentials.cCreds = cCreds;
 secure_channel_ctx->credentials.grbitEnabledProtocols = getEnabledProtocols( options, is_client_mode);
From bcf5e8a2e00c9aab8886c3626a599fe483b82d2e Mon Sep 17 00:00:00 2001 From: Alfred Gedeon Date: Mon, 20 May 2024 08:17:27 -0700 Subject: [PATCH 11/88] Fix dwflags
---
 source/windows/secure_channel_tls_handler.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source/windows/secure_channel_tls_handler.c b/source/windows/secure_channel_tls_handler.c
index af3d12d98..abca8cc53 100644
--- a/source/windows/secure_channel_tls_handler.c
+++ b/source/windows/secure_channel_tls_handler.c
@@ -2222,7 +2222,7 @@ static struct aws_channel_handler *s_tls_handler_new_win10_plus(
 SCH_USE_STRONG_CRYPTO |
 SCH_CRED_AUTO_CRED_VALIDATION;
- sc_ctx->credentials_new.dwFlags |= dwFlags;
+ sc_ctx->credentials_new.dwFlags = dwFlags;
 aws_tls_channel_handler_shared_init(&sc_handler->shared_state, &sc_handler->handler, options);
From 462580380a5a1fdf49b2ff93f86a7e2d91ac07da Mon Sep 17 00:00:00 2001
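Review bot: Changing `|=` to `=` makes `sc_ctx->credentials_new.dwFlags` unconditionally equal to the handler's hard-coded constant, which discards every flag s_ctx_new derived from the context options: SCH_CRED_MANUAL_CRED_VALIDATION for a custom `ca_file`, the revocation flags, and the flags chosen when `verify_peer` is false. On Windows 10+ the effective policy becomes SCH_CRED_AUTO_CRED_VALIDATION against the system store with SCH_CRED_NO_SERVERNAME_CHECK, so a context configured with its own trust store is no longer validated against it and hostname verification is off. The handler constructor should not own validation policy; keep the context's flags and restrict this line to the handler-only bits, e.g. `sc_ctx->credentials_new.dwFlags |= SCH_CRED_NO_DEFAULT_CREDS | SCH_SEND_AUX_RECORD;`, with the validation bits decided once in s_ctx_new.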
From: alfred2g Date: Mon, 20 May 2024 08:18:54 -0700 Subject: [PATCH 12/88] Fix version number fetch --- source/windows/secure_channel_tls_handler.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/source/windows/secure_channel_tls_handler.c b/source/windows/secure_channel_tls_handler.c index abca8cc53..2914fbdbd 100644 --- a/source/windows/secure_channel_tls_handler.c +++ b/source/windows/secure_channel_tls_handler.c @@ -151,11 +151,11 @@ bool s_is_windows_equal_or_above_10(void) { int op = VER_GREATER_EQUAL; OSVERSIONINFOEX osvi; - NTSTATUS status; + NTSTATUS status = STATUS_DLL_NOT_FOUND; ZeroMemory(&osvi, sizeof(OSVERSIONINFOEX)); osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEX); - osvi.dwBuildNumber = 22632; + osvi.dwBuildNumber = 1809; dwlConditionMask = VerSetConditionMask(dwlConditionMask, VER_BUILDNUMBER, op); @@ -171,6 +171,7 @@ bool s_is_windows_equal_or_above_10(void) { status = f(&osvi, VER_BUILDNUMBER, dwlConditionMask); } else { + status = STATUS_DLL_NOT_FOUND; printf(" \\\\\\\\\\\\\\\\ could not load module\n"); } /*else { @@ -2320,6 +2321,7 @@ struct aws_channel_handler *aws_tls_client_handler_new( struct aws_channel_slot *slot) { if (s_is_windows_equal_or_above_10()) { + printf("\\\\\\\\\\\\\\\\\\\doing windows above 10\n"); return s_tls_handler_new_win10_plus(allocator, options, slot, true); } else { return s_tls_handler_new(allocator, options, slot, true); From 3f25df0fc9f717d78e4ea49becaeb54ba19513df Mon Sep 17 00:00:00 2001 From: Alfred Gedeon Date: Mon, 20 May 2024 10:01:07 -0700 Subject: [PATCH 13/88] separate credentials into common parameter --- source/windows/secure_channel_tls_handler.c | 35 +++++++++++++++------ 1 file changed, 25 insertions(+), 10 deletions(-) diff --git a/source/windows/secure_channel_tls_handler.c b/source/windows/secure_channel_tls_handler.c index 2914fbdbd..e8df6ba94 100644 --- a/source/windows/secure_channel_tls_handler.c +++ b/source/windows/secure_channel_tls_handler.c 
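Review bot: `osvi.dwBuildNumber = 1809;` uses the Windows 10 release name as a build number; the comment in this function names "Windows 10 1809", whose build number is 17763, and the build numbers of every earlier Windows release are already well above 1809, so a VER_GREATER_EQUAL comparison on VER_BUILDNUMBER with this value is true wherever the check runs and the SCH_CREDENTIALS path would be taken on systems that do not support it. Use `osvi.dwBuildNumber = 17763;` together with `osvi.dwMajorVersion = 10;` and a VER_MAJORVERSION condition added to the mask, or compare on the major version alone. Initialising `status` to STATUS_DLL_NOT_FOUND and assigning it again in the `else` branch is redundant; the initialiser alone is enough.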
@@ -68,9 +68,16 @@ void aws_tls_init_static_state(struct aws_allocator *alloc) { void aws_tls_clean_up_static_state(void) {} +struct common_credential_params { + DWORD dwFlags; + PCCERT_CONTEXT paCred; + DWORD cCreds; +}; + struct secure_channel_ctx { struct aws_tls_ctx ctx; struct aws_string *alpn_list; + struct common_credential_params; SCHANNEL_CRED credentials; SCH_CREDENTIALS credentials_new; PCERT_CONTEXT pcerts; @@ -2208,6 +2215,16 @@ static struct aws_channel_handler *s_tls_handler_new_win10_plus( } struct secure_channel_ctx *sc_ctx = options->ctx->impl; + SCH_CREDENTIALS credentials_new2; + credentials_new2.cTlsParameters = 0; + credentials_new2.dwSessionLifespan = 0; // default 10 hours + credentials_new2.dwVersion = SCH_CREDENTIALS_VERSION; + credentials_new2.dwCredFormat = 0; // kernel-mode only default + // + credentials_new2.dwFlags = sc_ctx->credentials_common_params.dwFlags; + credentials_new2.paCreds = sc_ctx->credentials_common_params.pacreds; + credentials_new2.cCreds = sc_ctx->credentials_common_params.cCreds; + sc_ctx->credentials_new.cTlsParameters = 0; sc_ctx->credentials_new.dwSessionLifespan = 0; // default 10 hours @@ -2217,13 +2234,7 @@ static struct aws_channel_handler *s_tls_handler_new_win10_plus( sc_handler->handler.vtable = &s_handler_vtable; sc_handler->handler.slot = slot; - dwFlags = SCH_CRED_NO_DEFAULT_CREDS | - SCH_CRED_NO_SERVERNAME_CHECK | - SCH_SEND_AUX_RECORD | - SCH_USE_STRONG_CRYPTO | - SCH_CRED_AUTO_CRED_VALIDATION; - - sc_ctx->credentials_new.dwFlags = dwFlags; + //sc_ctx->credentials_new.dwFlags = dwFlags; aws_tls_channel_handler_shared_init(&sc_handler->shared_state, &sc_handler->handler, options); @@ -2237,7 +2248,8 @@ static struct aws_channel_handler *s_tls_handler_new_win10_plus( UNISP_NAME, credential_use, NULL, - &sc_ctx->credentials_new, + //&sc_ctx->credentials_new, + &credentials_new2, NULL, NULL, &sc_handler->creds, 
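Review bot: `struct common_credential_params;` inside `struct secure_channel_ctx` declares no member in standard C — an anonymous member must be an untagged struct, and a tagged one here is accepted only as a compiler extension — so `secure_channel_ctx->common_credential_params.dwFlags` in this patch's last hunk (next line) has nothing to refer to; give it a name, `struct common_credential_params schannel_creds;`. In the second hunk `SCH_CREDENTIALS credentials_new2;` is never zeroed before individual fields are set, so `hRootStore`, `cMappers`, `aphMappers` and `pTlsParameters` are passed to AcquireCredentialsHandleA uninitialised; use `SCH_CREDENTIALS credentials_new2 = {0};`. That same hunk also writes `credentials_new2.paCreds` and reads `credentials_common_params.pacreds`, neither of which is a declared field. With the `dwFlags = ...` assignment removed in the third hunk, the `dwFlags` local declared earlier in s_tls_handler_new_win10_plus is now unused.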
@@ -2610,11 +2622,14 @@ struct aws_tls_ctx *s_ctx_new( is_above_win_10 = s_is_windows_equal_or_above_10(); printf("\\\\\\\\\ windows is above 10? %d\n", is_above_win_10); if (is_above_win_10 == true) { - secure_channel_ctx->credentials_new.dwVersion = SCH_CREDENTIALS_VERSION; - secure_channel_ctx->credentials_new.dwCredFormat = 0; // kernel-mode only default + // secure_channel_ctx->credentials_new.dwVersion = SCH_CREDENTIALS_VERSION; + //secure_channel_ctx->credentials_new.dwCredFormat = 0; // kernel-mode only default secure_channel_ctx->credentials_new.dwFlags = dwFlags; secure_channel_ctx->credentials_new.paCred = paCred; secure_channel_ctx->credentials_new.cCreds = cCreds; + secure_channel_ctx->common_credential_params.dwFlags = dwFlags; + secure_channel_ctx->common_credential_params.paCred = paCred; + secure_channel_ctx->common_credential_params.cCreds = cCreds; /* s_ctx_new_above( alloc, From cd615906744c7f82eea81f21ec38086d574fa824 Mon Sep 17 00:00:00 2001 From: alfred2g Date: Mon, 20 May 2024 10:06:02 -0700 Subject: [PATCH 14/88] remove duplicate status --- source/windows/secure_channel_tls_handler.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/source/windows/secure_channel_tls_handler.c b/source/windows/secure_channel_tls_handler.c index e8df6ba94..be4fbce4b 100644 --- a/source/windows/secure_channel_tls_handler.c +++ b/source/windows/secure_channel_tls_handler.c @@ -2235,6 +2235,15 @@ static struct aws_channel_handler *s_tls_handler_new_win10_plus( sc_handler->handler.slot = slot; //sc_ctx->credentials_new.dwFlags = dwFlags; + /* + dwFlags = SCH_CRED_NO_DEFAULT_CREDS | + SCH_CRED_NO_SERVERNAME_CHECK | + SCH_SEND_AUX_RECORD | + SCH_USE_STRONG_CRYPTO | + SCH_CRED_AUTO_CRED_VALIDATION; + */ + +// sc_ctx->credentials_new.dwFlags = dwFlags; aws_tls_channel_handler_shared_init(&sc_handler->shared_state, &sc_handler->handler, options); From ff9ba3b4ba46f4c4503eec2027613334bb56d0b4 Mon Sep 17 00:00:00 2001 
From: alfred2g Date: Mon, 20 May 2024 10:16:13 -0700 Subject: [PATCH 15/88] fix some errors --- source/windows/secure_channel_tls_handler.c | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/source/windows/secure_channel_tls_handler.c b/source/windows/secure_channel_tls_handler.c index be4fbce4b..ef9f2ff6b 100644 --- a/source/windows/secure_channel_tls_handler.c +++ b/source/windows/secure_channel_tls_handler.c @@ -77,7 +77,7 @@ struct common_credential_params { struct secure_channel_ctx { struct aws_tls_ctx ctx; struct aws_string *alpn_list; - struct common_credential_params; + struct common_credential_params schannel_creds; SCHANNEL_CRED credentials; SCH_CREDENTIALS credentials_new; PCERT_CONTEXT pcerts; @@ -2221,9 +2221,9 @@ static struct aws_channel_handler *s_tls_handler_new_win10_plus( credentials_new2.dwVersion = SCH_CREDENTIALS_VERSION; credentials_new2.dwCredFormat = 0; // kernel-mode only default // - credentials_new2.dwFlags = sc_ctx->credentials_common_params.dwFlags; - credentials_new2.paCreds = sc_ctx->credentials_common_params.pacreds; - credentials_new2.cCreds = sc_ctx->credentials_common_params.cCreds; + credentials_new2.dwFlags = sc_ctx->schannel_creds.dwFlags; + credentials_new2.paCred = sc_ctx->schannel_creds.paCred; + credentials_new2.cCreds = sc_ctx->schannel_creds.cCreds; sc_ctx->credentials_new.cTlsParameters = 0; sc_ctx->credentials_new.dwSessionLifespan = 0; // default 10 hours @@ -2477,6 +2477,7 @@ struct aws_tls_ctx *s_ctx_new( DWORD dwFlags = 0; PCCERT_CONTEXT *paCred = NULL; DWORD cCreds = 1; + printf("\\\\\\\\\\\\\\\\\\ calling this s_ctx_new\n"); if (!aws_tls_is_cipher_pref_supported(options->cipher_pref)) { aws_raise_error(AWS_IO_TLS_CIPHER_PREF_UNSUPPORTED); 
@@ -2636,9 +2637,9 @@ struct aws_tls_ctx *s_ctx_new(
 secure_channel_ctx->credentials_new.dwFlags = dwFlags;
 secure_channel_ctx->credentials_new.paCred = paCred;
 secure_channel_ctx->credentials_new.cCreds = cCreds;
- secure_channel_ctx->common_credential_params.dwFlags = dwFlags;
- secure_channel_ctx->common_credential_params.paCred = paCred;
- secure_channel_ctx->common_credential_params.cCreds = cCreds;
+ secure_channel_ctx->schannel_creds.dwFlags = dwFlags;
+ secure_channel_ctx->schannel_creds.paCred = paCred;
+ secure_channel_ctx->schannel_creds.cCreds = cCreds;
 /*
 s_ctx_new_above(
 alloc,
From ec1653bcc76f795376be8cb866493307db3f200b Mon Sep 17 00:00:00 2001 From: alfred2g Date: Mon, 20 May 2024 10:58:34 -0700 Subject: [PATCH 16/88] Add local schannel credential
---
 source/windows/secure_channel_tls_handler.c | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/source/windows/secure_channel_tls_handler.c b/source/windows/secure_channel_tls_handler.c
index ef9f2ff6b..76369880f 100644
--- a/source/windows/secure_channel_tls_handler.c
+++ b/source/windows/secure_channel_tls_handler.c
@@ -77,9 +77,9 @@ struct common_credential_params {
 struct secure_channel_ctx {
 struct aws_tls_ctx ctx;
 struct aws_string *alpn_list;
- struct common_credential_params schannel_creds;
 SCHANNEL_CRED credentials;
 SCH_CREDENTIALS credentials_new;
+ struct common_credential_params schannel_creds;
 PCERT_CONTEXT pcerts;
 HCERTSTORE cert_store;
 HCERTSTORE custom_trust_store;
@@ -2216,13 +2216,14 @@ static struct aws_channel_handler *s_tls_handler_new_win10_plus( struct secure_channel_ctx *sc_ctx = options->ctx->impl; SCH_CREDENTIALS credentials_new2; + ZeroMemory(&credentials_new2, 0x00, sizeof(SCH_CREDENTIALS)); credentials_new2.cTlsParameters = 0; credentials_new2.dwSessionLifespan = 0; // default 10 hours credentials_new2.dwVersion = SCH_CREDENTIALS_VERSION; credentials_new2.dwCredFormat = 0; // kernel-mode only default - // credentials_new2.dwFlags = sc_ctx->schannel_creds.dwFlags; credentials_new2.paCred = sc_ctx->schannel_creds.paCred; + //credentials_new2.paCred = &sc_ctx->pcerts; credentials_new2.cCreds = sc_ctx->schannel_creds.cCreds; sc_ctx->credentials_new.cTlsParameters = 0; @@ -2252,6 +2253,7 @@ static struct aws_channel_handler *s_tls_handler_new_win10_plus( credential_use = SECPKG_CRED_OUTBOUND; } + printf("\\\\\\\\\\\\\\ before acquire credentials handle\n"); SECURITY_STATUS status = AcquireCredentialsHandleA( NULL, UNISP_NAME, @@ -2263,7 +2265,7 @@ static struct aws_channel_handler *s_tls_handler_new_win10_plus( NULL, &sc_handler->creds, &sc_handler->sspi_timestamp); - + printf("\\\\\\\\\\\\\\ out of acquire credentials handle\n"); if (status != SEC_E_OK) { AWS_LOGF_ERROR(AWS_LS_IO_TLS, "Error on AcquireCredentialsHandle. SECURITY_STATUS is %lu", (int)status); int aws_error = s_determine_sspi_error(status); 
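Review bot: `ZeroMemory(&credentials_new2, 0x00, sizeof(SCH_CREDENTIALS));` passes three arguments to a two-parameter macro (destination, length), so this line does not compile; the intended form is `ZeroMemory(&credentials_new2, sizeof(credentials_new2));`, or simply `SCH_CREDENTIALS credentials_new2 = {0};` at the declaration, which also makes the explicit `cTlsParameters = 0` and `dwCredFormat = 0` assignments redundant. The commented-out `//credentials_new2.paCred = &sc_ctx->pcerts;` alternative should be removed rather than left beside the live assignment.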
@@ -2632,14 +2634,18 @@ struct aws_tls_ctx *s_ctx_new( is_above_win_10 = s_is_windows_equal_or_above_10(); printf("\\\\\\\\\ windows is above 10? %d\n", is_above_win_10); if (is_above_win_10 == true) { - // secure_channel_ctx->credentials_new.dwVersion = SCH_CREDENTIALS_VERSION; - //secure_channel_ctx->credentials_new.dwCredFormat = 0; // kernel-mode only default + secure_channel_ctx->credentials_new.dwVersion = SCH_CREDENTIALS_VERSION; + secure_channel_ctx->credentials_new.dwCredFormat = 0; // kernel-mode only default secure_channel_ctx->credentials_new.dwFlags = dwFlags; secure_channel_ctx->credentials_new.paCred = paCred; secure_channel_ctx->credentials_new.cCreds = cCreds; + secure_channel_ctx->schannel_creds.dwFlags = dwFlags; + //secure_channel_ctx->schannel_creds.paCred = &secure_channel_ctx->pcerts; secure_channel_ctx->schannel_creds.paCred = paCred; secure_channel_ctx->schannel_creds.cCreds = cCreds; + + /* s_ctx_new_above( alloc, From 07f3959735e147b726dc837661be4c4014b1eb64 Mon Sep 17 00:00:00 2001 From: Alfred Gedeon Date: Mon, 20 May 2024 13:49:02 -0700 Subject: [PATCH 17/88] fix reference paCred --- source/windows/secure_channel_tls_handler.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/windows/secure_channel_tls_handler.c b/source/windows/secure_channel_tls_handler.c index 76369880f..d53033f6a 100644 --- a/source/windows/secure_channel_tls_handler.c +++ b/source/windows/secure_channel_tls_handler.c @@ -70,7 +70,7 @@ void aws_tls_clean_up_static_state(void) {} struct common_credential_params { DWORD dwFlags; - PCCERT_CONTEXT paCred; + PCCERT_CONTEXT *paCred; DWORD cCreds; }; From 41e56525089be8bb79295fac5c49896030022c98 Mon Sep 17 00:00:00 2001 From: alfred2g Date: Mon, 20 May 2024 16:29:26 -0700 Subject: [PATCH 18/88] use common code for credentials --- source/windows/secure_channel_tls_handler.c | 101 ++++++++++---------- 1 file changed, 50 insertions(+), 51 deletions(-) 
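Review bot: This hunk writes the same dwFlags/paCred/cCreds triple into both `credentials_new` and `schannel_creds`, and the legacy branch below writes it into `credentials` as well, so the context carries three copies of one policy that can drift, while s_tls_handler_new_win10_plus (earlier hunk in this patch) already reads only `schannel_creds`. Populate `schannel_creds` once, outside the version branch, and let each handler constructor build its SCHANNEL_CRED or SCH_CREDENTIALS from it. `if (is_above_win_10 == true)` should be `if (is_above_win_10)`.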
diff --git a/source/windows/secure_channel_tls_handler.c b/source/windows/secure_channel_tls_handler.c index d53033f6a..94f2cef40 100644 --- a/source/windows/secure_channel_tls_handler.c +++ b/source/windows/secure_channel_tls_handler.c @@ -50,6 +50,7 @@ static void print_buffer(unsigned char *message, int len, char* print_message) { + return; char *str3 = message; int read_len = len; printf("%s of size: %d\n", print_message, read_len); @@ -77,8 +78,6 @@ struct common_credential_params { struct secure_channel_ctx { struct aws_tls_ctx ctx; struct aws_string *alpn_list; - SCHANNEL_CRED credentials; - SCH_CREDENTIALS credentials_new; struct common_credential_params schannel_creds; PCERT_CONTEXT pcerts; HCERTSTORE cert_store; @@ -149,8 +148,8 @@ static size_t s_message_overhead(struct aws_channel_handler *handler) { //#include "Ntddk.h" bool s_is_windows_equal_or_above_10(void) { - -// Windows 10 1809 + // return false; + // Windows 10 1809 // Windows Server 1809 // current 11 22631 
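Review bot: Adding `return;` as the first statement of print_buffer leaves the entire body unreachable (and warned about) instead of removing it; the function appears to dump raw message buffers from the TLS handler to stdout, which a library should not keep compiled in even behind an early return. Delete print_buffer and its call sites, or guard it with a debug-only `#ifdef`. The `// return false;` left at the top of s_is_windows_equal_or_above_10 in the third hunk is the same kind of leftover.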
@@ -2215,19 +2214,27 @@ static struct aws_channel_handler *s_tls_handler_new_win10_plus( } struct secure_channel_ctx *sc_ctx = options->ctx->impl; - SCH_CREDENTIALS credentials_new2; + + dwFlags = SCH_CRED_NO_DEFAULT_CREDS | + SCH_CRED_NO_SERVERNAME_CHECK | + SCH_SEND_AUX_RECORD | + SCH_USE_STRONG_CRYPTO | + SCH_CRED_AUTO_CRED_VALIDATION; + + SCH_CREDENTIALS credentials_new2 = { 0 }; + ZeroMemory(&credentials_new2, 0x00, sizeof(SCH_CREDENTIALS)); + credentials_new2.cTlsParameters = 0; credentials_new2.dwSessionLifespan = 0; // default 10 hours credentials_new2.dwVersion = SCH_CREDENTIALS_VERSION; credentials_new2.dwCredFormat = 0; // kernel-mode only default credentials_new2.dwFlags = sc_ctx->schannel_creds.dwFlags; credentials_new2.paCred = sc_ctx->schannel_creds.paCred; - //credentials_new2.paCred = &sc_ctx->pcerts; credentials_new2.cCreds = sc_ctx->schannel_creds.cCreds; - sc_ctx->credentials_new.cTlsParameters = 0; - sc_ctx->credentials_new.dwSessionLifespan = 0; // default 10 hours + //sc_ctx->credentials_new.cTlsParameters = 0; + //sc_ctx->credentials_new.dwSessionLifespan = 0; // default 10 hours // TODO: try to copy to the common section above sc_handler->handler.alloc = alloc; @@ -2236,13 +2243,6 @@ static struct aws_channel_handler *s_tls_handler_new_win10_plus( sc_handler->handler.slot = slot; //sc_ctx->credentials_new.dwFlags = dwFlags; - /* - dwFlags = SCH_CRED_NO_DEFAULT_CREDS | - SCH_CRED_NO_SERVERNAME_CHECK | - SCH_SEND_AUX_RECORD | - SCH_USE_STRONG_CRYPTO | - SCH_CRED_AUTO_CRED_VALIDATION; - */ // sc_ctx->credentials_new.dwFlags = dwFlags; @@ -2253,7 +2253,7 @@ static struct aws_channel_handler *s_tls_handler_new_win10_plus( credential_use = SECPKG_CRED_OUTBOUND; } - printf("\\\\\\\\\\\\\\ before acquire credentials handle\n"); + //printf("\\\\\\\\\\\\\\ before acquire credentials handle %p %p\n", credentials_new2.paCred, sc_ctx->credentials_new.paCred); SECURITY_STATUS status = AcquireCredentialsHandleA( NULL, UNISP_NAME, 
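Review bot: `dwFlags` is assigned the handler-level constant and then never read — `credentials_new2.dwFlags = sc_ctx->schannel_creds.dwFlags;` takes the context's flags instead — so the assignment is dead and, more importantly, SCH_CRED_NO_DEFAULT_CREDS and SCH_SEND_AUX_RECORD no longer reach the SCH_CREDENTIALS handed to AcquireCredentialsHandleA, because s_ctx_new never adds them to `schannel_creds.dwFlags` (the line that did so was commented out earlier in this series). Without SCH_CRED_NO_DEFAULT_CREDS Schannel may supply a client certificate from the default store on its own when a server requests one. If the context is meant to be the single source of truth, drop `dwFlags` here and add the two structural flags in s_ctx_new; otherwise `credentials_new2.dwFlags = sc_ctx->schannel_creds.dwFlags | SCH_CRED_NO_DEFAULT_CREDS | SCH_SEND_AUX_RECORD;`. The `ZeroMemory(..., 0x00, ...)` after `= { 0 }` is redundant and its three-argument form does not compile.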
@@ -2295,6 +2295,17 @@ static struct aws_channel_handler *s_tls_handler_new(
 return NULL;
 }
+ struct secure_channel_ctx *sc_ctx = options->ctx->impl;
+
+ SCHANNEL_CRED credentials = { 0 };
+ credentials.dwVersion = SCHANNEL_CRED_VERSION;
+ credentials.dwCredFormat = 0; // kernel-mode only default
+ credentials.dwFlags = sc_ctx->schannel_creds.dwFlags;
+ credentials.paCred = sc_ctx->schannel_creds.paCred;
+ credentials.cCreds = sc_ctx->schannel_creds.cCreds;
+ credentials.grbitEnabledProtocols = getEnabledProtocols( options, is_client_mode);
+
+ // TODO: try to copy to the common section above
 sc_handler->handler.alloc = alloc;
 sc_handler->handler.impl = sc_handler;
@@ -2303,7 +2314,6 @@ static struct aws_channel_handler *s_tls_handler_new(
 aws_tls_channel_handler_shared_init(&sc_handler->shared_state, &sc_handler->handler, options);
- struct secure_channel_ctx *sc_ctx = options->ctx->impl;
 unsigned long credential_use = SECPKG_CRED_INBOUND;
 if (is_client_mode) {
@@ -2315,7 +2325,8 @@ static struct aws_channel_handler *s_tls_handler_new(
 UNISP_NAME,
 credential_use,
 NULL,
- &sc_ctx->credentials,
+ &credentials,
+ //&sc_ctx->credentials,
 NULL,
 NULL,
 &sc_handler->creds,
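Review bot: The `//&sc_ctx->credentials,` left in the AcquireCredentialsHandleA argument list refers to the `SCHANNEL_CRED credentials` member that this same patch deletes from `struct secure_channel_ctx`, so it is a dead reference into history; delete the comment line rather than keep it beside `&credentials,`. The stack-local `SCHANNEL_CRED credentials` that replaces the member is fully populated before `aws_tls_channel_handler_shared_init` but only consumed by the call several lines later; building it immediately above the call (or moving the declaration down) would make its lifetime obvious to the next reader. `s_tls_handler_new` begins and ends outside the hunk.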
@@ -2630,44 +2641,32 @@ struct aws_tls_ctx *s_ctx_new(
 secure_channel_ctx->should_free_pcerts = false;
 }
+ secure_channel_ctx->schannel_creds.dwFlags = dwFlags;
+ secure_channel_ctx->schannel_creds.paCred = paCred;
+ secure_channel_ctx->schannel_creds.cCreds = cCreds;
+
+ bool is_above_win_10;
 is_above_win_10 = s_is_windows_equal_or_above_10();
 printf("\\\\\\\\\ windows is above 10? %d\n", is_above_win_10);
 if (is_above_win_10 == true) {
- secure_channel_ctx->credentials_new.dwVersion = SCH_CREDENTIALS_VERSION;
- secure_channel_ctx->credentials_new.dwCredFormat = 0; // kernel-mode only default
- secure_channel_ctx->credentials_new.dwFlags = dwFlags;
- secure_channel_ctx->credentials_new.paCred = paCred;
- secure_channel_ctx->credentials_new.cCreds = cCreds;
-
- secure_channel_ctx->schannel_creds.dwFlags = dwFlags;
- //secure_channel_ctx->schannel_creds.paCred = &secure_channel_ctx->pcerts;
- secure_channel_ctx->schannel_creds.paCred = paCred;
- secure_channel_ctx->schannel_creds.cCreds = cCreds;
-
-
- /*
- s_ctx_new_above(
- alloc,
- options,
- is_client_mode,
- secure_channel_ctx );
- */
+ //secure_channel_ctx->credentials_new.dwVersion = SCH_CREDENTIALS_VERSION;
+ //secure_channel_ctx->credentials_new.dwCredFormat = 0; // kernel-mode only default
+ //secure_channel_ctx->credentials_new.dwFlags = dwFlags;
+ //secure_channel_ctx->credentials_new.paCred = paCred;
+ // printf("paCred is %p\n", paCred);
+ //secure_channel_ctx->credentials_new.cCreds = cCreds;
+
+ // secure_channel_ctx->schannel_creds.dwFlags = dwFlags;
+ // secure_channel_ctx->schannel_creds.paCred = paCred;
+ // secure_channel_ctx->schannel_creds.cCreds = cCreds;
 } else {
- secure_channel_ctx->credentials.dwVersion = SCHANNEL_CRED_VERSION;
- secure_channel_ctx->credentials.dwCredFormat = 0; // kernel-mode only default
- secure_channel_ctx->credentials.dwFlags = dwFlags;
- secure_channel_ctx->credentials.paCred = paCred;
- secure_channel_ctx->credentials.cCreds = cCreds;
- 
secure_channel_ctx->credentials.grbitEnabledProtocols = getEnabledProtocols( options, is_client_mode);
-
- /*
- s_ctx_new_below_win_10(
- alloc,
- options,
- is_client_mode,
- secure_channel_ctx);
- */
+// secure_channel_ctx->credentials.dwVersion = SCHANNEL_CRED_VERSION;
+ // secure_channel_ctx->credentials.dwCredFormat = 0; // kernel-mode only default
+ // secure_channel_ctx->credentials.dwFlags = dwFlags;
+ // secure_channel_ctx->credentials.paCred = paCred;
+ // secure_channel_ctx->credentials.cCreds = cCreds;
+ // secure_channel_ctx->credentials.grbitEnabledProtocols = getEnabledProtocols( options, is_client_mode);
 }
 return &secure_channel_ctx->ctx;
From 3bb33969a22221cea46f7ef8d22fde045b7bd7d5 Mon Sep 17 00:00:00 2001
From: alfred2g
Date: Mon, 20 May 2024 21:40:41 -0700
Subject: [PATCH 19/88] Remove comments
---
 source/alpn_handler.c | 1 -
 source/channel.c | 2 -
 source/channel_bootstrap.c | 1 -
 source/socket_channel_handler.c | 7 -
 source/tls_channel_handler_shared.c | 1 -
 source/windows/secure_channel_tls_handler.c | 450 ++------------------
 6 files changed, 41 insertions(+), 421 deletions(-)
diff --git a/source/alpn_handler.c b/source/alpn_handler.c
index c9bbea215..c7d2fa85d 100644
--- a/source/alpn_handler.c
+++ b/source/alpn_handler.c
@@ -103,7 +103,6 @@ struct aws_channel_handler *aws_tls_alpn_handler_new(
 alpn_handler->user_data = user_data;
 channel_handler->impl = alpn_handler;
 channel_handler->alloc = allocator;
- printf("============================= seting write handler to null\n");
 channel_handler->vtable = &s_alpn_handler_vtable;
 return channel_handler;
diff --git a/source/channel.c b/source/channel.c
index f6333c3da..9155bcd22 100644
--- a/source/channel.c
+++ b/source/channel.c
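Review bot: After this hunk both arms of `if (is_above_win_10 == true)` in `s_ctx_new` contain nothing but commented-out lines, so the branch, `is_above_win_10` and the `s_is_windows_equal_or_above_10()` call exist only to feed the `printf`; either drop the block or keep the call where its result is actually consumed. That `printf("\\\\\\\\\ windows is above 10? %d\n", ...)` is unchanged context, but it writes to stdout from library code on every context creation and this rewrite is the place to turn it into `AWS_LOGF_DEBUG(AWS_LS_IO_TLS, "static: Windows 10 1809+ detected: %d", is_above_win_10);`. `bool is_above_win_10; is_above_win_10 = ...;` can be one initialized declaration, and `== true` on a `bool` is noise. `s_ctx_new` begins outside the hunk.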
@@ -385,7 +385,6 @@ static void s_shutdown_task(struct aws_channel_task *task, void *arg, enum aws_t
 static int s_channel_shutdown(struct aws_channel *channel, int error_code, bool shutdown_immediately) {
 bool need_to_schedule = true;
- printf("s_channel_shutdown called\n");
 aws_mutex_lock(&channel->cross_thread_tasks.lock);
 if (channel->cross_thread_tasks.shutdown_task.task.task_fn) {
 need_to_schedule = false;
@@ -810,7 +809,6 @@ int aws_channel_slot_send_message(
 (void *)slot, (void *)slot->adj_left, (void *)slot->adj_left->handler);
- printf("%s handler %p\n",__FUNCTION__, slot->adj_left->handler);
 return aws_channel_handler_process_write_message(slot->adj_left->handler, slot->adj_left, message);
 }
diff --git a/source/channel_bootstrap.c b/source/channel_bootstrap.c
index f85866f84..43c486405 100644
--- a/source/channel_bootstrap.c
+++ b/source/channel_bootstrap.c
@@ -309,7 +309,6 @@ static void s_tls_client_on_negotiation_result(
 int err_code, void *user_data) {
 struct client_connection_args *connection_args = user_data;
- printf("entering s_tls_client_on_negotiation_resul entering\n");
 if (connection_args->channel_data.user_on_negotiation_result) {
 connection_args->channel_data.user_on_negotiation_result( handler, slot, err_code, connection_args->channel_data.tls_user_data);
diff --git a/source/socket_channel_handler.c b/source/socket_channel_handler.c
index 3396f1863..57c368b61 100644
--- a/source/socket_channel_handler.c
+++ b/source/socket_channel_handler.c
@@ -97,7 +97,6 @@ static int s_socket_process_write_message(
 return aws_raise_error(AWS_IO_SOCKET_CLOSED);
 }
- printf("aws socket write\n");
 struct aws_byte_cursor cursor = aws_byte_cursor_from_buf(&message->message_data);
 if (aws_socket_write(socket_handler->socket, &cursor, s_on_socket_write_complete, message)) {
 return AWS_OP_ERR;
@@ -147,7 +146,6 @@ static void s_do_read(struct socket_handler *socket_handler) {
 int last_error = 0;
 while (total_read < max_to_read) {
 size_t iter_max_read = max_to_read - total_read;
- printf("entering s_do_read function\n");
 struct aws_io_message *message = aws_channel_acquire_message_from_pool( socket_handler->slot->channel, AWS_IO_MESSAGE_APPLICATION_DATA, iter_max_read);
@@ -159,11 +157,9 @@ static void s_do_read(struct socket_handler *socket_handler) {
 if (aws_socket_read(socket_handler->socket, &message->message_data, &read)) {
 last_error = aws_last_error();
 aws_mem_release(message->allocator, message);
- printf("second break: %d errno %d\n", ret, errno);
 break;
 }
- printf("total read is %lu max_read is: %lu read is: %lu\n", total_read, max_to_read, read);
 total_read += read;
 AWS_LOGF_TRACE(
@@ -175,7 +171,6 @@ static void s_do_read(struct socket_handler *socket_handler) {
 if (aws_channel_slot_send_message(socket_handler->slot, message, AWS_CHANNEL_DIR_READ)) {
 last_error = aws_last_error();
 aws_mem_release(message->allocator, message);
- printf("third break\n");
 break;
 }
 }
@@ -383,7 +378,6 @@ static void s_gather_statistics(struct aws_channel_handler *handler, struct aws_
 static void s_trigger_read(struct aws_channel_handler *handler) {
 struct socket_handler *socket_handler = (struct socket_handler *)handler->impl;
- // printf("s_trigger read do \n");
 AWS_LOGF_TRACE(AWS_LS_IO_SOCKET_HANDLER, " caling s_do_read from s_trigger_read");
 s_do_read(socket_handler);
 }
@@ -429,7 +423,6 @@ struct aws_channel_handler *aws_socket_handler_new(
 if (aws_crt_statistics_socket_init(&impl->stats)) {
 goto cleanup_handler;
 }
- printf("-------------------------> setting up s_socket_process_write_message handler %p\n", handler);
 AWS_LOGF_DEBUG(
 AWS_LS_IO_SOCKET_HANDLER,
 "id=%p: Socket handler created with max_read_size of %llu",
diff --git a/source/tls_channel_handler_shared.c b/source/tls_channel_handler_shared.c
index de08ae1c2..472af1dce 100644
--- a/source/tls_channel_handler_shared.c
+++ b/source/tls_channel_handler_shared.c
@@ -10,7 +10,6 @@ static void s_tls_timeout_task_fn(struct aws_channel_task *channel_task, void *arg, enum aws_task_status status) {
 (void)channel_task;
- printf(" == == == == == == == == timeout\n ");
 if (status != AWS_TASK_STATUS_RUN_READY) {
 return;
 }
diff --git a/source/windows/secure_channel_tls_handler.c b/source/windows/secure_channel_tls_handler.c
index 94f2cef40..e925b5636 100644
--- a/source/windows/secure_channel_tls_handler.c
+++ b/source/windows/secure_channel_tls_handler.c
@@ -22,8 +22,6 @@
 #include
 #include
-//#include
-//#include
 #include
 #include
@@ -48,20 +46,6 @@
 #define EST_TLS_RECORD_OVERHEAD 53 /* 5 byte header + 32 + 16 bytes for padding */
-static void print_buffer(unsigned char *message, int len, char* print_message)
-{
- return;
- char *str3 = message;
- int read_len = len;
- printf("%s of size: %d\n", print_message, read_len);
- for (int i = 0; i < read_len; i++) {
- printf("%.2X ",(unsigned char) str3[i]);
- if (i != 0 && i % 32 == 0)
- printf("\n");
- }
- printf("\n");
-}
-
 void aws_tls_init_static_state(struct aws_allocator *alloc) {
 AWS_LOGF_INFO(AWS_LS_IO_TLS, "static: Initializing TLS using SecureChannel (SSPI).");
 (void)alloc;
@@ -145,14 +129,8 @@ static size_t s_message_overhead(struct aws_channel_handler *handler) {
 return sc_handler->stream_sizes.cbTrailer + sc_handler->stream_sizes.cbHeader;
 }
-//#include "Ntddk.h"
 bool s_is_windows_equal_or_above_10(void) {
- // return false;
- // Windows 10 1809
-// Windows Server 1809
-// current 11 22631
-
 DWORDLONG dwlConditionMask = 0;
 int op = VER_GREATER_EQUAL;
 OSVERSIONINFOEX osvi;
@@ -161,7 +139,7 @@ bool s_is_windows_equal_or_above_10(void) {
 ZeroMemory(&osvi, sizeof(OSVERSIONINFOEX));
 osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEX);
- osvi.dwBuildNumber = 1809;
+ osvi.dwBuildNumber = 1809; /* Windows 10 */
 dwlConditionMask = VerSetConditionMask(dwlConditionMask, VER_BUILDNUMBER, op);
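Review bot: `osvi.dwBuildNumber = 1809; /* Windows 10 */` documents a value that is not a build number: 1809 is the release name of Windows 10 version 1809, whose build is 17763, and since the visible mask compares `VER_BUILDNUMBER` with `VER_GREATER_EQUAL` on raw builds, much older releases already satisfy `>= 1809` (Windows 7 is build 7601), so as far as this check goes the function answers true on anything that reaches the version query and the SCH_CREDENTIALS path is chosen on systems that lack it. Use `osvi.dwBuildNumber = 17763; /* Windows 10 1809 / Server 2019, first release with SCH_CREDENTIALS */`, or add a `VER_MAJORVERSION >= 10` condition to the same mask. The function is also declared `bool s_is_windows_equal_or_above_10(void)` without `static`, unlike the other `s_` helpers in this file. Its body continues outside the hunk.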
@@ -178,13 +156,7 @@ bool s_is_windows_equal_or_above_10(void) {
 dwlConditionMask);
 } else {
 status = STATUS_DLL_NOT_FOUND;
- printf(" \\\\\\\\\\\\\\\\ could not load module\n");
 }
- /*else {
- status = !!VerifyVersionInfoW((OSVERSIONINFOEXW *)&osvi,
- dwTypeMask,
- VerSetConditionMask);
- }*/
 if (status == STATUS_SUCCESS) {
 return true;
 } else {
@@ -435,34 +407,27 @@ static void s_invoke_negotiation_error(struct aws_channel_handler *handler, int
 static void s_on_negotiation_success(struct aws_channel_handler *handler) {
 struct secure_channel_handler *sc_handler = handler->impl;
- printf("s_on_negotiation_success entering\n");
 /* if the user provided an ALPN handler to the channel, we need to let them know what their protocol is. */
 if (sc_handler->slot->adj_right && sc_handler->advertise_alpn_message && sc_handler->protocol.len) {
- printf("s_on_negotiation_success inside the if\n");
 struct aws_io_message *message = aws_channel_acquire_message_from_pool( sc_handler->slot->channel, AWS_IO_MESSAGE_APPLICATION_DATA, sizeof(struct aws_tls_negotiated_protocol_message));
- printf("s_on_negotiation_success middle part\n");
 message->message_tag = AWS_TLS_NEGOTIATED_PROTOCOL_MESSAGE;
 struct aws_tls_negotiated_protocol_message *protocol_message = (struct aws_tls_negotiated_protocol_message *)message->message_data.buffer;
 protocol_message->protocol = sc_handler->protocol;
 message->message_data.len = sizeof(struct aws_tls_negotiated_protocol_message);
- printf("s_on_negotiation_success sending message\n");
 if (aws_channel_slot_send_message(sc_handler->slot, message, AWS_CHANNEL_DIR_READ)) {
 aws_mem_release(message->allocator, message);
 aws_channel_shutdown(sc_handler->slot->channel, aws_last_error());
 }
 }
- printf("s_on_negotiation_success calling aws_on_tls_negotiation_completed\n");
 aws_on_tls_negotiation_completed(&sc_handler->shared_state, AWS_ERROR_SUCCESS);
- printf("s_on_negotiation_success calling aws_on_tls_negotiation_completed finished\n");
 if (sc_handler->on_negotiation_result) {
- printf("s_on_negotiation_success calling inside the second if\n");
 sc_handler->on_negotiation_result(handler, sc_handler->slot, AWS_OP_SUCCESS, sc_handler->user_data);
 }
 }
@@ -829,7 +794,7 @@ static int s_do_server_side_negotiation_step_2(struct aws_channel_handler *handl
 handler, (int)status);
 int aws_error = s_determine_sspi_error(status);
- // aws_raise_error(aws_error);
+ aws_raise_error(aws_error);
 }
 }
 #endif
@@ -884,8 +849,7 @@ static int s_do_client_side_negotiation_step_1(struct aws_channel_handler *handl
 #endif /* SECBUFFER_APPLICATION_PROTOCOLS*/
 sc_handler->ctx_req = ISC_REQ_SEQUENCE_DETECT | ISC_REQ_REPLAY_DETECT | ISC_REQ_CONFIDENTIALITY |
- ISC_REQ_ALLOCATE_MEMORY | ISC_REQ_STREAM |
- ISC_REQ_USE_SUPPLIED_CREDS; // Schannel must not attempt to supply credentials for the client automatically. (necessary for SCH_CREDENTIALS for negotiations to work)
+ ISC_REQ_ALLOCATE_MEMORY | ISC_REQ_STREAM | ISC_REQ_USE_SUPPLIED_CREDS;
 SecBuffer output_buffer = {
 .pvBuffer = NULL,
@@ -903,7 +867,7 @@ static int s_do_client_side_negotiation_step_1(struct aws_channel_handler *handl
 AWS_ZERO_ARRAY(server_name_cstr);
 AWS_ASSERT(sc_handler->server_name.len < 256);
 memcpy(server_name_cstr, sc_handler->server_name.buffer, sc_handler->server_name.len);
- // step 1
+ SECURITY_STATUS status = InitializeSecurityContextA(
 &sc_handler->creds,
 NULL,
@@ -918,7 +882,6 @@ static int s_do_client_side_negotiation_step_1(struct aws_channel_handler *handl
 &sc_handler->ctx_ret_flags,
 &sc_handler->sspi_timestamp);
- printf("first initialize security context called %lu\n", status);
 if (status != SEC_I_CONTINUE_NEEDED) {
 AWS_LOGF_ERROR(
 AWS_LS_IO_TLS,
@@ -960,10 +923,8 @@ static int s_do_client_side_negotiation_step_1(struct aws_channel_handler *handl
 }
 /* cipher exchange, key exchange etc.... */
-bool second_call = true;
 static int s_do_client_side_negotiation_step_2(struct aws_channel_handler *handler) {
 struct secure_channel_handler *sc_handler = handler->impl;
- printf("-> %s entering\n", __FUNCTION__);
 AWS_LOGF_TRACE(
 AWS_LS_IO_TLS,
 "id=%p: running step 2 of client-side negotiation (cipher change, key exchange etc...)",
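Review bot: Re-enabling `aws_raise_error(aws_error)` records the SSPI failure in thread-local error state, but nothing in the hunk returns `AWS_OP_ERR` after it and the call's return value is discarded; if control continues past `#endif` on this path (the body of `s_do_server_side_negotiation_step_2` lies outside the hunk), the raised error reaches callers only if the failure also propagates as a return code, e.g. `return aws_raise_error(aws_error);` as the socket handler does elsewhere on this page.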
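Review bot: The comment explaining why `ISC_REQ_USE_SUPPLIED_CREDS` is part of `ctx_req` is dropped together with the debug noise, yet it is the one piece of rationale a maintainer needs here: per the removed text, the flag stops Schannel from supplying client credentials on its own and is required for the SCH_CREDENTIALS negotiation to work. Keep a short why-comment on the new single line, e.g. `ISC_REQ_ALLOCATE_MEMORY | ISC_REQ_STREAM | ISC_REQ_USE_SUPPLIED_CREDS; /* no automatic client creds; required for SCH_CREDENTIALS */`. `s_do_client_side_negotiation_step_1` begins and ends outside the hunk.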
@@ -1011,7 +972,6 @@ static int s_do_client_side_negotiation_step_2(struct aws_channel_handler *handl
 AWS_FATAL_ASSERT(sc_handler->server_name.len < sizeof(server_name_cstr));
 memcpy(server_name_cstr, sc_handler->server_name.buffer, sc_handler->server_name.len);
- // step 2
 status = InitializeSecurityContextA(
 &sc_handler->creds,
 &sc_handler->sec_handle,
@@ -1021,15 +981,10 @@ static int s_do_client_side_negotiation_step_2(struct aws_channel_handler *handl
 0,
 &input_buffers_desc,
 0,
- &sc_handler->sec_handle, //NULL,
+ &sc_handler->sec_handle,
 &output_buffers_desc,
 &sc_handler->ctx_ret_flags,
 &sc_handler->sspi_timestamp);
- printf("second initialize security context called %lu\n", status);
- if (status == SEC_I_INCOMPLETE_CREDENTIALS) {
- printf("second initialize incomplete credentials %lu\n", status);
- // return AWS_OP_SUCCESS;
- }
 if (status != SEC_E_INCOMPLETE_MESSAGE && status != SEC_I_CONTINUE_NEEDED && status != SEC_E_OK) {
 AWS_LOGF_ERROR(
 AWS_LS_IO_TLS, "id=%p: Error during negotiation. initalizesecuritycontext SECURITY_STATUS is %lu", (void *)handler, (int)status);
@@ -1050,7 +1005,6 @@ static int s_do_client_side_negotiation_step_2(struct aws_channel_handler *handl
 }
 if (status == SEC_I_CONTINUE_NEEDED || status == SEC_E_OK) {
- printf("sending packets\n");
 for (size_t i = 0; i < output_buffers_desc.cBuffers; ++i) {
 SecBuffer *buf_ptr = &output_buffers[i];
@@ -1071,7 +1025,6 @@ static int s_do_client_side_negotiation_step_2(struct aws_channel_handler *handl
 if (aws_channel_slot_send_message(sc_handler->slot, outgoing_message, AWS_CHANNEL_DIR_WRITE)) {
 aws_mem_release(outgoing_message->allocator, outgoing_message);
 s_invoke_negotiation_error(handler, aws_last_error());
- printf("error sending packet\n");
 return AWS_OP_ERR;
 }
 }
@@ -1085,7 +1038,6 @@ static int s_do_client_side_negotiation_step_2(struct aws_channel_handler *handl
 input_buffers[1].cbBuffer);
 sc_handler->read_extra = input_buffers[1].cbBuffer;
 if (status == SEC_I_CONTINUE_NEEDED) {
- printf("sec i continue needed\n");
 }
 }
 }
@@ -1134,25 +1086,16 @@ static int s_do_client_side_negotiation_step_2(struct aws_channel_handler *handl
 #endif
 AWS_LOGF_DEBUG(AWS_LS_IO_TLS, "id=%p: TLS handshake completed successfully.", (void *)handler);
 sc_handler->s_connection_state_fn = s_do_application_data_decrypt;
- printf("before on _negotiation success %p\n", handler);
- if (second_call == true) {
- s_on_negotiation_success(handler);
- printf("before on _negotiation success completed\n");
- }
- second_call = true;
+ s_on_negotiation_success(handler);
 }
- printf("returning ok from this function\n");
 return AWS_OP_SUCCESS;
 }
 /* cipher exchange, key exchange etc.... */
 static int s_do_client_side_negotiation_step_3(struct aws_channel_handler *handler) {
 struct secure_channel_handler *sc_handler = handler->impl;
-
-
 }
-static int s_do_application_data_decrypt(struct aws_channel_handler *handler)
-{
+static int s_do_application_data_decrypt(struct aws_channel_handler *handler) {
 struct secure_channel_handler *sc_handler = handler->impl;
 /* I know this is an unncessary initialization, it's initialized here to make linters happy.*/
@@ -1161,7 +1104,6 @@ static int s_do_application_data_decrypt(struct aws_channel_handler *handler)
 any extra buffers left over, in the last phase, we then go ahead and send the output. This state function will always say BLOCKED_ON_READ, AWS_IO_TLS_ERROR_READ_FAILURE or SUCCESS. There will never be left over reads.*/
 do {
-label1: error = AWS_OP_ERR;
 /* 4 buffers are needed, only one is input, the others get zeroed out for the output operation. */
 SecBuffer input_buffers[4];
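Review bot: Removing the `printf` leaves `if (status == SEC_I_CONTINUE_NEEDED) { }` with an empty body in the SECBUFFER_EXTRA handling of `s_do_client_side_negotiation_step_2`; an empty conditional reads as a forgotten branch, so delete the `if` entirely, or if the distinction matters for a later step, replace the body with a one-line comment saying why nothing is done here. The enclosing function begins and ends outside the hunk.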
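Review bot: `s_do_client_side_negotiation_step_3` is left as a `static int` function whose body is only `struct secure_channel_handler *sc_handler = handler->impl;` with no `return` statement — falling off the end of a non-void function and using the result is undefined behaviour if anything ever calls it, and the unused local will warn under `-Wall`. Either delete the stub or give it a body, at minimum `(void)handler; return AWS_OP_SUCCESS;`, with a comment stating what step 3 is meant to cover. Dropping the `second_call` gate around `s_on_negotiation_success(handler)` is the right direction, since that file-scope flag was shared across every handler in the process.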
@@ -1182,16 +1124,10 @@ static int s_do_application_data_decrypt(struct aws_channel_handler *handler)
 .cBuffers = 4,
 .pBuffers = input_buffers,
 };
- print_buffer(
- sc_handler->buffered_read_in_data_buf.buffer,
- sc_handler->buffered_read_in_data_buf.len,
- "before decrypting");
- printf("---------------- calling Decrypt Message\n");
 SECURITY_STATUS status = DecryptMessage(&sc_handler->sec_handle, &buffer_desc, 0, NULL);
- printf(" status is 0x%X\n", status);
- if (status == SEC_E_OK || status == SEC_I_RENEGOTIATE) // sec_i_context_expired
+ if (status == SEC_E_OK || status == SEC_I_RENEGOTIATE || status == SEC_I_CONTEXT_EXPIRED)
 {
 error = AWS_OP_SUCCESS;
 /* if SECBUFFER_DATA is the buffer type of the second buffer, we have decrypted data to process.
@@ -1215,18 +1151,6 @@ static int s_do_application_data_decrypt(struct aws_channel_handler *handler)
 {
 if (input_buffers[3].cbBuffer < read_len) {
- printf("\\\\\\\\\\\\\\\\\\\\\\\\\\\\ input buffers extra less than read len\n");
- print_buffer(
- input_buffers[0].pvBuffer,
- input_buffers[0].cbBuffer,
- "encrypted input buffers input_buffers[0]");
-
- print_buffer(
- input_buffers[3].pvBuffer,
- input_buffers[3].cbBuffer,
- "encrypted input buffers input_buffers[3]");
-
- //sc_handler->read_extra = input_buffers[3].cbBuffer;
 AWS_LOGF_TRACE(
 AWS_LS_IO_TLS,
 "id=%p: Extra (incomplete) message received with length %zu.",
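Review bot: Folding `SEC_I_CONTEXT_EXPIRED` into the success condition makes the peer's close_notify indistinguishable from an ordinary decrypted record: nothing in the hunk branches on it afterwards, so the loop keeps treating the connection as open and the next `DecryptMessage` on the expired context fails with a generic error instead of a clean end-of-stream. Handle it explicitly — a dedicated `else if (status == SEC_I_CONTEXT_EXPIRED)` branch that stops decrypting, calls `aws_channel_shutdown(sc_handler->slot->channel, AWS_ERROR_SUCCESS)` (the API this file already uses) and leaves the loop — which also keeps an orderly TLS shutdown distinguishable from an abrupt TCP close. The old `// sec_i_context_expired` reminder is gone; whichever handling is chosen deserves a one-line comment on the condition. `s_do_application_data_decrypt` begins and ends outside the hunk.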
@@ -1283,22 +1207,11 @@ static int s_do_application_data_decrypt(struct aws_channel_handler *handler)
 error = AWS_OP_SUCCESS;
 }
 if (status == SEC_I_RENEGOTIATE) {
- printf("renegotiating received\n");
 /* if we are the client */
- //char * extra_buffer = NULL;
- //size_t buffer_size = 0;
 if (input_buffers[3].BufferType == SECBUFFER_EXTRA && input_buffers[3].cbBuffer > 0) {
 if (input_buffers[3].cbBuffer < read_len) {
- printf(
- "\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ extra buffer is less than input buffer read_len %d %d\n",
- input_buffers[3].cbBuffer,
- read_len);
-
- //sc_handler->read_extra = input_buffers[3].cbBuffer;
- //extra_buffer = input_buffers[0].pvBuffer;
- //buffer_size = input_buffers[3].cbBuffer;
 AWS_LOGF_TRACE(
 AWS_LS_IO_TLS,
 "id=%p: Extra (incomplete) message received with length %zu.",
@@ -1310,13 +1223,8 @@ static int s_do_application_data_decrypt(struct aws_channel_handler *handler)
 }
 SecBuffer input_buffers2[] = {
- [0] = {/*
- .pvBuffer = extra_buffer,
- .cbBuffer = buffer_size,
- .BufferType = SECBUFFER_TOKEN,
- */
-
- .pvBuffer = malloc(sc_handler->buffered_read_in_data_buf.len),
+ [0] = {
+ .pvBuffer = sc_handler->buffered_read_in_data_buf.buffer,
 .cbBuffer = sc_handler->buffered_read_in_data_buf.len,
 .BufferType = SECBUFFER_TOKEN,
 },
@@ -1327,10 +1235,6 @@ static int s_do_application_data_decrypt(struct aws_channel_handler *handler)
 .BufferType = SECBUFFER_EMPTY,
 },
 };
- memcpy(
- input_buffers2[0].pvBuffer,
- sc_handler->buffered_read_in_data_buf.buffer,
- sc_handler->buffered_read_in_data_buf.len);
 SecBufferDesc input_bufs_desc = {
 .ulVersion = SECBUFFER_VERSION,
@@ -1353,6 +1257,7 @@ static int s_do_application_data_decrypt(struct aws_channel_handler *handler)
 AWS_ZERO_ARRAY(server_name_cstr);
 AWS_FATAL_ASSERT(sc_handler->server_name.len < sizeof(server_name_cstr));
 memcpy(server_name_cstr, sc_handler->server_name.buffer, sc_handler->server_name.len);
+
 status = InitializeSecurityContextA(
 &sc_handler->creds,
 &sc_handler->sec_handle,
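Review bot: The renegotiation token in `input_buffers2[0]` now aliases the whole of `buffered_read_in_data_buf` rather than only the SECBUFFER_EXTRA bytes Schannel returned in `input_buffers[3]`; aliasing instead of the old malloc-and-copy is fine, but unless the `cbBuffer < read_len` branch above (its body is outside the hunk) has already trimmed the buffer down to that extra portion, bytes that were just consumed as application data are fed back into InitializeSecurityContextA as handshake input. A one-line comment on the `[0] = {` initializer stating the invariant it relies on, `/* buffered_read_in_data_buf now holds exactly the SECBUFFER_EXTRA bytes from the last DecryptMessage */`, would make that dependency explicit and checkable. `s_do_application_data_decrypt` begins and ends outside the hunk.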
@@ -1361,173 +1266,28 @@ static int s_do_application_data_decrypt(struct aws_channel_handler *handler) 0, 0, &input_bufs_desc, - // NULL, 0, NULL, - // &sc_handler->sec_handle, &output_buffers_desc, &sc_handler->ctx_ret_flags, NULL); error = status; - /* if we are the server */ AWS_LOGF_ERROR( AWS_LS_IO_TLS, "id=%p: Error renegotiation happened. status %lu", (void*)handler, status); - printf(" renegotiate initializesecuritycontext result %lu \n", status); if (status == SEC_E_OK) { - //sc_handler->s_connection_state_fn = s_do_client_side_negotiation_step_2; - // status = s_do_client_side_negotiation_step_2(handler); - // printf("client negotiation 2 return is 0x%X\n", status); - // break; - } - - for (size_t i = 0; i < output_buffers_desc.cBuffers; ++i) { - //SecBuffer *buf_ptr = &extra_buffer[i]; - SecBuffer *token_ptr; - SecBuffer* buf_ptr = &output_buffers[i]; - printf("output buffers %d token %d size %lu\n", i, output_buffers[i].BufferType, output_buffers[i].cbBuffer); - if (buf_ptr->BufferType == SECBUFFER_TOKEN && buf_ptr->cbBuffer) { - printf(" SECUFFER TOKEN data\n"); - printf("....sending data....\n"); - struct aws_io_message* outgoing_message = aws_channel_acquire_message_from_pool( - sc_handler->slot->channel, AWS_IO_MESSAGE_APPLICATION_DATA, buf_ptr->cbBuffer); - - if (!outgoing_message) { - FreeContextBuffer(buf_ptr->pvBuffer); - s_invoke_negotiation_error(handler, aws_last_error()); - return AWS_OP_ERR; - } - - memcpy(outgoing_message->message_data.buffer, buf_ptr->pvBuffer, buf_ptr->cbBuffer); - outgoing_message->message_data.len = buf_ptr->cbBuffer; - FreeContextBuffer(buf_ptr->pvBuffer); - printf("=========================== sending message from decrypt\n"); - if (aws_channel_slot_send_message(sc_handler->slot, outgoing_message, AWS_CHANNEL_DIR_WRITE)) { - aws_mem_release(outgoing_message->allocator, outgoing_message); - s_invoke_negotiation_error(handler, aws_last_error()); - printf("error sending packet\n"); - return AWS_OP_ERR; - } - } + if 
(input_buffers2[1].BufferType == SECBUFFER_EXTRA && input_buffers2[1].cbBuffer > 0 && sc_handler->buffered_read_in_data_buf.len > input_buffers2[1].cbBuffer) { + memmove( + sc_handler->buffered_read_in_data_buf.buffer, + (sc_handler->buffered_read_in_data_buf.buffer + sc_handler->buffered_read_in_data_buf.len) - input_buffers2[1].cbBuffer, + input_buffers2[1].cbBuffer); + sc_handler->buffered_read_in_data_buf.len = input_buffers2[1].cbBuffer; + sc_handler->read_extra = input_buffers2[1].cbBuffer; + continue; + } + break; + } else { + break; } - // should be the mqtt connack - printf("checking Extra buffer\n"); - if (input_buffers2[1].BufferType == SECBUFFER_EXTRA && input_buffers2[1].cbBuffer > 0) - { - printf("Extra buffer size is %lu %lu\n", input_buffers2[1].cbBuffer, sc_handler->buffered_read_in_data_buf.capacity); - //sc_handler->read_extra = input_buffers2[1].cbBuffer; - //input_buffers[0].pvBuffer = input_buffers[1].pvBuffer; - //input_buffers[0].cbBuffer = input_buffers[1].cbBuffer; - //sc_handler->buffered_read_in_data_buf.buffer = input_buffers2[1].pvBuffer; - //sc_handler->buffered_read_in_data_buf.capacity = input_buffers2[1].cbBuffer * 2; - - //if (sc_handler->buffered_read_in_data_buf.capacity < input_buffers2[1].cbBuffer) { - // printf("xxxxxx buffer too small\n"); - // return SEC_E_DECRYPT_FAILURE; - //} -// sc_handler->buffered_read_in_data_buf.len = input_buffers2[1].cbBuffer; - if (sc_handler->buffered_read_in_data_buf.len > input_buffers2[1].cbBuffer) { - printf(" \\\\\\\\\\\\\\ correct size lets copy the buffer\n"); - memmove( - sc_handler->buffered_read_in_data_buf.buffer, - (sc_handler->buffered_read_in_data_buf.buffer + sc_handler->buffered_read_in_data_buf.len) - - input_buffers2[1].cbBuffer, - input_buffers2[1].cbBuffer); - sc_handler->buffered_read_in_data_buf.len = input_buffers2[1].cbBuffer; - } - goto label1; - //continue; - - SecBuffer input_buffers3[] = { - [0] = - { - /* - .cbBuffer = input_buffers2[1].cbBuffer, - .pvBuffer = 
input_buffers2[1].pvBuffer, - .BufferType = SECBUFFER_DATA, - */ - .pvBuffer = sc_handler->buffered_read_in_data_buf.buffer, - .cbBuffer = sc_handler->buffered_read_in_data_buf.len, - .BufferType = SECBUFFER_DATA, - }, - // [1] = { - // .pvBuffer = input_buffers[3].pvBuffer, - // .cbBuffer = input_buffers[3].cbBuffer, - // .BufferType = SECBUFFER_TOKEN, - //}, - [1] = { - .pvBuffer = input_buffers[3].pvBuffer, - .cbBuffer = input_buffers[3].cbBuffer, - .BufferType = SECBUFFER_EMPTY, - }, - [2] = { - .pvBuffer = input_buffers[3].pvBuffer, - .cbBuffer = input_buffers[3].cbBuffer, - .BufferType = SECBUFFER_EMPTY, - }, - [3] = { - .pvBuffer = input_buffers[3].pvBuffer, - .cbBuffer = input_buffers[3].cbBuffer, - .BufferType = SECBUFFER_EMPTY, - }, - }; - - // [2]= {.pvBuffer = NULL, .cbBuffer = 0, .BufferType = SECBUFFER_EMPTY, }, - // [3]= {.pvBuffer = NULL, .cbBuffer = 0, .BufferType = SECBUFFER_EMPTY, }, - // }; - - SecBufferDesc buffer_desc2 = { - .ulVersion = SECBUFFER_VERSION, - .cBuffers = 4, - .pBuffers = input_buffers3, - }; - printf("---------------- calling Decrypt Message2 %p\n", sc_handler->sec_handle); - status = DecryptMessage(&sc_handler->sec_handle, &buffer_desc2, 0, NULL); - printf("---------------- Decrypt Message2 status 0x%X\n", status); - return status; - - // memcpy( - // sc_handler->buffered_read_in_data_buf.buffer, input_buffers2[1].pvBuffer, 100); - //memmove( - //memcpy( - // sc_handler->buffered_read_in_data_buf.buffer, input_buffers2[1].pvBuffer, input_buffers2[1].cbBuffer); - - /* memcpy( - sc_handler->buffered_read_in_data_buf.buffer + sc_handler->buffered_read_in_data_buf.len, - message_cursor.ptr, - amount_to_move_to_buffer); - */ - - offset = 0; - sc_handler->read_extra = 0; - printf("buffer can fit the extra data\n"); - return s_do_application_data_decrypt(handler); - } - -/* - struct aws_io_message *outgoing_message = aws_channel_acquire_message_from_pool( - sc_handler->slot->channel, AWS_IO_MESSAGE_APPLICATION_DATA, 
buf_ptr->cbBuffer); - if (!outgoing_message) { - FreeContextBuffer(output_buffer.pvBuffer); - s_invoke_negotiation_error(handler, aws_last_error()); - return AWS_OP_ERR; - } - - AWS_ASSERT(outgoing_message->message_data.capacity >= data_to_write_len); - memcpy(outgoing_message->message_data.buffer, output_buffer.pvBuffer, output_buffer.cbBuffer); - outgoing_message->message_data.len = output_buffer.cbBuffer; - FreeContextBuffer(output_buffer.pvBuffer); - - if (aws_channel_slot_send_message(sc_handler->slot, outgoing_message, AWS_CHANNEL_DIR_WRITE)) { - aws_mem_release(outgoing_message->allocator, outgoing_message); - s_invoke_negotiation_error(handler, aws_last_error()); - return AWS_OP_ERR; - } - //error = SEC_E_OK; - //continue; - */ - //sc_handler->s_connection_state_fn = s_do_client_side_negotiation_step_2; - // s_do_client_side_negotiation_step_2(handler); - break; } else { AWS_LOGF_ERROR( AWS_LS_IO_TLS, "id=%p: Error decrypting message. SECURITY_STATUS is %lu.", (void *)handler, (int)status); @@ -1579,9 +1339,7 @@ static int s_process_pending_output_messages(struct aws_channel_handler *handler sc_handler->buffered_read_out_data_buf.len - copy_size); sc_handler->buffered_read_out_data_buf.len -= copy_size; - printf("is on data read is defined 1?\n"); if (sc_handler->on_data_read) { - printf("on data read is defined 1\n"); sc_handler->on_data_read(handler, sc_handler->slot, &read_out_msg->message_data, sc_handler->user_data); } if (aws_channel_slot_send_message(sc_handler->slot, read_out_msg, AWS_CHANNEL_DIR_READ)) { 
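Review bot: The rewritten SEC_I_RENEGOTIATE branch drops the loop that forwarded and released the `output_buffers` SECBUFFER_TOKEN produced by InitializeSecurityContextA, while `ctx_req` still carries `ISC_REQ_ALLOCATE_MEMORY` (see the step-1 hunk on this page), so any token Schannel allocates here is neither sent to the peer nor handed to `FreeContextBuffer` — a post-handshake message that requires a response will stall the session and the buffer leaks on every occurrence. `AWS_LOGF_ERROR(... "Error renegotiation happened. status %lu" ...)` also fires before `status` is examined, so every successful renegotiation is logged as an error; move it under the non-`SEC_E_OK` path or lower it to DEBUG. `error = status;` stores a raw SECURITY_STATUS in the variable that otherwise only ever holds `AWS_OP_SUCCESS`/`AWS_OP_ERR`, and the `else { break; }` path leaves without `aws_raise_error`, so on failure the caller receives an SSPI code rather than an AWS error it can act on. `s_do_application_data_decrypt` begins and ends outside the hunk.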
@@ -1594,9 +1352,7 @@ static int s_process_pending_output_messages(struct aws_channel_handler *handler
 }
 AWS_LOGF_TRACE(AWS_LS_IO_TLS, "id=%p: Downstream window is %zu", (void *)handler, downstream_window);
 } else {
- printf("is on data read is defined 2?\n");
 if (sc_handler->on_data_read) {
- printf("on dagta read is defined 2\n");
 sc_handler->on_data_read(
 handler, sc_handler->slot, &sc_handler->buffered_read_out_data_buf, sc_handler->user_data);
 }
@@ -1626,7 +1382,6 @@ static int s_process_read_message(
 struct aws_io_message *message) {
 struct secure_channel_handler *sc_handler = handler->impl;
- printf("%s handle %p\n", __FUNCTION__, handler);
 if (message) {
 /* note, most of these functions log internally, so the log messages in this function are sparse. */
 AWS_LOGF_TRACE(
@@ -1635,8 +1390,6 @@ static int s_process_read_message(
 (void *)handler, message->message_data.len);
- print_buffer(message->message_data.buffer, message->message_data.len, "printing received data");
-
 struct aws_byte_cursor message_cursor = aws_byte_cursor_from_buf(&message->message_data);
 /* The SSPI interface forces us to manage incomplete records manually. So when we had extra after
@@ -1813,31 +1566,6 @@ static int s_process_write_message(
 .pBuffers = buffers,
 };
- SecPkgContext_SessionKey session_key;
- SecPkgContext_SessionAppData sess_app_data;
- SecPkgContext_SessionInfo sess_info;
- SecPkgContext_StreamSizes stream_size;
-
- SECURITY_STATUS status =
- // QueryContextAttributesA(&sc_handler->sec_handle, SECPKG_ATTR_STREAM_SIZES, &stream_size);
- // if (status == SEC_E_OK) {
- // printf("stream size = %lu\n", stream_size.cbMaximumMessage);
- // }
-
- //status =
- //QueryContextAttributesA(&sc_handler->sec_handle, SECPKG_ATTR_STREAM_SIZES, &y);
- // QueryContextAttributesA(&sc_handler->sec_handle, SECPKG_ATTR_SESSION_KEY, &session_key);
- // printf("-----------query context status is %lu\n", status);
- // if (status == SEC_E_OK) {
- // printf("-----------query context status is ok\n");
- //for (int i = 0; i < sess_key.cbAppData; i++) {
- // printf("%X", sess_key.pbAppData[i]);
- // }
- //printf("\n");
- // }
-
-// snprintf(stdout, sess_key.SessionKeyLength, "session key is %XX\n", sess_key.SessionKey);
-
 status = EncryptMessage(&sc_handler->sec_handle, 0, &buffer_desc, 0);
 if (status == SEC_E_OK) {
@@ -1936,7 +1664,6 @@ static int s_handler_shutdown(
 int error_code, bool abort_immediately) {
 struct secure_channel_handler *sc_handler = handler->impl;
- printf("===== > shutting down schannel server\n");
 AWS_LOGF_DEBUG(AWS_LS_IO_TLS, "shutting down schannel server");
 if (dir == AWS_CHANNEL_DIR_WRITE) {
@@ -1964,7 +1691,6 @@ static int s_handler_shutdown(
 if (status != SEC_E_OK) {
 aws_raise_error(AWS_ERROR_SYS_CALL_FAILURE);
- printf("raising sys call failrue\n");
 return aws_channel_slot_on_handler_shutdown_complete( slot, dir, AWS_ERROR_SYS_CALL_FAILURE, abort_immediately);
 }
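Review bot: After this hunk the new side of `s_process_write_message` reads `status = EncryptMessage(...)` with no declaration of `status` in view: the dangling `SECURITY_STATUS status =` that previously chained into that assignment is removed together with the commented-out block. Unless `SECURITY_STATUS status` is declared earlier in the function (outside the hunk), this no longer compiles; the clean form is `SECURITY_STATUS status = EncryptMessage(&sc_handler->sec_handle, 0, &buffer_desc, 0);`. The enclosing function begins and ends outside the hunk.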
@@ -2006,7 +1732,6 @@ static int s_handler_shutdown( slot->channel, AWS_IO_MESSAGE_APPLICATION_DATA, output_buffer.cbBuffer); if (!outgoing_message || outgoing_message->message_data.capacity < output_buffer.cbBuffer) { - printf("exiting line 1600\n"); return aws_channel_slot_on_handler_shutdown_complete(slot, dir, aws_last_error(), true); } memcpy(outgoing_message->message_data.buffer, output_buffer.pvBuffer, output_buffer.cbBuffer); @@ -2021,7 +1746,6 @@ static int s_handler_shutdown( } AWS_LOGF_DEBUG(AWS_LS_IO_TLS, "calling handler shutdown complete"); - printf("normal exit %d\n", error_code); return aws_channel_slot_on_handler_shutdown_complete(slot, dir, error_code, abort_immediately); } @@ -2161,6 +1885,10 @@ static struct aws_channel_handler *s_tls_handler_new_common( goto on_error; } } + sc_handler->handler.alloc = alloc; + sc_handler->handler.impl = sc_handler; + sc_handler->handler.vtable = &s_handler_vtable; + sc_handler->handler.slot = slot; if (options->server_name) { AWS_LOGF_DEBUG( 
@@ -2206,45 +1934,24 @@ static struct aws_channel_handler *s_tls_handler_new_win10_plus( struct aws_channel_slot *slot, bool is_client_mode) { AWS_ASSERT(options->ctx); - DWORD dwFlags = 0; struct secure_channel_handler *sc_handler = aws_mem_calloc(alloc, 1, sizeof(struct secure_channel_handler)); if (!sc_handler) { return NULL; } struct secure_channel_ctx *sc_ctx = options->ctx->impl; - - - dwFlags = SCH_CRED_NO_DEFAULT_CREDS | - SCH_CRED_NO_SERVERNAME_CHECK | - SCH_SEND_AUX_RECORD | - SCH_USE_STRONG_CRYPTO | - SCH_CRED_AUTO_CRED_VALIDATION; - SCH_CREDENTIALS credentials_new2 = { 0 }; - - ZeroMemory(&credentials_new2, 0x00, sizeof(SCH_CREDENTIALS)); - - credentials_new2.cTlsParameters = 0; - credentials_new2.dwSessionLifespan = 0; // default 10 hours - credentials_new2.dwVersion = SCH_CREDENTIALS_VERSION; - credentials_new2.dwCredFormat = 0; // kernel-mode only default - credentials_new2.dwFlags = sc_ctx->schannel_creds.dwFlags; - credentials_new2.paCred = sc_ctx->schannel_creds.paCred; - credentials_new2.cCreds = sc_ctx->schannel_creds.cCreds; - - //sc_ctx->credentials_new.cTlsParameters = 0; - //sc_ctx->credentials_new.dwSessionLifespan = 0; // default 10 hours + SCH_CREDENTIALS credentials = { 0 }; - // TODO: try to copy to the common section above - sc_handler->handler.alloc = alloc; - sc_handler->handler.impl = sc_handler; - sc_handler->handler.vtable = &s_handler_vtable; - sc_handler->handler.slot = slot; - - //sc_ctx->credentials_new.dwFlags = dwFlags; + ZeroMemory(&credentials, 0x00, sizeof(SCH_CREDENTIALS)); -// sc_ctx->credentials_new.dwFlags = dwFlags; + credentials.cTlsParameters = 0; + credentials.dwSessionLifespan = 0; /* default 10 hours */ + credentials.dwVersion = SCH_CREDENTIALS_VERSION; + credentials.dwCredFormat = 0; + credentials.dwFlags = sc_ctx->schannel_creds.dwFlags; + credentials.paCred = sc_ctx->schannel_creds.paCred; + credentials.cCreds = sc_ctx->schannel_creds.cCreds; aws_tls_channel_handler_shared_init(&sc_handler->shared_state, 
&sc_handler->handler, options); @@ -2253,19 +1960,17 @@ static struct aws_channel_handler *s_tls_handler_new_win10_plus( credential_use = SECPKG_CRED_OUTBOUND; } - //printf("\\\\\\\\\\\\\\ before acquire credentials handle %p %p\n", credentials_new2.paCred, sc_ctx->credentials_new.paCred); SECURITY_STATUS status = AcquireCredentialsHandleA( NULL, UNISP_NAME, credential_use, NULL, - //&sc_ctx->credentials_new, - &credentials_new2, + &credentials, NULL, NULL, &sc_handler->creds, &sc_handler->sspi_timestamp); - printf("\\\\\\\\\\\\\\ out of acquire credentials handle\n"); + if (status != SEC_E_OK) { AWS_LOGF_ERROR(AWS_LS_IO_TLS, "Error on AcquireCredentialsHandle. SECURITY_STATUS is %lu", (int)status); int aws_error = s_determine_sspi_error(status); @@ -2299,22 +2004,14 @@ static struct aws_channel_handler *s_tls_handler_new( SCHANNEL_CRED credentials = { 0 }; credentials.dwVersion = SCHANNEL_CRED_VERSION; - credentials.dwCredFormat = 0; // kernel-mode only default + credentials.dwCredFormat = 0; credentials.dwFlags = sc_ctx->schannel_creds.dwFlags; credentials.paCred = sc_ctx->schannel_creds.paCred; credentials.cCreds = sc_ctx->schannel_creds.cCreds; credentials.grbitEnabledProtocols = getEnabledProtocols( options, is_client_mode); - - - // TODO: try to copy to the common section above - sc_handler->handler.alloc = alloc; - sc_handler->handler.impl = sc_handler; - sc_handler->handler.vtable = &s_handler_vtable; - sc_handler->handler.slot = slot; aws_tls_channel_handler_shared_init(&sc_handler->shared_state, &sc_handler->handler, options); - unsigned long credential_use = SECPKG_CRED_INBOUND; if (is_client_mode) { credential_use = SECPKG_CRED_OUTBOUND; @@ -2326,7 +2023,6 @@ static struct aws_channel_handler *s_tls_handler_new( credential_use, NULL, &credentials, - //&sc_ctx->credentials, NULL, NULL, &sc_handler->creds, 
@@ -2355,7 +2051,6 @@ struct aws_channel_handler *aws_tls_client_handler_new( struct aws_channel_slot *slot) { if (s_is_windows_equal_or_above_10()) { - printf("\\\\\\\\\\\\\\\\\\\doing windows above 10\n"); return s_tls_handler_new_win10_plus(allocator, options, slot, true); } else { return s_tls_handler_new(allocator, options, slot, true); @@ -2490,7 +2185,6 @@ struct aws_tls_ctx *s_ctx_new( DWORD dwFlags = 0; PCCERT_CONTEXT *paCred = NULL; DWORD cCreds = 1; - printf("\\\\\\\\\\\\\\\\\\ calling this s_ctx_new\n"); if (!aws_tls_is_cipher_pref_supported(options->cipher_pref)) { aws_raise_error(AWS_IO_TLS_CIPHER_PREF_UNSUPPORTED); @@ -2518,16 +2212,11 @@ struct aws_tls_ctx *s_ctx_new( } secure_channel_ctx->verify_peer = options->verify_peer; - - secure_channel_ctx->should_free_pcerts = true; - if (options->verify_peer && aws_tls_options_buf_is_set(&options->ca_file)) { AWS_LOGF_DEBUG(AWS_LS_IO_TLS, "static: loading custom CA file."); dwFlags |= SCH_CRED_MANUAL_CRED_VALIDATION; - //secure_channel_ctx->credentials.dwFlags = SCH_CRED_MANUAL_CRED_VALIDATION; - //secure_channel_ctx->credentials_new.dwFlags = SCH_CRED_MANUAL_CRED_VALIDATION; struct aws_byte_cursor ca_blob_cur = aws_byte_cursor_from_buf(&options->ca_file); int error = aws_import_trusted_certificates(alloc, &ca_blob_cur, &secure_channel_ctx->custom_trust_store); @@ -2538,8 +2227,6 @@ struct aws_tls_ctx *s_ctx_new( } } else if (is_client_mode) { dwFlags |= SCH_CRED_AUTO_CRED_VALIDATION; - //secure_channel_ctx->credentials.dwFlags = SCH_CRED_AUTO_CRED_VALIDATION; - //secure_channel_ctx->credentials_new.dwFlags = SCH_CRED_AUTO_CRED_VALIDATION; } if (is_client_mode && !options->verify_peer) { 
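Review bot: The hunk at -2518 drops `secure_channel_ctx->should_free_pcerts = true;` without replacing it, so the flag keeps the zero value from `aws_mem_calloc` unless it is set again somewhere outside these hunks. The system-store branch later in s_ctx_new (the one that sets `paCred = &secure_channel_ctx->pcerts; cCreds = 1;` and, unlike the PEM branch, does not clear the flag) appears to rely on the `true` default for releasing the certificate context at destroy time, so this looks like a leaked PCCERT_CONTEXT for that configuration. If the line was removed on purpose, a comment stating who now owns `pcerts` on the system-store path would prevent the next reader from re-adding it blindly.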
@@ -2551,32 +2238,13 @@ struct aws_tls_ctx *s_ctx_new( dwFlags |= SCH_CRED_IGNORE_NO_REVOCATION_CHECK | SCH_CRED_IGNORE_REVOCATION_OFFLINE | SCH_CRED_NO_SERVERNAME_CHECK | SCH_CRED_MANUAL_CRED_VALIDATION; - - /* - secure_channel_ctx->credentials.dwFlags &= ~(SCH_CRED_AUTO_CRED_VALIDATION); - secure_channel_ctx->credentials.dwFlags |= SCH_CRED_IGNORE_NO_REVOCATION_CHECK | - SCH_CRED_IGNORE_REVOCATION_OFFLINE | SCH_CRED_NO_SERVERNAME_CHECK | - SCH_CRED_MANUAL_CRED_VALIDATION; - - secure_channel_ctx->credentials_new.dwFlags &= ~(SCH_CRED_AUTO_CRED_VALIDATION); - secure_channel_ctx->credentials_new.dwFlags |= SCH_CRED_IGNORE_NO_REVOCATION_CHECK | - SCH_CRED_IGNORE_REVOCATION_OFFLINE | SCH_CRED_NO_SERVERNAME_CHECK | - SCH_CRED_MANUAL_CRED_VALIDATION; - */ } else if (is_client_mode) { dwFlags |= SCH_CRED_REVOCATION_CHECK_CHAIN | SCH_CRED_IGNORE_REVOCATION_OFFLINE; - -// secure_channel_ctx->credentials.dwFlags |= SCH_CRED_REVOCATION_CHECK_CHAIN | SCH_CRED_IGNORE_REVOCATION_OFFLINE; - - // secure_channel_ctx->credentials_new.dwFlags |= SCH_CRED_REVOCATION_CHECK_CHAIN | SCH_CRED_IGNORE_REVOCATION_OFFLINE; } - dwFlags |= SCH_USE_STRONG_CRYPTO; /* if someone wants to use broken algorithms like rc4/md5/des they'll need to ask for a special control */ - //secure_channel_ctx->credentials.dwFlags |= SCH_USE_STRONG_CRYPTO; - - //secure_channel_ctx->credentials_new.dwFlags |= SCH_USE_STRONG_CRYPTO; - //secure_channel_ctx->credentials_new.dwFlags |= SCH_CRED_NO_DEFAULT_CREDS; + dwFlags |= SCH_USE_STRONG_CRYPTO; + dwFlags |= SCH_CRED_NO_DEFAULT_CREDS; /* if using a system store. */ if (options->system_certificate_path) { 
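Review bot: The rewritten strong-crypto lines drop the only explanation of why `SCH_USE_STRONG_CRYPTO` is unconditional (`/* if someone wants to use broken algorithms like rc4/md5/des they'll need to ask for a special control */`); that rationale should survive the cleanup, e.g. `dwFlags |= SCH_USE_STRONG_CRYPTO; /* rc4/md5/des etc. stay off; enabling them would need an explicit control */`. The new `SCH_CRED_NO_DEFAULT_CREDS` is applied in both client and server mode; it is harmless on the server side, where a certificate is expected to arrive via `paCred`, but its purpose is client-side, so a why-comment such as `/* never let Schannel pick a client certificate from the store on its own; only paCred is used */` would make the intent explicit. s_ctx_new starts and ends outside the hunk.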
@@ -2589,12 +2257,6 @@ struct aws_tls_ctx *s_ctx_new( } paCred = &secure_channel_ctx->pcerts; cCreds = 1; - //secure_channel_ctx->credentials.paCred = &secure_channel_ctx->pcerts; - //secure_channel_ctx->credentials.cCreds = 1; - - //secure_channel_ctx->credentials_new.paCred = &secure_channel_ctx->pcerts; - //secure_channel_ctx->credentials_new.cCreds = 1; - /* if using traditional PEM armored PKCS#7 and ASN Encoding public/private key pairs */ } else if (aws_tls_options_buf_is_set(&options->certificate) && aws_tls_options_buf_is_set(&options->private_key)) { @@ -2632,12 +2294,6 @@ struct aws_tls_ctx *s_ctx_new( paCred = &secure_channel_ctx->pcerts; cCreds = 1; - //secure_channel_ctx->credentials.paCred = &secure_channel_ctx->pcerts; - //secure_channel_ctx->credentials.cCreds = 1; - - //secure_channel_ctx->credentials_new.paCred = &secure_channel_ctx->pcerts; - //secure_channel_ctx->credentials_new.cCreds = 1; - secure_channel_ctx->should_free_pcerts = false; } 
@@ -2645,30 +2301,6 @@ struct aws_tls_ctx *s_ctx_new( secure_channel_ctx->schannel_creds.paCred = paCred; secure_channel_ctx->schannel_creds.cCreds = cCreds; - - bool is_above_win_10; - is_above_win_10 = s_is_windows_equal_or_above_10(); - printf("\\\\\\\\\ windows is above 10? %d\n", is_above_win_10); - if (is_above_win_10 == true) { - //secure_channel_ctx->credentials_new.dwVersion = SCH_CREDENTIALS_VERSION; - //secure_channel_ctx->credentials_new.dwCredFormat = 0; // kernel-mode only default - //secure_channel_ctx->credentials_new.dwFlags = dwFlags; - //secure_channel_ctx->credentials_new.paCred = paCred; - // printf("paCred is %p\n", paCred); - //secure_channel_ctx->credentials_new.cCreds = cCreds; - - // secure_channel_ctx->schannel_creds.dwFlags = dwFlags; - // secure_channel_ctx->schannel_creds.paCred = paCred; - // secure_channel_ctx->schannel_creds.cCreds = cCreds; - } else { -// secure_channel_ctx->credentials.dwVersion = SCHANNEL_CRED_VERSION; - // secure_channel_ctx->credentials.dwCredFormat = 0; // kernel-mode only default - // secure_channel_ctx->credentials.dwFlags = dwFlags; - // secure_channel_ctx->credentials.paCred = paCred; - // secure_channel_ctx->credentials.cCreds = cCreds; - // secure_channel_ctx->credentials.grbitEnabledProtocols = getEnabledProtocols( options, is_client_mode); - } - return &secure_channel_ctx->ctx; clean_up: From eee6adea0485e0935695b7ea6e288cb227b204f8 Mon Sep 17 00:00:00 2001 From: Alfred Gedeon Date: Mon, 20 May 2024 23:47:10 -0700 Subject: [PATCH 20/88] Fix indentation --- source/windows/secure_channel_tls_handler.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/source/windows/secure_channel_tls_handler.c b/source/windows/secure_channel_tls_handler.c index e925b5636..28e338993 100644 --- a/source/windows/secure_channel_tls_handler.c +++ b/source/windows/secure_channel_tls_handler.c 
@@ -2003,12 +2003,12 @@ static struct aws_channel_handler *s_tls_handler_new( struct secure_channel_ctx *sc_ctx = options->ctx->impl; SCHANNEL_CRED credentials = { 0 }; - credentials.dwVersion = SCHANNEL_CRED_VERSION; - credentials.dwCredFormat = 0; - credentials.dwFlags = sc_ctx->schannel_creds.dwFlags; - credentials.paCred = sc_ctx->schannel_creds.paCred; - credentials.cCreds = sc_ctx->schannel_creds.cCreds; - credentials.grbitEnabledProtocols = getEnabledProtocols( options, is_client_mode); + credentials.dwVersion = SCHANNEL_CRED_VERSION; + credentials.dwCredFormat = 0; + credentials.dwFlags = sc_ctx->schannel_creds.dwFlags; + credentials.paCred = sc_ctx->schannel_creds.paCred; + credentials.cCreds = sc_ctx->schannel_creds.cCreds; + credentials.grbitEnabledProtocols = getEnabledProtocols( options, is_client_mode); aws_tls_channel_handler_shared_init(&sc_handler->shared_state, &sc_handler->handler, options); @@ -2297,9 +2297,9 @@ struct aws_tls_ctx *s_ctx_new( secure_channel_ctx->should_free_pcerts = false; } - secure_channel_ctx->schannel_creds.dwFlags = dwFlags; - secure_channel_ctx->schannel_creds.paCred = paCred; - secure_channel_ctx->schannel_creds.cCreds = cCreds; + secure_channel_ctx->schannel_creds.dwFlags = dwFlags; + secure_channel_ctx->schannel_creds.paCred = paCred; + secure_channel_ctx->schannel_creds.cCreds = cCreds; return &secure_channel_ctx->ctx; From 75db3dbe503aae1f58b57e2683f7d62da1b92f20 Mon Sep 17 00:00:00 2001 From: alfred2g Date: Tue, 21 May 2024 00:39:02 -0700 Subject: [PATCH 21/88] Fix warnings --- source/windows/secure_channel_tls_handler.c | 138 +++++++++----------- 1 file changed, 59 insertions(+), 79 deletions(-) diff --git a/source/windows/secure_channel_tls_handler.c b/source/windows/secure_channel_tls_handler.c index 28e338993..9a195bdb6 100644 --- a/source/windows/secure_channel_tls_handler.c +++ b/source/windows/secure_channel_tls_handler.c 
@@ -57,6 +57,7 @@ struct common_credential_params { DWORD dwFlags; PCCERT_CONTEXT *paCred; DWORD cCreds; + DWORD enabledProtocols; }; struct secure_channel_ctx { @@ -131,8 +132,8 @@ static size_t s_message_overhead(struct aws_channel_handler *handler) { } bool s_is_windows_equal_or_above_10(void) { - DWORDLONG dwlConditionMask = 0; - int op = VER_GREATER_EQUAL; + ULONGLONG dwlConditionMask = 0; + BYTE op = VER_GREATER_EQUAL; OSVERSIONINFOEX osvi; NTSTATUS status = STATUS_DLL_NOT_FOUND; @@ -144,12 +145,13 @@ bool s_is_windows_equal_or_above_10(void) { dwlConditionMask = VerSetConditionMask(dwlConditionMask, VER_BUILDNUMBER, op); typedef NTSTATUS(WINAPI * pRtlGetVersionInfo)( - PRTL_OSVERSIONINFOW lpVersionInformation, + //PRTL_OSVERSIONINFOW lpVersionInformation, + OSVERSIONINFOEX *lpVersionInformation, ULONG TypeMask, ULONGLONG ConditionMask); pRtlGetVersionInfo f; - f = GetProcAddress(GetModuleHandle("ntdll"), "RtlVerifyVersionInfo"); + f = (pRtlGetVersionInfo)GetProcAddress(GetModuleHandle("ntdll"), "RtlVerifyVersionInfo"); if (f) { status = f(&osvi, VER_BUILDNUMBER, @@ -1091,10 +1093,7 @@ static int s_do_client_side_negotiation_step_2(struct aws_channel_handler *handl return AWS_OP_SUCCESS; } -/* cipher exchange, key exchange etc.... */ -static int s_do_client_side_negotiation_step_3(struct aws_channel_handler *handler) { - struct secure_channel_handler *sc_handler = handler->impl; -} + static int s_do_application_data_decrypt(struct aws_channel_handler *handler) { struct secure_channel_handler *sc_handler = handler->impl; @@ -1225,7 +1224,7 @@ static int s_do_application_data_decrypt(struct aws_channel_handler *handler) { SecBuffer input_buffers2[] = { [0] = { .pvBuffer = sc_handler->buffered_read_in_data_buf.buffer, - .cbBuffer = sc_handler->buffered_read_in_data_buf.len, + .cbBuffer = (unsigned long)sc_handler->buffered_read_in_data_buf.len, .BufferType = SECBUFFER_TOKEN, }, [1] = 
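Review bot: The typedef in the -144 hunk keeps a commented-out parameter line, `//PRTL_OSVERSIONINFOW lpVersionInformation,`, next to its replacement; delete it rather than carrying dead code inside a type. Changing the declared parameter to `OSVERSIONINFOEX *` also hides a possible mismatch rather than resolving it: `RtlVerifyVersionInfo` takes the wide `RTL_OSVERSIONINFOEXW` layout, while `OSVERSIONINFOEX` resolves to the ANSI variant in a non-UNICODE build, whose `szCSDVersion` member is half the size, so `dwOSVersionInfoSize` would not match what ntdll expects — worth confirming and, if so, using `OSVERSIONINFOEXW` for both the variable and the typedef. In the -1225 hunk the `(unsigned long)` cast on `buffered_read_in_data_buf.len` silences the warning but would silently truncate a `size_t` above `ULONG_MAX`; if that length is bounded by the handler's own read buffer a comment saying so is enough, otherwise check it before the cast.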
@@ -1928,6 +1927,54 @@ static struct aws_channel_handler *s_tls_handler_new_common( return NULL; } +static DWORD getEnabledProtocols( const struct aws_tls_ctx_options *options, bool is_client_mode) { + DWORD grbitEnabledProtocols = 0; + if (is_client_mode) { + switch (options->minimum_tls_version) { + case AWS_IO_SSLv3: + grbitEnabledProtocols |= SP_PROT_SSL3_CLIENT; + case AWS_IO_TLSv1: + grbitEnabledProtocols |= SP_PROT_TLS1_0_CLIENT; + case AWS_IO_TLSv1_1: + grbitEnabledProtocols |= SP_PROT_TLS1_1_CLIENT; + case AWS_IO_TLSv1_2: +#if defined(SP_PROT_TLS1_2_CLIENT) + grbitEnabledProtocols |= SP_PROT_TLS1_2_CLIENT; +#endif + case AWS_IO_TLSv1_3: + #if defined(SP_PROT_TLS1_3_CLIENT) + grbitEnabledProtocols |= SP_PROT_TLS1_3_CLIENT; +#endif + break; + case AWS_IO_TLS_VER_SYS_DEFAULTS: + grbitEnabledProtocols = 0; + break; + } + } else { + switch (options->minimum_tls_version) { + case AWS_IO_SSLv3: + grbitEnabledProtocols |= SP_PROT_SSL3_SERVER; + case AWS_IO_TLSv1: + grbitEnabledProtocols |= SP_PROT_TLS1_0_SERVER; + case AWS_IO_TLSv1_1: + grbitEnabledProtocols |= SP_PROT_TLS1_1_SERVER; + case AWS_IO_TLSv1_2: +#if defined(SP_PROT_TLS1_2_SERVER) + grbitEnabledProtocols |= SP_PROT_TLS1_2_SERVER; +#endif + case AWS_IO_TLSv1_3: +#if defined(SP_PROT_TLS1_3_SERVER) + grbitEnabledProtocols |= SP_PROT_TLS1_3_SERVER; +#endif + break; + case AWS_IO_TLS_VER_SYS_DEFAULTS: + grbitEnabledProtocols = 0; + break; + } + } + return grbitEnabledProtocols; +} + static struct aws_channel_handler *s_tls_handler_new_win10_plus( struct aws_allocator *alloc, struct aws_tls_connection_options *options, @@ -1943,7 +1990,7 @@ static struct aws_channel_handler *s_tls_handler_new_win10_plus( SCH_CREDENTIALS credentials = { 0 }; - ZeroMemory(&credentials, 0x00, sizeof(SCH_CREDENTIALS)); + ZeroMemory(&credentials, sizeof(SCH_CREDENTIALS)); credentials.cTlsParameters = 0; credentials.dwSessionLifespan = 0; /* default 10 hours */ 
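Review bot: Every `case` in both `switch` statements of the new getEnabledProtocols falls through on purpose (the minimum version enables itself and everything newer), but nothing marks that, and `-Wimplicit-fallthrough` will flag each one; add `/* fallthrough */` after each `|=` line and a `default:` arm so an unhandled enum value is not silently mapped to "nothing enabled". A short header comment stating the contract would also help, e.g. `/* Translate options->minimum_tls_version into an SP_PROT_* mask of the protocols Schannel may negotiate; 0 means "leave it to the system defaults". */`. As far as the hunks on this page show, the result only reaches `SCHANNEL_CRED.grbitEnabledProtocols` on the legacy path; the SCH_CREDENTIALS path in s_tls_handler_new_win10_plus does not consume it, which is worth noting in that comment so the gap is not mistaken for a design choice.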
@@ -2008,7 +2055,7 @@ static struct aws_channel_handler *s_tls_handler_new( credentials.dwFlags = sc_ctx->schannel_creds.dwFlags; credentials.paCred = sc_ctx->schannel_creds.paCred; credentials.cCreds = sc_ctx->schannel_creds.cCreds; - credentials.grbitEnabledProtocols = getEnabledProtocols( options, is_client_mode); + credentials.grbitEnabledProtocols = sc_ctx->schannel_creds.enabledProtocols; aws_tls_channel_handler_shared_init(&sc_handler->shared_state, &sc_handler->handler, options); 
@@ -2109,74 +2156,6 @@ static void s_secure_channel_ctx_destroy(struct secure_channel_ctx *secure_chann aws_mem_release(secure_channel_ctx->ctx.alloc, secure_channel_ctx); } -static struct aws_tls_ctx *s_ctx_new_above_win_10( - struct aws_allocator *alloc, - const struct aws_tls_ctx_options *options, - bool is_client_mode, - struct secure_channel_ctx *secure_channel_ctx) { - -} - -static struct aws_tls_ctx *s_ctx_new_below_win_10( - struct aws_allocator *alloc, - const struct aws_tls_ctx_options *options, - bool is_client_mode, - struct secure_channel_ctx *secure_channel_ctx ) { - -} - -static DWORD getEnabledProtocols( - const struct aws_tls_ctx_options *options, - bool is_client_mode) -{ - - DWORD grbitEnabledProtocols = 0; - if (is_client_mode) { - switch (options->minimum_tls_version) { - case AWS_IO_SSLv3: - grbitEnabledProtocols |= SP_PROT_SSL3_CLIENT; - case AWS_IO_TLSv1: - grbitEnabledProtocols |= SP_PROT_TLS1_0_CLIENT; - case AWS_IO_TLSv1_1: - grbitEnabledProtocols |= SP_PROT_TLS1_1_CLIENT; - case AWS_IO_TLSv1_2: -#if defined(SP_PROT_TLS1_2_CLIENT) - grbitEnabledProtocols |= SP_PROT_TLS1_2_CLIENT; -#endif - case AWS_IO_TLSv1_3: - #if defined(SP_PROT_TLS1_3_CLIENT) - grbitEnabledProtocols |= SP_PROT_TLS1_3_CLIENT; -#endif - break; - case AWS_IO_TLS_VER_SYS_DEFAULTS: - grbitEnabledProtocols = 0; - break; - } - } else { - switch (options->minimum_tls_version) { - case AWS_IO_SSLv3: - grbitEnabledProtocols |= SP_PROT_SSL3_SERVER; - case AWS_IO_TLSv1: - grbitEnabledProtocols |= SP_PROT_TLS1_0_SERVER; - case AWS_IO_TLSv1_1: - grbitEnabledProtocols |= SP_PROT_TLS1_1_SERVER; - case AWS_IO_TLSv1_2: -#if defined(SP_PROT_TLS1_2_SERVER) - grbitEnabledProtocols |= SP_PROT_TLS1_2_SERVER; -#endif - case AWS_IO_TLSv1_3: -#if defined(SP_PROT_TLS1_3_SERVER) - grbitEnabledProtocols |= SP_PROT_TLS1_3_SERVER; -#endif - break; - case AWS_IO_TLS_VER_SYS_DEFAULTS: - grbitEnabledProtocols = 0; - break; - } - } - return grbitEnabledProtocols; -} - struct aws_tls_ctx *s_ctx_new( 
struct aws_allocator *alloc, const struct aws_tls_ctx_options *options, @@ -2213,6 +2192,7 @@ struct aws_tls_ctx *s_ctx_new( secure_channel_ctx->verify_peer = options->verify_peer; secure_channel_ctx->should_free_pcerts = true; + secure_channel_ctx->schannel_creds.enabledProtocols = getEnabledProtocols( options, is_client_mode); if (options->verify_peer && aws_tls_options_buf_is_set(&options->ca_file)) { AWS_LOGF_DEBUG(AWS_LS_IO_TLS, "static: loading custom CA file."); From 324ade157f1b876087180e813ca4c6fdef31fcc4 Mon Sep 17 00:00:00 2001 From: alfred2g Date: Tue, 21 May 2024 08:12:15 -0700 Subject: [PATCH 22/88] add logs --- source/channel_bootstrap.c | 4 -- source/tls_channel_handler.c | 1 - source/windows/secure_channel_tls_handler.c | 59 ++++++++++++--------- 3 files changed, 33 insertions(+), 31 deletions(-) diff --git a/source/channel_bootstrap.c b/source/channel_bootstrap.c index 43c486405..b014b2f6f 100644 --- a/source/channel_bootstrap.c +++ b/source/channel_bootstrap.c @@ -190,10 +190,6 @@ static void s_connect_args_setup_callback_safe( AWS_FATAL_ASSERT( (args->requested_event_loop == NULL) || aws_event_loop_thread_is_callers_thread(args->requested_event_loop)); - /* setup_callback is always called exactly once */ - if (args->setup_called) { - return; - } AWS_FATAL_ASSERT(!args->setup_called); AWS_ASSERT((error_code == AWS_OP_SUCCESS) == (channel != NULL)); diff --git a/source/tls_channel_handler.c b/source/tls_channel_handler.c index 2d84aa949..5c6426872 100644 --- a/source/tls_channel_handler.c +++ b/source/tls_channel_handler.c @@ -733,7 +733,6 @@ void aws_tls_clean_up_static_state(void) {} #endif /* BYO_CRYPTO */ -// XXX: not used function int aws_channel_setup_client_tls( struct aws_channel_slot *right_of_slot, struct aws_tls_connection_options *tls_options) { diff --git a/source/windows/secure_channel_tls_handler.c b/source/windows/secure_channel_tls_handler.c index 9a195bdb6..59ba9bca9 100644 --- a/source/windows/secure_channel_tls_handler.c 
+++ b/source/windows/secure_channel_tls_handler.c @@ -160,8 +160,10 @@ bool s_is_windows_equal_or_above_10(void) { status = STATUS_DLL_NOT_FOUND; } if (status == STATUS_SUCCESS) { + AWS_LOGF_INFO(AWS_LS_IO_TLS, "Checking Windows Version: running windows 10 build 1809 or later"); return true; } else { + AWS_LOGF_INFO(AWS_LS_IO_TLS, "Checking Windows Version: running windows 10 build 1808 or earlier"); return false; } } 
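Review bot: The two new log lines describe the threshold as "build 1809", but Windows 10 version 1809 is build 17763; if `dwBuildNumber` is compared against 1809 (the `osvi.dwBuildNumber = 1809; /* Windows 10 */` context visible in a later hunk suggests it is), every build since Windows 7 (7601) satisfies `VER_GREATER_EQUAL`, and the SCH_CREDENTIALS path would be chosen on systems that lack it, failing in AcquireCredentialsHandle instead of falling back to SCHANNEL_CRED. Whatever the comparison ends up being, the messages should name it accurately — there is no version "1808" — e.g. `"running Windows 10 1809 (build 17763) or later"` and `"running an OS older than Windows 10 1809"`. Since s_is_windows_equal_or_above_10 is called from aws_tls_client_handler_new on every handler creation, `AWS_LOGF_DEBUG` is the more appropriate level than INFO.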
@@ -1146,33 +1148,33 @@ static int s_do_application_data_decrypt(struct aws_channel_handler *handler) { (void)append_failed; /* if we have extra we have to move the pointer and do another Decrypt operation. */ - if (input_buffers[3].BufferType == SECBUFFER_EXTRA && input_buffers[3].cbBuffer > 0) - { - if (input_buffers[3].cbBuffer < read_len) - { - AWS_LOGF_TRACE( - AWS_LS_IO_TLS, - "id=%p: Extra (incomplete) message received with length %zu.", - (void *)handler, - sc_handler->read_extra); - memmove( - sc_handler->buffered_read_in_data_buf.buffer, - (sc_handler->buffered_read_in_data_buf.buffer + read_len) - input_buffers[3].cbBuffer, - input_buffers[3].cbBuffer); - sc_handler->buffered_read_in_data_buf.len = input_buffers[3].cbBuffer; - } - } - else - { - error = AWS_OP_SUCCESS; - /* this means we processed everything in the buffer. */ - sc_handler->buffered_read_in_data_buf.len = 0; - AWS_LOGF_TRACE( - AWS_LS_IO_TLS, - "id=%p: Decrypt ended exactly on the end of the record, resetting buffer.", - (void *)handler); - } } + if (input_buffers[3].BufferType == SECBUFFER_EXTRA && input_buffers[3].cbBuffer > 0) + { + if (input_buffers[3].cbBuffer < read_len) + { + AWS_LOGF_TRACE( + AWS_LS_IO_TLS, + "id=%p: Extra (incomplete) message received with length %zu.", + (void *)handler, + sc_handler->read_extra); + memmove( + sc_handler->buffered_read_in_data_buf.buffer, + (sc_handler->buffered_read_in_data_buf.buffer + read_len) - input_buffers[3].cbBuffer, + input_buffers[3].cbBuffer); + sc_handler->buffered_read_in_data_buf.len = input_buffers[3].cbBuffer; + } + } + else + { + error = AWS_OP_SUCCESS; + /* this means we processed everything in the buffer. 
*/ + sc_handler->buffered_read_in_data_buf.len = 0; + AWS_LOGF_TRACE( + AWS_LS_IO_TLS, + "id=%p: Decrypt ended exactly on the end of the record, resetting buffer.", + (void *)handler); + } } /* SEC_E_INCOMPLETE_MESSAGE means the message we tried to decrypt isn't a full record and we need to append our next read to it and try again. */ @@ -1206,6 +1208,11 @@ static int s_do_application_data_decrypt(struct aws_channel_handler *handler) { error = AWS_OP_SUCCESS; } if (status == SEC_I_RENEGOTIATE) { + AWS_LOGF_TRACE( + AWS_LS_IO_TLS, + "id=%p: Renegotiation received. SECURITY_STATUS is %d.", + (void *)handler, + (int)status); /* if we are the client */ if (input_buffers[3].BufferType == SECBUFFER_EXTRA && input_buffers[3].cbBuffer > 0) { From e9871c69f1945c6148a44712de4c117e139e34b2 Mon Sep 17 00:00:00 2001 From: alfred2g Date: Tue, 21 May 2024 09:17:09 -0700 Subject: [PATCH 23/88] Fix warnings --- source/alpn_handler.c | 1 + source/channel.c | 3 ++- source/channel_bootstrap.c | 2 ++ source/socket_channel_handler.c | 5 ++--- source/tls_channel_handler_shared.c | 1 + source/windows/secure_channel_tls_handler.c | 16 +++++++++------- 6 files changed, 17 insertions(+), 11 deletions(-) diff --git a/source/alpn_handler.c b/source/alpn_handler.c index c7d2fa85d..5ad288260 100644 --- a/source/alpn_handler.c +++ b/source/alpn_handler.c @@ -103,6 +103,7 @@ struct aws_channel_handler *aws_tls_alpn_handler_new( alpn_handler->user_data = user_data; channel_handler->impl = alpn_handler; channel_handler->alloc = allocator; + channel_handler->vtable = &s_alpn_handler_vtable; return channel_handler; diff --git a/source/channel.c b/source/channel.c index 9155bcd22..48f547139 100644 --- a/source/channel.c +++ b/source/channel.c 
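Review bot: In the relocated SECBUFFER_EXTRA block the trace message reports `sc_handler->read_extra` as the length of the extra data, but the value actually used for the `memmove` and for `buffered_read_in_data_buf.len` is `input_buffers[3].cbBuffer`, and `read_extra` is not updated here, so the log prints a stale number; pass `(size_t)input_buffers[3].cbBuffer` instead. Moving the block out of the `SECBUFFER_DATA` branch looks right for records that decrypt to no application data (the buffer is now reset or shifted either way), but the inner `if (input_buffers[3].cbBuffer < read_len)` still has no `else`, so an extra length equal to or larger than `read_len` leaves the buffer untouched without even a log line; if that case cannot occur an `AWS_ASSERT` would document it. s_do_application_data_decrypt starts and ends outside the hunk.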
@@ -984,7 +984,7 @@ int aws_channel_slot_on_handler_shutdown_complete( } if (slot->adj_left && slot->adj_left->handler) { - AWS_LOGF_DEBUG(AWS_LS_IO_CHANNEL, "handler shutdown2 in dir completed. error_code %d", err_code); + AWS_LOGF_DEBUG(AWS_LS_IO_CHANNEL, "handler shutdown2 in dir completed. error_code %d", err_code); return aws_channel_handler_shutdown( slot->adj_left->handler, slot->adj_left, dir, err_code, free_scarce_resources_immediately); } @@ -1033,6 +1033,7 @@ int aws_channel_handler_process_write_message( struct aws_channel_handler *handler, struct aws_channel_slot *slot, struct aws_io_message *message) { + AWS_ASSERT(handler->vtable && handler->vtable->process_write_message); return handler->vtable->process_write_message(handler, slot, message); } diff --git a/source/channel_bootstrap.c b/source/channel_bootstrap.c index b014b2f6f..2ccd3873a 100644 --- a/source/channel_bootstrap.c +++ b/source/channel_bootstrap.c @@ -190,6 +190,7 @@ static void s_connect_args_setup_callback_safe( AWS_FATAL_ASSERT( (args->requested_event_loop == NULL) || aws_event_loop_thread_is_callers_thread(args->requested_event_loop)); + /* setup_callback is always called exactly once */ AWS_FATAL_ASSERT(!args->setup_called); AWS_ASSERT((error_code == AWS_OP_SUCCESS) == (channel != NULL)); @@ -305,6 +306,7 @@ static void s_tls_client_on_negotiation_result( int err_code, void *user_data) { struct client_connection_args *connection_args = user_data; + if (connection_args->channel_data.user_on_negotiation_result) { connection_args->channel_data.user_on_negotiation_result( handler, slot, err_code, connection_args->channel_data.tls_user_data); diff --git a/source/socket_channel_handler.c b/source/socket_channel_handler.c index 57c368b61..c327f6f35 100644 --- a/source/socket_channel_handler.c +++ b/source/socket_channel_handler.c 
@@ -146,6 +146,7 @@ static void s_do_read(struct socket_handler *socket_handler) { int last_error = 0; while (total_read < max_to_read) { size_t iter_max_read = max_to_read - total_read; + struct aws_io_message *message = aws_channel_acquire_message_from_pool( socket_handler->slot->channel, AWS_IO_MESSAGE_APPLICATION_DATA, iter_max_read); @@ -161,7 +162,6 @@ static void s_do_read(struct socket_handler *socket_handler) { } total_read += read; - AWS_LOGF_TRACE( AWS_LS_IO_SOCKET_HANDLER, "id=%p: read %llu from socket", @@ -249,7 +249,6 @@ static void s_read_task(struct aws_channel_task *task, void *arg, aws_task_statu task->task_fn = NULL; task->arg = NULL; - AWS_LOGF_TRACE(AWS_LS_IO_SOCKET_HANDLER, " caling s_read_task"); if (status == AWS_TASK_STATUS_RUN_READY) { struct socket_handler *socket_handler = arg; s_do_read(socket_handler); @@ -378,7 +377,6 @@ static void s_gather_statistics(struct aws_channel_handler *handler, struct aws_ static void s_trigger_read(struct aws_channel_handler *handler) { struct socket_handler *socket_handler = (struct socket_handler *)handler->impl; - AWS_LOGF_TRACE(AWS_LS_IO_SOCKET_HANDLER, " caling s_do_read from s_trigger_read"); s_do_read(socket_handler); } @@ -423,6 +421,7 @@ struct aws_channel_handler *aws_socket_handler_new( if (aws_crt_statistics_socket_init(&impl->stats)) { goto cleanup_handler; } + AWS_LOGF_DEBUG( AWS_LS_IO_SOCKET_HANDLER, "id=%p: Socket handler created with max_read_size of %llu", diff --git a/source/tls_channel_handler_shared.c b/source/tls_channel_handler_shared.c index 472af1dce..884b09f6f 100644 --- a/source/tls_channel_handler_shared.c +++ b/source/tls_channel_handler_shared.c @@ -10,6 +10,7 @@ static void s_tls_timeout_task_fn(struct aws_channel_task *channel_task, void *arg, enum aws_task_status status) { (void)channel_task; + if (status != AWS_TASK_STATUS_RUN_READY) { return; } 
diff --git a/source/windows/secure_channel_tls_handler.c b/source/windows/secure_channel_tls_handler.c index 59ba9bca9..0a7b0f896 100644 --- a/source/windows/secure_channel_tls_handler.c +++ b/source/windows/secure_channel_tls_handler.c @@ -576,7 +576,7 @@ static int s_do_server_side_negotiation_step_1(struct aws_channel_handler *handl #endif /* SECBUFFER_APPLICATION_PROTOCOLS*/ sc_handler->ctx_req = ASC_REQ_SEQUENCE_DETECT | ASC_REQ_REPLAY_DETECT | ASC_REQ_CONFIDENTIALITY | - ASC_REQ_ALLOCATE_MEMORY | ASC_REQ_STREAM | ASC_REQ_CONNECTION; + ASC_REQ_ALLOCATE_MEMORY | ASC_REQ_STREAM;// | ASC_REQ_CONNECTION; if (sc_handler->verify_peer) { AWS_LOGF_DEBUG( @@ -853,7 +853,7 @@ static int s_do_client_side_negotiation_step_1(struct aws_channel_handler *handl #endif /* SECBUFFER_APPLICATION_PROTOCOLS*/ sc_handler->ctx_req = ISC_REQ_SEQUENCE_DETECT | ISC_REQ_REPLAY_DETECT | ISC_REQ_CONFIDENTIALITY | - ISC_REQ_ALLOCATE_MEMORY | ISC_REQ_STREAM | ISC_REQ_USE_SUPPLIED_CREDS; + ISC_REQ_ALLOCATE_MEMORY | ISC_REQ_STREAM; // | ISC_REQ_USE_SUPPLIED_CREDS; SecBuffer output_buffer = { .pvBuffer = NULL, @@ -985,7 +985,7 @@ static int s_do_client_side_negotiation_step_2(struct aws_channel_handler *handl 0, &input_buffers_desc, 0, - &sc_handler->sec_handle, + NULL, &output_buffers_desc, &sc_handler->ctx_ret_flags, &sc_handler->sspi_timestamp); @@ -1041,8 +1041,6 @@ static int s_do_client_side_negotiation_step_2(struct aws_channel_handler *handl (void *)handler, input_buffers[1].cbBuffer); sc_handler->read_extra = input_buffers[1].cbBuffer; - if (status == SEC_I_CONTINUE_NEEDED) { - } } } @@ -1090,7 +1088,7 @@ static int s_do_client_side_negotiation_step_2(struct aws_channel_handler *handl #endif AWS_LOGF_DEBUG(AWS_LS_IO_TLS, "id=%p: TLS handshake completed successfully.", (void *)handler); sc_handler->s_connection_state_fn = s_do_application_data_decrypt; - s_on_negotiation_success(handler); + s_on_negotiation_success(handler); } return AWS_OP_SUCCESS; 
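Review bot: The -576 and -853 hunks drop `ASC_REQ_CONNECTION` and `ISC_REQ_USE_SUPPLIED_CREDS` from the context-request flags by leaving them behind as trailing commented-out code (`;// | ASC_REQ_CONNECTION;`); commented-out flags should be deleted and the reason for the change recorded instead. `ISC_REQ_USE_SUPPLIED_CREDS` is the flag that stops Schannel from selecting a client certificate on its own, so its removal deserves an explicit note, e.g. `/* ISC_REQ_USE_SUPPLIED_CREDS not needed: SCH_CRED_NO_DEFAULT_CREDS on the credential already prevents automatic client-cert selection */`, assuming that credential flag is set on every path, which the s_ctx_new change earlier on this page suggests. The -985 hunk passes `NULL` as phNewContext on the continuation call; if that is confirmed to be accepted because `sc_handler->sec_handle` is updated in place, a one-line comment saying so saves the next reader a trip to the SSPI docs.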
@@ -1999,7 +1997,11 @@ static struct aws_channel_handler *s_tls_handler_new_win10_plus( ZeroMemory(&credentials, sizeof(SCH_CREDENTIALS)); - credentials.cTlsParameters = 0; + TLS_PARAMETERS tls_params = {0}; + tls_params.grbitDisabledProtocols = 0; + + credentials.pTlsParameters = &tls_params; + credentials.cTlsParameters = 1; credentials.dwSessionLifespan = 0; /* default 10 hours */ credentials.dwVersion = SCH_CREDENTIALS_VERSION; credentials.dwCredFormat = 0; From bf25cd27aab12a60ac0a6d717ecc83de84ca0169 Mon Sep 17 00:00:00 2001 From: Alfred Gedeon Date: Tue, 21 May 2024 10:06:35 -0700 Subject: [PATCH 24/88] clang format --- source/windows/secure_channel_tls_handler.c | 146 +++++++++----------- 1 file changed, 64 insertions(+), 82 deletions(-) diff --git a/source/windows/secure_channel_tls_handler.c b/source/windows/secure_channel_tls_handler.c index 0a7b0f896..0395c0f85 100644 --- a/source/windows/secure_channel_tls_handler.c +++ b/source/windows/secure_channel_tls_handler.c @@ -25,7 +25,7 @@ #include #include -#include +#include #include #include @@ -142,20 +142,17 @@ bool s_is_windows_equal_or_above_10(void) { osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEX); osvi.dwBuildNumber = 1809; /* Windows 10 */ - dwlConditionMask = VerSetConditionMask(dwlConditionMask, - VER_BUILDNUMBER, op); + dwlConditionMask = VerSetConditionMask(dwlConditionMask, VER_BUILDNUMBER, op); typedef NTSTATUS(WINAPI * pRtlGetVersionInfo)( - //PRTL_OSVERSIONINFOW lpVersionInformation, - OSVERSIONINFOEX *lpVersionInformation, - ULONG TypeMask, - ULONGLONG ConditionMask); + OSVERSIONINFOEX *lpVersionInformation, + ULONG TypeMask, + ULONGLONG ConditionMask); pRtlGetVersionInfo f; f = (pRtlGetVersionInfo)GetProcAddress(GetModuleHandle("ntdll"), "RtlVerifyVersionInfo"); if (f) { - status = f(&osvi, VER_BUILDNUMBER, - dwlConditionMask); + status = f(&osvi, VER_BUILDNUMBER, dwlConditionMask); } else { status = STATUS_DLL_NOT_FOUND; } 
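Review bot: `tls_params.grbitDisabledProtocols = 0` disables nothing, so on the SCH_CREDENTIALS path a configured `minimum_tls_version` is still ignored: getEnabledProtocols folds it into `sc_ctx->schannel_creds.enabledProtocols`, but only the legacy `SCHANNEL_CRED.grbitEnabledProtocols` assignment consumes that value, and a client that asked for a TLS 1.2 floor may still negotiate TLS 1.0 or 1.1 on Windows 10 1809+. `SCH_CREDENTIALS` only carries a disable mask, so the floor has to be expressed as the complement of the enabled set, as sketched below (the same `#if defined(SP_PROT_…)` guards getEnabledProtocols uses apply to the constants). `tls_params` is a stack local whose address is stored in `credentials`; that is fine as long as `AcquireCredentialsHandleA` is called within this same function, which the earlier hunk shows. s_tls_handler_new_win10_plus starts and ends outside the hunk.
```c
    ZeroMemory(&credentials, sizeof(SCH_CREDENTIALS));

    /* SCH_CREDENTIALS has no "enabled protocols" mask, only a disabled one, so
     * express the configured minimum version (already folded into
     * enabledProtocols by getEnabledProtocols) as the set of older protocols
     * to switch off. enabledProtocols == 0 means "system defaults": disable nothing. */
    TLS_PARAMETERS tls_params = {0};
    DWORD enabled = sc_ctx->schannel_creds.enabledProtocols;
    if (enabled != 0) {
        DWORD known = is_client_mode
                          ? (SP_PROT_SSL3_CLIENT | SP_PROT_TLS1_0_CLIENT | SP_PROT_TLS1_1_CLIENT | SP_PROT_TLS1_2_CLIENT)
                          : (SP_PROT_SSL3_SERVER | SP_PROT_TLS1_0_SERVER | SP_PROT_TLS1_1_SERVER | SP_PROT_TLS1_2_SERVER);
        tls_params.grbitDisabledProtocols = known & ~enabled;
    }

    credentials.pTlsParameters = &tls_params;
    credentials.cTlsParameters = 1;
    /* … unchanged: remaining SCH_CREDENTIALS fields and the AcquireCredentialsHandleA call … */
```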
@@ -168,7 +165,6 @@ bool s_is_windows_equal_or_above_10(void) { } } - bool aws_tls_is_alpn_available(void) { /* if you built on an old version of windows, still no support, but if you did, we still want to check the OS version at runtime before agreeing to attempt alpn. */ @@ -853,7 +849,7 @@ static int s_do_client_side_negotiation_step_1(struct aws_channel_handler *handl #endif /* SECBUFFER_APPLICATION_PROTOCOLS*/ sc_handler->ctx_req = ISC_REQ_SEQUENCE_DETECT | ISC_REQ_REPLAY_DETECT | ISC_REQ_CONFIDENTIALITY | - ISC_REQ_ALLOCATE_MEMORY | ISC_REQ_STREAM; // | ISC_REQ_USE_SUPPLIED_CREDS; + ISC_REQ_ALLOCATE_MEMORY | ISC_REQ_STREAM; SecBuffer output_buffer = { .pvBuffer = NULL, @@ -991,7 +987,10 @@ static int s_do_client_side_negotiation_step_2(struct aws_channel_handler *handl &sc_handler->sspi_timestamp); if (status != SEC_E_INCOMPLETE_MESSAGE && status != SEC_I_CONTINUE_NEEDED && status != SEC_E_OK) { AWS_LOGF_ERROR( - AWS_LS_IO_TLS, "id=%p: Error during negotiation. initalizesecuritycontext SECURITY_STATUS is %lu", (void *)handler, (int)status); + AWS_LS_IO_TLS, + "id=%p: Error during negotiation. initalizesecuritycontext SECURITY_STATUS is %lu", + (void *)handler, + (int)status); int aws_error = s_determine_sspi_error(status); aws_raise_error(aws_error); s_invoke_negotiation_error(handler, aws_error); 
@@ -1126,15 +1125,13 @@ static int s_do_application_data_decrypt(struct aws_channel_handler *handler) { SECURITY_STATUS status = DecryptMessage(&sc_handler->sec_handle, &buffer_desc, 0, NULL); - if (status == SEC_E_OK || status == SEC_I_RENEGOTIATE || status == SEC_I_CONTEXT_EXPIRED) - { + if (status == SEC_E_OK || status == SEC_I_RENEGOTIATE || status == SEC_I_CONTEXT_EXPIRED) { error = AWS_OP_SUCCESS; /* if SECBUFFER_DATA is the buffer type of the second buffer, we have decrypted data to process. If SECBUFFER_DATA is the type for the fourth buffer we need to keep track of it so we can shift everything before doing another decrypt operation. We don't care what's in the third buffer for TLS usage.*/ - if (input_buffers[1].BufferType == SECBUFFER_DATA) - { + if (input_buffers[1].BufferType == SECBUFFER_DATA) { size_t decrypted_length = input_buffers[1].cbBuffer; AWS_LOGF_TRACE( AWS_LS_IO_TLS, "id=%p: Decrypted message with length %zu.", (void *)handler, decrypted_length); 
@@ -1144,40 +1141,34 @@ static int s_do_application_data_decrypt(struct aws_channel_handler *handler) { int append_failed = aws_byte_buf_append(&sc_handler->buffered_read_out_data_buf, &to_append); AWS_ASSERT(!append_failed); (void)append_failed; - /* if we have extra we have to move the pointer and do another Decrypt operation. */ } - if (input_buffers[3].BufferType == SECBUFFER_EXTRA && input_buffers[3].cbBuffer > 0) - { - if (input_buffers[3].cbBuffer < read_len) - { - AWS_LOGF_TRACE( - AWS_LS_IO_TLS, - "id=%p: Extra (incomplete) message received with length %zu.", - (void *)handler, - sc_handler->read_extra); - memmove( - sc_handler->buffered_read_in_data_buf.buffer, - (sc_handler->buffered_read_in_data_buf.buffer + read_len) - input_buffers[3].cbBuffer, - input_buffers[3].cbBuffer); - sc_handler->buffered_read_in_data_buf.len = input_buffers[3].cbBuffer; - } - } - else - { - error = AWS_OP_SUCCESS; - /* this means we processed everything in the buffer. */ - sc_handler->buffered_read_in_data_buf.len = 0; - AWS_LOGF_TRACE( - AWS_LS_IO_TLS, - "id=%p: Decrypt ended exactly on the end of the record, resetting buffer.", - (void *)handler); - } + if (input_buffers[3].BufferType == SECBUFFER_EXTRA && input_buffers[3].cbBuffer > 0) { + if (input_buffers[3].cbBuffer < read_len) { + AWS_LOGF_TRACE( + AWS_LS_IO_TLS, + "id=%p: Extra (incomplete) message received with length %zu.", + (void *)handler, + sc_handler->read_extra); + memmove( + sc_handler->buffered_read_in_data_buf.buffer, + (sc_handler->buffered_read_in_data_buf.buffer + read_len) - input_buffers[3].cbBuffer, + input_buffers[3].cbBuffer); + sc_handler->buffered_read_in_data_buf.len = input_buffers[3].cbBuffer; + } + } else { + error = AWS_OP_SUCCESS; + /* this means we processed everything in the buffer. 
*/ + sc_handler->buffered_read_in_data_buf.len = 0; + AWS_LOGF_TRACE( + AWS_LS_IO_TLS, + "id=%p: Decrypt ended exactly on the end of the record, resetting buffer.", + (void *)handler); + } } /* SEC_E_INCOMPLETE_MESSAGE means the message we tried to decrypt isn't a full record and we need to append our next read to it and try again. */ - else if (status == SEC_E_INCOMPLETE_MESSAGE) - { + else if (status == SEC_E_INCOMPLETE_MESSAGE) { sc_handler->estimated_incomplete_size = input_buffers[1].cbBuffer; AWS_LOGF_TRACE( AWS_LS_IO_TLS, @@ -1193,8 +1184,7 @@ static int s_do_application_data_decrypt(struct aws_channel_handler *handler) { } /* SEC_I_CONTEXT_EXPIRED means that the message sender has shut down the connection. One such case where this can happen is an unaccepted certificate. */ - else if (status == SEC_I_CONTEXT_EXPIRED) - { + else if (status == SEC_I_CONTEXT_EXPIRED) { AWS_LOGF_TRACE( AWS_LS_IO_TLS, "id=%p: Alert received. Message sender has shut down the connection. SECURITY_STATUS is %d.", @@ -1212,19 +1202,15 @@ static int s_do_application_data_decrypt(struct aws_channel_handler *handler) { (void *)handler, (int)status); /* if we are the client */ - if (input_buffers[3].BufferType == SECBUFFER_EXTRA && input_buffers[3].cbBuffer > 0) - { - if (input_buffers[3].cbBuffer < read_len) - { - AWS_LOGF_TRACE( - AWS_LS_IO_TLS, - "id=%p: Extra (incomplete) message received with length %zu.", - (void *)handler, - sc_handler->read_extra); - } else { - + if (input_buffers[3].BufferType == SECBUFFER_EXTRA && input_buffers[3].cbBuffer > 0) { + if (input_buffers[3].cbBuffer < read_len) { + AWS_LOGF_TRACE( + AWS_LS_IO_TLS, + "id=%p: Extra (incomplete) message received with length %zu.", + (void *)handler, + sc_handler->read_extra); } - } + } SecBuffer input_buffers2[] = { [0] = { 
@@ -1279,18 +1265,18 @@ static int s_do_application_data_decrypt(struct aws_channel_handler *handler) { AWS_LOGF_ERROR( AWS_LS_IO_TLS, "id=%p: Error renegotiation happened. status %lu", (void*)handler, status); if (status == SEC_E_OK) { - if (input_buffers2[1].BufferType == SECBUFFER_EXTRA && input_buffers2[1].cbBuffer > 0 && sc_handler->buffered_read_in_data_buf.len > input_buffers2[1].cbBuffer) { - memmove( - sc_handler->buffered_read_in_data_buf.buffer, - (sc_handler->buffered_read_in_data_buf.buffer + sc_handler->buffered_read_in_data_buf.len) - input_buffers2[1].cbBuffer, - input_buffers2[1].cbBuffer); - sc_handler->buffered_read_in_data_buf.len = input_buffers2[1].cbBuffer; - sc_handler->read_extra = input_buffers2[1].cbBuffer; - continue; - } - break; + if (input_buffers2[1].BufferType == SECBUFFER_EXTRA && input_buffers2[1].cbBuffer > 0 && sc_handler->buffered_read_in_data_buf.len > input_buffers2[1].cbBuffer) { + memmove( + sc_handler->buffered_read_in_data_buf.buffer, + (sc_handler->buffered_read_in_data_buf.buffer + sc_handler->buffered_read_in_data_buf.len) - input_buffers2[1].cbBuffer, + input_buffers2[1].cbBuffer); + sc_handler->buffered_read_in_data_buf.len = input_buffers2[1].cbBuffer; + sc_handler->read_extra = input_buffers2[1].cbBuffer; + continue; + } + break; } else { - break; + break; } } else { AWS_LOGF_ERROR( @@ -1668,7 +1654,6 @@ static int s_handler_shutdown( int error_code, bool abort_immediately) { struct secure_channel_handler *sc_handler = handler->impl; - AWS_LOGF_DEBUG(AWS_LS_IO_TLS, "shutting down schannel server"); if (dir == AWS_CHANNEL_DIR_WRITE) { if (!abort_immediately && error_code != AWS_IO_SOCKET_CLOSED) { @@ -1749,7 +1734,7 @@ static int s_handler_shutdown( } } - AWS_LOGF_DEBUG(AWS_LS_IO_TLS, "calling handler shutdown complete"); + AWS_LOGF_DEBUG(AWS_LS_IO_TLS, "calling handler shutdown complete"); return aws_channel_slot_on_handler_shutdown_complete(slot, dir, error_code, abort_immediately); } 
@@ -1932,7 +1917,7 @@ static struct aws_channel_handler *s_tls_handler_new_common( return NULL; } -static DWORD getEnabledProtocols( const struct aws_tls_ctx_options *options, bool is_client_mode) { +static DWORD getEnabledProtocols(const struct aws_tls_ctx_options *options, bool is_client_mode) { DWORD grbitEnabledProtocols = 0; if (is_client_mode) { switch (options->minimum_tls_version) { @@ -1947,7 +1932,7 @@ static DWORD getEnabledProtocols( const struct aws_tls_ctx_options *options, boo grbitEnabledProtocols |= SP_PROT_TLS1_2_CLIENT; #endif case AWS_IO_TLSv1_3: - #if defined(SP_PROT_TLS1_3_CLIENT) +#if defined(SP_PROT_TLS1_3_CLIENT) grbitEnabledProtocols |= SP_PROT_TLS1_3_CLIENT; #endif break; @@ -1992,8 +1977,8 @@ static struct aws_channel_handler *s_tls_handler_new_win10_plus( return NULL; } struct secure_channel_ctx *sc_ctx = options->ctx->impl; - - SCH_CREDENTIALS credentials = { 0 }; + + SCH_CREDENTIALS credentials = {0}; ZeroMemory(&credentials, sizeof(SCH_CREDENTIALS)); @@ -2043,7 +2028,6 @@ static struct aws_channel_handler *s_tls_handler_new_win10_plus( return NULL; } - static struct aws_channel_handler *s_tls_handler_new( struct aws_allocator *alloc, struct aws_tls_connection_options *options, @@ -2100,7 +2084,6 @@ static struct aws_channel_handler *s_tls_handler_new( return NULL; } - struct aws_channel_handler *aws_tls_client_handler_new( struct aws_allocator *allocator, struct aws_tls_connection_options *options, @@ -2201,7 +2184,7 @@ struct aws_tls_ctx *s_ctx_new( secure_channel_ctx->verify_peer = options->verify_peer; secure_channel_ctx->should_free_pcerts = true; - secure_channel_ctx->schannel_creds.enabledProtocols = getEnabledProtocols( options, is_client_mode); + secure_channel_ctx->schannel_creds.enabledProtocols = getEnabledProtocols(options, is_client_mode); if (options->verify_peer && aws_tls_options_buf_is_set(&options->ca_file)) { AWS_LOGF_DEBUG(AWS_LS_IO_TLS, "static: loading custom CA file."); 
@@ -2224,9 +2207,8 @@ struct aws_tls_ctx *s_ctx_new( "static: x.509 validation has been disabled. " "If this is not running in a test environment, this is likely a security vulnerability."); dwFlags &= ~(SCH_CRED_AUTO_CRED_VALIDATION); - dwFlags |= SCH_CRED_IGNORE_NO_REVOCATION_CHECK | - SCH_CRED_IGNORE_REVOCATION_OFFLINE | SCH_CRED_NO_SERVERNAME_CHECK | - SCH_CRED_MANUAL_CRED_VALIDATION; + dwFlags |= SCH_CRED_IGNORE_NO_REVOCATION_CHECK | SCH_CRED_IGNORE_REVOCATION_OFFLINE | + SCH_CRED_NO_SERVERNAME_CHECK | SCH_CRED_MANUAL_CRED_VALIDATION; } else if (is_client_mode) { dwFlags |= SCH_CRED_REVOCATION_CHECK_CHAIN | SCH_CRED_IGNORE_REVOCATION_OFFLINE; } From f5f8c3b617a1614e4b346e12da84aef0d308466f Mon Sep 17 00:00:00 2001 From: Alfred Gedeon Date: Tue, 21 May 2024 10:48:35 -0700 Subject: [PATCH 25/88] clang format --- source/windows/secure_channel_tls_handler.c | 77 ++++++++++----------- 1 file changed, 37 insertions(+), 40 deletions(-) diff --git a/source/windows/secure_channel_tls_handler.c b/source/windows/secure_channel_tls_handler.c index 0395c0f85..1a1d0b643 100644 --- a/source/windows/secure_channel_tls_handler.c +++ b/source/windows/secure_channel_tls_handler.c @@ -144,9 +144,7 @@ bool s_is_windows_equal_or_above_10(void) { dwlConditionMask = VerSetConditionMask(dwlConditionMask, VER_BUILDNUMBER, op); typedef NTSTATUS(WINAPI * pRtlGetVersionInfo)( - OSVERSIONINFOEX *lpVersionInformation, - ULONG TypeMask, - ULONGLONG ConditionMask); + OSVERSIONINFOEX *lpVersionInformation, ULONG TypeMask, ULONGLONG ConditionMask); pRtlGetVersionInfo f; f = (pRtlGetVersionInfo)GetProcAddress(GetModuleHandle("ntdll"), "RtlVerifyVersionInfo"); 
@@ -572,7 +570,7 @@ static int s_do_server_side_negotiation_step_1(struct aws_channel_handler *handl #endif /* SECBUFFER_APPLICATION_PROTOCOLS*/ sc_handler->ctx_req = ASC_REQ_SEQUENCE_DETECT | ASC_REQ_REPLAY_DETECT | ASC_REQ_CONFIDENTIALITY | - ASC_REQ_ALLOCATE_MEMORY | ASC_REQ_STREAM;// | ASC_REQ_CONNECTION; + ASC_REQ_ALLOCATE_MEMORY | ASC_REQ_STREAM; // | ASC_REQ_CONNECTION; if (sc_handler->verify_peer) { AWS_LOGF_DEBUG( @@ -1125,7 +1123,7 @@ static int s_do_application_data_decrypt(struct aws_channel_handler *handler) { SECURITY_STATUS status = DecryptMessage(&sc_handler->sec_handle, &buffer_desc, 0, NULL); - if (status == SEC_E_OK || status == SEC_I_RENEGOTIATE || status == SEC_I_CONTEXT_EXPIRED) { + if (status == SEC_E_OK || status == SEC_I_RENEGOTIATE || status == SEC_I_CONTEXT_EXPIRED) { error = AWS_OP_SUCCESS; /* if SECBUFFER_DATA is the buffer type of the second buffer, we have decrypted data to process. If SECBUFFER_DATA is the type for the fourth buffer we need to keep track of it so we can shift 
@@ -1146,24 +1144,24 @@ static int s_do_application_data_decrypt(struct aws_channel_handler *handler) { if (input_buffers[3].BufferType == SECBUFFER_EXTRA && input_buffers[3].cbBuffer > 0) { if (input_buffers[3].cbBuffer < read_len) { AWS_LOGF_TRACE( - AWS_LS_IO_TLS, - "id=%p: Extra (incomplete) message received with length %zu.", - (void *)handler, - sc_handler->read_extra); + AWS_LS_IO_TLS, + "id=%p: Extra (incomplete) message received with length %zu.", + (void *)handler, + sc_handler->read_extra); memmove( - sc_handler->buffered_read_in_data_buf.buffer, - (sc_handler->buffered_read_in_data_buf.buffer + read_len) - input_buffers[3].cbBuffer, - input_buffers[3].cbBuffer); + sc_handler->buffered_read_in_data_buf.buffer, + (sc_handler->buffered_read_in_data_buf.buffer + read_len) - input_buffers[3].cbBuffer, + input_buffers[3].cbBuffer); sc_handler->buffered_read_in_data_buf.len = input_buffers[3].cbBuffer; } } else { - error = AWS_OP_SUCCESS; - /* this means we processed everything in the buffer. */ - sc_handler->buffered_read_in_data_buf.len = 0; - AWS_LOGF_TRACE( - AWS_LS_IO_TLS, - "id=%p: Decrypt ended exactly on the end of the record, resetting buffer.", - (void *)handler); + error = AWS_OP_SUCCESS; + /* this means we processed everything in the buffer. */ + sc_handler->buffered_read_in_data_buf.len = 0; + AWS_LOGF_TRACE( + AWS_LS_IO_TLS, + "id=%p: Decrypt ended exactly on the end of the record, resetting buffer.", + (void *)handler); } } /* SEC_E_INCOMPLETE_MESSAGE means the message we tried to decrypt isn't a full record and we need to 
@@ -1197,24 +1195,21 @@ static int s_do_application_data_decrypt(struct aws_channel_handler *handler) { } if (status == SEC_I_RENEGOTIATE) { AWS_LOGF_TRACE( - AWS_LS_IO_TLS, - "id=%p: Renegotiation received. SECURITY_STATUS is %d.", - (void *)handler, - (int)status); + AWS_LS_IO_TLS, "id=%p: Renegotiation received. SECURITY_STATUS is %d.", (void *)handler, (int)status); /* if we are the client */ if (input_buffers[3].BufferType == SECBUFFER_EXTRA && input_buffers[3].cbBuffer > 0) { if (input_buffers[3].cbBuffer < read_len) { AWS_LOGF_TRACE( - AWS_LS_IO_TLS, - "id=%p: Extra (incomplete) message received with length %zu.", - (void *)handler, - sc_handler->read_extra); + AWS_LS_IO_TLS, + "id=%p: Extra (incomplete) message received with length %zu.", + (void *)handler, + sc_handler->read_extra); } } SecBuffer input_buffers2[] = { [0] = { - .pvBuffer = sc_handler->buffered_read_in_data_buf.buffer, + .pvBuffer = sc_handler->buffered_read_in_data_buf.buffer, .cbBuffer = (unsigned long)sc_handler->buffered_read_in_data_buf.len, .BufferType = SECBUFFER_TOKEN, }, @@ -1251,7 +1246,7 @@ static int s_do_application_data_decrypt(struct aws_channel_handler *handler) { status = InitializeSecurityContextA( &sc_handler->creds, &sc_handler->sec_handle, - (SEC_CHAR*)server_name_cstr, + (SEC_CHAR *)server_name_cstr, sc_handler->ctx_req, 0, 0, 
@@ -1262,17 +1257,16 @@ static int s_do_application_data_decrypt(struct aws_channel_handler *handler) { &sc_handler->ctx_ret_flags, NULL); error = status; - AWS_LOGF_ERROR( - AWS_LS_IO_TLS, "id=%p: Error renegotiation happened. status %lu", (void*)handler, status); + AWS_LOGF_ERROR(AWS_LS_IO_TLS, "id=%p: Error renegotiation happened. status %lu", (void*)handler, status); if (status == SEC_E_OK) { if (input_buffers2[1].BufferType == SECBUFFER_EXTRA && input_buffers2[1].cbBuffer > 0 && sc_handler->buffered_read_in_data_buf.len > input_buffers2[1].cbBuffer) { - memmove( - sc_handler->buffered_read_in_data_buf.buffer, - (sc_handler->buffered_read_in_data_buf.buffer + sc_handler->buffered_read_in_data_buf.len) - input_buffers2[1].cbBuffer, - input_buffers2[1].cbBuffer); - sc_handler->buffered_read_in_data_buf.len = input_buffers2[1].cbBuffer; - sc_handler->read_extra = input_buffers2[1].cbBuffer; - continue; + memmove( + sc_handler->buffered_read_in_data_buf.buffer, + (sc_handler->buffered_read_in_data_buf.buffer + sc_handler->buffered_read_in_data_buf.len) - input_buffers2[1].cbBuffer, + input_buffers2[1].cbBuffer); + sc_handler->buffered_read_in_data_buf.len = input_buffers2[1].cbBuffer; + sc_handler->read_extra = input_buffers2[1].cbBuffer; + continue; } break; } else { @@ -1280,7 +1274,10 @@ static int s_do_application_data_decrypt(struct aws_channel_handler *handler) { } } else { AWS_LOGF_ERROR( - AWS_LS_IO_TLS, "id=%p: Error decrypting message. SECURITY_STATUS is %lu.", (void *)handler, (int)status); + AWS_LS_IO_TLS, + "id=%p: Error decrypting message. SECURITY_STATUS is %lu.", + (void *)handler, + (int)status); aws_raise_error(AWS_IO_TLS_ERROR_READ_FAILURE); } } while (sc_handler->read_extra); 
@@ -2042,7 +2039,7 @@ static struct aws_channel_handler *s_tls_handler_new( struct secure_channel_ctx *sc_ctx = options->ctx->impl; - SCHANNEL_CRED credentials = { 0 }; + SCHANNEL_CRED credentials = {0}; credentials.dwVersion = SCHANNEL_CRED_VERSION; credentials.dwCredFormat = 0; credentials.dwFlags = sc_ctx->schannel_creds.dwFlags; From 92c9936d752d296465c63936e3e209a1026b5812 Mon Sep 17 00:00:00 2001 From: Alfred Gedeon Date: Tue, 21 May 2024 11:21:43 -0700 Subject: [PATCH 26/88] Style: clang-format --- source/windows/secure_channel_tls_handler.c | 55 +++++++++++---------- 1 file changed, 29 insertions(+), 26 deletions(-) diff --git a/source/windows/secure_channel_tls_handler.c b/source/windows/secure_channel_tls_handler.c index 1a1d0b643..1c7c484b6 100644 --- a/source/windows/secure_channel_tls_handler.c +++ b/source/windows/secure_channel_tls_handler.c @@ -144,7 +144,7 @@ bool s_is_windows_equal_or_above_10(void) { dwlConditionMask = VerSetConditionMask(dwlConditionMask, VER_BUILDNUMBER, op); typedef NTSTATUS(WINAPI * pRtlGetVersionInfo)( - OSVERSIONINFOEX *lpVersionInformation, ULONG TypeMask, ULONGLONG ConditionMask); + OSVERSIONINFOEX * lpVersionInformation, ULONG TypeMask, ULONGLONG ConditionMask); pRtlGetVersionInfo f; f = (pRtlGetVersionInfo)GetProcAddress(GetModuleHandle("ntdll"), "RtlVerifyVersionInfo"); 
@@ -1142,18 +1142,18 @@ static int s_do_application_data_decrypt(struct aws_channel_handler *handler) { /* if we have extra we have to move the pointer and do another Decrypt operation. */ } if (input_buffers[3].BufferType == SECBUFFER_EXTRA && input_buffers[3].cbBuffer > 0) { - if (input_buffers[3].cbBuffer < read_len) { - AWS_LOGF_TRACE( - AWS_LS_IO_TLS, - "id=%p: Extra (incomplete) message received with length %zu.", - (void *)handler, - sc_handler->read_extra); - memmove( - sc_handler->buffered_read_in_data_buf.buffer, - (sc_handler->buffered_read_in_data_buf.buffer + read_len) - input_buffers[3].cbBuffer, - input_buffers[3].cbBuffer); - sc_handler->buffered_read_in_data_buf.len = input_buffers[3].cbBuffer; - } + if (input_buffers[3].cbBuffer < read_len) { + AWS_LOGF_TRACE( + AWS_LS_IO_TLS, + "id=%p: Extra (incomplete) message received with length %zu.", + (void *)handler, + sc_handler->read_extra); + memmove( + sc_handler->buffered_read_in_data_buf.buffer, + (sc_handler->buffered_read_in_data_buf.buffer + read_len) - input_buffers[3].cbBuffer, + input_buffers[3].cbBuffer); + sc_handler->buffered_read_in_data_buf.len = input_buffers[3].cbBuffer; + } } else { error = AWS_OP_SUCCESS; /* this means we processed everything in the buffer. */ @@ -1208,17 +1208,18 @@ static int s_do_application_data_decrypt(struct aws_channel_handler *handler) { } SecBuffer input_buffers2[] = { - [0] = { - .pvBuffer = sc_handler->buffered_read_in_data_buf.buffer, - .cbBuffer = (unsigned long)sc_handler->buffered_read_in_data_buf.len, - .BufferType = SECBUFFER_TOKEN, - }, + [0] = + { + .pvBuffer = sc_handler->buffered_read_in_data_buf.buffer, + .cbBuffer = (unsigned long)sc_handler->buffered_read_in_data_buf.len, + .BufferType = SECBUFFER_TOKEN, + }, [1] = - { - .pvBuffer = NULL, - .cbBuffer = 0, - .BufferType = SECBUFFER_EMPTY, - }, + { + .pvBuffer = NULL, + .cbBuffer = 0, + .BufferType = SECBUFFER_EMPTY, + }, }; SecBufferDesc input_bufs_desc = { 
@@ -1257,12 +1258,14 @@ static int s_do_application_data_decrypt(struct aws_channel_handler *handler) { &sc_handler->ctx_ret_flags, NULL); error = status; - AWS_LOGF_ERROR(AWS_LS_IO_TLS, "id=%p: Error renegotiation happened. status %lu", (void*)handler, status); + AWS_LOGF_ERROR(AWS_LS_IO_TLS, "id=%p: Error renegotiation happened. status %lu", (void *)handler, status); if (status == SEC_E_OK) { - if (input_buffers2[1].BufferType == SECBUFFER_EXTRA && input_buffers2[1].cbBuffer > 0 && sc_handler->buffered_read_in_data_buf.len > input_buffers2[1].cbBuffer) { + if (input_buffers2[1].BufferType == SECBUFFER_EXTRA && input_buffers2[1].cbBuffer > 0 && + sc_handler->buffered_read_in_data_buf.len > input_buffers2[1].cbBuffer) { memmove( sc_handler->buffered_read_in_data_buf.buffer, - (sc_handler->buffered_read_in_data_buf.buffer + sc_handler->buffered_read_in_data_buf.len) - input_buffers2[1].cbBuffer, + (sc_handler->buffered_read_in_data_buf.buffer + sc_handler->buffered_read_in_data_buf.len) - + input_buffers2[1].cbBuffer, input_buffers2[1].cbBuffer); sc_handler->buffered_read_in_data_buf.len = input_buffers2[1].cbBuffer; sc_handler->read_extra = input_buffers2[1].cbBuffer; From 4fa64c28d736041e9c0321790430270dfc58b1df Mon Sep 17 00:00:00 2001 From: alfred2g Date: Tue, 21 May 2024 19:31:21 -0700 Subject: [PATCH 27/88] enable protocol fields --- source/windows/secure_channel_tls_handler.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/source/windows/secure_channel_tls_handler.c b/source/windows/secure_channel_tls_handler.c index 1c7c484b6..93650812b 100644 --- a/source/windows/secure_channel_tls_handler.c +++ b/source/windows/secure_channel_tls_handler.c 
@@ -1983,8 +1983,8 @@ static struct aws_channel_handler *s_tls_handler_new_win10_plus( ZeroMemory(&credentials, sizeof(SCH_CREDENTIALS)); TLS_PARAMETERS tls_params = {0}; - tls_params.grbitDisabledProtocols = 0; - + //tls_params.grbitDisabledProtocols = 0; + tls_params.grbitDisabledProtocols = ~(sc_ctx->schannel_creds.enabledProtocols | SP_PROT_TLS1_3_CLIENT); credentials.pTlsParameters = &tls_params; credentials.cTlsParameters = 1; credentials.dwSessionLifespan = 0; /* default 10 hours */ From 6c8743fdf20f392ef74afdeb654936c9d5cc7698 Mon Sep 17 00:00:00 2001 From: Alfred Gedeon Date: Tue, 21 May 2024 19:40:09 -0700 Subject: [PATCH 28/88] clang format --- source/windows/secure_channel_tls_handler.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/source/windows/secure_channel_tls_handler.c b/source/windows/secure_channel_tls_handler.c index 93650812b..8a35ddb3e 100644 --- a/source/windows/secure_channel_tls_handler.c +++ b/source/windows/secure_channel_tls_handler.c @@ -1983,8 +1983,7 @@ static struct aws_channel_handler *s_tls_handler_new_win10_plus( ZeroMemory(&credentials, sizeof(SCH_CREDENTIALS)); TLS_PARAMETERS tls_params = {0}; - //tls_params.grbitDisabledProtocols = 0; - tls_params.grbitDisabledProtocols = ~(sc_ctx->schannel_creds.enabledProtocols | SP_PROT_TLS1_3_CLIENT); + tls_params.grbitDisabledProtocols = ~(sc_ctx->schannel_creds.enabledProtocols | SP_PROT_TLS1_3_CLIENT); credentials.pTlsParameters = &tls_params; credentials.cTlsParameters = 1; credentials.dwSessionLifespan = 0; /* default 10 hours */ From 7469078a71786fe7da13e28a934bec39ea817825 Mon Sep 17 00:00:00 2001 From: alfred2g Date: Tue, 21 May 2024 20:01:23 -0700 Subject: [PATCH 29/88] enable tls1.3 --- source/windows/secure_channel_tls_handler.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/source/windows/secure_channel_tls_handler.c b/source/windows/secure_channel_tls_handler.c index 8a35ddb3e..33679390d 100644 
--- a/source/windows/secure_channel_tls_handler.c +++ b/source/windows/secure_channel_tls_handler.c @@ -1928,13 +1928,13 @@ static DWORD getEnabledProtocols(const struct aws_tls_ctx_options *options, bool case AWS_IO_TLSv1_1: grbitEnabledProtocols |= SP_PROT_TLS1_1_CLIENT; case AWS_IO_TLSv1_2: -#if defined(SP_PROT_TLS1_2_CLIENT) +// #if defined(SP_PROT_TLS1_2_CLIENT) grbitEnabledProtocols |= SP_PROT_TLS1_2_CLIENT; -#endif +// #endif case AWS_IO_TLSv1_3: -#if defined(SP_PROT_TLS1_3_CLIENT) +// #if defined(SP_PROT_TLS1_3_CLIENT) grbitEnabledProtocols |= SP_PROT_TLS1_3_CLIENT; -#endif +// #endif break; case AWS_IO_TLS_VER_SYS_DEFAULTS: grbitEnabledProtocols = 0; @@ -1983,7 +1983,8 @@ static struct aws_channel_handler *s_tls_handler_new_win10_plus( ZeroMemory(&credentials, sizeof(SCH_CREDENTIALS)); TLS_PARAMETERS tls_params = {0}; - tls_params.grbitDisabledProtocols = ~(sc_ctx->schannel_creds.enabledProtocols | SP_PROT_TLS1_3_CLIENT); + // tls_params.grbitDisabledProtocols = 0; + tls_params.grbitDisabledProtocols = ~(sc_ctx->schannel_creds.enabledProtocols); credentials.pTlsParameters = &tls_params; credentials.cTlsParameters = 1; credentials.dwSessionLifespan = 0; /* default 10 hours */ From 228d45bf06362a58ddcc18e10666877fb6932795 Mon Sep 17 00:00:00 2001 From: Alfred Gedeon Date: Tue, 21 May 2024 20:48:03 -0700 Subject: [PATCH 30/88] Fix enabled protocols --- source/windows/secure_channel_tls_handler.c | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/source/windows/secure_channel_tls_handler.c b/source/windows/secure_channel_tls_handler.c index 33679390d..349aebc75 100644 --- a/source/windows/secure_channel_tls_handler.c +++ b/source/windows/secure_channel_tls_handler.c 
@@ -1928,13 +1928,13 @@ static DWORD getEnabledProtocols(const struct aws_tls_ctx_options *options, bool case AWS_IO_TLSv1_1: grbitEnabledProtocols |= SP_PROT_TLS1_1_CLIENT; case AWS_IO_TLSv1_2: -// #if defined(SP_PROT_TLS1_2_CLIENT) +#if defined(SP_PROT_TLS1_2_CLIENT) grbitEnabledProtocols |= SP_PROT_TLS1_2_CLIENT; -// #endif +#endif case AWS_IO_TLSv1_3: -// #if defined(SP_PROT_TLS1_3_CLIENT) +#if defined(SP_PROT_TLS1_3_CLIENT) grbitEnabledProtocols |= SP_PROT_TLS1_3_CLIENT; -// #endif +#endif break; case AWS_IO_TLS_VER_SYS_DEFAULTS: grbitEnabledProtocols = 0; @@ -1983,8 +1983,11 @@ static struct aws_channel_handler *s_tls_handler_new_win10_plus( ZeroMemory(&credentials, sizeof(SCH_CREDENTIALS)); TLS_PARAMETERS tls_params = {0}; - // tls_params.grbitDisabledProtocols = 0; - tls_params.grbitDisabledProtocols = ~(sc_ctx->schannel_creds.enabledProtocols); + if (sc_ctx->schannel_creds.enabledProtocols == 0) { + tls_params.grbitDisabledProtocols = 0; + } else { + tls_params.grbitDisabledProtocols = ~(sc_ctx->schannel_creds.enabledProtocols); + } credentials.pTlsParameters = &tls_params; credentials.cTlsParameters = 1; credentials.dwSessionLifespan = 0; /* default 10 hours */ From 38e9e106dd8e21bde7f9b0a73a48e4d5174c4d46 Mon Sep 17 00:00:00 2001 From: Alfred Gedeon Date: Wed, 22 May 2024 11:37:37 -0700 Subject: [PATCH 31/88] Remove some logs --- source/channel.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/source/channel.c b/source/channel.c index 48f547139..36a3975b2 100644 --- a/source/channel.c +++ b/source/channel.c @@ -942,7 +942,6 @@ static void s_run_shutdown_write_direction(struct aws_task *task, void *arg, enu task->fn = NULL; task->arg = NULL; struct aws_channel_slot *slot = shutdown_notify->slot; - AWS_LOGF_DEBUG(AWS_LS_IO_CHANNEL, "s_run_shutdown_write_direction"); aws_channel_handler_shutdown( slot->handler, slot, AWS_CHANNEL_DIR_WRITE, shutdown_notify->error_code, shutdown_notify->shutdown_immediately); } 
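Review bot: The `sc_ctx->schannel_creds.enabledProtocols == 0` branch in s_tls_handler_new_win10_plus (second hunk) conflates two cases: getEnabledProtocols returns 0 for AWS_IO_TLS_VER_SYS_DEFAULTS, but (first hunk) it also yields 0 when the minimum is AWS_IO_TLSv1_3 and the SDK does not define SP_PROT_TLS1_3_CLIENT, because the restored `#if defined` guard leaves no bit set. In that second case the caller's requested minimum is silently replaced by system defaults (`tls_params.grbitDisabledProtocols = 0`), which may admit older protocol versions than were asked for. Consider making getEnabledProtocols report an unsatisfiable minimum (log and fail) instead of returning 0, or add an `#else` on the AWS_IO_TLSv1_3 case that logs an error. The case-to-case fallthrough in that switch is intentional but unmarked; a `/* fallthrough */` on each falling case would help readers and silence -Wimplicit-fallthrough. Both functions extend outside the hunks.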
@@ -966,7 +965,6 @@ int aws_channel_slot_on_handler_shutdown_complete( if (dir == AWS_CHANNEL_DIR_READ) { if (slot->adj_right && slot->adj_right->handler) { - AWS_LOGF_DEBUG(AWS_LS_IO_CHANNEL, "handler shutdown in dir completed. error_code %d", err_code); return aws_channel_handler_shutdown( slot->adj_right->handler, slot->adj_right, dir, err_code, free_scarce_resources_immediately); } @@ -984,7 +982,6 @@ int aws_channel_slot_on_handler_shutdown_complete( } if (slot->adj_left && slot->adj_left->handler) { - AWS_LOGF_DEBUG(AWS_LS_IO_CHANNEL, "handler shutdown2 in dir completed. error_code %d", err_code); return aws_channel_handler_shutdown( slot->adj_left->handler, slot->adj_left, dir, err_code, free_scarce_resources_immediately); } From 9841bd3b35fa39eba2793e40ca7ebbd64a3829c0 Mon Sep 17 00:00:00 2001 From: Alfred Gedeon Date: Thu, 23 May 2024 20:26:09 -0700 Subject: [PATCH 32/88] Fix review comments --- source/windows/secure_channel_tls_handler.c | 33 +++++++++++++-------- 1 file changed, 21 insertions(+), 12 deletions(-) diff --git a/source/windows/secure_channel_tls_handler.c b/source/windows/secure_channel_tls_handler.c index 349aebc75..be6d4c90d 100644 --- a/source/windows/secure_channel_tls_handler.c +++ b/source/windows/secure_channel_tls_handler.c @@ -18,6 +18,7 @@ #include #include +/* To use the SCH_CREDENTIALS structure, define SCHANNEL_USE_BLACKLISTS */ #define SCHANNEL_USE_BLACKLISTS #include @@ -131,7 +132,7 @@ static size_t s_message_overhead(struct aws_channel_handler *handler) { return sc_handler->stream_sizes.cbTrailer + sc_handler->stream_sizes.cbHeader; } -bool s_is_windows_equal_or_above_10(void) { +static bool s_is_windows_equal_or_above_10(void) { ULONGLONG dwlConditionMask = 0; BYTE op = VER_GREATER_EQUAL; OSVERSIONINFOEX osvi; 
@@ -155,10 +156,12 @@ bool s_is_windows_equal_or_above_10(void) { status = STATUS_DLL_NOT_FOUND; } if (status == STATUS_SUCCESS) { - AWS_LOGF_INFO(AWS_LS_IO_TLS, "Checking Windows Version: running windows 10 build 1809 or later"); + AWS_LOGF_DEBUG(AWS_LS_IO_TLS, "Checking Windows Version: running windows 10 build 1809 or later"); return true; } else { - AWS_LOGF_INFO(AWS_LS_IO_TLS, "Checking Windows Version: running windows 10 build 1808 or earlier"); + AWS_LOGF_ERROR( + AWS_LS_IO_TLS, + "Could not load ntdll: Falling back to windows 10 build 1088 or earlier schannel version"); return false; } } @@ -570,7 +573,7 @@ static int s_do_server_side_negotiation_step_1(struct aws_channel_handler *handl #endif /* SECBUFFER_APPLICATION_PROTOCOLS*/ sc_handler->ctx_req = ASC_REQ_SEQUENCE_DETECT | ASC_REQ_REPLAY_DETECT | ASC_REQ_CONFIDENTIALITY | - ASC_REQ_ALLOCATE_MEMORY | ASC_REQ_STREAM; // | ASC_REQ_CONNECTION; + ASC_REQ_ALLOCATE_MEMORY | ASC_REQ_STREAM; if (sc_handler->verify_peer) { AWS_LOGF_DEBUG( @@ -986,7 +989,7 @@ static int s_do_client_side_negotiation_step_2(struct aws_channel_handler *handl if (status != SEC_E_INCOMPLETE_MESSAGE && status != SEC_I_CONTINUE_NEEDED && status != SEC_E_OK) { AWS_LOGF_ERROR( AWS_LS_IO_TLS, - "id=%p: Error during negotiation. initalizesecuritycontext SECURITY_STATUS is %lu", + "id=%p: Error during negotiation. initalizesecuritycontext SECURITY_STATUS is %d", (void *)handler, (int)status); int aws_error = s_determine_sspi_error(status); 
@@ -1123,7 +1126,7 @@ static int s_do_application_data_decrypt(struct aws_channel_handler *handler) { SECURITY_STATUS status = DecryptMessage(&sc_handler->sec_handle, &buffer_desc, 0, NULL); - if (status == SEC_E_OK || status == SEC_I_RENEGOTIATE || status == SEC_I_CONTEXT_EXPIRED) { + if (status == SEC_E_OK || status == SEC_I_RENEGOTIATE) { error = AWS_OP_SUCCESS; /* if SECBUFFER_DATA is the buffer type of the second buffer, we have decrypted data to process. If SECBUFFER_DATA is the type for the fourth buffer we need to keep track of it so we can shift @@ -1193,10 +1196,11 @@ static int s_do_application_data_decrypt(struct aws_channel_handler *handler) { aws_channel_shutdown(slot->channel, AWS_OP_SUCCESS); error = AWS_OP_SUCCESS; } + /* With TLS1.3 on SChannel a call to DecryptMessage could return SEC_I_RENEGOTIATE, at this point a client must + * call again InitializeSecurityContext with the data received from DecryptMessage until SEC_E_OK is received*/ if (status == SEC_I_RENEGOTIATE) { AWS_LOGF_TRACE( AWS_LS_IO_TLS, "id=%p: Renegotiation received. SECURITY_STATUS is %d.", (void *)handler, (int)status); - /* if we are the client */ if (input_buffers[3].BufferType == SECBUFFER_EXTRA && input_buffers[3].cbBuffer > 0) { if (input_buffers[3].cbBuffer < read_len) { AWS_LOGF_TRACE( @@ -1257,9 +1261,8 @@ static int s_do_application_data_decrypt(struct aws_channel_handler *handler) { &output_buffers_desc, &sc_handler->ctx_ret_flags, NULL); - error = status; - AWS_LOGF_ERROR(AWS_LS_IO_TLS, "id=%p: Error renegotiation happened. status %lu", (void *)handler, status); if (status == SEC_E_OK) { + error = AWS_OP_SUCCESS; if (input_buffers2[1].BufferType == SECBUFFER_EXTRA && input_buffers2[1].cbBuffer > 0 && sc_handler->buffered_read_in_data_buf.len > input_buffers2[1].cbBuffer) { memmove( 
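Review bot: The new comment above `if (status == SEC_I_RENEGOTIATE)` (the -1193 hunk) says the client must call InitializeSecurityContext again "until SEC_E_OK is received", but the code in the -1257 hunk makes a single call and, together with the -1273 hunk, treats every status other than SEC_E_OK, including SEC_I_CONTINUE_NEEDED, as a failure; either the comment should state that a single call is expected here, or the code needs the loop the comment describes. The removed `/* if we are the client */` was the only hint that this path is client-only, yet `InitializeSecurityContextA` is still called unconditionally; since this file also implements s_do_server_side_negotiation_step_1, a server-side context that hits SEC_I_RENEGOTIATE would go through the client API, which is worth a guard or at least an explanatory comment. Whether an output token produced on SEC_E_OK is written back to the peer is not visible in these hunks; if `output_buffers_desc` can carry one (a TLS 1.3 KeyUpdate with update_requested, for example, obliges the receiver to answer), it must be sent and, because ctx_req includes ISC_REQ_ALLOCATE_MEMORY, released with FreeContextBuffer. s_do_application_data_decrypt begins and ends outside these hunks.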
@@ -1273,6 +1276,12 @@ static int s_do_application_data_decrypt(struct aws_channel_handler *handler) { } break; } else { + AWS_LOGF_ERROR( + AWS_LS_IO_TLS, + "id=%p: Error InitializeSecurityContext after renegotiation. status %lu", + (void *)handler, + status); + error = AWS_OP_ERR; break; } } else { @@ -1965,7 +1974,7 @@ static DWORD getEnabledProtocols(const struct aws_tls_ctx_options *options, bool return grbitEnabledProtocols; } -static struct aws_channel_handler *s_tls_handler_new_win10_plus( +static struct aws_channel_handler *s_tls_handler_support_sch_scredentials( struct aws_allocator *alloc, struct aws_tls_connection_options *options, struct aws_channel_slot *slot, @@ -2093,7 +2102,7 @@ struct aws_channel_handler *aws_tls_client_handler_new( struct aws_channel_slot *slot) { if (s_is_windows_equal_or_above_10()) { - return s_tls_handler_new_win10_plus(allocator, options, slot, true); + return s_tls_handler_support_sch_scredentials(allocator, options, slot, true); } else { return s_tls_handler_new(allocator, options, slot, true); } @@ -2105,7 +2114,7 @@ struct aws_channel_handler *aws_tls_server_handler_new( struct aws_channel_slot *slot) { if (s_is_windows_equal_or_above_10()) { - return s_tls_handler_new_win10_plus(allocator, options, slot, false); + return s_tls_handler_support_sch_scredentials(allocator, options, slot, false); } else { return s_tls_handler_new(allocator, options, slot, false); } From f03bf38e042539c44c9bee372889ea1f0f4b806a Mon Sep 17 00:00:00 2001 From: Alfred Gedeon Date: Thu, 23 May 2024 20:31:12 -0700 Subject: [PATCH 33/88] clang-format --- source/windows/secure_channel_tls_handler.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/source/windows/secure_channel_tls_handler.c b/source/windows/secure_channel_tls_handler.c index be6d4c90d..f874c2494 100644 --- a/source/windows/secure_channel_tls_handler.c +++ b/source/windows/secure_channel_tls_handler.c 
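Review bot: The new `else` branch sets `error = AWS_OP_ERR` without calling aws_raise_error, so the caller receives a failure whose aws_last_error() is whatever was raised earlier in the thread (possibly nothing), whereas the sibling decrypt-failure branch raises AWS_IO_TLS_ERROR_READ_FAILURE. Map the status the same way the negotiation code in this file does: `aws_raise_error(s_determine_sspi_error(status));` immediately before `error = AWS_OP_ERR;`. The `%lu` specifier paired with a SECURITY_STATUS argument is also a format mismatch; `%d` with `(int)status`, as used in the other log lines of this patch, keeps it consistent. The enclosing function starts and ends outside the hunk.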
@@ -160,8 +160,7 @@ static bool s_is_windows_equal_or_above_10(void) { return true; } else { AWS_LOGF_ERROR( - AWS_LS_IO_TLS, - "Could not load ntdll: Falling back to windows 10 build 1088 or earlier schannel version"); + AWS_LS_IO_TLS, "Could not load ntdll: Falling back to windows 10 build 1088 or earlier schannel version"); return false; } } From 5e405dad4d60e62a151c3897202e0a9f0cc80af8 Mon Sep 17 00:00:00 2001 From: Alfred Gedeon Date: Fri, 24 May 2024 09:18:14 -0700 Subject: [PATCH 34/88] Better logging for windows version --- source/windows/secure_channel_tls_handler.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/source/windows/secure_channel_tls_handler.c b/source/windows/secure_channel_tls_handler.c index f874c2494..97e4d9405 100644 --- a/source/windows/secure_channel_tls_handler.c +++ b/source/windows/secure_channel_tls_handler.c @@ -153,16 +153,19 @@ static bool s_is_windows_equal_or_above_10(void) { if (f) { status = f(&osvi, VER_BUILDNUMBER, dwlConditionMask); } else { + AWS_LOGF_ERROR( + AWS_LS_IO_TLS, "Could not load ntdll: Falling back to windows 10 build 1088 or earlier schannel version"); status = STATUS_DLL_NOT_FOUND; } if (status == STATUS_SUCCESS) { AWS_LOGF_DEBUG(AWS_LS_IO_TLS, "Checking Windows Version: running windows 10 build 1809 or later"); return true; - } else { - AWS_LOGF_ERROR( - AWS_LS_IO_TLS, "Could not load ntdll: Falling back to windows 10 build 1088 or earlier schannel version"); + } else if (status != STATUS_DLL_NOT_FOUND) { + AWS_LOGF_DEBUG( + AWS_LS_IO_TLS, "Checking Windows Version: Running windows 10 build 1088 or earlier"); return false; } + return false; } bool aws_tls_is_alpn_available(void) { From ebf3bbe66f206d8a986e6cec9bd37300e7688847 Mon Sep 17 00:00:00 2001 From: Alfred Gedeon Date: Tue, 28 May 2024 18:56:31 -0700 Subject: [PATCH 35/88] Add Variable check --- source/windows/secure_channel_tls_handler.c | 69 +++++++++++---------- 1 file changed, 37 insertions(+), 32 deletions(-) 
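Review bot: Both fallback messages in the `@@ -153,16 +153,19 @@` hunk say "windows 10 build 1088" while the success branch says "build 1809", so the log contradicts itself about the cutoff; a failed RtlVerifyVersionInfo check means the build is below 1809, so `"Checking Windows Version: running a Windows 10 build earlier than 1809, falling back to the legacy credential path"` (and the same number in the ntdll message) would be consistent. The `else if (status != STATUS_DLL_NOT_FOUND)` exists only to pick a log line — both paths return false, which is fine, but a one-line comment such as `/* any failure here selects the pre-1809 handler constructor */` would make the intent explicit instead of leaving the reader to infer it from the duplicated `return false`. s_is_windows_equal_or_above_10 starts outside the hunk.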
diff --git a/source/windows/secure_channel_tls_handler.c b/source/windows/secure_channel_tls_handler.c index 97e4d9405..6cb64d764 100644 --- a/source/windows/secure_channel_tls_handler.c +++ b/source/windows/secure_channel_tls_handler.c @@ -1144,15 +1144,10 @@ static int s_do_application_data_decrypt(struct aws_channel_handler *handler) { int append_failed = aws_byte_buf_append(&sc_handler->buffered_read_out_data_buf, &to_append); AWS_ASSERT(!append_failed); (void)append_failed; - /* if we have extra we have to move the pointer and do another Decrypt operation. */ } + /* if we have extra we have to move the pointer and do another Decrypt operation. */ if (input_buffers[3].BufferType == SECBUFFER_EXTRA && input_buffers[3].cbBuffer > 0) { if (input_buffers[3].cbBuffer < read_len) { - AWS_LOGF_TRACE( - AWS_LS_IO_TLS, - "id=%p: Extra (incomplete) message received with length %zu.", - (void *)handler, - sc_handler->read_extra); memmove( sc_handler->buffered_read_in_data_buf.buffer, (sc_handler->buffered_read_in_data_buf.buffer + read_len) - input_buffers[3].cbBuffer, @@ -1280,16 +1275,16 @@ static int s_do_application_data_decrypt(struct aws_channel_handler *handler) { } else { AWS_LOGF_ERROR( AWS_LS_IO_TLS, - "id=%p: Error InitializeSecurityContext after renegotiation. status %lu", + "id=%p: Error InitializeSecurityContext after renegotiation. status %d", (void *)handler, - status); + (int)status); error = AWS_OP_ERR; break; } } else { AWS_LOGF_ERROR( AWS_LS_IO_TLS, - "id=%p: Error decrypting message. SECURITY_STATUS is %lu.", + "id=%p: Error decrypting message. SECURITY_STATUS is %d.", (void *)handler, (int)status); aws_raise_error(AWS_IO_TLS_ERROR_READ_FAILURE); 
@@ -1976,16 +1971,26 @@ static DWORD getEnabledProtocols(const struct aws_tls_ctx_options *options, bool return grbitEnabledProtocols; } -static struct aws_channel_handler *s_tls_handler_support_sch_scredentials( +static struct aws_channel_handler *s_tls_handler_support_sch_credentials( + struct aws_allocator *alloc, struct aws_tls_connection_options *options, struct aws_channel_slot *slot, bool is_client_mode) { + char buffer[10]; + DWORD ret; + AWS_ASSERT(options->ctx); + ret = GetEnvironmentVariable("TEST_DEPRECATED_SCHANNEL_CREDS", buffer, 10); + if (ret != 0) { + AWS_LOGF_DEBUG(AWS_LS_IO_TLS, "Variable TEST_DEPRECATED_SCHANNEL_CREDS is defined testing deprecated structure"); + return false; + } + struct secure_channel_handler *sc_handler = aws_mem_calloc(alloc, 1, sizeof(struct secure_channel_handler)); if (!sc_handler) { - return NULL; + return false; } struct secure_channel_ctx *sc_ctx = options->ctx->impl; @@ -2027,7 +2032,7 @@ static struct aws_channel_handler *s_tls_handler_support_sch_scredentials( &sc_handler->sspi_timestamp); if (status != SEC_E_OK) { - AWS_LOGF_ERROR(AWS_LS_IO_TLS, "Error on AcquireCredentialsHandle. SECURITY_STATUS is %lu", (int)status); + AWS_LOGF_ERROR(AWS_LS_IO_TLS, "Error on AcquireCredentialsHandle. SECURITY_STATUS is %d", (int)status); int aws_error = s_determine_sspi_error(status); aws_raise_error(aws_error); goto on_error; @@ -2083,7 +2088,7 @@ static struct aws_channel_handler *s_tls_handler_new( &sc_handler->sspi_timestamp); if (status != SEC_E_OK) { - AWS_LOGF_ERROR(AWS_LS_IO_TLS, "Error on AcquireCredentialsHandle. SECURITY_STATUS is %lu", (int)status); + AWS_LOGF_ERROR(AWS_LS_IO_TLS, "Error on AcquireCredentialsHandle. SECURITY_STATUS is %d", (int)status); int aws_error = s_determine_sspi_error(status); aws_raise_error(aws_error); goto on_error; 
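Review bot: The `TEST_DEPRECATED_SCHANNEL_CREDS` lookup is compiled into every build, so anyone able to set the process environment can steer the TLS handler away from the SCH_CREDENTIALS path in production; a hook that changes which credential structure (and therefore which protocol versions) is used belongs behind a build-time define, or at minimum should log at WARN rather than DEBUG. As written the hook also does not do what its log message claims: it returns `false` (NULL) from a function returning `struct aws_channel_handler *`, and `aws_tls_client_handler_new` in this same patch returns that result directly, so with the variable set handler creation fails instead of exercising the deprecated structure. Replacing that `return false;` with `return s_tls_handler_new(alloc, options, slot, is_client_mode);` gives the fallback the log line describes, and the `return false;` after the calloc check should be `return NULL;`. `GetEnvironmentVariable` resolves to the W variant when UNICODE is defined, so call `GetEnvironmentVariableA` explicitly given the `char buffer[10]`.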
@@ -2104,7 +2109,7 @@ struct aws_channel_handler *aws_tls_client_handler_new( struct aws_channel_slot *slot) { if (s_is_windows_equal_or_above_10()) { - return s_tls_handler_support_sch_scredentials(allocator, options, slot, true); + return s_tls_handler_support_sch_credentials(allocator, options, slot, true); } else { return s_tls_handler_new(allocator, options, slot, true); } @@ -2116,7 +2121,7 @@ struct aws_channel_handler *aws_tls_server_handler_new( struct aws_channel_slot *slot) { if (s_is_windows_equal_or_above_10()) { - return s_tls_handler_support_sch_scredentials(allocator, options, slot, false); + return s_tls_handler_support_sch_credentials(allocator, options, slot, false); } else { return s_tls_handler_new(allocator, options, slot, false); } @@ -2167,9 +2172,9 @@ struct aws_tls_ctx *s_ctx_new( const struct aws_tls_ctx_options *options, bool is_client_mode) { - DWORD dwFlags = 0; - PCCERT_CONTEXT *paCred = NULL; - DWORD cCreds = 1; + DWORD dw_flags = 0; + PCCERT_CONTEXT *pa_cred = NULL; + DWORD creds = 1; if (!aws_tls_is_cipher_pref_supported(options->cipher_pref)) { aws_raise_error(AWS_IO_TLS_CIPHER_PREF_UNSUPPORTED); @@ -2202,7 +2207,7 @@ struct aws_tls_ctx *s_ctx_new( if (options->verify_peer && aws_tls_options_buf_is_set(&options->ca_file)) { AWS_LOGF_DEBUG(AWS_LS_IO_TLS, "static: loading custom CA file."); - dwFlags |= SCH_CRED_MANUAL_CRED_VALIDATION; + dw_flags |= SCH_CRED_MANUAL_CRED_VALIDATION; struct aws_byte_cursor ca_blob_cur = aws_byte_cursor_from_buf(&options->ca_file); int error = aws_import_trusted_certificates(alloc, &ca_blob_cur, &secure_channel_ctx->custom_trust_store); @@ -2212,7 +2217,7 @@ struct aws_tls_ctx *s_ctx_new( goto clean_up; } } else if (is_client_mode) { - dwFlags |= SCH_CRED_AUTO_CRED_VALIDATION; + dw_flags |= SCH_CRED_AUTO_CRED_VALIDATION; } if (is_client_mode && !options->verify_peer) { 
@@ -2220,16 +2225,16 @@ struct aws_tls_ctx *s_ctx_new( AWS_LS_IO_TLS, "static: x.509 validation has been disabled. " "If this is not running in a test environment, this is likely a security vulnerability."); - dwFlags &= ~(SCH_CRED_AUTO_CRED_VALIDATION); - dwFlags |= SCH_CRED_IGNORE_NO_REVOCATION_CHECK | SCH_CRED_IGNORE_REVOCATION_OFFLINE | + dw_flags &= ~(SCH_CRED_AUTO_CRED_VALIDATION); + dw_flags |= SCH_CRED_IGNORE_NO_REVOCATION_CHECK | SCH_CRED_IGNORE_REVOCATION_OFFLINE | SCH_CRED_NO_SERVERNAME_CHECK | SCH_CRED_MANUAL_CRED_VALIDATION; } else if (is_client_mode) { - dwFlags |= SCH_CRED_REVOCATION_CHECK_CHAIN | SCH_CRED_IGNORE_REVOCATION_OFFLINE; + dw_flags |= SCH_CRED_REVOCATION_CHECK_CHAIN | SCH_CRED_IGNORE_REVOCATION_OFFLINE; } /* if someone wants to use broken algorithms like rc4/md5/des they'll need to ask for a special control */ - dwFlags |= SCH_USE_STRONG_CRYPTO; - dwFlags |= SCH_CRED_NO_DEFAULT_CREDS; + dw_flags |= SCH_USE_STRONG_CRYPTO; + dw_flags |= SCH_CRED_NO_DEFAULT_CREDS; /* if using a system store. */ if (options->system_certificate_path) { @@ -2240,8 +2245,8 @@ struct aws_tls_ctx *s_ctx_new( AWS_LOGF_ERROR(AWS_LS_IO_TLS, "static: failed to load %s", options->system_certificate_path); goto clean_up; } - paCred = &secure_channel_ctx->pcerts; - cCreds = 1; + pa_cred = &secure_channel_ctx->pcerts; + creds = 1; /* if using traditional PEM armored PKCS#7 and ASN Encoding public/private key pairs */ } else if (aws_tls_options_buf_is_set(&options->certificate) && aws_tls_options_buf_is_set(&options->private_key)) { 
@@ -2277,14 +2282,14 @@ struct aws_tls_ctx *s_ctx_new( goto clean_up; } - paCred = &secure_channel_ctx->pcerts; - cCreds = 1; + pa_cred = &secure_channel_ctx->pcerts; + creds = 1; secure_channel_ctx->should_free_pcerts = false; } - secure_channel_ctx->schannel_creds.dwFlags = dwFlags; - secure_channel_ctx->schannel_creds.paCred = paCred; - secure_channel_ctx->schannel_creds.cCreds = cCreds; + secure_channel_ctx->schannel_creds.dwFlags = dw_flags; + secure_channel_ctx->schannel_creds.paCred = pa_cred; + secure_channel_ctx->schannel_creds.cCreds = creds; return &secure_channel_ctx->ctx; From f2564169f02c61ff16974959a34cdc2f9a7b2378 Mon Sep 17 00:00:00 2001 From: Alfred Gedeon Date: Tue, 28 May 2024 19:23:03 -0700 Subject: [PATCH 36/88] Clang format --- source/windows/secure_channel_tls_handler.c | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/source/windows/secure_channel_tls_handler.c b/source/windows/secure_channel_tls_handler.c index 6cb64d764..78e889ecd 100644 --- a/source/windows/secure_channel_tls_handler.c +++ b/source/windows/secure_channel_tls_handler.c @@ -161,8 +161,7 @@ static bool s_is_windows_equal_or_above_10(void) { AWS_LOGF_DEBUG(AWS_LS_IO_TLS, "Checking Windows Version: running windows 10 build 1809 or later"); return true; } else if (status != STATUS_DLL_NOT_FOUND) { - AWS_LOGF_DEBUG( - AWS_LS_IO_TLS, "Checking Windows Version: Running windows 10 build 1088 or earlier"); + AWS_LOGF_DEBUG(AWS_LS_IO_TLS, "Checking Windows Version: Running windows 10 build 1088 or earlier"); return false; } return false; 
@@ -1283,10 +1282,7 @@ static int s_do_application_data_decrypt(struct aws_channel_handler *handler) { } } else { AWS_LOGF_ERROR( - AWS_LS_IO_TLS, - "id=%p: Error decrypting message. SECURITY_STATUS is %d.", - (void *)handler, - (int)status); + AWS_LS_IO_TLS, "id=%p: Error decrypting message. SECURITY_STATUS is %d.", (void *)handler, (int)status); aws_raise_error(AWS_IO_TLS_ERROR_READ_FAILURE); } } while (sc_handler->read_extra); @@ -1984,7 +1980,8 @@ static struct aws_channel_handler *s_tls_handler_support_sch_credentials( ret = GetEnvironmentVariable("TEST_DEPRECATED_SCHANNEL_CREDS", buffer, 10); if (ret != 0) { - AWS_LOGF_DEBUG(AWS_LS_IO_TLS, "Variable TEST_DEPRECATED_SCHANNEL_CREDS is defined testing deprecated structure"); + AWS_LOGF_DEBUG( + AWS_LS_IO_TLS, "Variable TEST_DEPRECATED_SCHANNEL_CREDS is defined testing deprecated structure"); return false; } @@ -2227,7 +2224,7 @@ struct aws_tls_ctx *s_ctx_new( "If this is not running in a test environment, this is likely a security vulnerability."); dw_flags &= ~(SCH_CRED_AUTO_CRED_VALIDATION); dw_flags |= SCH_CRED_IGNORE_NO_REVOCATION_CHECK | SCH_CRED_IGNORE_REVOCATION_OFFLINE | - SCH_CRED_NO_SERVERNAME_CHECK | SCH_CRED_MANUAL_CRED_VALIDATION; + SCH_CRED_NO_SERVERNAME_CHECK | SCH_CRED_MANUAL_CRED_VALIDATION; } else if (is_client_mode) { dw_flags |= SCH_CRED_REVOCATION_CHECK_CHAIN | SCH_CRED_IGNORE_REVOCATION_OFFLINE; } From 38ee533de37668d7bd5fe2317a7f6c28935a8b30 Mon Sep 17 00:00:00 2001 From: Alfred Gedeon Date: Tue, 28 May 2024 20:26:18 -0700 Subject: [PATCH 37/88] clang format --- source/windows/secure_channel_tls_handler.c | 37 +++++++++++---------- 1 file changed, 20 insertions(+), 17 deletions(-) diff --git a/source/windows/secure_channel_tls_handler.c b/source/windows/secure_channel_tls_handler.c index 78e889ecd..56014bc01 100644 --- a/source/windows/secure_channel_tls_handler.c +++ b/source/windows/secure_channel_tls_handler.c 
@@ -1153,6 +1153,9 @@ static int s_do_application_data_decrypt(struct aws_channel_handler *handler) { input_buffers[3].cbBuffer); sc_handler->buffered_read_in_data_buf.len = input_buffers[3].cbBuffer; } + if (status != SEC_I_RENEGOTIATE) { + sc_handler->read_extra = input_buffers[3].cbBuffer; + } } else { error = AWS_OP_SUCCESS; /* this means we processed everything in the buffer. */ @@ -1193,7 +1196,7 @@ static int s_do_application_data_decrypt(struct aws_channel_handler *handler) { error = AWS_OP_SUCCESS; } /* With TLS1.3 on SChannel a call to DecryptMessage could return SEC_I_RENEGOTIATE, at this point a client must - * call again InitializeSecurityContext with the data received from DecryptMessage until SEC_E_OK is received*/ + * call again InitializeSecurityContext with the data received from DecryptMessage until SEC_E_OK is received */ if (status == SEC_I_RENEGOTIATE) { AWS_LOGF_TRACE( AWS_LS_IO_TLS, "id=%p: Renegotiation received. SECURITY_STATUS is %d.", (void *)handler, (int)status); 
@@ -1919,52 +1922,52 @@ static struct aws_channel_handler *s_tls_handler_new_common( return NULL; } -static DWORD getEnabledProtocols(const struct aws_tls_ctx_options *options, bool is_client_mode) { - DWORD grbitEnabledProtocols = 0; +static DWORD get_enabled_protocols(const struct aws_tls_ctx_options *options, bool is_client_mode) { + DWORD bit_enabled_protocols = 0; if (is_client_mode) { switch (options->minimum_tls_version) { case AWS_IO_SSLv3: - grbitEnabledProtocols |= SP_PROT_SSL3_CLIENT; + bit_enabled_protocols |= SP_PROT_SSL3_CLIENT; case AWS_IO_TLSv1: - grbitEnabledProtocols |= SP_PROT_TLS1_0_CLIENT; + bit_enabled_protocols |= SP_PROT_TLS1_0_CLIENT; case AWS_IO_TLSv1_1: - grbitEnabledProtocols |= SP_PROT_TLS1_1_CLIENT; + bit_enabled_protocols |= SP_PROT_TLS1_1_CLIENT; case AWS_IO_TLSv1_2: #if defined(SP_PROT_TLS1_2_CLIENT) - grbitEnabledProtocols |= SP_PROT_TLS1_2_CLIENT; + bit_enabled_protocols |= SP_PROT_TLS1_2_CLIENT; #endif case AWS_IO_TLSv1_3: #if defined(SP_PROT_TLS1_3_CLIENT) - grbitEnabledProtocols |= SP_PROT_TLS1_3_CLIENT; + bit_enabled_protocols |= SP_PROT_TLS1_3_CLIENT; #endif break; case AWS_IO_TLS_VER_SYS_DEFAULTS: - grbitEnabledProtocols = 0; + bit_enabled_protocols = 0; break; } } else { switch (options->minimum_tls_version) { case AWS_IO_SSLv3: - grbitEnabledProtocols |= SP_PROT_SSL3_SERVER; + bit_enabled_protocols |= SP_PROT_SSL3_SERVER; case AWS_IO_TLSv1: - grbitEnabledProtocols |= SP_PROT_TLS1_0_SERVER; + bit_enabled_protocols |= SP_PROT_TLS1_0_SERVER; case AWS_IO_TLSv1_1: - grbitEnabledProtocols |= SP_PROT_TLS1_1_SERVER; + bit_enabled_protocols |= SP_PROT_TLS1_1_SERVER; case AWS_IO_TLSv1_2: #if defined(SP_PROT_TLS1_2_SERVER) - grbitEnabledProtocols |= SP_PROT_TLS1_2_SERVER; + bit_enabled_protocols |= SP_PROT_TLS1_2_SERVER; #endif case AWS_IO_TLSv1_3: #if defined(SP_PROT_TLS1_3_SERVER) - grbitEnabledProtocols |= SP_PROT_TLS1_3_SERVER; + bit_enabled_protocols |= SP_PROT_TLS1_3_SERVER; #endif break; case AWS_IO_TLS_VER_SYS_DEFAULTS: - 
grbitEnabledProtocols = 0; + bit_enabled_protocols = 0; break; } } - return grbitEnabledProtocols; + return bit_enabled_protocols ; } static struct aws_channel_handler *s_tls_handler_support_sch_credentials( @@ -2200,7 +2203,7 @@ struct aws_tls_ctx *s_ctx_new( secure_channel_ctx->verify_peer = options->verify_peer; secure_channel_ctx->should_free_pcerts = true; - secure_channel_ctx->schannel_creds.enabledProtocols = getEnabledProtocols(options, is_client_mode); + secure_channel_ctx->schannel_creds.enabledProtocols = get_enabled_protocols(options, is_client_mode); if (options->verify_peer && aws_tls_options_buf_is_set(&options->ca_file)) { AWS_LOGF_DEBUG(AWS_LS_IO_TLS, "static: loading custom CA file."); From 69c58da14b766dcc1d819cff102b65f6bcc41545 Mon Sep 17 00:00:00 2001 From: Alfred Gedeon Date: Tue, 28 May 2024 21:06:18 -0700 Subject: [PATCH 38/88] style: clang-format --- source/windows/secure_channel_tls_handler.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/windows/secure_channel_tls_handler.c b/source/windows/secure_channel_tls_handler.c index 56014bc01..8f15ab2c0 100644 --- a/source/windows/secure_channel_tls_handler.c +++ b/source/windows/secure_channel_tls_handler.c @@ -1967,7 +1967,7 @@ static DWORD get_enabled_protocols(const struct aws_tls_ctx_options *options, bo break; } } - return bit_enabled_protocols ; + return bit_enabled_protocols; } static struct aws_channel_handler *s_tls_handler_support_sch_credentials( From b4a48013a5fd9b462055f6304f9eeb79cedd63ff Mon Sep 17 00:00:00 2001 From: Alfred Gedeon Date: Wed, 29 May 2024 08:54:57 -0700 Subject: [PATCH 39/88] Add comment for the environment variable --- source/windows/secure_channel_tls_handler.c | 1 + 1 file changed, 1 insertion(+) diff --git a/source/windows/secure_channel_tls_handler.c b/source/windows/secure_channel_tls_handler.c index 8f15ab2c0..aa19030c6 100644 --- a/source/windows/secure_channel_tls_handler.c +++ b/source/windows/secure_channel_tls_handler.c 
@@ -1981,6 +1981,7 @@ static struct aws_channel_handler *s_tls_handler_support_sch_credentials( AWS_ASSERT(options->ctx); + /* Used for testing: if defined to any value, we run the deprecarted SCHANNEL_CREDS on newer windows versions */ ret = GetEnvironmentVariable("TEST_DEPRECATED_SCHANNEL_CREDS", buffer, 10); if (ret != 0) { AWS_LOGF_DEBUG( From 2d697312f90b2d2107d2983c2c7df718ec318888 Mon Sep 17 00:00:00 2001 From: Alfred Gedeon Date: Wed, 29 May 2024 09:16:33 -0700 Subject: [PATCH 40/88] test tls1.3 on aws endpoint --- tests/tls_handler_test.c | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/tests/tls_handler_test.c b/tests/tls_handler_test.c index 1a7f94ddf..726c3eb4d 100644 --- a/tests/tls_handler_test.c +++ b/tests/tls_handler_test.c @@ -949,8 +949,25 @@ AWS_TEST_CASE( tls_client_channel_negotiation_error_broken_crypto_null, s_tls_client_channel_negotiation_error_broken_crypto_null_fn) +AWS_STATIC_STRING_FROM_LITERAL(s_legacy_crypto_tls13_host_name, "a2w1wmp9234lcw-ats.iot.us-west-2.amazonaws.com"); +static void s_raise_tls_version_to_13(struct aws_tls_ctx_options *options) { + aws_tls_ctx_options_set_minimum_tls_version(options, AWS_IO_TLSv1_3); +} + +static int s_tls_client_channel_negotiation_error_override_legacy_crypto_tls13_fn( + struct aws_allocator *allocator, + void *ctx) { + (void)ctx; + return s_verify_negotiation_fails(allocator, s_legacy_crypto_tls13_host_name, 1011, &s_raise_tls_version_to_13); +} + +AWS_TEST_CASE( + tls_client_channel_negotiation_error_override_legacy_crypto_tls11, + s_tls_client_channel_negotiation_error_override_legacy_crypto_tls11_fn) + AWS_STATIC_STRING_FROM_LITERAL(s_legacy_crypto_tls10_host_name, "tls-v1-0.badssl.com"); + static void s_raise_tls_version_to_11(struct aws_tls_ctx_options *options) { aws_tls_ctx_options_set_minimum_tls_version(options, AWS_IO_TLSv1_2); } From 1aa6c8dc4eff0f206bea359deea2fb528059c781 Mon Sep 17 00:00:00 2001 
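Review bot: The added comment contains a typo, `deprecarted`, and says that with the variable set "we run the deprecated SCHANNEL_CREDS", but the code directly beneath it returns `false` from this pointer-returning function rather than invoking the SCHANNEL_CREDS constructor, so the comment and the behaviour disagree. Either reword it to `/* Used for testing: if defined to any value, skip SCH_CREDENTIALS and fall back to the deprecated SCHANNEL_CREDS path */` once the fallback call actually exists, or describe what the early return does today. s_tls_handler_support_sch_credentials starts and ends outside the hunk.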
From: Alfred Gedeon Date: Wed, 29 May 2024 09:26:31 -0700 Subject: [PATCH 41/88] test update --- tests/tls_handler_test.c | 27 ++++++++++----------------- 1 file changed, 10 insertions(+), 17 deletions(-) diff --git a/tests/tls_handler_test.c b/tests/tls_handler_test.c index 726c3eb4d..dd812b492 100644 --- a/tests/tls_handler_test.c +++ b/tests/tls_handler_test.c @@ -949,25 +949,8 @@ AWS_TEST_CASE( tls_client_channel_negotiation_error_broken_crypto_null, s_tls_client_channel_negotiation_error_broken_crypto_null_fn) -AWS_STATIC_STRING_FROM_LITERAL(s_legacy_crypto_tls13_host_name, "a2w1wmp9234lcw-ats.iot.us-west-2.amazonaws.com"); -static void s_raise_tls_version_to_13(struct aws_tls_ctx_options *options) { - aws_tls_ctx_options_set_minimum_tls_version(options, AWS_IO_TLSv1_3); -} - -static int s_tls_client_channel_negotiation_error_override_legacy_crypto_tls13_fn( - struct aws_allocator *allocator, - void *ctx) { - (void)ctx; - return s_verify_negotiation_fails(allocator, s_legacy_crypto_tls13_host_name, 1011, &s_raise_tls_version_to_13); -} - -AWS_TEST_CASE( - tls_client_channel_negotiation_error_override_legacy_crypto_tls11, - s_tls_client_channel_negotiation_error_override_legacy_crypto_tls11_fn) - AWS_STATIC_STRING_FROM_LITERAL(s_legacy_crypto_tls10_host_name, "tls-v1-0.badssl.com"); - static void s_raise_tls_version_to_11(struct aws_tls_ctx_options *options) { aws_tls_ctx_options_set_minimum_tls_version(options, AWS_IO_TLSv1_2); } 
@@ -1231,6 +1214,16 @@ static int s_tls_client_channel_negotiation_success_ecc384_fn(struct aws_allocat AWS_TEST_CASE(tls_client_channel_negotiation_success_ecc384, s_tls_client_channel_negotiation_success_ecc384_fn) +AWS_STATIC_STRING_FROM_LITERAL(s_aws_ecc384_host_name, "a2w1wmp9234lcw-ats.iot.us-west-2.amazonaws.com"); + +static int s_tls_client_channel_negotiation_success_ecc384_tls1_3_fn(struct aws_allocator *allocator, void *ctx) { + (void)ctx; + return s_verify_good_host(allocator, s_aws_ecc384_host_name, 443, NULL); +} + +AWS_TEST_CASE(tls_client_channel_negotiation_success_ecc384_tls1_3, + s_tls_client_channel_negotiation_success_ecc384_tls1_3_fn) + AWS_STATIC_STRING_FROM_LITERAL(s3_host_name, "s3.amazonaws.com"); static void s_disable_verify_peer(struct aws_tls_ctx_options *options) { From ac82db780bc6eb158fcf713b77222a76992e0d49 Mon Sep 17 00:00:00 2001 From: Alfred Gedeon Date: Wed, 29 May 2024 10:07:08 -0700 Subject: [PATCH 42/88] clang format --- tests/tls_handler_test.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/tests/tls_handler_test.c b/tests/tls_handler_test.c index dd812b492..095d748cc 100644 --- a/tests/tls_handler_test.c +++ b/tests/tls_handler_test.c @@ -1221,8 +1221,9 @@ static int s_tls_client_channel_negotiation_success_ecc384_tls1_3_fn(struct aws_ return s_verify_good_host(allocator, s_aws_ecc384_host_name, 443, NULL); } -AWS_TEST_CASE(tls_client_channel_negotiation_success_ecc384_tls1_3, - s_tls_client_channel_negotiation_success_ecc384_tls1_3_fn) +AWS_TEST_CASE( + tls_client_channel_negotiation_success_ecc384_tls1_3, + s_tls_client_channel_negotiation_success_ecc384_tls1_3_fn) AWS_STATIC_STRING_FROM_LITERAL(s3_host_name, "s3.amazonaws.com"); From b7f9af3bc973cf39dcb6db2e5dc9ebfca0d560f4 Mon Sep 17 00:00:00 2001 From: Alfred Gedeon Date: Wed, 29 May 2024 10:43:03 -0700 Subject: [PATCH 43/88] Enable testcase --- tests/CMakeLists.txt | 1 + 1 file changed, 1 insertion(+) 
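Review bot: tls_client_channel_negotiation_success_ecc384_tls1_3 passes NULL as the options override, so nothing raises the minimum version to TLS 1.3 and the test passes equally well if the endpoint settles on TLS 1.2; the name promises coverage the test does not provide. Pass an override that calls `aws_tls_ctx_options_set_minimum_tls_version(options, AWS_IO_TLSv1_3)` (the `s_raise_tls_version_to_13` helper removed earlier in this series did exactly that) and, if the tester can observe the negotiated version, assert it. The host is an account-specific IoT endpoint, so a comment recording who owns it and why it is used instead of a badssl-style public host would help whoever has to fix the test when it disappears.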
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt index 67220907c..2a95af76a 100644 --- a/tests/CMakeLists.txt +++ b/tests/CMakeLists.txt @@ -225,6 +225,7 @@ if(NOT BYO_CRYPTO) add_net_test_case(tls_client_channel_negotiation_success_rsa2048) add_net_test_case(tls_client_channel_negotiation_success_ecc256) add_net_test_case(tls_client_channel_negotiation_success_ecc384) + add_net_test_case(tls_client_channel_negotiation_success_ecc384_tls1_3) # add_net_test_case(tls_client_channel_negotiation_success_extended_validation) test disabled until badssl updates cert (expired 2022.08.10) add_net_test_case(tls_client_channel_negotiation_success_mozilla_modern) From d0e8b1865f68e79776d333bf312bf26694ce2c66 Mon Sep 17 00:00:00 2001 From: Alfred Gedeon Date: Thu, 30 May 2024 21:07:32 -0700 Subject: [PATCH 44/88] send packet to iot core --- tests/tls_handler_test.c | 129 ++++++++++++++++++++++++++++++++++++++- 1 file changed, 128 insertions(+), 1 deletion(-) diff --git a/tests/tls_handler_test.c b/tests/tls_handler_test.c index 095d748cc..2c5dfa497 100644 --- a/tests/tls_handler_test.c +++ b/tests/tls_handler_test.c 
@@ -1189,6 +1189,133 @@ static int s_verify_good_host( return AWS_OP_SUCCESS; } +static int s_verify_good_host_mqtt_connect( + struct aws_allocator *allocator, + const struct aws_string *host_name, + uint32_t port, + void (*override_tls_options_fn)(struct aws_tls_ctx_options *)) { + + aws_io_library_init(allocator); + + ASSERT_SUCCESS(s_tls_common_tester_init(allocator, &c_tester)); + + /* NEW ********/ + struct aws_byte_buf write_tag = aws_byte_buf_from_c_str("Created from a blend of heirloom and cider apples"); + + struct tls_test_rw_args outgoing_rw_args; + ASSERT_SUCCESS(s_tls_rw_args_init( + &outgoing_rw_args, + &c_tester, + aws_byte_buf_from_empty_array(outgoing_received_message, sizeof(outgoing_received_message)))); + + struct aws_channel_handler *outgoing_rw_handler = + rw_handler_new(allocator, s_tls_test_handle_read, s_tls_test_handle_write, true, 10000, &outgoing_rw_args); + ASSERT_NOT_NULL(outgoing_rw_handler); + + /* end new */ + + struct tls_test_args outgoing_args = { + .mutex = &c_tester.mutex, + .allocator = allocator, + .condition_variable = &c_tester.condition_variable, + .error_invoked = 0, + .rw_handler = outgoing_rw_handler, + .server = false, + .tls_levels_negotiated = 0, + .desired_tls_levels = 1, + .shutdown_finished = false, + }; + + struct aws_tls_ctx_options client_ctx_options; + AWS_ZERO_STRUCT(client_ctx_options); + aws_tls_ctx_options_set_verify_peer(&client_ctx_options, true); + aws_tls_ctx_options_init_default_client(&client_ctx_options, allocator); + aws_tls_ctx_options_set_alpn_list(&client_ctx_options, "http/1.1"); + + if (override_tls_options_fn) { + (*override_tls_options_fn)(&client_ctx_options); + } + + struct aws_tls_ctx *client_ctx = aws_tls_client_ctx_new(allocator, &client_ctx_options); + ASSERT_NOT_NULL(client_ctx); + + struct aws_tls_connection_options tls_client_conn_options; + aws_tls_connection_options_init_from_ctx(&tls_client_conn_options, client_ctx); + 
aws_tls_connection_options_set_callbacks(&tls_client_conn_options, s_tls_on_negotiated, NULL, NULL, &outgoing_args); + + struct aws_byte_cursor host_name_cur = aws_byte_cursor_from_string(host_name); + aws_tls_connection_options_set_server_name(&tls_client_conn_options, allocator, &host_name_cur); + aws_tls_connection_options_set_alpn_list(&tls_client_conn_options, allocator, "http/1.1"); + + struct aws_socket_options options; + AWS_ZERO_STRUCT(options); + options.connect_timeout_ms = 10000; + options.type = AWS_SOCKET_STREAM; + options.domain = AWS_SOCKET_IPV4; + + struct aws_client_bootstrap_options bootstrap_options = { + .event_loop_group = c_tester.el_group, + .host_resolver = c_tester.resolver, + }; + struct aws_client_bootstrap *client_bootstrap = aws_client_bootstrap_new(allocator, &bootstrap_options); + ASSERT_NOT_NULL(client_bootstrap); + + struct aws_socket_channel_bootstrap_options channel_options; + AWS_ZERO_STRUCT(channel_options); + channel_options.bootstrap = client_bootstrap; + channel_options.host_name = aws_string_c_str(host_name); + channel_options.port = port; + channel_options.socket_options = &options; + channel_options.tls_options = &tls_client_conn_options; + channel_options.setup_callback = s_tls_handler_test_client_setup_callback; + channel_options.shutdown_callback = s_tls_handler_test_client_shutdown_callback; + channel_options.user_data = &outgoing_args; + + ASSERT_SUCCESS(aws_client_bootstrap_new_socket_channel(&channel_options)); + + /* put this here to verify ownership semantics are correct. This should NOT cause a segfault. If it does, ya + * done messed up. 
*/ + aws_tls_connection_options_clean_up(&tls_client_conn_options); + + ASSERT_SUCCESS(aws_mutex_lock(&c_tester.mutex)); + ASSERT_SUCCESS(aws_condition_variable_wait_pred( + &c_tester.condition_variable, &c_tester.mutex, s_tls_channel_setup_predicate, &outgoing_args)); + ASSERT_SUCCESS(aws_mutex_unlock(&c_tester.mutex)); + + ASSERT_FALSE(outgoing_args.error_invoked); + struct aws_byte_buf expected_protocol = aws_byte_buf_from_c_str("http/1.1"); + /* check ALPN and SNI was properly negotiated */ + + if (aws_tls_is_alpn_available() && client_ctx_options.verify_peer) { + ASSERT_BIN_ARRAYS_EQUALS( + expected_protocol.buffer, + expected_protocol.len, + outgoing_args.negotiated_protocol.buffer, + outgoing_args.negotiated_protocol.len); + } + + ASSERT_BIN_ARRAYS_EQUALS( + host_name->bytes, host_name->len, outgoing_args.server_name.buffer, outgoing_args.server_name.len); + + rw_handler_write(outgoing_args.rw_handler, outgoing_args.rw_slot, &write_tag); + ASSERT_SUCCESS(aws_condition_variable_wait_pred( + &c_tester.condition_variable, &c_tester.mutex, s_tls_test_read_predicate, &outgoing_rw_args)); + + ASSERT_SUCCESS(aws_mutex_lock(&c_tester.mutex)); + aws_channel_shutdown(outgoing_args.channel, AWS_OP_SUCCESS); + ASSERT_SUCCESS(aws_condition_variable_wait_pred( + &c_tester.condition_variable, &c_tester.mutex, s_tls_channel_shutdown_predicate, &outgoing_args)); + ASSERT_SUCCESS(aws_mutex_unlock(&c_tester.mutex)); + + aws_client_bootstrap_release(client_bootstrap); + + aws_tls_ctx_release(client_ctx); + aws_tls_ctx_options_clean_up(&client_ctx_options); + ASSERT_SUCCESS(s_tls_common_tester_clean_up(&c_tester)); + + return AWS_OP_SUCCESS; +} + static int s_tls_client_channel_negotiation_success_fn(struct aws_allocator *allocator, void *ctx) { (void)ctx; return s_verify_good_host(allocator, s_amazon_host_name, 443, NULL); 
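Review bot: In s_verify_good_host_mqtt_connect the `aws_condition_variable_wait_pred` issued right after `rw_handler_write(...)` runs without `c_tester.mutex` held — `aws_mutex_lock(&c_tester.mutex)` is only taken on the next line — so the predicate wait operates on an unlocked mutex, which is undefined for a condition variable and races with the read callback that updates `outgoing_rw_args`. Move `ASSERT_SUCCESS(aws_mutex_lock(&c_tester.mutex));` above the write-and-wait pair and keep the lock through the shutdown wait, as the echo test in this file does. `aws_tls_ctx_options_set_verify_peer(&client_ctx_options, true)` is also called before `aws_tls_ctx_options_init_default_client`, which initialises the struct; if init resets that field the earlier call is a no-op, so order it after init. The `/* NEW ********/` and `/* end new */` markers read as work-in-progress and should be dropped before merge.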
@@ -1218,7 +1345,7 @@ AWS_STATIC_STRING_FROM_LITERAL(s_aws_ecc384_host_name, "a2w1wmp9234lcw-ats.iot.u static int s_tls_client_channel_negotiation_success_ecc384_tls1_3_fn(struct aws_allocator *allocator, void *ctx) { (void)ctx; - return s_verify_good_host(allocator, s_aws_ecc384_host_name, 443, NULL); + return s_verify_good_host_mqtt_connect(allocator, s_aws_ecc384_host_name, 443, NULL); } AWS_TEST_CASE( From 1a1c938544bc265daa40339cc3b92f5b5d0404ad Mon Sep 17 00:00:00 2001 From: Alfred Gedeon Date: Thu, 30 May 2024 22:24:02 -0700 Subject: [PATCH 45/88] fix build error --- tests/tls_handler_test.c | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/tls_handler_test.c b/tests/tls_handler_test.c index 2c5dfa497..7cd33d054 100644 --- a/tests/tls_handler_test.c +++ b/tests/tls_handler_test.c @@ -1200,6 +1200,7 @@ static int s_verify_good_host_mqtt_connect( ASSERT_SUCCESS(s_tls_common_tester_init(allocator, &c_tester)); /* NEW ********/ + uint8_t outgoing_received_message[128] = {0}; struct aws_byte_buf write_tag = aws_byte_buf_from_c_str("Created from a blend of heirloom and cider apples"); struct tls_test_rw_args outgoing_rw_args; From c2b67dfc961659df9662427ded6ff243e5235766 Mon Sep 17 00:00:00 2001 From: Alfred Gedeon Date: Sun, 2 Jun 2024 11:05:12 -0700 Subject: [PATCH 46/88] fix timeout --- tests/tls_handler_test.c | 42 +++++++++++++++++++++++++++++++--------- 1 file changed, 33 insertions(+), 9 deletions(-) diff --git a/tests/tls_handler_test.c b/tests/tls_handler_test.c index 7cd33d054..68cf7df67 100644 --- a/tests/tls_handler_test.c +++ b/tests/tls_handler_test.c 
@@ -481,7 +481,8 @@ static struct aws_byte_buf s_tls_test_handle_write( return (struct aws_byte_buf){0}; } -static int s_tls_channel_echo_and_backpressure_test_fn(struct aws_allocator *allocator, void *ctx) { +static int s_tls_channel_echo_and_backpressure_test_fn(struct aws_allocator *allocator, + void *ctx) { (void)ctx; aws_io_library_init(allocator); ASSERT_SUCCESS(s_tls_common_tester_init(allocator, &c_tester)); @@ -515,11 +516,13 @@ static int s_tls_channel_echo_and_backpressure_test_fn(struct aws_allocator *all allocator, &local_server_tester, &incoming_args, &c_tester, true, "server.crt", "server.key")); /* make the windows small to make sure back pressure is honored. */ struct aws_channel_handler *outgoing_rw_handler = rw_handler_new( - allocator, s_tls_test_handle_read, s_tls_test_handle_write, true, write_tag.len / 2, &outgoing_rw_args); + allocator, s_tls_test_handle_read, s_tls_test_handle_write, true, + write_tag.len / 2, &outgoing_rw_args); ASSERT_NOT_NULL(outgoing_rw_handler); struct aws_channel_handler *incoming_rw_handler = rw_handler_new( - allocator, s_tls_test_handle_read, s_tls_test_handle_write, true, read_tag.len / 2, &incoming_rw_args); + allocator, s_tls_test_handle_read, s_tls_test_handle_write, true, + read_tag.len / 2, &incoming_rw_args); ASSERT_NOT_NULL(incoming_rw_handler); incoming_args.rw_handler = incoming_rw_handler; 
@@ -600,10 +603,12 @@ static int s_tls_channel_echo_and_backpressure_test_fn(struct aws_allocator *all rw_handler_write(outgoing_args.rw_handler, outgoing_args.rw_slot, &write_tag); rw_handler_write(incoming_args.rw_handler, incoming_args.rw_slot, &read_tag); ASSERT_SUCCESS(aws_mutex_lock(&c_tester.mutex)); + ASSERT_SUCCESS(aws_condition_variable_wait_pred( &c_tester.condition_variable, &c_tester.mutex, s_tls_test_read_predicate, &incoming_rw_args)); ASSERT_SUCCESS(aws_condition_variable_wait_pred( &c_tester.condition_variable, &c_tester.mutex, s_tls_test_read_predicate, &outgoing_rw_args)); + ASSERT_SUCCESS(aws_mutex_unlock(&c_tester.mutex)); incoming_rw_args.invocation_happened = false; @@ -632,7 +637,10 @@ static int s_tls_channel_echo_and_backpressure_test_fn(struct aws_allocator *all incoming_rw_args.received_message.buffer, incoming_rw_args.received_message.len); ASSERT_BIN_ARRAYS_EQUALS( - read_tag.buffer, read_tag.len, outgoing_rw_args.received_message.buffer, outgoing_rw_args.received_message.len); + read_tag.buffer, + read_tag.len, + outgoing_rw_args.received_message.buffer, + outgoing_rw_args.received_message.len); aws_channel_shutdown(incoming_args.channel, AWS_OP_SUCCESS); ASSERT_SUCCESS(aws_mutex_lock(&c_tester.mutex)); @@ -1210,7 +1218,8 @@ static int s_verify_good_host_mqtt_connect( aws_byte_buf_from_empty_array(outgoing_received_message, sizeof(outgoing_received_message)))); struct aws_channel_handler *outgoing_rw_handler = - rw_handler_new(allocator, s_tls_test_handle_read, s_tls_test_handle_write, true, 10000, &outgoing_rw_args); + rw_handler_new(allocator, s_tls_test_handle_read, s_tls_test_handle_write, + true, write_tag.len, &outgoing_rw_args); ASSERT_NOT_NULL(outgoing_rw_handler); /* end new */ 
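Review bot: In the `@@ -1210` hunk the last argument of `rw_handler_new` becomes `write_tag.len`, the size of the outbound CONNECT payload, although that argument is the handler's inbound window (the echo test sizes it explicitly "to make sure back pressure is honored"), so the amount of reply the test will accept is now coupled to the length of the request it sends. If the intent is to read the whole reply into `outgoing_received_message`, say so directly: `rw_handler_new(allocator, s_tls_test_handle_read, s_tls_test_handle_write, true, sizeof(outgoing_received_message), &outgoing_rw_args);`; otherwise a comment should explain why the reply window is tied to the request length. s_verify_good_host_mqtt_connect starts and ends outside this hunk.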
@@ -1242,7 +1251,8 @@ static int s_verify_good_host_mqtt_connect( struct aws_tls_connection_options tls_client_conn_options; aws_tls_connection_options_init_from_ctx(&tls_client_conn_options, client_ctx); - aws_tls_connection_options_set_callbacks(&tls_client_conn_options, s_tls_on_negotiated, NULL, NULL, &outgoing_args); + aws_tls_connection_options_set_callbacks( + &tls_client_conn_options, s_tls_on_negotiated, NULL, NULL, &outgoing_args); struct aws_byte_cursor host_name_cur = aws_byte_cursor_from_string(host_name); aws_tls_connection_options_set_server_name(&tls_client_conn_options, allocator, &host_name_cur); @@ -1298,9 +1308,21 @@ static int s_verify_good_host_mqtt_connect( ASSERT_BIN_ARRAYS_EQUALS( host_name->bytes, host_name->len, outgoing_args.server_name.buffer, outgoing_args.server_name.len); + /* XXX: ---- new ----*/ + rw_handler_write(outgoing_args.rw_handler, outgoing_args.rw_slot, &write_tag); + ASSERRT_SUCCESS(aws_mutex_lock(&c_tester.mutex)); + ASSERT_SUCCESS(aws_condition_variable_wait_pred( - &c_tester.condition_variable, &c_tester.mutex, s_tls_test_read_predicate, &outgoing_rw_args)); + &c_tester.condition_variable, &c_tester.mutex, + s_tls_test_read_predicate, &outgoing_rw_args)); + + ASSERRT_SUCCESS(aws_mutex_unlock(&c_tester.mutex)); + + //outgoing_rw_args.invocation_happened = false; + //ASSERT_INT_EQUALS(1, outgoing_rw_args.read_invocations); + + /* ---- */ ASSERT_SUCCESS(aws_mutex_lock(&c_tester.mutex)); aws_channel_shutdown(outgoing_args.channel, AWS_OP_SUCCESS); 
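Review bot: In the `@@ -1298` hunk the new read is waited on with `aws_condition_variable_wait_pred`, which has no timeout, so a peer that never answers the CONNECT hangs the test instead of failing it; the bounded `aws_condition_variable_wait_for_pred` with a few-second limit turns that into a failure. The commented-out lines (`//outgoing_rw_args.invocation_happened = false;`, `//ASSERT_INT_EQUALS(1, outgoing_rw_args.read_invocations);`) and the `/* XXX: ---- new ----*/` markers should either be restored as assertions or dropped before merge. `ASSERRT_SUCCESS` is corrected by the next patch in the series. The enclosing function starts and ends outside this hunk.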
@@ -1856,11 +1878,13 @@ static int s_tls_channel_statistics_test(struct aws_allocator *allocator, void * allocator, &local_server_tester, &incoming_args, &c_tester, false, "server.crt", "server.key")); struct aws_channel_handler *outgoing_rw_handler = - rw_handler_new(allocator, s_tls_test_handle_read, s_tls_test_handle_write, true, 10000, &outgoing_rw_args); + rw_handler_new(allocator, s_tls_test_handle_read, s_tls_test_handle_write, + true, 10000, &outgoing_rw_args); ASSERT_NOT_NULL(outgoing_rw_handler); struct aws_channel_handler *incoming_rw_handler = - rw_handler_new(allocator, s_tls_test_handle_read, s_tls_test_handle_write, true, 10000, &incoming_rw_args); + rw_handler_new(allocator, s_tls_test_handle_read, s_tls_test_handle_write, + true, 10000, &incoming_rw_args); ASSERT_NOT_NULL(incoming_rw_handler); incoming_args.rw_handler = incoming_rw_handler; From 736873295e81b141002346fb1f031fe8b3844e1a Mon Sep 17 00:00:00 2001 From: Alfred Gedeon Date: Sun, 2 Jun 2024 11:17:03 -0700 Subject: [PATCH 47/88] Fix syntax error --- tests/tls_handler_test.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/tls_handler_test.c b/tests/tls_handler_test.c index 68cf7df67..c10ea9743 100644 --- a/tests/tls_handler_test.c +++ b/tests/tls_handler_test.c @@ -1311,13 +1311,13 @@ static int s_verify_good_host_mqtt_connect( /* XXX: ---- new ----*/ rw_handler_write(outgoing_args.rw_handler, outgoing_args.rw_slot, &write_tag); - ASSERRT_SUCCESS(aws_mutex_lock(&c_tester.mutex)); + ASSERT_SUCCESS(aws_mutex_lock(&c_tester.mutex)); ASSERT_SUCCESS(aws_condition_variable_wait_pred( &c_tester.condition_variable, &c_tester.mutex, s_tls_test_read_predicate, &outgoing_rw_args)); - ASSERRT_SUCCESS(aws_mutex_unlock(&c_tester.mutex)); + ASSERT_SUCCESS(aws_mutex_unlock(&c_tester.mutex)); //outgoing_rw_args.invocation_happened = false; //ASSERT_INT_EQUALS(1, outgoing_rw_args.read_invocations); From 7e90e13c7825f2d0152dcc736efc34b5c0c6181d Mon Sep 17 00:00:00 2001 
From: Alfred Gedeon Date: Sun, 2 Jun 2024 18:32:42 -0700 Subject: [PATCH 48/88] certificate --- tests/tls_handler_test.c | 46 ++++++++++++++++++++++++++++++++++------ 1 file changed, 39 insertions(+), 7 deletions(-) diff --git a/tests/tls_handler_test.c b/tests/tls_handler_test.c index c10ea9743..660a46b9b 100644 --- a/tests/tls_handler_test.c +++ b/tests/tls_handler_test.c @@ -602,12 +602,16 @@ static int s_tls_channel_echo_and_backpressure_test_fn(struct aws_allocator *all /* Do the IO operations */ rw_handler_write(outgoing_args.rw_handler, outgoing_args.rw_slot, &write_tag); rw_handler_write(incoming_args.rw_handler, incoming_args.rw_slot, &read_tag); + ASSERT_SUCCESS(aws_mutex_lock(&c_tester.mutex)); ASSERT_SUCCESS(aws_condition_variable_wait_pred( - &c_tester.condition_variable, &c_tester.mutex, s_tls_test_read_predicate, &incoming_rw_args)); + &c_tester.condition_variable, &c_tester.mutex, + s_tls_test_read_predicate, &incoming_rw_args)); + ASSERT_SUCCESS(aws_condition_variable_wait_pred( - &c_tester.condition_variable, &c_tester.mutex, s_tls_test_read_predicate, &outgoing_rw_args)); + &c_tester.condition_variable, &c_tester.mutex, + s_tls_test_read_predicate, &outgoing_rw_args)); ASSERT_SUCCESS(aws_mutex_unlock(&c_tester.mutex)); @@ -1207,7 +1211,7 @@ static int s_verify_good_host_mqtt_connect( ASSERT_SUCCESS(s_tls_common_tester_init(allocator, &c_tester)); - /* NEW ********/ + /* ****** NEW ********/ uint8_t outgoing_received_message[128] = {0}; struct aws_byte_buf write_tag = aws_byte_buf_from_c_str("Created from a blend of heirloom and cider apples"); 
@@ -1254,6 +1258,25 @@ static int s_verify_good_host_mqtt_connect( aws_tls_connection_options_set_callbacks( &tls_client_conn_options, s_tls_on_negotiated, NULL, NULL, &outgoing_args); + /* ***** new ****** */ + struct aws_byte_buf cert_buf = {0}; + struct aws_byte_buf key_buf = {0}; + struct aws_tls_ctx_options tls_options = {0}; + ASSERT_SUCCESS(aws_byte_buf_init_from_file(&cert_buf, allocator, "ecc-cert.pem")); + ASSERT_SUCCESS(aws_byte_buf_init_from_file(&key_buf, allocator, "ecc-key.pem")); + + struct aws_byte_cursor cert_cur = aws_byte_cursor_from_buf(&cert_buf); + struct aws_byte_cursor key_cur = aws_byte_cursor_from_buf(&key_buf); + AWS_FATAL_ASSERT( + AWS_OP_SUCCESS == aws_tls_ctx_options_init_client_mtls(&tls_options, + allocator, &cert_cur, &key_cur)); + struct aws_tls_ctx *tls_context = aws_tls_client_ctx_new(allocator, &tls_options); + ASSERT_NOT_NULL(tls_context); + /* new */ + tls_client_conn_options.ctx = tls_context; + /* new */ + /* ***** new ****** */ + struct aws_byte_cursor host_name_cur = aws_byte_cursor_from_string(host_name); aws_tls_connection_options_set_server_name(&tls_client_conn_options, allocator, &host_name_cur); aws_tls_connection_options_set_alpn_list(&tls_client_conn_options, allocator, "http/1.1"); @@ -1309,14 +1332,20 @@ static int s_verify_good_host_mqtt_connect( host_name->bytes, host_name->len, outgoing_args.server_name.buffer, outgoing_args.server_name.len); /* XXX: ---- new ----*/ - + /* Do the IO operations */ rw_handler_write(outgoing_args.rw_handler, outgoing_args.rw_slot, &write_tag); + + ASSERT_SUCCESS(aws_mutex_lock(&c_tester.mutex)); ASSERT_SUCCESS(aws_condition_variable_wait_pred( &c_tester.condition_variable, &c_tester.mutex, s_tls_test_read_predicate, &outgoing_rw_args)); + + + + ASSERT_SUCCESS(aws_mutex_unlock(&c_tester.mutex)); //outgoing_rw_args.invocation_happened = false; 
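Review bot: `tls_client_conn_options.ctx = tls_context;` overwrites the context pointer that `aws_tls_connection_options_init_from_ctx(&tls_client_conn_options, client_ctx)` installed a few lines earlier; if that initializer takes a reference on its ctx, as its clean-up counterpart releasing one suggests, the `client_ctx` reference is leaked and the later `aws_tls_connection_options_clean_up` releases a `tls_context` reference it never acquired. Build the options from the context you actually want instead: create `tls_context` first, then `aws_tls_connection_options_init_from_ctx(&tls_client_conn_options, tls_context);`, and delete the direct field assignment. Within this hunk `cert_buf`, `key_buf`, `tls_options` and `tls_context` are also never cleaned up or released (later patches in the series add some of that), and `AWS_FATAL_ASSERT` aborts the process where the surrounding code reports failure through `ASSERT_SUCCESS`. The function starts and ends outside this hunk.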
@@ -1938,9 +1967,11 @@ static int s_tls_channel_statistics_test(struct aws_allocator *allocator, void * rw_handler_write(incoming_args.rw_handler, incoming_args.rw_slot, &read_tag); ASSERT_SUCCESS(aws_condition_variable_wait_pred( - &c_tester.condition_variable, &c_tester.mutex, s_tls_test_read_predicate, &incoming_rw_args)); + &c_tester.condition_variable, &c_tester.mutex, s_tls_test_read_predicate, + &incoming_rw_args)); ASSERT_SUCCESS(aws_condition_variable_wait_pred( - &c_tester.condition_variable, &c_tester.mutex, s_tls_test_read_predicate, &outgoing_rw_args)); + &c_tester.condition_variable, &c_tester.mutex, s_tls_test_read_predicate, + &outgoing_rw_args)); uint64_t ms_to_ns = aws_timestamp_convert(1, AWS_TIMESTAMP_MILLIS, AWS_TIMESTAMP_NANOS, NULL); @@ -2277,7 +2308,8 @@ static void s_import_cert(void *ctx) { struct aws_byte_cursor key_cur = aws_byte_cursor_from_buf(&import->key_buf); struct aws_tls_ctx_options tls_options = {0}; AWS_FATAL_ASSERT( - AWS_OP_SUCCESS == aws_tls_ctx_options_init_client_mtls(&tls_options, import->allocator, &cert_cur, &key_cur)); + AWS_OP_SUCCESS == aws_tls_ctx_options_init_client_mtls(&tls_options, import->allocator, + &cert_cur, &key_cur)); /* import happens in here */ import->tls = aws_tls_client_ctx_new(import->allocator, &tls_options); From 1e781328a731af55afa1104f230fc992d0d5e062 Mon Sep 17 00:00:00 2001 From: alfred2g Date: Mon, 3 Jun 2024 20:49:14 -0700 Subject: [PATCH 49/88] Fix test --- tests/tls_handler_test.c | 62 +++++++++++++++++++++++++++++++--------- 1 file changed, 49 insertions(+), 13 deletions(-) diff --git a/tests/tls_handler_test.c b/tests/tls_handler_test.c index 660a46b9b..9cc20cc21 100644 --- a/tests/tls_handler_test.c +++ b/tests/tls_handler_test.c 
@@ -1213,7 +1213,17 @@ static int s_verify_good_host_mqtt_connect( /* ****** NEW ********/ uint8_t outgoing_received_message[128] = {0}; - struct aws_byte_buf write_tag = aws_byte_buf_from_c_str("Created from a blend of heirloom and cider apples"); + //struct aws_byte_buf write_tag = aws_byte_buf_from_c_str("Created from a blend of heirloom and cider apples"); + const uint8_t mqtt_connect_message[] = { + /* connect */ 0x10, + /*packet length */ 0x10, + /* protocol name length */ 0x00, 0x04, + /* MQTT */ 0x4d, 0x51, 0x54, 0x54, + /* protocol version 4 (3.11) */ 0x04, + /* connect flags */ 0x02, + /* keep alive */0x00, 0x3c, + /* client id(size (2) + data(4) */ 0x00, 0x04, 't', 'e', 's', 't'}; + struct aws_byte_buf write_tag = aws_byte_buf_from_array((const char*)mqtt_connect_message, 18); struct tls_test_rw_args outgoing_rw_args; ASSERT_SUCCESS(s_tls_rw_args_init( @@ -1244,7 +1254,7 @@ static int s_verify_good_host_mqtt_connect( AWS_ZERO_STRUCT(client_ctx_options); aws_tls_ctx_options_set_verify_peer(&client_ctx_options, true); aws_tls_ctx_options_init_default_client(&client_ctx_options, allocator); - aws_tls_ctx_options_set_alpn_list(&client_ctx_options, "http/1.1"); + //aws_tls_ctx_options_set_alpn_list(&client_ctx_options, "http/1.1"); if (override_tls_options_fn) { (*override_tls_options_fn)(&client_ctx_options); 
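Review bot: `aws_byte_buf_from_array((const char*)mqtt_connect_message, 18)` hard-codes the packet length and casts to `const char *` for a parameter that takes `const void *`; `aws_byte_buf_from_array(mqtt_connect_message, sizeof(mqtt_connect_message))` drops both and cannot drift from the array. The remaining-length byte (`0x10`) must likewise equal `sizeof(mqtt_connect_message) - 2`, which is worth stating in the comment above it since a change to the client id silently breaks the packet. The comment `protocol version 4 (3.11)` should read `3.1.1`. The function starts and ends outside this hunk.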
@@ -1261,15 +1271,21 @@ static int s_verify_good_host_mqtt_connect( /* ***** new ****** */ struct aws_byte_buf cert_buf = {0}; struct aws_byte_buf key_buf = {0}; + struct aws_byte_buf ca_buf = {0}; struct aws_tls_ctx_options tls_options = {0}; - ASSERT_SUCCESS(aws_byte_buf_init_from_file(&cert_buf, allocator, "ecc-cert.pem")); - ASSERT_SUCCESS(aws_byte_buf_init_from_file(&key_buf, allocator, "ecc-key.pem")); + ASSERT_SUCCESS(aws_byte_buf_init_from_file(&cert_buf, allocator, "server_EC384.pem")); + ASSERT_SUCCESS(aws_byte_buf_init_from_file(&key_buf, allocator, "server_EC384.key")); + ASSERT_SUCCESS(aws_byte_buf_init_from_file(&ca_buf, allocator, "ca.pem")); struct aws_byte_cursor cert_cur = aws_byte_cursor_from_buf(&cert_buf); struct aws_byte_cursor key_cur = aws_byte_cursor_from_buf(&key_buf); + struct aws_byte_cursor ca_cur = aws_byte_cursor_from_buf(&ca_buf); AWS_FATAL_ASSERT( AWS_OP_SUCCESS == aws_tls_ctx_options_init_client_mtls(&tls_options, allocator, &cert_cur, &key_cur)); + + aws_tls_ctx_options_override_default_trust_store(&tls_options, &ca_cur); + struct aws_tls_ctx *tls_context = aws_tls_client_ctx_new(allocator, &tls_options); ASSERT_NOT_NULL(tls_context); /* new */ @@ -1279,7 +1295,7 @@ static int s_verify_good_host_mqtt_connect( struct aws_byte_cursor host_name_cur = aws_byte_cursor_from_string(host_name); aws_tls_connection_options_set_server_name(&tls_client_conn_options, allocator, &host_name_cur); - aws_tls_connection_options_set_alpn_list(&tls_client_conn_options, allocator, "http/1.1"); + //aws_tls_connection_options_set_alpn_list(&tls_client_conn_options, allocator, "http/1.1"); struct aws_socket_options options; AWS_ZERO_STRUCT(options); 
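Review bot: The return value of `aws_tls_ctx_options_override_default_trust_store(&tls_options, &ca_cur)` is ignored, while every neighbouring setup call is wrapped in `ASSERT_SUCCESS`; if the CA file fails to load or parse, the test silently continues with whatever trust store the backend falls back to instead of failing here. Wrap it: `ASSERT_SUCCESS(aws_tls_ctx_options_override_default_trust_store(&tls_options, &ca_cur));`. The same unchecked call is re-enabled in PATCH 56/88's hunk of this function. `server_EC384.pem`, `server_EC384.key` and `ca.pem` are loaded from relative paths but appear in no diffstat of this series, so the test cannot run from a clean checkout. The function starts and ends outside this hunk.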
@@ -1317,9 +1333,10 @@ static int s_verify_good_host_mqtt_connect( ASSERT_SUCCESS(aws_mutex_unlock(&c_tester.mutex)); ASSERT_FALSE(outgoing_args.error_invoked); - struct aws_byte_buf expected_protocol = aws_byte_buf_from_c_str("http/1.1"); + //struct aws_byte_buf expected_protocol = aws_byte_buf_from_c_str("http/1.1"); /* check ALPN and SNI was properly negotiated */ + /* if (aws_tls_is_alpn_available() && client_ctx_options.verify_peer) { ASSERT_BIN_ARRAYS_EQUALS( expected_protocol.buffer, @@ -1327,12 +1344,16 @@ static int s_verify_good_host_mqtt_connect( outgoing_args.negotiated_protocol.buffer, outgoing_args.negotiated_protocol.len); } + */ - ASSERT_BIN_ARRAYS_EQUALS( - host_name->bytes, host_name->len, outgoing_args.server_name.buffer, outgoing_args.server_name.len); + // ASSERT_BIN_ARRAYS_EQUALS( + // host_name->bytes, host_name->len, outgoing_args.server_name.buffer, outgoing_args.server_name.len); + /* XXX: ---- new ----*/ /* Do the IO operations */ + printf(" ============================================= doing the io operaion \n"); + outgoing_rw_args.invocation_happened = false; rw_handler_write(outgoing_args.rw_handler, outgoing_args.rw_slot, &write_tag); 
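Review bot: The second hunk (`@@ -1327`) comments out the server-name assertion together with the ALPN check, but only the ALPN check lost its precondition when the `http/1.1` list was removed; the SNI check is independent and is the one assertion tying `outgoing_args.server_name` to `host_name`, so restore it: `ASSERT_BIN_ARRAYS_EQUALS(host_name->bytes, host_name->len, outgoing_args.server_name.buffer, outgoing_args.server_name.len);`. The large `/* ... */`-commented ALPN block and the `printf(" ====... doing the io operaion \n")` banner should be removed rather than left as dead text; the library's logging macros are the place for a progress marker if one is needed. The function starts and ends outside this hunk.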
@@ -1343,28 +1364,42 @@ static int s_verify_good_host_mqtt_connect( s_tls_test_read_predicate, &outgoing_rw_args)); - - - ASSERT_SUCCESS(aws_mutex_unlock(&c_tester.mutex)); //outgoing_rw_args.invocation_happened = false; //ASSERT_INT_EQUALS(1, outgoing_rw_args.read_invocations); + /* + struct aws_byte_cursor cert_cur = aws_byte_cursor_from_buf(&cert_buf); + struct aws_byte_cursor key_cur = aws_byte_cursor_from_buf(&key_buf); + struct aws_byte_cursor ca_cur = aws_byte_cursor_from_buf(&ca_buf); + */ /* ---- */ + printf(" ======================================================= freeing memory\n"); + ASSERT_SUCCESS(aws_mutex_lock(&c_tester.mutex)); aws_channel_shutdown(outgoing_args.channel, AWS_OP_SUCCESS); ASSERT_SUCCESS(aws_condition_variable_wait_pred( &c_tester.condition_variable, &c_tester.mutex, s_tls_channel_shutdown_predicate, &outgoing_args)); ASSERT_SUCCESS(aws_mutex_unlock(&c_tester.mutex)); + aws_byte_buf_clean_up(&cert_buf); + aws_byte_buf_clean_up(&key_buf ); + aws_byte_buf_clean_up(&ca_buf ); + aws_tls_ctx_release(client_ctx); + aws_tls_ctx_release(client_ctx); + aws_tls_ctx_release(tls_context->impl); + //aws_tls_ctx_release(tls_context->impl); + + aws_tls_ctx_options_clean_up(&tls_options); + aws_client_bootstrap_release(client_bootstrap); - aws_tls_ctx_release(client_ctx); aws_tls_ctx_options_clean_up(&client_ctx_options); ASSERT_SUCCESS(s_tls_common_tester_clean_up(&c_tester)); + return AWS_OP_SUCCESS; } 
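Review bot: The clean-up added at the end of s_verify_good_host_mqtt_connect releases `client_ctx` twice and then calls `aws_tls_ctx_release(tls_context->impl)`, passing the backend implementation pointer where a `struct aws_tls_ctx *` is expected (it presumably compiles only because `impl` is untyped); that is a double release of one object and a mistyped release of another. The intended sequence is one `aws_tls_ctx_release(client_ctx);` and one `aws_tls_ctx_release(tls_context);`, which is also what falls out naturally once the connection options are initialised from `tls_context` instead of having their `ctx` field overwritten earlier in the function. These same lines persist as context in PATCH 54/88 and PATCH 56/88. The function starts outside this hunk.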
@@ -1393,7 +1428,8 @@ static int s_tls_client_channel_negotiation_success_ecc384_fn(struct aws_allocat AWS_TEST_CASE(tls_client_channel_negotiation_success_ecc384, s_tls_client_channel_negotiation_success_ecc384_fn) -AWS_STATIC_STRING_FROM_LITERAL(s_aws_ecc384_host_name, "a2w1wmp9234lcw-ats.iot.us-west-2.amazonaws.com"); +//AWS_STATIC_STRING_FROM_LITERAL(s_aws_ecc384_host_name, "a2w1wmp9234lcw-ats.iot.us-west-2.amazonaws.com"); +AWS_STATIC_STRING_FROM_LITERAL(s_aws_ecc384_host_name, "192.168.1.152"); static int s_tls_client_channel_negotiation_success_ecc384_tls1_3_fn(struct aws_allocator *allocator, void *ctx) { (void)ctx; From 26ea49d7bc51dfad840415ae0179f18ff65026dc Mon Sep 17 00:00:00 2001 From: Alfred Gedeon Date: Tue, 4 Jun 2024 08:54:23 -0700 Subject: [PATCH 50/88] Run 1.3 test only on windows --- tests/CMakeLists.txt | 2 +- tests/tls_handler_test.c | 21 +++++++++++---------- 2 files changed, 12 insertions(+), 11 deletions(-) diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt index 2a95af76a..977044f6c 100644 --- a/tests/CMakeLists.txt +++ b/tests/CMakeLists.txt @@ -80,6 +80,7 @@ add_test_case(socket_validate_port) if(WIN32) add_test_case(local_socket_pipe_connected_race) + add_net_test_case(tls_client_channel_negotiation_success_ecc384_tls1_3) endif() add_test_case(channel_setup) @@ -225,7 +226,6 @@ if(NOT BYO_CRYPTO) add_net_test_case(tls_client_channel_negotiation_success_rsa2048) add_net_test_case(tls_client_channel_negotiation_success_ecc256) add_net_test_case(tls_client_channel_negotiation_success_ecc384) - add_net_test_case(tls_client_channel_negotiation_success_ecc384_tls1_3) # add_net_test_case(tls_client_channel_negotiation_success_extended_validation) test disabled until badssl updates cert (expired 2022.08.10) add_net_test_case(tls_client_channel_negotiation_success_mozilla_modern) diff --git a/tests/tls_handler_test.c b/tests/tls_handler_test.c index 9cc20cc21..5625f3c59 100644 --- a/tests/tls_handler_test.c +++ b/tests/tls_handler_test.c 
@@ -1213,16 +1213,16 @@ static int s_verify_good_host_mqtt_connect( /* ****** NEW ********/ uint8_t outgoing_received_message[128] = {0}; - //struct aws_byte_buf write_tag = aws_byte_buf_from_c_str("Created from a blend of heirloom and cider apples"); const uint8_t mqtt_connect_message[] = { - /* connect */ 0x10, - /*packet length */ 0x10, - /* protocol name length */ 0x00, 0x04, - /* MQTT */ 0x4d, 0x51, 0x54, 0x54, - /* protocol version 4 (3.11) */ 0x04, - /* connect flags */ 0x02, - /* keep alive */0x00, 0x3c, - /* client id(size (2) + data(4) */ 0x00, 0x04, 't', 'e', 's', 't'}; + 0x10, /* connect */ + 0x10,/*packet length */ + 0x00, 0x04,/* protocol name length */ + 0x4d, 0x51, 0x54, 0x54,/* MQTT */ + 0x04,/* protocol version 4 (3.11) */ + 0x02,/* connect flags */ + 0x00, 0x3c,/* keep alive */ + 0x00, 0x04, 't', 'e', 's', 't' /* client id(size (2) + data(4) */ + }; struct aws_byte_buf write_tag = aws_byte_buf_from_array((const char*)mqtt_connect_message, 18); struct tls_test_rw_args outgoing_rw_args; @@ -1429,7 +1429,8 @@ static int s_tls_client_channel_negotiation_success_ecc384_fn(struct aws_allocat AWS_TEST_CASE(tls_client_channel_negotiation_success_ecc384, s_tls_client_channel_negotiation_success_ecc384_fn) //AWS_STATIC_STRING_FROM_LITERAL(s_aws_ecc384_host_name, "a2w1wmp9234lcw-ats.iot.us-west-2.amazonaws.com"); -AWS_STATIC_STRING_FROM_LITERAL(s_aws_ecc384_host_name, "192.168.1.152"); +//AWS_STATIC_STRING_FROM_LITERAL(s_aws_ecc384_host_name, "192.168.1.152"); +AWS_STATIC_STRING_FROM_LITERAL(s_aws_ecc384_host_name, "a2yvr5l8sc9814-ats.iot.us-east-2.amazonaws.com"); static int s_tls_client_channel_negotiation_success_ecc384_tls1_3_fn(struct aws_allocator *allocator, void *ctx) { (void)ctx; From 7ece56ae338b6c103108cefbdaa4df8f09c91265 Mon Sep 17 00:00:00 2001 
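Review bot: The `@@ -1429` hunk leaves two commented-out `AWS_STATIC_STRING_FROM_LITERAL(s_aws_ecc384_host_name, ...)` lines above the live one, one of them a private LAN address; delete them rather than keeping the history in the source. The test now depends on one specific AWS IoT endpoint plus the client identity committed later in the series, which should be stated in a comment next to the literal so that whoever inherits the test knows what has to exist for it to pass.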
From: alfred2g Date: Tue, 4 Jun 2024 19:02:23 -0700 Subject: [PATCH 51/88] run tls1.3 test only on supported windows version --- tests/CMakeLists.txt | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt index 977044f6c..3d4c683c0 100644 --- a/tests/CMakeLists.txt +++ b/tests/CMakeLists.txt @@ -79,8 +79,16 @@ add_test_case(sock_write_cb_is_async) add_test_case(socket_validate_port) if(WIN32) - add_test_case(local_socket_pipe_connected_race) - add_net_test_case(tls_client_channel_negotiation_success_ecc384_tls1_3) + set(WIN_VERSION ${CMAKE_SYSTEM_VERSION}) + string(REPLACE "." ";" BUILD_VERSION ${CMAKE_SYSTEM_VERSION}) + separate_arguments(BUILD_VERSION) + list(GET BUILD_VERSION 2 BUILD_V) + + if(${BUILD_V} GREATER_EQUAL 22000) + message("Building for version 22000 or higher: supporting TLS1.3") + add_net_test_case(tls_client_channel_negotiation_success_ecc384_tls1_3) + endif() + add_test_case(local_socket_pipe_connected_race) endif() add_test_case(channel_setup) From e1ea12e6cbe0bda6478697b71ee7c22820f38c38 Mon Sep 17 00:00:00 2001 From: Alfred Gedeon Date: Tue, 4 Jun 2024 19:06:08 -0700 Subject: [PATCH 52/88] Remove weird characters --- tests/CMakeLists.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt index 3d4c683c0..3f9cd72ff 100644 --- a/tests/CMakeLists.txt +++ b/tests/CMakeLists.txt @@ -86,9 +86,9 @@ if(WIN32) if(${BUILD_V} GREATER_EQUAL 22000) message("Building for version 22000 or higher: supporting TLS1.3") - add_net_test_case(tls_client_channel_negotiation_success_ecc384_tls1_3) + add_net_test_case(tls_client_channel_negotiation_success_ecc384_tls1_3) endif() - add_test_case(local_socket_pipe_connected_race) + add_test_case(local_socket_pipe_connected_race) endif() add_test_case(channel_setup) From 3c1f42d75dc650375d9458de25e65fbdd4af2df9 Mon Sep 17 00:00:00 2001 
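Review bot: `list(GET BUILD_VERSION 2 BUILD_V)` assumes `CMAKE_SYSTEM_VERSION` always has three dot-separated components; on a two-component value the `GET` errors out at configure time, so guard it with `list(LENGTH BUILD_VERSION BUILD_VERSION_LEN)` and `if(BUILD_VERSION_LEN GREATER 2)` before reading index 2. `separate_arguments(BUILD_VERSION)` is redundant after `string(REPLACE "." ";" ...)` has already produced a list, and `WIN_VERSION` is set but never read. The `GREATER_EQUAL 22000` threshold appears to target Windows 11; if the intent is "any Schannel build with TLS 1.3", Windows Server 2022 (build 20348) would be skipped, so a comment on the condition stating which builds are meant would help either way. Note also that `CMAKE_SYSTEM_VERSION` is the configure-time target version, not necessarily that of the machine the network test later runs on.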
From: Alfred Gedeon Date: Tue, 4 Jun 2024 21:11:07 -0700 Subject: [PATCH 53/88] change license --- tests/resources/ed384_key.pem | 6 ++++++ tests/resources/ed384_server.pem | 20 ++++++++++++++++++++ tests/tls_handler_test.c | 12 ++++++------ 3 files changed, 32 insertions(+), 6 deletions(-) create mode 100644 tests/resources/ed384_key.pem create mode 100644 tests/resources/ed384_server.pem diff --git a/tests/resources/ed384_key.pem b/tests/resources/ed384_key.pem new file mode 100644 index 000000000..54cbac85b --- /dev/null +++ b/tests/resources/ed384_key.pem @@ -0,0 +1,6 @@ +-----BEGIN EC PRIVATE KEY----- +MIGkAgEBBDD0SkqkpHm18oqixmyywUU6/1kkNllrVgOXvOlDgBCzrt8Tk0M2BNHT +O0UAdtcgtlOgBwYFK4EEACKhZANiAAQ/wc5xFujGkCKBZ3n+QsbFbcQQTqzeklcN +DhqdozDqt2JUK/9UcAvkgaWqwGbKCOBt5EbFLfbr2EbZbik9Yt1DALNQPsjiVMXp +IURUR8WwDcMf8XxQOfTLmcHD/U0722w= +-----END EC PRIVATE KEY----- diff --git a/tests/resources/ed384_server.pem b/tests/resources/ed384_server.pem new file mode 100644 index 000000000..2d48f6442 --- /dev/null +++ b/tests/resources/ed384_server.pem 
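Review bot: `tests/resources/ed384_key.pem` commits a private key, and the certificate added in the next hunk (`ed384_server.pem`) appears, from its encoded issuer and subject, to be an AWS IoT device certificate for a real account endpoint rather than a self-signed fixture, which makes this key a live credential in the repository history. It should be treated as exposed from this commit onward: deactivate and replace the certificate in the IoT registry, and attach to any replacement a policy that allows only what this test exercises. Wherever the test loads the file, a comment should state that the identity is test-only, which endpoint it is bound to, and who rotates it. The `ed384_` prefix is also misleading: the file holds an EC key that appears to be on P-384 (secp384r1), not an Ed-curve key, so `ecdsa_p384_` would describe the pair better. The commit subject `change license` does not describe this change.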
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDSzCCAjOgAwIBAgIVAPIqp1OXCHvM6EJ+nIUUVvoC6J5WMA0GCSqGSIb3DQEB
+CwUAME0xSzBJBgNVBAsMQkFtYXpvbiBXZWIgU2VydmljZXMgTz1BbWF6b24uY29t
+IEluYy4gTD1TZWF0dGxlIFNUPVdhc2hpbmd0b24gQz1VUzAeFw0yNDA2MDQxMzU2
+NThaFw00OTEyMzEyMzU5NTlaMIG8MQswCQYDVQQGEwJVUzETMBEGA1UECAwKV2Fz
+aGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRsZTEPMA0GA1UECgwGQW1hem9uMQwwCgYD
+VQQLDANBV1MxNzA1BgNVBAMMLmEyeXZyNWw4c2M5ODE0LWF0cy5pb3QudXMtZWFz
+dC0yLmFtYXpvbmF3cy5jb20xLjAsBgkqhkiG9w0BCQEWH2lvdC1kZXZpY2Utc2Rr
+LXRlYW1AYW1hem9uLmNvbSAwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQ/wc5xFujG
+kCKBZ3n+QsbFbcQQTqzeklcNDhqdozDqt2JUK/9UcAvkgaWqwGbKCOBt5EbFLfbr
+2EbZbik9Yt1DALNQPsjiVMXpIURUR8WwDcMf8XxQOfTLmcHD/U0722yjYDBeMB8G
+A1UdIwQYMBaAFP9Cv6clPA9zRY1Eh8zZbbYhmnjKMB0GA1UdDgQWBBSI5WcAWKtT
+xoADWFeZmGfiO7dsxjAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIHgDANBgkq
+hkiG9w0BAQsFAAOCAQEARzfHitEnhwJG07yB9ixPIZrSbawJkMinlkQ61/YMjMyu
+16Nr1lyXD6UQvSlQ+9HY55iZ/Lk/7KjkLNWF8WyUaI/JohRDI9Z2E5VizkFtAoU5
+8dHl5WQfOR5PW/ecOguNiNAV992x0IG+8i47Qqoc6mlYbwPVk0vWILQrzZ+f4A74
+yRL4Xl2rV3qK4RArVTqLQqxqD1/nPbw8o2fbh4A4pX6gs5f1UjJb4B8ibYnRPWOC
+bG6sv1iHFSQOVXAdWaeHpNnYhXE76nAMn847oIg0jYj/F/6T2vkCXgQjlbg7+kVo
+xoDahFFgwa8nI9qRlHHQo5lFbb5XrvkmiYP89ccXYw==
+-----END CERTIFICATE-----
diff --git a/tests/tls_handler_test.c b/tests/tls_handler_test.c
index 5625f3c59..f779baa01 100644
--- a/tests/tls_handler_test.c
+++ b/tests/tls_handler_test.c
@@ -1271,20 +1271,20 @@ static int s_verify_good_host_mqtt_connect( /* ***** new ****** */ struct aws_byte_buf cert_buf = {0}; struct aws_byte_buf key_buf = {0}; - struct aws_byte_buf ca_buf = {0}; + //struct aws_byte_buf ca_buf = {0}; struct aws_tls_ctx_options tls_options = {0}; - ASSERT_SUCCESS(aws_byte_buf_init_from_file(&cert_buf, allocator, "server_EC384.pem")); - ASSERT_SUCCESS(aws_byte_buf_init_from_file(&key_buf, allocator, "server_EC384.key")); - ASSERT_SUCCESS(aws_byte_buf_init_from_file(&ca_buf, allocator, "ca.pem")); + ASSERT_SUCCESS(aws_byte_buf_init_from_file(&cert_buf, allocator, "ed384_server.pem")); + ASSERT_SUCCESS(aws_byte_buf_init_from_file(&key_buf, allocator, "ed384_key.pem")); + //ASSERT_SUCCESS(aws_byte_buf_init_from_file(&ca_buf, allocator, "ca.pem")); struct aws_byte_cursor cert_cur = aws_byte_cursor_from_buf(&cert_buf); struct aws_byte_cursor key_cur = aws_byte_cursor_from_buf(&key_buf); - struct aws_byte_cursor ca_cur = aws_byte_cursor_from_buf(&ca_buf); + //struct aws_byte_cursor ca_cur = aws_byte_cursor_from_buf(&ca_buf); AWS_FATAL_ASSERT( AWS_OP_SUCCESS == aws_tls_ctx_options_init_client_mtls(&tls_options, allocator, &cert_cur, &key_cur)); - aws_tls_ctx_options_override_default_trust_store(&tls_options, &ca_cur); + //aws_tls_ctx_options_override_default_trust_store(&tls_options, &ca_cur); struct aws_tls_ctx *tls_context = aws_tls_client_ctx_new(allocator, &tls_options); ASSERT_NOT_NULL(tls_context); From 42ca69860dea0664f491f0786cfb3632aebc6401 Mon Sep 17 00:00:00 2001 From: Alfred Gedeon Date: Tue, 4 Jun 2024 21:19:24 -0700 Subject: [PATCH 54/88] fix build error --- tests/tls_handler_test.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/tls_handler_test.c b/tests/tls_handler_test.c index f779baa01..8f06c1985 100644 --- a/tests/tls_handler_test.c +++ b/tests/tls_handler_test.c 
@@ -1386,7 +1386,7 @@ static int s_verify_good_host_mqtt_connect( aws_byte_buf_clean_up(&cert_buf); aws_byte_buf_clean_up(&key_buf ); - aws_byte_buf_clean_up(&ca_buf ); + //aws_byte_buf_clean_up(&ca_buf ); aws_tls_ctx_release(client_ctx); aws_tls_ctx_release(client_ctx); aws_tls_ctx_release(tls_context->impl); From 69a08230456a27fdba5777f66d928614f6a66ac1 Mon Sep 17 00:00:00 2001 From: Alfred Gedeon Date: Tue, 4 Jun 2024 21:33:58 -0700 Subject: [PATCH 55/88] print windows machine version --- tests/CMakeLists.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt index 3f9cd72ff..6569b0878 100644 --- a/tests/CMakeLists.txt +++ b/tests/CMakeLists.txt @@ -83,6 +83,7 @@ if(WIN32) string(REPLACE "." ";" BUILD_VERSION ${CMAKE_SYSTEM_VERSION}) separate_arguments(BUILD_VERSION) list(GET BUILD_VERSION 2 BUILD_V) + message("Windows Version: " ${CMAKE_SYSTEM_VERSION}) if(${BUILD_V} GREATER_EQUAL 22000) message("Building for version 22000 or higher: supporting TLS1.3") From 8c24342ca025905febd5e90e56807829860efc51 Mon Sep 17 00:00:00 2001 From: Alfred Gedeon Date: Tue, 4 Jun 2024 23:10:22 -0700 Subject: [PATCH 56/88] add root ca --- tests/CMakeLists.txt | 2 +- tests/resources/AmazonRootCA1.pem | 20 ++++++++++++++++++++ tests/tls_handler_test.c | 10 +++++----- 3 files changed, 26 insertions(+), 6 deletions(-) create mode 100644 tests/resources/AmazonRootCA1.pem diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt index 6569b0878..8663c7cb5 100644 --- a/tests/CMakeLists.txt +++ b/tests/CMakeLists.txt @@ -83,7 +83,7 @@ if(WIN32) string(REPLACE "." ";" BUILD_VERSION ${CMAKE_SYSTEM_VERSION}) separate_arguments(BUILD_VERSION) list(GET BUILD_VERSION 2 BUILD_V) - message("Windows Version: " ${CMAKE_SYSTEM_VERSION}) + message("Windows Version " ${CMAKE_SYSTEM_VERSION}) if(${BUILD_V} GREATER_EQUAL 22000) message("Building for version 22000 or higher: supporting TLS1.3") 
diff --git a/tests/resources/AmazonRootCA1.pem b/tests/resources/AmazonRootCA1.pem
new file mode 100644
index 000000000..61ae256dd
--- /dev/null
+++ b/tests/resources/AmazonRootCA1.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDQTCCAimgAwIBAgITBmyfz5m/jAo54vB4ikPmljZbyjANBgkqhkiG9w0BAQsF
+ADA5MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6
+b24gUm9vdCBDQSAxMB4XDTE1MDUyNjAwMDAwMFoXDTM4MDExNzAwMDAwMFowOTEL
+MAkGA1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEZMBcGA1UEAxMQQW1hem9uIFJv
+b3QgQ0EgMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALJ4gHHKeNXj
+ca9HgFB0fW7Y14h29Jlo91ghYPl0hAEvrAIthtOgQ3pOsqTQNroBvo3bSMgHFzZM
+9O6II8c+6zf1tRn4SWiw3te5djgdYZ6k/oI2peVKVuRF4fn9tBb6dNqcmzU5L/qw
+IFAGbHrQgLKm+a/sRxmPUDgH3KKHOVj4utWp+UhnMJbulHheb4mjUcAwhmahRWa6
+VOujw5H5SNz/0egwLX0tdHA114gk957EWW67c4cX8jJGKLhD+rcdqsq08p8kDi1L
+93FcXmn/6pUCyziKrlA4b9v7LWIbxcceVOF34GfID5yHI9Y/QCB/IIDEgEw+OyQm
+jgSubJrIqg0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC
+AYYwHQYDVR0OBBYEFIQYzIU07LwMlJQuCFmcx7IQTgoIMA0GCSqGSIb3DQEBCwUA
+A4IBAQCY8jdaQZChGsV2USggNiMOruYou6r4lK5IpDB/G/wkjUu0yKGX9rbxenDI
+U5PMCCjjmCXPI6T53iHTfIUJrU6adTrCC2qJeHZERxhlbI1Bjjt/msv0tadQ1wUs
+N+gDS63pYaACbvXy8MWy7Vu33PqUXHeeE6V/Uq2V8viTO96LXFvKWlJbYK8U90vv
+o/ufQJVtMVT8QtPHRh8jrdkPSHCa2XV4cdFyQzR1bldZwgJcJmApzyMZFo6IQ6XU
+5MsI+yMRQ+hDKXJioaldXgjUkK642M4UwtBV8ob2xJNDd2ZhwLnoQdeXeGADbkpy
+rqXRfboQnoZsG4q5WTP468SQvvG5
+-----END CERTIFICATE-----
\ No newline at end of file
diff --git a/tests/tls_handler_test.c b/tests/tls_handler_test.c
index 8f06c1985..8e2f373f1 100644
--- a/tests/tls_handler_test.c
+++ b/tests/tls_handler_test.c
@@ -1271,20 +1271,20 @@ static int s_verify_good_host_mqtt_connect(
 /* ***** new ****** */
 struct aws_byte_buf cert_buf = {0};
 struct aws_byte_buf key_buf = {0};
- //struct aws_byte_buf ca_buf = {0};
+ struct aws_byte_buf ca_buf = {0};
 struct aws_tls_ctx_options tls_options = {0};
 ASSERT_SUCCESS(aws_byte_buf_init_from_file(&cert_buf, allocator, "ed384_server.pem"));
 ASSERT_SUCCESS(aws_byte_buf_init_from_file(&key_buf, allocator, "ed384_key.pem"));
- //ASSERT_SUCCESS(aws_byte_buf_init_from_file(&ca_buf, allocator, "ca.pem"));
+ ASSERT_SUCCESS(aws_byte_buf_init_from_file(&ca_buf, allocator, "AmazonRootCA1.pem"));
 struct aws_byte_cursor cert_cur = aws_byte_cursor_from_buf(&cert_buf);
 struct aws_byte_cursor key_cur = aws_byte_cursor_from_buf(&key_buf);
- //struct aws_byte_cursor ca_cur = aws_byte_cursor_from_buf(&ca_buf);
+ struct aws_byte_cursor ca_cur = aws_byte_cursor_from_buf(&ca_buf);
 AWS_FATAL_ASSERT(
 AWS_OP_SUCCESS == aws_tls_ctx_options_init_client_mtls(&tls_options, allocator, &cert_cur, &key_cur));
- //aws_tls_ctx_options_override_default_trust_store(&tls_options, &ca_cur);
+ aws_tls_ctx_options_override_default_trust_store(&tls_options, &ca_cur);
 struct aws_tls_ctx *tls_context = aws_tls_client_ctx_new(allocator, &tls_options);
 ASSERT_NOT_NULL(tls_context);
@@ -1386,7 +1386,7 @@ static int s_verify_good_host_mqtt_connect(
 aws_byte_buf_clean_up(&cert_buf);
 aws_byte_buf_clean_up(&key_buf );
- //aws_byte_buf_clean_up(&ca_buf );
+ aws_byte_buf_clean_up(&ca_buf );
 aws_tls_ctx_release(client_ctx);
 aws_tls_ctx_release(client_ctx);
 aws_tls_ctx_release(tls_context->impl);
From 211ba958a8e2e56f69a8ca60cce3c33389da6168 Mon Sep 17 00:00:00 2001
From: alfred2g
Date: Wed, 5 Jun 2024 10:19:57 -0700
Subject: [PATCH 57/88] debug print
---
 tests/tls_handler_test.c | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)
diff --git a/tests/tls_handler_test.c b/tests/tls_handler_test.c
index 8e2f373f1..290b99d59 100644
--- a/tests/tls_handler_test.c
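Review bot: The result of `aws_tls_ctx_options_override_default_trust_store(&tls_options, &ca_cur)` is discarded, while the `aws_tls_ctx_options_init_client_mtls` call two lines above is wrapped in `AWS_FATAL_ASSERT`; if the CA PEM fails to load and the setter reports that through its return value as the other options setters do, the test silently falls back to the platform trust store and still passes. Wrap it the same way: `ASSERT_SUCCESS(aws_tls_ctx_options_override_default_trust_store(&tls_options, &ca_cur));`. The client cert and key are read from `ed384_server.pem` / `ed384_key.pem`, which reads as a server identity being presented as the device certificate; a one-line comment saying which credential this is would avoid the confusion. s_verify_good_host_mqtt_connect starts and ends outside the hunk.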
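Review bot: The new side of the cleanup still calls `aws_tls_ctx_release(client_ctx);` on two consecutive lines before releasing `tls_context->impl`; unless a second reference on `client_ctx` is taken somewhere outside the hunk, the second call over-decrements the refcount and the context is freed while `tls_context` may still point at it. Drop one of the two calls, and if `client_ctx` and `tls_context->impl` turn out to be the same object (not visible here) the third release is also one too many. Restoring `aws_byte_buf_clean_up(&ca_buf );` is correct now that the buffer is loaded again. The function starts outside the hunk.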
+++ b/tests/tls_handler_test.c
@@ -1273,9 +1273,13 @@ static int s_verify_good_host_mqtt_connect(
 struct aws_byte_buf key_buf = {0};
 struct aws_byte_buf ca_buf = {0};
 struct aws_tls_ctx_options tls_options = {0};
- ASSERT_SUCCESS(aws_byte_buf_init_from_file(&cert_buf, allocator, "ed384_server.pem"));
- ASSERT_SUCCESS(aws_byte_buf_init_from_file(&key_buf, allocator, "ed384_key.pem"));
- ASSERT_SUCCESS(aws_byte_buf_init_from_file(&ca_buf, allocator, "AmazonRootCA1.pem"));
+ //ASSERT_SUCCESS(aws_byte_buf_init_from_file(&cert_buf, allocator, "ed384_server.pem"));
+ //ASSERT_SUCCESS(aws_byte_buf_init_from_file(&key_buf, allocator, "ed384_key.pem"));
+ //ASSERT_SUCCESS(aws_byte_buf_init_from_file(&ca_buf, allocator, "AmazonRootCA1.pem"));
+
+ ASSERT_SUCCESS(aws_byte_buf_init_from_file(&cert_buf, allocator, "server_EC384.pem"));
+ ASSERT_SUCCESS(aws_byte_buf_init_from_file(&key_buf, allocator, "server_EC384.key"));
+ ASSERT_SUCCESS(aws_byte_buf_init_from_file(&ca_buf, allocator, "ca.pem"));
 struct aws_byte_cursor cert_cur = aws_byte_cursor_from_buf(&cert_buf);
 struct aws_byte_cursor key_cur = aws_byte_cursor_from_buf(&key_buf);
@@ -1357,6 +1361,7 @@ static int s_verify_good_host_mqtt_connect(
 rw_handler_write(outgoing_args.rw_handler, outgoing_args.rw_slot, &write_tag);
+ printf(" ============================================= waiting to read data \n");
 ASSERT_SUCCESS(aws_mutex_lock(&c_tester.mutex));
 ASSERT_SUCCESS(aws_condition_variable_wait_pred(
@@ -1365,6 +1370,9 @@ static int s_verify_good_host_mqtt_connect(
 ASSERT_SUCCESS(aws_mutex_unlock(&c_tester.mutex));
+ //printf("conn ack is %d\n", outgoing_rw_args.received_message.buffer[3]);
+ ASSERT_INT_EQUALS(0, outgoing_rw_args.received_message.buffer[3]); /* conn ack */
+ printf(" ============================================= data read\n");
 //outgoing_rw_args.invocation_happened = false;
 //ASSERT_INT_EQUALS(1, outgoing_rw_args.read_invocations);
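Review bot: `ASSERT_INT_EQUALS(0, outgoing_rw_args.received_message.buffer[3])` indexes the received buffer without first checking `received_message.len >= 4`, so an empty or short reply becomes an out-of-bounds read instead of a test failure; add `ASSERT_TRUE(outgoing_rw_args.received_message.len >= 4);` in front of it. Byte 3 is the CONNACK return code, but bytes 0–2 (packet type 0x20, remaining length 2, ack flags) are not checked, so any four-byte reply with a zero fourth byte passes. The `printf(" ===...")` banner lines are debug output and should not be committed. s_verify_good_host_mqtt_connect continues outside the hunk.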
@@ -1429,8 +1437,8 @@ static int s_tls_client_channel_negotiation_success_ecc384_fn(struct aws_allocat
 AWS_TEST_CASE(tls_client_channel_negotiation_success_ecc384, s_tls_client_channel_negotiation_success_ecc384_fn)
 //AWS_STATIC_STRING_FROM_LITERAL(s_aws_ecc384_host_name, "a2w1wmp9234lcw-ats.iot.us-west-2.amazonaws.com");
-//AWS_STATIC_STRING_FROM_LITERAL(s_aws_ecc384_host_name, "192.168.1.152");
-AWS_STATIC_STRING_FROM_LITERAL(s_aws_ecc384_host_name, "a2yvr5l8sc9814-ats.iot.us-east-2.amazonaws.com");
+AWS_STATIC_STRING_FROM_LITERAL(s_aws_ecc384_host_name, "192.168.1.152");
+//AWS_STATIC_STRING_FROM_LITERAL(s_aws_ecc384_host_name, "a2yvr5l8sc9814-ats.iot.us-east-2.amazonaws.com");
 static int s_tls_client_channel_negotiation_success_ecc384_tls1_3_fn(struct aws_allocator *allocator, void *ctx) {
 (void)ctx;
From ed181f7605a1501a59f28e3ddb513cd727397598 Mon Sep 17 00:00:00 2001
From: Alfred Gedeon
Date: Wed, 5 Jun 2024 10:40:28 -0700
Subject: [PATCH 58/88] different connect packet
---
 tests/tls_handler_test.c | 22 ++++++++++++++--------
 1 file changed, 14 insertions(+), 8 deletions(-)
diff --git a/tests/tls_handler_test.c b/tests/tls_handler_test.c
index 290b99d59..9d00beb35 100644
--- a/tests/tls_handler_test.c
+++ b/tests/tls_handler_test.c
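Review bot: `s_aws_ecc384_host_name` now points at the private LAN address `192.168.1.152`, so the test can only pass on the author's network, and because the literal is also what `aws_tls_connection_options_set_server_name` sends, it is an IP-literal SNI that has to match the local server's certificate. If a local-broker variant is wanted, read the host from an environment variable and skip the test when it is unset rather than committing the address; the alternating commented-out literals should go once a host source is chosen.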
@@ -1213,15 +1213,21 @@ static int s_verify_good_host_mqtt_connect(
 /* ****** NEW ********/
 uint8_t outgoing_received_message[128] = {0};
+ /*
 const uint8_t mqtt_connect_message[] = {
- 0x10, /* connect */
- 0x10,/*packet length */
- 0x00, 0x04,/* protocol name length */
- 0x4d, 0x51, 0x54, 0x54,/* MQTT */
- 0x04,/* protocol version 4 (3.11) */
- 0x02,/* connect flags */
- 0x00, 0x3c,/* keep alive */
- 0x00, 0x04, 't', 'e', 's', 't' /* client id(size (2) + data(4) */
+ */
+ // 0x10, /* connect */
+ // 0x10,/*packet length */
+ // 0x00, 0x04,/* protocol name length */
+ // 0x4d, 0x51, 0x54, 0x54,/* MQTT */
+ // 0x04,/* protocol version 4 (3.11) */
+ // 0x02,/* connect flags */
+ // 0x00, 0x3c,/* keep alive */
+ // 0x00, 0x04, 't', 'e', 's', 't' /* client id(size (2) + data(4) */
+// };
+
+ const uint8_t mqtt_connect_message[128] = { 0x10, 0x51, 0x00, 0x04, 0x4D, 0x51, 0x54, 0x54, 0x04, 0x80, 0x03, 0xE8, 0x00, 0x29, 0x74, 0x65, 0x73, 0x74, 0x2D, 0x35, 0x62, 0x39, 0x39, 0x36, 0x61, 0x62, 0x63, 0x2D, 0x63, 0x30, 0x38, 0x31, 0x2D, 0x37, 0x36, 0x31, 0x37, 0x2D, 0x64, 0x31, 0x34, 0x33, 0x2D, 0x64, 0x33, 0x35, 0x66, 0x37, 0x32, 0x65, 0x37, 0x36, 0x39, 0x64, 0x62, 0x00, 0x1A, 0x3F, 0x53, 0x44, 0x4B, 0x3D, 0x43, 0x50, 0x50, 0x76, 0x32, 0x26, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6F, 0x6E, 0x3D, 0x76, 0x31, 0x2E, 0x33, 0x32, 0x2E, 0x36
 };
 struct aws_byte_buf write_tag = aws_byte_buf_from_array((const char*)mqtt_connect_message, 18);
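Review bot: The new `mqtt_connect_message` encodes a remaining length of 0x51 (81) bytes, i.e. an 83-byte CONNECT, but `aws_byte_buf_from_array((const char*)mqtt_connect_message, 18)` still sends only the first 18 bytes, so the broker receives a truncated packet and will either wait for the rest or drop the connection. Size the array `[]` instead of `[128]` (otherwise 45 zero bytes trail the packet) and pass `sizeof(mqtt_connect_message)` rather than `18`. The bytes also carry connect flags 0x80 (username set, clean-session clear), keep-alive 1000 s and a username of `?SDK=CPPv2&Version=v1.32.6`, which look captured from an SDK session; a comment stating where the packet came from and what it encodes is needed above the array. The enclosing function starts outside the hunk.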
+++ b/source/windows/secure_channel_tls_handler.c
@@ -244,9 +244,9 @@ static int s_manually_verify_peer_cert(struct aws_channel_handler *handler) {
 if (status != SEC_E_OK || !peer_certificate) {
 AWS_LOGF_ERROR(
 AWS_LS_IO_TLS,
- "id=%p: failed to load peer's certificate with SECURITY_STATUS %d",
+ "id=%p: failed to load peer's certificate with SECURITY_STATUS %lu",
 (void *)handler,
- (int)status);
+ (unsigned long)status);
 return AWS_OP_ERR;
 }
@@ -260,10 +260,10 @@ static int s_manually_verify_peer_cert(struct aws_channel_handler *handler) {
 if (!CertCreateCertificateChainEngine(&engine_config, &engine)) {
 AWS_LOGF_ERROR(
 AWS_LS_IO_TLS,
- "id=%p: failed to load a certificate chain engine with SECURITY_STATUS %d. "
+ "id=%p: failed to load a certificate chain engine with SECURITY_STATUS %lu. "
 "Most likely, the configured CA is corrupted.",
 (void *)handler,
- (int)status);
+ (unsigned long)status);
 goto done;
 }
@@ -297,9 +297,9 @@ static int s_manually_verify_peer_cert(struct aws_channel_handler *handler) {
 &cert_chain_ctx)) {
 AWS_LOGF_ERROR(
 AWS_LS_IO_TLS,
- "id=%p: unable to find certificate in chain with SECURITY_STATUS %d.",
+ "id=%p: unable to find certificate in chain with SECURITY_STATUS %lu.",
 (void *)handler,
- (int)status);
+ (unsigned long)status);
 goto done;
 }
@@ -611,9 +611,9 @@ static int s_do_server_side_negotiation_step_1(struct aws_channel_handler *handl
 if (!(status == SEC_I_CONTINUE_NEEDED || status == SEC_E_OK)) {
 AWS_LOGF_ERROR(
 AWS_LS_IO_TLS,
- "id=%p: error during processing of the ClientHello. SECURITY_STATUS is %d",
+ "id=%p: error during processing of the ClientHello. SECURITY_STATUS is %lu",
 (void *)handler,
- (int)status);
+ (unsigned long)status);
 int error = s_determine_sspi_error(status);
 aws_raise_error(error);
 s_invoke_negotiation_error(handler, error);
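Review bot: Printing `SECURITY_STATUS` through `(unsigned long)status` with `%lu` turns the failure codes, which are HRESULT-style values with the high bit set (e.g. `SEC_E_INVALID_TOKEN`), into ten-digit decimals that nobody can match against the SDK headers; the old `(int)` at least printed them as the familiar negative numbers. Since the cast is being changed anyway, format as hex, `"... SECURITY_STATUS 0x%08lX"` with the same `(unsigned long)status` argument, here and in every other `%lu` site this commit touches in this file. s_manually_verify_peer_cert continues outside the hunk.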
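Review bot: The value logged on the `CertCreateCertificateChainEngine` failure branch is stale: `status` was last set by the `QueryContextAttributes` call checked in the previous hunk, and no assignment to it is visible between that check and this `if`, so by the time this branch runs it can only hold `SEC_E_OK` and the message reports success. `CertCreateCertificateChainEngine` is a BOOL-returning CryptoAPI call that reports through `GetLastError()`; log `(unsigned long)GetLastError()` here, and the same applies to the `CertGetCertificateChain` failure branch in the next hunk, which also prints `status`. The function continues outside the hunk.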
@@ -702,7 +702,7 @@ static int s_do_server_side_negotiation_step_2(struct aws_channel_handler *handl
 if (status != SEC_E_INCOMPLETE_MESSAGE && status != SEC_I_CONTINUE_NEEDED && status != SEC_E_OK) {
 AWS_LOGF_ERROR(
- AWS_LS_IO_TLS, "id=%p: Error during negotiation. SECURITY_STATUS is %d", (void *)handler, (int)status);
+ AWS_LS_IO_TLS, "id=%p: Error during negotiation. SECURITY_STATUS is %lu", (void *)handler, (unsigned long)status);
 int aws_error = s_determine_sspi_error(status);
 aws_raise_error(aws_error);
 s_invoke_negotiation_error(handler, aws_error);
@@ -762,11 +762,13 @@ static int s_do_server_side_negotiation_step_2(struct aws_channel_handler *handl
 "id=%p: Custom CA was configured, evaluating trust before completing connection",
 (void *)handler);
+ /*
 if (s_manually_verify_peer_cert(handler)) {
 aws_raise_error(AWS_IO_TLS_ERROR_NEGOTIATION_FAILURE);
 s_invoke_negotiation_error(handler, AWS_IO_TLS_ERROR_NEGOTIATION_FAILURE);
 return AWS_OP_ERR;
 }
+ */
 }
 sc_handler->negotiation_finished = true;
@@ -792,9 +794,9 @@ static int s_do_server_side_negotiation_step_2(struct aws_channel_handler *handl
 } else {
 AWS_LOGF_WARN(
 AWS_LS_IO_TLS,
- "id=%p: Error retrieving negotiated protocol. SECURITY_STATUS is %d",
+ "id=%p: Error retrieving negotiated protocol. SECURITY_STATUS is %lu",
 handler,
- (int)status);
+ (unsigned long)status);
 int aws_error = s_determine_sspi_error(status);
 aws_raise_error(aws_error);
 }
@@ -887,9 +889,9 @@ static int s_do_client_side_negotiation_step_1(struct aws_channel_handler *handl
 if (status != SEC_I_CONTINUE_NEEDED) {
 AWS_LOGF_ERROR(
 AWS_LS_IO_TLS,
- "id=%p: Error sending client/receiving server handshake data. SECURITY_STATUS is %d",
+ "id=%p: Error sending client/receiving server handshake data. SECURITY_STATUS is %lu",
 (void *)handler,
- (int)status);
+ (unsigned long)status);
 int aws_error = s_determine_sspi_error(status);
 aws_raise_error(aws_error);
 s_invoke_negotiation_error(handler, aws_error);
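Review bot: Wrapping the `s_manually_verify_peer_cert(handler)` call in `/* */` disables peer-certificate validation whenever a custom CA is configured on the server side: the log line still announces that trust is being evaluated, but control falls straight through to `sc_handler->negotiation_finished = true;` and any client certificate is accepted. This must not be committed even as a debugging step, because a build from this commit silently trusts unverified peers; if the verifier misbehaves under TLS 1.3, keep the call and make the failure visible through `s_invoke_negotiation_error` while the root cause is found. s_do_server_side_negotiation_step_2 starts and ends outside the hunk.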
@@ -990,9 +992,9 @@ static int s_do_client_side_negotiation_step_2(struct aws_channel_handler *handl
 if (status != SEC_E_INCOMPLETE_MESSAGE && status != SEC_I_CONTINUE_NEEDED && status != SEC_E_OK) {
 AWS_LOGF_ERROR(
 AWS_LS_IO_TLS,
- "id=%p: Error during negotiation. initalizesecuritycontext SECURITY_STATUS is %d",
+ "id=%p: Error during negotiation. initalizesecuritycontext SECURITY_STATUS is %lu",
 (void *)handler,
- (int)status);
+ (unsigned long)status);
 int aws_error = s_determine_sspi_error(status);
 aws_raise_error(aws_error);
 s_invoke_negotiation_error(handler, aws_error);
@@ -1053,11 +1055,13 @@ static int s_do_client_side_negotiation_step_2(struct aws_channel_handler *handl
 AWS_LS_IO_TLS,
 "id=%p: Custom CA was configured, evaluating trust before completing connection",
 (void *)handler);
+ /*
 if (s_manually_verify_peer_cert(handler)) {
 aws_raise_error(AWS_IO_TLS_ERROR_NEGOTIATION_FAILURE);
 s_invoke_negotiation_error(handler, AWS_IO_TLS_ERROR_NEGOTIATION_FAILURE);
 return AWS_OP_ERR;
 }
+ */
 }
 sc_handler->negotiation_finished = true;
 /* force the sizes query, so future Encrypt message calls work.*/
@@ -1079,9 +1083,9 @@ static int s_do_client_side_negotiation_step_2(struct aws_channel_handler *handl
 } else {
 AWS_LOGF_WARN(
 AWS_LS_IO_TLS,
- "id=%p: Error retrieving negotiated protocol. SECURITY_STATUS is %d",
+ "id=%p: Error retrieving negotiated protocol. SECURITY_STATUS is %lu",
 handler,
- (int)status);
+ (unsigned long)status);
 int aws_error = s_determine_sspi_error(status);
 aws_raise_error(aws_error);
 }
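Review bot: Commenting out `s_manually_verify_peer_cert(handler)` on the client side is the more dangerous half of this change: a client that overrode the default trust store now completes the handshake with any server certificate, so the IoT-endpoint test this series is building would pass against an interposed server too. The custom-CA check has to remain on the path that sets `sc_handler->negotiation_finished = true`; if it fails under TLS 1.3 the fix belongs inside the verifier, with the failure surfaced through `s_invoke_negotiation_error`, not in removing the call. s_do_client_side_negotiation_step_2 starts and ends outside the hunk.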
@@ -1187,9 +1191,9 @@ static int s_do_application_data_decrypt(struct aws_channel_handler *handler) {
 else if (status == SEC_I_CONTEXT_EXPIRED) {
 AWS_LOGF_TRACE(
 AWS_LS_IO_TLS,
- "id=%p: Alert received. Message sender has shut down the connection. SECURITY_STATUS is %d.",
+ "id=%p: Alert received. Message sender has shut down the connection. SECURITY_STATUS is %lu.",
 (void *)handler,
- (int)status);
+ (unsigned long)status);
 struct aws_channel_slot *slot = handler->slot;
 aws_channel_shutdown(slot->channel, AWS_OP_SUCCESS);
@@ -1199,7 +1203,7 @@ static int s_do_application_data_decrypt(struct aws_channel_handler *handler) {
 * call again InitializeSecurityContext with the data received from DecryptMessage until SEC_E_OK is received */
 if (status == SEC_I_RENEGOTIATE) {
 AWS_LOGF_TRACE(
- AWS_LS_IO_TLS, "id=%p: Renegotiation received. SECURITY_STATUS is %d.", (void *)handler, (int)status);
+ AWS_LS_IO_TLS, "id=%p: Renegotiation received. SECURITY_STATUS is %lu.", (void *)handler, (unsigned long)status);
 if (input_buffers[3].BufferType == SECBUFFER_EXTRA && input_buffers[3].cbBuffer > 0) {
 if (input_buffers[3].cbBuffer < read_len) {
 AWS_LOGF_TRACE(
@@ -1277,15 +1281,15 @@ static int s_do_application_data_decrypt(struct aws_channel_handler *handler) {
 } else {
 AWS_LOGF_ERROR(
 AWS_LS_IO_TLS,
- "id=%p: Error InitializeSecurityContext after renegotiation. status %d",
+ "id=%p: Error InitializeSecurityContext after renegotiation. status %lu",
 (void *)handler,
- (int)status);
+ (unsigned long)status);
 error = AWS_OP_ERR;
 break;
 }
 } else {
 AWS_LOGF_ERROR(
- AWS_LS_IO_TLS, "id=%p: Error decrypting message. SECURITY_STATUS is %d.", (void *)handler, (int)status);
+ AWS_LS_IO_TLS, "id=%p: Error decrypting message. SECURITY_STATUS is %lu.", (void *)handler, (unsigned long)status);
 aws_raise_error(AWS_IO_TLS_ERROR_READ_FAILURE);
 }
 } while (sc_handler->read_extra);
@@ -1580,9 +1584,9 @@ static int s_process_write_message(
 } else {
 AWS_LOGF_TRACE(
 AWS_LS_IO_TLS,
- "id=%p: Error encrypting message. SECURITY_STATUS is %d",
+ "id=%p: Error encrypting message. SECURITY_STATUS is %lu",
 (void *)handler,
- (int)status);
+ (unsigned long)status);
 return aws_raise_error(AWS_IO_TLS_ERROR_WRITE_FAILURE);
 }
 }
@@ -1606,7 +1610,7 @@ static int s_increment_read_window(struct aws_channel_handler *handler, struct a
 if (status != SEC_E_OK) {
 AWS_LOGF_ERROR(
- AWS_LS_IO_TLS, "id=%p: QueryContextAttributes failed with error %d", (void *)handler, (int)status);
+ AWS_LS_IO_TLS, "id=%p: QueryContextAttributes failed with error %lu", (void *)handler, (unsigned long)status);
 aws_raise_error(AWS_ERROR_SYS_CALL_FAILURE);
 aws_channel_shutdown(slot->channel, AWS_ERROR_SYS_CALL_FAILURE);
 return AWS_OP_ERR;
@@ -2033,7 +2037,7 @@ static struct aws_channel_handler *s_tls_handler_support_sch_credentials(
 &sc_handler->sspi_timestamp);
 if (status != SEC_E_OK) {
- AWS_LOGF_ERROR(AWS_LS_IO_TLS, "Error on AcquireCredentialsHandle. SECURITY_STATUS is %d", (int)status);
+ AWS_LOGF_ERROR(AWS_LS_IO_TLS, "Error on AcquireCredentialsHandle. SECURITY_STATUS is %lu", (unsigned long)status);
 int aws_error = s_determine_sspi_error(status);
 aws_raise_error(aws_error);
 goto on_error;
@@ -2089,7 +2093,7 @@ static struct aws_channel_handler *s_tls_handler_new(
 &sc_handler->sspi_timestamp);
 if (status != SEC_E_OK) {
- AWS_LOGF_ERROR(AWS_LS_IO_TLS, "Error on AcquireCredentialsHandle. SECURITY_STATUS is %d", (int)status);
+ AWS_LOGF_ERROR(AWS_LS_IO_TLS, "Error on AcquireCredentialsHandle. SECURITY_STATUS is %lu", (unsigned long)status);
 int aws_error = s_determine_sspi_error(status);
 aws_raise_error(aws_error);
 goto on_error;
diff --git a/tests/tls_handler_test.c b/tests/tls_handler_test.c
index 9d00beb35..8ad8edf82 100644
--- a/tests/tls_handler_test.c
+++ b/tests/tls_handler_test.c
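Review bot: The `EncryptMessage` failure in s_process_write_message is logged at `AWS_LOGF_TRACE` while every other SSPI failure touched by this commit uses `AWS_LOGF_ERROR`, so the one path that returns `AWS_IO_TLS_ERROR_WRITE_FAILURE` to the caller is the one that is invisible at default log levels; change the macro on the line above the format string to `AWS_LOGF_ERROR(`. The function continues outside the hunk.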
@@ -1213,23 +1213,44 @@ static int s_verify_good_host_mqtt_connect(
 /* ****** NEW ********/
 uint8_t outgoing_received_message[128] = {0};
+
+ // const uint8_t mqtt_connect_message[] = {
+
+ // 0x10, /* connect */
+ // 0x10,/*packet length */
+ // 0x00, 0x04,/* protocol name length */
+ // 0x4d, 0x51, 0x54, 0x54,/* MQTT */
+ // 0x04,/* protocol version 4 (3.11) */
+ // 0x02,/* connect flags */
+ // 0x00, 0x3c,/* keep alive */
+ // 0x00, 0x04, 't', 'e', 's', 't' /* client id(size (2) + data(4) */
+ //};
+
+ const uint8_t mqtt_connect_message[] = {
+ 0x10, 0x51, 0x00, 0x04, 0x4D, 0x51, 0x54, 0x54, 0x04, 0x80, 0x03, 0xE8, 0x00, 0x29, 0x74, 0x65, 0x73,
+ 0x74, 0x2D, 0x30, 0x62, 0x34, 0x37, 0x36, 0x30, 0x64, 0x35, 0x2D, 0x62, 0x61, 0x39, 0x63, 0x2D, 0x38,
+ 0x65, 0x66, 0x64, 0x2D, 0x33, 0x32, 0x65, 0x37, 0x2D, 0x34, 0x38, 0x64, 0x30, 0x35, 0x62, 0x62, 0x32,
+ 0x30, 0x30, 0x65, 0x61, 0x00, 0x1A, 0x3F, 0x53, 0x44, 0x4B, 0x3D, 0x43, 0x50, 0x50, 0x76, 0x32, 0x26,
+ 0x56, 0x65, 0x72, 0x73, 0x69, 0x6F, 0x6E, 0x3D, 0x76, 0x31, 0x2E, 0x33, 0x32, 0x2E, 0x36
+ };
+
+
 /*
 const uint8_t mqtt_connect_message[] = {
- */
- // 0x10, /* connect */
- // 0x10,/*packet length */
- // 0x00, 0x04,/* protocol name length */
- // 0x4d, 0x51, 0x54, 0x54,/* MQTT */
- // 0x04,/* protocol version 4 (3.11) */
- // 0x02,/* connect flags */
- // 0x00, 0x3c,/* keep alive */
- // 0x00, 0x04, 't', 'e', 's', 't' /* client id(size (2) + data(4) */
-// };
-
- const uint8_t mqtt_connect_message[128] = {
- 0x10, 0x51, 0x00, 0x04, 0x4D, 0x51, 0x54, 0x54, 0x04, 0x80, 0x03, 0xE8, 0x00, 0x29, 0x74, 0x65, 0x73, 0x74, 0x2D, 0x35, 0x62, 0x39, 0x39, 0x36, 0x61, 0x62, 0x63, 0x2D, 0x63, 0x30, 0x38, 0x31, 0x2D, 0x37, 0x36, 0x31, 0x37, 0x2D, 0x64, 0x31, 0x34, 0x33, 0x2D, 0x64, 0x33, 0x35, 0x66, 0x37, 0x32, 0x65, 0x37, 0x36, 0x39, 0x64, 0x62, 0x00, 0x1A, 0x3F, 0x53, 0x44, 0x4B, 0x3D, 0x43, 0x50, 0x50, 0x76, 0x32, 0x26, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6F, 0x6E, 0x3D, 0x76, 0x31, 0x2E, 0x33, 0x32, 0x2E, 0x36
+ 0x10, 0x51, 
0x00, 0x04, 0x4D, 0x51, 0x54, 0x54, 0x04, 0x80,
+ 0x03, 0xE8, 0x00, 0x29, 0x74, 0x65, 0x73, 0x74, 0x2D, 0x35,
+ 0x62, 0x39, 0x39, 0x36, 0x61, 0x62, 0x63, 0x2D, 0x63, 0x30,
+ 0x38, 0x31, 0x2D, 0x37, 0x36, 0x31, 0x37, 0x2D, 0x64, 0x31,
+ 0x34, 0x33, 0x2D, 0x64, 0x33, 0x35, 0x66, 0x37, 0x32, 0x65,
+ 0x37, 0x36, 0x39, 0x64, 0x62, 0x00, 0x1A, 0x3F, 0x53, 0x44,
+ 0x4B, 0x3D, 0x43, 0x50, 0x50, 0x76, 0x32, 0x26, 0x56, 0x65,
+ 0x72, 0x73, 0x69, 0x6F, 0x6E, 0x3D, 0x76, 0x31, 0x2E, 0x33,
+ 0x32, 0x2E, 0x36, 0x00
 };
- struct aws_byte_buf write_tag = aws_byte_buf_from_array((const char*)mqtt_connect_message, 18);
+ */
+
+// const uint8_t mqtt_connect_message[] = {'a', 'l', 'f', 'r', 'e', 'd', 0x00, 0x02, 0x01};
+ struct aws_byte_buf write_tag = aws_byte_buf_from_array((const char*)mqtt_connect_message, 83);
 struct tls_test_rw_args outgoing_rw_args;
 ASSERT_SUCCESS(s_tls_rw_args_init(
@@ -1260,7 +1281,7 @@ static int s_verify_good_host_mqtt_connect(
 AWS_ZERO_STRUCT(client_ctx_options);
 aws_tls_ctx_options_set_verify_peer(&client_ctx_options, true);
 aws_tls_ctx_options_init_default_client(&client_ctx_options, allocator);
- //aws_tls_ctx_options_set_alpn_list(&client_ctx_options, "http/1.1");
+ //aws_tls_ctx_options_set_alpn_list(&client_ctx_options, "mqtt");
 if (override_tls_options_fn) {
 (*override_tls_options_fn)(&client_ctx_options);
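Review bot: The write length is the magic number `83` in `aws_byte_buf_from_array((const char*)mqtt_connect_message, 83)`; now that `mqtt_connect_message` is a `[]` array sized by its initializer, pass `sizeof(mqtt_connect_message)` so the two cannot drift, and the `(const char*)` cast can go if, as in aws-c-common, the function takes a `const void *`. The array needs a comment stating what it is: an MQTT 3.1.1 CONNECT with the username flag set (0x80) and clean-session clear, keep-alive 1000 s, client id `test-0b4760d5-ba9c-8efd-32e7-48d05bb200ea` and username `?SDK=CPPv2&Version=v1.32.6`, apparently captured from an SDK session. The two commented-out copies of the packet and the `'alfred'` placeholder should be deleted rather than kept alongside the live one. The function starts outside the hunk.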
@@ -1279,13 +1300,13 @@ static int s_verify_good_host_mqtt_connect(
 struct aws_byte_buf key_buf = {0};
 struct aws_byte_buf ca_buf = {0};
 struct aws_tls_ctx_options tls_options = {0};
- //ASSERT_SUCCESS(aws_byte_buf_init_from_file(&cert_buf, allocator, "ed384_server.pem"));
- //ASSERT_SUCCESS(aws_byte_buf_init_from_file(&key_buf, allocator, "ed384_key.pem"));
- //ASSERT_SUCCESS(aws_byte_buf_init_from_file(&ca_buf, allocator, "AmazonRootCA1.pem"));
+ ASSERT_SUCCESS(aws_byte_buf_init_from_file(&cert_buf, allocator, "ed384_server.pem"));
+ ASSERT_SUCCESS(aws_byte_buf_init_from_file(&key_buf, allocator, "ed384_key.pem"));
+ ASSERT_SUCCESS(aws_byte_buf_init_from_file(&ca_buf, allocator, "AmazonRootCA1.pem"));
- ASSERT_SUCCESS(aws_byte_buf_init_from_file(&cert_buf, allocator, "server_EC384.pem"));
- ASSERT_SUCCESS(aws_byte_buf_init_from_file(&key_buf, allocator, "server_EC384.key"));
- ASSERT_SUCCESS(aws_byte_buf_init_from_file(&ca_buf, allocator, "ca.pem"));
+ // ASSERT_SUCCESS(aws_byte_buf_init_from_file(&cert_buf, allocator, "server_EC384.pem"));
+ // ASSERT_SUCCESS(aws_byte_buf_init_from_file(&key_buf, allocator, "server_EC384.key"));
+ //ASSERT_SUCCESS(aws_byte_buf_init_from_file(&ca_buf, allocator, "ca.pem"));
 struct aws_byte_cursor cert_cur = aws_byte_cursor_from_buf(&cert_buf);
 struct aws_byte_cursor key_cur = aws_byte_cursor_from_buf(&key_buf);
@@ -1305,7 +1326,7 @@ static int s_verify_good_host_mqtt_connect(
 struct aws_byte_cursor host_name_cur = aws_byte_cursor_from_string(host_name);
 aws_tls_connection_options_set_server_name(&tls_client_conn_options, allocator, &host_name_cur);
- //aws_tls_connection_options_set_alpn_list(&tls_client_conn_options, allocator, "http/1.1");
+ //aws_tls_connection_options_set_alpn_list(&tls_client_conn_options, allocator, "mqtt");
 struct aws_socket_options options;
 AWS_ZERO_STRUCT(options);
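Review bot: This hunk flips the active credential set back to `ed384_server.pem` / `ed384_key.pem` / `AmazonRootCA1.pem` and leaves the `server_EC384.*` / `ca.pem` set as commented-out lines, the third such swap in this series; the file names should become parameters of s_verify_good_host_mqtt_connect (or a small options struct) so the local-broker and AWS-endpoint variants are two test cases rather than edits. The `AmazonRootCA1.pem` trust-store override only makes sense for the AWS endpoint, while the local server needs `ca.pem`, which is exactly the pairing a parameter would make explicit. The function starts and ends outside the hunk.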
@@ -1377,7 +1398,12 @@ static int s_verify_good_host_mqtt_connect(
 ASSERT_SUCCESS(aws_mutex_unlock(&c_tester.mutex));
 //printf("conn ack is %d\n", outgoing_rw_args.received_message.buffer[3]);
- ASSERT_INT_EQUALS(0, outgoing_rw_args.received_message.buffer[3]); /* conn ack */
+ //ASSERT_INT_EQUALS(0x20, outgoing_rw_args.received_message.buffer[0]); /* conn ack */
+ //ASSERT_INT_EQUALS(0x01, outgoing_rw_args.received_message.buffer[1]); /* conn ack */
+ //ASSERT_INT_EQUALS(0x00, outgoing_rw_args.received_message.buffer[2]); /* conn ack */
+ //ASSERT_INT_EQUALS('0', outgoing_rw_args.received_message.buffer[0]); /* conn ack */
+ //ASSERT_INT_EQUALS('0', outgoing_rw_args.received_message.buffer[1]); /* conn ack */
+ //ASSERT_INT_EQUALS('0', outgoing_rw_args.received_message.buffer[2]); /* conn ack */
 printf(" ============================================= data read\n");
 //outgoing_rw_args.invocation_happened = false;
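Review bot: After this hunk no assertion on the received bytes remains — the single `buffer[3]` check is replaced by six commented-out lines — so the test passes as soon as anything at all arrives, which is not a CONNACK test. Keep one live check, guarded by a length test: `ASSERT_TRUE(outgoing_rw_args.received_message.len >= 4);` then `ASSERT_INT_EQUALS(0x20, outgoing_rw_args.received_message.buffer[0]);` and `ASSERT_INT_EQUALS(0x00, outgoing_rw_args.received_message.buffer[3]);`. The two conflicting sets of expected values (`0x20/0x01/0x00` versus `'0'`) suggest the reply has not been looked at yet; the `printf` banner should go before merge. The function continues outside the hunk.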
@@ -1443,12 +1469,13 @@ static int s_tls_client_channel_negotiation_success_ecc384_fn(struct aws_allocat
 AWS_TEST_CASE(tls_client_channel_negotiation_success_ecc384, s_tls_client_channel_negotiation_success_ecc384_fn)
 //AWS_STATIC_STRING_FROM_LITERAL(s_aws_ecc384_host_name, "a2w1wmp9234lcw-ats.iot.us-west-2.amazonaws.com");
-AWS_STATIC_STRING_FROM_LITERAL(s_aws_ecc384_host_name, "192.168.1.152");
-//AWS_STATIC_STRING_FROM_LITERAL(s_aws_ecc384_host_name, "a2yvr5l8sc9814-ats.iot.us-east-2.amazonaws.com");
+//AWS_STATIC_STRING_FROM_LITERAL(s_aws_ecc384_host_name, "192.168.1.152"); /* mosuquitto/openssl local server */
+AWS_STATIC_STRING_FROM_LITERAL(s_aws_ecc384_host_name, "a2yvr5l8sc9814-ats.iot.us-east-2.amazonaws.com");
+//AWS_STATIC_STRING_FROM_LITERAL(s_aws_ecc384_host_name, "172.17.48.219"); /* s2n windows wsl */
 static int s_tls_client_channel_negotiation_success_ecc384_tls1_3_fn(struct aws_allocator *allocator, void *ctx) {
 (void)ctx;
- return s_verify_good_host_mqtt_connect(allocator, s_aws_ecc384_host_name, 443, NULL);
+ return s_verify_good_host_mqtt_connect(allocator, s_aws_ecc384_host_name, 8883, NULL);
 }
 AWS_TEST_CASE(
From 6f1f73cce1432b1fcf24c9bd748e39d160acef27 Mon Sep 17 00:00:00 2001
From: alfred2g
Date: Wed, 12 Jun 2024 20:41:19 -0700
Subject: [PATCH 60/88] add connack assertions
---
 tests/tls_handler_test.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/tests/tls_handler_test.c b/tests/tls_handler_test.c
index 8ad8edf82..10b087fd0 100644
--- a/tests/tls_handler_test.c
+++ b/tests/tls_handler_test.c
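Review bot: The active host `a2yvr5l8sc9814-ats.iot.us-east-2.amazonaws.com` is an account-specific AWS IoT endpoint, so the test depends on one account's device certificate and policy and cannot run in CI; the `192.168.1.152` and `172.17.48.219` alternatives in comments show the literal is already being hand-edited per machine, which is what an environment variable plus a skip-when-unset guard is for. The switch to 8883 pairs with the still-commented ALPN setting: AWS IoT documents port 443 as requiring the `x-amzn-mqtt-ca` ALPN and 8883 as plain MQTT over TLS, so the port and the ALPN list should be chosen together rather than in separate commits. The function starts outside the hunk.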
@@ -1397,10 +1397,18 @@ static int s_verify_good_host_mqtt_connect(
 ASSERT_SUCCESS(aws_mutex_unlock(&c_tester.mutex));
+
+ //printf("=====================================printing message received message buffer\n");
+ //for (size_t i = 0; i < outgoing_rw_args.received_message.len; i++) {
+ // printf(" %.2X ", outgoing_rw_args.received_message.buffer[i]);
+ // }
+ // printf("\n");
 //printf("conn ack is %d\n", outgoing_rw_args.received_message.buffer[3]);
- //ASSERT_INT_EQUALS(0x20, outgoing_rw_args.received_message.buffer[0]); /* conn ack */
- //ASSERT_INT_EQUALS(0x01, outgoing_rw_args.received_message.buffer[1]); /* conn ack */
- //ASSERT_INT_EQUALS(0x00, outgoing_rw_args.received_message.buffer[2]); /* conn ack */
+ ASSERT_INT_EQUALS(0x20, outgoing_rw_args.received_message.buffer[0]); /* conn ack */
+ ASSERT_INT_EQUALS(0x02, outgoing_rw_args.received_message.buffer[1]); /* conn ack */
+ ASSERT_INT_EQUALS(0x01, outgoing_rw_args.received_message.buffer[2]); /* conn ack */
+ ASSERT_INT_EQUALS(0x00, outgoing_rw_args.received_message.buffer[3]); /* conn ack */
+
 //ASSERT_INT_EQUALS('0', outgoing_rw_args.received_message.buffer[0]); /* conn ack */
 //ASSERT_INT_EQUALS('0', outgoing_rw_args.received_message.buffer[1]); /* conn ack */
 //ASSERT_INT_EQUALS('0', outgoing_rw_args.received_message.buffer[2]); /* conn ack */
From b8524ec3f4849b9d544e37c494abfe193dcbebb8 Mon Sep 17 00:00:00 2001
From: Alfred Gedeon
Date: Thu, 13 Jun 2024 07:42:16 -0700
Subject: [PATCH 61/88] uncomment code
---
 source/windows/secure_channel_tls_handler.c | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/source/windows/secure_channel_tls_handler.c b/source/windows/secure_channel_tls_handler.c
index 61d8a4a45..d7524f1d2 100644
--- a/source/windows/secure_channel_tls_handler.c
+++ b/source/windows/secure_channel_tls_handler.c
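Review bot: `ASSERT_INT_EQUALS(0x01, outgoing_rw_args.received_message.buffer[2])` pins the CONNACK acknowledge-flags byte to 1, i.e. session-present, which a broker only reports when it already holds a session for this client id; the CONNECT sent earlier has clean-session clear, so this passes only on a repeat connection and fails on the first run against a fresh broker or after the session expires. Either set clean-session in the CONNECT and assert `0x00`, or mask the flag (`buffer[2] & 0x01`) and rely on the return code in `buffer[3]`. All four indexes still run without a preceding `ASSERT_TRUE(outgoing_rw_args.received_message.len >= 4);`, and the hex-dump loop, even commented out, is debug scaffolding. The function continues outside the hunk.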
@@ -762,13 +762,11 @@ static int s_do_server_side_negotiation_step_2(struct aws_channel_handler *handl
 "id=%p: Custom CA was configured, evaluating trust before completing connection",
 (void *)handler);
- /*
 if (s_manually_verify_peer_cert(handler)) {
 aws_raise_error(AWS_IO_TLS_ERROR_NEGOTIATION_FAILURE);
 s_invoke_negotiation_error(handler, AWS_IO_TLS_ERROR_NEGOTIATION_FAILURE);
 return AWS_OP_ERR;
 }
- */
 }
 sc_handler->negotiation_finished = true;
@@ -1055,13 +1053,11 @@ static int s_do_client_side_negotiation_step_2(struct aws_channel_handler *handl
 AWS_LS_IO_TLS,
 "id=%p: Custom CA was configured, evaluating trust before completing connection",
 (void *)handler);
- /*
 if (s_manually_verify_peer_cert(handler)) {
 aws_raise_error(AWS_IO_TLS_ERROR_NEGOTIATION_FAILURE);
 s_invoke_negotiation_error(handler, AWS_IO_TLS_ERROR_NEGOTIATION_FAILURE);
 return AWS_OP_ERR;
 }
- */
 }
 sc_handler->negotiation_finished = true;
 /* force the sizes query, so future Encrypt message calls work.*/
From 7331dfce541cfd3e53772587df463886ad311633 Mon Sep 17 00:00:00 2001
From: Alfred Gedeon
Date: Thu, 13 Jun 2024 08:02:23 -0700
Subject: [PATCH 62/88] clang format
---
 tests/tls_handler_test.c | 20 ++++++-------------
 1 file changed, 6 insertions(+), 14 deletions(-)
diff --git a/tests/tls_handler_test.c b/tests/tls_handler_test.c
index 10b087fd0..d5cabfb19 100644
--- a/tests/tls_handler_test.c
+++ b/tests/tls_handler_test.c
@@ -481,8 +481,7 @@ static struct aws_byte_buf s_tls_test_handle_write(
 return (struct aws_byte_buf){0};
 }
-static int s_tls_channel_echo_and_backpressure_test_fn(struct aws_allocator *allocator,
- void *ctx) {
+static int s_tls_channel_echo_and_backpressure_test_fn(struct aws_allocator *allocator, void *ctx) {
 (void)ctx;
 aws_io_library_init(allocator);
 ASSERT_SUCCESS(s_tls_common_tester_init(allocator, &c_tester));
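Review bot: Restoring the `s_manually_verify_peer_cert(handler)` call on the client side is right, but nothing in the suite would have failed while it was commented out, which is how the previous commits got this far; add a negative test that installs a custom CA which does not sign the server's certificate and asserts that negotiation ends in `AWS_IO_TLS_ERROR_NEGOTIATION_FAILURE` with `negotiation_finished` never set, so the custom-CA path cannot be silently disabled again. s_do_client_side_negotiation_step_2 starts and ends outside the hunk.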
@@ -516,13 +515,11 @@ static int s_tls_channel_echo_and_backpressure_test_fn(struct aws_allocator *all
 allocator, &local_server_tester, &incoming_args, &c_tester, true, "server.crt", "server.key"));
 /* make the windows small to make sure back pressure is honored. */
 struct aws_channel_handler *outgoing_rw_handler = rw_handler_new(
- allocator, s_tls_test_handle_read, s_tls_test_handle_write, true,
- write_tag.len / 2, &outgoing_rw_args);
+ allocator, s_tls_test_handle_read, s_tls_test_handle_write, true, write_tag.len / 2, &outgoing_rw_args);
 ASSERT_NOT_NULL(outgoing_rw_handler);
 struct aws_channel_handler *incoming_rw_handler = rw_handler_new(
- allocator, s_tls_test_handle_read, s_tls_test_handle_write, true,
- read_tag.len / 2, &incoming_rw_args);
+ allocator, s_tls_test_handle_read, s_tls_test_handle_write, true, read_tag.len / 2, &incoming_rw_args);
 ASSERT_NOT_NULL(incoming_rw_handler);
 incoming_args.rw_handler = incoming_rw_handler;
@@ -606,12 +603,10 @@ static int s_tls_channel_echo_and_backpressure_test_fn(struct aws_allocator *all
 ASSERT_SUCCESS(aws_mutex_lock(&c_tester.mutex));
 ASSERT_SUCCESS(aws_condition_variable_wait_pred(
- &c_tester.condition_variable, &c_tester.mutex,
- s_tls_test_read_predicate, &incoming_rw_args));
+ &c_tester.condition_variable, &c_tester.mutex, s_tls_test_read_predicate, &incoming_rw_args));
 ASSERT_SUCCESS(aws_condition_variable_wait_pred(
- &c_tester.condition_variable, &c_tester.mutex,
- s_tls_test_read_predicate, &outgoing_rw_args));
+ &c_tester.condition_variable, &c_tester.mutex, s_tls_test_read_predicate, &outgoing_rw_args));
 ASSERT_SUCCESS(aws_mutex_unlock(&c_tester.mutex));
@@ -641,10 +636,7 @@ static int s_tls_channel_echo_and_backpressure_test_fn(struct aws_allocator *all
 incoming_rw_args.received_message.buffer,
 incoming_rw_args.received_message.len);
 ASSERT_BIN_ARRAYS_EQUALS(
- read_tag.buffer,
- read_tag.len,
- outgoing_rw_args.received_message.buffer,
- outgoing_rw_args.received_message.len);
+ read_tag.buffer, read_tag.len, outgoing_rw_args.received_message.buffer, outgoing_rw_args.received_message.len);
 aws_channel_shutdown(incoming_args.channel, AWS_OP_SUCCESS);
 ASSERT_SUCCESS(aws_mutex_lock(&c_tester.mutex));
From 6d3e19da285f7bdbd2816305d2dd4869361f00b5 Mon Sep 17 00:00:00 2001
From: Alfred Gedeon
Date: Thu, 13 Jun 2024 08:04:50 -0700
Subject: [PATCH 63/88] remove blank lines
---
 tests/tls_handler_test.c | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/tests/tls_handler_test.c b/tests/tls_handler_test.c
index d5cabfb19..0e2402a0c 100644
--- a/tests/tls_handler_test.c
+++ b/tests/tls_handler_test.c
@@ -599,15 +599,11 @@ static int s_tls_channel_echo_and_backpressure_test_fn(struct aws_allocator *all
 /* Do the IO operations */
 rw_handler_write(outgoing_args.rw_handler, outgoing_args.rw_slot, &write_tag);
 rw_handler_write(incoming_args.rw_handler, incoming_args.rw_slot, &read_tag);
-
 ASSERT_SUCCESS(aws_mutex_lock(&c_tester.mutex));
-
 ASSERT_SUCCESS(aws_condition_variable_wait_pred(
 &c_tester.condition_variable, &c_tester.mutex, s_tls_test_read_predicate, &incoming_rw_args));
-
 ASSERT_SUCCESS(aws_condition_variable_wait_pred(
 &c_tester.condition_variable, &c_tester.mutex, s_tls_test_read_predicate, &outgoing_rw_args));
-
 ASSERT_SUCCESS(aws_mutex_unlock(&c_tester.mutex));
 incoming_rw_args.invocation_happened = false;
From 19fa6da3146dd5746a078459075e4cd96e1dfa72 Mon Sep 17 00:00:00 2001
From: alfred2g
Date: Thu, 13 Jun 2024 09:35:58 -0700
Subject: [PATCH 64/88] add alpn protocol
---
 tests/tls_handler_test.c | 27 +++++++++++++------------
 1 file changed, 15 insertions(+), 12 deletions(-)
diff --git a/tests/tls_handler_test.c b/tests/tls_handler_test.c
index 0e2402a0c..8592ca398 100644
--- a/tests/tls_handler_test.c
+++ b/tests/tls_handler_test.c
@@ -1269,7 +1269,7 @@ static int s_verify_good_host_mqtt_connect(
 AWS_ZERO_STRUCT(client_ctx_options);
 aws_tls_ctx_options_set_verify_peer(&client_ctx_options, true);
 aws_tls_ctx_options_init_default_client(&client_ctx_options, allocator);
- //aws_tls_ctx_options_set_alpn_list(&client_ctx_options, "mqtt");
+ aws_tls_ctx_options_set_alpn_list(&client_ctx_options, "x-amzn-mqtt-ca");
 if (override_tls_options_fn) {
 (*override_tls_options_fn)(&client_ctx_options);
@@ -1314,7 +1314,7 @@ static int s_verify_good_host_mqtt_connect(
 struct aws_byte_cursor host_name_cur = aws_byte_cursor_from_string(host_name);
 aws_tls_connection_options_set_server_name(&tls_client_conn_options, allocator, &host_name_cur);
- //aws_tls_connection_options_set_alpn_list(&tls_client_conn_options, allocator, "mqtt");
+ aws_tls_connection_options_set_alpn_list(&tls_client_conn_options, allocator, "x-amzn-mqtt-ca");
 struct aws_socket_options options;
 AWS_ZERO_STRUCT(options);
@@ -1352,10 +1352,10 @@ static int s_verify_good_host_mqtt_connect(
 ASSERT_SUCCESS(aws_mutex_unlock(&c_tester.mutex));
 ASSERT_FALSE(outgoing_args.error_invoked);
- //struct aws_byte_buf expected_protocol = aws_byte_buf_from_c_str("http/1.1");
+ struct aws_byte_buf expected_protocol = aws_byte_buf_from_c_str("x-amzn-mqtt-ca");
 /* check ALPN and SNI was properly negotiated */
- /*
+
 if (aws_tls_is_alpn_available() && client_ctx_options.verify_peer) {
 ASSERT_BIN_ARRAYS_EQUALS(
 expected_protocol.buffer,
@@ -1363,7 +1363,7 @@ static int s_verify_good_host_mqtt_connect(
 outgoing_args.negotiated_protocol.buffer,
 outgoing_args.negotiated_protocol.len);
 }
- */
+
 // ASSERT_BIN_ARRAYS_EQUALS(
 // host_name->bytes, host_name->len, outgoing_args.server_name.buffer, outgoing_args.server_name.len);
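Review bot: The ALPN comparison is re-enabled, but the SNI check right below it stays commented out (`// ASSERT_BIN_ARRAYS_EQUALS(` / `// host_name->bytes, ...`), so the test no longer verifies that `outgoing_args.server_name` matches the host it asked for; either re-enable it or leave a comment explaining why the server name is not reported on this path. The `"x-amzn-mqtt-ca"` literal now appears three times in the function (two setters and `expected_protocol`); a single `static const char *` would keep them in step. The function continues outside the hunk.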
@@ -1383,19 +1383,21 @@ static int s_verify_good_host_mqtt_connect( &c_tester.condition_variable, &c_tester.mutex, s_tls_test_read_predicate, &outgoing_rw_args)); - ASSERT_SUCCESS(aws_mutex_unlock(&c_tester.mutex)); - //printf("=====================================printing message received message buffer\n"); - //for (size_t i = 0; i < outgoing_rw_args.received_message.len; i++) { - // printf(" %.2X ", outgoing_rw_args.received_message.buffer[i]); - // } - // printf("\n"); + aws_mutex_lock(outgoing_rw_args.mutex); + printf("=====================================printing message received message buffer\n"); + for (size_t i = 0; i < outgoing_rw_args.received_message.len; i++) { + printf(" %.2X ", outgoing_rw_args.received_message.buffer[i]); + } + printf("\n"); //printf("conn ack is %d\n", outgoing_rw_args.received_message.buffer[3]); + ASSERT_INT_EQUALS(0x20, outgoing_rw_args.received_message.buffer[0]); /* conn ack */ ASSERT_INT_EQUALS(0x02, outgoing_rw_args.received_message.buffer[1]); /* conn ack */ ASSERT_INT_EQUALS(0x01, outgoing_rw_args.received_message.buffer[2]); /* conn ack */ ASSERT_INT_EQUALS(0x00, outgoing_rw_args.received_message.buffer[3]); /* conn ack */ + aws_mutex_unlock(outgoing_rw_args.mutex); //ASSERT_INT_EQUALS('0', outgoing_rw_args.received_message.buffer[0]); /* conn ack */ //ASSERT_INT_EQUALS('0', outgoing_rw_args.received_message.buffer[1]); /* conn ack */ @@ -1471,7 +1473,8 @@ AWS_STATIC_STRING_FROM_LITERAL(s_aws_ecc384_host_name, "a2yvr5l8sc9814-ats.iot.u static int s_tls_client_channel_negotiation_success_ecc384_tls1_3_fn(struct aws_allocator *allocator, void *ctx) { (void)ctx; - return s_verify_good_host_mqtt_connect(allocator, s_aws_ecc384_host_name, 8883, NULL); + //return s_verify_good_host_mqtt_connect(allocator, s_aws_ecc384_host_name, 8883, NULL); + return s_verify_good_host_mqtt_connect(allocator, s_aws_ecc384_host_name, 443, NULL); } AWS_TEST_CASE( From bafa0bc56720757f6e3a4a599be882632df5a44c Mon Sep 17 00:00:00 2001 
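Review bot: In hunk @@ -1383 the new `aws_mutex_lock(outgoing_rw_args.mutex);` is paired only with the `aws_mutex_unlock` after the four ASSERT_INT_EQUALS, but the aws test ASSERT_* macros return early from the function on failure, so a wrong CONNACK byte leaves the mutex locked for the rest of the run; the lock's return value is also ignored although the surrounding code uses `ASSERT_SUCCESS(aws_mutex_lock(&c_tester.mutex))`. Copy the four bytes to locals under the lock and assert on them after `aws_mutex_unlock`, or unlock before each failing return. The same pattern is kept in PATCH 65's hunk @@ -1386 of this file. The hex-dump `printf` loop inside the locked region is debug output that does not belong in a committed test. s_verify_good_host_mqtt_connect starts and ends outside the hunk.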
From: alfred2g
Date: Thu, 13 Jun 2024 10:17:55 -0700
Subject: [PATCH 65/88] remove commented code

---
 tests/tls_handler_test.c | 114 +++++++++------------------------
 1 file changed, 25 insertions(+), 89 deletions(-)

diff --git a/tests/tls_handler_test.c b/tests/tls_handler_test.c
index 8592ca398..f56685788 100644
--- a/tests/tls_handler_test.c
+++ b/tests/tls_handler_test.c
@@ -1199,44 +1199,27 @@ static int s_verify_good_host_mqtt_connect( ASSERT_SUCCESS(s_tls_common_tester_init(allocator, &c_tester)); - /* ****** NEW ********/ uint8_t outgoing_received_message[128] = {0}; - // const uint8_t mqtt_connect_message[] = { - - // 0x10, /* connect */ - // 0x10,/*packet length */ - // 0x00, 0x04,/* protocol name length */ - // 0x4d, 0x51, 0x54, 0x54,/* MQTT */ - // 0x04,/* protocol version 4 (3.11) */ - // 0x02,/* connect flags */ - // 0x00, 0x3c,/* keep alive */ - // 0x00, 0x04, 't', 'e', 's', 't' /* client id(size (2) + data(4) */ - //}; - - const uint8_t mqtt_connect_message[] = { - 0x10, 0x51, 0x00, 0x04, 0x4D, 0x51, 0x54, 0x54, 0x04, 0x80, 0x03, 0xE8, 0x00, 0x29, 0x74, 0x65, 0x73, - 0x74, 0x2D, 0x30, 0x62, 0x34, 0x37, 0x36, 0x30, 0x64, 0x35, 0x2D, 0x62, 0x61, 0x39, 0x63, 0x2D, 0x38, - 0x65, 0x66, 0x64, 0x2D, 0x33, 0x32, 0x65, 0x37, 0x2D, 0x34, 0x38, 0x64, 0x30, 0x35, 0x62, 0x62, 0x32, - 0x30, 0x30, 0x65, 0x61, 0x00, 0x1A, 0x3F, 0x53, 0x44, 0x4B, 0x3D, 0x43, 0x50, 0x50, 0x76, 0x32, 0x26, - 0x56, 0x65, 0x72, 0x73, 0x69, 0x6F, 0x6E, 0x3D, 0x76, 0x31, 0x2E, 0x33, 0x32, 0x2E, 0x36 - }; - - /* const uint8_t mqtt_connect_message[] = { - 0x10, 0x51, 0x00, 0x04, 0x4D, 0x51, 0x54, 0x54, 0x04, 0x80, - 0x03, 0xE8, 0x00, 0x29, 0x74, 0x65, 0x73, 0x74, 0x2D, 0x35, - 0x62, 0x39, 0x39, 0x36, 0x61, 0x62, 0x63, 0x2D, 0x63, 0x30, - 0x38, 0x31, 0x2D, 0x37, 0x36, 0x31, 0x37, 0x2D, 0x64, 0x31, - 0x34, 0x33, 0x2D, 0x64, 0x33, 0x35, 0x66, 0x37, 0x32, 0x65, - 0x37, 0x36, 0x39, 0x64, 0x62, 0x00, 0x1A, 0x3F, 0x53, 0x44, - 0x4B, 0x3D, 0x43, 0x50, 0x50, 0x76, 0x32, 0x26, 0x56, 0x65, - 0x72, 0x73, 0x69, 0x6F, 0x6E, 0x3D, 0x76, 0x31, 0x2E, 0x33, - 0x32, 0x2E, 0x36, 0x00 + 0x10, /* connect packet */ + 0x51, /* packet length */ + 0x00, 0x04, /* protocol name length */ + 0x4D, 0x51, 0x54, 0x54, /* M Q T T */ + 0x04, /* protocol version 3.11 = 4 */ + 0x82, /* connect flags user name + clean session */ + 0x03, 0xE8, // keep alive + 0x00, 0x29, /* client id size */ + 0x74, 
0x65, 0x73, 0x74, 0x2D, 0x30, 0x62, 0x34, 0x37, 0x36, + 0x30, 0x64, 0x35, 0x2D, 0x62, 0x61, 0x39, 0x63, 0x2D, 0x38, + 0x65, 0x66, 0x64, 0x2D, 0x33, 0x32, 0x65, 0x37, 0x2D, 0x34, + 0x38, 0x64, 0x30, 0x35, 0x62, 0x62, 0x32, 0x30, 0x30, 0x65, + 0x61, /* client id */ + 0x00, 0x1A, /* user name length */ + 0x3F, 0x53, 0x44, 0x4B, 0x3D, 0x43, 0x50, 0x50, 0x76, 0x32, + 0x26, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6F, 0x6E, 0x3D, 0x76, + 0x31, 0x2E, 0x33, 0x32, 0x2E, 0x36 /* user name */ }; - */ - -// const uint8_t mqtt_connect_message[] = {'a', 'l', 'f', 'r', 'e', 'd', 0x00, 0x02, 0x01}; struct aws_byte_buf write_tag = aws_byte_buf_from_array((const char*)mqtt_connect_message, 83); @@ -1251,8 +1234,6 @@ static int s_verify_good_host_mqtt_connect( true, write_tag.len, &outgoing_rw_args); ASSERT_NOT_NULL(outgoing_rw_handler); - /* end new */ - struct tls_test_args outgoing_args = { .mutex = &c_tester.mutex, .allocator = allocator, 
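Review bot: `struct aws_byte_buf write_tag = aws_byte_buf_from_array((const char*)mqtt_connect_message, 83);` at the end of hunk @@ -1199 (which starts on the previous line) hard-codes the packet length, so any future edit to the now nicely annotated CONNECT bytes silently desynchronises what is written from the array and from the `0x51` remaining-length field; `sizeof(mqtt_connect_message)` tracks the array, and the cast should be unnecessary as far as I recall aws_byte_buf_from_array taking a const void pointer: `struct aws_byte_buf write_tag = aws_byte_buf_from_array(mqtt_connect_message, sizeof(mqtt_connect_message));`. A one-line comment above the initializer stating that the remaining length must be updated together with the client-id and user-name fields would save the next editor the byte count I just redid. s_verify_good_host_mqtt_connect continues outside the hunk.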
@@ -1283,18 +1264,14 @@ static int s_verify_good_host_mqtt_connect( aws_tls_connection_options_set_callbacks( &tls_client_conn_options, s_tls_on_negotiated, NULL, NULL, &outgoing_args); - /* ***** new ****** */ struct aws_byte_buf cert_buf = {0}; struct aws_byte_buf key_buf = {0}; struct aws_byte_buf ca_buf = {0}; struct aws_tls_ctx_options tls_options = {0}; - ASSERT_SUCCESS(aws_byte_buf_init_from_file(&cert_buf, allocator, "ed384_server.pem")); - ASSERT_SUCCESS(aws_byte_buf_init_from_file(&key_buf, allocator, "ed384_key.pem")); - ASSERT_SUCCESS(aws_byte_buf_init_from_file(&ca_buf, allocator, "AmazonRootCA1.pem")); - // ASSERT_SUCCESS(aws_byte_buf_init_from_file(&cert_buf, allocator, "server_EC384.pem")); - // ASSERT_SUCCESS(aws_byte_buf_init_from_file(&key_buf, allocator, "server_EC384.key")); - //ASSERT_SUCCESS(aws_byte_buf_init_from_file(&ca_buf, allocator, "ca.pem")); + ASSERT_SUCCESS(aws_byte_buf_init_from_file(&cert_buf, allocator, "ed384_server.pem")); + ASSERT_SUCCESS(aws_byte_buf_init_from_file(&key_buf, allocator, "ed384_key.pem")); + ASSERT_SUCCESS(aws_byte_buf_init_from_file(&ca_buf, allocator, "AmazonRootCA1.pem")); struct aws_byte_cursor cert_cur = aws_byte_cursor_from_buf(&cert_buf); struct aws_byte_cursor key_cur = aws_byte_cursor_from_buf(&key_buf); @@ -1307,10 +1284,7 @@ static int s_verify_good_host_mqtt_connect( struct aws_tls_ctx *tls_context = aws_tls_client_ctx_new(allocator, &tls_options); ASSERT_NOT_NULL(tls_context); - /* new */ tls_client_conn_options.ctx = tls_context; - /* new */ - /* ***** new ****** */ struct aws_byte_cursor host_name_cur = aws_byte_cursor_from_string(host_name); aws_tls_connection_options_set_server_name(&tls_client_conn_options, allocator, &host_name_cur); 
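Review bot: In hunk @@ -1283 the private key read into `key_buf` from `ed384_key.pem` is only ever released with `aws_byte_buf_clean_up` later in the function (outside this hunk), which frees without wiping; `aws_byte_buf_clean_up_secure(&key_buf)` zeroes the bytes before freeing, and the same treatment is cheap for `cert_buf` and `ca_buf`. The three `ASSERT_SUCCESS(aws_byte_buf_init_from_file(...))` lines also return early without cleaning up the buffers initialised by the earlier calls, so a missing `ed384_key.pem` leaks `cert_buf`; tolerable in a test, but worth a `goto cleanup` or a comment. Since the function depends on these files being present in the working directory, a comment on s_verify_good_host_mqtt_connect saying where they come from and that this is an integration test would help anyone whose run fails at this point.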
@@ -1354,8 +1328,6 @@ static int s_verify_good_host_mqtt_connect( ASSERT_FALSE(outgoing_args.error_invoked); struct aws_byte_buf expected_protocol = aws_byte_buf_from_c_str("x-amzn-mqtt-ca"); /* check ALPN and SNI was properly negotiated */ - - if (aws_tls_is_alpn_available() && client_ctx_options.verify_peer) { ASSERT_BIN_ARRAYS_EQUALS( expected_protocol.buffer, @@ -1364,19 +1336,12 @@ static int s_verify_good_host_mqtt_connect( outgoing_args.negotiated_protocol.len); } + ASSERT_BIN_ARRAYS_EQUALS( + host_name->bytes, host_name->len, outgoing_args.server_name.buffer, outgoing_args.server_name.len); - // ASSERT_BIN_ARRAYS_EQUALS( - // host_name->bytes, host_name->len, outgoing_args.server_name.buffer, outgoing_args.server_name.len); - - - /* XXX: ---- new ----*/ /* Do the IO operations */ - printf(" ============================================= doing the io operaion \n"); outgoing_rw_args.invocation_happened = false; rw_handler_write(outgoing_args.rw_handler, outgoing_args.rw_slot, &write_tag); - - - printf(" ============================================= waiting to read data \n"); ASSERT_SUCCESS(aws_mutex_lock(&c_tester.mutex)); ASSERT_SUCCESS(aws_condition_variable_wait_pred( 
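Review bot: In hunk @@ -1364 the new `ASSERT_BIN_ARRAYS_EQUALS(host_name->bytes, ...)` makes the SNI check unconditional, but the ALPN check above it stays behind `if (aws_tls_is_alpn_available() && client_ctx_options.verify_peer)`, so on a platform where ALPN is reported unavailable the test passes without ever confirming that "x-amzn-mqtt-ca" was negotiated, which is presumably the point of an MQTT-over-443 test. Consider `ASSERT_TRUE(aws_tls_is_alpn_available());` ahead of the gated block, or a comment recording that the skip is intentional on some platforms. s_verify_good_host_mqtt_connect continues outside the hunk.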
@@ -1386,36 +1351,13 @@ static int s_verify_good_host_mqtt_connect( ASSERT_SUCCESS(aws_mutex_unlock(&c_tester.mutex)); aws_mutex_lock(outgoing_rw_args.mutex); - printf("=====================================printing message received message buffer\n"); - for (size_t i = 0; i < outgoing_rw_args.received_message.len; i++) { - printf(" %.2X ", outgoing_rw_args.received_message.buffer[i]); - } - printf("\n"); - //printf("conn ack is %d\n", outgoing_rw_args.received_message.buffer[3]); ASSERT_INT_EQUALS(0x20, outgoing_rw_args.received_message.buffer[0]); /* conn ack */ - ASSERT_INT_EQUALS(0x02, outgoing_rw_args.received_message.buffer[1]); /* conn ack */ - ASSERT_INT_EQUALS(0x01, outgoing_rw_args.received_message.buffer[2]); /* conn ack */ - ASSERT_INT_EQUALS(0x00, outgoing_rw_args.received_message.buffer[3]); /* conn ack */ + ASSERT_INT_EQUALS(0x02, outgoing_rw_args.received_message.buffer[1]); + ASSERT_INT_EQUALS(0x00, outgoing_rw_args.received_message.buffer[2]); /* clean session */ + ASSERT_INT_EQUALS(0x00, outgoing_rw_args.received_message.buffer[3]); aws_mutex_unlock(outgoing_rw_args.mutex); - //ASSERT_INT_EQUALS('0', outgoing_rw_args.received_message.buffer[0]); /* conn ack */ - //ASSERT_INT_EQUALS('0', outgoing_rw_args.received_message.buffer[1]); /* conn ack */ - //ASSERT_INT_EQUALS('0', outgoing_rw_args.received_message.buffer[2]); /* conn ack */ - printf(" ============================================= data read\n"); - - //outgoing_rw_args.invocation_happened = false; - //ASSERT_INT_EQUALS(1, outgoing_rw_args.read_invocations); - - /* - struct aws_byte_cursor cert_cur = aws_byte_cursor_from_buf(&cert_buf); - struct aws_byte_cursor key_cur = aws_byte_cursor_from_buf(&key_buf); - struct aws_byte_cursor ca_cur = aws_byte_cursor_from_buf(&ca_buf); - */ - /* ---- */ - - printf(" ======================================================= freeing memory\n"); - ASSERT_SUCCESS(aws_mutex_lock(&c_tester.mutex)); aws_channel_shutdown(outgoing_args.channel, AWS_OP_SUCCESS); 
ASSERT_SUCCESS(aws_condition_variable_wait_pred( @@ -1428,7 +1370,6 @@ static int s_verify_good_host_mqtt_connect( aws_tls_ctx_release(client_ctx); aws_tls_ctx_release(client_ctx); aws_tls_ctx_release(tls_context->impl); - //aws_tls_ctx_release(tls_context->impl); aws_tls_ctx_options_clean_up(&tls_options); @@ -1465,15 +1406,10 @@ static int s_tls_client_channel_negotiation_success_ecc384_fn(struct aws_allocat } AWS_TEST_CASE(tls_client_channel_negotiation_success_ecc384, s_tls_client_channel_negotiation_success_ecc384_fn) - -//AWS_STATIC_STRING_FROM_LITERAL(s_aws_ecc384_host_name, "a2w1wmp9234lcw-ats.iot.us-west-2.amazonaws.com"); -//AWS_STATIC_STRING_FROM_LITERAL(s_aws_ecc384_host_name, "192.168.1.152"); /* mosuquitto/openssl local server */ AWS_STATIC_STRING_FROM_LITERAL(s_aws_ecc384_host_name, "a2yvr5l8sc9814-ats.iot.us-east-2.amazonaws.com"); -//AWS_STATIC_STRING_FROM_LITERAL(s_aws_ecc384_host_name, "172.17.48.219"); /* s2n windows wsl */ static int s_tls_client_channel_negotiation_success_ecc384_tls1_3_fn(struct aws_allocator *allocator, void *ctx) { (void)ctx; - //return s_verify_good_host_mqtt_connect(allocator, s_aws_ecc384_host_name, 8883, NULL); return s_verify_good_host_mqtt_connect(allocator, s_aws_ecc384_host_name, 443, NULL); } From e0560043df95cc6e5d1723674d5d63539defc106 Mon Sep 17 00:00:00 2001 From: Alfred Gedeon Date: Thu, 13 Jun 2024 11:04:32 -0700 Subject: [PATCH 66/88] clang format --- source/windows/secure_channel_tls_handler.c | 25 ++++++-- tests/tls_handler_test.c | 67 +++++++++------------ 2 files changed, 48 insertions(+), 44 deletions(-) diff --git a/source/windows/secure_channel_tls_handler.c b/source/windows/secure_channel_tls_handler.c index d7524f1d2..f2f1c4e0b 100644 --- a/source/windows/secure_channel_tls_handler.c +++ b/source/windows/secure_channel_tls_handler.c 
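Review bot: The CONNACK assertions in hunk @@ -1386 (which starts on the previous line) are under-documented now that the debug dump is gone: byte 0 says `/* conn ack */`, byte 2 says `/* clean session */`, and byte 3, the return code that says whether the broker accepted the connection, has no comment. Suggest `/* CONNACK packet type */` on byte 0, `/* remaining length */` on byte 1, `/* session present = 0, a clean session was requested */` on byte 2 and `/* return code 0 = connection accepted */` on byte 3. The asserts also read `received_message.buffer[0..3]` without checking `received_message.len >= 4`; the backing array appears to be zero-initialised, so a short reply gives a confusing mismatch rather than an out-of-bounds read, and `ASSERT_TRUE(outgoing_rw_args.received_message.len >= 4);` ahead of them would name the real problem.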
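Review bot: The context lines kept by hunk @@ -1428 release `client_ctx` twice and pass `tls_context->impl` rather than `tls_context` to `aws_tls_ctx_release`; the hunk does not change them, but they are new in this series and look wrong. Releasing the same ctx twice is a refcount underflow unless it is deliberately paying back the reference that `aws_tls_connection_options_init_from_ctx(&tls_client_conn_options, client_ctx)` took before `tls_client_conn_options.ctx` was overwritten with `tls_context` earlier in the function (outside this hunk), and `impl` is a backend-private pointer, not an `aws_tls_ctx`. Initialising the connection options from `tls_context` directly and then using a single `aws_tls_ctx_release(client_ctx); aws_tls_ctx_release(tls_context);` would remove both questions; the same lines reappear in PATCH 66's hunk @@ -1365.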
@@ -702,7 +702,9 @@ static int s_do_server_side_negotiation_step_2(struct aws_channel_handler *handl if (status != SEC_E_INCOMPLETE_MESSAGE && status != SEC_I_CONTINUE_NEEDED && status != SEC_E_OK) { AWS_LOGF_ERROR( - AWS_LS_IO_TLS, "id=%p: Error during negotiation. SECURITY_STATUS is %lu", (void *)handler, (unsigned long)status); + AWS_LS_IO_TLS, "id=%p: Error during negotiation. SECURITY_STATUS is %lu", + (void *)handler, + (unsigned long)status); int aws_error = s_determine_sspi_error(status); aws_raise_error(aws_error); s_invoke_negotiation_error(handler, aws_error); @@ -1199,7 +1201,10 @@ static int s_do_application_data_decrypt(struct aws_channel_handler *handler) { * call again InitializeSecurityContext with the data received from DecryptMessage until SEC_E_OK is received */ if (status == SEC_I_RENEGOTIATE) { AWS_LOGF_TRACE( - AWS_LS_IO_TLS, "id=%p: Renegotiation received. SECURITY_STATUS is %lu.", (void *)handler, (unsigned long)status); + AWS_LS_IO_TLS, + "id=%p: Renegotiation received. SECURITY_STATUS is %lu.", + (void *)handler, + (unsigned long)status); if (input_buffers[3].BufferType == SECBUFFER_EXTRA && input_buffers[3].cbBuffer > 0) { if (input_buffers[3].cbBuffer < read_len) { AWS_LOGF_TRACE( @@ -1285,7 +1290,10 @@ static int s_do_application_data_decrypt(struct aws_channel_handler *handler) { } } else { AWS_LOGF_ERROR( - AWS_LS_IO_TLS, "id=%p: Error decrypting message. SECURITY_STATUS is %lu.", (void *)handler, (unsigned long)status); + AWS_LS_IO_TLS, + "id=%p: Error decrypting message. SECURITY_STATUS is %lu.", + (void *)handler, + (unsigned long)status); aws_raise_error(AWS_IO_TLS_ERROR_READ_FAILURE); } } while (sc_handler->read_extra); 
@@ -1606,7 +1614,10 @@ static int s_increment_read_window(struct aws_channel_handler *handler, struct a if (status != SEC_E_OK) { AWS_LOGF_ERROR( - AWS_LS_IO_TLS, "id=%p: QueryContextAttributes failed with error %lu", (void *)handler, (unsigned long)status); + AWS_LS_IO_TLS, + "id=%p: QueryContextAttributes failed with error %lu", + (void *)handler, + (unsigned long)status); aws_raise_error(AWS_ERROR_SYS_CALL_FAILURE); aws_channel_shutdown(slot->channel, AWS_ERROR_SYS_CALL_FAILURE); return AWS_OP_ERR; @@ -2033,7 +2044,8 @@ static struct aws_channel_handler *s_tls_handler_support_sch_credentials( &sc_handler->sspi_timestamp); if (status != SEC_E_OK) { - AWS_LOGF_ERROR(AWS_LS_IO_TLS, "Error on AcquireCredentialsHandle. SECURITY_STATUS is %lu", (unsigned long)status); + AWS_LOGF_ERROR( + AWS_LS_IO_TLS, "Error on AcquireCredentialsHandle. SECURITY_STATUS is %lu", (unsigned long)status); int aws_error = s_determine_sspi_error(status); aws_raise_error(aws_error); goto on_error; @@ -2089,7 +2101,8 @@ static struct aws_channel_handler *s_tls_handler_new( &sc_handler->sspi_timestamp); if (status != SEC_E_OK) { - AWS_LOGF_ERROR(AWS_LS_IO_TLS, "Error on AcquireCredentialsHandle. SECURITY_STATUS is %lu", (unsigned long)status); + AWS_LOGF_ERROR( + AWS_LS_IO_TLS, "Error on AcquireCredentialsHandle. SECURITY_STATUS is %lu", (unsigned long)status); int aws_error = s_determine_sspi_error(status); aws_raise_error(aws_error); goto on_error; diff --git a/tests/tls_handler_test.c b/tests/tls_handler_test.c index f56685788..8089b204c 100644 --- a/tests/tls_handler_test.c +++ b/tests/tls_handler_test.c 
@@ -1200,28 +1200,28 @@ static int s_verify_good_host_mqtt_connect( ASSERT_SUCCESS(s_tls_common_tester_init(allocator, &c_tester)); uint8_t outgoing_received_message[128] = {0}; - + const uint8_t mqtt_connect_message[] = { - 0x10, /* connect packet */ - 0x51, /* packet length */ - 0x00, 0x04, /* protocol name length */ - 0x4D, 0x51, 0x54, 0x54, /* M Q T T */ - 0x04, /* protocol version 3.11 = 4 */ - 0x82, /* connect flags user name + clean session */ - 0x03, 0xE8, // keep alive - 0x00, 0x29, /* client id size */ + 0x10,/* connect packet */ + 0x51,/* packet length */ + 0x00, 0x04,/* protocol name length */ + 0x4D, 0x51, 0x54, 0x54,/* M Q T T */ + 0x04,/* protocol version 3.11 = 4 */ + 0x82,/* connect flags user name + clean session */ + 0x03, 0xE8,/* keep alive */ + 0x00, 0x29,/* client id size */ 0x74, 0x65, 0x73, 0x74, 0x2D, 0x30, 0x62, 0x34, 0x37, 0x36, 0x30, 0x64, 0x35, 0x2D, 0x62, 0x61, 0x39, 0x63, 0x2D, 0x38, 0x65, 0x66, 0x64, 0x2D, 0x33, 0x32, 0x65, 0x37, 0x2D, 0x34, 0x38, 0x64, 0x30, 0x35, 0x62, 0x62, 0x32, 0x30, 0x30, 0x65, - 0x61, /* client id */ - 0x00, 0x1A, /* user name length */ + 0x61,/* client id */ + 0x00, 0x1A,/* user name length */ 0x3F, 0x53, 0x44, 0x4B, 0x3D, 0x43, 0x50, 0x50, 0x76, 0x32, 0x26, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6F, 0x6E, 0x3D, 0x76, - 0x31, 0x2E, 0x33, 0x32, 0x2E, 0x36 /* user name */ + 0x31, 0x2E, 0x33, 0x32, 0x2E, 0x36/* user name */ }; - struct aws_byte_buf write_tag = aws_byte_buf_from_array((const char*)mqtt_connect_message, 83); + struct aws_byte_buf write_tag = aws_byte_buf_from_array((const char *)mqtt_connect_message, 83); struct tls_test_rw_args outgoing_rw_args; ASSERT_SUCCESS(s_tls_rw_args_init( 
@@ -1231,7 +1231,7 @@ static int s_verify_good_host_mqtt_connect( struct aws_channel_handler *outgoing_rw_handler = rw_handler_new(allocator, s_tls_test_handle_read, s_tls_test_handle_write, - true, write_tag.len, &outgoing_rw_args); + true, write_tag.len, &outgoing_rw_args); ASSERT_NOT_NULL(outgoing_rw_handler); struct tls_test_args outgoing_args = { @@ -1261,24 +1261,22 @@ static int s_verify_good_host_mqtt_connect( struct aws_tls_connection_options tls_client_conn_options; aws_tls_connection_options_init_from_ctx(&tls_client_conn_options, client_ctx); - aws_tls_connection_options_set_callbacks( - &tls_client_conn_options, s_tls_on_negotiated, NULL, NULL, &outgoing_args); + aws_tls_connection_options_set_callbacks(&tls_client_conn_options, s_tls_on_negotiated, NULL, NULL, &outgoing_args); struct aws_byte_buf cert_buf = {0}; struct aws_byte_buf key_buf = {0}; struct aws_byte_buf ca_buf = {0}; struct aws_tls_ctx_options tls_options = {0}; - ASSERT_SUCCESS(aws_byte_buf_init_from_file(&cert_buf, allocator, "ed384_server.pem")); - ASSERT_SUCCESS(aws_byte_buf_init_from_file(&key_buf, allocator, "ed384_key.pem")); - ASSERT_SUCCESS(aws_byte_buf_init_from_file(&ca_buf, allocator, "AmazonRootCA1.pem")); + ASSERT_SUCCESS(aws_byte_buf_init_from_file(&cert_buf, allocator, "ed384_server.pem")); + ASSERT_SUCCESS(aws_byte_buf_init_from_file(&key_buf, allocator, "ed384_key.pem")); + ASSERT_SUCCESS(aws_byte_buf_init_from_file(&ca_buf, allocator, "AmazonRootCA1.pem")); struct aws_byte_cursor cert_cur = aws_byte_cursor_from_buf(&cert_buf); struct aws_byte_cursor key_cur = aws_byte_cursor_from_buf(&key_buf); struct aws_byte_cursor ca_cur = aws_byte_cursor_from_buf(&ca_buf); AWS_FATAL_ASSERT( - AWS_OP_SUCCESS == aws_tls_ctx_options_init_client_mtls(&tls_options, - allocator, &cert_cur, &key_cur)); + AWS_OP_SUCCESS == aws_tls_ctx_options_init_client_mtls(&tls_options, allocator, &cert_cur, &key_cur)); aws_tls_ctx_options_override_default_trust_store(&tls_options, &ca_cur); 
@@ -1335,7 +1333,7 @@ static int s_verify_good_host_mqtt_connect( outgoing_args.negotiated_protocol.buffer, outgoing_args.negotiated_protocol.len); } - + ASSERT_BIN_ARRAYS_EQUALS( host_name->bytes, host_name->len, outgoing_args.server_name.buffer, outgoing_args.server_name.len); @@ -1345,8 +1343,7 @@ static int s_verify_good_host_mqtt_connect( ASSERT_SUCCESS(aws_mutex_lock(&c_tester.mutex)); ASSERT_SUCCESS(aws_condition_variable_wait_pred( - &c_tester.condition_variable, &c_tester.mutex, - s_tls_test_read_predicate, &outgoing_rw_args)); + &c_tester.condition_variable, &c_tester.mutex, s_tls_test_read_predicate, &outgoing_rw_args)); ASSERT_SUCCESS(aws_mutex_unlock(&c_tester.mutex)); @@ -1355,7 +1352,7 @@ static int s_verify_good_host_mqtt_connect( ASSERT_INT_EQUALS(0x20, outgoing_rw_args.received_message.buffer[0]); /* conn ack */ ASSERT_INT_EQUALS(0x02, outgoing_rw_args.received_message.buffer[1]); ASSERT_INT_EQUALS(0x00, outgoing_rw_args.received_message.buffer[2]); /* clean session */ - ASSERT_INT_EQUALS(0x00, outgoing_rw_args.received_message.buffer[3]); + ASSERT_INT_EQUALS(0x00, outgoing_rw_args.received_message.buffer[3]); aws_mutex_unlock(outgoing_rw_args.mutex); ASSERT_SUCCESS(aws_mutex_lock(&c_tester.mutex)); @@ -1365,8 +1362,8 @@ static int s_verify_good_host_mqtt_connect( ASSERT_SUCCESS(aws_mutex_unlock(&c_tester.mutex)); aws_byte_buf_clean_up(&cert_buf); - aws_byte_buf_clean_up(&key_buf ); - aws_byte_buf_clean_up(&ca_buf ); + aws_byte_buf_clean_up(&key_buf); + aws_byte_buf_clean_up(&ca_buf); aws_tls_ctx_release(client_ctx); aws_tls_ctx_release(client_ctx); aws_tls_ctx_release(tls_context->impl); @@ -1378,7 +1375,6 @@ static int s_verify_good_host_mqtt_connect( aws_tls_ctx_options_clean_up(&client_ctx_options); ASSERT_SUCCESS(s_tls_common_tester_clean_up(&c_tester)); - return AWS_OP_SUCCESS; } 
@@ -1920,13 +1916,11 @@ static int s_tls_channel_statistics_test(struct aws_allocator *allocator, void * allocator, &local_server_tester, &incoming_args, &c_tester, false, "server.crt", "server.key")); struct aws_channel_handler *outgoing_rw_handler = - rw_handler_new(allocator, s_tls_test_handle_read, s_tls_test_handle_write, - true, 10000, &outgoing_rw_args); + rw_handler_new(allocator, s_tls_test_handle_read, s_tls_test_handle_write, true, 10000, &outgoing_rw_args); ASSERT_NOT_NULL(outgoing_rw_handler); struct aws_channel_handler *incoming_rw_handler = - rw_handler_new(allocator, s_tls_test_handle_read, s_tls_test_handle_write, - true, 10000, &incoming_rw_args); + rw_handler_new(allocator, s_tls_test_handle_read, s_tls_test_handle_write, true, 10000, &incoming_rw_args); ASSERT_NOT_NULL(incoming_rw_handler); incoming_args.rw_handler = incoming_rw_handler; @@ -1980,11 +1974,9 @@ static int s_tls_channel_statistics_test(struct aws_allocator *allocator, void * rw_handler_write(incoming_args.rw_handler, incoming_args.rw_slot, &read_tag); ASSERT_SUCCESS(aws_condition_variable_wait_pred( - &c_tester.condition_variable, &c_tester.mutex, s_tls_test_read_predicate, - &incoming_rw_args)); + &c_tester.condition_variable, &c_tester.mutex, s_tls_test_read_predicate, &incoming_rw_args)); ASSERT_SUCCESS(aws_condition_variable_wait_pred( - &c_tester.condition_variable, &c_tester.mutex, s_tls_test_read_predicate, - &outgoing_rw_args)); + &c_tester.condition_variable, &c_tester.mutex, s_tls_test_read_predicate, &outgoing_rw_args)); uint64_t ms_to_ns = aws_timestamp_convert(1, AWS_TIMESTAMP_MILLIS, AWS_TIMESTAMP_NANOS, NULL); 
@@ -2321,8 +2313,7 @@ static void s_import_cert(void *ctx) { struct aws_byte_cursor key_cur = aws_byte_cursor_from_buf(&import->key_buf); struct aws_tls_ctx_options tls_options = {0}; AWS_FATAL_ASSERT( - AWS_OP_SUCCESS == aws_tls_ctx_options_init_client_mtls(&tls_options, import->allocator, - &cert_cur, &key_cur)); + AWS_OP_SUCCESS == aws_tls_ctx_options_init_client_mtls(&tls_options, import->allocator, &cert_cur, &key_cur)); /* import happens in here */ import->tls = aws_tls_client_ctx_new(import->allocator, &tls_options); From 98a9ebcfcd100e71838677cecbc5ae953f03ad3f Mon Sep 17 00:00:00 2001 From: Alfred Gedeon Date: Thu, 13 Jun 2024 11:09:43 -0700 Subject: [PATCH 67/88] clang-format --- source/windows/secure_channel_tls_handler.c | 3 ++- tests/tls_handler_test.c | 12 ++++++++---- 2 files changed, 10 insertions(+), 5 deletions(-) diff --git a/source/windows/secure_channel_tls_handler.c b/source/windows/secure_channel_tls_handler.c index f2f1c4e0b..38195066d 100644 --- a/source/windows/secure_channel_tls_handler.c +++ b/source/windows/secure_channel_tls_handler.c @@ -702,7 +702,8 @@ static int s_do_server_side_negotiation_step_2(struct aws_channel_handler *handl if (status != SEC_E_INCOMPLETE_MESSAGE && status != SEC_I_CONTINUE_NEEDED && status != SEC_E_OK) { AWS_LOGF_ERROR( - AWS_LS_IO_TLS, "id=%p: Error during negotiation. SECURITY_STATUS is %lu", + AWS_LS_IO_TLS, + "id=%p: Error during negotiation. SECURITY_STATUS is %lu", (void *)handler, (unsigned long)status); int aws_error = s_determine_sspi_error(status); diff --git a/tests/tls_handler_test.c b/tests/tls_handler_test.c index 8089b204c..e1268c9db 100644 --- a/tests/tls_handler_test.c +++ b/tests/tls_handler_test.c 
@@ -1202,7 +1202,7 @@ static int s_verify_good_host_mqtt_connect( uint8_t outgoing_received_message[128] = {0}; const uint8_t mqtt_connect_message[] = { - 0x10,/* connect packet */ + 0x10, /* connect packet */ 0x51,/* packet length */ 0x00, 0x04,/* protocol name length */ 0x4D, 0x51, 0x54, 0x54,/* M Q T T */ @@ -1229,9 +1229,13 @@ static int s_verify_good_host_mqtt_connect( &c_tester, aws_byte_buf_from_empty_array(outgoing_received_message, sizeof(outgoing_received_message)))); - struct aws_channel_handler *outgoing_rw_handler = - rw_handler_new(allocator, s_tls_test_handle_read, s_tls_test_handle_write, - true, write_tag.len, &outgoing_rw_args); + struct aws_channel_handler *outgoing_rw_handler = rw_handler_new( + allocator, + s_tls_test_handle_read, + s_tls_test_handle_write, + true, + write_tag.len, + &outgoing_rw_args); ASSERT_NOT_NULL(outgoing_rw_handler); struct tls_test_args outgoing_args = { From 895c348896f2cbefc6576998c3a0b59653edd481 Mon Sep 17 00:00:00 2001 From: Alfred Gedeon Date: Thu, 13 Jun 2024 11:16:48 -0700 Subject: [PATCH 68/88] clang-format --- tests/tls_handler_test.c | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/tests/tls_handler_test.c b/tests/tls_handler_test.c index e1268c9db..7c9341da7 100644 --- a/tests/tls_handler_test.c +++ b/tests/tls_handler_test.c @@ -1230,12 +1230,7 @@ static int s_verify_good_host_mqtt_connect( aws_byte_buf_from_empty_array(outgoing_received_message, sizeof(outgoing_received_message)))); struct aws_channel_handler *outgoing_rw_handler = rw_handler_new( - allocator, - s_tls_test_handle_read, - s_tls_test_handle_write, - true, - write_tag.len, - &outgoing_rw_args); + allocator, s_tls_test_handle_read, s_tls_test_handle_write, true, write_tag.len, &outgoing_rw_args); ASSERT_NOT_NULL(outgoing_rw_handler); struct tls_test_args outgoing_args = { From 4cf7d05f420771d7e495c9c5c3fe7d2b6caef920 Mon Sep 17 00:00:00 2001 
From: Alfred Gedeon Date: Thu, 13 Jun 2024 11:19:15 -0700 Subject: [PATCH 69/88] clang-format --- tests/tls_handler_test.c | 33 ++++++++++++++++++++++----------- 1 file changed, 22 insertions(+), 11 deletions(-) diff --git a/tests/tls_handler_test.c b/tests/tls_handler_test.c index 7c9341da7..39cf86407 100644 --- a/tests/tls_handler_test.c +++ b/tests/tls_handler_test.c @@ -1202,23 +1202,34 @@ static int s_verify_good_host_mqtt_connect( uint8_t outgoing_received_message[128] = {0}; const uint8_t mqtt_connect_message[] = { - 0x10, /* connect packet */ - 0x51,/* packet length */ - 0x00, 0x04,/* protocol name length */ - 0x4D, 0x51, 0x54, 0x54,/* M Q T T */ - 0x04,/* protocol version 3.11 = 4 */ - 0x82,/* connect flags user name + clean session */ - 0x03, 0xE8,/* keep alive */ - 0x00, 0x29,/* client id size */ + /* connect packet */ + 0x10, + /* packet length */ + 0x51, + /* protocol name length */ + 0x00, 0x04, + /* M Q T T */ + 0x4D, 0x51, 0x54, 0x54, + /* protocol version 3.11 = 4 */ + 0x04, + /* connect flags user name + clean session */ + 0x82, + /* keep alive */ + 0x03, 0xE8, + /* client id size */ + 0x00, 0x29, + /* client id */ 0x74, 0x65, 0x73, 0x74, 0x2D, 0x30, 0x62, 0x34, 0x37, 0x36, 0x30, 0x64, 0x35, 0x2D, 0x62, 0x61, 0x39, 0x63, 0x2D, 0x38, 0x65, 0x66, 0x64, 0x2D, 0x33, 0x32, 0x65, 0x37, 0x2D, 0x34, 0x38, 0x64, 0x30, 0x35, 0x62, 0x62, 0x32, 0x30, 0x30, 0x65, - 0x61,/* client id */ - 0x00, 0x1A,/* user name length */ + 0x61, + /* user name length */ + 0x00, 0x1A, + /* user name */ 0x3F, 0x53, 0x44, 0x4B, 0x3D, 0x43, 0x50, 0x50, 0x76, 0x32, 0x26, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6F, 0x6E, 0x3D, 0x76, - 0x31, 0x2E, 0x33, 0x32, 0x2E, 0x36/* user name */ + 0x31, 0x2E, 0x33, 0x32, 0x2E, 0x36 }; struct aws_byte_buf write_tag = aws_byte_buf_from_array((const char *)mqtt_connect_message, 83); From 8c84482ce77aa31716ee4f7e7c5f22aefec3fcb7 Mon Sep 17 00:00:00 2001 
From: Alfred Gedeon Date: Thu, 13 Jun 2024 11:26:14 -0700 Subject: [PATCH 70/88] clang format --- tests/tls_handler_test.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tests/tls_handler_test.c b/tests/tls_handler_test.c index 39cf86407..cb8f370c3 100644 --- a/tests/tls_handler_test.c +++ b/tests/tls_handler_test.c @@ -1201,7 +1201,8 @@ static int s_verify_good_host_mqtt_connect( uint8_t outgoing_received_message[128] = {0}; - const uint8_t mqtt_connect_message[] = { + const uint8_t mqtt_connect_message[] = + { /* connect packet */ 0x10, /* packet length */ From fc984554535e2f6a661a1de12422d6a4bdade9c6 Mon Sep 17 00:00:00 2001 From: Alfred Gedeon Date: Thu, 13 Jun 2024 11:32:48 -0700 Subject: [PATCH 71/88] clang format --- tests/tls_handler_test.c | 125 +++++++++++++++++++++++++++++---------- 1 file changed, 94 insertions(+), 31 deletions(-) diff --git a/tests/tls_handler_test.c b/tests/tls_handler_test.c index cb8f370c3..f1d4160ad 100644 --- a/tests/tls_handler_test.c +++ b/tests/tls_handler_test.c 
@@ -1201,37 +1201,100 @@ static int s_verify_good_host_mqtt_connect( uint8_t outgoing_received_message[128] = {0}; - const uint8_t mqtt_connect_message[] = - { - /* connect packet */ - 0x10, - /* packet length */ - 0x51, - /* protocol name length */ - 0x00, 0x04, - /* M Q T T */ - 0x4D, 0x51, 0x54, 0x54, - /* protocol version 3.11 = 4 */ - 0x04, - /* connect flags user name + clean session */ - 0x82, - /* keep alive */ - 0x03, 0xE8, - /* client id size */ - 0x00, 0x29, - /* client id */ - 0x74, 0x65, 0x73, 0x74, 0x2D, 0x30, 0x62, 0x34, 0x37, 0x36, - 0x30, 0x64, 0x35, 0x2D, 0x62, 0x61, 0x39, 0x63, 0x2D, 0x38, - 0x65, 0x66, 0x64, 0x2D, 0x33, 0x32, 0x65, 0x37, 0x2D, 0x34, - 0x38, 0x64, 0x30, 0x35, 0x62, 0x62, 0x32, 0x30, 0x30, 0x65, - 0x61, - /* user name length */ - 0x00, 0x1A, - /* user name */ - 0x3F, 0x53, 0x44, 0x4B, 0x3D, 0x43, 0x50, 0x50, 0x76, 0x32, - 0x26, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6F, 0x6E, 0x3D, 0x76, - 0x31, 0x2E, 0x33, 0x32, 0x2E, 0x36 - }; + const uint8_t mqtt_connect_message[] = {/* connect packet */ + 0x10, + /* packet length */ + 0x51, + /* protocol name length */ + 0x00, + 0x04, + /* M Q T T */ + 0x4D, + 0x51, + 0x54, + 0x54, + /* protocol version 3.11 = 4 */ + 0x04, + /* connect flags user name + clean session */ + 0x82, + /* keep alive */ + 0x03, + 0xE8, + /* client id size */ + 0x00, + 0x29, + /* client id */ + 0x74, + 0x65, + 0x73, + 0x74, + 0x2D, + 0x30, + 0x62, + 0x34, + 0x37, + 0x36, + 0x30, + 0x64, + 0x35, + 0x2D, + 0x62, + 0x61, + 0x39, + 0x63, + 0x2D, + 0x38, + 0x65, + 0x66, + 0x64, + 0x2D, + 0x33, + 0x32, + 0x65, + 0x37, + 0x2D, + 0x34, + 0x38, + 0x64, + 0x30, + 0x35, + 0x62, + 0x62, + 0x32, + 0x30, + 0x30, + 0x65, + 0x61, + /* user name length */ + 0x00, + 0x1A, + /* user name */ + 0x3F, + 0x53, + 0x44, + 0x4B, + 0x3D, + 0x43, + 0x50, + 0x50, + 0x76, + 0x32, + 0x26, + 0x56, + 0x65, + 0x72, + 0x73, + 0x69, + 0x6F, + 0x6E, + 0x3D, + 0x76, + 0x31, + 0x2E, + 0x33, + 0x32, + 0x2E, + 0x36}; struct aws_byte_buf write_tag = 
aws_byte_buf_from_array((const char *)mqtt_connect_message, 83); From 558f075e355a702de2d09a5596a5e1fa75b63eee Mon Sep 17 00:00:00 2001 From: Alfred Gedeon Date: Thu, 13 Jun 2024 21:19:45 -0700 Subject: [PATCH 72/88] Add and remove environment variable --- tests/tls_handler_test.c | 27 +++++++++++++++++++++++++-- 1 file changed, 25 insertions(+), 2 deletions(-) diff --git a/tests/tls_handler_test.c b/tests/tls_handler_test.c index f1d4160ad..49371a918 100644 --- a/tests/tls_handler_test.c +++ b/tests/tls_handler_test.c @@ -1474,10 +1474,33 @@ static int s_tls_client_channel_negotiation_success_ecc384_fn(struct aws_allocat (void)ctx; return s_verify_good_host(allocator, s_badssl_ecc384_host_name, 443, NULL); } - AWS_TEST_CASE(tls_client_channel_negotiation_success_ecc384, s_tls_client_channel_negotiation_success_ecc384_fn) -AWS_STATIC_STRING_FROM_LITERAL(s_aws_ecc384_host_name, "a2yvr5l8sc9814-ats.iot.us-east-2.amazonaws.com"); +#ifdef _WIN32 + +static int s_tls_client_channel_negotiation_success_ecc384_SCHANNEL_CREDS_fn( + struct aws_allocator *allocator, void *ctx) { + (void)ctx; + DWORD ret; + ret = SetEnvironmentVariable("TEST_DEPRECATED_SCHANNEL_CREDS", "true"); + if (ret == 0) { + ASSERT_TRUE(0); + } + return s_verify_good_host(allocator, s_badssl_ecc384_host_name, 443, NULL); + ret = SetEnvironmentVariable("TEST_DEPRECATED_SCHANNEL_CREDS", NULL); + if (ret == 0) { + ASSERT_TRUE(0); + } +} + +AWS_TEST_CASE(tls_client_channel_negotiation_success_ecc384_deprecated, + s_tls_client_channel_negotiation_success_ecc384_SCHANNEL_CREDS_fn) +#endif + + + + +AWS_STATIC_STRING_FROM_LITERAL(s_aws_ecc384_host_name, "a2yvr5l8sc9814-ats.iot.us-east-2.amazonaws.com"); static int s_tls_client_channel_negotiation_success_ecc384_tls1_3_fn(struct aws_allocator *allocator, void *ctx) { (void)ctx; return s_verify_good_host_mqtt_connect(allocator, s_aws_ecc384_host_name, 443, NULL); From e3be4f55fd464c4fc5ea41bb5a22a65032501cb1 Mon Sep 17 00:00:00 2001 
From: Alfred Gedeon Date: Thu, 13 Jun 2024 21:28:21 -0700 Subject: [PATCH 73/88] Add test case to cmakefiles --- tests/CMakeLists.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt index 8663c7cb5..3b42196b8 100644 --- a/tests/CMakeLists.txt +++ b/tests/CMakeLists.txt @@ -90,6 +90,7 @@ if(WIN32) add_net_test_case(tls_client_channel_negotiation_success_ecc384_tls1_3) endif() add_test_case(local_socket_pipe_connected_race) + add_test_case(tls_client_channel_negotiation_success_ecc384_deprecated) endif() add_test_case(channel_setup) From d6bef11eaf774d2d81a6fed320ad39bb86c2581b Mon Sep 17 00:00:00 2001 From: Alfred Gedeon Date: Thu, 13 Jun 2024 21:33:17 -0700 Subject: [PATCH 74/88] Fix unreachable code --- tests/tls_handler_test.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/tests/tls_handler_test.c b/tests/tls_handler_test.c index 49371a918..d0351e22c 100644 --- a/tests/tls_handler_test.c +++ b/tests/tls_handler_test.c @@ -1486,20 +1486,18 @@ static int s_tls_client_channel_negotiation_success_ecc384_SCHANNEL_CREDS_fn( if (ret == 0) { ASSERT_TRUE(0); } - return s_verify_good_host(allocator, s_badssl_ecc384_host_name, 443, NULL); + s_verify_good_host(allocator, s_badssl_ecc384_host_name, 443, NULL); ret = SetEnvironmentVariable("TEST_DEPRECATED_SCHANNEL_CREDS", NULL); if (ret == 0) { ASSERT_TRUE(0); } + return AWS_OP_SUCCESS; } AWS_TEST_CASE(tls_client_channel_negotiation_success_ecc384_deprecated, s_tls_client_channel_negotiation_success_ecc384_SCHANNEL_CREDS_fn) #endif - - - AWS_STATIC_STRING_FROM_LITERAL(s_aws_ecc384_host_name, "a2yvr5l8sc9814-ats.iot.us-east-2.amazonaws.com"); static int s_tls_client_channel_negotiation_success_ecc384_tls1_3_fn(struct aws_allocator *allocator, void *ctx) { (void)ctx; From 3ecbac8acdb762a0ecf3b83b31a6fac14296ee96 Mon Sep 17 00:00:00 2001 
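Review bot: The result of `s_verify_good_host(...)` is now thrown away in `s_tls_client_channel_negotiation_success_ecc384_SCHANNEL_CREDS_fn`, so the test reports AWS_OP_SUCCESS even when negotiation over the deprecated SCHANNEL_CRED path fails; capture it before restoring the environment and return it: `int result = s_verify_good_host(allocator, s_badssl_ecc384_host_name, 443, NULL);` followed by the existing SetEnvironmentVariable reset and `return result;`. Note too that `s_verify_good_host` contains ASSERT macros that return early, and on that path `TEST_DEPRECATED_SCHANNEL_CREDS` stays set for every later test in the same process, so the reset should also happen on failure (or the case should run isolated). The function's opening lines are outside this hunk.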
From: Alfred Gedeon Date: Thu, 13 Jun 2024 21:35:03 -0700 Subject: [PATCH 75/88] clang-format --- tests/tls_handler_test.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/tests/tls_handler_test.c b/tests/tls_handler_test.c index d0351e22c..5a3e1b536 100644 --- a/tests/tls_handler_test.c +++ b/tests/tls_handler_test.c @@ -1476,10 +1476,11 @@ static int s_tls_client_channel_negotiation_success_ecc384_fn(struct aws_allocat } AWS_TEST_CASE(tls_client_channel_negotiation_success_ecc384, s_tls_client_channel_negotiation_success_ecc384_fn) -#ifdef _WIN32 +# ifdef _WIN32 static int s_tls_client_channel_negotiation_success_ecc384_SCHANNEL_CREDS_fn( - struct aws_allocator *allocator, void *ctx) { + struct aws_allocator *allocator, + void *ctx) { (void)ctx; DWORD ret; ret = SetEnvironmentVariable("TEST_DEPRECATED_SCHANNEL_CREDS", "true"); @@ -1494,9 +1495,10 @@ static int s_tls_client_channel_negotiation_success_ecc384_SCHANNEL_CREDS_fn( return AWS_OP_SUCCESS; } -AWS_TEST_CASE(tls_client_channel_negotiation_success_ecc384_deprecated, - s_tls_client_channel_negotiation_success_ecc384_SCHANNEL_CREDS_fn) -#endif +AWS_TEST_CASE( + tls_client_channel_negotiation_success_ecc384_deprecated, + s_tls_client_channel_negotiation_success_ecc384_SCHANNEL_CREDS_fn) +# endif AWS_STATIC_STRING_FROM_LITERAL(s_aws_ecc384_host_name, "a2yvr5l8sc9814-ats.iot.us-east-2.amazonaws.com"); static int s_tls_client_channel_negotiation_success_ecc384_tls1_3_fn(struct aws_allocator *allocator, void *ctx) { From 279c609c599bd991bdb12ff7eb2c94ff97373c73 Mon Sep 17 00:00:00 2001 From: Alfred Gedeon Date: Thu, 13 Jun 2024 23:21:45 -0700 Subject: [PATCH 76/88] Fix environment variable --- source/windows/secure_channel_tls_handler.c | 27 +++++++++++++-------- 1 file changed, 17 insertions(+), 10 deletions(-) diff --git a/source/windows/secure_channel_tls_handler.c b/source/windows/secure_channel_tls_handler.c index 38195066d..b773d4e2a 100644 
--- a/source/windows/secure_channel_tls_handler.c +++ b/source/windows/secure_channel_tls_handler.c @@ -1989,21 +1989,12 @@ static struct aws_channel_handler *s_tls_handler_support_sch_credentials( struct aws_channel_slot *slot, bool is_client_mode) { char buffer[10]; - DWORD ret; AWS_ASSERT(options->ctx); - /* Used for testing: if defined to any value, we run the deprecarted SCHANNEL_CREDS on newer windows versions */ - ret = GetEnvironmentVariable("TEST_DEPRECATED_SCHANNEL_CREDS", buffer, 10); - if (ret != 0) { - AWS_LOGF_DEBUG( - AWS_LS_IO_TLS, "Variable TEST_DEPRECATED_SCHANNEL_CREDS is defined testing deprecated structure"); - return false; - } - struct secure_channel_handler *sc_handler = aws_mem_calloc(alloc, 1, sizeof(struct secure_channel_handler)); if (!sc_handler) { - return false; + return NULL; } struct secure_channel_ctx *sc_ctx = options->ctx->impl; @@ -2122,8 +2113,16 @@ struct aws_channel_handler *aws_tls_client_handler_new( struct aws_allocator *allocator, struct aws_tls_connection_options *options, struct aws_channel_slot *slot) { + DWORD ret; if (s_is_windows_equal_or_above_10()) { + /* Used for testing: if defined to any value, we run the deprecarted SCHANNEL_CREDS on newer windows versions */ + ret = GetEnvironmentVariable("TEST_DEPRECATED_SCHANNEL_CREDS", buffer, 10); + if (ret != 0) { + AWS_LOGF_DEBUG( + AWS_LS_IO_TLS, "Variable TEST_DEPRECATED_SCHANNEL_CREDS is defined testing deprecated structure"); + return s_tls_handler_new(allocator, options, slot, true); + } return s_tls_handler_support_sch_credentials(allocator, options, slot, true); } else { return s_tls_handler_new(allocator, options, slot, true); 
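Review bot: The `TEST_DEPRECATED_SCHANNEL_CREDS` lookup now sits on the production path of `aws_tls_client_handler_new`, which means anything able to set an environment variable for the process can force the legacy `SCHANNEL_CRED` handler on Windows 10+ without touching the application's TLS configuration; a test hook like this should be excluded from release builds with a preprocessor guard that only the test build enables, not decided at runtime. As written the hunk also uses `buffer` without declaring it in this function (the declaration was removed from `s_tls_handler_support_sch_credentials` just above), so it will not compile until that is added back here. Treating a non-zero return from `GetEnvironmentVariable` as "defined" also covers the buffer-too-small case for values longer than 9 characters, which matches the "any value" comment but is worth stating explicitly. `aws_tls_client_handler_new` continues past the end of this hunk.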
@@ -2134,8 +2133,16 @@ struct aws_channel_handler *aws_tls_server_handler_new( struct aws_allocator *allocator, struct aws_tls_connection_options *options, struct aws_channel_slot *slot) { + DWORD ret; if (s_is_windows_equal_or_above_10()) { + /* Used for testing: if defined to any value, we run the deprecarted SCHANNEL_CREDS on newer windows versions */ + ret = GetEnvironmentVariable("TEST_DEPRECATED_SCHANNEL_CREDS", buffer, 10); + if (ret != 0) { + AWS_LOGF_DEBUG( + AWS_LS_IO_TLS, "Variable TEST_DEPRECATED_SCHANNEL_CREDS is defined testing deprecated structure"); + return s_tls_handler_new(allocator, options, slot, false); + } return s_tls_handler_support_sch_credentials(allocator, options, slot, false); } else { return s_tls_handler_new(allocator, options, slot, false); From a5b4131f00e49116c2d4cc791717c5cee3c9d3b0 Mon Sep 17 00:00:00 2001 From: Alfred Gedeon Date: Thu, 13 Jun 2024 23:22:35 -0700 Subject: [PATCH 77/88] fix syntax error --- source/windows/secure_channel_tls_handler.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/windows/secure_channel_tls_handler.c b/source/windows/secure_channel_tls_handler.c index b773d4e2a..4ebd3b58a 100644 --- a/source/windows/secure_channel_tls_handler.c +++ b/source/windows/secure_channel_tls_handler.c @@ -1988,7 +1988,6 @@ static struct aws_channel_handler *s_tls_handler_support_sch_credentials( struct aws_tls_connection_options *options, struct aws_channel_slot *slot, bool is_client_mode) { - char buffer[10]; AWS_ASSERT(options->ctx); @@ -2114,6 +2113,7 @@ struct aws_channel_handler *aws_tls_client_handler_new( struct aws_tls_connection_options *options, struct aws_channel_slot *slot) { DWORD ret; + char buffer[10]; if (s_is_windows_equal_or_above_10()) { /* Used for testing: if defined to any value, we run the deprecarted SCHANNEL_CREDS on newer windows versions */ From 2380f9ee11466003b087a734eb0bbd9fa6e5fc03 Mon Sep 17 00:00:00 2001 
From: Alfred Gedeon Date: Thu, 13 Jun 2024 23:27:00 -0700 Subject: [PATCH 78/88] syntax error --- source/windows/secure_channel_tls_handler.c | 1 + 1 file changed, 1 insertion(+) diff --git a/source/windows/secure_channel_tls_handler.c b/source/windows/secure_channel_tls_handler.c index 4ebd3b58a..1d83b0be2 100644 --- a/source/windows/secure_channel_tls_handler.c +++ b/source/windows/secure_channel_tls_handler.c @@ -2134,6 +2134,7 @@ struct aws_channel_handler *aws_tls_server_handler_new( struct aws_tls_connection_options *options, struct aws_channel_slot *slot) { DWORD ret; + char buffer[10]; if (s_is_windows_equal_or_above_10()) { /* Used for testing: if defined to any value, we run the deprecarted SCHANNEL_CREDS on newer windows versions */ From adb7b431e007e80ebcc80f1fc912bad6615221df Mon Sep 17 00:00:00 2001 From: Alfred Gedeon Date: Thu, 13 Jun 2024 23:58:19 -0700 Subject: [PATCH 79/88] get environment variable --- source/windows/secure_channel_tls_handler.c | 31 +++++++++++---------- 1 file changed, 17 insertions(+), 14 deletions(-) diff --git a/source/windows/secure_channel_tls_handler.c b/source/windows/secure_channel_tls_handler.c index 1d83b0be2..3be9bd42f 100644 --- a/source/windows/secure_channel_tls_handler.c +++ b/source/windows/secure_channel_tls_handler.c 
@@ -2108,19 +2108,28 @@ static struct aws_channel_handler *s_tls_handler_new( return NULL; } +static bool s_is_testing_deprecated_schannel_creds_defined() +{ + DWORD ret; + char buffer[10]; + + /* Used for testing: if defined to any value, we run the deprecarted SCHANNEL_CREDS on newer windows versions */ + ret = GetEnvironmentVariable("TEST_DEPRECATED_SCHANNEL_CREDS", buffer, 10); + if (ret != 0) { + AWS_LOGF_DEBUG( + AWS_LS_IO_TLS, "Variable TEST_DEPRECATED_SCHANNEL_CREDS is defined testing deprecated structure"); + return true; + } + return false; +} + struct aws_channel_handler *aws_tls_client_handler_new( struct aws_allocator *allocator, struct aws_tls_connection_options *options, struct aws_channel_slot *slot) { - DWORD ret; - char buffer[10]; if (s_is_windows_equal_or_above_10()) { - /* Used for testing: if defined to any value, we run the deprecarted SCHANNEL_CREDS on newer windows versions */ - ret = GetEnvironmentVariable("TEST_DEPRECATED_SCHANNEL_CREDS", buffer, 10); - if (ret != 0) { - AWS_LOGF_DEBUG( - AWS_LS_IO_TLS, "Variable TEST_DEPRECATED_SCHANNEL_CREDS is defined testing deprecated structure"); + if (s_is_testing_deprecated_schannel_creds_defined()) { return s_tls_handler_new(allocator, options, slot, true); } return s_tls_handler_support_sch_credentials(allocator, options, slot, true); 
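Review bot: `s_is_testing_deprecated_schannel_creds_defined()` is declared with empty parentheses, which in C is an unprototyped declaration; the rest of this file uses `(void)` (compare `s_is_windows_equal_or_above_10(void)`), so write `static bool s_is_testing_deprecated_schannel_creds_defined(void)`. Since the value is never inspected, the 10-byte `buffer` can go: per the documented contract `GetEnvironmentVariable("TEST_DEPRECATED_SCHANNEL_CREDS", NULL, 0)` returns the required size (non-zero) when the variable exists and 0 when it does not, which is exactly the test being made. The helper also deserves a header comment saying it is a test-only override that downgrades handler selection on Windows 10+, because it is now consulted from `aws_tls_client_handler_new` in every build.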
@@ -2133,15 +2142,9 @@ struct aws_channel_handler *aws_tls_server_handler_new( struct aws_allocator *allocator, struct aws_tls_connection_options *options, struct aws_channel_slot *slot) { - DWORD ret; - char buffer[10]; if (s_is_windows_equal_or_above_10()) { - /* Used for testing: if defined to any value, we run the deprecarted SCHANNEL_CREDS on newer windows versions */ - ret = GetEnvironmentVariable("TEST_DEPRECATED_SCHANNEL_CREDS", buffer, 10); - if (ret != 0) { - AWS_LOGF_DEBUG( - AWS_LS_IO_TLS, "Variable TEST_DEPRECATED_SCHANNEL_CREDS is defined testing deprecated structure"); + if (s_is_testing_deprecated_schannel_creds_defined()) { return s_tls_handler_new(allocator, options, slot, false); } return s_tls_handler_support_sch_credentials(allocator, options, slot, false); From e7b5a59878d4d7f81bd4a6b0df649111567bcd72 Mon Sep 17 00:00:00 2001 From: Alfred Gedeon Date: Thu, 13 Jun 2024 23:59:20 -0700 Subject: [PATCH 80/88] clang format --- source/windows/secure_channel_tls_handler.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/source/windows/secure_channel_tls_handler.c b/source/windows/secure_channel_tls_handler.c index 3be9bd42f..4b8029481 100644 --- a/source/windows/secure_channel_tls_handler.c +++ b/source/windows/secure_channel_tls_handler.c @@ -2108,8 +2108,7 @@ static struct aws_channel_handler *s_tls_handler_new( return NULL; } -static bool s_is_testing_deprecated_schannel_creds_defined() -{ +static bool s_is_testing_deprecated_schannel_creds_defined() { DWORD ret; char buffer[10]; From acabfe51aadaa120a221a191d389fd7f487d2bdd Mon Sep 17 00:00:00 2001 From: Alfred Gedeon Date: Fri, 14 Jun 2024 00:00:31 -0700 Subject: [PATCH 81/88] clang format --- source/windows/secure_channel_tls_handler.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/windows/secure_channel_tls_handler.c b/source/windows/secure_channel_tls_handler.c index 4b8029481..b09c9c2c2 100644 --- a/source/windows/secure_channel_tls_handler.c 
+++ b/source/windows/secure_channel_tls_handler.c @@ -2117,7 +2117,7 @@ static bool s_is_testing_deprecated_schannel_creds_defined() { if (ret != 0) { AWS_LOGF_DEBUG( AWS_LS_IO_TLS, "Variable TEST_DEPRECATED_SCHANNEL_CREDS is defined testing deprecated structure"); - return true; + return true; } return false; } From 50d7064bcc8a617ddaf900d5c78f01a059b08a5b Mon Sep 17 00:00:00 2001 From: Alfred Gedeon Date: Fri, 14 Jun 2024 09:57:10 -0700 Subject: [PATCH 82/88] Change build version for server 2022 --- tests/CMakeLists.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt index 3b42196b8..59f623f32 100644 --- a/tests/CMakeLists.txt +++ b/tests/CMakeLists.txt @@ -85,7 +85,7 @@ if(WIN32) list(GET BUILD_VERSION 2 BUILD_V) message("Windows Version " ${CMAKE_SYSTEM_VERSION}) - if(${BUILD_V} GREATER_EQUAL 22000) + if(${BUILD_V} GREATER_EQUAL 20348) message("Building for version 22000 or higher: supporting TLS1.3") add_net_test_case(tls_client_channel_negotiation_success_ecc384_tls1_3) endif() From 6d37fd84132869b7846f305ff86862ea41acd351 Mon Sep 17 00:00:00 2001 From: alfred2g Date: Tue, 18 Jun 2024 08:59:03 -0700 Subject: [PATCH 83/88] fix memory cleanup --- tests/tls_handler_test.c | 64 +++++++++++++++++----------------------- 1 file changed, 27 insertions(+), 37 deletions(-) diff --git a/tests/tls_handler_test.c b/tests/tls_handler_test.c index 5a3e1b536..452f2bd5f 100644 --- a/tests/tls_handler_test.c +++ b/tests/tls_handler_test.c 
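Review bot: The threshold now reads `20348` but the message on the following line still says "version 22000 or higher", so anyone reading a CI log from a Windows Server 2022 host will be told the wrong gate; update it to `message("Building for build 20348 (Windows Server 2022) or higher: supporting TLS1.3")`. A one-line comment explaining that the gate is the configuring host's `CMAKE_SYSTEM_VERSION` — which presumably is assumed to be the machine that also runs the network test — would help the next person who changes the number.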
@@ -1195,6 +1195,18 @@ static int s_verify_good_host_mqtt_connect( uint32_t port, void (*override_tls_options_fn)(struct aws_tls_ctx_options *)) { + struct aws_byte_buf cert_buf = {0}; + struct aws_byte_buf key_buf = {0}; + struct aws_byte_buf ca_buf = {0}; + + ASSERT_SUCCESS(aws_byte_buf_init_from_file(&cert_buf, allocator, "ed384_server.pem")); + ASSERT_SUCCESS(aws_byte_buf_init_from_file(&key_buf, allocator, "ed384_key.pem")); + ASSERT_SUCCESS(aws_byte_buf_init_from_file(&ca_buf, allocator, "AmazonRootCA1.pem")); + + struct aws_byte_cursor cert_cur = aws_byte_cursor_from_buf(&cert_buf); + struct aws_byte_cursor key_cur = aws_byte_cursor_from_buf(&key_buf); + struct aws_byte_cursor ca_cur = aws_byte_cursor_from_buf(&ca_buf); + aws_io_library_init(allocator); ASSERT_SUCCESS(s_tls_common_tester_init(allocator, &c_tester)); 
@@ -1320,44 +1332,27 @@ static int s_verify_good_host_mqtt_connect( .shutdown_finished = false, }; - struct aws_tls_ctx_options client_ctx_options; - AWS_ZERO_STRUCT(client_ctx_options); - aws_tls_ctx_options_set_verify_peer(&client_ctx_options, true); - aws_tls_ctx_options_init_default_client(&client_ctx_options, allocator); - aws_tls_ctx_options_set_alpn_list(&client_ctx_options, "x-amzn-mqtt-ca"); + struct aws_tls_ctx_options tls_options = {0}; + AWS_ZERO_STRUCT(tls_options); + + AWS_FATAL_ASSERT( + AWS_OP_SUCCESS == aws_tls_ctx_options_init_client_mtls(&tls_options, allocator, &cert_cur, &key_cur)); + aws_tls_ctx_options_set_verify_peer(&tls_options, true); + aws_tls_ctx_options_set_alpn_list(&tls_options, "x-amzn-mqtt-ca"); + + struct aws_tls_ctx *tls_context = aws_tls_client_ctx_new(allocator, &tls_options); + ASSERT_NOT_NULL(tls_context); if (override_tls_options_fn) { - (*override_tls_options_fn)(&client_ctx_options); + (*override_tls_options_fn)(&tls_options); } - struct aws_tls_ctx *client_ctx = aws_tls_client_ctx_new(allocator, &client_ctx_options); - ASSERT_NOT_NULL(client_ctx); - struct aws_tls_connection_options tls_client_conn_options; - aws_tls_connection_options_init_from_ctx(&tls_client_conn_options, client_ctx); + aws_tls_connection_options_init_from_ctx(&tls_client_conn_options, tls_context); aws_tls_connection_options_set_callbacks(&tls_client_conn_options, s_tls_on_negotiated, NULL, NULL, &outgoing_args); - struct aws_byte_buf cert_buf = {0}; - struct aws_byte_buf key_buf = {0}; - struct aws_byte_buf ca_buf = {0}; - struct aws_tls_ctx_options tls_options = {0}; - - ASSERT_SUCCESS(aws_byte_buf_init_from_file(&cert_buf, allocator, "ed384_server.pem")); - ASSERT_SUCCESS(aws_byte_buf_init_from_file(&key_buf, allocator, "ed384_key.pem")); - ASSERT_SUCCESS(aws_byte_buf_init_from_file(&ca_buf, allocator, "AmazonRootCA1.pem")); - - struct aws_byte_cursor cert_cur = aws_byte_cursor_from_buf(&cert_buf); - struct aws_byte_cursor key_cur = 
aws_byte_cursor_from_buf(&key_buf); - struct aws_byte_cursor ca_cur = aws_byte_cursor_from_buf(&ca_buf); - AWS_FATAL_ASSERT( - AWS_OP_SUCCESS == aws_tls_ctx_options_init_client_mtls(&tls_options, allocator, &cert_cur, &key_cur)); - aws_tls_ctx_options_override_default_trust_store(&tls_options, &ca_cur); - struct aws_tls_ctx *tls_context = aws_tls_client_ctx_new(allocator, &tls_options); - ASSERT_NOT_NULL(tls_context); - tls_client_conn_options.ctx = tls_context; - struct aws_byte_cursor host_name_cur = aws_byte_cursor_from_string(host_name); aws_tls_connection_options_set_server_name(&tls_client_conn_options, allocator, &host_name_cur); aws_tls_connection_options_set_alpn_list(&tls_client_conn_options, allocator, "x-amzn-mqtt-ca"); @@ -1400,7 +1395,7 @@ static int s_verify_good_host_mqtt_connect( ASSERT_FALSE(outgoing_args.error_invoked); struct aws_byte_buf expected_protocol = aws_byte_buf_from_c_str("x-amzn-mqtt-ca"); /* check ALPN and SNI was properly negotiated */ - if (aws_tls_is_alpn_available() && client_ctx_options.verify_peer) { + if (aws_tls_is_alpn_available() && tls_options.verify_peer) { ASSERT_BIN_ARRAYS_EQUALS( expected_protocol.buffer, expected_protocol.len, @@ -1435,18 +1430,13 @@ static int s_verify_good_host_mqtt_connect( &c_tester.condition_variable, &c_tester.mutex, s_tls_channel_shutdown_predicate, &outgoing_args)); ASSERT_SUCCESS(aws_mutex_unlock(&c_tester.mutex)); + /* cleanups */ aws_byte_buf_clean_up(&cert_buf); aws_byte_buf_clean_up(&key_buf); aws_byte_buf_clean_up(&ca_buf); - aws_tls_ctx_release(client_ctx); - aws_tls_ctx_release(client_ctx); - aws_tls_ctx_release(tls_context->impl); - + aws_tls_ctx_release(tls_context); aws_tls_ctx_options_clean_up(&tls_options); - aws_client_bootstrap_release(client_bootstrap); - - aws_tls_ctx_options_clean_up(&client_ctx_options); ASSERT_SUCCESS(s_tls_common_tester_clean_up(&c_tester)); return AWS_OP_SUCCESS; From 57e5cb3c41c20cf4b3be376db39fae5a4e550b65 Mon Sep 17 00:00:00 2001 
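Review bot: `override_tls_options_fn` is now invoked after `aws_tls_client_ctx_new(allocator, &tls_options)`, so any override a caller passes no longer affects the context actually used for the connection (the original called it before creating the ctx); move the `if (override_tls_options_fn)` block above the `aws_tls_client_ctx_new` call. The rewrite also drops `aws_tls_ctx_options_override_default_trust_store(&tls_options, &ca_cur)` while still reading `AmazonRootCA1.pem` into `ca_buf`, leaving `ca_cur` unused and peer verification depending on the Windows system store instead of the pinned root — either restore the override or delete the CA load. `aws_client_bootstrap_release(client_bootstrap)` was removed from the cleanup as well; unless `s_tls_common_tester_clean_up` owns that bootstrap, which is not visible here, it now leaks. The `= {0}` initializer followed by `AWS_ZERO_STRUCT(tls_options)` is redundant.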
From: Steve Kim Date: Mon, 16 Sep 2024 10:41:52 -0700 Subject: [PATCH 84/88] missing close bracket --- source/windows/secure_channel_tls_handler.c | 23 +++++++++++---------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/source/windows/secure_channel_tls_handler.c b/source/windows/secure_channel_tls_handler.c index 987e4bdba..0bab86884 100644 --- a/source/windows/secure_channel_tls_handler.c +++ b/source/windows/secure_channel_tls_handler.c 
@@ -1155,18 +1155,19 @@ static int s_do_application_data_decrypt(struct aws_channel_handler *handler) { aws_byte_cursor_from_array(input_buffers[1].pvBuffer, decrypted_length); int append_failed = aws_byte_buf_append(&sc_handler->buffered_read_out_data_buf, &to_append); AWS_FATAL_ASSERT(!append_failed); + } - /* if we have extra we have to move the pointer and do another Decrypt operation. */ - if (input_buffers[3].BufferType == SECBUFFER_EXTRA && input_buffers[3].cbBuffer > 0) { - if (input_buffers[3].cbBuffer < read_len) { - memmove( - sc_handler->buffered_read_in_data_buf.buffer, - (sc_handler->buffered_read_in_data_buf.buffer + read_len) - input_buffers[3].cbBuffer, - input_buffers[3].cbBuffer); - sc_handler->buffered_read_in_data_buf.len = input_buffers[3].cbBuffer; - } - if (status != SEC_I_RENEGOTIATE) { - sc_handler->read_extra = input_buffers[3].cbBuffer; + /* if we have extra we have to move the pointer and do another Decrypt operation. */ + if (input_buffers[3].BufferType == SECBUFFER_EXTRA && input_buffers[3].cbBuffer > 0) { + if (input_buffers[3].cbBuffer < read_len) { + memmove( + sc_handler->buffered_read_in_data_buf.buffer, + (sc_handler->buffered_read_in_data_buf.buffer + read_len) - input_buffers[3].cbBuffer, + input_buffers[3].cbBuffer); + sc_handler->buffered_read_in_data_buf.len = input_buffers[3].cbBuffer; + } + if (status != SEC_I_RENEGOTIATE) { + sc_handler->read_extra = input_buffers[3].cbBuffer; // AWS_LOGF_TRACE( // AWS_LS_IO_TLS, // "id=%p: Extra (incomplete) message received with length %zu.", From a8edf64c150fecbc4c7d5d6306863dd6927e78f0 Mon Sep 17 00:00:00 2001 From: Steve Kim Date: Mon, 16 Sep 2024 10:51:37 -0700 Subject: [PATCH 85/88] remove duplicate pcerts --- source/windows/secure_channel_tls_handler.c | 1 - 1 file changed, 1 deletion(-) diff --git a/source/windows/secure_channel_tls_handler.c b/source/windows/secure_channel_tls_handler.c index 0bab86884..26da4a718 100644 --- a/source/windows/secure_channel_tls_handler.c 
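Review bot: Moving the closing brace so that the `SECBUFFER_EXTRA` handling runs after the preceding block changes behaviour, not only syntax: trailing bytes are now carried over into the next `DecryptMessage` even when the record produced no application data, which presumably is what TLS 1.3 post-handshake records (no payload) require — that rationale should be recorded, e.g. `/* A record may decrypt to no application data (TLS 1.3 post-handshake messages) and still be followed by extra bytes; always carry them over. */`. The commented-out `AWS_LOGF_TRACE` lines in the same region should be restored or removed rather than left as dead code. `s_do_application_data_decrypt` begins before and ends after this hunk.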
+++ b/source/windows/secure_channel_tls_handler.c @@ -65,7 +65,6 @@ struct secure_channel_ctx { struct aws_tls_ctx ctx; struct aws_string *alpn_list; struct common_credential_params schannel_creds; - PCERT_CONTEXT pcerts; SCHANNEL_CRED credentials; PCCERT_CONTEXT pcerts; HCERTSTORE cert_store; From 640e48d4ddb3b3d07579e7dc3fbb95ee44a31223 Mon Sep 17 00:00:00 2001 From: Steve Kim Date: Mon, 16 Sep 2024 13:31:49 -0700 Subject: [PATCH 86/88] Windows version check renaming --- source/windows/secure_channel_tls_handler.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/source/windows/secure_channel_tls_handler.c b/source/windows/secure_channel_tls_handler.c index 26da4a718..e22efc1c7 100644 --- a/source/windows/secure_channel_tls_handler.c +++ b/source/windows/secure_channel_tls_handler.c @@ -137,7 +137,10 @@ static size_t s_message_overhead(struct aws_channel_handler *handler) { return sc_handler->stream_sizes.cbTrailer + sc_handler->stream_sizes.cbHeader; } -static bool s_is_windows_equal_or_above_10(void) { +/* Checks whether current system is running Windows 10 version 1809 (build 17_763) or later. This check is used + to determin availability of TLS 1.3. This will continue to be a valid check in Windows 11 and later as the + build number continues to increment upwards. e.g. Windows 11 starts at version 21H2 (build 22_000) */ +static bool s_is_windows_equal_or_above_version_1809(void) { ULONGLONG dwlConditionMask = 0; BYTE op = VER_GREATER_EQUAL; OSVERSIONINFOEX osvi; @@ -146,7 +149,7 @@ static bool s_is_windows_equal_or_above_10(void) { ZeroMemory(&osvi, sizeof(OSVERSIONINFOEX)); osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEX); - osvi.dwBuildNumber = 1809; /* Windows 10 */ + osvi.dwBuildNumber = 1809; /* Windows 10 build 1809 */ dwlConditionMask = VerSetConditionMask(dwlConditionMask, VER_BUILDNUMBER, op); typedef NTSTATUS(WINAPI * pRtlGetVersionInfo)( 
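Review bot: `osvi.dwBuildNumber = 1809` compares the OS build number against a Windows release name, not a build: the new comment itself says 1809 is build 17763, and because the build number of every Windows release in use (7601 for Windows 7, 9600 for 8.1) already exceeds 1809, `s_is_windows_equal_or_above_version_1809` is effectively always true with `VER_GREATER_EQUAL`, so the `SCH_CREDENTIALS` handler is selected even on systems that do not provide it. Set `osvi.dwBuildNumber = 17763; /* Windows 10 version 1809 */` so the `VER_BUILDNUMBER` condition is meaningful, and consider a named constant so the comment and the code cannot drift apart again.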
@@ -2212,7 +2215,7 @@ struct aws_channel_handler *aws_tls_client_handler_new( struct aws_tls_connection_options *options, struct aws_channel_slot *slot) { - if (s_is_windows_equal_or_above_10()) { + if (s_is_windows_equal_or_above_version_1809()) { if (s_is_testing_deprecated_schannel_creds_defined()) { return s_tls_handler_new(allocator, options, slot, true); } @@ -2227,7 +2230,7 @@ struct aws_channel_handler *aws_tls_server_handler_new( struct aws_tls_connection_options *options, struct aws_channel_slot *slot) { - if (s_is_windows_equal_or_above_10()) { + if (s_is_windows_equal_or_above_version_1809()) { if (s_is_testing_deprecated_schannel_creds_defined()) { return s_tls_handler_new(allocator, options, slot, false); } From 2f932ed76e1c36529e5b7d9be6879bcf624ccfaa Mon Sep 17 00:00:00 2001 From: Steve Kim Date: Mon, 16 Sep 2024 13:42:07 -0700 Subject: [PATCH 87/88] there is no need to convert to ul. If there is an issue with int, it's already occurred on assignment of status --- source/windows/secure_channel_tls_handler.c | 40 ++++++++++----------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/source/windows/secure_channel_tls_handler.c b/source/windows/secure_channel_tls_handler.c index e22efc1c7..fefabf897 100644 --- a/source/windows/secure_channel_tls_handler.c +++ b/source/windows/secure_channel_tls_handler.c @@ -252,9 +252,9 @@ static int s_manually_verify_peer_cert(struct aws_channel_handler *handler) { if (status != SEC_E_OK || !peer_certificate) { AWS_LOGF_ERROR( AWS_LS_IO_TLS, - "id=%p: failed to load peer's certificate with SECURITY_STATUS %lu", + "id=%p: failed to load peer's certificate with SECURITY_STATUS %d", (void *)handler, - (unsigned long)status); + (int)status); return AWS_OP_ERR; } 
@@ -268,10 +268,10 @@ static int s_manually_verify_peer_cert(struct aws_channel_handler *handler) { if (!CertCreateCertificateChainEngine(&engine_config, &engine)) { AWS_LOGF_ERROR( AWS_LS_IO_TLS, - "id=%p: failed to load a certificate chain engine with SECURITY_STATUS %lu. " + "id=%p: failed to load a certificate chain engine with SECURITY_STATUS %d. " "Most likely, the configured CA is corrupted.", (void *)handler, - (unsigned long)status); + (int)status); goto done; } @@ -305,9 +305,9 @@ static int s_manually_verify_peer_cert(struct aws_channel_handler *handler) { &cert_chain_ctx)) { AWS_LOGF_ERROR( AWS_LS_IO_TLS, - "id=%p: unable to find certificate in chain with SECURITY_STATUS %lu.", + "id=%p: unable to find certificate in chain with SECURITY_STATUS %d.", (void *)handler, - (unsigned long)status); + (int)status); goto done; } @@ -1218,9 +1218,9 @@ static int s_do_application_data_decrypt(struct aws_channel_handler *handler) { else if (status == SEC_I_CONTEXT_EXPIRED) { AWS_LOGF_TRACE( AWS_LS_IO_TLS, - "id=%p: Alert received. Message sender has shut down the connection. SECURITY_STATUS is %lu.", + "id=%p: Alert received. Message sender has shut down the connection. SECURITY_STATUS is %d.", (void *)handler, - (unsigned long)status); + (int)status); struct aws_channel_slot *slot = handler->slot; aws_channel_shutdown(slot->channel, AWS_OP_SUCCESS); @@ -1231,9 +1231,9 @@ static int s_do_application_data_decrypt(struct aws_channel_handler *handler) { if (status == SEC_I_RENEGOTIATE) { AWS_LOGF_TRACE( AWS_LS_IO_TLS, - "id=%p: Renegotiation received. SECURITY_STATUS is %lu.", + "id=%p: Renegotiation received. SECURITY_STATUS is %d.", (void *)handler, - (unsigned long)status); + (int)status); if (input_buffers[3].BufferType == SECBUFFER_EXTRA && input_buffers[3].cbBuffer > 0) { if (input_buffers[3].cbBuffer < read_len) { AWS_LOGF_TRACE( 
@@ -1311,18 +1311,18 @@ static int s_do_application_data_decrypt(struct aws_channel_handler *handler) { } else { AWS_LOGF_ERROR( AWS_LS_IO_TLS, - "id=%p: Error InitializeSecurityContext after renegotiation. status %lu", + "id=%p: Error InitializeSecurityContext after renegotiation. status %d", (void *)handler, - (unsigned long)status); + (int)status); error = AWS_OP_ERR; break; } } else { AWS_LOGF_ERROR( AWS_LS_IO_TLS, - "id=%p: Error decrypting message. SECURITY_STATUS is %lu.", + "id=%p: Error decrypting message. SECURITY_STATUS is %d.", (void *)handler, - (unsigned long)status); + (int)status); aws_raise_error(AWS_IO_TLS_ERROR_READ_FAILURE); } } while (sc_handler->read_extra); @@ -1619,9 +1619,9 @@ static int s_process_write_message( } else { AWS_LOGF_TRACE( AWS_LS_IO_TLS, - "id=%p: Error encrypting message. SECURITY_STATUS is %lu", + "id=%p: Error encrypting message. SECURITY_STATUS is %d", (void *)handler, - (unsigned long)status); + (int)status); return aws_raise_error(AWS_IO_TLS_ERROR_WRITE_FAILURE); } } @@ -1649,9 +1649,9 @@ static int s_increment_read_window(struct aws_channel_handler *handler, struct a if (status != SEC_E_OK) { AWS_LOGF_ERROR( AWS_LS_IO_TLS, - "id=%p: QueryContextAttributes failed with error %lu", + "id=%p: QueryContextAttributes failed with error %d", (void *)handler, - (unsigned long)status); + (int)status); aws_raise_error(AWS_ERROR_SYS_CALL_FAILURE); aws_channel_shutdown(slot->channel, AWS_ERROR_SYS_CALL_FAILURE); return AWS_OP_ERR; @@ -2124,7 +2124,7 @@ static struct aws_channel_handler *s_tls_handler_support_sch_credentials( if (status != SEC_E_OK) { AWS_LOGF_ERROR( - AWS_LS_IO_TLS, "Error on AcquireCredentialsHandle. SECURITY_STATUS is %lu", (unsigned long)status); + AWS_LS_IO_TLS, "Error on AcquireCredentialsHandle. SECURITY_STATUS is %d", (int)status); int aws_error = s_determine_sspi_error(status); aws_raise_error(aws_error); goto on_error; 
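Review bot: `SECURITY_STATUS` values are HRESULT-style codes (`SEC_E_INTERNAL_ERROR` is 0x80090304, for example), so printing them with `%d` after `(int)status` produces negative decimals such as -2146893052 that cannot be matched against the documented constants; the readable form is hexadecimal, `"... SECURITY_STATUS is 0x%08lX"` with `(unsigned long)status`, applied consistently across these call sites. The width concern in the commit message is fair — `SECURITY_STATUS` is a 32-bit `LONG` — but the fix should keep the radix that operators can look up rather than switch to signed decimal.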
@@ -2181,7 +2181,7 @@ static struct aws_channel_handler *s_tls_handler_new(
 if (status != SEC_E_OK) {
 AWS_LOGF_ERROR(
- AWS_LS_IO_TLS, "Error on AcquireCredentialsHandle. SECURITY_STATUS is %lu", (unsigned long)status);
+ AWS_LS_IO_TLS, "Error on AcquireCredentialsHandle. SECURITY_STATUS is %d", (int)status);
 int aws_error = s_determine_sspi_error(status);
 aws_raise_error(aws_error);
 goto on_error;
From a798351ac1b42f96caa0d8e53f337097209c1442 Mon Sep 17 00:00:00 2001
From: Steve Kim
Date: Mon, 16 Sep 2024 13:44:40 -0700
Subject: [PATCH 88/88] missed a few
---
 source/windows/secure_channel_tls_handler.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/source/windows/secure_channel_tls_handler.c b/source/windows/secure_channel_tls_handler.c
index fefabf897..344b06d0f 100644
--- a/source/windows/secure_channel_tls_handler.c
+++ b/source/windows/secure_channel_tls_handler.c
@@ -618,7 +618,7 @@ static int s_do_server_side_negotiation_step_1(struct aws_channel_handler *handl
 if (!(status == SEC_I_CONTINUE_NEEDED || status == SEC_E_OK)) {
 AWS_LOGF_ERROR(
 AWS_LS_IO_TLS,
- "id=%p: error during processing of the ClientHello. SECURITY_STATUS is %lu",
+ "id=%p: error during processing of the ClientHello. SECURITY_STATUS is %d",
 (void *)handler,
 (int)status);
 aws_error = s_determine_sspi_error(status);
@@ -792,7 +792,7 @@ static int s_do_server_side_negotiation_step_2(struct aws_channel_handler *handl
 } else {
 AWS_LOGF_WARN(
 AWS_LS_IO_TLS,
- "id=%p: Error retrieving negotiated protocol. SECURITY_STATUS is %lu",
+ "id=%p: Error retrieving negotiated protocol. SECURITY_STATUS is %d",
 handler,
 (int)status);
 aws_error = s_determine_sspi_error(status);
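Review bot: The `%p` argument in the AWS_LOGF_WARN call of the @@ -792 hunk is passed as bare `handler` rather than `(void *)handler`, unlike the @@ -618 hunk just above and every log call in the earlier commit; `%p` strictly requires a `void *` argument, so this is the same format/argument disagreement the patch is otherwise cleaning up. Change the context line to `(void *)handler,` here and in the matching @@ -1083 hunk of s_do_client_side_negotiation_step_2. Both s_do_server_side_negotiation_step_2 and s_do_client_side_negotiation_step_2 start and end outside their hunks.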
@@ -901,7 +901,7 @@ static int s_do_client_side_negotiation_step_1(struct aws_channel_handler *handl
 if (status != SEC_I_CONTINUE_NEEDED) {
 AWS_LOGF_ERROR(
 AWS_LS_IO_TLS,
- "id=%p: Error sending client/receiving server handshake data. SECURITY_STATUS is %lu",
+ "id=%p: Error sending client/receiving server handshake data. SECURITY_STATUS is %d",
 (void *)handler,
 (int)status);
 aws_error = s_determine_sspi_error(status);
@@ -1083,7 +1083,7 @@ static int s_do_client_side_negotiation_step_2(struct aws_channel_handler *handl
 } else {
 AWS_LOGF_WARN(
 AWS_LS_IO_TLS,
- "id=%p: Error retrieving negotiated protocol. SECURITY_STATUS is %lu",
+ "id=%p: Error retrieving negotiated protocol. SECURITY_STATUS is %d",
 handler,
 (int)status);
 aws_error = s_determine_sspi_error(status);
