search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
makefiles: Explicitly create destination dirs when installing symlinks.
[wine/zf.git] / dlls / secur32 / tests / schannel.c
blob30022437bc0d3053b010d7926fd67a522e05130a
1 /*
2 * Schannel tests
3 *
4 * Copyright 2006 Juan Lang
5 *
6 * This library is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU Lesser General Public
8 * License as published by the Free Software Foundation; either
9 * version 2.1 of the License, or (at your option) any later version.
10 *
11 * This library is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * Lesser General Public License for more details.
15 *
16 * You should have received a copy of the GNU Lesser General Public
17 * License along with this library; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
19 */
20
21 #include <stdarg.h>
22 #include <windef.h>
23 #include <winsock2.h>
24 #include <ws2tcpip.h>
25 #include <stdio.h>
26 #define SECURITY_WIN32
27 #include <security.h>
28 #include <schannel.h>
29
30 #include "wine/test.h"
31
32 static QUERY_CONTEXT_ATTRIBUTES_FN_A pQueryContextAttributesA;
33
34 static const BYTE bigCert[] = { 0x30, 0x7a, 0x02, 0x01, 0x01, 0x30, 0x02, 0x06,
35 0x00, 0x30, 0x15, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13,
36 0x0a, 0x4a, 0x75, 0x61, 0x6e, 0x20, 0x4c, 0x61, 0x6e, 0x67, 0x00, 0x30, 0x22,
37 0x18, 0x0f, 0x31, 0x36, 0x30, 0x31, 0x30, 0x31, 0x30, 0x31, 0x30, 0x30, 0x30,
38 0x30, 0x30, 0x30, 0x5a, 0x18, 0x0f, 0x31, 0x36, 0x30, 0x31, 0x30, 0x31, 0x30,
39 0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x15, 0x31, 0x13, 0x30,
40 0x11, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x0a, 0x4a, 0x75, 0x61, 0x6e, 0x20,
41 0x4c, 0x61, 0x6e, 0x67, 0x00, 0x30, 0x07, 0x30, 0x02, 0x06, 0x00, 0x03, 0x01,
42 0x00, 0xa3, 0x16, 0x30, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01,
43 0x01, 0xff, 0x04, 0x08, 0x30, 0x06, 0x01, 0x01, 0xff, 0x02, 0x01, 0x01 };
44 static WCHAR cspNameW[] = { 'W','i','n','e','C','r','y','p','t','T','e',
45 'm','p',0 };
46 static BYTE privKey[] = {
47 0x07, 0x02, 0x00, 0x00, 0x00, 0x24, 0x00, 0x00, 0x52, 0x53, 0x41, 0x32, 0x00,
48 0x02, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x79, 0x10, 0x1c, 0xd0, 0x6b, 0x10,
49 0x18, 0x30, 0x94, 0x61, 0xdc, 0x0e, 0xcb, 0x96, 0x4e, 0x21, 0x3f, 0x79, 0xcd,
50 0xa9, 0x17, 0x62, 0xbc, 0xbb, 0x61, 0x4c, 0xe0, 0x75, 0x38, 0x6c, 0xf3, 0xde,
51 0x60, 0x86, 0x03, 0x97, 0x65, 0xeb, 0x1e, 0x6b, 0xdb, 0x53, 0x85, 0xad, 0x68,
52 0x21, 0xf1, 0x5d, 0xe7, 0x1f, 0xe6, 0x53, 0xb4, 0xbb, 0x59, 0x3e, 0x14, 0x27,
53 0xb1, 0x83, 0xa7, 0x3a, 0x54, 0xe2, 0x8f, 0x65, 0x8e, 0x6a, 0x4a, 0xcf, 0x3b,
54 0x1f, 0x65, 0xff, 0xfe, 0xf1, 0x31, 0x3a, 0x37, 0x7a, 0x8b, 0xcb, 0xc6, 0xd4,
55 0x98, 0x50, 0x36, 0x67, 0xe4, 0xa1, 0xe8, 0x7e, 0x8a, 0xc5, 0x23, 0xf2, 0x77,
56 0xf5, 0x37, 0x61, 0x49, 0x72, 0x59, 0xe8, 0x3d, 0xf7, 0x60, 0xb2, 0x77, 0xca,
57 0x78, 0x54, 0x6d, 0x65, 0x9e, 0x03, 0x97, 0x1b, 0x61, 0xbd, 0x0c, 0xd8, 0x06,
58 0x63, 0xe2, 0xc5, 0x48, 0xef, 0xb3, 0xe2, 0x6e, 0x98, 0x7d, 0xbd, 0x4e, 0x72,
59 0x91, 0xdb, 0x31, 0x57, 0xe3, 0x65, 0x3a, 0x49, 0xca, 0xec, 0xd2, 0x02, 0x4e,
60 0x22, 0x7e, 0x72, 0x8e, 0xf9, 0x79, 0x84, 0x82, 0xdf, 0x7b, 0x92, 0x2d, 0xaf,
61 0xc9, 0xe4, 0x33, 0xef, 0x89, 0x5c, 0x66, 0x99, 0xd8, 0x80, 0x81, 0x47, 0x2b,
62 0xb1, 0x66, 0x02, 0x84, 0x59, 0x7b, 0xc3, 0xbe, 0x98, 0x45, 0x4a, 0x3d, 0xdd,
63 0xea, 0x2b, 0xdf, 0x4e, 0xb4, 0x24, 0x6b, 0xec, 0xe7, 0xd9, 0x0c, 0x45, 0xb8,
64 0xbe, 0xca, 0x69, 0x37, 0x92, 0x4c, 0x38, 0x6b, 0x96, 0x6d, 0xcd, 0x86, 0x67,
65 0x5c, 0xea, 0x54, 0x94, 0xa4, 0xca, 0xa4, 0x02, 0xa5, 0x21, 0x4d, 0xae, 0x40,
66 0x8f, 0x9d, 0x51, 0x83, 0xf2, 0x3f, 0x33, 0xc1, 0x72, 0xb4, 0x1d, 0x94, 0x6e,
67 0x7d, 0xe4, 0x27, 0x3f, 0xea, 0xff, 0xe5, 0x9b, 0xa7, 0x5e, 0x55, 0x8e, 0x0d,
68 0x69, 0x1c, 0x7a, 0xff, 0x81, 0x9d, 0x53, 0x52, 0x97, 0x9a, 0x76, 0x79, 0xda,
69 0x93, 0x32, 0x16, 0xec, 0x69, 0x51, 0x1a, 0x4e, 0xc3, 0xf1, 0x72, 0x80, 0x78,
70 0x5e, 0x66, 0x4a, 0x8d, 0x85, 0x2f, 0x3f, 0xb2, 0xa7 };
71
72 static const BYTE selfSignedCert[] = {
73 0x30, 0x82, 0x01, 0x1f, 0x30, 0x81, 0xce, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02,
74 0x10, 0xeb, 0x0d, 0x57, 0x2a, 0x9c, 0x09, 0xba, 0xa4, 0x4a, 0xb7, 0x25, 0x49,
75 0xd9, 0x3e, 0xb5, 0x73, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1d,
76 0x05, 0x00, 0x30, 0x15, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x03,
77 0x13, 0x0a, 0x4a, 0x75, 0x61, 0x6e, 0x20, 0x4c, 0x61, 0x6e, 0x67, 0x00, 0x30,
78 0x1e, 0x17, 0x0d, 0x30, 0x36, 0x30, 0x36, 0x32, 0x39, 0x30, 0x35, 0x30, 0x30,
79 0x34, 0x36, 0x5a, 0x17, 0x0d, 0x30, 0x37, 0x30, 0x36, 0x32, 0x39, 0x31, 0x31,
80 0x30, 0x30, 0x34, 0x36, 0x5a, 0x30, 0x15, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03,
81 0x55, 0x04, 0x03, 0x13, 0x0a, 0x4a, 0x75, 0x61, 0x6e, 0x20, 0x4c, 0x61, 0x6e,
82 0x67, 0x00, 0x30, 0x5c, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7,
83 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x4b, 0x00, 0x30, 0x48, 0x02, 0x41,
84 0x00, 0xe2, 0x54, 0x3a, 0xa7, 0x83, 0xb1, 0x27, 0x14, 0x3e, 0x59, 0xbb, 0xb4,
85 0x53, 0xe6, 0x1f, 0xe7, 0x5d, 0xf1, 0x21, 0x68, 0xad, 0x85, 0x53, 0xdb, 0x6b,
86 0x1e, 0xeb, 0x65, 0x97, 0x03, 0x86, 0x60, 0xde, 0xf3, 0x6c, 0x38, 0x75, 0xe0,
87 0x4c, 0x61, 0xbb, 0xbc, 0x62, 0x17, 0xa9, 0xcd, 0x79, 0x3f, 0x21, 0x4e, 0x96,
88 0xcb, 0x0e, 0xdc, 0x61, 0x94, 0x30, 0x18, 0x10, 0x6b, 0xd0, 0x1c, 0x10, 0x79,
89 0x02, 0x03, 0x01, 0x00, 0x01, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02,
90 0x1d, 0x05, 0x00, 0x03, 0x41, 0x00, 0x25, 0x90, 0x53, 0x34, 0xd9, 0x56, 0x41,
91 0x5e, 0xdb, 0x7e, 0x01, 0x36, 0xec, 0x27, 0x61, 0x5e, 0xb7, 0x4d, 0x90, 0x66,
92 0xa2, 0xe1, 0x9d, 0x58, 0x76, 0xd4, 0x9c, 0xba, 0x2c, 0x84, 0xc6, 0x83, 0x7a,
93 0x22, 0x0d, 0x03, 0x69, 0x32, 0x1a, 0x6d, 0xcb, 0x0c, 0x15, 0xb3, 0x6b, 0xc7,
94 0x0a, 0x8c, 0xb4, 0x5c, 0x34, 0x78, 0xe0, 0x3c, 0x9c, 0xe9, 0xf3, 0x30, 0x9f,
95 0xa8, 0x76, 0x57, 0x92, 0x36 };
96
97 static CHAR unisp_name_a[] = UNISP_NAME_A;
98
99 static const char *algid_to_str(ALG_ID alg)
100 {
101 static char buf[12];
102 switch(alg) {
103 #define X(x) case x: return #x
104 X(CALG_MD2);
105 X(CALG_MD4);
106 X(CALG_MD5);
107 X(CALG_SHA1); /* same as CALG_SHA */
108 X(CALG_MAC);
109 X(CALG_RSA_SIGN);
110 X(CALG_DSS_SIGN);
111 X(CALG_NO_SIGN);
112 X(CALG_RSA_KEYX);
113 X(CALG_DES);
114 X(CALG_3DES_112);
115 X(CALG_3DES);
116 X(CALG_DESX);
117 X(CALG_RC2);
118 X(CALG_RC4);
119 X(CALG_SEAL);
120 X(CALG_DH_SF);
121 X(CALG_DH_EPHEM);
122 X(CALG_AGREEDKEY_ANY);
123 X(CALG_KEA_KEYX);
124 X(CALG_HUGHES_MD5);
125 X(CALG_SKIPJACK);
126 X(CALG_TEK);
127 X(CALG_CYLINK_MEK);
128 X(CALG_SSL3_SHAMD5);
129 X(CALG_SSL3_MASTER);
130 X(CALG_SCHANNEL_MASTER_HASH);
131 X(CALG_SCHANNEL_MAC_KEY);
132 X(CALG_SCHANNEL_ENC_KEY);
133 X(CALG_PCT1_MASTER);
134 X(CALG_SSL2_MASTER);
135 X(CALG_TLS1_MASTER);
136 X(CALG_RC5);
137 X(CALG_HMAC);
138 X(CALG_TLS1PRF);
139 X(CALG_HASH_REPLACE_OWF);
140 X(CALG_AES_128);
141 X(CALG_AES_192);
142 X(CALG_AES_256);
143 X(CALG_AES);
144 X(CALG_SHA_256);
145 X(CALG_SHA_384);
146 X(CALG_SHA_512);
147 X(CALG_ECDH);
148 X(CALG_ECMQV);
149 X(CALG_ECDSA);
150 #undef X
151 }
152
153 sprintf(buf, "%x", alg);
154 return buf;
155 }
156
157 static void init_cred(SCHANNEL_CRED *cred)
158 {
159 cred->dwVersion = SCHANNEL_CRED_VERSION;
160 cred->cCreds = 0;
161 cred->paCred = 0;
162 cred->hRootStore = NULL;
163 cred->cMappers = 0;
164 cred->aphMappers = NULL;
165 cred->cSupportedAlgs = 0;
166 cred->palgSupportedAlgs = NULL;
167 cred->grbitEnabledProtocols = 0;
168 cred->dwMinimumCipherStrength = 0;
169 cred->dwMaximumCipherStrength = 0;
170 cred->dwSessionLifespan = 0;
171 cred->dwFlags = 0;
172 }
173
174 static void test_strength(PCredHandle handle)
175 {
176 SecPkgCred_CipherStrengths strength = {-1,-1};
177 SECURITY_STATUS st;
178
179 st = QueryCredentialsAttributesA(handle, SECPKG_ATTR_CIPHER_STRENGTHS, &strength);
180 ok(st == SEC_E_OK, "QueryCredentialsAttributesA failed: %u\n", GetLastError());
181 ok(strength.dwMinimumCipherStrength, "dwMinimumCipherStrength not changed\n");
182 ok(strength.dwMaximumCipherStrength, "dwMaximumCipherStrength not changed\n");
183 trace("strength %d - %d\n", strength.dwMinimumCipherStrength, strength.dwMaximumCipherStrength);
184 }
185
186 static void test_supported_protocols(CredHandle *handle, unsigned exprots)
187 {
188 SecPkgCred_SupportedProtocols protocols;
189 SECURITY_STATUS status;
190
191 status = QueryCredentialsAttributesA(handle, SECPKG_ATTR_SUPPORTED_PROTOCOLS, &protocols);
192 ok(status == SEC_E_OK, "QueryCredentialsAttributes failed: %08x\n", status);
193
194 if(exprots)
195 ok(protocols.grbitProtocol == exprots, "protocols.grbitProtocol = %x, expected %x\n", protocols.grbitProtocol, exprots);
196
197 trace("Supported protocols:\n");
198
199 #define X(flag, name) do { if(protocols.grbitProtocol & flag) { trace(name "\n"); protocols.grbitProtocol &= ~flag; } }while(0)
200 X(SP_PROT_SSL2_CLIENT, "SSL 2 client");
201 X(SP_PROT_SSL3_CLIENT, "SSL 3 client");
202 X(SP_PROT_TLS1_0_CLIENT, "TLS 1.0 client");
203 X(SP_PROT_TLS1_1_CLIENT, "TLS 1.1 client");
204 X(SP_PROT_TLS1_2_CLIENT, "TLS 1.2 client");
205 X(SP_PROT_TLS1_3_CLIENT, "TLS 1.3 client");
206 #undef X
207
208 if(protocols.grbitProtocol)
209 trace("Unknown flags: %x\n", protocols.grbitProtocol);
210 }
211
212 static void test_supported_algs(CredHandle *handle)
213 {
214 SecPkgCred_SupportedAlgs algs;
215 SECURITY_STATUS status;
216 unsigned i;
217
218 status = QueryCredentialsAttributesA(handle, SECPKG_ATTR_SUPPORTED_ALGS, &algs);
219 todo_wine ok(status == SEC_E_OK, "QueryCredentialsAttributes failed: %08x\n", status);
220 if(status != SEC_E_OK)
221 return;
222
223 trace("Supported algorithms (%d):\n", algs.cSupportedAlgs);
224 for(i=0; i < algs.cSupportedAlgs; i++)
225 trace(" %s\n", algid_to_str(algs.palgSupportedAlgs[i]));
226
227 FreeContextBuffer(algs.palgSupportedAlgs);
228 }
229
230 static void test_cread_attrs(void)
231 {
232 SCHANNEL_CRED schannel_cred;
233 SECURITY_STATUS status;
234 CredHandle cred;
235
236 status = AcquireCredentialsHandleA(NULL, unisp_name_a, SECPKG_CRED_OUTBOUND,
237 NULL, NULL, NULL, NULL, &cred, NULL);
238 ok(status == SEC_E_OK, "AcquireCredentialsHandleA failed: %x\n", status);
239
240 test_supported_protocols(&cred, 0);
241 test_supported_algs(&cred);
242
243 status = QueryCredentialsAttributesA(&cred, SECPKG_ATTR_SUPPORTED_PROTOCOLS, NULL);
244 ok(status == SEC_E_INTERNAL_ERROR, "QueryCredentialsAttributes failed: %08x, expected SEC_E_INTERNAL_ERROR\n", status);
245
246 status = QueryCredentialsAttributesA(&cred, SECPKG_ATTR_SUPPORTED_ALGS, NULL);
247 ok(status == SEC_E_INTERNAL_ERROR, "QueryCredentialsAttributes failed: %08x, expected SEC_E_INTERNAL_ERROR\n", status);
248
249 FreeCredentialsHandle(&cred);
250
251 init_cred(&schannel_cred);
252 schannel_cred.grbitEnabledProtocols = SP_PROT_TLS1_CLIENT;
253 status = AcquireCredentialsHandleA(NULL, unisp_name_a, SECPKG_CRED_OUTBOUND,
254 NULL, &schannel_cred, NULL, NULL, &cred, NULL);
255 ok(status == SEC_E_OK, "AcquireCredentialsHandleA failed: %x\n", status);
256
257 test_supported_protocols(&cred, SP_PROT_TLS1_CLIENT);
258 test_supported_algs(&cred);
259
260 FreeCredentialsHandle(&cred);
261 }
262
263 static void testAcquireSecurityContext(void)
264 {
265 BOOL has_schannel = FALSE;
266 SecPkgInfoA *package_info;
267 ULONG i;
268 SECURITY_STATUS st;
269 CredHandle cred;
270 SecPkgCredentials_NamesA names;
271 TimeStamp exp;
272 SCHANNEL_CRED schanCred;
273 PCCERT_CONTEXT certs[2];
274 HCRYPTPROV csp;
275 WCHAR ms_def_prov_w[MAX_PATH];
276 BOOL ret;
277 HCRYPTKEY key;
278 CRYPT_KEY_PROV_INFO keyProvInfo;
279
280
281 if (SUCCEEDED(EnumerateSecurityPackagesA(&i, &package_info)))
282 {
283 while(i--)
284 {
285 if (!strcmp(package_info[i].Name, unisp_name_a))
286 {
287 has_schannel = TRUE;
288 break;
289 }
290 }
291 FreeContextBuffer(package_info);
292 }
293 if (!has_schannel)
294 {
295 skip("Schannel not available\n");
296 return;
297 }
298
299 lstrcpyW(ms_def_prov_w, MS_DEF_PROV_W);
300
301 keyProvInfo.pwszContainerName = cspNameW;
302 keyProvInfo.pwszProvName = ms_def_prov_w;
303 keyProvInfo.dwProvType = PROV_RSA_FULL;
304 keyProvInfo.dwFlags = 0;
305 keyProvInfo.cProvParam = 0;
306 keyProvInfo.rgProvParam = NULL;
307 keyProvInfo.dwKeySpec = AT_SIGNATURE;
308
309 certs[0] = CertCreateCertificateContext(X509_ASN_ENCODING, bigCert, sizeof(bigCert));
310 certs[1] = CertCreateCertificateContext(X509_ASN_ENCODING, selfSignedCert, sizeof(selfSignedCert));
311
312 SetLastError(0xdeadbeef);
313 ret = CryptAcquireContextW(&csp, cspNameW, MS_DEF_PROV_W, PROV_RSA_FULL,
314 CRYPT_DELETEKEYSET);
315 if (!ret && GetLastError() == ERROR_CALL_NOT_IMPLEMENTED)
316 {
317 /* WinMe would crash on some tests */
318 win_skip("CryptAcquireContextW is not implemented\n");
319 return;
320 }
321
322 st = AcquireCredentialsHandleA(NULL, NULL, 0, NULL, NULL, NULL, NULL, NULL,
323 NULL);
324 ok(st == SEC_E_SECPKG_NOT_FOUND,
325 "Expected SEC_E_SECPKG_NOT_FOUND, got %08x\n", st);
326 if (0)
327 {
328 /* Crashes on Win2K */
329 st = AcquireCredentialsHandleA(NULL, unisp_name_a, 0, NULL, NULL, NULL,
330 NULL, NULL, NULL);
331 ok(st == SEC_E_NO_CREDENTIALS, "Expected SEC_E_NO_CREDENTIALS, got %08x\n", st);
332
333 /* Crashes on WinNT */
334 st = AcquireCredentialsHandleA(NULL, unisp_name_a, SECPKG_CRED_BOTH, NULL,
335 NULL, NULL, NULL, NULL, NULL);
336 ok(st == SEC_E_NO_CREDENTIALS, "Expected SEC_E_NO_CREDENTIALS, got %08x\n", st);
337
338 st = AcquireCredentialsHandleA(NULL, unisp_name_a, SECPKG_CRED_INBOUND,
339 NULL, NULL, NULL, NULL, NULL, NULL);
340 ok(st == SEC_E_NO_CREDENTIALS, "Expected SEC_E_NO_CREDENTIALS, got %08x\n", st);
341
342 /* Crashes */
343 AcquireCredentialsHandleA(NULL, unisp_name_a, SECPKG_CRED_OUTBOUND,
344 NULL, NULL, NULL, NULL, NULL, NULL);
345 }
346 st = AcquireCredentialsHandleA(NULL, unisp_name_a, SECPKG_CRED_OUTBOUND,
347 NULL, NULL, NULL, NULL, &cred, NULL);
348 ok(st == SEC_E_OK, "AcquireCredentialsHandleA failed: %08x\n", st);
349 if(st == SEC_E_OK)
350 FreeCredentialsHandle(&cred);
351 memset(&cred, 0, sizeof(cred));
352 st = AcquireCredentialsHandleA(NULL, unisp_name_a, SECPKG_CRED_OUTBOUND,
353 NULL, NULL, NULL, NULL, &cred, &exp);
354 ok(st == SEC_E_OK, "AcquireCredentialsHandleA failed: %08x\n", st);
355 /* expriy is indeterminate in win2k3 */
356 trace("expiry: %08x%08x\n", exp.HighPart, exp.LowPart);
357
358 st = QueryCredentialsAttributesA(&cred, SECPKG_CRED_ATTR_NAMES, &names);
359 ok(st == SEC_E_NO_CREDENTIALS || st == SEC_E_UNSUPPORTED_FUNCTION /* before Vista */, "expected SEC_E_NO_CREDENTIALS, got %08x\n", st);
360
361 FreeCredentialsHandle(&cred);
362
363 /* Bad version in SCHANNEL_CRED */
364 memset(&schanCred, 0, sizeof(schanCred));
365 st = AcquireCredentialsHandleA(NULL, unisp_name_a, SECPKG_CRED_OUTBOUND,
366 NULL, &schanCred, NULL, NULL, NULL, NULL);
367 ok(st == SEC_E_INTERNAL_ERROR ||
368 st == SEC_E_UNKNOWN_CREDENTIALS /* Vista/win2k8 */ ||
369 st == SEC_E_INVALID_TOKEN /* WinNT */, "st = %08x\n", st);
370 st = AcquireCredentialsHandleA(NULL, unisp_name_a, SECPKG_CRED_INBOUND,
371 NULL, &schanCred, NULL, NULL, NULL, NULL);
372 ok(st == SEC_E_INTERNAL_ERROR ||
373 st == SEC_E_UNKNOWN_CREDENTIALS /* Vista/win2k8 */ ||
374 st == SEC_E_INVALID_TOKEN /* WinNT */, "st = %08x\n", st);
375
376 /* No cert in SCHANNEL_CRED succeeds for outbound.. */
377 schanCred.dwVersion = SCHANNEL_CRED_VERSION;
378 st = AcquireCredentialsHandleA(NULL, unisp_name_a, SECPKG_CRED_OUTBOUND,
379 NULL, &schanCred, NULL, NULL, &cred, NULL);
380 ok(st == SEC_E_OK, "AcquireCredentialsHandleA failed: %08x\n", st);
381 FreeCredentialsHandle(&cred);
382 /* but fails for inbound. */
383 st = AcquireCredentialsHandleA(NULL, unisp_name_a, SECPKG_CRED_INBOUND,
384 NULL, &schanCred, NULL, NULL, &cred, NULL);
385 ok(st == SEC_E_NO_CREDENTIALS ||
386 st == SEC_E_OK /* Vista/win2k8 */,
387 "Expected SEC_E_NO_CREDENTIALS or SEC_E_OK, got %08x\n", st);
388
389 if (0)
390 {
391 /* Crashes with bad paCred pointer */
392 schanCred.cCreds = 1;
393 AcquireCredentialsHandleA(NULL, unisp_name_a, SECPKG_CRED_OUTBOUND,
394 NULL, &schanCred, NULL, NULL, NULL, NULL);
395 }
396
397 /* Bogus cert in SCHANNEL_CRED. Windows fails with
398 * SEC_E_UNKNOWN_CREDENTIALS, but I'll accept SEC_E_NO_CREDENTIALS too.
399 */
400 schanCred.cCreds = 1;
401 schanCred.paCred = &certs[0];
402 st = AcquireCredentialsHandleA(NULL, unisp_name_a, SECPKG_CRED_OUTBOUND,
403 NULL, &schanCred, NULL, NULL, NULL, NULL);
404 ok(st == SEC_E_UNKNOWN_CREDENTIALS ||
405 st == SEC_E_NO_CREDENTIALS ||
406 st == SEC_E_INVALID_TOKEN /* WinNT */, "st = %08x\n", st);
407 st = AcquireCredentialsHandleA(NULL, unisp_name_a, SECPKG_CRED_INBOUND,
408 NULL, &schanCred, NULL, NULL, NULL, NULL);
409 ok(st == SEC_E_UNKNOWN_CREDENTIALS ||
410 st == SEC_E_NO_CREDENTIALS ||
411 st == SEC_E_INVALID_TOKEN /* WinNT */, "st = %08x\n", st);
412
413 /* Good cert, but missing private key. Windows fails with
414 * SEC_E_NO_CREDENTIALS, but I'll accept SEC_E_UNKNOWN_CREDENTIALS too.
415 */
416 schanCred.cCreds = 1;
417 schanCred.paCred = &certs[1];
418 st = AcquireCredentialsHandleA(NULL, unisp_name_a, SECPKG_CRED_OUTBOUND,
419 NULL, &schanCred, NULL, NULL, &cred, NULL);
420 ok(st == SEC_E_UNKNOWN_CREDENTIALS || st == SEC_E_NO_CREDENTIALS ||
421 st == SEC_E_INTERNAL_ERROR, /* win2k */
422 "Expected SEC_E_UNKNOWN_CREDENTIALS, SEC_E_NO_CREDENTIALS "
423 "or SEC_E_INTERNAL_ERROR, got %08x\n", st);
424 st = AcquireCredentialsHandleA(NULL, unisp_name_a, SECPKG_CRED_INBOUND,
425 NULL, &schanCred, NULL, NULL, NULL, NULL);
426 ok(st == SEC_E_UNKNOWN_CREDENTIALS || st == SEC_E_NO_CREDENTIALS ||
427 st == SEC_E_INTERNAL_ERROR, /* win2k */
428 "Expected SEC_E_UNKNOWN_CREDENTIALS, SEC_E_NO_CREDENTIALS "
429 "or SEC_E_INTERNAL_ERROR, got %08x\n", st);
430
431 /* Good cert, with CRYPT_KEY_PROV_INFO set before it's had a key loaded. */
432 ret = CertSetCertificateContextProperty(certs[1],
433 CERT_KEY_PROV_INFO_PROP_ID, 0, &keyProvInfo);
434 schanCred.dwVersion = SCH_CRED_V3;
435 ok(ret, "CertSetCertificateContextProperty failed: %08x\n", GetLastError());
436 st = AcquireCredentialsHandleA(NULL, unisp_name_a, SECPKG_CRED_OUTBOUND,
437 NULL, &schanCred, NULL, NULL, &cred, NULL);
438 ok(st == SEC_E_UNKNOWN_CREDENTIALS || st == SEC_E_INTERNAL_ERROR /* WinNT */ ||
439 st == SEC_E_INSUFFICIENT_MEMORY /* win10 */,
440 "Expected SEC_E_UNKNOWN_CREDENTIALS or SEC_E_INTERNAL_ERROR, got %08x\n", st);
441 st = AcquireCredentialsHandleA(NULL, unisp_name_a, SECPKG_CRED_INBOUND,
442 NULL, &schanCred, NULL, NULL, &cred, NULL);
443 ok(st == SEC_E_UNKNOWN_CREDENTIALS || st == SEC_E_INTERNAL_ERROR /* WinNT */ ||
444 st == SEC_E_INSUFFICIENT_MEMORY /* win10 */,
445 "Expected SEC_E_UNKNOWN_CREDENTIALS or SEC_E_INTERNAL_ERROR, got %08x\n", st);
446
447 ret = CryptAcquireContextW(&csp, cspNameW, MS_DEF_PROV_W, PROV_RSA_FULL,
448 CRYPT_NEWKEYSET);
449 ok(ret, "CryptAcquireContextW failed: %08x\n", GetLastError());
450 ret = 0;
451
452 ret = CryptImportKey(csp, privKey, sizeof(privKey), 0, 0, &key);
453 ok(ret, "CryptImportKey failed: %08x\n", GetLastError());
454 if (ret)
455 {
456 PCCERT_CONTEXT tmp;
457
458 if (0)
459 {
460 /* Crashes */
461 AcquireCredentialsHandleA(NULL, unisp_name_a, SECPKG_CRED_INBOUND,
462 NULL, &schanCred, NULL, NULL, NULL, NULL);
463
464 /* Crashes on WinNT */
465 /* Good cert with private key, bogus version */
466 schanCred.dwVersion = SCH_CRED_V1;
467 st = AcquireCredentialsHandleA(NULL, unisp_name_a, SECPKG_CRED_OUTBOUND,
468 NULL, &schanCred, NULL, NULL, &cred, NULL);
469 ok(st == SEC_E_INTERNAL_ERROR ||
470 st == SEC_E_UNKNOWN_CREDENTIALS /* Vista/win2k8 */,
471 "Expected SEC_E_INTERNAL_ERROR or SEC_E_UNKNOWN_CREDENTIALS, got %08x\n", st);
472 st = AcquireCredentialsHandleA(NULL, unisp_name_a, SECPKG_CRED_INBOUND,
473 NULL, &schanCred, NULL, NULL, &cred, NULL);
474 ok(st == SEC_E_INTERNAL_ERROR ||
475 st == SEC_E_UNKNOWN_CREDENTIALS /* Vista/win2k8 */,
476 "Expected SEC_E_INTERNAL_ERROR or SEC_E_UNKNOWN_CREDENTIALS, got %08x\n", st);
477 schanCred.dwVersion = SCH_CRED_V2;
478 st = AcquireCredentialsHandleA(NULL, unisp_name_a, SECPKG_CRED_OUTBOUND,
479 NULL, &schanCred, NULL, NULL, &cred, NULL);
480 ok(st == SEC_E_INTERNAL_ERROR ||
481 st == SEC_E_UNKNOWN_CREDENTIALS /* Vista/win2k8 */,
482 "Expected SEC_E_INTERNAL_ERROR or SEC_E_UNKNOWN_CREDENTIALS, got %08x\n", st);
483 st = AcquireCredentialsHandleA(NULL, unisp_name_a, SECPKG_CRED_INBOUND,
484 NULL, &schanCred, NULL, NULL, &cred, NULL);
485 ok(st == SEC_E_INTERNAL_ERROR ||
486 st == SEC_E_UNKNOWN_CREDENTIALS /* Vista/win2k8 */,
487 "Expected SEC_E_INTERNAL_ERROR or SEC_E_UNKNOWN_CREDENTIALS, got %08x\n", st);
488 }
489
490 /* Succeeds on V3 or higher */
491 schanCred.dwVersion = SCH_CRED_V3;
492 st = AcquireCredentialsHandleA(NULL, unisp_name_a, SECPKG_CRED_OUTBOUND,
493 NULL, &schanCred, NULL, NULL, &cred, NULL);
494 ok(st == SEC_E_OK || st == SEC_E_INSUFFICIENT_MEMORY /* win10 */,
495 "AcquireCredentialsHandleA failed: %08x\n", st);
496 FreeCredentialsHandle(&cred);
497 st = AcquireCredentialsHandleA(NULL, unisp_name_a, SECPKG_CRED_INBOUND,
498 NULL, &schanCred, NULL, NULL, &cred, NULL);
499 ok(st == SEC_E_OK || st == SEC_E_UNKNOWN_CREDENTIALS /* win2k3 */ ||
500 st == SEC_E_INSUFFICIENT_MEMORY /* win10 */,
501 "AcquireCredentialsHandleA failed: %08x\n", st);
502 FreeCredentialsHandle(&cred);
503 schanCred.dwVersion = SCHANNEL_CRED_VERSION;
504 st = AcquireCredentialsHandleA(NULL, unisp_name_a, SECPKG_CRED_OUTBOUND,
505 NULL, &schanCred, NULL, NULL, &cred, NULL);
506 ok(st == SEC_E_OK, "AcquireCredentialsHandleA failed: %08x\n", st);
507 FreeCredentialsHandle(&cred);
508 st = AcquireCredentialsHandleA(NULL, unisp_name_a, SECPKG_CRED_INBOUND,
509 NULL, &schanCred, NULL, NULL, &cred, NULL);
510 ok(st == SEC_E_OK ||
511 st == SEC_E_UNKNOWN_CREDENTIALS, /* win2k3 */
512 "AcquireCredentialsHandleA failed: %08x\n", st);
513 if (st == SEC_E_OK) test_strength(&cred);
514 FreeCredentialsHandle(&cred);
515
516 /* How about more than one cert? */
517 schanCred.cCreds = 2;
518 schanCred.paCred = certs;
519 st = AcquireCredentialsHandleA(NULL, unisp_name_a, SECPKG_CRED_OUTBOUND,
520 NULL, &schanCred, NULL, NULL, &cred, NULL);
521 ok(st == SEC_E_UNKNOWN_CREDENTIALS ||
522 st == SEC_E_NO_CREDENTIALS /* Vista/win2k8 */ ||
523 st == SEC_E_INVALID_TOKEN /* WinNT */, "st = %08x\n", st);
524 st = AcquireCredentialsHandleA(NULL, unisp_name_a, SECPKG_CRED_INBOUND,
525 NULL, &schanCred, NULL, NULL, &cred, NULL);
526 ok(st == SEC_E_UNKNOWN_CREDENTIALS ||
527 st == SEC_E_NO_CREDENTIALS ||
528 st == SEC_E_INVALID_TOKEN /* WinNT */, "st = %08x\n", st);
529 tmp = certs[0];
530 certs[0] = certs[1];
531 certs[1] = tmp;
532 st = AcquireCredentialsHandleA(NULL, unisp_name_a, SECPKG_CRED_OUTBOUND,
533 NULL, &schanCred, NULL, NULL, &cred, NULL);
534 ok(st == SEC_E_UNKNOWN_CREDENTIALS ||
535 st == SEC_E_NO_CREDENTIALS ||
536 st == SEC_E_INVALID_TOKEN /* WinNT */, "st = %08x\n", st);
537 st = AcquireCredentialsHandleA(NULL, unisp_name_a, SECPKG_CRED_INBOUND,
538 NULL, &schanCred, NULL, NULL, &cred, NULL);
539 ok(st == SEC_E_UNKNOWN_CREDENTIALS || st == SEC_E_NO_CREDENTIALS,
540 "Expected SEC_E_UNKNOWN_CREDENTIALS, got %08x\n", st);
541 /* FIXME: what about two valid certs? */
542
543 CryptDestroyKey(key);
544 }
545
546 CryptReleaseContext(csp, 0);
547 CryptAcquireContextW(&csp, cspNameW, MS_DEF_PROV_W, PROV_RSA_FULL, CRYPT_DELETEKEYSET);
548
549 CertFreeCertificateContext(certs[0]);
550 CertFreeCertificateContext(certs[1]);
551 }
552
553 static void test_remote_cert(PCCERT_CONTEXT remote_cert)
554 {
555 PCCERT_CONTEXT iter = NULL;
556 BOOL incl_remote = FALSE;
557 unsigned cert_cnt = 0;
558
559 ok(remote_cert->hCertStore != NULL, "hCertStore == NULL\n");
560
561 while((iter = CertEnumCertificatesInStore(remote_cert->hCertStore, iter))) {
562 if(iter == remote_cert)
563 incl_remote = TRUE;
564 cert_cnt++;
565 }
566
567 ok(cert_cnt == 2, "cert_cnt = %u\n", cert_cnt);
568 ok(incl_remote, "context does not contain cert itself\n");
569 }
570
571 static const char http_request[] = "HEAD /test.html HTTP/1.1\r\nHost: test.winehq.org\r\nConnection: close\r\n\r\n";
572
573 static void init_buffers(SecBufferDesc *desc, unsigned count, unsigned size)
574 {
575 desc->ulVersion = SECBUFFER_VERSION;
576 desc->cBuffers = count;
577 desc->pBuffers = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, count*sizeof(SecBuffer));
578
579 desc->pBuffers[0].cbBuffer = size;
580 desc->pBuffers[0].pvBuffer = HeapAlloc(GetProcessHeap(), 0, size);
581 }
582
583 static void reset_buffers(SecBufferDesc *desc)
584 {
585 unsigned i;
586
587 for (i = 0; i < desc->cBuffers; ++i)
588 {
589 desc->pBuffers[i].BufferType = SECBUFFER_EMPTY;
590 if (i > 0)
591 {
592 desc->pBuffers[i].cbBuffer = 0;
593 desc->pBuffers[i].pvBuffer = NULL;
594 }
595 }
596 }
597
598 static void free_buffers(SecBufferDesc *desc)
599 {
600 HeapFree(GetProcessHeap(), 0, desc->pBuffers[0].pvBuffer);
601 HeapFree(GetProcessHeap(), 0, desc->pBuffers);
602 }
603
604 static int receive_data(SOCKET sock, SecBuffer *buf)
605 {
606 unsigned received = 0;
607
608 while (1)
609 {
610 unsigned char *data = buf->pvBuffer;
611 unsigned expected = 0;
612 int ret;
613
614 ret = recv(sock, (char *)data+received, buf->cbBuffer-received, 0);
615 if (ret == -1)
616 {
617 skip("recv failed\n");
618 return -1;
619 }
620 else if(ret == 0)
621 {
622 skip("connection closed\n");
623 return -1;
624 }
625 received += ret;
626
627 while (expected < received)
628 {
629 unsigned frame_size = 5 + ((data[3]<<8) | data[4]);
630 expected += frame_size;
631 data += frame_size;
632 }
633
634 if (expected == received)
635 break;
636 }
637
638 buf->cbBuffer = received;
639
640 return received;
641 }
642
643 static void test_InitializeSecurityContext(void)
644 {
645 SCHANNEL_CRED cred;
646 CredHandle cred_handle;
647 CtxtHandle context;
648 SECURITY_STATUS status;
649 SecBuffer out_buffer = {1000, SECBUFFER_TOKEN, NULL};
650 SecBuffer in_buffer = {0, SECBUFFER_EMPTY, NULL};
651 SecBufferDesc out_buffers = {SECBUFFER_VERSION, 1, &out_buffer};
652 SecBufferDesc in_buffers = {SECBUFFER_VERSION, 1, &in_buffer};
653 ULONG attrs;
654
655 init_cred(&cred);
656 cred.grbitEnabledProtocols = SP_PROT_TLS1_CLIENT;
657 cred.dwFlags = SCH_CRED_NO_DEFAULT_CREDS|SCH_CRED_MANUAL_CRED_VALIDATION;
658 status = AcquireCredentialsHandleA(NULL, (SEC_CHAR *)UNISP_NAME_A, SECPKG_CRED_OUTBOUND, NULL,
659 &cred, NULL, NULL, &cred_handle, NULL);
660 ok(status == SEC_E_OK, "AcquireCredentialsHandleA failed: %08x\n", status);
661 if (status != SEC_E_OK) return;
662
663 status = InitializeSecurityContextA(&cred_handle, NULL, (SEC_CHAR *)"localhost",
664 ISC_REQ_CONFIDENTIALITY|ISC_REQ_STREAM|ISC_REQ_ALLOCATE_MEMORY,
665 0, 0, &in_buffers, 0, &context, &out_buffers, &attrs, NULL);
666 ok(status == SEC_I_CONTINUE_NEEDED, "Expected SEC_I_CONTINUE_NEEDED, got %08x\n", status);
667
668 FreeContextBuffer(out_buffer.pvBuffer);
669 DeleteSecurityContext(&context);
670 FreeCredentialsHandle(&cred_handle);
671 }
672
673 static SOCKET create_ssl_socket( const char *hostname )
674 {
675 struct hostent *host;
676 struct sockaddr_in addr;
677 SOCKET sock;
678
679 if (!(host = gethostbyname(hostname)))
680 {
681 skip("Can't resolve \"%s\"\n", hostname);
682 return -1;
683 }
684
685 addr.sin_family = host->h_addrtype;
686 addr.sin_addr = *(struct in_addr *)host->h_addr_list[0];
687 addr.sin_port = htons(443);
688 if ((sock = socket(host->h_addrtype, SOCK_STREAM, 0)) == -1)
689 {
690 skip("Can't create socket\n");
691 return 1;
692 }
693
694 if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == -1)
695 {
696 skip("Can't connect to \"%s\"\n", hostname);
697 closesocket(sock);
698 return -1;
699 }
700
701 return sock;
702 }
703
704 static void test_communication(void)
705 {
706 int ret;
707 SOCKET sock;
708
709 SECURITY_STATUS status;
710 ULONG attrs;
711
712 SCHANNEL_CRED cred;
713 CredHandle cred_handle;
714 CtxtHandle context;
715 SecPkgCredentials_NamesA names;
716 SecPkgContext_StreamSizes sizes;
717 SecPkgContext_ConnectionInfo conn_info;
718 SecPkgContext_KeyInfoA key_info;
719 CERT_CONTEXT *cert;
720 SecPkgContext_NegotiationInfoA info;
721
722 SecBufferDesc buffers[2];
723 SecBuffer *buf;
724 unsigned buf_size = 8192;
725 unsigned char *data;
726 unsigned data_size;
727
728 if (!pQueryContextAttributesA)
729 {
730 win_skip("Required secur32 functions not available\n");
731 return;
732 }
733
734 /* Create a socket and connect to test.winehq.org */
735 if ((sock = create_ssl_socket( "test.winehq.org" )) == -1) return;
736
737 /* Create client credentials */
738 init_cred(&cred);
739 cred.grbitEnabledProtocols = SP_PROT_TLS1_CLIENT;
740 cred.dwFlags = SCH_CRED_NO_DEFAULT_CREDS|SCH_CRED_MANUAL_CRED_VALIDATION;
741
742 status = AcquireCredentialsHandleA(NULL, (SEC_CHAR *)UNISP_NAME_A, SECPKG_CRED_OUTBOUND, NULL,
743 &cred, NULL, NULL, &cred_handle, NULL);
744 ok(status == SEC_E_OK, "AcquireCredentialsHandleA failed: %08x\n", status);
745 if (status != SEC_E_OK) return;
746
747 /* Initialize the connection */
748 init_buffers(&buffers[0], 4, buf_size);
749 init_buffers(&buffers[1], 4, buf_size);
750
751 buffers[0].pBuffers[0].BufferType = SECBUFFER_TOKEN;
752 status = InitializeSecurityContextA(&cred_handle, NULL, (SEC_CHAR *)"localhost",
753 ISC_REQ_CONFIDENTIALITY|ISC_REQ_STREAM,
754 0, 0, NULL, 0, &context, &buffers[0], &attrs, NULL);
755 ok(status == SEC_I_CONTINUE_NEEDED, "Expected SEC_I_CONTINUE_NEEDED, got %08x\n", status);
756
757 buffers[1].cBuffers = 1;
758 buffers[1].pBuffers[0].BufferType = SECBUFFER_TOKEN;
759 buffers[0].pBuffers[0].cbBuffer = 1;
760 memset(buffers[1].pBuffers[0].pvBuffer, 0xfa, buf_size);
761 status = InitializeSecurityContextA(&cred_handle, &context, (SEC_CHAR *)"localhost",
762 ISC_REQ_CONFIDENTIALITY|ISC_REQ_STREAM,
763 0, 0, &buffers[1], 0, NULL, &buffers[0], &attrs, NULL);
764 todo_wine
765 ok(status == SEC_E_INVALID_TOKEN, "Expected SEC_E_INVALID_TOKEN, got %08x\n", status);
766 todo_wine
767 ok(buffers[0].pBuffers[0].cbBuffer == 0, "Output buffer size was not set to 0.\n");
768
769 buffers[1].cBuffers = 1;
770 buffers[1].pBuffers[0].BufferType = SECBUFFER_TOKEN;
771 buffers[0].pBuffers[0].cbBuffer = 1;
772 memset(buffers[1].pBuffers[0].pvBuffer, 0, buf_size);
773 status = InitializeSecurityContextA(&cred_handle, &context, (SEC_CHAR *)"localhost",
774 ISC_REQ_CONFIDENTIALITY|ISC_REQ_STREAM,
775 0, 0, &buffers[1], 0, NULL, &buffers[0], &attrs, NULL);
776 ok(status == SEC_E_INVALID_TOKEN, "Expected SEC_E_INVALID_TOKEN, got %08x\n", status);
777 ok(buffers[0].pBuffers[0].cbBuffer == 0, "Output buffer size was not set to 0.\n");
778
779 buffers[0].pBuffers[0].cbBuffer = 0;
780 status = InitializeSecurityContextA(&cred_handle, &context, (SEC_CHAR *)"localhost",
781 ISC_REQ_CONFIDENTIALITY|ISC_REQ_STREAM,
782 0, 0, &buffers[1], 0, NULL, &buffers[0], &attrs, NULL);
783 todo_wine
784 ok(status == SEC_E_INSUFFICIENT_MEMORY || status == SEC_E_INVALID_TOKEN,
785 "Expected SEC_E_INSUFFICIENT_MEMORY or SEC_E_INVALID_TOKEN, got %08x\n", status);
786 ok(buffers[0].pBuffers[0].cbBuffer == 0, "Output buffer size was not set to 0.\n");
787
788 status = InitializeSecurityContextA(&cred_handle, NULL, (SEC_CHAR *)"localhost",
789 ISC_REQ_CONFIDENTIALITY|ISC_REQ_STREAM,
790 0, 0, NULL, 0, &context, NULL, &attrs, NULL);
791 todo_wine
792 ok(status == SEC_E_INVALID_TOKEN, "Expected SEC_E_INVALID_TOKEN, got %08x\n", status);
793
794 buffers[0].pBuffers[0].cbBuffer = buf_size;
795 status = InitializeSecurityContextA(&cred_handle, NULL, (SEC_CHAR *)"localhost",
796 ISC_REQ_CONFIDENTIALITY|ISC_REQ_STREAM,
797 0, 0, NULL, 0, &context, &buffers[0], &attrs, NULL);
798 ok(status == SEC_I_CONTINUE_NEEDED, "Expected SEC_I_CONTINUE_NEEDED, got %08x\n", status);
799
800 buf = &buffers[0].pBuffers[0];
801 send(sock, buf->pvBuffer, buf->cbBuffer, 0);
802 buf->cbBuffer = buf_size;
803
804 status = InitializeSecurityContextA(&cred_handle, &context, (SEC_CHAR *)"localhost",
805 ISC_REQ_CONFIDENTIALITY|ISC_REQ_STREAM,
806 0, 0, NULL, 0, NULL, &buffers[0], &attrs, NULL);
807 ok(status == SEC_E_INCOMPLETE_MESSAGE, "Got unexpected status %#x.\n", status);
808 ok(buffers[0].pBuffers[0].cbBuffer == buf_size, "Output buffer size changed.\n");
809 ok(buffers[0].pBuffers[0].BufferType == SECBUFFER_TOKEN, "Output buffer type changed.\n");
810
811 buffers[1].cBuffers = 1;
812 buffers[1].pBuffers[0].cbBuffer = 0;
813
814 status = InitializeSecurityContextA(&cred_handle, &context, (SEC_CHAR *)"localhost",
815 ISC_REQ_CONFIDENTIALITY|ISC_REQ_STREAM,
816 0, 0, &buffers[1], 0, NULL, &buffers[0], &attrs, NULL);
817 ok(status == SEC_E_INCOMPLETE_MESSAGE, "Got unexpected status %#x.\n", status);
818 ok(buffers[0].pBuffers[0].cbBuffer == buf_size, "Output buffer size changed.\n");
819 ok(buffers[0].pBuffers[0].BufferType == SECBUFFER_TOKEN, "Output buffer type changed.\n");
820
821 buf = &buffers[1].pBuffers[0];
822 buf->cbBuffer = buf_size;
823 ret = receive_data(sock, buf);
824 if (ret == -1)
825 return;
826
827 buffers[1].pBuffers[0].cbBuffer = 4;
828 status = InitializeSecurityContextA(&cred_handle, &context, (SEC_CHAR *)"localhost",
829 ISC_REQ_CONFIDENTIALITY|ISC_REQ_STREAM,
830 0, 0, &buffers[1], 0, NULL, &buffers[0], &attrs, NULL);
831 ok(status == SEC_E_INCOMPLETE_MESSAGE || status == SEC_E_INVALID_TOKEN,
832 "Got unexpected status %#x.\n", status);
833 ok(buffers[0].pBuffers[0].cbBuffer == buf_size, "Output buffer size changed.\n");
834 ok(buffers[0].pBuffers[0].BufferType == SECBUFFER_TOKEN, "Output buffer type changed.\n");
835
836 buffers[1].pBuffers[0].cbBuffer = 5;
837 status = InitializeSecurityContextA(&cred_handle, &context, (SEC_CHAR *)"localhost",
838 ISC_REQ_CONFIDENTIALITY|ISC_REQ_STREAM,
839 0, 0, &buffers[1], 0, NULL, &buffers[0], &attrs, NULL);
840 ok(status == SEC_E_INCOMPLETE_MESSAGE || status == SEC_E_INVALID_TOKEN,
841 "Got unexpected status %#x.\n", status);
842 ok(buffers[0].pBuffers[0].cbBuffer == buf_size, "Output buffer size changed.\n");
843 ok(buffers[0].pBuffers[0].BufferType == SECBUFFER_TOKEN, "Output buffer type changed.\n");
844
845 buffers[1].pBuffers[0].cbBuffer = ret;
846 status = InitializeSecurityContextA(&cred_handle, &context, (SEC_CHAR *)"localhost",
847 ISC_REQ_CONFIDENTIALITY|ISC_REQ_STREAM|ISC_REQ_USE_SUPPLIED_CREDS,
848 0, 0, &buffers[1], 0, NULL, &buffers[0], &attrs, NULL);
849 buffers[1].pBuffers[0].cbBuffer = buf_size;
850 while (status == SEC_I_CONTINUE_NEEDED)
851 {
852 buf = &buffers[0].pBuffers[0];
853 send(sock, buf->pvBuffer, buf->cbBuffer, 0);
854 buf->cbBuffer = buf_size;
855
856 buf = &buffers[1].pBuffers[0];
857 ret = receive_data(sock, buf);
858 if (ret == -1)
859 return;
860
861 buf->BufferType = SECBUFFER_TOKEN;
862
863 status = InitializeSecurityContextA(&cred_handle, &context, (SEC_CHAR *)"localhost",
864 ISC_REQ_USE_SUPPLIED_CREDS,
865 0, 0, &buffers[1], 0, NULL, &buffers[0], &attrs, NULL);
866 buffers[1].pBuffers[0].cbBuffer = buf_size;
867 }
868
869 ok(buffers[0].pBuffers[0].cbBuffer == 0, "Output buffer size was not set to 0.\n");
870 ok(status == SEC_E_OK || broken(status == SEC_E_ILLEGAL_MESSAGE) /* winxp */,
871 "InitializeSecurityContext failed: %08x\n", status);
872 if(status != SEC_E_OK) {
873 skip("Handshake failed\n");
874 return;
875 }
876 ok(attrs == (ISC_RET_REPLAY_DETECT|ISC_RET_SEQUENCE_DETECT|ISC_RET_CONFIDENTIALITY|ISC_RET_STREAM|ISC_RET_USED_SUPPLIED_CREDS),
877 "got %08x\n", attrs);
878
879 status = QueryCredentialsAttributesA(&cred_handle, SECPKG_CRED_ATTR_NAMES, &names);
880 ok(status == SEC_E_NO_CREDENTIALS || status == SEC_E_UNSUPPORTED_FUNCTION /* before Vista */, "expected SEC_E_NO_CREDENTIALS, got %08x\n", status);
881
882 status = pQueryContextAttributesA(&context, SECPKG_ATTR_REMOTE_CERT_CONTEXT, (void*)&cert);
883 ok(status == SEC_E_OK, "QueryContextAttributesW(SECPKG_ATTR_REMOTE_CERT_CONTEXT) failed: %08x\n", status);
884 if(status == SEC_E_OK) {
885 SecPkgContext_Bindings bindings = {0xdeadbeef, (void*)0xdeadbeef};
886
887 test_remote_cert(cert);
888
889 status = pQueryContextAttributesA(&context, SECPKG_ATTR_ENDPOINT_BINDINGS, &bindings);
890 ok(status == SEC_E_OK || broken(status == SEC_E_UNSUPPORTED_FUNCTION),
891 "QueryContextAttributesW(SECPKG_ATTR_ENDPOINT_BINDINGS) failed: %08x\n", status);
892 if(status == SEC_E_OK) {
893 static const char prefix[] = "tls-server-end-point:";
894 const char *p;
895 BYTE hash[64];
896 DWORD hash_size;
897
898 ok(bindings.BindingsLength == sizeof(*bindings.Bindings) + sizeof(prefix)-1 + 32 /* hash size */,
899 "bindings.BindingsLength = %u\n", bindings.BindingsLength);
900 ok(!bindings.Bindings->dwInitiatorAddrType, "dwInitiatorAddrType = %x\n", bindings.Bindings->dwInitiatorAddrType);
901 ok(!bindings.Bindings->cbInitiatorLength, "cbInitiatorLength = %x\n", bindings.Bindings->cbInitiatorLength);
902 ok(!bindings.Bindings->dwInitiatorOffset, "dwInitiatorOffset = %x\n", bindings.Bindings->dwInitiatorOffset);
903 ok(!bindings.Bindings->dwAcceptorAddrType, "dwAcceptorAddrType = %x\n", bindings.Bindings->dwAcceptorAddrType);
904 ok(!bindings.Bindings->cbAcceptorLength, "cbAcceptorLength = %x\n", bindings.Bindings->cbAcceptorLength);
905 ok(!bindings.Bindings->dwAcceptorOffset, "dwAcceptorOffset = %x\n", bindings.Bindings->dwAcceptorOffset);
906 ok(sizeof(*bindings.Bindings) + bindings.Bindings->cbApplicationDataLength == bindings.BindingsLength,
907 "cbApplicationDataLength = %x\n", bindings.Bindings->cbApplicationDataLength);
908 ok(bindings.Bindings->dwApplicationDataOffset == sizeof(*bindings.Bindings),
909 "dwApplicationDataOffset = %x\n", bindings.Bindings->dwApplicationDataOffset);
910 p = (const char*)(bindings.Bindings+1);
911 ok(!memcmp(p, prefix, sizeof(prefix)-1), "missing prefix\n");
912 p += sizeof(prefix)-1;
913
914 hash_size = sizeof(hash);
915 ret = CryptHashCertificate(0, CALG_SHA_256, 0, cert->pbCertEncoded, cert->cbCertEncoded, hash, &hash_size);
916 if(ret) {
917 ok(hash_size == 32, "hash_size = %u\n", hash_size);
918 ok(!memcmp(hash, p, hash_size), "unexpected hash part\n");
919 }else {
920 win_skip("SHA 256 hash not supported.\n");
921 }
922
923 FreeContextBuffer(bindings.Bindings);
924 }else {
925 win_skip("SECPKG_ATTR_ENDPOINT_BINDINGS not supported\n");
926 }
927
928 CertFreeCertificateContext(cert);
929 }
930
931 status = pQueryContextAttributesA(&context, SECPKG_ATTR_CONNECTION_INFO, (void*)&conn_info);
932 ok(status == SEC_E_OK, "QueryContextAttributesW(SECPKG_ATTR_CONNECTION_INFO) failed: %08x\n", status);
933 if(status == SEC_E_OK) {
934 ok(conn_info.dwCipherStrength >= 128, "conn_info.dwCipherStrength = %d\n", conn_info.dwCipherStrength);
935 ok(conn_info.dwHashStrength >= 128, "conn_info.dwHashStrength = %d\n", conn_info.dwHashStrength);
936 }
937
938 status = pQueryContextAttributesA(&context, SECPKG_ATTR_KEY_INFO, &key_info);
939 ok(status == SEC_E_OK, "QueryContextAttributesW(SECPKG_ATTR_KEY_INFO) failed: %08x\n", status);
940 if(status == SEC_E_OK) {
941 ok(broken(key_info.SignatureAlgorithm == 0 /* WinXP,2003 */) ||
942 key_info.SignatureAlgorithm == CALG_RSA_SIGN,
943 "key_info.SignatureAlgorithm = %04x\n", key_info.SignatureAlgorithm);
944 ok(broken(key_info.SignatureAlgorithm == 0 /* WinXP,2003 */) ||
945 !strcmp(key_info.sSignatureAlgorithmName, "RSA"),
946 "key_info.sSignatureAlgorithmName = %s\n", key_info.sSignatureAlgorithmName);
947 ok(key_info.KeySize >= 128, "key_info.KeySize = %d\n", key_info.KeySize);
948 }
949
950 status = pQueryContextAttributesA(&context, SECPKG_ATTR_STREAM_SIZES, &sizes);
951 ok(status == SEC_E_OK, "QueryContextAttributesW(SECPKG_ATTR_STREAM_SIZES) failed: %08x\n", status);
952
953 status = pQueryContextAttributesA(&context, SECPKG_ATTR_NEGOTIATION_INFO, &info);
954 ok(status == SEC_E_UNSUPPORTED_FUNCTION, "QueryContextAttributesA returned %08x\n", status);
955
956 reset_buffers(&buffers[0]);
957
958 /* Send a simple request so we get data for testing DecryptMessage */
959 buf = &buffers[0].pBuffers[0];
960 data = buf->pvBuffer;
961 buf->BufferType = SECBUFFER_STREAM_HEADER;
962 buf->cbBuffer = sizes.cbHeader;
963 ++buf;
964 buf->BufferType = SECBUFFER_DATA;
965 buf->pvBuffer = data + sizes.cbHeader;
966 buf->cbBuffer = sizeof(http_request) - 1;
967 memcpy(buf->pvBuffer, http_request, sizeof(http_request) - 1);
968 ++buf;
969 buf->BufferType = SECBUFFER_STREAM_TRAILER;
970 buf->pvBuffer = data + sizes.cbHeader + sizeof(http_request) -1;
971 buf->cbBuffer = sizes.cbTrailer;
972
973 status = EncryptMessage(&context, 0, &buffers[0], 0);
974 ok(status == SEC_E_OK, "EncryptMessage failed: %08x\n", status);
975 if (status != SEC_E_OK)
976 return;
977
978 buf = &buffers[0].pBuffers[0];
979 send(sock, buf->pvBuffer, buffers[0].pBuffers[0].cbBuffer + buffers[0].pBuffers[1].cbBuffer + buffers[0].pBuffers[2].cbBuffer, 0);
980
981 reset_buffers(&buffers[0]);
982 buf->cbBuffer = buf_size;
983 data_size = receive_data(sock, buf);
984
985 /* Too few buffers */
986 --buffers[0].cBuffers;
987 status = DecryptMessage(&context, &buffers[0], 0, NULL);
988 ok(status == SEC_E_INVALID_TOKEN, "Expected SEC_E_INVALID_TOKEN, got %08x\n", status);
989
990 /* No data buffer */
991 ++buffers[0].cBuffers;
992 status = DecryptMessage(&context, &buffers[0], 0, NULL);
993 ok(status == SEC_E_INVALID_TOKEN, "Expected SEC_E_INVALID_TOKEN, got %08x\n", status);
994
995 /* Two data buffers */
996 buffers[0].pBuffers[0].BufferType = SECBUFFER_DATA;
997 buffers[0].pBuffers[1].BufferType = SECBUFFER_DATA;
998 status = DecryptMessage(&context, &buffers[0], 0, NULL);
999 ok(status == SEC_E_INVALID_TOKEN, "Expected SEC_E_INVALID_TOKEN, got %08x\n", status);
1000
1001 /* Too few empty buffers */
1002 buffers[0].pBuffers[1].BufferType = SECBUFFER_EXTRA;
1003 status = DecryptMessage(&context, &buffers[0], 0, NULL);
1004 ok(status == SEC_E_INVALID_TOKEN, "Expected SEC_E_INVALID_TOKEN, got %08x\n", status);
1005
1006 /* Incomplete data */
1007 buffers[0].pBuffers[1].BufferType = SECBUFFER_EMPTY;
1008 buffers[0].pBuffers[0].cbBuffer = (data[3]<<8) | data[4];
1009 status = DecryptMessage(&context, &buffers[0], 0, NULL);
1010 ok(status == SEC_E_INCOMPLETE_MESSAGE, "Expected SEC_E_INCOMPLETE_MESSAGE, got %08x\n", status);
1011 ok(buffers[0].pBuffers[0].BufferType == SECBUFFER_MISSING, "Expected first buffer to be SECBUFFER_MISSING\n");
1012 ok(buffers[0].pBuffers[0].cbBuffer == 5, "Expected first buffer to be a five bytes\n");
1013
1014 buffers[0].pBuffers[0].cbBuffer = data_size;
1015 buffers[0].pBuffers[0].BufferType = SECBUFFER_DATA;
1016 buffers[0].pBuffers[1].BufferType = SECBUFFER_EMPTY;
1017 status = DecryptMessage(&context, &buffers[0], 0, NULL);
1018 ok(status == SEC_E_OK, "DecryptMessage failed: %08x\n", status);
1019 if (status == SEC_E_OK)
1020 {
1021 ok(buffers[0].pBuffers[0].BufferType == SECBUFFER_STREAM_HEADER, "Expected first buffer to be SECBUFFER_STREAM_HEADER\n");
1022 ok(buffers[0].pBuffers[1].BufferType == SECBUFFER_DATA, "Expected second buffer to be SECBUFFER_DATA\n");
1023 ok(buffers[0].pBuffers[2].BufferType == SECBUFFER_STREAM_TRAILER, "Expected third buffer to be SECBUFFER_STREAM_TRAILER\n");
1024
1025 data = buffers[0].pBuffers[1].pvBuffer;
1026 data[buffers[0].pBuffers[1].cbBuffer] = 0;
1027 }
1028
1029 DeleteSecurityContext(&context);
1030 FreeCredentialsHandle(&cred_handle);
1031
1032 free_buffers(&buffers[0]);
1033 free_buffers(&buffers[1]);
1034
1035 closesocket(sock);
1036 }
1037
1038 static void test_application_protocol_negotiation(void)
1039 {
1040 int ret;
1041 SOCKET sock;
1042 SECURITY_STATUS status;
1043 ULONG attrs;
1044 SCHANNEL_CRED cred;
1045 CredHandle cred_handle;
1046 CtxtHandle context;
1047 SecPkgContext_ApplicationProtocol protocol;
1048 SecBufferDesc buffers[3];
1049 SecBuffer *buf;
1050 unsigned buf_size = 8192;
1051 unsigned char *alpn_buffer;
1052 unsigned int *extension_len;
1053 unsigned short *list_len;
1054 int list_start_index, offset = 0;
1055
1056 if (!pQueryContextAttributesA)
1057 {
1058 win_skip("Required secur32 functions not available\n");
1059 return;
1060 }
1061
1062 if ((sock = create_ssl_socket( "test.winehq.org" )) == -1) return;
1063
1064 init_cred(&cred);
1065 cred.grbitEnabledProtocols = SP_PROT_TLS1_CLIENT;
1066 cred.dwFlags = SCH_CRED_NO_DEFAULT_CREDS|SCH_CRED_MANUAL_CRED_VALIDATION;
1067
1068 status = AcquireCredentialsHandleA(NULL, (SEC_CHAR *)UNISP_NAME_A, SECPKG_CRED_OUTBOUND, NULL,
1069 &cred, NULL, NULL, &cred_handle, NULL);
1070 ok(status == SEC_E_OK, "got %08x\n", status);
1071 if (status != SEC_E_OK) return;
1072
1073 init_buffers(&buffers[0], 4, buf_size);
1074 init_buffers(&buffers[1], 4, buf_size);
1075 init_buffers(&buffers[2], 1, 128);
1076
1077 alpn_buffer = buffers[2].pBuffers[0].pvBuffer;
1078 extension_len = (unsigned int *)&alpn_buffer[offset];
1079 offset += sizeof(*extension_len);
1080 *(unsigned int *)&alpn_buffer[offset] = SecApplicationProtocolNegotiationExt_ALPN;
1081 offset += sizeof(unsigned int);
1082 list_len = (unsigned short *)&alpn_buffer[offset];
1083 offset += sizeof(*list_len);
1084 list_start_index = offset;
1085
1086 alpn_buffer[offset++] = sizeof("http/1.1") - 1;
1087 memcpy(&alpn_buffer[offset], "http/1.1", sizeof("http/1.1") - 1);
1088 offset += sizeof("http/1.1") - 1;
1089 alpn_buffer[offset++] = sizeof("h2") - 1;
1090 memcpy(&alpn_buffer[offset], "h2", sizeof("h2") - 1);
1091 offset += sizeof("h2") - 1;
1092
1093 *list_len = offset - list_start_index;
1094 *extension_len = *list_len + sizeof(*extension_len) + sizeof(*list_len);
1095
1096 buffers[2].pBuffers[0].BufferType = SECBUFFER_APPLICATION_PROTOCOLS;
1097 buffers[2].pBuffers[0].cbBuffer = offset;
1098
1099 buffers[0].pBuffers[0].BufferType = SECBUFFER_TOKEN;
1100 status = InitializeSecurityContextA(&cred_handle, NULL, (SEC_CHAR *)"localhost",
1101 ISC_REQ_CONFIDENTIALITY|ISC_REQ_STREAM, 0, 0, &buffers[2], 0, &context, &buffers[0], &attrs, NULL);
1102 ok(status == SEC_I_CONTINUE_NEEDED, "got %08x\n", status);
1103
1104 buf = &buffers[0].pBuffers[0];
1105 send(sock, buf->pvBuffer, buf->cbBuffer, 0);
1106 buf->cbBuffer = buf_size;
1107
1108 buf = &buffers[1].pBuffers[0];
1109 buf->cbBuffer = buf_size;
1110 ret = receive_data(sock, buf);
1111 if (ret == -1)
1112 return;
1113
1114 buffers[1].pBuffers[0].BufferType = SECBUFFER_TOKEN;
1115 status = InitializeSecurityContextA(&cred_handle, &context, (SEC_CHAR *)"localhost",
1116 ISC_REQ_CONFIDENTIALITY|ISC_REQ_STREAM|ISC_REQ_USE_SUPPLIED_CREDS, 0, 0, &buffers[1], 0, NULL,
1117 &buffers[0], &attrs, NULL);
1118 buffers[1].pBuffers[0].cbBuffer = buf_size;
1119 while (status == SEC_I_CONTINUE_NEEDED)
1120 {
1121 buf = &buffers[0].pBuffers[0];
1122 send(sock, buf->pvBuffer, buf->cbBuffer, 0);
1123 buf->cbBuffer = buf_size;
1124
1125 buf = &buffers[1].pBuffers[0];
1126 ret = receive_data(sock, buf);
1127 if (ret == -1)
1128 return;
1129
1130 buf->BufferType = SECBUFFER_TOKEN;
1131 status = InitializeSecurityContextA(&cred_handle, &context, (SEC_CHAR *)"localhost",
1132 ISC_REQ_USE_SUPPLIED_CREDS, 0, 0, &buffers[1], 0, NULL, &buffers[0], &attrs, NULL);
1133 buffers[1].pBuffers[0].cbBuffer = buf_size;
1134 }
1135
1136 ok (status == SEC_E_OK || broken(status == SEC_E_ILLEGAL_MESSAGE) /* winxp */, "got %08x\n", status);
1137 if (status != SEC_E_OK)
1138 {
1139 skip("Handshake failed\n");
1140 return;
1141 }
1142
1143 memset(&protocol, 0, sizeof(protocol));
1144 status = pQueryContextAttributesA(&context, SECPKG_ATTR_APPLICATION_PROTOCOL, &protocol);
1145 ok(status == SEC_E_OK || broken(status == SEC_E_UNSUPPORTED_FUNCTION) /* win2k8 */, "got %08x\n", status);
1146 if (status == SEC_E_OK)
1147 {
1148 ok(protocol.ProtoNegoStatus == SecApplicationProtocolNegotiationStatus_Success, "got %u\n", protocol.ProtoNegoStatus);
1149 ok(protocol.ProtoNegoExt == SecApplicationProtocolNegotiationExt_ALPN, "got %u\n", protocol.ProtoNegoExt);
1150 ok(protocol.ProtocolIdSize == 8, "got %u\n", protocol.ProtocolIdSize);
1151 ok(!memcmp(protocol.ProtocolId, "http/1.1", 8), "wrong protocol id\n");
1152 }
1153
1154 DeleteSecurityContext(&context);
1155 FreeCredentialsHandle(&cred_handle);
1156
1157 free_buffers(&buffers[0]);
1158 free_buffers(&buffers[1]);
1159 free_buffers(&buffers[2]);
1160
1161 closesocket(sock);
1162 }
1163
1164 START_TEST(schannel)
1165 {
1166 WSADATA wsa_data;
1167 pQueryContextAttributesA = (void*)GetProcAddress(GetModuleHandleA("secur32.dll"), "QueryContextAttributesA");
1168
1169 WSAStartup(0x0202, &wsa_data);
1170
1171 test_cread_attrs();
1172 testAcquireSecurityContext();
1173 test_InitializeSecurityContext();
1174 test_communication();
1175 test_application_protocol_negotiation();
1176 }
Zebediah Figura's local tree