Use SCH_CREDENTIALS instead of SCHANNEL_CREDS (#111)

anrossi · web-flow · commit 451f79aa476f · 2020-02-07T15:56:25.000-08:00
This change updates the Schannel platform code to use the newer SCH_CREDENTIALS struct instead of the legacy SCHANNEL_CREDS struct.
Also added an -InitialBreak flag to test.ps1 which helps debugging.
diff --git a/build.ps1 b/build.ps1
@@ -134,10 +134,10 @@ function Install-Azure-Dependencies {
     if ($IsWindows) {
         # Enable SChannel TLS 1.3 (client and server).
         $TlsServerKeyPath = "HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server"
-        reg.exe add $TlsServerKeyPath /v DisabledByDefault /t REG_DWORD /d 1 /f | Out-Null
+        # reg.exe add $TlsServerKeyPath /v DisabledByDefault /t REG_DWORD /d 1 /f | Out-Null
         reg.exe add $TlsServerKeyPath /v Enabled /t REG_DWORD /d 1 /f | Out-Null
         $TlsClientKeyPath = "HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client"
-        reg.exe add $TlsClientKeyPath /v DisabledByDefault /t REG_DWORD /d 1 /f | Out-Null
+        # reg.exe add $TlsClientKeyPath /v DisabledByDefault /t REG_DWORD /d 1 /f | Out-Null
         reg.exe add $TlsClientKeyPath /v Enabled /t REG_DWORD /d 1 /f | Out-Null
         # Make sure procdump is installed
         Install-ProcDump
diff --git a/src/platform/tls_schannel.c b/src/platform/tls_schannel.c
@@ -49,6 +49,7 @@
 #include <winerror.h>
 #endif
 
+#define SCHANNEL_USE_BLACKLISTS
 #include <schannel.h>
 
 uint16_t QuicTlsTPHeaderSize = FIELD_OFFSET(SEND_GENERIC_TLS_EXTENSION, Buffer);
@@ -125,7 +126,12 @@ typedef struct QUIC_ACHA_CONTEXT {
     //
     // Holds the credentials configuration for the lifetime of the async call.
     //
-    SCHANNEL_CRED Credentials;
+    SCH_CREDENTIALS Credentials;
+
+    //
+    // Holds TLS configuration for the lifetime of the async call.
+    //
+    TLS_PARAMETERS TlsParameter;
 
 } QUIC_ACHA_CONTEXT;
 #endif
@@ -670,25 +676,35 @@ QuicTlsServerSecConfigCreate(
         goto Error;
     }
 
-    PSCHANNEL_CRED Credentials = &AchaContext->Credentials;
+    PSCH_CREDENTIALS Credentials = &AchaContext->Credentials;
+    Credentials->pTlsParameters = &AchaContext->TlsParameters;
+    Credentials->cTlsParameters = 1;
 #else
-    SCHANNEL_CRED LocalCredentials = { 0 };
-    PSCHANNEL_CRED Credentials = &LocalCredentials;
+    SCH_CREDENTIALS LocalCredentials = { 0 };
+    TLS_PARAMETERS LocalTlsParameters = { 0 };
+    PSCH_CREDENTIALS Credentials = &LocalCredentials;
+    Credentials->pTlsParameters = &LocalTlsParameters;
+    Credentials->cTlsParameters = 1;
 #endif
 
     //
     // Initialize user/kernel-common configuration.
     //
-    Credentials->dwVersion = SCHANNEL_CRED_VERSION;
-    Credentials->grbitEnabledProtocols = SP_PROT_TLS1_3_SERVER;
-    Credentials->cSupportedAlgs = 0;
-    Credentials->palgSupportedAlgs = NULL;
+    Credentials->dwVersion = SCH_CREDENTIALS_VERSION;
+    Credentials->pTlsParameters->grbitDisabledProtocols = (DWORD) ~SP_PROT_TLS1_3_SERVER;
+    Credentials->pTlsParameters->cAlpnIds = 0;
+    Credentials->pTlsParameters->rgstrAlpnIds = NULL; // QUIC manages all the ALPN matching.
+    Credentials->pTlsParameters->cDisabledCrypto = 0;
+    //
+    // TODO: Disallow AES_CCM_8 algorithm, which are undefined in the QUIC-TLS spec.
+    //
+    Credentials->pTlsParameters->pDisabledCrypto = NULL;
     Credentials->dwFlags |= SCH_CRED_NO_SYSTEM_MAPPER;
 
     //
-    // This flag is required to prevent the SSL BEAST attack.
+    // This flag disables known-weak crypto algorithms.
     //
-    Credentials->dwFlags |= SCH_SEND_AUX_RECORD;
+    Credentials->dwFlags |= SCH_USE_STRONG_CRYPTO;
 
     if (Flags & QUIC_SEC_CONFIG_FLAG_ENABLE_OCSP) {
         Credentials->dwFlags |= SCH_CRED_SNI_ENABLE_OCSP;
@@ -917,7 +933,8 @@ QuicTlsClientSecConfigCreate(
     )
 {
     TimeStamp CredExpiration;
-    SCHANNEL_CRED SchannelCred = { 0 };
+    TLS_PARAMETERS TlsParameters = { 0 };
+    SCH_CREDENTIALS SchannelCred = { 0 };
     SECURITY_STATUS SecStatus;
     QUIC_STATUS Status = QUIC_STATUS_SUCCESS;
 
@@ -936,6 +953,7 @@ QuicTlsClientSecConfigCreate(
     Config->RefCount = 1;
 
     SchannelCred.dwFlags = SCH_CRED_NO_DEFAULT_CREDS;
+    SchannelCred.dwFlags |= SCH_USE_STRONG_CRYPTO;
     if (Flags & QUIC_CERTIFICATE_FLAG_DISABLE_CERT_VALIDATION) {
         SchannelCred.dwFlags |= SCH_CRED_MANUAL_CRED_VALIDATION;
     } else if (Flags != 0) {
@@ -946,10 +964,17 @@ QuicTlsClientSecConfigCreate(
         SchannelCred.dwFlags |= SCH_CRED_MANUAL_CRED_VALIDATION;
     }
 
-    SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_3_CLIENT;
-    SchannelCred.dwVersion = SCHANNEL_CRED_VERSION;
-    SchannelCred.cSupportedAlgs = 0;
-    SchannelCred.palgSupportedAlgs = NULL;
+    TlsParameters.grbitDisabledProtocols = (DWORD) ~SP_PROT_TLS1_3_CLIENT;
+    TlsParameters.cAlpnIds = 0;
+    TlsParameters.rgstrAlpnIds = NULL; // Only used on server.
+    TlsParameters.cDisabledCrypto = 0;
+    //
+    // TODO: Disallow AES_CCM_8 algorithm, which are undefined in the QUIC-TLS spec.
+    //
+    TlsParameters.pDisabledCrypto = NULL;
+    SchannelCred.cTlsParameters = 1;
+    SchannelCred.pTlsParameters = &TlsParameters;
+    SchannelCred.dwVersion = SCH_CREDENTIALS_VERSION;
 #ifdef _KERNEL_MODE
     PSECURITY_STRING PackageName = (PSECURITY_STRING) &QuicTlsPackageName;
 #else
diff --git a/test.ps1 b/test.ps1
@@ -30,6 +30,9 @@ This script provides helpers for running executing the MsQuic tests.
 .PARAMETER Debugger
     Attaches the debugger to each test case run.
 
+.PARAMETER InitialBreak
+    Debugger starts broken into the process to allow setting breakpoints, etc.
+
 .PARAMETER BreakOnFailure
     Triggers a break point on a test failure.
 
@@ -92,6 +95,9 @@ param (
     [Parameter(Mandatory = $false)]
     [switch]$Debugger = $false,
 
+    [Parameter(Mandatory = $false)]
+    [switch]$InitialBreak = $false,
+
     [Parameter(Mandatory = $false)]
     [switch]$BreakOnFailure = $false,
 
@@ -222,15 +228,23 @@ function Start-MsQuicTest([String]$Arguments, [String]$OutputDir) {
     if ($IsWindows) {
         if ($Debugger) {
             $pinfo.FileName = "windbg"
-            $pinfo.Arguments = "-g -G $($MsQuicTest) $($Arguments)"
+            if ($InitialBreak) {
+                $pinfo.Arguments = "-G $($MsQuicTest) $($Arguments)"
+            } else {
+                $pinfo.Arguments = "-g -G $($MsQuicTest) $($Arguments)"
+            }
         } else {
             $pinfo.FileName = $ProcDumpExe
             $pinfo.Arguments = "-ma -e -b -l -accepteula -x $($OutputDir) $($MsQuicTest) $($Arguments)"
         }
     } else {
         if ($Debugger) {
             $pinfo.FileName = "gdb"
-            $pinfo.Arguments = "--args $MsQuicTest $Arguments"
+            if ($InitialBreak) {
+                $pinfo.Arguments = "--args $($MsQuicTest) $($Arguments)"
+            } else {
+                $pinfo.Arguments = "-ex=r --args $($MsQuicTest) $($Arguments)"
+            }
         } else {
             $pinfo.FileName = $MsQuicTest
             $pinfo.Arguments = $Arguments
