Amebis/GEANTLink
Amebis/GEANTLink
1
1
Fork 0
Code Issues 3 Pull Requests Actions Packages Projects Releases 50 Wiki Activity

TLS: Revise Schannel flags

Browse Source 
- SCH_USE_STRONG_CRYPTO is now declared in the Windows SDK included with
  Visual Studio 2019. No need to enter this flag numerically any more.

- m_sc_ctx.initialize() and m_sc_ctx.process() should use same flags.
  They are actually. Rather than copy&paste them, declare them in a
  single place.

- Add ISC_REQ_USE_SUPPLIED_CREDS flag. Use the client certificate we
  supply or none at all.

- Add ISC_REQ_MANUAL_CRED_VALIDATION flag. We validate the server
  certificate.

Signed-off-by: Simon Rozman <simon@rozman.si>
This commit is contained in:
Simon Rozman 2020-02-07 12:58:43 +01:00
parent dedaee0693
commit 8c2225992e
1 changed files with 36 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
lib/TLS/src/Method.cpp
View File

@ -243,8 +243,8 @@ void eap::method_tls::begin_session(
SCH_CRED_IGNORE_NO_REVOCATION_CHECK | // dwFlags: Ignore no-revocation-check errors - as we cannot check for revocation, it makes little sense to insist certificate has to have revocation set-up
SCH_CRED_IGNORE_REVOCATION_OFFLINE | // dwFlags: Ignore offline-revocation errors - we do not expect to have network connection yet
SCH_CRED_NO_DEFAULT_CREDS | // dwFlags: If client certificate we provided is not acceptable, do not try to select one on your own
(m_cfg.m_server_names.empty() ? SCH_CRED_NO_SERVERNAME_CHECK : 0) | // dwFlags: When no expected server name is given, do not do the server name check.
0x00400000ul /*SCH_USE_STRONG_CRYPTO*/, // dwFlags: Do not use broken ciphers
(m_cfg.m_server_names.empty() ? SCH_CRED_NO_SERVERNAME_CHECK : 0ul) | // dwFlags: When no expected server name is given, do not do the server name check.
SCH_USE_STRONG_CRYPTO, // dwFlags: Do not use broken ciphers
0 // dwCredFormat
};
SECURITY_STATUS stat = m_sc_cred.acquire(NULL, UNISP_NAME, SECPKG_CRED_OUTBOUND, NULL, &cred);
@ -269,6 +269,19 @@ EapPeerMethodResponseAction eap::method_tls::process_request_packet(
{
assert(pReceivedPacket || dwReceivedPacketSize == 0);
static const ULONG sc_flags =
ISC_REQ_REPLAY_DETECT | // Detect replayed messages that have been encoded by using the EncryptMessage or MakeSignature functions.
ISC_REQ_SEQUENCE_DETECT | // Detect messages received out of sequence.
ISC_REQ_CONFIDENTIALITY | // Encrypt messages by using the EncryptMessage function.
ISC_REQ_INTEGRITY | // Sign messages and verify signatures by using the EncryptMessage and MakeSignature functions.
#if EAP_TLS < EAP_TLS_SCHANNEL_FULL
ISC_REQ_MANUAL_CRED_VALIDATION | // Schannel must not authenticate the server automatically.
#endif
ISC_REQ_STREAM | // Support a stream-oriented connection.
ISC_REQ_USE_SUPPLIED_CREDS | // Schannel must not attempt to supply credentials for the client automatically.
ISC_REQ_EXTENDED_ERROR | // When errors occur, the remote party will be notified.
ISC_REQ_ALLOCATE_MEMORY; // The security package allocates output buffers for us. We are using sec_buffer_desc helper class to FreeContextBuffer() them.
user_impersonator impersonating(m_user_ctx);
switch (m_phase) {
@ -293,7 +306,7 @@ EapPeerMethodResponseAction eap::method_tls::process_request_packet(
SECURITY_STATUS status = m_sc_ctx.initialize(
m_sc_cred,
!m_sc_target_name.empty() ? m_sc_target_name.c_str() : NULL,
ISC_REQ_REPLAY_DETECT | ISC_REQ_SEQUENCE_DETECT | ISC_REQ_CONFIDENTIALITY | ISC_REQ_INTEGRITY | ISC_REQ_STREAM | /*ISC_REQ_USE_SUPPLIED_CREDS |*/ ISC_REQ_EXTENDED_ERROR | ISC_REQ_ALLOCATE_MEMORY,
sc_flags,
0,
&buf_in_desc,
&buf_out_desc);
@ -355,7 +368,7 @@ EapPeerMethodResponseAction eap::method_tls::process_request_packet(
SECURITY_STATUS status = m_sc_ctx.process(
m_sc_cred,
!m_sc_target_name.empty() ? m_sc_target_name.c_str() : NULL,
ISC_REQ_REPLAY_DETECT | ISC_REQ_SEQUENCE_DETECT | ISC_REQ_CONFIDENTIALITY | ISC_REQ_INTEGRITY | ISC_REQ_STREAM | /*ISC_REQ_USE_SUPPLIED_CREDS |*/ ISC_REQ_EXTENDED_ERROR | ISC_REQ_ALLOCATE_MEMORY,
sc_flags,
0,
&buf_in_desc,
&buf_out_desc);