Commit 610fd134 authored by Evan Tang's avatar Evan Tang Committed by Alexandre Julliard

secur32: Fix schannel AcquireCredentialsHandle algorithm mismatch error return.

parent ee0c01cb
......@@ -555,16 +555,15 @@ static SECURITY_STATUS acquire_credentials_handle(ULONG fCredentialUse,
if (schanCred)
{
const unsigned dtls_protocols = SP_PROT_DTLS_CLIENT | SP_PROT_DTLS1_2_CLIENT;
const unsigned tls_protocols = SP_PROT_TLS1_CLIENT | SP_PROT_TLS1_0_CLIENT | SP_PROT_TLS1_1_CLIENT |
SP_PROT_TLS1_2_CLIENT | SP_PROT_TLS1_3_CLIENT;
const unsigned dtls_protocols = SP_PROT_DTLS1_X;
const unsigned non_dtls_protocols = (SP_PROT_X_CLIENTS | SP_PROT_X_SERVERS) & ~SP_PROT_DTLS1_X;
status = get_cert(schanCred, &cert);
if (status != SEC_E_OK && status != SEC_E_NO_CREDENTIALS)
return status;
cred_enabled_protocols = get_enabled_protocols(schanCred);
if ((cred_enabled_protocols & tls_protocols) &&
if ((cred_enabled_protocols & non_dtls_protocols) &&
(cred_enabled_protocols & dtls_protocols)) return SEC_E_ALGORITHM_MISMATCH;
status = SEC_E_OK;
......@@ -579,9 +578,13 @@ static SECURITY_STATUS acquire_credentials_handle(ULONG fCredentialUse,
enabled_protocols = cred_enabled_protocols & config_enabled_protocols;
else
enabled_protocols = config_enabled_protocols & ~config_default_disabled_protocols;
if (!(fCredentialUse & SECPKG_CRED_OUTBOUND))
enabled_protocols &= ~SP_PROT_X_CLIENTS;
if (!(fCredentialUse & SECPKG_CRED_INBOUND))
enabled_protocols &= ~SP_PROT_X_SERVERS;
if(!enabled_protocols) {
ERR("Could not find matching protocol\n");
return SEC_E_NO_AUTHENTICATING_AUTHORITY;
return SEC_E_ALGORITHM_MISMATCH;
}
if (!(creds = malloc(sizeof(*creds)))) return SEC_E_INSUFFICIENT_MEMORY;
......
......@@ -351,6 +351,8 @@ static void testAcquireSecurityContext(void)
ok(st == SEC_E_OK, "AcquireCredentialsHandleA failed: %08lx\n", st);
if(st == SEC_E_OK)
FreeCredentialsHandle(&cred);
st = AcquireCredentialsHandleA(NULL, unisp_name_a, SECPKG_CRED_INBOUND, NULL, NULL, NULL, NULL, &cred, NULL);
ok(st == SEC_E_NO_CREDENTIALS, "st = %08lx\n", st);
memset(&cred, 0, sizeof(cred));
st = AcquireCredentialsHandleA(NULL, unisp_name_a, SECPKG_CRED_OUTBOUND,
NULL, NULL, NULL, NULL, &cred, &exp);
......@@ -363,6 +365,22 @@ static void testAcquireSecurityContext(void)
FreeCredentialsHandle(&cred);
/* Should fail if no enabled protocols are available */
init_cred(&schanCred);
schanCred.grbitEnabledProtocols = SP_PROT_TLS1_X_SERVER;
st = AcquireCredentialsHandleA(NULL, unisp_name_a, SECPKG_CRED_OUTBOUND, NULL, &schanCred, NULL, NULL, &cred, &exp);
ok(st == SEC_E_ALGORITHM_MISMATCH, "st = %08lx\n", st);
st = AcquireCredentialsHandleA(NULL, unisp_name_a, SECPKG_CRED_INBOUND, NULL, &schanCred, NULL, NULL, &cred, &exp);
ok(st == SEC_E_OK, "AcquireCredentialsHandleA failed: %08lx\n", st);
FreeCredentialsHandle(&cred);
schanCred.grbitEnabledProtocols = SP_PROT_TLS1_X_CLIENT;
st = AcquireCredentialsHandleA(NULL, unisp_name_a, SECPKG_CRED_OUTBOUND, NULL, &schanCred, NULL, NULL, &cred, &exp);
ok(st == SEC_E_OK, "AcquireCredentialsHandleA failed: %08lx\n", st);
FreeCredentialsHandle(&cred);
st = AcquireCredentialsHandleA(NULL, unisp_name_a, SECPKG_CRED_INBOUND, NULL, &schanCred, NULL, NULL, &cred, &exp);
ok(st == SEC_E_ALGORITHM_MISMATCH, "st = %08lx\n", st);
/* Bad version in SCHANNEL_CRED */
memset(&schanCred, 0, sizeof(schanCred));
st = AcquireCredentialsHandleA(NULL, unisp_name_a, SECPKG_CRED_OUTBOUND,
......@@ -1668,7 +1686,7 @@ static void test_dtls(void)
SECURITY_STATUS status;
TimeStamp exp;
SCHANNEL_CRED cred;
CredHandle cred_handle;
CredHandle cred_handle, cred_handle2;
CtxtHandle ctx_handle, ctx_handle2;
SecBufferDesc buffers[3];
ULONG flags_req, flags_ret, attr, prev_buf_len;
......@@ -1687,6 +1705,19 @@ static void test_dtls(void)
}
ok( status == SEC_E_OK, "got %08lx\n", status );
/* Should fail if both DTLS and TLS protocols are requested */
cred.grbitEnabledProtocols |= SP_PROT_TLS1_CLIENT;
status = AcquireCredentialsHandleA(NULL, unisp_name_a, SECPKG_CRED_OUTBOUND, NULL, &cred, NULL, NULL, &cred_handle2, &exp);
ok(status == SEC_E_ALGORITHM_MISMATCH, "status = %08lx\n", status);
cred.grbitEnabledProtocols = SP_PROT_DTLS1_X_CLIENT | SP_PROT_TLS1_SERVER;
status = AcquireCredentialsHandleA(NULL, unisp_name_a, SECPKG_CRED_OUTBOUND, NULL, &cred, NULL, NULL, &cred_handle2, &exp);
ok(status == SEC_E_ALGORITHM_MISMATCH, "status = got %08lx\n", status);
cred.grbitEnabledProtocols = SP_PROT_DTLS1_X_CLIENT | SP_PROT_SSL3_SERVER;
status = AcquireCredentialsHandleA(NULL, unisp_name_a, SECPKG_CRED_OUTBOUND, NULL, &cred, NULL, NULL, &cred_handle2, &exp);
ok(status == SEC_E_ALGORITHM_MISMATCH, "status = got %08lx\n", status);
flags_req = ISC_REQ_MANUAL_CRED_VALIDATION | ISC_REQ_EXTENDED_ERROR | ISC_REQ_DATAGRAM | ISC_REQ_USE_SUPPLIED_CREDS |
ISC_REQ_CONFIDENTIALITY | ISC_REQ_SEQUENCE_DETECT | ISC_REQ_REPLAY_DETECT;
test_context_output_buffer_size(SP_PROT_DTLS_CLIENT | SP_PROT_DTLS1_2_CLIENT, SCH_CRED_NO_DEFAULT_CREDS, flags_req);
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment