Efer/wincrypto fixes (algesten#729)

* fix minor issues in wincrypto

* set_active should never fail, it takes no user input, so it should succeed always on a functioning system

Author: efer-ms

wincrypto/src/dtls.rs

@@ -1,38 +1,70 @@
-use super::{Certificate, WinCryptoError};
-use std::{
-    collections::VecDeque,
-    sync::Arc,
-    time::{Duration, Instant},
-};
-use windows::Win32::{
-    Foundation::{
-        SEC_E_MESSAGE_ALTERED, SEC_E_OK, SEC_E_OUT_OF_SEQUENCE, SEC_I_CONTEXT_EXPIRED,
-        SEC_I_CONTINUE_NEEDED, SEC_I_MESSAGE_FRAGMENT, SEC_I_RENEGOTIATE,
-    },
-    Security::{
-        Authentication::Identity::{
-            AcceptSecurityContext, AcquireCredentialsHandleW, DecryptMessage,
-            DeleteSecurityContext, EncryptMessage, FreeContextBuffer, FreeCredentialsHandle,
-            InitializeSecurityContextW, QueryContextAttributesExW, QueryContextAttributesW,
-            SecBuffer, SecBufferDesc, SecPkgContext_KeyingMaterial,
-            SecPkgContext_KeyingMaterialInfo, SecPkgContext_SrtpParameters,
-            SecPkgContext_StreamSizes, SetContextAttributesW, ASC_REQ_CONFIDENTIALITY,
-            ASC_REQ_DATAGRAM, ASC_REQ_EXTENDED_ERROR, ASC_REQ_INTEGRITY, ASC_REQ_MUTUAL_AUTH,
-            ISC_REQ_CONFIDENTIALITY, ISC_REQ_DATAGRAM, ISC_REQ_EXTENDED_ERROR, ISC_REQ_INTEGRITY,
-            ISC_REQ_MANUAL_CRED_VALIDATION, ISC_REQ_USE_SUPPLIED_CREDS, SCHANNEL_CRED,
-            SCHANNEL_CRED_VERSION, SCH_CRED_MANUAL_CRED_VALIDATION, SECBUFFER_ALERT,
-            SECBUFFER_DATA, SECBUFFER_DTLS_MTU, SECBUFFER_EMPTY, SECBUFFER_EXTRA,
-            SECBUFFER_SRTP_PROTECTION_PROFILES, SECBUFFER_STREAM_HEADER, SECBUFFER_STREAM_TRAILER,
-            SECBUFFER_TOKEN, SECBUFFER_VERSION, SECPKG_ATTR, SECPKG_ATTR_KEYING_MATERIAL,
-            SECPKG_ATTR_KEYING_MATERIAL_INFO, SECPKG_ATTR_REMOTE_CERT_CONTEXT,
-            SECPKG_ATTR_SRTP_PARAMETERS, SECPKG_ATTR_STREAM_SIZES, SECPKG_CRED_INBOUND,
-            SECPKG_CRED_OUTBOUND, SECURITY_NATIVE_DREP, SEC_DTLS_MTU, SP_PROT_DTLS1_2_CLIENT,
-            SP_PROT_DTLS1_2_SERVER, UNISP_NAME_W,
-        },
-        Credentials::SecHandle,
-        Cryptography::CERT_CONTEXT,
-    },
-};
+use super::Certificate;
+use super::WinCryptoError;
+use std::collections::VecDeque;
+use std::sync::Arc;
+use std::time::Duration;
+use std::time::Instant;
+use windows::Win32::Foundation::SEC_E_MESSAGE_ALTERED;
+use windows::Win32::Foundation::SEC_E_OK;
+use windows::Win32::Foundation::SEC_E_OUT_OF_SEQUENCE;
+use windows::Win32::Foundation::SEC_I_CONTEXT_EXPIRED;
+use windows::Win32::Foundation::SEC_I_MESSAGE_FRAGMENT;
+use windows::Win32::Foundation::SEC_I_RENEGOTIATE;
+use windows::Win32::Security::Authentication::Identity::AcceptSecurityContext;
+use windows::Win32::Security::Authentication::Identity::AcquireCredentialsHandleW;
+use windows::Win32::Security::Authentication::Identity::DecryptMessage;
+use windows::Win32::Security::Authentication::Identity::DeleteSecurityContext;
+use windows::Win32::Security::Authentication::Identity::EncryptMessage;
+use windows::Win32::Security::Authentication::Identity::FreeContextBuffer;
+use windows::Win32::Security::Authentication::Identity::FreeCredentialsHandle;
+use windows::Win32::Security::Authentication::Identity::InitializeSecurityContextW;
+use windows::Win32::Security::Authentication::Identity::QueryContextAttributesExW;
+use windows::Win32::Security::Authentication::Identity::QueryContextAttributesW;
+use windows::Win32::Security::Authentication::Identity::SecBuffer;
+use windows::Win32::Security::Authentication::Identity::SecBufferDesc;
+use windows::Win32::Security::Authentication::Identity::SecPkgContext_KeyingMaterial;
+use windows::Win32::Security::Authentication::Identity::SecPkgContext_KeyingMaterialInfo;
+use windows::Win32::Security::Authentication::Identity::SecPkgContext_SrtpParameters;
+use windows::Win32::Security::Authentication::Identity::SecPkgContext_StreamSizes;
+use windows::Win32::Security::Authentication::Identity::SetContextAttributesW;
+use windows::Win32::Security::Authentication::Identity::ASC_REQ_CONFIDENTIALITY;
+use windows::Win32::Security::Authentication::Identity::ASC_REQ_DATAGRAM;
+use windows::Win32::Security::Authentication::Identity::ASC_REQ_EXTENDED_ERROR;
+use windows::Win32::Security::Authentication::Identity::ASC_REQ_INTEGRITY;
+use windows::Win32::Security::Authentication::Identity::ASC_REQ_MUTUAL_AUTH;
+use windows::Win32::Security::Authentication::Identity::ISC_REQ_CONFIDENTIALITY;
+use windows::Win32::Security::Authentication::Identity::ISC_REQ_DATAGRAM;
+use windows::Win32::Security::Authentication::Identity::ISC_REQ_EXTENDED_ERROR;
+use windows::Win32::Security::Authentication::Identity::ISC_REQ_INTEGRITY;
+use windows::Win32::Security::Authentication::Identity::ISC_REQ_MANUAL_CRED_VALIDATION;
+use windows::Win32::Security::Authentication::Identity::ISC_REQ_USE_SUPPLIED_CREDS;
+use windows::Win32::Security::Authentication::Identity::SCH_CREDENTIALS;
+use windows::Win32::Security::Authentication::Identity::SCH_CREDENTIALS_VERSION;
+use windows::Win32::Security::Authentication::Identity::SCH_CRED_FORMAT_CERT_CONTEXT;
+use windows::Win32::Security::Authentication::Identity::SCH_USE_DTLS_ONLY;
+use windows::Win32::Security::Authentication::Identity::SECBUFFER_ALERT;
+use windows::Win32::Security::Authentication::Identity::SECBUFFER_DATA;
+use windows::Win32::Security::Authentication::Identity::SECBUFFER_DTLS_MTU;
+use windows::Win32::Security::Authentication::Identity::SECBUFFER_EMPTY;
+use windows::Win32::Security::Authentication::Identity::SECBUFFER_EXTRA;
+use windows::Win32::Security::Authentication::Identity::SECBUFFER_SRTP_PROTECTION_PROFILES;
+use windows::Win32::Security::Authentication::Identity::SECBUFFER_STREAM_HEADER;
+use windows::Win32::Security::Authentication::Identity::SECBUFFER_STREAM_TRAILER;
+use windows::Win32::Security::Authentication::Identity::SECBUFFER_TOKEN;
+use windows::Win32::Security::Authentication::Identity::SECBUFFER_VERSION;
+use windows::Win32::Security::Authentication::Identity::SECPKG_ATTR;
+use windows::Win32::Security::Authentication::Identity::SECPKG_ATTR_KEYING_MATERIAL;
+use windows::Win32::Security::Authentication::Identity::SECPKG_ATTR_KEYING_MATERIAL_INFO;
+use windows::Win32::Security::Authentication::Identity::SECPKG_ATTR_REMOTE_CERT_CONTEXT;
+use windows::Win32::Security::Authentication::Identity::SECPKG_ATTR_SRTP_PARAMETERS;
+use windows::Win32::Security::Authentication::Identity::SECPKG_ATTR_STREAM_SIZES;
+use windows::Win32::Security::Authentication::Identity::SECPKG_CRED_INBOUND;
+use windows::Win32::Security::Authentication::Identity::SECPKG_CRED_OUTBOUND;
+use windows::Win32::Security::Authentication::Identity::SECURITY_NATIVE_DREP;
+use windows::Win32::Security::Authentication::Identity::SEC_DTLS_MTU;
+use windows::Win32::Security::Authentication::Identity::UNISP_NAME_W;
+use windows::Win32::Security::Credentials::SecHandle;
+use windows::Win32::Security::Cryptography::CERT_CONTEXT;
 
 #[repr(C)]
 struct SrtpProtectionProfilesBuffer {
@@ -126,30 +158,18 @@ impl Dtls {
         self.is_client = Some(active);
 
         let mut cert_contexts = [self.cert.context()];
-        let schannel_cred = SCHANNEL_CRED {
-            dwVersion: SCHANNEL_CRED_VERSION,
-            hRootStore: windows::Win32::Security::Cryptography::HCERTSTORE(std::ptr::null_mut()),
-
-            grbitEnabledProtocols: if active {
-                SP_PROT_DTLS1_2_CLIENT
-            } else {
-                SP_PROT_DTLS1_2_SERVER
-            },
-
+        let sch_cred = SCH_CREDENTIALS {
+            dwVersion: SCH_CREDENTIALS_VERSION,
+            dwCredFormat: SCH_CRED_FORMAT_CERT_CONTEXT,
             cCreds: cert_contexts.len() as u32,
             paCred: cert_contexts.as_mut_ptr() as *mut *mut CERT_CONTEXT,
-
+            hRootStore: windows::Win32::Security::Cryptography::HCERTSTORE(std::ptr::null_mut()),
             cMappers: 0,
             aphMappers: std::ptr::null_mut(),
-
-            cSupportedAlgs: 0,
-            palgSupportedAlgs: std::ptr::null_mut(),
-
-            dwMinimumCipherStrength: 128,
-            dwMaximumCipherStrength: 256,
             dwSessionLifespan: 0,
-            dwFlags: SCH_CRED_MANUAL_CRED_VALIDATION,
-            dwCredFormat: 0,
+            dwFlags: SCH_USE_DTLS_ONLY,
+            cTlsParameters: 0,
+            pTlsParameters: std::ptr::null_mut(),
         };
 
         // These are the outputs of AcquireCredentialsHandleA
@@ -169,7 +189,7 @@ impl Dtls {
                     SECPKG_CRED_INBOUND
                 },
                 None,
-                Some(&schannel_cred as *const _ as *const std::ffi::c_void),
+                Some(&sch_cred as *const _ as *const std::ffi::c_void),
                 None,
                 None,
                 &mut cred_handle,
@@ -390,26 +410,30 @@ impl Dtls {
 
         debug!("DTLS Handshake status: {status}");
         self.security_ctx = Some(new_ctx_handle);
-        if out_buffers[0].cbBuffer > 0 {
+
+        // Only output datagram if we have data to send and we didn't fail.
+        if (status.is_ok() || status == SEC_E_OK) && out_buffers[0].cbBuffer > 0 {
             let len = out_buffers[0].cbBuffer;
             self.output_datagrams
                 .push_back(token_buffer[..len as usize].to_vec());
         }
+
         return match status {
             SEC_E_OK => {
                 // Move to Done
                 self.transition_to_completed()
             }
-            SEC_I_CONTINUE_NEEDED => {
-                // Stay in handshake while we wait for the other side to respond.
-                debug!("Wait for peer");
-                Ok(DtlsEvent::None)
-            }
             SEC_I_MESSAGE_FRAGMENT => {
                 // Fragment was sent, we need to call again to send the next fragment.
                 debug!("Sent handshake fragment");
                 self.handshake(None)
             }
+            status if status.is_ok() => {
+                // For any other "OK" status, we just wait for the peer, this
+                // includes SEC_I_CONTINUE_NEEDED.
+                debug!(?status, "Wait for peer");
+                Ok(DtlsEvent::None)
+            }
             e => {
                 // Failed
                 self.state = EstablishmentState::Failed;