awslabs · bretambrose · May 16, 2024 · May 18, 2024 · May 18, 2024 · May 18, 2024
diff --git a/include/aws/io/private/tls_channel_handler_private.h b/include/aws/io/private/tls_channel_handler_private.h
@@ -0,0 +1,22 @@
+#ifndef AWS_IO_TLS_CHANNEL_HANDLER_PRIVATE_H
+#define AWS_IO_TLS_CHANNEL_HANDLER_PRIVATE_H
+
+/**
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0.
+ */
+#include <aws/io/io.h>
+
+AWS_EXTERN_C_BEGIN
+
+#ifdef _WIN32
+/**
+ * Force to use schannel creds. Default to false.
+ * For windows build above WINDOWS_BUILD_1809, we have deprecated CHANNEL_CREDS.
+ * Set the value to true to force to use CHANNEL_CREDS.
+ */
+AWS_IO_API void aws_windows_force_schannel_creds(bool use_schannel_creds);
+#endif
+
+AWS_EXTERN_C_END
+#endif /* AWS_IO_TLS_CHANNEL_HANDLER_PRIVATE_H */
diff --git a/source/windows/secure_channel_tls_handler.c b/source/windows/secure_channel_tls_handler.c
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
@@ -82,7 +82,18 @@ add_test_case(sock_write_cb_is_async)
 add_test_case(socket_validate_port)
 
 if(WIN32)
+    set(WIN_VERSION ${CMAKE_SYSTEM_VERSION})
+    string(REPLACE "." ";" BUILD_VERSION ${CMAKE_SYSTEM_VERSION})
+    separate_arguments(BUILD_VERSION)
+    list(GET BUILD_VERSION 2 BUILD_V)
+    message("Windows Version " ${CMAKE_SYSTEM_VERSION})
+
+    if(${BUILD_V} GREATER_EQUAL 20348)
+        message("Building for version 22000 or higher: supporting TLS1.3")
+        add_net_test_case(tls_client_channel_negotiation_success_ecc384_tls1_3)
+    endif()
     add_test_case(local_socket_pipe_connected_race)
+    add_test_case(tls_client_channel_negotiation_success_ecc384_deprecated)
 endif()
 
 add_test_case(channel_setup)

diff --git a/tests/resources/AmazonRootCA1.pem b/tests/resources/AmazonRootCA1.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDQTCCAimgAwIBAgITBmyfz5m/jAo54vB4ikPmljZbyjANBgkqhkiG9w0BAQsF
+ADA5MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6
+b24gUm9vdCBDQSAxMB4XDTE1MDUyNjAwMDAwMFoXDTM4MDExNzAwMDAwMFowOTEL
+MAkGA1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEZMBcGA1UEAxMQQW1hem9uIFJv
+b3QgQ0EgMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALJ4gHHKeNXj
+ca9HgFB0fW7Y14h29Jlo91ghYPl0hAEvrAIthtOgQ3pOsqTQNroBvo3bSMgHFzZM
+9O6II8c+6zf1tRn4SWiw3te5djgdYZ6k/oI2peVKVuRF4fn9tBb6dNqcmzU5L/qw
+IFAGbHrQgLKm+a/sRxmPUDgH3KKHOVj4utWp+UhnMJbulHheb4mjUcAwhmahRWa6
+VOujw5H5SNz/0egwLX0tdHA114gk957EWW67c4cX8jJGKLhD+rcdqsq08p8kDi1L
+93FcXmn/6pUCyziKrlA4b9v7LWIbxcceVOF34GfID5yHI9Y/QCB/IIDEgEw+OyQm
+jgSubJrIqg0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC
+AYYwHQYDVR0OBBYEFIQYzIU07LwMlJQuCFmcx7IQTgoIMA0GCSqGSIb3DQEBCwUA
+A4IBAQCY8jdaQZChGsV2USggNiMOruYou6r4lK5IpDB/G/wkjUu0yKGX9rbxenDI
+U5PMCCjjmCXPI6T53iHTfIUJrU6adTrCC2qJeHZERxhlbI1Bjjt/msv0tadQ1wUs
+N+gDS63pYaACbvXy8MWy7Vu33PqUXHeeE6V/Uq2V8viTO96LXFvKWlJbYK8U90vv
+o/ufQJVtMVT8QtPHRh8jrdkPSHCa2XV4cdFyQzR1bldZwgJcJmApzyMZFo6IQ6XU
+5MsI+yMRQ+hDKXJioaldXgjUkK642M4UwtBV8ob2xJNDd2ZhwLnoQdeXeGADbkpy
+rqXRfboQnoZsG4q5WTP468SQvvG5
+-----END CERTIFICATE-----
diff --git a/tests/resources/ed384_key.pem b/tests/resources/ed384_key.pem
@@ -0,0 +1,6 @@
+-----BEGIN EC PRIVATE KEY-----
+MIGkAgEBBDD0SkqkpHm18oqixmyywUU6/1kkNllrVgOXvOlDgBCzrt8Tk0M2BNHT
+O0UAdtcgtlOgBwYFK4EEACKhZANiAAQ/wc5xFujGkCKBZ3n+QsbFbcQQTqzeklcN
+DhqdozDqt2JUK/9UcAvkgaWqwGbKCOBt5EbFLfbr2EbZbik9Yt1DALNQPsjiVMXp
+IURUR8WwDcMf8XxQOfTLmcHD/U0722w=
+-----END EC PRIVATE KEY-----
diff --git a/tests/resources/ed384_server.pem b/tests/resources/ed384_server.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDSzCCAjOgAwIBAgIVAPIqp1OXCHvM6EJ+nIUUVvoC6J5WMA0GCSqGSIb3DQEB
+CwUAME0xSzBJBgNVBAsMQkFtYXpvbiBXZWIgU2VydmljZXMgTz1BbWF6b24uY29t
+IEluYy4gTD1TZWF0dGxlIFNUPVdhc2hpbmd0b24gQz1VUzAeFw0yNDA2MDQxMzU2
+NThaFw00OTEyMzEyMzU5NTlaMIG8MQswCQYDVQQGEwJVUzETMBEGA1UECAwKV2Fz
+aGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRsZTEPMA0GA1UECgwGQW1hem9uMQwwCgYD
+VQQLDANBV1MxNzA1BgNVBAMMLmEyeXZyNWw4c2M5ODE0LWF0cy5pb3QudXMtZWFz
+dC0yLmFtYXpvbmF3cy5jb20xLjAsBgkqhkiG9w0BCQEWH2lvdC1kZXZpY2Utc2Rr
+LXRlYW1AYW1hem9uLmNvbSAwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQ/wc5xFujG
+kCKBZ3n+QsbFbcQQTqzeklcNDhqdozDqt2JUK/9UcAvkgaWqwGbKCOBt5EbFLfbr
+2EbZbik9Yt1DALNQPsjiVMXpIURUR8WwDcMf8XxQOfTLmcHD/U0722yjYDBeMB8G
+A1UdIwQYMBaAFP9Cv6clPA9zRY1Eh8zZbbYhmnjKMB0GA1UdDgQWBBSI5WcAWKtT
+xoADWFeZmGfiO7dsxjAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIHgDANBgkq
+hkiG9w0BAQsFAAOCAQEARzfHitEnhwJG07yB9ixPIZrSbawJkMinlkQ61/YMjMyu
+16Nr1lyXD6UQvSlQ+9HY55iZ/Lk/7KjkLNWF8WyUaI/JohRDI9Z2E5VizkFtAoU5
+8dHl5WQfOR5PW/ecOguNiNAV992x0IG+8i47Qqoc6mlYbwPVk0vWILQrzZ+f4A74
+yRL4Xl2rV3qK4RArVTqLQqxqD1/nPbw8o2fbh4A4pX6gs5f1UjJb4B8ibYnRPWOC
+bG6sv1iHFSQOVXAdWaeHpNnYhXE76nAMn847oIg0jYj/F/6T2vkCXgQjlbg7+kVo
+xoDahFFgwa8nI9qRlHHQo5lFbb5XrvkmiYP89ccXYw==
+-----END CERTIFICATE-----
diff --git a/tests/tls_handler_test.c b/tests/tls_handler_test.c
@@ -24,6 +24,7 @@
 #    include <statistics_handler_test.h>
 
 #    include <aws/io/private/pki_utils.h>
+#    include <aws/io/private/tls_channel_handler_private.h>
 
 /* badssl.com has occasional lags, make this timeout longer so we have a
  * higher chance of actually testing something. */
@@ -1435,6 +1436,259 @@ static int s_verify_good_host(
     return AWS_OP_SUCCESS;
 }
 
+static int s_verify_good_host_mqtt_connect(
+    struct aws_allocator *allocator,
+    const struct aws_string *host_name,
+    uint32_t port,
+    void (*override_tls_options_fn)(struct aws_tls_ctx_options *)) {
+
+    struct aws_byte_buf cert_buf = {0};
+    struct aws_byte_buf key_buf = {0};
+    struct aws_byte_buf ca_buf = {0};
+
+    ASSERT_SUCCESS(aws_byte_buf_init_from_file(&cert_buf, allocator, "ed384_server.pem"));
+    ASSERT_SUCCESS(aws_byte_buf_init_from_file(&key_buf, allocator, "ed384_key.pem"));
+    ASSERT_SUCCESS(aws_byte_buf_init_from_file(&ca_buf, allocator, "AmazonRootCA1.pem"));
+
+    struct aws_byte_cursor cert_cur = aws_byte_cursor_from_buf(&cert_buf);
+    struct aws_byte_cursor key_cur = aws_byte_cursor_from_buf(&key_buf);
+    struct aws_byte_cursor ca_cur = aws_byte_cursor_from_buf(&ca_buf);
+
+    aws_io_library_init(allocator);
+
+    ASSERT_SUCCESS(s_tls_common_tester_init(allocator, &c_tester));
+
+    uint8_t outgoing_received_message[128] = {0};
+
+    const uint8_t mqtt_connect_message[] = {/* connect packet */
+                                            0x10,
+                                            /* packet length */
+                                            0x51,
+                                            /* protocol name length */
+                                            0x00,
+                                            0x04,
+                                            /* M Q T T */
+                                            0x4D,
+                                            0x51,
+                                            0x54,
+                                            0x54,
+                                            /* protocol version 3.11 = 4 */
+                                            0x04,
+                                            /* connect flags  user name + clean session */
+                                            0x82,
+                                            /* keep alive */
+                                            0x03,
+                                            0xE8,
+                                            /* client id size */
+                                            0x00,
+                                            0x29,
+                                            /* client id */
+                                            0x74,
+                                            0x65,
+                                            0x73,
+                                            0x74,
+                                            0x2D,
+                                            0x30,
+                                            0x62,
+                                            0x34,
+                                            0x37,
+                                            0x36,
+                                            0x30,
+                                            0x64,
+                                            0x35,
+                                            0x2D,
+                                            0x62,
+                                            0x61,
+                                            0x39,
+                                            0x63,
+                                            0x2D,
+                                            0x38,
+                                            0x65,
+                                            0x66,
+                                            0x64,
+                                            0x2D,
+                                            0x33,
+                                            0x32,
+                                            0x65,
+                                            0x37,
+                                            0x2D,
+                                            0x34,
+                                            0x38,
+                                            0x64,
+                                            0x30,
+                                            0x35,
+                                            0x62,
+                                            0x62,
+                                            0x32,
+                                            0x30,
+                                            0x30,
+                                            0x65,
+                                            0x61,
+                                            /* user name length */
+                                            0x00,
+                                            0x1A,
+                                            /* user name */
+                                            0x3F,
+                                            0x53,
+                                            0x44,
+                                            0x4B,
+                                            0x3D,
+                                            0x43,
+                                            0x50,
+                                            0x50,
+                                            0x76,
+                                            0x32,
+                                            0x26,
+                                            0x56,
+                                            0x65,
+                                            0x72,
+                                            0x73,
+                                            0x69,
+                                            0x6F,
+                                            0x6E,
+                                            0x3D,
+                                            0x76,
+                                            0x31,
+                                            0x2E,
+                                            0x33,
+                                            0x32,
+                                            0x2E,
+                                            0x36};
+
+    struct aws_byte_buf write_tag = aws_byte_buf_from_array((const char *)mqtt_connect_message, 83);
+
+    struct tls_test_rw_args outgoing_rw_args;
+    ASSERT_SUCCESS(s_tls_rw_args_init(
+        &outgoing_rw_args,
+        &c_tester,
+        aws_byte_buf_from_empty_array(outgoing_received_message, sizeof(outgoing_received_message))));
+
+    struct aws_channel_handler *outgoing_rw_handler = rw_handler_new(
+        allocator, s_tls_test_handle_read, s_tls_test_handle_write, true, write_tag.len, &outgoing_rw_args);
+    ASSERT_NOT_NULL(outgoing_rw_handler);
+
+    struct tls_test_args outgoing_args = {
+        .mutex = &c_tester.mutex,
+        .allocator = allocator,
+        .condition_variable = &c_tester.condition_variable,
+        .error_invoked = 0,
+        .rw_handler = outgoing_rw_handler,
+        .server = false,
+        .tls_levels_negotiated = 0,
+        .desired_tls_levels = 1,
+        .shutdown_finished = false,
+    };
+
+    struct aws_tls_ctx_options tls_options = {0};
+    AWS_ZERO_STRUCT(tls_options);
+
+    AWS_FATAL_ASSERT(
+        AWS_OP_SUCCESS == aws_tls_ctx_options_init_client_mtls(&tls_options, allocator, &cert_cur, &key_cur));
+    aws_tls_ctx_options_set_verify_peer(&tls_options, true);
+    aws_tls_ctx_options_set_alpn_list(&tls_options, "x-amzn-mqtt-ca");
+
+    struct aws_tls_ctx *tls_context = aws_tls_client_ctx_new(allocator, &tls_options);
+    ASSERT_NOT_NULL(tls_context);
+
+    if (override_tls_options_fn) {
+        (*override_tls_options_fn)(&tls_options);
+    }
+
+    struct aws_tls_connection_options tls_client_conn_options;
+    aws_tls_connection_options_init_from_ctx(&tls_client_conn_options, tls_context);
+    aws_tls_connection_options_set_callbacks(&tls_client_conn_options, s_tls_on_negotiated, NULL, NULL, &outgoing_args);
+
+    aws_tls_ctx_options_override_default_trust_store(&tls_options, &ca_cur);
+
+    struct aws_byte_cursor host_name_cur = aws_byte_cursor_from_string(host_name);
+    aws_tls_connection_options_set_server_name(&tls_client_conn_options, allocator, &host_name_cur);
+    aws_tls_connection_options_set_alpn_list(&tls_client_conn_options, allocator, "x-amzn-mqtt-ca");
+
+    struct aws_socket_options options;
+    AWS_ZERO_STRUCT(options);
+    options.connect_timeout_ms = 10000;
+    options.type = AWS_SOCKET_STREAM;
+    options.domain = AWS_SOCKET_IPV4;
+
+    struct aws_client_bootstrap_options bootstrap_options = {
+        .event_loop_group = c_tester.el_group,
+        .host_resolver = c_tester.resolver,
+    };
+    struct aws_client_bootstrap *client_bootstrap = aws_client_bootstrap_new(allocator, &bootstrap_options);
+    ASSERT_NOT_NULL(client_bootstrap);
+
+    struct aws_socket_channel_bootstrap_options channel_options;
+    AWS_ZERO_STRUCT(channel_options);
+    channel_options.bootstrap = client_bootstrap;
+    channel_options.host_name = aws_string_c_str(host_name);
+    channel_options.port = port;
+    channel_options.socket_options = &options;
+    channel_options.tls_options = &tls_client_conn_options;
+    channel_options.setup_callback = s_tls_handler_test_client_setup_callback;
+    channel_options.shutdown_callback = s_tls_handler_test_client_shutdown_callback;
+    channel_options.user_data = &outgoing_args;
+
+    ASSERT_SUCCESS(aws_client_bootstrap_new_socket_channel(&channel_options));
+
+    /* put this here to verify ownership semantics are correct. This should NOT cause a segfault. If it does, ya
+     * done messed up. */
+    aws_tls_connection_options_clean_up(&tls_client_conn_options);
+
+    ASSERT_SUCCESS(aws_mutex_lock(&c_tester.mutex));
+    ASSERT_SUCCESS(aws_condition_variable_wait_pred(
+        &c_tester.condition_variable, &c_tester.mutex, s_tls_channel_setup_predicate, &outgoing_args));
+    ASSERT_SUCCESS(aws_mutex_unlock(&c_tester.mutex));
+
+    ASSERT_FALSE(outgoing_args.error_invoked);
+    struct aws_byte_buf expected_protocol = aws_byte_buf_from_c_str("x-amzn-mqtt-ca");
+    /* check ALPN and SNI was properly negotiated */
+    if (aws_tls_is_alpn_available() && tls_options.verify_peer) {
+        ASSERT_BIN_ARRAYS_EQUALS(
+            expected_protocol.buffer,
+            expected_protocol.len,
+            outgoing_args.negotiated_protocol.buffer,
+            outgoing_args.negotiated_protocol.len);
+    }
+
+    ASSERT_BIN_ARRAYS_EQUALS(
+        host_name->bytes, host_name->len, outgoing_args.server_name.buffer, outgoing_args.server_name.len);
+
+    /* Do the IO operations */
+    outgoing_rw_args.invocation_happened = false;
+    rw_handler_write(outgoing_args.rw_handler, outgoing_args.rw_slot, &write_tag);
+    ASSERT_SUCCESS(aws_mutex_lock(&c_tester.mutex));
+
+    ASSERT_SUCCESS(aws_condition_variable_wait_pred(
+        &c_tester.condition_variable, &c_tester.mutex, s_tls_test_read_predicate, &outgoing_rw_args));
+
+    ASSERT_SUCCESS(aws_mutex_unlock(&c_tester.mutex));
+
+    aws_mutex_lock(outgoing_rw_args.mutex);
+
+    ASSERT_INT_EQUALS(0x20, outgoing_rw_args.received_message.buffer[0]); /* conn ack */
+    ASSERT_INT_EQUALS(0x02, outgoing_rw_args.received_message.buffer[1]);
+    ASSERT_INT_EQUALS(0x00, outgoing_rw_args.received_message.buffer[2]); /* clean session */
+    ASSERT_INT_EQUALS(0x00, outgoing_rw_args.received_message.buffer[3]);
+    aws_mutex_unlock(outgoing_rw_args.mutex);
+
+    ASSERT_SUCCESS(aws_mutex_lock(&c_tester.mutex));
+    aws_channel_shutdown(outgoing_args.channel, AWS_OP_SUCCESS);
+    ASSERT_SUCCESS(aws_condition_variable_wait_pred(
+        &c_tester.condition_variable, &c_tester.mutex, s_tls_channel_shutdown_predicate, &outgoing_args));
+    ASSERT_SUCCESS(aws_mutex_unlock(&c_tester.mutex));
+
+    /* cleanups */
+    aws_byte_buf_clean_up(&cert_buf);
+    aws_byte_buf_clean_up(&key_buf);
+    aws_byte_buf_clean_up(&ca_buf);
+    aws_tls_ctx_release(tls_context);
+    aws_tls_ctx_options_clean_up(&tls_options);
+    aws_client_bootstrap_release(client_bootstrap);
+    ASSERT_SUCCESS(s_tls_common_tester_clean_up(&c_tester));
+
+    return AWS_OP_SUCCESS;
+}
+
 static int s_tls_client_channel_negotiation_success_fn(struct aws_allocator *allocator, void *ctx) {
     (void)ctx;
     return s_verify_good_host(allocator, s_amazon_host_name, 443, NULL);
@@ -1457,9 +1711,37 @@ static int s_tls_client_channel_negotiation_success_ecc384_fn(struct aws_allocat
     (void)ctx;
     return s_verify_good_host(allocator, s_badssl_ecc384_host_name, 443, NULL);
 }
-
 AWS_TEST_CASE(tls_client_channel_negotiation_success_ecc384, s_tls_client_channel_negotiation_success_ecc384_fn)
 
+#    ifdef _WIN32
+
+static int s_tls_client_channel_negotiation_success_ecc384_SCHANNEL_CREDS_fn(
+    struct aws_allocator *allocator,
+    void *ctx) {
+    (void)ctx;
+
+    // Force using SCHANNEL_CREDS for testing
+    aws_windows_force_schannel_creds(true);
+    s_verify_good_host(allocator, s_badssl_ecc384_host_name, 443, NULL);
+    aws_windows_force_schannel_creds(false); // reset
+    return AWS_OP_SUCCESS;
+}
+
+AWS_TEST_CASE(
+    tls_client_channel_negotiation_success_ecc384_deprecated,
+    s_tls_client_channel_negotiation_success_ecc384_SCHANNEL_CREDS_fn)
+#    endif
+
+AWS_STATIC_STRING_FROM_LITERAL(s_aws_ecc384_host_name, "a2yvr5l8sc9814-ats.iot.us-east-2.amazonaws.com");
+static int s_tls_client_channel_negotiation_success_ecc384_tls1_3_fn(struct aws_allocator *allocator, void *ctx) {
+    (void)ctx;
+    return s_verify_good_host_mqtt_connect(allocator, s_aws_ecc384_host_name, 443, NULL);
+}
+
+AWS_TEST_CASE(
+    tls_client_channel_negotiation_success_ecc384_tls1_3,
+    s_tls_client_channel_negotiation_success_ecc384_tls1_3_fn)
+
 AWS_STATIC_STRING_FROM_LITERAL(s3_host_name, "s3.amazonaws.com");
 
 static void s_disable_verify_peer(struct aws_tls_ctx_options *options) {