Unit SChannel.Utils

Mainly for internal use

Exceptions raised

ESSPIError

on error

Mainly for internal use.

Parameters

SchannelCred

- [?IN/OUT] If SchannelCred.dwVersion = SCHANNEL_CRED_VERSION, the parameter is considered "IN/OUT" and won't be modified before AcquireCredentialsHandle call. Otherwise the parameter is considered "OUT" and is init-ed with default values. Thus user can pass desired values to AcquireCredentialsHandle function.

Exceptions raised

ESSPIError

on error

Validate certificate. Mainly for internal use. Gets called by CheckServerCert

Parameters

pServerCert

- pointer to cert context

szServerName

- host name of the server to check. Could be empty but appropriate flags must be set as well, otherwise the function will raise error

dwCertFlags

- value of SSL_EXTRA_CERT_CHAIN_POLICY_PARA.fdwChecks field: flags defining errors to ignore. 0 to ignore nothing

Exceptions raised

ESSPIError

on error

Retrieve server certificate. Mainly for internal use. Gets called by CheckServerCert. Returned result must be freed via CertFreeCertificateContext.

Parameters

hContext

- current session context

Returns

server certificate data

Exceptions raised

ESSPIError

on error

Load global stuff. Must be called before any other function called. Could be called multiple times without checks.
Thread-unsafe! Uses global variables

Exceptions raised

ESSPIError

on error

Dispose and nullify global stuff. Could be called multiple times without checks.
Thread-unsafe! Uses global variables

Init session creds, return data record to be used in calling other functions. Could be called multiple times (nothing will be done on already init-ed record)

Parameters

SessionCreds

- [IN, OUT] record that receives values. On first call must be zeroed. Alternatively, user could fill SessionCreds.SchannelCred with desired values to tune channel properties.

Exceptions raised

ESSPIError

on error

Shared creds factory

Finalize session creds

Finalize session, free credentials

Print debug message either with user-defined function if set or default one (TDefaultDebugFnHoster.Debug method)

Function to prepare all necessary handshake data. No transport level actions.

Function to prepare all necessary handshake data. No transport level actions. Function actions and returning data depending on input stage:

• HandShakeData.Stage = hssNotStarted. Generate client hello.
  Output stage: hssSendCliHello.
  Caller action: send returned data (client hello) to server
  Input data:

  • ServerName - host we're connecting to

  Output data:

  • hContext - handle to secure context

  • OutBuffers - array with single item that must be finally disposed with g_pSSPI.FreeContextBuffer

• HandShakeData.Stage = hssSendCliHello. Not handled by DoClientHandshake
  

• HandShakeData.Stage = hssReadSrvHello, hssReadSrvHelloNoRead, hssReadSrvHelloContNeed. Handle server hello

  Output stage: hssReadSrvHello, hssReadSrvHelloNoRead, hssReadSrvHelloContNeed, hssReadSrvHelloOK.
  Caller action:

  • hssReadSrvHello: read data from server and call DoClientHandshake again

  • hssReadSrvHelloNoRead: call DoClientHandshake again without reading

  • hssReadSrvHelloContNeed: send token returned in OutBuffers and call DoClientHandshake again

  • hssReadSrvHelloOK: send token returned in OutBuffers and finish

  Input data:

  • ServerName - host we're connecting to

  • IoBuffer - buffer with data from server

  • cbIoBuffer - size of data in buffer

  Output data:

  • IoBuffer - buffer with unprocessed data from server

  • cbIoBuffer - length of unprocessed data from server

  • OutBuffers - array with single item that must be finally disposed with g_pSSPI.FreeContextBuffer (hssReadSrvHelloContNeed, hssReadSrvHelloOK)

• HandShakeData.Stage = hssReadSrvHelloOK. Not handled by DoClientHandshake
  

• HandShakeData.Stage = hssDone. Not handled by DoClientHandshake
  

Parameters

SessionData

- [IN/OUT] record with session data

HandShakeData

- [IN/OUT] record with handshake data

DebugLogFn

- logging callback, could be Nil

Exceptions raised

ESSPIError

on error

ESSPIError

on error

Generate data to send to a server on connection shutdown

Exceptions raised

ESSPIError

on error

Retrieve server certificate linked to current context. More suitable for userland application than GetCertContext, without any SChannel-specific stuff.

Parameters

hContext

- current session context

Returns

server certificate data

Exceptions raised

ESSPIError

on error

Check server certificate with a certificate that contains a common name that is not valid will be ignored. (SECURITY_FLAG_IGNORE_CERT_CN_INVALID flag will be set calling CertVerifyCertificateChainPolicy)

Parameters

hContext

- current session context

ServerName

- host name of the server to check. If empty, errors associated

TrustedCerts

- list of trusted certs. If cert is in this list, it won't be checked by system

CertCheckIgnoreFlags

- set of cert aspects to ignore when checking.

Returns

Result of cert check

Exceptions raised

ESSPIError

on error

Check server certificate - variant using SessionData only

Returns

Result of cert check

Exceptions raised

ESSPIError

on error

Dispose and nullify security context

Receive size values for current session and init buffer length to contain full message including header and trailer

Exceptions raised

ESSPIError

on error

Encrypt data (prepare for sending to server).

Parameters

hContext

- current session context

Sizes

- current session sizes

pbMessage

- input data to encrypt

cbMessage

- length of input data

pbIoBuffer

- buffer to receive encrypted data

pbIoBufferLength

- size of buffer

cbWritten

- [OUT] size of encrypted data written to buffer

Exceptions raised

ESSPIError

on error

Decrypt data received from server. If input data is not processed completely, unprocessed chunk is copied to beginning of buffer. Thus subsequent call to Recv could just receive to @Buffer[DataLength]

Parameters

hContext

- current session context

Sizes

- current session sizes

pbIoBuffer

- input encrypted data to decrypt

cbEncData

- [IN/OUT] length of encrypted data in buffer. After function call it is set to amount of unprocessed data that is placed from the beginning of the buffer

pbDecData

- buffer to receive decrypted data

cbDecDataLength

- size of buffer

cbWritten

- [OUT] size of decrypted data written to buffer

Returns

• SEC_I_CONTEXT_EXPIRED - server signaled end of session

• SEC_E_OK - message processed fully

• SEC_E_INCOMPLETE_MESSAGE - need more data

• SEC_I_RENEGOTIATE - server wants to perform another handshake sequence

Exceptions raised

ESSPIError

on error or if Result is not one of above mentioned values

Check if handle x is null (has both fields equal to zero)

Returns string representaion of given security status (locale message + constant name + numeric value)

Returns string representaion of given verify trust error (locale message + constant name + numeric value)

Check if status is likely a Windows TLS v1.2 handshake bug (SEC_E_BUFFER_TOO_SMALL or SEC_E_MESSAGE_ALTERED status is returned by InitializeSecurityContext on handshake). This function only checks if parameter is one of these two values.

Return effective pointer to session credentials - either personal or shared

Detect replayed messages that have been encoded by using the EncryptMessage or MakeSignature functions Encrypt messages by using the EncryptMessage function When errors occur, the remote party will be notified The security package allocates output buffers for you. When you have finished using the output buffers, free them by calling the FreeContextBuffer function Stage of handshake

Values

• hssNotStarted: Initial stage
• hssSendCliHello: Sending client hello
• hssReadSrvHello: Reading server hello - general
• hssReadSrvHelloNoRead: Reading server hello - repeat call without reading
• hssReadSrvHelloContNeed: Reading server hello - in process, send token
• hssReadSrvHelloOK: Reading server hello - success, send token
• hssDone: Final stage

State of secure channel

Values

• chsNotStarted: Initial stage
• chsHandshake: Handshaking with server
• chsEstablished: Channel established successfully
• chsShutdown: Sending shutdown signal and closing connection

Session options

Values

• sfNoServerVerify: If set, SChannel won't automatically verify server certificate by setting ISC_REQ_MANUAL_CRED_VALIDATION flag in InitializeSecurityContextW call. User has to call manual verification via CheckServerCert after handshake is established (this allows connecting to an IP, domains with custom certs, expired certs, valid certs if system CRL is expired etc).

Logging method that is used by functions to report non-critical errors and handshake details.

Flags to ignore some cert aspects when checking manually via CheckServerCert. Mirror of SECURITY_FLAG_IGNORE_* constants

Values

• ignRevokation: don't check cert revokation (useful if CRL is unavailable)
• ignUnknownCA: don't check CA
• ignWrongUsage
• ignCertCNInvalid: don't check cert name (useful when connecting by IP)
• ignCertDateInvalid: don't check expiration date

Result of CheckServerCert function

Values

• ccrValid: Cert is valid
• ccrTrusted: Cert was in trusted list, no check was performed
• ccrValidWithFlags: Cert is valid with some ignore flags

Just a suggested prefix for log output

Size of handshake buffer

Set of used protocols. Note: TLS 1.0 is not used by default, add SP_PROT_TLS1_0 if needed

Detect messages received out of sequence

Support a stream-oriented connection

Set of cert validation ignore flags that has all items set - use it to ignore everything

Messages that could be written to log by various implementations. None of these are used in this unit