Handle old Windows

sfodagain · sfodagain · commit 86575bdac513 · 2025-05-22T11:03:13.000-07:00
diff --git a/source/windows/secure_channel_tls_handler.c b/source/windows/secure_channel_tls_handler.c
@@ -45,7 +45,7 @@
 #define READ_OUT_SIZE (16 * KB_1)
 #define READ_IN_SIZE READ_OUT_SIZE
 #define EST_HANDSHAKE_SIZE (7 * KB_1)
-#define WINDOWS_BUILD_1809 1809
+#define WINDOWS_BUILD_17763 17763
 
 #define EST_TLS_RECORD_OVERHEAD 53 /* 5 byte header + 32 + 16 bytes for padding */
 
@@ -142,20 +142,24 @@ static size_t s_message_overhead(struct aws_channel_handler *handler) {
     return sc_handler->stream_sizes.cbTrailer + sc_handler->stream_sizes.cbHeader;
 }
 
-/* Checks whether current system is running Windows 10 version `build_number` or later. This check is used
-   to determin availability of TLS 1.3. This will continue to be a valid check in Windows 11 and later as the
-   build number continues to increment upwards. e.g. Windows 11 starts at version 21H2 (build 22_000) */
-static bool s_is_windows_equal_or_above_version(DWORD build_number) {
-    ULONGLONG dwlConditionMask = 0;
-    BYTE op = VER_GREATER_EQUAL;
-    OSVERSIONINFOEX osvi;
-
+/* Checks whether the current system is running Windows of a specific build number or later.
+ *
+ * This check is used to determine the availability of TLS 1.3. This will continue to be a valid check in the future
+ * versions of Windows as the build number continues to increment upwards. E.g., Windows 11 starts at build 22000.
+ *
+ * For more information see https://learn.microsoft.com/en-us/windows/release-health/release-information and
+ * https://learn.microsoft.com/en-us/windows/release-health/windows11-release-information */
+static bool s_is_windows_equal_or_above_build_number(DWORD build_number) {
     NTSTATUS status = STATUS_DLL_NOT_FOUND;
 
+    OSVERSIONINFOEX osvi;
     ZeroMemory(&osvi, sizeof(OSVERSIONINFOEX));
+
     osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEX);
     osvi.dwBuildNumber = build_number;
 
+    ULONGLONG dwlConditionMask = 0;
+    BYTE op = VER_GREATER_EQUAL;
     dwlConditionMask = VerSetConditionMask(dwlConditionMask, VER_BUILDNUMBER, op);
     typedef NTSTATUS(WINAPI * pRtlGetVersionInfo)(
         OSVERSIONINFOEX * lpVersionInformation, ULONG TypeMask, ULONGLONG ConditionMask);
@@ -2142,8 +2146,10 @@ static DWORD s_get_enabled_protocols(enum aws_tls_versions minimum_tls_version,
     return bit_enabled_protocols;
 }
 
-static struct aws_channel_handler *s_tls_handler_sch_credentials_new(
+#if NTDDI_VERSION >= 0x0A000006 /* Windows SDK 10.1.17763.0 or later */
 
+/* The SCH_CREDENTIALS and few other structures became available starting with Windows SDK 10.1.17763.0. */
+static struct aws_channel_handler *s_tls_handler_sch_credentials_new(
     struct aws_allocator *alloc,
     struct aws_tls_connection_options *options,
     struct aws_channel_slot *slot,
@@ -2193,7 +2199,7 @@ static struct aws_channel_handler *s_tls_handler_sch_credentials_new(
         &sc_handler->sspi_timestamp);
 
     if (status != SEC_E_OK) {
-        AWS_LOGF_ERROR(AWS_LS_IO_TLS, "Error on AcquireCredentialsHandle. SECURITY_STATUS is %d", (int)status);
+        AWS_LOGF_ERROR(AWS_LS_IO_TLS, "Error on AcquireCredentialsHandle. SECURITY_STATUS is 0x%X", (int)status);
         int aws_error = s_determine_sspi_error(status);
         aws_raise_error(aws_error);
         goto on_error;
@@ -2208,6 +2214,8 @@ static struct aws_channel_handler *s_tls_handler_sch_credentials_new(
     return NULL;
 }
 
+#endif /* NTDDI_VERSION >= 0x0A000006 */
+
 static struct aws_channel_handler *s_tls_handler_schannel_cred_new(
     struct aws_allocator *alloc,
     struct aws_tls_connection_options *options,
@@ -2281,10 +2289,12 @@ static struct aws_channel_handler *s_tls_handler_new(
     struct aws_channel_slot *slot,
     bool is_client_mode) {
 
+#if NTDDI_VERSION >= 0x0A000006 /* Windows SDK 10.1.17763.0 or later */
     /* check if run on Windows 10 build 1809, (build 17_763) */
-    if (s_is_windows_equal_or_above_version(WINDOWS_BUILD_1809) && !s_use_schannel_creds) {
+    if (s_is_windows_equal_or_above_build_number(WINDOWS_BUILD_17763) && !s_use_schannel_creds) {
         return s_tls_handler_sch_credentials_new(alloc, options, slot, is_client_mode);
     }
+#endif
     return s_tls_handler_schannel_cred_new(alloc, options, slot, is_client_mode);
 }
 
diff --git a/tests/tls_handler_test.c b/tests/tls_handler_test.c
@@ -1494,13 +1494,13 @@ static int s_verify_good_host_mqtt_connect(
     aws_tls_ctx_options_set_verify_peer(&tls_options, false);
     aws_tls_ctx_options_set_alpn_list(&tls_options, "x-amzn-mqtt-ca");
 
-    struct aws_tls_ctx *tls_context = aws_tls_client_ctx_new(allocator, &tls_options);
-    ASSERT_NOT_NULL(tls_context);
-
     if (override_tls_options_fn) {
         (*override_tls_options_fn)(&tls_options);
     }
 
+    struct aws_tls_ctx *tls_context = aws_tls_client_ctx_new(allocator, &tls_options);
+    ASSERT_NOT_NULL(tls_context);
+
     struct aws_tls_connection_options tls_client_conn_options;
     aws_tls_connection_options_init_from_ctx(&tls_client_conn_options, tls_context);
     aws_tls_connection_options_set_callbacks(&tls_client_conn_options, s_tls_on_negotiated, NULL, NULL, &outgoing_args);
@@ -1621,10 +1621,14 @@ AWS_TEST_CASE(
     s_tls_client_channel_negotiation_success_ecc384_SCHANNEL_CREDS_fn)
 #    endif
 
+static void s_raise_tls_version_to_13(struct aws_tls_ctx_options *options) {
+    aws_tls_ctx_options_set_minimum_tls_version(options, AWS_IO_TLSv1_3);
+}
+
 AWS_STATIC_STRING_FROM_LITERAL(s_aws_ecc384_host_name, "127.0.0.1");
 static int s_tls_client_channel_negotiation_success_mtls_tls1_3_fn(struct aws_allocator *allocator, void *ctx) {
     (void)ctx;
-    return s_verify_good_host_mqtt_connect(allocator, s_aws_ecc384_host_name, 59443, NULL);
+    return s_verify_good_host_mqtt_connect(allocator, s_aws_ecc384_host_name, 59443, s_raise_tls_version_to_13);
 }
 
 AWS_TEST_CASE(
