Hi Akihiro, Thanks for working on that. I have a few comments to the patch. On 17.04.2017 16:26, Akihiro Sagawa wrote:

diff --git a/dlls/secur32/schannel.c b/dlls/secur32/schannel.c index 6914837..317686f 100644 --- a/dlls/secur32/schannel.c +++ b/dlls/secur32/schannel.c @@ -54,11 +54,14 @@ struct schan_handle enum schan_handle_type type; };

+#define SCHAN_KEY_NAME_MAX 8 struct schan_context { schan_imp_session session; ULONG req_ctx_attr; const CERT_CONTEXT *cert; + SEC_WCHAR key_signature_name[SCHAN_KEY_NAME_MAX]; + SEC_WCHAR key_encrypt_name[SCHAN_KEY_NAME_MAX];

Those should not be needed. You could for example store both WCHAR and char strings inside alg_name_map.

};

static struct schan_handle *schan_handle_table; @@ -962,6 +965,53 @@ static SECURITY_STATUS SEC_ENTRY schan_InitializeSecurityContextA( return ret; }

+struct schan_alg_id_name { + ALG_ID alg_id; + const char* name; +}; + +static int comp_alg_id(const void *a, const void *b) +{ + const struct schan_alg_id_name *lhs = a; + const struct schan_alg_id_name *rhs = b; + return (int)lhs->alg_id - (int)rhs->alg_id; +} + +static void fill_alg_name(ALG_ID id, void *buffer, BOOL wide)

If you change the patch as I suggested above, this could be something like: static void *get_alg_name(ALF_ID id, BOOL wide)

+{ + static const struct schan_alg_id_name alg_name_map[] = { + { CALG_ECDSA, "ECDSA" }, + { CALG_RSA_SIGN, "RSA" }, + { CALG_DES, "DES" }, + { CALG_RC2, "RC2" }, + { CALG_3DES, "3DES" }, + { CALG_AES_128, "AES" }, + { CALG_AES_192, "AES" }, + { CALG_AES_256, "AES" }, + { CALG_RC4, "RC4" }, + }; + const struct schan_alg_id_name *res; + struct schan_alg_id_name key; + const char *name; + + key.alg_id = id; + res = bsearch(&key, alg_name_map, + sizeof(alg_name_map)/sizeof(alg_name_map[0]), sizeof(alg_name_map[0]), + comp_alg_id); + if (res) + name = res->name; + else + { + TRACE("Unknown ALG_ID %04x\n", id); + name = "???"; + }

A FIXME would would be nice here. Also, I think you could just return NULL in this case.

+ + if (wide) + MultiByteToWideChar(CP_ACP, 0, name, -1, (SEC_WCHAR*)buffer, SCHAN_KEY_NAME_MAX); + else + strcpy((SEC_CHAR*)buffer, name); +} + static SECURITY_STATUS ensure_remote_cert(struct schan_context *ctx) { HCERTSTORE cert_store; @@ -989,6 +1039,7 @@ static SECURITY_STATUS SEC_ENTRY schan_QueryContextAttributesW(

if (!context_handle) return SEC_E_INVALID_HANDLE; ctx = schan_get_object(context_handle->dwLower, SCHAN_HANDLE_CTX); + if (!ctx) return SEC_E_INVALID_HANDLE;

This has an effect outside of scope of this patch. This should be be a separated patch, with a test case.

switch(attribute) { @@ -1016,6 +1067,19 @@ static SECURITY_STATUS SEC_ENTRY schan_QueryContextAttributesW(

return status; } + case SECPKG_ATTR_KEY_INFO: + { + SecPkgContext_KeyInfoW *info = buffer; + SECURITY_STATUS status = schan_imp_get_key_info(ctx->session, info); + if (status == SEC_E_OK) + { + info->sSignatureAlgorithmName = ctx->key_signature_name; + info->sEncryptAlgorithmName = ctx->key_encrypt_name; + fill_alg_name(info->SignatureAlgorithm, info->sSignatureAlgorithmName, TRUE); + fill_alg_name(info->EncryptAlgorithm, info->sEncryptAlgorithmName, TRUE); + } + return status; + } case SECPKG_ATTR_REMOTE_CERT_CONTEXT: { PCCERT_CONTEXT *cert = buffer; @@ -1091,6 +1155,24 @@ static SECURITY_STATUS SEC_ENTRY schan_QueryContextAttributesA( { case SECPKG_ATTR_STREAM_SIZES: return schan_QueryContextAttributesW(context_handle, attribute, buffer); + case SECPKG_ATTR_KEY_INFO: + { + SecPkgContext_KeyInfoA *info = buffer; + struct schan_context *ctx; + SECURITY_STATUS status; + if (!context_handle) return SEC_E_INVALID_HANDLE; + ctx = schan_get_object(context_handle->dwLower, SCHAN_HANDLE_CTX); + if (!ctx) return SEC_E_INVALID_HANDLE; + status = schan_imp_get_key_info(ctx->session, (SecPkgContext_KeyInfoW*)info); + if (status == SEC_E_OK) + { + info->sSignatureAlgorithmName = (SEC_CHAR *)ctx->key_signature_name; + info->sEncryptAlgorithmName = (SEC_CHAR *)ctx->key_encrypt_name; + fill_alg_name(info->SignatureAlgorithm, info->sSignatureAlgorithmName, FALSE); + fill_alg_name(info->EncryptAlgorithm, info->sEncryptAlgorithmName, FALSE); + } + return status; + } case SECPKG_ATTR_REMOTE_CERT_CONTEXT: return schan_QueryContextAttributesW(context_handle, attribute, buffer); case SECPKG_ATTR_CONNECTION_INFO: diff --git a/dlls/secur32/schannel_gnutls.c b/dlls/secur32/schannel_gnutls.c index 30640d3..ddf33a8 100644 --- a/dlls/secur32/schannel_gnutls.c +++ b/dlls/secur32/schannel_gnutls.c @@ -363,6 +363,22 @@ static ALG_ID schannel_get_kx_algid(int kx) } }

+static ALG_ID schannel_get_kx_signature_algid(gnutls_kx_algorithm_t kx) +{ + switch (kx) + { + case GNUTLS_KX_UNKNOWN: return 0; + case GNUTLS_KX_RSA: + case GNUTLS_KX_RSA_EXPORT: + case GNUTLS_KX_DHE_RSA: + case GNUTLS_KX_ECDHE_RSA: return CALG_RSA_SIGN; + case GNUTLS_KX_ECDHE_ECDSA: return CALG_ECDSA; + default: + FIXME("unknown algorithm %d\n", kx); + return 0; + } +} + unsigned int schan_imp_get_session_cipher_block_size(schan_imp_session session) { gnutls_session_t s = (gnutls_session_t)session; @@ -394,6 +410,23 @@ SECURITY_STATUS schan_imp_get_connection_info(schan_imp_session session, return SEC_E_OK; }

+SECURITY_STATUS schan_imp_get_key_info(schan_imp_session session, SecPkgContext_KeyInfoW *info) +{ + gnutls_session_t s = (gnutls_session_t)session; + gnutls_cipher_algorithm_t alg = pgnutls_cipher_get(s); + gnutls_kx_algorithm_t kx = pgnutls_kx_get(s); + + TRACE("(%p,%p)\n", session, info); + + info->sSignatureAlgorithmName = NULL; /* filled later */ + info->sEncryptAlgorithmName = NULL; /* filled later */ + info->KeySize = pgnutls_cipher_get_key_size(alg) * 8; + info->SignatureAlgorithm = schannel_get_kx_signature_algid(kx); + info->EncryptAlgorithm = schannel_get_cipher_algid(alg); + + return SEC_E_OK; +}

I don't think such helper that fills output partially is the right solution here. You could use schan_imp_get_connection_info to get all info you need except signature algorithm. For signature algorithm, you may introduce a new, simpler, function. Thanks, Jacek