From a7d92f809f3d05a22c38ec6f77f9c62190d2deb0 Mon Sep 17 00:00:00 2001 From: Tobias Koenig Date: Fri, 28 Apr 2023 10:41:56 +0200 Subject: Schannel: Remove deprecated SCHANNEL_CRED based code path MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Since the required minimum version of Qt is Windows 10 (1809), the deprecated SCHANNEL_CRED code path to initialize TLS connections can be removed and the SCH_CREDENTIALS based path is used for all connections. Change-Id: I2aef919a45373e55ae96405b7c6f2264378f4464 Reviewed-by: MÃ¥rten Nordheim --- src/plugins/tls/schannel/qtls_schannel.cpp | 81 +++++++----------------------- 1 file changed, 17 insertions(+), 64 deletions(-) (limited to 'src/plugins/tls') diff --git a/src/plugins/tls/schannel/qtls_schannel.cpp b/src/plugins/tls/schannel/qtls_schannel.cpp index b230f2f787..6043918276 100644 --- a/src/plugins/tls/schannel/qtls_schannel.cpp +++ b/src/plugins/tls/schannel/qtls_schannel.cpp @@ -31,12 +31,6 @@ #define SUPPORTS_ALPN 1 #endif -// Redstone 5/1809 has all the API available, but TLS 1.3 is not enabled until a later version of -// Win 10, checked at runtime in supportsTls13() -#if defined(NTDDI_WIN10_RS5) && NTDDI_VERSION >= NTDDI_WIN10_RS5 -#define SUPPORTS_TLS13 1 -#endif - // Not defined in MinGW #ifndef SECBUFFER_ALERT #define SECBUFFER_ALERT 17 @@ -383,7 +377,6 @@ QString schannelErrorToString(qint32 status) bool supportsTls13() { -#ifdef SUPPORTS_TLS13 static bool supported = []() { const auto current = QOperatingSystemVersion::current(); // 20221 just happens to be the preview version I run on my laptop where I tested TLS 1.3. @@ -391,10 +384,8 @@ bool supportsTls13() QOperatingSystemVersion(QOperatingSystemVersion::Windows, 10, 0, 20221); return current >= minimum; }(); + return supported; -#else - return false; -#endif } DWORD toSchannelProtocol(QSsl::SslProtocol protocol) 
@@ -459,7 +450,6 @@ QT_WARNING_POP return protocols; } -#ifdef SUPPORTS_TLS13 // In the new API that descended down upon us we are not asked which protocols we want // but rather which protocols we don't want. So now we have this function to disable // anything that is not enabled. @@ -469,7 +459,6 @@ DWORD toSchannelProtocolNegated(QSsl::SslProtocol protocol) protocols &= ~toSchannelProtocol(protocol); // minus the one(s) we want return protocols; } -#endif /*! \internal @@ -838,8 +827,7 @@ bool TlsCryptographSchannel::acquireCredentialsHandle() certsCount = 1; Q_ASSERT(localCertContext); } - void *credentials = nullptr; -#ifdef SUPPORTS_TLS13 + TLS_PARAMETERS tlsParameters = { 0, nullptr, 
@@ -848,68 +836,33 @@ bool TlsCryptographSchannel::acquireCredentialsHandle() nullptr, 0 }; - if (supportsTls13()) { - SCH_CREDENTIALS *cred = new SCH_CREDENTIALS{ - SCH_CREDENTIALS_VERSION, - 0, - certsCount, - &localCertContext, - nullptr, - 0, - nullptr, - 0, - SCH_CRED_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT | defaultCredsFlag(), - 1, - &tlsParameters - }; - credentials = cred; - } else -#endif // SUPPORTS_TLS13 - { - SCHANNEL_CRED *cred = new SCHANNEL_CRED{ - SCHANNEL_CRED_VERSION, // dwVersion - certsCount, // cCreds - &localCertContext, // paCred (certificate(s) containing a private key for authentication) - nullptr, // hRootStore - - 0, // cMappers (reserved) - nullptr, // aphMappers (reserved) - - 0, // cSupportedAlgs - nullptr, // palgSupportedAlgs (nullptr = system default) - - protocols, // grbitEnabledProtocols - 0, // dwMinimumCipherStrength (0 = system default) - 0, // dwMaximumCipherStrength (0 = system default) - 0, // dwSessionLifespan (0 = schannel default, 10 hours) - SCH_CRED_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT | defaultCredsFlag(), // dwFlags - 0 // dwCredFormat (must be 0) - }; - credentials = cred; - } - Q_ASSERT(credentials != nullptr); + + SCH_CREDENTIALS credentials = { + SCH_CREDENTIALS_VERSION, + 0, + certsCount, + &localCertContext, + nullptr, + 0, + nullptr, + 0, + SCH_CRED_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT | defaultCredsFlag(), + 1, + &tlsParameters + }; TimeStamp expiration{}; auto status = AcquireCredentialsHandle(nullptr, // pszPrincipal (unused) const_cast(UNISP_NAME), // pszPackage isClient ? 
SECPKG_CRED_OUTBOUND : SECPKG_CRED_INBOUND, // fCredentialUse nullptr, // pvLogonID (unused) - credentials, // pAuthData + &credentials, // pAuthData nullptr, // pGetKeyFn (unused) nullptr, // pvGetKeyArgument (unused) &credentialHandle, // phCredential &expiration // ptsExpir ); -#ifdef SUPPORTS_TLS13 - if (supportsTls13()) { - delete static_cast(credentials); - } else -#endif // SUPPORTS_TLS13 - { - delete static_cast(credentials); - } - if (status != SEC_E_OK) { setErrorAndEmit(d, QAbstractSocket::SslInternalError, schannelErrorToString(status)); return false; -- cgit v1.2.3
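Review bot: The `SCH_CREDENTIALS credentials = { ... }` aggregate added in this hunk is initialized positionally with no field annotations, whereas the SCHANNEL_CRED block it replaces named every field; a reader now has to count entries to see that the bare `nullptr`/`0` values between `&localCertContext` and the flags word stand for `hRootStore`, `cMappers`, `aphMappers` and `dwSessionLifespan`. Restoring that style — `0, // dwCredFormat`, `nullptr, // hRootStore`, `0, // dwSessionLifespan (0 = schannel default)`, `1, // cTlsParameters` — keeps the layout reviewable without schannel.h open. A short comment next to it is also warranted: with the SCHANNEL_CRED allow-list (`grbitEnabledProtocols`) gone, the only protocol restriction left is the deny-list carried in `tlsParameters`, which is filled by `toSchannelProtocolNegated()` outside this hunk, so any version that function's base mask does not enumerate is left to Schannel's OS defaults rather than excluded. acquireCredentialsHandle begins before this hunk and its remaining error handling continues after it.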