[Bug 50721] New: IDA Pro 7.5: Lumina can't contact server, complains about Schannel security attributes

WineHQ Bugzilla wine-bugs at winehq.org
Wed Feb 24 08:59:58 CST 2021 

https://bugs.winehq.org/show_bug.cgi?id=50721

            Bug ID: 50721
           Summary: IDA Pro 7.5: Lumina can't contact server, complains
                    about Schannel security attributes
           Product: Wine
           Version: unspecified
          Hardware: x86-64
                OS: Linux
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: secur32
          Assignee: wine-bugs at winehq.org
          Reporter: thotypous at gmail.com
      Distribution: ---

Using Wine Staging, IDA Pro fails to contact the Lumina server when trying to
do any operation that depends on it (e.g. Lumina menu -> Pull All Metadata).
The IDA's output window shows "lumina: Schannel does not support the requested
security attributes"


By tracing secur32, it turns out that InitializeSecurityContextA is being
called with fContextReq flags ISC_REQ_EXTENDED_ERROR and
ISC_REQ_MANUAL_CRED_VALIDATION, which are not handled by Wine:

00f4:trace:secur32:InitializeSecurityContextA 0x3436e40 0x3436e50 (null)
0x0008c110 0 0 0x529b58 0 (nil) 0x529af8 0x3436e9c (nil)


Now regarding each flag:


1. ISC_REQ_EXTENDED_ERROR: according to MSDN, this flag means "When errors
occur, the remote party will be notified."

However, modern TLS does not have any mechanism to notify the remote party
about errors. Thus it seems unlikely that this flag causes any difference in
behavior, at least when the remote party is not running Microsoft's TLS
implementation.

When researching about the flag, I found
https://mskb.pkisolutions.com/kb/975858, which states Windows 7 used to ignore
this flag, but since it caused issues with some applications, they changed
schannel to return ISC_RET_EXTENDED_ERROR (via pfContextAttr) when the flag is
set. The KB does not describe any other change deployed by the upgrade. This
fact further supports the hypothesis that the flag does not change the behavior
of the protocol.

In short, up-to-date Windows 7 seems to just return ISC_RET_EXTENDED_ERROR when
ISC_REQ_EXTENDED_ERROR is set, but otherwise ignores it.


2. ISC_REQ_MANUAL_CRED_VALIDATION: according to MSDN, this flag means "By
default, Schannel validates the server certificate by calling the
WinVerifyTrust function; however, if you have disabled this feature using the
ISC_REQ_MANUAL_CRED_VALIDATION flag, you must validate the certificate provided
by the server that is attempting to establish its identity."

However, Wine currently does not carry automatic server certificate validation
at all. The OSX implementation always calls "SSLSetEnableCertVerify(s->context,
FALSE)" to disable it explicitly. The GnuTLS implementation never calls
"gnutls_session_set_verify_cert", which would be required to enable server
certificate validation.

Strictly speaking, the current implementation of Schannel in Wine is insecure,
but fixing it would require more extensive changes to the code and could cause
regression bugs with other applications. Thus, I argue it should be dealt with
by another bug entry and fixed by another patch.

Therefore, the attached patch restricts itself to return
ISC_RET_MANUAL_CRED_VALIDATION when ISC_REQ_MANUAL_CRED_VALIDATION is set, and
to better document the current situation in the code.

-- 
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.

More information about the wine-bugs mailing list