  1. #ifndef HEADER_CURL_SCHANNEL_H
  2. #define HEADER_CURL_SCHANNEL_H
  3. /***************************************************************************
  4. * _ _ ____ _
  5. * Project ___| | | | _ \| |
  6. * / __| | | | |_) | |
  7. * | (__| |_| | _ <| |___
  8. * \___|\___/|_| \_\_____|
  9. *
  10. * Copyright (C) 2012, Marc Hoersken, <info@marc-hoersken.de>, et al.
  11. * Copyright (C) 2012 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
  12. *
  13. * This software is licensed as described in the file COPYING, which
  14. * you should have received as part of this distribution. The terms
  15. * are also available at https://curl.se/docs/copyright.html.
  16. *
  17. * You may opt to use, copy, modify, merge, publish, distribute and/or sell
  18. * copies of the Software, and permit persons to whom the Software is
  19. * furnished to do so, under the terms of the COPYING file.
  20. *
  21. * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
  22. * KIND, either express or implied.
  23. *
  24. * SPDX-License-Identifier: curl
  25. *
  26. ***************************************************************************/
  27. #include "curl_setup.h"
  28. #ifdef USE_SCHANNEL
  29. #define SCHANNEL_USE_BLACKLISTS 1
  30. #ifdef _MSC_VER
  31. #pragma warning(push)
  32. #pragma warning(disable: 4201)
  33. #endif
  34. #include <subauth.h>
  35. #ifdef _MSC_VER
  36. #pragma warning(pop)
  37. #endif
  38. /* Wincrypt must be included before anything that could include OpenSSL. */
  39. #if defined(USE_WIN32_CRYPTO)
  40. #include <wincrypt.h>
  41. /* Undefine wincrypt conflicting symbols for BoringSSL. */
  42. #undef X509_NAME
  43. #undef X509_EXTENSIONS
  44. #undef PKCS7_ISSUER_AND_SERIAL
  45. #undef PKCS7_SIGNER_INFO
  46. #undef OCSP_REQUEST
  47. #undef OCSP_RESPONSE
  48. #endif
  49. #include <schnlsp.h>
  50. #include <schannel.h>
  51. #include "curl_sspi.h"
  52. #include "cfilters.h"
  53. #include "urldata.h"
  54. /* <wincrypt.h> has been included via the above <schnlsp.h>.
  55. * Or in case of ldap.c, it was included via <winldap.h>.
  56. * And since <wincrypt.h> has this:
  57. * #define X509_NAME ((LPCSTR) 7)
  58. *
  59. * And in BoringSSL's <openssl/base.h> there is:
  60. * typedef struct X509_name_st X509_NAME;
  61. * etc.
  62. *
  63. * this will cause all kinds of C-preprocessing paste errors in
  64. * BoringSSL's <openssl/x509.h>: So just undefine those defines here
  65. * (and only here).
  66. */
  67. #if defined(HAVE_BORINGSSL) || defined(OPENSSL_IS_BORINGSSL)
  68. # undef X509_NAME
  69. # undef X509_CERT_PAIR
  70. # undef X509_EXTENSIONS
  71. #endif
/* Descriptor of the Schannel TLS backend (the Curl_ssl vtable instance);
   defined outside this header, presumably in schannel.c. */
extern const struct Curl_ssl Curl_ssl_schannel;

/*
 * Certificate verification entry point of the Schannel backend.
 *
 * cf   - the connection filter whose TLS session is being verified
 * data - the transfer (easy handle) the connection belongs to
 *
 * Returns a CURLcode; anything other than CURLE_OK means the peer
 * certificate must not be trusted.
 * NOTE(review): the implementation lives outside this header (the comment
 * below names schannel_verify.c) — consult it for the exact checks done.
 */
CURLcode Curl_verify_certificate(struct Curl_cfilter *cf,
                                 struct Curl_easy *data);
  75. /* structs to expose only in schannel.c and schannel_verify.c */
  76. #ifdef EXPOSE_SCHANNEL_INTERNAL_STRUCTS
/* HAS_MANUAL_VERIFY_API: defined when the toolchain's wincrypt headers expose
   CERT_CHAIN_REVOCATION_CHECK_CHAIN (a CertGetCertificateChain() flag), which
   the backend needs to run its own certificate-chain verification instead of
   relying solely on Schannel's built-in validation. On mingw-w64
   (__MINGW64_VERSION_MAJOR) it is assumed available; on other MinGW
   toolchains the manual API is left disabled. */
#ifdef __MINGW32__
#ifdef __MINGW64_VERSION_MAJOR
#define HAS_MANUAL_VERIFY_API
#endif
#else
#ifdef CERT_CHAIN_REVOCATION_CHECK_CHAIN
#define HAS_MANUAL_VERIFY_API
#endif
#endif
/* HAS_CLIENT_CERT_PATH: client certificates can be supplied as a path, which
   requires CryptStringToBinary() and CRYPT_STRING_HEX from wincrypt. Builds
   may opt out by defining DISABLE_SCHANNEL_CLIENT_CERT. */
#if defined(CryptStringToBinary) && defined(CRYPT_STRING_HEX) \
  && !defined(DISABLE_SCHANNEL_CLIENT_CERT)
#define HAS_CLIENT_CERT_PATH
#endif
/* Fallback declarations for SDKs whose <schannel.h> predates SCH_CREDENTIALS.
   Guarded on SCH_CREDENTIALS_VERSION so a newer SDK's own definitions win.
   These are intended to be layout-compatible with the Windows SDK versions:
   keep the member order and types exactly as they are, and keep the
   SDK-style names (the leading-underscore tags are reserved identifiers in
   portable C, but they must match what the SDK declares). */
#ifndef SCH_CREDENTIALS_VERSION
#define SCH_CREDENTIALS_VERSION 0x00000005
/* Which role a CNG algorithm named in a CRYPTO_SETTINGS entry plays. */
typedef enum _eTlsAlgorithmUsage
{
  TlsParametersCngAlgUsageKeyExchange,
  TlsParametersCngAlgUsageSignature,
  TlsParametersCngAlgUsageCipher,
  TlsParametersCngAlgUsageDigest,
  TlsParametersCngAlgUsageCertSig
} eTlsAlgorithmUsage;
/* One algorithm restriction: a CNG algorithm id, its usage, optional chaining
   modes and a key-length range. Referenced from TLS_PARAMETERS.pDisabledCrypto,
   i.e. entries listed here are disabled, not enabled. */
typedef struct _CRYPTO_SETTINGS
{
  eTlsAlgorithmUsage eAlgorithmUsage;
  UNICODE_STRING strCngAlgId;
  DWORD cChainingModes;
  PUNICODE_STRING rgstrChainingModes;
  DWORD dwMinBitLength;
  DWORD dwMaxBitLength;
} CRYPTO_SETTINGS, * PCRYPTO_SETTINGS;
/* Per-credential TLS policy: ALPN ids, a bitmask of protocol versions to
   disable, and the list of disabled crypto settings above. */
typedef struct _TLS_PARAMETERS
{
  DWORD cAlpnIds;
  PUNICODE_STRING rgstrAlpnIds;
  DWORD grbitDisabledProtocols;
  DWORD cDisabledCrypto;
  PCRYPTO_SETTINGS pDisabledCrypto;
  DWORD dwFlags;
} TLS_PARAMETERS, * PTLS_PARAMETERS;
/* Credential block passed to AcquireCredentialsHandle(); dwVersion must be
   SCH_CREDENTIALS_VERSION. paCred/hRootStore carry the client certificate(s)
   and trust store, pTlsParameters the policy above. */
typedef struct _SCH_CREDENTIALS
{
  DWORD dwVersion;
  DWORD dwCredFormat;
  DWORD cCreds;
  PCCERT_CONTEXT* paCred;
  HCERTSTORE hRootStore;
  DWORD cMappers;
  struct _HMAPPER **aphMappers;
  DWORD dwSessionLifespan;
  DWORD dwFlags;
  DWORD cTlsParameters;
  PTLS_PARAMETERS pTlsParameters;
} SCH_CREDENTIALS, * PSCH_CREDENTIALS;
/* Upper bounds on the array lengths above, mirroring the SDK constants. */
#define SCH_CRED_MAX_SUPPORTED_PARAMETERS 16
#define SCH_CRED_MAX_SUPPORTED_ALPN_IDS 16
#define SCH_CRED_MAX_SUPPORTED_CRYPTO_SETTINGS 16
#define SCH_CRED_MAX_SUPPORTED_CHAINING_MODES 16
#endif
/* An SSPI credential handle plus the state needed to reuse it.
   NOTE(review): refcount suggests the object is shared between connections;
   confirm the ownership and locking rules in schannel.c before changing it. */
struct Curl_schannel_cred {
  CredHandle cred_handle;      /* handle from AcquireCredentialsHandle() */
  TimeStamp time_stamp;        /* credential expiry as reported by SSPI */
  TCHAR *sni_hostname;         /* host name sent as SNI; presumably owned by
                                  this struct — verify who frees it */
#ifdef HAS_CLIENT_CERT_PATH
  HCERTSTORE client_cert_store; /* store the client certificate was loaded
                                   from; only present when path-based client
                                   certificates are compiled in */
#endif
  int refcount;                /* number of users of this credential */
};
/* An SSPI security context (one TLS session) and its expiry. */
struct Curl_schannel_ctxt {
  CtxtHandle ctxt_handle;  /* handle from InitializeSecurityContext() */
  TimeStamp time_stamp;    /* context expiry as reported by SSPI */
};
/* Per-connection state of the Schannel backend.

   Two staging buffers sit between the socket and the caller: encdata holds
   raw TLS records read from the network and not yet decrypted, decdata holds
   decrypted application data not yet handed to the caller. Each buffer has
   an allocated length and an offset marking how much of it is in use. */
struct ssl_backend_data {
  struct Curl_schannel_cred *cred;   /* credential, possibly shared */
  struct Curl_schannel_ctxt *ctxt;   /* the security context of this session */
  SecPkgContext_StreamSizes stream_sizes; /* header/trailer/max-message sizes
                                             queried from SSPI; bound how
                                             records are framed */
  size_t encdata_length, decdata_length;  /* allocated size of each buffer */
  size_t encdata_offset, decdata_offset;  /* bytes currently held in each */
  unsigned char *encdata_buffer, *decdata_buffer;
  /* encdata_is_incomplete: if encdata contains only a partial record that
     cannot be decrypted without another Curl_read_plain (that is, status is
     SEC_E_INCOMPLETE_MESSAGE) then set this true. After Curl_read_plain writes
     more bytes into encdata, set this back to false. */
  bool encdata_is_incomplete;
  unsigned long req_flags, ret_flags; /* context flags requested from and
                                         returned by SSPI (presumably the
                                         ISC_REQ_*/ISC_RET_* sets) */
  CURLcode recv_unrecoverable_err; /* schannel_recv had an unrecoverable err;
                                      sticky, so later reads fail the same way */
  /* The next two flags are kept separate on purpose: a close seen via a TLS
     close_notify alert is a clean shutdown, whereas a connection closed
     "regardless how" (e.g. a bare TCP close) may be a truncated stream and
     should not be treated as a complete response. */
  bool recv_sspi_close_notify; /* true if connection closed by close_notify */
  bool recv_connection_closed; /* true if connection closed, regardless how */
  bool recv_renegotiating; /* true if recv is doing renegotiation */
  bool use_alpn; /* true if ALPN is used for this connection */
#ifdef HAS_MANUAL_VERIFY_API
  bool use_manual_cred_validation; /* true if manual cred validation is used
                                      instead of Schannel's built-in checks */
#endif
};
  172. #endif /* EXPOSE_SCHANNEL_INTERNAL_STRUCTS */
  173. #endif /* USE_SCHANNEL */
  174. #endif /* HEADER_CURL_SCHANNEL_H */