2
0

schannel_int.h 6.4 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198
  1. #ifndef HEADER_CURL_SCHANNEL_INT_H
  2. #define HEADER_CURL_SCHANNEL_INT_H
  3. /***************************************************************************
  4. * _ _ ____ _
  5. * Project ___| | | | _ \| |
  6. * / __| | | | |_) | |
  7. * | (__| |_| | _ <| |___
  8. * \___|\___/|_| \_\_____|
  9. *
  10. * Copyright (C) Marc Hoersken, <info@marc-hoersken.de>, et al.
  11. * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
  12. *
  13. * This software is licensed as described in the file COPYING, which
  14. * you should have received as part of this distribution. The terms
  15. * are also available at https://curl.se/docs/copyright.html.
  16. *
  17. * You may opt to use, copy, modify, merge, publish, distribute and/or sell
  18. * copies of the Software, and permit persons to whom the Software is
  19. * furnished to do so, under the terms of the COPYING file.
  20. *
  21. * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
  22. * KIND, either express or implied.
  23. *
  24. * SPDX-License-Identifier: curl
  25. *
  26. ***************************************************************************/
  27. #include "curl_setup.h"
  28. #ifdef USE_SCHANNEL
  29. #include "vtls.h"
  30. #if (defined(__MINGW32__) || defined(CERT_CHAIN_REVOCATION_CHECK_CHAIN)) \
  31. && !defined(CURL_WINDOWS_UWP)
  32. #define HAS_MANUAL_VERIFY_API
  33. #endif
  34. #if defined(CryptStringToBinary) && defined(CRYPT_STRING_HEX) \
  35. && !defined(DISABLE_SCHANNEL_CLIENT_CERT)
  36. #define HAS_CLIENT_CERT_PATH
  37. #endif
  38. #ifndef CRYPT_DECODE_NOCOPY_FLAG
  39. #define CRYPT_DECODE_NOCOPY_FLAG 0x1
  40. #endif
  41. #ifndef CRYPT_DECODE_ALLOC_FLAG
  42. #define CRYPT_DECODE_ALLOC_FLAG 0x8000
  43. #endif
  44. #ifndef CERT_ALT_NAME_DNS_NAME
  45. #define CERT_ALT_NAME_DNS_NAME 3
  46. #endif
  47. #ifndef CERT_ALT_NAME_IP_ADDRESS
  48. #define CERT_ALT_NAME_IP_ADDRESS 8
  49. #endif
  50. #if defined(_MSC_VER) && (_MSC_VER <= 1600)
  51. /* Workaround for warning:
  52. 'type cast' : conversion from 'int' to 'LPCSTR' of greater size */
  53. #undef CERT_STORE_PROV_MEMORY
  54. #undef CERT_STORE_PROV_SYSTEM_A
  55. #undef CERT_STORE_PROV_SYSTEM_W
  56. #define CERT_STORE_PROV_MEMORY ((LPCSTR)(size_t)2)
  57. #define CERT_STORE_PROV_SYSTEM_A ((LPCSTR)(size_t)9)
  58. #define CERT_STORE_PROV_SYSTEM_W ((LPCSTR)(size_t)10)
  59. #endif
  60. #ifndef SCH_CREDENTIALS_VERSION
  61. #define SCH_CREDENTIALS_VERSION 0x00000005
  62. typedef enum _eTlsAlgorithmUsage
  63. {
  64. TlsParametersCngAlgUsageKeyExchange,
  65. TlsParametersCngAlgUsageSignature,
  66. TlsParametersCngAlgUsageCipher,
  67. TlsParametersCngAlgUsageDigest,
  68. TlsParametersCngAlgUsageCertSig
  69. } eTlsAlgorithmUsage;
  70. typedef struct _CRYPTO_SETTINGS
  71. {
  72. eTlsAlgorithmUsage eAlgorithmUsage;
  73. UNICODE_STRING strCngAlgId;
  74. DWORD cChainingModes;
  75. PUNICODE_STRING rgstrChainingModes;
  76. DWORD dwMinBitLength;
  77. DWORD dwMaxBitLength;
  78. } CRYPTO_SETTINGS, * PCRYPTO_SETTINGS;
  79. typedef struct _TLS_PARAMETERS
  80. {
  81. DWORD cAlpnIds;
  82. PUNICODE_STRING rgstrAlpnIds;
  83. DWORD grbitDisabledProtocols;
  84. DWORD cDisabledCrypto;
  85. PCRYPTO_SETTINGS pDisabledCrypto;
  86. DWORD dwFlags;
  87. } TLS_PARAMETERS, * PTLS_PARAMETERS;
  88. typedef struct _SCH_CREDENTIALS
  89. {
  90. DWORD dwVersion;
  91. DWORD dwCredFormat;
  92. DWORD cCreds;
  93. PCCERT_CONTEXT* paCred;
  94. HCERTSTORE hRootStore;
  95. DWORD cMappers;
  96. struct _HMAPPER **aphMappers;
  97. DWORD dwSessionLifespan;
  98. DWORD dwFlags;
  99. DWORD cTlsParameters;
  100. PTLS_PARAMETERS pTlsParameters;
  101. } SCH_CREDENTIALS, * PSCH_CREDENTIALS;
  102. #define SCH_CRED_MAX_SUPPORTED_PARAMETERS 16
  103. #define SCH_CRED_MAX_SUPPORTED_ALPN_IDS 16
  104. #define SCH_CRED_MAX_SUPPORTED_CRYPTO_SETTINGS 16
  105. #define SCH_CRED_MAX_SUPPORTED_CHAINING_MODES 16
  106. #endif /* SCH_CREDENTIALS_VERSION */
  107. struct Curl_schannel_cred {
  108. CredHandle cred_handle;
  109. TimeStamp time_stamp;
  110. TCHAR *sni_hostname;
  111. #ifdef HAS_CLIENT_CERT_PATH
  112. HCERTSTORE client_cert_store;
  113. #endif
  114. int refcount;
  115. };
  116. struct Curl_schannel_ctxt {
  117. CtxtHandle ctxt_handle;
  118. TimeStamp time_stamp;
  119. };
  120. struct schannel_ssl_backend_data {
  121. struct Curl_schannel_cred *cred;
  122. struct Curl_schannel_ctxt *ctxt;
  123. SecPkgContext_StreamSizes stream_sizes;
  124. size_t encdata_length, decdata_length;
  125. size_t encdata_offset, decdata_offset;
  126. unsigned char *encdata_buffer, *decdata_buffer;
  127. /* encdata_is_incomplete: if encdata contains only a partial record that
  128. cannot be decrypted without another recv() (that is, status is
  129. SEC_E_INCOMPLETE_MESSAGE) then set this true. after an recv() adds
  130. more bytes into encdata then set this back to false. */
  131. bool encdata_is_incomplete;
  132. unsigned long req_flags, ret_flags;
  133. CURLcode recv_unrecoverable_err; /* schannel_recv had an unrecoverable err */
  134. bool recv_sspi_close_notify; /* true if connection closed by close_notify */
  135. bool recv_connection_closed; /* true if connection closed, regardless how */
  136. bool recv_renegotiating; /* true if recv is doing renegotiation */
  137. bool use_alpn; /* true if ALPN is used for this connection */
  138. #ifdef HAS_MANUAL_VERIFY_API
  139. bool use_manual_cred_validation; /* true if manual cred validation is used */
  140. #endif
  141. BIT(sent_shutdown);
  142. };
  143. /* key to use at `multi->proto_hash` */
  144. #define MPROTO_SCHANNEL_CERT_SHARE_KEY "tls:schannel:cert:share"
  145. struct schannel_cert_share {
  146. unsigned char CAinfo_blob_digest[CURL_SHA256_DIGEST_LENGTH];
  147. size_t CAinfo_blob_size; /* CA info blob size */
  148. char *CAfile; /* CAfile path used to generate
  149. certificate store */
  150. HCERTSTORE cert_store; /* cached certificate store or
  151. NULL if none */
  152. struct curltime time; /* when the cached store was created */
  153. };
  154. /*
  155. * size of the structure: 20 bytes.
  156. */
  157. struct num_ip_data {
  158. DWORD size; /* 04 bytes */
  159. union {
  160. struct in_addr ia; /* 04 bytes */
  161. struct in6_addr ia6; /* 16 bytes */
  162. } bData;
  163. };
  164. HCERTSTORE Curl_schannel_get_cached_cert_store(struct Curl_cfilter *cf,
  165. const struct Curl_easy *data);
  166. bool Curl_schannel_set_cached_cert_store(struct Curl_cfilter *cf,
  167. const struct Curl_easy *data,
  168. HCERTSTORE cert_store);
  169. #endif /* USE_SCHANNEL */
  170. #endif /* HEADER_CURL_SCHANNEL_INT_H */