• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 #ifndef HEADER_CURL_SCHANNEL_INT_H
2 #define HEADER_CURL_SCHANNEL_INT_H
3 /***************************************************************************
4  *                                  _   _ ____  _
5  *  Project                     ___| | | |  _ \| |
6  *                             / __| | | | |_) | |
7  *                            | (__| |_| |  _ <| |___
8  *                             \___|\___/|_| \_\_____|
9  *
10  * Copyright (C) Marc Hoersken, <info@marc-hoersken.de>, et al.
11  * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
12  *
13  * This software is licensed as described in the file COPYING, which
14  * you should have received as part of this distribution. The terms
15  * are also available at https://curl.se/docs/copyright.html.
16  *
17  * You may opt to use, copy, modify, merge, publish, distribute and/or sell
18  * copies of the Software, and permit persons to whom the Software is
19  * furnished to do so, under the terms of the COPYING file.
20  *
21  * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
22  * KIND, either express or implied.
23  *
24  * SPDX-License-Identifier: curl
25  *
26  ***************************************************************************/
27 #include "curl_setup.h"
28 
29 #ifdef USE_SCHANNEL
30 
31 #if defined(__MINGW32__) || defined(CERT_CHAIN_REVOCATION_CHECK_CHAIN)
32 #define HAS_MANUAL_VERIFY_API
33 #endif
34 
35 #if defined(CryptStringToBinary) && defined(CRYPT_STRING_HEX)   \
36   && !defined(DISABLE_SCHANNEL_CLIENT_CERT)
37 #define HAS_CLIENT_CERT_PATH
38 #endif
39 
40 #ifndef CRYPT_DECODE_NOCOPY_FLAG
41 #define CRYPT_DECODE_NOCOPY_FLAG 0x1
42 #endif
43 
44 #ifndef CRYPT_DECODE_ALLOC_FLAG
45 #define CRYPT_DECODE_ALLOC_FLAG 0x8000
46 #endif
47 
48 #ifndef CERT_ALT_NAME_DNS_NAME
49 #define CERT_ALT_NAME_DNS_NAME 3
50 #endif
51 
52 #ifndef CERT_ALT_NAME_IP_ADDRESS
53 #define CERT_ALT_NAME_IP_ADDRESS 8
54 #endif
55 
56 
57 #ifndef SCH_CREDENTIALS_VERSION
58 
59 #define SCH_CREDENTIALS_VERSION  0x00000005
60 
61 typedef enum _eTlsAlgorithmUsage
62 {
63     TlsParametersCngAlgUsageKeyExchange,
64     TlsParametersCngAlgUsageSignature,
65     TlsParametersCngAlgUsageCipher,
66     TlsParametersCngAlgUsageDigest,
67     TlsParametersCngAlgUsageCertSig
68 } eTlsAlgorithmUsage;
69 
70 typedef struct _CRYPTO_SETTINGS
71 {
72     eTlsAlgorithmUsage  eAlgorithmUsage;
73     UNICODE_STRING      strCngAlgId;
74     DWORD               cChainingModes;
75     PUNICODE_STRING     rgstrChainingModes;
76     DWORD               dwMinBitLength;
77     DWORD               dwMaxBitLength;
78 } CRYPTO_SETTINGS, * PCRYPTO_SETTINGS;
79 
80 typedef struct _TLS_PARAMETERS
81 {
82     DWORD               cAlpnIds;
83     PUNICODE_STRING     rgstrAlpnIds;
84     DWORD               grbitDisabledProtocols;
85     DWORD               cDisabledCrypto;
86     PCRYPTO_SETTINGS    pDisabledCrypto;
87     DWORD               dwFlags;
88 } TLS_PARAMETERS, * PTLS_PARAMETERS;
89 
90 typedef struct _SCH_CREDENTIALS
91 {
92     DWORD               dwVersion;
93     DWORD               dwCredFormat;
94     DWORD               cCreds;
95     PCCERT_CONTEXT* paCred;
96     HCERTSTORE          hRootStore;
97 
98     DWORD               cMappers;
99     struct _HMAPPER **aphMappers;
100 
101     DWORD               dwSessionLifespan;
102     DWORD               dwFlags;
103     DWORD               cTlsParameters;
104     PTLS_PARAMETERS     pTlsParameters;
105 } SCH_CREDENTIALS, * PSCH_CREDENTIALS;
106 
107 #define SCH_CRED_MAX_SUPPORTED_PARAMETERS 16
108 #define SCH_CRED_MAX_SUPPORTED_ALPN_IDS 16
109 #define SCH_CRED_MAX_SUPPORTED_CRYPTO_SETTINGS 16
110 #define SCH_CRED_MAX_SUPPORTED_CHAINING_MODES 16
111 
112 #endif /* SCH_CREDENTIALS_VERSION */
113 
114 struct Curl_schannel_cred {
115   CredHandle cred_handle;
116   TimeStamp time_stamp;
117   TCHAR *sni_hostname;
118 #ifdef HAS_CLIENT_CERT_PATH
119   HCERTSTORE client_cert_store;
120 #endif
121   int refcount;
122 };
123 
124 struct Curl_schannel_ctxt {
125   CtxtHandle ctxt_handle;
126   TimeStamp time_stamp;
127 };
128 
129 struct schannel_ssl_backend_data {
130   struct Curl_schannel_cred *cred;
131   struct Curl_schannel_ctxt *ctxt;
132   SecPkgContext_StreamSizes stream_sizes;
133   size_t encdata_length, decdata_length;
134   size_t encdata_offset, decdata_offset;
135   unsigned char *encdata_buffer, *decdata_buffer;
136   /* encdata_is_incomplete: if encdata contains only a partial record that
137      can't be decrypted without another recv() (that is, status is
138      SEC_E_INCOMPLETE_MESSAGE) then set this true. after an recv() adds
139      more bytes into encdata then set this back to false. */
140   bool encdata_is_incomplete;
141   unsigned long req_flags, ret_flags;
142   CURLcode recv_unrecoverable_err; /* schannel_recv had an unrecoverable err */
143   bool recv_sspi_close_notify; /* true if connection closed by close_notify */
144   bool recv_connection_closed; /* true if connection closed, regardless how */
145   bool recv_renegotiating;     /* true if recv is doing renegotiation */
146   bool use_alpn; /* true if ALPN is used for this connection */
147 #ifdef HAS_MANUAL_VERIFY_API
148   bool use_manual_cred_validation; /* true if manual cred validation is used */
149 #endif
150 };
151 
152 #endif /* USE_SCHANNEL */
153 #endif /* HEADER_CURL_SCHANNEL_INT_H */
154