1 #ifndef HEADER_CURL_SCHANNEL_INT_H 2 #define HEADER_CURL_SCHANNEL_INT_H 3 /*************************************************************************** 4 * _ _ ____ _ 5 * Project ___| | | | _ \| | 6 * / __| | | | |_) | | 7 * | (__| |_| | _ <| |___ 8 * \___|\___/|_| \_\_____| 9 * 10 * Copyright (C) Marc Hoersken, <info@marc-hoersken.de>, et al. 11 * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al. 12 * 13 * This software is licensed as described in the file COPYING, which 14 * you should have received as part of this distribution. The terms 15 * are also available at https://curl.se/docs/copyright.html. 16 * 17 * You may opt to use, copy, modify, merge, publish, distribute and/or sell 18 * copies of the Software, and permit persons to whom the Software is 19 * furnished to do so, under the terms of the COPYING file. 20 * 21 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY 22 * KIND, either express or implied. 23 * 24 * SPDX-License-Identifier: curl 25 * 26 ***************************************************************************/ 27 #include "curl_setup.h" 28 29 #ifdef USE_SCHANNEL 30 31 #if defined(__MINGW32__) || defined(CERT_CHAIN_REVOCATION_CHECK_CHAIN) 32 #define HAS_MANUAL_VERIFY_API 33 #endif 34 35 #if defined(CryptStringToBinary) && defined(CRYPT_STRING_HEX) \ 36 && !defined(DISABLE_SCHANNEL_CLIENT_CERT) 37 #define HAS_CLIENT_CERT_PATH 38 #endif 39 40 #ifndef CRYPT_DECODE_NOCOPY_FLAG 41 #define CRYPT_DECODE_NOCOPY_FLAG 0x1 42 #endif 43 44 #ifndef CRYPT_DECODE_ALLOC_FLAG 45 #define CRYPT_DECODE_ALLOC_FLAG 0x8000 46 #endif 47 48 #ifndef CERT_ALT_NAME_DNS_NAME 49 #define CERT_ALT_NAME_DNS_NAME 3 50 #endif 51 52 #ifndef CERT_ALT_NAME_IP_ADDRESS 53 #define CERT_ALT_NAME_IP_ADDRESS 8 54 #endif 55 56 #if defined(_MSC_VER) && (_MSC_VER <= 1600) 57 /* Workaround for warning: 58 'type cast' : conversion from 'int' to 'LPCSTR' of greater size */ 59 #undef CERT_STORE_PROV_MEMORY 60 #undef CERT_STORE_PROV_SYSTEM_A 61 #undef CERT_STORE_PROV_SYSTEM_W 62 #define CERT_STORE_PROV_MEMORY ((LPCSTR)(size_t)2) 63 #define CERT_STORE_PROV_SYSTEM_A ((LPCSTR)(size_t)9) 64 #define CERT_STORE_PROV_SYSTEM_W ((LPCSTR)(size_t)10) 65 #endif 66 67 #ifndef SCH_CREDENTIALS_VERSION 68 69 #define SCH_CREDENTIALS_VERSION 0x00000005 70 71 typedef enum _eTlsAlgorithmUsage 72 { 73 TlsParametersCngAlgUsageKeyExchange, 74 TlsParametersCngAlgUsageSignature, 75 TlsParametersCngAlgUsageCipher, 76 TlsParametersCngAlgUsageDigest, 77 TlsParametersCngAlgUsageCertSig 78 } eTlsAlgorithmUsage; 79 80 typedef struct _CRYPTO_SETTINGS 81 { 82 eTlsAlgorithmUsage eAlgorithmUsage; 83 UNICODE_STRING strCngAlgId; 84 DWORD cChainingModes; 85 PUNICODE_STRING rgstrChainingModes; 86 DWORD dwMinBitLength; 87 DWORD dwMaxBitLength; 88 } CRYPTO_SETTINGS, * PCRYPTO_SETTINGS; 89 90 typedef struct _TLS_PARAMETERS 91 { 92 DWORD cAlpnIds; 93 PUNICODE_STRING rgstrAlpnIds; 94 DWORD grbitDisabledProtocols; 95 DWORD cDisabledCrypto; 96 PCRYPTO_SETTINGS pDisabledCrypto; 97 DWORD dwFlags; 98 } TLS_PARAMETERS, * PTLS_PARAMETERS; 99 100 typedef struct _SCH_CREDENTIALS 101 { 102 DWORD dwVersion; 103 DWORD dwCredFormat; 104 DWORD cCreds; 105 PCCERT_CONTEXT* paCred; 106 HCERTSTORE hRootStore; 107 108 DWORD cMappers; 109 struct _HMAPPER **aphMappers; 110 111 DWORD dwSessionLifespan; 112 DWORD dwFlags; 113 DWORD cTlsParameters; 114 PTLS_PARAMETERS pTlsParameters; 115 } SCH_CREDENTIALS, * PSCH_CREDENTIALS; 116 117 #define SCH_CRED_MAX_SUPPORTED_PARAMETERS 16 118 #define SCH_CRED_MAX_SUPPORTED_ALPN_IDS 16 119 #define SCH_CRED_MAX_SUPPORTED_CRYPTO_SETTINGS 16 120 #define SCH_CRED_MAX_SUPPORTED_CHAINING_MODES 16 121 122 #endif /* SCH_CREDENTIALS_VERSION */ 123 124 struct Curl_schannel_cred { 125 CredHandle cred_handle; 126 TimeStamp time_stamp; 127 TCHAR *sni_hostname; 128 #ifdef HAS_CLIENT_CERT_PATH 129 HCERTSTORE client_cert_store; 130 #endif 131 int refcount; 132 }; 133 134 struct Curl_schannel_ctxt { 135 CtxtHandle ctxt_handle; 136 TimeStamp time_stamp; 137 }; 138 139 struct schannel_ssl_backend_data { 140 struct Curl_schannel_cred *cred; 141 struct Curl_schannel_ctxt *ctxt; 142 SecPkgContext_StreamSizes stream_sizes; 143 size_t encdata_length, decdata_length; 144 size_t encdata_offset, decdata_offset; 145 unsigned char *encdata_buffer, *decdata_buffer; 146 /* encdata_is_incomplete: if encdata contains only a partial record that 147 can't be decrypted without another recv() (that is, status is 148 SEC_E_INCOMPLETE_MESSAGE) then set this true. after an recv() adds 149 more bytes into encdata then set this back to false. */ 150 bool encdata_is_incomplete; 151 unsigned long req_flags, ret_flags; 152 CURLcode recv_unrecoverable_err; /* schannel_recv had an unrecoverable err */ 153 bool recv_sspi_close_notify; /* true if connection closed by close_notify */ 154 bool recv_connection_closed; /* true if connection closed, regardless how */ 155 bool recv_renegotiating; /* true if recv is doing renegotiation */ 156 bool use_alpn; /* true if ALPN is used for this connection */ 157 #ifdef HAS_MANUAL_VERIFY_API 158 bool use_manual_cred_validation; /* true if manual cred validation is used */ 159 #endif 160 }; 161 162 struct schannel_multi_ssl_backend_data { 163 unsigned char *CAinfo_blob_digest; /* CA info blob digest */ 164 size_t CAinfo_blob_size; /* CA info blob size */ 165 char *CAfile; /* CAfile path used to generate 166 certificate store */ 167 HCERTSTORE cert_store; /* cached certificate store or 168 NULL if none */ 169 struct curltime time; /* when the cached store was created */ 170 }; 171 172 HCERTSTORE Curl_schannel_get_cached_cert_store(struct Curl_cfilter *cf, 173 const struct Curl_easy *data); 174 175 bool Curl_schannel_set_cached_cert_store(struct Curl_cfilter *cf, 176 const struct Curl_easy *data, 177 HCERTSTORE cert_store); 178 179 #endif /* USE_SCHANNEL */ 180 #endif /* HEADER_CURL_SCHANNEL_INT_H */ 181