1 /***************************************************************************
2  *                                  _   _ ____  _
3  *  Project                     ___| | | |  _ \| |
4  *                             / __| | | | |_) | |
5  *                            | (__| |_| |  _ <| |___
6  *                             \___|\___/|_| \_\_____|
7  *
8  * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
9  * Copyright (C) Marc Hoersken, <info@marc-hoersken.de>
10  * Copyright (C) Mark Salisbury, <mark.salisbury@hp.com>
11  *
12  * This software is licensed as described in the file COPYING, which
13  * you should have received as part of this distribution. The terms
14  * are also available at https://curl.se/docs/copyright.html.
15  *
16  * You may opt to use, copy, modify, merge, publish, distribute and/or sell
17  * copies of the Software, and permit persons to whom the Software is
18  * furnished to do so, under the terms of the COPYING file.
19  *
20  * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
21  * KIND, either express or implied.
22  *
23  * SPDX-License-Identifier: curl
24  *
25  ***************************************************************************/
26 
27 /*
28  * Source file for all Schannel-specific code for the TLS/SSL layer. No code
29  * but vtls.c should ever call or use these functions.
30  */
31 
32 #include "curl_setup.h"
33 
34 #ifdef USE_SCHANNEL
35 
36 #ifndef USE_WINDOWS_SSPI
37 #  error "cannot compile SCHANNEL support without SSPI."
38 #endif
39 
40 #include "schannel.h"
41 #include "schannel_int.h"
42 #include "vtls.h"
43 #include "vtls_int.h"
44 #include "vtls_scache.h"
45 #include "strcase.h"
46 #include "sendf.h"
47 #include "connect.h" /* for the connect timeout */
48 #include "strerror.h"
49 #include "select.h" /* for the socket readiness */
50 #include "inet_pton.h" /* for IP addr SNI check */
51 #include "curl_multibyte.h"
52 #include "warnless.h"
53 #include "x509asn1.h"
54 #include "curl_printf.h"
55 #include "multiif.h"
56 #include "version_win32.h"
57 #include "rand.h"
58 
59 /* The last #include file should be: */
60 #include "curl_memory.h"
61 #include "memdebug.h"
62 
63 /* Some verbose debug messages are wrapped by SCH_DEV() instead of DEBUGF()
64  * and only shown if CURL_SCHANNEL_DEV_DEBUG was defined at build time. These
65  * messages are extra verbose and intended for curl developers debugging
66  * Schannel recv decryption.
67  */
68 #ifdef CURL_SCHANNEL_DEV_DEBUG
69 #define SCH_DEV(x) x
70 #else
71 #define SCH_DEV(x) do { } while(0)
72 #endif
73 
74 /* ALPN requires version 8.1 of the Windows SDK, which was
75    shipped with Visual Studio 2013, aka _MSC_VER 1800:
76 
77    https://technet.microsoft.com/en-us/library/hh831771%28v=ws.11%29.aspx
78 */
79 #if defined(_MSC_VER) && (_MSC_VER >= 1800) && !defined(_USING_V110_SDK71_)
80 #  define HAS_ALPN 1
81 #endif
82 
83 #ifndef BCRYPT_CHACHA20_POLY1305_ALGORITHM
84 #define BCRYPT_CHACHA20_POLY1305_ALGORITHM L"CHACHA20_POLY1305"
85 #endif
86 
87 #ifndef BCRYPT_CHAIN_MODE_CCM
88 #define BCRYPT_CHAIN_MODE_CCM L"ChainingModeCCM"
89 #endif
90 
91 #ifndef BCRYPT_CHAIN_MODE_GCM
92 #define BCRYPT_CHAIN_MODE_GCM L"ChainingModeGCM"
93 #endif
94 
95 #ifndef BCRYPT_AES_ALGORITHM
96 #define BCRYPT_AES_ALGORITHM L"AES"
97 #endif
98 
99 #ifndef BCRYPT_SHA256_ALGORITHM
100 #define BCRYPT_SHA256_ALGORITHM L"SHA256"
101 #endif
102 
103 #ifndef BCRYPT_SHA384_ALGORITHM
104 #define BCRYPT_SHA384_ALGORITHM L"SHA384"
105 #endif
106 
107 #ifdef HAS_CLIENT_CERT_PATH
108 #ifdef UNICODE
109 #define CURL_CERT_STORE_PROV_SYSTEM CERT_STORE_PROV_SYSTEM_W
110 #else
111 #define CURL_CERT_STORE_PROV_SYSTEM CERT_STORE_PROV_SYSTEM_A
112 #endif
113 #endif
114 
115 #ifndef SP_PROT_TLS1_0_CLIENT
116 #define SP_PROT_TLS1_0_CLIENT           SP_PROT_TLS1_CLIENT
117 #endif
118 
119 #ifndef SP_PROT_TLS1_1_CLIENT
120 #define SP_PROT_TLS1_1_CLIENT           0x00000200
121 #endif
122 
123 #ifndef SP_PROT_TLS1_2_CLIENT
124 #define SP_PROT_TLS1_2_CLIENT           0x00000800
125 #endif
126 
127 #ifndef SP_PROT_TLS1_3_CLIENT
128 #define SP_PROT_TLS1_3_CLIENT           0x00002000
129 #endif
130 
131 #ifndef SCH_USE_STRONG_CRYPTO
132 #define SCH_USE_STRONG_CRYPTO           0x00400000
133 #endif
134 
135 #ifndef SECBUFFER_ALERT
136 #define SECBUFFER_ALERT                 17
137 #endif
138 
139 /* Both schannel buffer sizes must be > 0 */
140 #define CURL_SCHANNEL_BUFFER_INIT_SIZE   4096
141 #define CURL_SCHANNEL_BUFFER_FREE_SIZE   1024
142 
143 #define CERT_THUMBPRINT_STR_LEN 40
144 #define CERT_THUMBPRINT_DATA_LEN 20
145 
146 /* Uncomment to force verbose output
147  * #define infof(x, y, ...) printf(y, __VA_ARGS__)
148  * #define failf(x, y, ...) printf(y, __VA_ARGS__)
149  */
150 
151 #ifndef CALG_SHA_256
152 #define CALG_SHA_256 0x0000800c
153 #endif
154 
155 #ifndef PKCS12_NO_PERSIST_KEY
156 #define PKCS12_NO_PERSIST_KEY 0x00008000
157 #endif
158 
159 static CURLcode schannel_pkp_pin_peer_pubkey(struct Curl_cfilter *cf,
160                                              struct Curl_easy *data,
161                                              const char *pinnedpubkey);
162 
InitSecBuffer(SecBuffer * buffer,unsigned long BufType,void * BufDataPtr,unsigned long BufByteSize)163 static void InitSecBuffer(SecBuffer *buffer, unsigned long BufType,
164                           void *BufDataPtr, unsigned long BufByteSize)
165 {
166   buffer->cbBuffer = BufByteSize;
167   buffer->BufferType = BufType;
168   buffer->pvBuffer = BufDataPtr;
169 }
170 
InitSecBufferDesc(SecBufferDesc * desc,SecBuffer * BufArr,unsigned long NumArrElem)171 static void InitSecBufferDesc(SecBufferDesc *desc, SecBuffer *BufArr,
172                               unsigned long NumArrElem)
173 {
174   desc->ulVersion = SECBUFFER_VERSION;
175   desc->pBuffers = BufArr;
176   desc->cBuffers = NumArrElem;
177 }
178 
179 static CURLcode
schannel_set_ssl_version_min_max(DWORD * enabled_protocols,struct Curl_cfilter * cf,struct Curl_easy * data)180 schannel_set_ssl_version_min_max(DWORD *enabled_protocols,
181                                  struct Curl_cfilter *cf,
182                                  struct Curl_easy *data)
183 {
184   struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
185   long ssl_version = conn_config->version;
186   long ssl_version_max = (long)conn_config->version_max;
187   long i = ssl_version;
188 
189   switch(ssl_version_max) {
190   case CURL_SSLVERSION_MAX_NONE:
191   case CURL_SSLVERSION_MAX_DEFAULT:
192 
193     /* Windows Server 2022 and newer (including Windows 11) support TLS 1.3
194        built-in. Previous builds of Windows 10 had broken TLS 1.3
195        implementations that could be enabled via registry.
196     */
197     if(curlx_verify_windows_version(10, 0, 20348, PLATFORM_WINNT,
198                                     VERSION_GREATER_THAN_EQUAL)) {
199       ssl_version_max = CURL_SSLVERSION_MAX_TLSv1_3;
200     }
201     else /* Windows 10 and older */
202       ssl_version_max = CURL_SSLVERSION_MAX_TLSv1_2;
203 
204     break;
205   }
206 
207   for(; i <= (ssl_version_max >> 16); ++i) {
208     switch(i) {
209     case CURL_SSLVERSION_TLSv1_0:
210       (*enabled_protocols) |= SP_PROT_TLS1_0_CLIENT;
211       break;
212     case CURL_SSLVERSION_TLSv1_1:
213       (*enabled_protocols) |= SP_PROT_TLS1_1_CLIENT;
214       break;
215     case CURL_SSLVERSION_TLSv1_2:
216       (*enabled_protocols) |= SP_PROT_TLS1_2_CLIENT;
217       break;
218     case CURL_SSLVERSION_TLSv1_3:
219 
220       /* Windows Server 2022 and newer */
221       if(curlx_verify_windows_version(10, 0, 20348, PLATFORM_WINNT,
222                                       VERSION_GREATER_THAN_EQUAL)) {
223         (*enabled_protocols) |= SP_PROT_TLS1_3_CLIENT;
224         break;
225       }
226       else { /* Windows 10 and older */
227         failf(data, "schannel: TLS 1.3 not supported on Windows prior to 11");
228         return CURLE_SSL_CONNECT_ERROR;
229       }
230     }
231   }
232   return CURLE_OK;
233 }
234 
235 /* longest is 26, buffer is slightly bigger */
236 #define LONGEST_ALG_ID 32
237 #define CIPHEROPTION(x) {#x, x}
238 
239 struct algo {
240   const char *name;
241   int id;
242 };
243 
244 static const struct algo algs[]= {
245   CIPHEROPTION(CALG_MD2),
246   CIPHEROPTION(CALG_MD4),
247   CIPHEROPTION(CALG_MD5),
248   CIPHEROPTION(CALG_SHA),
249   CIPHEROPTION(CALG_SHA1),
250   CIPHEROPTION(CALG_MAC),
251   CIPHEROPTION(CALG_RSA_SIGN),
252   CIPHEROPTION(CALG_DSS_SIGN),
253 /* ifdefs for the options that are defined conditionally in wincrypt.h */
254 #ifdef CALG_NO_SIGN
255   CIPHEROPTION(CALG_NO_SIGN),
256 #endif
257   CIPHEROPTION(CALG_RSA_KEYX),
258   CIPHEROPTION(CALG_DES),
259 #ifdef CALG_3DES_112
260   CIPHEROPTION(CALG_3DES_112),
261 #endif
262   CIPHEROPTION(CALG_3DES),
263   CIPHEROPTION(CALG_DESX),
264   CIPHEROPTION(CALG_RC2),
265   CIPHEROPTION(CALG_RC4),
266   CIPHEROPTION(CALG_SEAL),
267 #ifdef CALG_DH_SF
268   CIPHEROPTION(CALG_DH_SF),
269 #endif
270   CIPHEROPTION(CALG_DH_EPHEM),
271 #ifdef CALG_AGREEDKEY_ANY
272   CIPHEROPTION(CALG_AGREEDKEY_ANY),
273 #endif
274 #ifdef CALG_HUGHES_MD5
275   CIPHEROPTION(CALG_HUGHES_MD5),
276 #endif
277   CIPHEROPTION(CALG_SKIPJACK),
278 #ifdef CALG_TEK
279   CIPHEROPTION(CALG_TEK),
280 #endif
281   CIPHEROPTION(CALG_CYLINK_MEK),
282   CIPHEROPTION(CALG_SSL3_SHAMD5),
283 #ifdef CALG_SSL3_MASTER
284   CIPHEROPTION(CALG_SSL3_MASTER),
285 #endif
286 #ifdef CALG_SCHANNEL_MASTER_HASH
287   CIPHEROPTION(CALG_SCHANNEL_MASTER_HASH),
288 #endif
289 #ifdef CALG_SCHANNEL_MAC_KEY
290   CIPHEROPTION(CALG_SCHANNEL_MAC_KEY),
291 #endif
292 #ifdef CALG_SCHANNEL_ENC_KEY
293   CIPHEROPTION(CALG_SCHANNEL_ENC_KEY),
294 #endif
295 #ifdef CALG_PCT1_MASTER
296   CIPHEROPTION(CALG_PCT1_MASTER),
297 #endif
298 #ifdef CALG_SSL2_MASTER
299   CIPHEROPTION(CALG_SSL2_MASTER),
300 #endif
301 #ifdef CALG_TLS1_MASTER
302   CIPHEROPTION(CALG_TLS1_MASTER),
303 #endif
304 #ifdef CALG_RC5
305   CIPHEROPTION(CALG_RC5),
306 #endif
307 #ifdef CALG_HMAC
308   CIPHEROPTION(CALG_HMAC),
309 #endif
310 #ifdef CALG_TLS1PRF
311   CIPHEROPTION(CALG_TLS1PRF),
312 #endif
313 #ifdef CALG_HASH_REPLACE_OWF
314   CIPHEROPTION(CALG_HASH_REPLACE_OWF),
315 #endif
316 #ifdef CALG_AES_128
317   CIPHEROPTION(CALG_AES_128),
318 #endif
319 #ifdef CALG_AES_192
320   CIPHEROPTION(CALG_AES_192),
321 #endif
322 #ifdef CALG_AES_256
323   CIPHEROPTION(CALG_AES_256),
324 #endif
325 #ifdef CALG_AES
326   CIPHEROPTION(CALG_AES),
327 #endif
328 #ifdef CALG_SHA_256
329   CIPHEROPTION(CALG_SHA_256),
330 #endif
331 #ifdef CALG_SHA_384
332   CIPHEROPTION(CALG_SHA_384),
333 #endif
334 #ifdef CALG_SHA_512
335   CIPHEROPTION(CALG_SHA_512),
336 #endif
337 #ifdef CALG_ECDH
338   CIPHEROPTION(CALG_ECDH),
339 #endif
340 #ifdef CALG_ECMQV
341   CIPHEROPTION(CALG_ECMQV),
342 #endif
343 #ifdef CALG_ECDSA
344   CIPHEROPTION(CALG_ECDSA),
345 #endif
346 #ifdef CALG_ECDH_EPHEM
347   CIPHEROPTION(CALG_ECDH_EPHEM),
348 #endif
349   {NULL, 0},
350 };
351 
352 static int
get_alg_id_by_name(char * name)353 get_alg_id_by_name(char *name)
354 {
355   char *nameEnd = strchr(name, ':');
356   size_t n = nameEnd ? (size_t)(nameEnd - name) : strlen(name);
357   int i;
358 
359   for(i = 0; algs[i].name; i++) {
360     if((n == strlen(algs[i].name) && !strncmp(algs[i].name, name, n)))
361       return algs[i].id;
362   }
363   return 0; /* not found */
364 }
365 
366 #define NUM_CIPHERS 47 /* There are 47 options listed above */
367 
368 static CURLcode
set_ssl_ciphers(SCHANNEL_CRED * schannel_cred,char * ciphers,ALG_ID * algIds)369 set_ssl_ciphers(SCHANNEL_CRED *schannel_cred, char *ciphers,
370                 ALG_ID *algIds)
371 {
372   char *startCur = ciphers;
373   int algCount = 0;
374   while(startCur && (0 != *startCur) && (algCount < NUM_CIPHERS)) {
375     long alg = strtol(startCur, 0, 0);
376     if(!alg)
377       alg = get_alg_id_by_name(startCur);
378     if(alg)
379       algIds[algCount++] = (ALG_ID)alg;
380     else if(!strncmp(startCur, "USE_STRONG_CRYPTO",
381                      sizeof("USE_STRONG_CRYPTO") - 1) ||
382             !strncmp(startCur, "SCH_USE_STRONG_CRYPTO",
383                      sizeof("SCH_USE_STRONG_CRYPTO") - 1))
384       schannel_cred->dwFlags |= SCH_USE_STRONG_CRYPTO;
385     else
386       return CURLE_SSL_CIPHER;
387     startCur = strchr(startCur, ':');
388     if(startCur)
389       startCur++;
390   }
391   schannel_cred->palgSupportedAlgs = algIds;
392   schannel_cred->cSupportedAlgs = (DWORD)algCount;
393   return CURLE_OK;
394 }
395 
396 #ifdef HAS_CLIENT_CERT_PATH
397 
398 /* Function allocates memory for store_path only if CURLE_OK is returned */
399 static CURLcode
get_cert_location(TCHAR * path,DWORD * store_name,TCHAR ** store_path,TCHAR ** thumbprint)400 get_cert_location(TCHAR *path, DWORD *store_name, TCHAR **store_path,
401                   TCHAR **thumbprint)
402 {
403   TCHAR *sep;
404   TCHAR *store_path_start;
405   size_t store_name_len;
406 
407   sep = _tcschr(path, TEXT('\\'));
408   if(!sep)
409     return CURLE_SSL_CERTPROBLEM;
410 
411   store_name_len = sep - path;
412 
413   if(_tcsncmp(path, TEXT("CurrentUser"), store_name_len) == 0)
414     *store_name = CERT_SYSTEM_STORE_CURRENT_USER;
415   else if(_tcsncmp(path, TEXT("LocalMachine"), store_name_len) == 0)
416     *store_name = CERT_SYSTEM_STORE_LOCAL_MACHINE;
417   else if(_tcsncmp(path, TEXT("CurrentService"), store_name_len) == 0)
418     *store_name = CERT_SYSTEM_STORE_CURRENT_SERVICE;
419   else if(_tcsncmp(path, TEXT("Services"), store_name_len) == 0)
420     *store_name = CERT_SYSTEM_STORE_SERVICES;
421   else if(_tcsncmp(path, TEXT("Users"), store_name_len) == 0)
422     *store_name = CERT_SYSTEM_STORE_USERS;
423   else if(_tcsncmp(path, TEXT("CurrentUserGroupPolicy"),
424                    store_name_len) == 0)
425     *store_name = CERT_SYSTEM_STORE_CURRENT_USER_GROUP_POLICY;
426   else if(_tcsncmp(path, TEXT("LocalMachineGroupPolicy"),
427                    store_name_len) == 0)
428     *store_name = CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY;
429   else if(_tcsncmp(path, TEXT("LocalMachineEnterprise"),
430                    store_name_len) == 0)
431     *store_name = CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE;
432   else
433     return CURLE_SSL_CERTPROBLEM;
434 
435   store_path_start = sep + 1;
436 
437   sep = _tcschr(store_path_start, TEXT('\\'));
438   if(!sep)
439     return CURLE_SSL_CERTPROBLEM;
440 
441   *thumbprint = sep + 1;
442   if(_tcslen(*thumbprint) != CERT_THUMBPRINT_STR_LEN)
443     return CURLE_SSL_CERTPROBLEM;
444 
445   *sep = TEXT('\0');
446   *store_path = _tcsdup(store_path_start);
447   *sep = TEXT('\\');
448   if(!*store_path)
449     return CURLE_OUT_OF_MEMORY;
450 
451   return CURLE_OK;
452 }
453 #endif
454 
455 static CURLcode
schannel_acquire_credential_handle(struct Curl_cfilter * cf,struct Curl_easy * data)456 schannel_acquire_credential_handle(struct Curl_cfilter *cf,
457                                    struct Curl_easy *data)
458 {
459   struct ssl_connect_data *connssl = cf->ctx;
460   struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
461   struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
462 
463 #ifdef HAS_CLIENT_CERT_PATH
464   PCCERT_CONTEXT client_certs[1] = { NULL };
465   HCERTSTORE client_cert_store = NULL;
466 #endif
467   SECURITY_STATUS sspi_status = SEC_E_OK;
468   CURLcode result;
469 
470   /* setup Schannel API options */
471   DWORD flags = 0;
472   DWORD enabled_protocols = 0;
473 
474   struct schannel_ssl_backend_data *backend =
475     (struct schannel_ssl_backend_data *)(connssl->backend);
476 
477   DEBUGASSERT(backend);
478 
479   if(conn_config->verifypeer) {
480 #ifdef HAS_MANUAL_VERIFY_API
481     if(backend->use_manual_cred_validation)
482       flags = SCH_CRED_MANUAL_CRED_VALIDATION;
483     else
484 #endif
485       flags = SCH_CRED_AUTO_CRED_VALIDATION;
486 
487     if(ssl_config->no_revoke) {
488       flags |= SCH_CRED_IGNORE_NO_REVOCATION_CHECK |
489         SCH_CRED_IGNORE_REVOCATION_OFFLINE;
490 
491       DEBUGF(infof(data, "schannel: disabled server certificate revocation "
492                    "checks"));
493     }
494     else if(ssl_config->revoke_best_effort) {
495       flags |= SCH_CRED_IGNORE_NO_REVOCATION_CHECK |
496         SCH_CRED_IGNORE_REVOCATION_OFFLINE | SCH_CRED_REVOCATION_CHECK_CHAIN;
497 
498       DEBUGF(infof(data, "schannel: ignore revocation offline errors"));
499     }
500     else {
501       flags |= SCH_CRED_REVOCATION_CHECK_CHAIN;
502 
503       DEBUGF(infof(data,
504                    "schannel: checking server certificate revocation"));
505     }
506   }
507   else {
508     flags = SCH_CRED_MANUAL_CRED_VALIDATION |
509       SCH_CRED_IGNORE_NO_REVOCATION_CHECK |
510       SCH_CRED_IGNORE_REVOCATION_OFFLINE;
511     DEBUGF(infof(data,
512                  "schannel: disabled server cert revocation checks"));
513   }
514 
515   if(!conn_config->verifyhost) {
516     flags |= SCH_CRED_NO_SERVERNAME_CHECK;
517     DEBUGF(infof(data, "schannel: verifyhost setting prevents Schannel from "
518                  "comparing the supplied target name with the subject "
519                  "names in server certificates."));
520   }
521 
522   if(!ssl_config->auto_client_cert) {
523     flags &= ~(DWORD)SCH_CRED_USE_DEFAULT_CREDS;
524     flags |= SCH_CRED_NO_DEFAULT_CREDS;
525     infof(data, "schannel: disabled automatic use of client certificate");
526   }
527   else
528     infof(data, "schannel: enabled automatic use of client certificate");
529 
530   switch(conn_config->version) {
531   case CURL_SSLVERSION_DEFAULT:
532   case CURL_SSLVERSION_TLSv1:
533   case CURL_SSLVERSION_TLSv1_0:
534   case CURL_SSLVERSION_TLSv1_1:
535   case CURL_SSLVERSION_TLSv1_2:
536   case CURL_SSLVERSION_TLSv1_3:
537   {
538     result = schannel_set_ssl_version_min_max(&enabled_protocols, cf, data);
539     if(result != CURLE_OK)
540       return result;
541     break;
542   }
543   case CURL_SSLVERSION_SSLv3:
544   case CURL_SSLVERSION_SSLv2:
545     failf(data, "SSL versions not supported");
546     return CURLE_NOT_BUILT_IN;
547   default:
548     failf(data, "Unrecognized parameter passed via CURLOPT_SSLVERSION");
549     return CURLE_SSL_CONNECT_ERROR;
550   }
551 
552 #ifdef HAS_CLIENT_CERT_PATH
553   /* client certificate */
554   if(data->set.ssl.primary.clientcert || data->set.ssl.primary.cert_blob) {
555     DWORD cert_store_name = 0;
556     TCHAR *cert_store_path = NULL;
557     TCHAR *cert_thumbprint_str = NULL;
558     CRYPT_HASH_BLOB cert_thumbprint;
559     BYTE cert_thumbprint_data[CERT_THUMBPRINT_DATA_LEN];
560     HCERTSTORE cert_store = NULL;
561     FILE *fInCert = NULL;
562     void *certdata = NULL;
563     size_t certsize = 0;
564     bool blob = data->set.ssl.primary.cert_blob != NULL;
565     TCHAR *cert_path = NULL;
566     if(blob) {
567       certdata = data->set.ssl.primary.cert_blob->data;
568       certsize = data->set.ssl.primary.cert_blob->len;
569     }
570     else {
571       cert_path = curlx_convert_UTF8_to_tchar(
572         data->set.ssl.primary.clientcert);
573       if(!cert_path)
574         return CURLE_OUT_OF_MEMORY;
575 
576       result = get_cert_location(cert_path, &cert_store_name,
577                                  &cert_store_path, &cert_thumbprint_str);
578 
579       if(result && (data->set.ssl.primary.clientcert[0]!='\0'))
580         fInCert = fopen(data->set.ssl.primary.clientcert, "rb");
581 
582       if(result && !fInCert) {
583         failf(data, "schannel: Failed to get certificate location"
584               " or file for %s",
585               data->set.ssl.primary.clientcert);
586         curlx_unicodefree(cert_path);
587         return result;
588       }
589     }
590 
591     if((fInCert || blob) && (data->set.ssl.cert_type) &&
592        (!strcasecompare(data->set.ssl.cert_type, "P12"))) {
593       failf(data, "schannel: certificate format compatibility error "
594             " for %s",
595             blob ? "(memory blob)" : data->set.ssl.primary.clientcert);
596       curlx_unicodefree(cert_path);
597       return CURLE_SSL_CERTPROBLEM;
598     }
599 
600     if(fInCert || blob) {
601       /* Reading a .P12 or .pfx file, like the example at bottom of
602          https://social.msdn.microsoft.com/Forums/windowsdesktop/
603          en-US/3e7bc95f-b21a-4bcd-bd2c-7f996718cae5
604       */
605       CRYPT_DATA_BLOB datablob;
606       WCHAR* pszPassword;
607       size_t pwd_len = 0;
608       int str_w_len = 0;
609       const char *cert_showfilename_error = blob ?
610         "(memory blob)" : data->set.ssl.primary.clientcert;
611       curlx_unicodefree(cert_path);
612       if(fInCert) {
613         long cert_tell = 0;
614         bool continue_reading = fseek(fInCert, 0, SEEK_END) == 0;
615         if(continue_reading)
616           cert_tell = ftell(fInCert);
617         if(cert_tell < 0)
618           continue_reading = FALSE;
619         else
620           certsize = (size_t)cert_tell;
621         if(continue_reading)
622           continue_reading = fseek(fInCert, 0, SEEK_SET) == 0;
623         if(continue_reading)
624           certdata = malloc(certsize + 1);
625         if((!certdata) ||
626            ((int) fread(certdata, certsize, 1, fInCert) != 1))
627           continue_reading = FALSE;
628         fclose(fInCert);
629         if(!continue_reading) {
630           failf(data, "schannel: Failed to read cert file %s",
631                 data->set.ssl.primary.clientcert);
632           free(certdata);
633           return CURLE_SSL_CERTPROBLEM;
634         }
635       }
636 
637       /* Convert key-pair data to the in-memory certificate store */
638       datablob.pbData = (BYTE*)certdata;
639       datablob.cbData = (DWORD)certsize;
640 
641       if(data->set.ssl.key_passwd)
642         pwd_len = strlen(data->set.ssl.key_passwd);
643       pszPassword = (WCHAR*)malloc(sizeof(WCHAR)*(pwd_len + 1));
644       if(pszPassword) {
645         if(pwd_len > 0)
646           str_w_len = MultiByteToWideChar(CP_UTF8,
647                                           MB_ERR_INVALID_CHARS,
648                                           data->set.ssl.key_passwd,
649                                           (int)pwd_len,
650                                           pszPassword, (int)(pwd_len + 1));
651 
652         if((str_w_len >= 0) && (str_w_len <= (int)pwd_len))
653           pszPassword[str_w_len] = 0;
654         else
655           pszPassword[0] = 0;
656 
657         if(curlx_verify_windows_version(6, 0, 0, PLATFORM_WINNT,
658                                         VERSION_GREATER_THAN_EQUAL))
659           cert_store = PFXImportCertStore(&datablob, pszPassword,
660                                           PKCS12_NO_PERSIST_KEY);
661         else
662           cert_store = PFXImportCertStore(&datablob, pszPassword, 0);
663 
664         free(pszPassword);
665       }
666       if(!blob)
667         free(certdata);
668       if(!cert_store) {
669         DWORD errorcode = GetLastError();
670         if(errorcode == ERROR_INVALID_PASSWORD)
671           failf(data, "schannel: Failed to import cert file %s, "
672                 "password is bad",
673                 cert_showfilename_error);
674         else
675           failf(data, "schannel: Failed to import cert file %s, "
676                 "last error is 0x%lx",
677                 cert_showfilename_error, errorcode);
678         return CURLE_SSL_CERTPROBLEM;
679       }
680 
681       client_certs[0] = CertFindCertificateInStore(
682         cert_store, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 0,
683         CERT_FIND_ANY, NULL, NULL);
684 
685       if(!client_certs[0]) {
686         failf(data, "schannel: Failed to get certificate from file %s"
687               ", last error is 0x%lx",
688               cert_showfilename_error, GetLastError());
689         CertCloseStore(cert_store, 0);
690         return CURLE_SSL_CERTPROBLEM;
691       }
692     }
693     else {
694       cert_store =
695         CertOpenStore(CURL_CERT_STORE_PROV_SYSTEM, 0,
696                       (HCRYPTPROV)NULL,
697                       CERT_STORE_OPEN_EXISTING_FLAG | cert_store_name,
698                       cert_store_path);
699       if(!cert_store) {
700         char *path_utf8 =
701           curlx_convert_tchar_to_UTF8(cert_store_path);
702         failf(data, "schannel: Failed to open cert store %lx %s, "
703               "last error is 0x%lx",
704               cert_store_name,
705               (path_utf8 ? path_utf8 : "(unknown)"),
706               GetLastError());
707         free(cert_store_path);
708         curlx_unicodefree(path_utf8);
709         curlx_unicodefree(cert_path);
710         return CURLE_SSL_CERTPROBLEM;
711       }
712       free(cert_store_path);
713 
714       cert_thumbprint.pbData = cert_thumbprint_data;
715       cert_thumbprint.cbData = CERT_THUMBPRINT_DATA_LEN;
716 
717       if(!CryptStringToBinary(cert_thumbprint_str,
718                               CERT_THUMBPRINT_STR_LEN,
719                               CRYPT_STRING_HEX,
720                               cert_thumbprint_data,
721                               &cert_thumbprint.cbData,
722                               NULL, NULL)) {
723         curlx_unicodefree(cert_path);
724         CertCloseStore(cert_store, 0);
725         return CURLE_SSL_CERTPROBLEM;
726       }
727 
728       client_certs[0] = CertFindCertificateInStore(
729         cert_store, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 0,
730         CERT_FIND_HASH, &cert_thumbprint, NULL);
731 
732       curlx_unicodefree(cert_path);
733 
734       if(!client_certs[0]) {
735         /* CRYPT_E_NOT_FOUND / E_INVALIDARG */
736         CertCloseStore(cert_store, 0);
737         return CURLE_SSL_CERTPROBLEM;
738       }
739     }
740     client_cert_store = cert_store;
741   }
742 #else
743   if(data->set.ssl.primary.clientcert || data->set.ssl.primary.cert_blob) {
744     failf(data, "schannel: client cert support not built in");
745     return CURLE_NOT_BUILT_IN;
746   }
747 #endif
748 
749   /* allocate memory for the reusable credential handle */
750   backend->cred = (struct Curl_schannel_cred *)
751     calloc(1, sizeof(struct Curl_schannel_cred));
752   if(!backend->cred) {
753     failf(data, "schannel: unable to allocate memory");
754 
755 #ifdef HAS_CLIENT_CERT_PATH
756     if(client_certs[0])
757       CertFreeCertificateContext(client_certs[0]);
758     if(client_cert_store)
759       CertCloseStore(client_cert_store, 0);
760 #endif
761 
762     return CURLE_OUT_OF_MEMORY;
763   }
764   backend->cred->refcount = 1;
765 
766 #ifdef HAS_CLIENT_CERT_PATH
767   /* Since we did not persist the key, we need to extend the store's
768    * lifetime until the end of the connection
769    */
770   backend->cred->client_cert_store = client_cert_store;
771 #endif
772 
773   /* We support TLS 1.3 starting in Windows 10 version 1809 (OS build 17763) as
774      long as the user did not set a legacy algorithm list
775      (CURLOPT_SSL_CIPHER_LIST). */
776   if(!conn_config->cipher_list &&
777      curlx_verify_windows_version(10, 0, 17763, PLATFORM_WINNT,
778                                   VERSION_GREATER_THAN_EQUAL)) {
779 
780     SCH_CREDENTIALS credentials = { 0 };
781     TLS_PARAMETERS tls_parameters = { 0 };
782     CRYPTO_SETTINGS crypto_settings[1] = { { 0 } };
783 
784     tls_parameters.pDisabledCrypto = crypto_settings;
785 
786     /* The number of blocked suites */
787     tls_parameters.cDisabledCrypto = (DWORD)0;
788     credentials.pTlsParameters = &tls_parameters;
789     credentials.cTlsParameters = 1;
790 
791     credentials.dwVersion = SCH_CREDENTIALS_VERSION;
792     credentials.dwFlags = flags | SCH_USE_STRONG_CRYPTO;
793 
794     credentials.pTlsParameters->grbitDisabledProtocols =
795       (DWORD)~enabled_protocols;
796 
797 #ifdef HAS_CLIENT_CERT_PATH
798     if(client_certs[0]) {
799       credentials.cCreds = 1;
800       credentials.paCred = client_certs;
801     }
802 #endif
803 
804     sspi_status =
805       Curl_pSecFn->AcquireCredentialsHandle(NULL, (TCHAR*)UNISP_NAME,
806                                          SECPKG_CRED_OUTBOUND, NULL,
807                                          &credentials, NULL, NULL,
808                                          &backend->cred->cred_handle,
809                                          &backend->cred->time_stamp);
810   }
811   else {
812     /* Pre-Windows 10 1809 or the user set a legacy algorithm list.
813        Schannel will not negotiate TLS 1.3 when SCHANNEL_CRED is used. */
814     ALG_ID algIds[NUM_CIPHERS];
815     char *ciphers = conn_config->cipher_list;
816     SCHANNEL_CRED schannel_cred = { 0 };
817     schannel_cred.dwVersion = SCHANNEL_CRED_VERSION;
818     schannel_cred.dwFlags = flags;
819     schannel_cred.grbitEnabledProtocols = enabled_protocols;
820 
821     if(ciphers) {
822       if((enabled_protocols & SP_PROT_TLS1_3_CLIENT)) {
823         infof(data, "schannel: WARNING: This version of Schannel "
824               "negotiates a less-secure TLS version than TLS 1.3 because the "
825               "user set an algorithm cipher list.");
826       }
827       result = set_ssl_ciphers(&schannel_cred, ciphers, algIds);
828       if(CURLE_OK != result) {
829         failf(data, "schannel: Failed setting algorithm cipher list");
830         return result;
831       }
832     }
833     else {
834       schannel_cred.dwFlags = flags | SCH_USE_STRONG_CRYPTO;
835     }
836 
837 #ifdef HAS_CLIENT_CERT_PATH
838     if(client_certs[0]) {
839       schannel_cred.cCreds = 1;
840       schannel_cred.paCred = client_certs;
841     }
842 #endif
843 
844     sspi_status =
845       Curl_pSecFn->AcquireCredentialsHandle(NULL, (TCHAR*)UNISP_NAME,
846                                          SECPKG_CRED_OUTBOUND, NULL,
847                                          &schannel_cred, NULL, NULL,
848                                          &backend->cred->cred_handle,
849                                          &backend->cred->time_stamp);
850   }
851 
852 #ifdef HAS_CLIENT_CERT_PATH
853   if(client_certs[0])
854     CertFreeCertificateContext(client_certs[0]);
855 #endif
856 
857   if(sspi_status != SEC_E_OK) {
858     char buffer[STRERROR_LEN];
859     failf(data, "schannel: AcquireCredentialsHandle failed: %s",
860           Curl_sspi_strerror(sspi_status, buffer, sizeof(buffer)));
861     Curl_safefree(backend->cred);
862     switch(sspi_status) {
863     case SEC_E_INSUFFICIENT_MEMORY:
864       return CURLE_OUT_OF_MEMORY;
865     case SEC_E_NO_CREDENTIALS:
866     case SEC_E_SECPKG_NOT_FOUND:
867     case SEC_E_NOT_OWNER:
868     case SEC_E_UNKNOWN_CREDENTIALS:
869     case SEC_E_INTERNAL_ERROR:
870     default:
871       return CURLE_SSL_CONNECT_ERROR;
872     }
873   }
874 
875   return CURLE_OK;
876 }
877 
878 static CURLcode
schannel_connect_step1(struct Curl_cfilter * cf,struct Curl_easy * data)879 schannel_connect_step1(struct Curl_cfilter *cf, struct Curl_easy *data)
880 {
881   ssize_t written = -1;
882   struct ssl_connect_data *connssl = cf->ctx;
883   struct schannel_ssl_backend_data *backend =
884     (struct schannel_ssl_backend_data *)connssl->backend;
885   struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
886   struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
887   SecBuffer outbuf;
888   SecBufferDesc outbuf_desc;
889   SecBuffer inbuf;
890   SecBufferDesc inbuf_desc;
891 #ifdef HAS_ALPN
892   unsigned char alpn_buffer[128];
893 #endif
894   SECURITY_STATUS sspi_status = SEC_E_OK;
895   struct Curl_schannel_cred *old_cred = NULL;
896   CURLcode result;
897 
898   DEBUGASSERT(backend);
899   DEBUGF(infof(data,
900                "schannel: SSL/TLS connection with %s port %d (step 1/3)",
901                connssl->peer.hostname, connssl->peer.port));
902 
903   if(curlx_verify_windows_version(5, 1, 0, PLATFORM_WINNT,
904                                   VERSION_LESS_THAN_EQUAL)) {
905     /* Schannel in Windows XP (OS version 5.1) uses legacy handshakes and
906        algorithms that may not be supported by all servers. */
907     infof(data, "schannel: Windows version is old and may not be able to "
908           "connect to some servers due to lack of SNI, algorithms, etc.");
909   }
910 
911 #ifdef HAS_ALPN
912   /* ALPN is only supported on Windows 8.1 / Server 2012 R2 and above.
913      Also it does not seem to be supported for WINE, see curl bug #983. */
914   backend->use_alpn = connssl->alpn &&
915     !GetProcAddress(GetModuleHandle(TEXT("ntdll")),
916                     "wine_get_version") &&
917     curlx_verify_windows_version(6, 3, 0, PLATFORM_WINNT,
918                                  VERSION_GREATER_THAN_EQUAL);
919 #else
920   backend->use_alpn = FALSE;
921 #endif
922 
923 #ifdef _WIN32_WCE
924 #ifdef HAS_MANUAL_VERIFY_API
925   /* certificate validation on CE does not seem to work right; we will
926    * do it following a more manual process. */
927   backend->use_manual_cred_validation = TRUE;
928 #else
929 #error "compiler too old to support Windows CE requisite manual cert verify"
930 #endif
931 #else
932 #ifdef HAS_MANUAL_VERIFY_API
933   if(conn_config->CAfile || conn_config->ca_info_blob) {
934     if(curlx_verify_windows_version(6, 1, 0, PLATFORM_WINNT,
935                                     VERSION_GREATER_THAN_EQUAL)) {
936       backend->use_manual_cred_validation = TRUE;
937     }
938     else {
939       failf(data, "schannel: this version of Windows is too old to support "
940             "certificate verification via CA bundle file.");
941       return CURLE_SSL_CACERT_BADFILE;
942     }
943   }
944   else
945     backend->use_manual_cred_validation = FALSE;
946 #else
947   if(conn_config->CAfile || conn_config->ca_info_blob) {
948     failf(data, "schannel: CA cert support not built in");
949     return CURLE_NOT_BUILT_IN;
950   }
951 #endif
952 #endif
953 
954   backend->cred = NULL;
955 
956   /* check for an existing reusable credential handle */
957   if(ssl_config->primary.cache_session) {
958     Curl_ssl_scache_lock(data);
959     if(Curl_ssl_scache_get_obj(cf, data, connssl->peer.scache_key,
960                                (void **)&old_cred)) {
961       backend->cred = old_cred;
962       DEBUGF(infof(data, "schannel: reusing existing credential handle"));
963 
964       /* increment the reference counter of the credential/session handle */
965       backend->cred->refcount++;
966       DEBUGF(infof(data,
967                    "schannel: incremented credential handle refcount = %d",
968                    backend->cred->refcount));
969     }
970     Curl_ssl_scache_unlock(data);
971   }
972 
973   if(!backend->cred) {
974     char *snihost;
975     result = schannel_acquire_credential_handle(cf, data);
976     if(result)
977       return result;
978     /* schannel_acquire_credential_handle() sets backend->cred accordingly or
979        it returns error otherwise. */
980 
981     /* A hostname associated with the credential is needed by
982        InitializeSecurityContext for SNI and other reasons. */
983     snihost = connssl->peer.sni ? connssl->peer.sni : connssl->peer.hostname;
984     backend->cred->sni_hostname = curlx_convert_UTF8_to_tchar(snihost);
985     if(!backend->cred->sni_hostname)
986       return CURLE_OUT_OF_MEMORY;
987   }
988 
989   /* Warn if SNI is disabled due to use of an IP address */
990   if(connssl->peer.type != CURL_SSL_PEER_DNS) {
991     infof(data, "schannel: using IP address, SNI is not supported by OS.");
992   }
993 
994 #ifdef HAS_ALPN
995   if(backend->use_alpn) {
996     int cur = 0;
997     int list_start_index = 0;
998     unsigned int *extension_len = NULL;
999     unsigned short* list_len = NULL;
1000     struct alpn_proto_buf proto;
1001 
1002     /* The first four bytes will be an unsigned int indicating number
1003        of bytes of data in the rest of the buffer. */
1004     extension_len = (unsigned int *)(void *)(&alpn_buffer[cur]);
1005     cur += (int)sizeof(unsigned int);
1006 
1007     /* The next four bytes are an indicator that this buffer will contain
1008        ALPN data, as opposed to NPN, for example. */
1009     *(unsigned int *)(void *)&alpn_buffer[cur] =
1010       SecApplicationProtocolNegotiationExt_ALPN;
1011     cur += (int)sizeof(unsigned int);
1012 
1013     /* The next two bytes will be an unsigned short indicating the number
1014        of bytes used to list the preferred protocols. */
1015     list_len = (unsigned short*)(void *)(&alpn_buffer[cur]);
1016     cur += (int)sizeof(unsigned short);
1017 
1018     list_start_index = cur;
1019 
1020     result = Curl_alpn_to_proto_buf(&proto, connssl->alpn);
1021     if(result) {
1022       failf(data, "Error setting ALPN");
1023       return CURLE_SSL_CONNECT_ERROR;
1024     }
1025     memcpy(&alpn_buffer[cur], proto.data, proto.len);
1026     cur += proto.len;
1027 
1028     *list_len = curlx_uitous(cur - list_start_index);
1029     *extension_len = (unsigned int)(*list_len +
1030       sizeof(unsigned int) + sizeof(unsigned short));
1031 
1032     InitSecBuffer(&inbuf, SECBUFFER_APPLICATION_PROTOCOLS, alpn_buffer, cur);
1033     InitSecBufferDesc(&inbuf_desc, &inbuf, 1);
1034 
1035     Curl_alpn_to_proto_str(&proto, connssl->alpn);
1036     infof(data, VTLS_INFOF_ALPN_OFFER_1STR, proto.data);
1037   }
1038   else {
1039     InitSecBuffer(&inbuf, SECBUFFER_EMPTY, NULL, 0);
1040     InitSecBufferDesc(&inbuf_desc, &inbuf, 1);
1041   }
1042 #else /* HAS_ALPN */
1043   InitSecBuffer(&inbuf, SECBUFFER_EMPTY, NULL, 0);
1044   InitSecBufferDesc(&inbuf_desc, &inbuf, 1);
1045 #endif
1046 
1047   /* setup output buffer */
1048   InitSecBuffer(&outbuf, SECBUFFER_EMPTY, NULL, 0);
1049   InitSecBufferDesc(&outbuf_desc, &outbuf, 1);
1050 
1051   /* security request flags */
1052   backend->req_flags = ISC_REQ_SEQUENCE_DETECT | ISC_REQ_REPLAY_DETECT |
1053     ISC_REQ_CONFIDENTIALITY | ISC_REQ_ALLOCATE_MEMORY |
1054     ISC_REQ_STREAM;
1055 
1056   if(!ssl_config->auto_client_cert) {
1057     backend->req_flags |= ISC_REQ_USE_SUPPLIED_CREDS;
1058   }
1059 
1060   /* allocate memory for the security context handle */
1061   backend->ctxt = (struct Curl_schannel_ctxt *)
1062     calloc(1, sizeof(struct Curl_schannel_ctxt));
1063   if(!backend->ctxt) {
1064     failf(data, "schannel: unable to allocate memory");
1065     return CURLE_OUT_OF_MEMORY;
1066   }
1067 
1068   /* Schannel InitializeSecurityContext:
1069      https://msdn.microsoft.com/en-us/library/windows/desktop/aa375924.aspx
1070 
1071      At the moment we do not pass inbuf unless we are using ALPN since we only
1072      use it for that, and WINE (for which we currently disable ALPN) is giving
1073      us problems with inbuf regardless. https://github.com/curl/curl/issues/983
1074   */
1075   sspi_status = Curl_pSecFn->InitializeSecurityContext(
1076     &backend->cred->cred_handle, NULL, backend->cred->sni_hostname,
1077     backend->req_flags, 0, 0,
1078     (backend->use_alpn ? &inbuf_desc : NULL),
1079     0, &backend->ctxt->ctxt_handle,
1080     &outbuf_desc, &backend->ret_flags, &backend->ctxt->time_stamp);
1081 
1082   if(sspi_status != SEC_I_CONTINUE_NEEDED) {
1083     char buffer[STRERROR_LEN];
1084     Curl_safefree(backend->ctxt);
1085     switch(sspi_status) {
1086     case SEC_E_INSUFFICIENT_MEMORY:
1087       failf(data, "schannel: initial InitializeSecurityContext failed: %s",
1088             Curl_sspi_strerror(sspi_status, buffer, sizeof(buffer)));
1089       return CURLE_OUT_OF_MEMORY;
1090     case SEC_E_WRONG_PRINCIPAL:
1091       failf(data, "schannel: SNI or certificate check failed: %s",
1092             Curl_sspi_strerror(sspi_status, buffer, sizeof(buffer)));
1093       return CURLE_PEER_FAILED_VERIFICATION;
1094       /*
1095         case SEC_E_INVALID_HANDLE:
1096         case SEC_E_INVALID_TOKEN:
1097         case SEC_E_LOGON_DENIED:
1098         case SEC_E_TARGET_UNKNOWN:
1099         case SEC_E_NO_AUTHENTICATING_AUTHORITY:
1100         case SEC_E_INTERNAL_ERROR:
1101         case SEC_E_NO_CREDENTIALS:
1102         case SEC_E_UNSUPPORTED_FUNCTION:
1103         case SEC_E_APPLICATION_PROTOCOL_MISMATCH:
1104       */
1105     default:
1106       failf(data, "schannel: initial InitializeSecurityContext failed: %s",
1107             Curl_sspi_strerror(sspi_status, buffer, sizeof(buffer)));
1108       return CURLE_SSL_CONNECT_ERROR;
1109     }
1110   }
1111 
1112   DEBUGF(infof(data, "schannel: sending initial handshake data: "
1113                "sending %lu bytes.", outbuf.cbBuffer));
1114 
1115   /* send initial handshake data which is now stored in output buffer */
1116   written = Curl_conn_cf_send(cf->next, data,
1117                               outbuf.pvBuffer, outbuf.cbBuffer, FALSE,
1118                               &result);
1119   Curl_pSecFn->FreeContextBuffer(outbuf.pvBuffer);
1120   if((result != CURLE_OK) || (outbuf.cbBuffer != (size_t) written)) {
1121     failf(data, "schannel: failed to send initial handshake data: "
1122           "sent %zd of %lu bytes", written, outbuf.cbBuffer);
1123     return CURLE_SSL_CONNECT_ERROR;
1124   }
1125 
1126   DEBUGF(infof(data, "schannel: sent initial handshake data: "
1127                "sent %zd bytes", written));
1128 
1129   backend->recv_unrecoverable_err = CURLE_OK;
1130   backend->recv_sspi_close_notify = FALSE;
1131   backend->recv_connection_closed = FALSE;
1132   backend->recv_renegotiating = FALSE;
1133   backend->encdata_is_incomplete = FALSE;
1134 
1135   /* continue to second handshake step */
1136   connssl->connecting_state = ssl_connect_2;
1137 
1138   return CURLE_OK;
1139 }
1140 
1141 static CURLcode
schannel_connect_step2(struct Curl_cfilter * cf,struct Curl_easy * data)1142 schannel_connect_step2(struct Curl_cfilter *cf, struct Curl_easy *data)
1143 {
1144   struct ssl_connect_data *connssl = cf->ctx;
1145   struct schannel_ssl_backend_data *backend =
1146     (struct schannel_ssl_backend_data *)connssl->backend;
1147   struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
1148   int i;
1149   ssize_t nread = -1, written = -1;
1150   unsigned char *reallocated_buffer;
1151   SecBuffer outbuf[3];
1152   SecBufferDesc outbuf_desc;
1153   SecBuffer inbuf[2];
1154   SecBufferDesc inbuf_desc;
1155   SECURITY_STATUS sspi_status = SEC_E_OK;
1156   CURLcode result;
1157   bool doread;
1158   const char *pubkey_ptr;
1159 
1160   DEBUGASSERT(backend);
1161 
1162   doread = (connssl->io_need & CURL_SSL_IO_NEED_SEND) ? FALSE : TRUE;
1163   connssl->io_need = CURL_SSL_IO_NEED_NONE;
1164 
1165   DEBUGF(infof(data,
1166                "schannel: SSL/TLS connection with %s port %d (step 2/3)",
1167                connssl->peer.hostname, connssl->peer.port));
1168 
1169   if(!backend->cred || !backend->ctxt)
1170     return CURLE_SSL_CONNECT_ERROR;
1171 
1172   /* buffer to store previously received and decrypted data */
1173   if(!backend->decdata_buffer) {
1174     backend->decdata_offset = 0;
1175     backend->decdata_length = CURL_SCHANNEL_BUFFER_INIT_SIZE;
1176     backend->decdata_buffer = malloc(backend->decdata_length);
1177     if(!backend->decdata_buffer) {
1178       failf(data, "schannel: unable to allocate memory");
1179       return CURLE_OUT_OF_MEMORY;
1180     }
1181   }
1182 
1183   /* buffer to store previously received and encrypted data */
1184   if(!backend->encdata_buffer) {
1185     backend->encdata_is_incomplete = FALSE;
1186     backend->encdata_offset = 0;
1187     backend->encdata_length = CURL_SCHANNEL_BUFFER_INIT_SIZE;
1188     backend->encdata_buffer = malloc(backend->encdata_length);
1189     if(!backend->encdata_buffer) {
1190       failf(data, "schannel: unable to allocate memory");
1191       return CURLE_OUT_OF_MEMORY;
1192     }
1193   }
1194 
1195   /* if we need a bigger buffer to read a full message, increase buffer now */
1196   if(backend->encdata_length - backend->encdata_offset <
1197      CURL_SCHANNEL_BUFFER_FREE_SIZE) {
1198     /* increase internal encrypted data buffer */
1199     size_t reallocated_length = backend->encdata_offset +
1200       CURL_SCHANNEL_BUFFER_FREE_SIZE;
1201     reallocated_buffer = realloc(backend->encdata_buffer,
1202                                  reallocated_length);
1203 
1204     if(!reallocated_buffer) {
1205       failf(data, "schannel: unable to re-allocate memory");
1206       return CURLE_OUT_OF_MEMORY;
1207     }
1208     else {
1209       backend->encdata_buffer = reallocated_buffer;
1210       backend->encdata_length = reallocated_length;
1211     }
1212   }
1213 
1214   for(;;) {
1215     if(doread) {
1216       /* read encrypted handshake data from socket */
1217       nread = Curl_conn_cf_recv(cf->next, data,
1218                                (char *) (backend->encdata_buffer +
1219                                          backend->encdata_offset),
1220                                backend->encdata_length -
1221                                backend->encdata_offset,
1222                                &result);
1223       if(result == CURLE_AGAIN) {
1224         connssl->io_need = CURL_SSL_IO_NEED_RECV;
1225         DEBUGF(infof(data, "schannel: failed to receive handshake, "
1226                      "need more data"));
1227         return CURLE_OK;
1228       }
1229       else if((result != CURLE_OK) || (nread == 0)) {
1230         failf(data, "schannel: failed to receive handshake, "
1231               "SSL/TLS connection failed");
1232         return CURLE_SSL_CONNECT_ERROR;
1233       }
1234 
1235       /* increase encrypted data buffer offset */
1236       backend->encdata_offset += nread;
1237       backend->encdata_is_incomplete = FALSE;
1238       SCH_DEV(infof(data, "schannel: encrypted data got %zd", nread));
1239     }
1240 
1241     SCH_DEV(infof(data,
1242                   "schannel: encrypted data buffer: offset %zu length %zu",
1243                   backend->encdata_offset, backend->encdata_length));
1244 
1245     /* setup input buffers */
1246     InitSecBuffer(&inbuf[0], SECBUFFER_TOKEN, malloc(backend->encdata_offset),
1247                   curlx_uztoul(backend->encdata_offset));
1248     InitSecBuffer(&inbuf[1], SECBUFFER_EMPTY, NULL, 0);
1249     InitSecBufferDesc(&inbuf_desc, inbuf, 2);
1250 
1251     /* setup output buffers */
1252     InitSecBuffer(&outbuf[0], SECBUFFER_TOKEN, NULL, 0);
1253     InitSecBuffer(&outbuf[1], SECBUFFER_ALERT, NULL, 0);
1254     InitSecBuffer(&outbuf[2], SECBUFFER_EMPTY, NULL, 0);
1255     InitSecBufferDesc(&outbuf_desc, outbuf, 3);
1256 
1257     if(!inbuf[0].pvBuffer) {
1258       failf(data, "schannel: unable to allocate memory");
1259       return CURLE_OUT_OF_MEMORY;
1260     }
1261 
1262     /* copy received handshake data into input buffer */
1263     memcpy(inbuf[0].pvBuffer, backend->encdata_buffer,
1264            backend->encdata_offset);
1265 
1266     sspi_status = Curl_pSecFn->InitializeSecurityContext(
1267       &backend->cred->cred_handle, &backend->ctxt->ctxt_handle,
1268       backend->cred->sni_hostname, backend->req_flags,
1269       0, 0, &inbuf_desc, 0, NULL,
1270       &outbuf_desc, &backend->ret_flags, &backend->ctxt->time_stamp);
1271 
1272     /* free buffer for received handshake data */
1273     Curl_safefree(inbuf[0].pvBuffer);
1274 
1275     /* check if the handshake was incomplete */
1276     if(sspi_status == SEC_E_INCOMPLETE_MESSAGE) {
1277       backend->encdata_is_incomplete = TRUE;
1278       connssl->io_need = CURL_SSL_IO_NEED_RECV;
1279       DEBUGF(infof(data,
1280                    "schannel: received incomplete message, need more data"));
1281       return CURLE_OK;
1282     }
1283 
1284     /* If the server has requested a client certificate, attempt to continue
1285        the handshake without one. This will allow connections to servers which
1286        request a client certificate but do not require it. */
1287     if(sspi_status == SEC_I_INCOMPLETE_CREDENTIALS &&
1288        !(backend->req_flags & ISC_REQ_USE_SUPPLIED_CREDS)) {
1289       backend->req_flags |= ISC_REQ_USE_SUPPLIED_CREDS;
1290       connssl->io_need = CURL_SSL_IO_NEED_SEND;
1291       DEBUGF(infof(data,
1292                    "schannel: a client certificate has been requested"));
1293       return CURLE_OK;
1294     }
1295 
1296     /* check if the handshake needs to be continued */
1297     if(sspi_status == SEC_I_CONTINUE_NEEDED || sspi_status == SEC_E_OK) {
1298       for(i = 0; i < 3; i++) {
1299         /* search for handshake tokens that need to be send */
1300         if(outbuf[i].BufferType == SECBUFFER_TOKEN && outbuf[i].cbBuffer > 0) {
1301           DEBUGF(infof(data, "schannel: sending next handshake data: "
1302                        "sending %lu bytes.", outbuf[i].cbBuffer));
1303 
1304           /* send handshake token to server */
1305           written = Curl_conn_cf_send(cf->next, data,
1306                                       outbuf[i].pvBuffer, outbuf[i].cbBuffer,
1307                                       FALSE, &result);
1308           if((result != CURLE_OK) ||
1309              (outbuf[i].cbBuffer != (size_t) written)) {
1310             failf(data, "schannel: failed to send next handshake data: "
1311                   "sent %zd of %lu bytes", written, outbuf[i].cbBuffer);
1312             return CURLE_SSL_CONNECT_ERROR;
1313           }
1314         }
1315 
1316         /* free obsolete buffer */
1317         if(outbuf[i].pvBuffer) {
1318           Curl_pSecFn->FreeContextBuffer(outbuf[i].pvBuffer);
1319         }
1320       }
1321     }
1322     else {
1323       char buffer[STRERROR_LEN];
1324       switch(sspi_status) {
1325       case SEC_E_INSUFFICIENT_MEMORY:
1326         failf(data, "schannel: next InitializeSecurityContext failed: %s",
1327               Curl_sspi_strerror(sspi_status, buffer, sizeof(buffer)));
1328         return CURLE_OUT_OF_MEMORY;
1329       case SEC_E_WRONG_PRINCIPAL:
1330         failf(data, "schannel: SNI or certificate check failed: %s",
1331               Curl_sspi_strerror(sspi_status, buffer, sizeof(buffer)));
1332         return CURLE_PEER_FAILED_VERIFICATION;
1333       case SEC_E_UNTRUSTED_ROOT:
1334         failf(data, "schannel: %s",
1335               Curl_sspi_strerror(sspi_status, buffer, sizeof(buffer)));
1336         return CURLE_PEER_FAILED_VERIFICATION;
1337         /*
1338           case SEC_E_INVALID_HANDLE:
1339           case SEC_E_INVALID_TOKEN:
1340           case SEC_E_LOGON_DENIED:
1341           case SEC_E_TARGET_UNKNOWN:
1342           case SEC_E_NO_AUTHENTICATING_AUTHORITY:
1343           case SEC_E_INTERNAL_ERROR:
1344           case SEC_E_NO_CREDENTIALS:
1345           case SEC_E_UNSUPPORTED_FUNCTION:
1346           case SEC_E_APPLICATION_PROTOCOL_MISMATCH:
1347         */
1348       default:
1349         failf(data, "schannel: next InitializeSecurityContext failed: %s",
1350               Curl_sspi_strerror(sspi_status, buffer, sizeof(buffer)));
1351         return CURLE_SSL_CONNECT_ERROR;
1352       }
1353     }
1354 
1355     /* check if there was additional remaining encrypted data */
1356     if(inbuf[1].BufferType == SECBUFFER_EXTRA && inbuf[1].cbBuffer > 0) {
1357       SCH_DEV(infof(data, "schannel: encrypted data length: %lu",
1358                     inbuf[1].cbBuffer));
1359       /*
1360         There are two cases where we could be getting extra data here:
1361         1) If we are renegotiating a connection and the handshake is already
1362         complete (from the server perspective), it can encrypted app data
1363         (not handshake data) in an extra buffer at this point.
1364         2) (sspi_status == SEC_I_CONTINUE_NEEDED) We are negotiating a
1365         connection and this extra data is part of the handshake.
1366         We should process the data immediately; waiting for the socket to
1367         be ready may fail since the server is done sending handshake data.
1368       */
1369       /* check if the remaining data is less than the total amount
1370          and therefore begins after the already processed data */
1371       if(backend->encdata_offset > inbuf[1].cbBuffer) {
1372         memmove(backend->encdata_buffer,
1373                 (backend->encdata_buffer + backend->encdata_offset) -
1374                 inbuf[1].cbBuffer, inbuf[1].cbBuffer);
1375         backend->encdata_offset = inbuf[1].cbBuffer;
1376         if(sspi_status == SEC_I_CONTINUE_NEEDED) {
1377           doread = FALSE;
1378           continue;
1379         }
1380       }
1381     }
1382     else {
1383       backend->encdata_offset = 0;
1384     }
1385     break;
1386   }
1387 
1388   /* check if the handshake needs to be continued */
1389   if(sspi_status == SEC_I_CONTINUE_NEEDED) {
1390     connssl->io_need = CURL_SSL_IO_NEED_RECV;
1391     return CURLE_OK;
1392   }
1393 
1394   /* check if the handshake is complete */
1395   if(sspi_status == SEC_E_OK) {
1396     connssl->connecting_state = ssl_connect_3;
1397     DEBUGF(infof(data, "schannel: SSL/TLS handshake complete"));
1398   }
1399 
1400 #ifndef CURL_DISABLE_PROXY
1401   pubkey_ptr = Curl_ssl_cf_is_proxy(cf) ?
1402     data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] :
1403     data->set.str[STRING_SSL_PINNEDPUBLICKEY];
1404 #else
1405   pubkey_ptr = data->set.str[STRING_SSL_PINNEDPUBLICKEY];
1406 #endif
1407   if(pubkey_ptr) {
1408     result = schannel_pkp_pin_peer_pubkey(cf, data, pubkey_ptr);
1409     if(result) {
1410       failf(data, "SSL: public key does not match pinned public key");
1411       return result;
1412     }
1413   }
1414 
1415 #ifdef HAS_MANUAL_VERIFY_API
1416   if(conn_config->verifypeer && backend->use_manual_cred_validation) {
1417     /* Certificate verification also verifies the hostname if verifyhost */
1418     return Curl_verify_certificate(cf, data);
1419   }
1420 #endif
1421 
1422   /* Verify the hostname manually when certificate verification is disabled,
1423      because in that case Schannel will not verify it. */
1424   if(!conn_config->verifypeer && conn_config->verifyhost)
1425     return Curl_verify_host(cf, data);
1426 
1427   return CURLE_OK;
1428 }
1429 
1430 static bool
valid_cert_encoding(const CERT_CONTEXT * cert_context)1431 valid_cert_encoding(const CERT_CONTEXT *cert_context)
1432 {
1433   return (cert_context != NULL) &&
1434     ((cert_context->dwCertEncodingType & X509_ASN_ENCODING) != 0) &&
1435     (cert_context->pbCertEncoded != NULL) &&
1436     (cert_context->cbCertEncoded > 0);
1437 }
1438 
1439 typedef bool(*Read_crt_func)(const CERT_CONTEXT *ccert_context,
1440                              bool reverse_order, void *arg);
1441 
1442 static void
traverse_cert_store(const CERT_CONTEXT * context,Read_crt_func func,void * arg)1443 traverse_cert_store(const CERT_CONTEXT *context, Read_crt_func func,
1444                     void *arg)
1445 {
1446   const CERT_CONTEXT *current_context = NULL;
1447   bool should_continue = TRUE;
1448   bool first = TRUE;
1449   bool reverse_order = FALSE;
1450   while(should_continue &&
1451         (current_context = CertEnumCertificatesInStore(
1452           context->hCertStore,
1453           current_context)) != NULL) {
1454     /* Windows 11 22H2 OS Build 22621.674 or higher enumerates certificates in
1455        leaf-to-root order while all previous versions of Windows enumerate
1456        certificates in root-to-leaf order. Determine the order of enumeration
1457        by comparing SECPKG_ATTR_REMOTE_CERT_CONTEXT's pbCertContext with the
1458        first certificate's pbCertContext. */
1459     if(first && context->pbCertEncoded != current_context->pbCertEncoded)
1460       reverse_order = TRUE;
1461     should_continue = func(current_context, reverse_order, arg);
1462     first = FALSE;
1463   }
1464 
1465   if(current_context)
1466     CertFreeCertificateContext(current_context);
1467 }
1468 
1469 static bool
cert_counter_callback(const CERT_CONTEXT * ccert_context,bool reverse_order,void * certs_count)1470 cert_counter_callback(const CERT_CONTEXT *ccert_context, bool reverse_order,
1471                       void *certs_count)
1472 {
1473   (void)reverse_order; /* unused */
1474   if(valid_cert_encoding(ccert_context))
1475     (*(int *)certs_count)++;
1476   return TRUE;
1477 }
1478 
1479 struct Adder_args
1480 {
1481   struct Curl_easy *data;
1482   CURLcode result;
1483   int idx;
1484   int certs_count;
1485 };
1486 
1487 static bool
add_cert_to_certinfo(const CERT_CONTEXT * ccert_context,bool reverse_order,void * raw_arg)1488 add_cert_to_certinfo(const CERT_CONTEXT *ccert_context, bool reverse_order,
1489                      void *raw_arg)
1490 {
1491   struct Adder_args *args = (struct Adder_args*)raw_arg;
1492   args->result = CURLE_OK;
1493   if(valid_cert_encoding(ccert_context)) {
1494     const char *beg = (const char *) ccert_context->pbCertEncoded;
1495     const char *end = beg + ccert_context->cbCertEncoded;
1496     int insert_index = reverse_order ? (args->certs_count - 1) - args->idx :
1497                        args->idx;
1498     args->result = Curl_extract_certinfo(args->data, insert_index,
1499                                          beg, end);
1500     args->idx++;
1501   }
1502   return args->result == CURLE_OK;
1503 }
1504 
schannel_session_free(void * sessionid)1505 static void schannel_session_free(void *sessionid)
1506 {
1507   /* this is expected to be called under sessionid lock */
1508   struct Curl_schannel_cred *cred = sessionid;
1509 
1510   if(cred) {
1511     cred->refcount--;
1512     if(cred->refcount == 0) {
1513       Curl_pSecFn->FreeCredentialsHandle(&cred->cred_handle);
1514       curlx_unicodefree(cred->sni_hostname);
1515 #ifdef HAS_CLIENT_CERT_PATH
1516       if(cred->client_cert_store) {
1517         CertCloseStore(cred->client_cert_store, 0);
1518         cred->client_cert_store = NULL;
1519       }
1520 #endif
1521       Curl_safefree(cred);
1522     }
1523   }
1524 }
1525 
1526 static CURLcode
schannel_connect_step3(struct Curl_cfilter * cf,struct Curl_easy * data)1527 schannel_connect_step3(struct Curl_cfilter *cf, struct Curl_easy *data)
1528 {
1529   struct ssl_connect_data *connssl = cf->ctx;
1530   struct schannel_ssl_backend_data *backend =
1531     (struct schannel_ssl_backend_data *)connssl->backend;
1532   struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
1533   CURLcode result = CURLE_OK;
1534   SECURITY_STATUS sspi_status = SEC_E_OK;
1535   CERT_CONTEXT *ccert_context = NULL;
1536 #ifdef HAS_ALPN
1537   SecPkgContext_ApplicationProtocol alpn_result;
1538 #endif
1539 
1540   DEBUGASSERT(ssl_connect_3 == connssl->connecting_state);
1541   DEBUGASSERT(backend);
1542 
1543   DEBUGF(infof(data,
1544                "schannel: SSL/TLS connection with %s port %d (step 3/3)",
1545                connssl->peer.hostname, connssl->peer.port));
1546 
1547   if(!backend->cred)
1548     return CURLE_SSL_CONNECT_ERROR;
1549 
1550   /* check if the required context attributes are met */
1551   if(backend->ret_flags != backend->req_flags) {
1552     if(!(backend->ret_flags & ISC_RET_SEQUENCE_DETECT))
1553       failf(data, "schannel: failed to setup sequence detection");
1554     if(!(backend->ret_flags & ISC_RET_REPLAY_DETECT))
1555       failf(data, "schannel: failed to setup replay detection");
1556     if(!(backend->ret_flags & ISC_RET_CONFIDENTIALITY))
1557       failf(data, "schannel: failed to setup confidentiality");
1558     if(!(backend->ret_flags & ISC_RET_ALLOCATED_MEMORY))
1559       failf(data, "schannel: failed to setup memory allocation");
1560     if(!(backend->ret_flags & ISC_RET_STREAM))
1561       failf(data, "schannel: failed to setup stream orientation");
1562     return CURLE_SSL_CONNECT_ERROR;
1563   }
1564 
1565 #ifdef HAS_ALPN
1566   if(backend->use_alpn) {
1567     sspi_status =
1568       Curl_pSecFn->QueryContextAttributes(&backend->ctxt->ctxt_handle,
1569                                        SECPKG_ATTR_APPLICATION_PROTOCOL,
1570                                        &alpn_result);
1571 
1572     if(sspi_status != SEC_E_OK) {
1573       failf(data, "schannel: failed to retrieve ALPN result");
1574       return CURLE_SSL_CONNECT_ERROR;
1575     }
1576 
1577     if(alpn_result.ProtoNegoStatus ==
1578        SecApplicationProtocolNegotiationStatus_Success) {
1579       unsigned char prev_alpn = cf->conn->alpn;
1580 
1581       Curl_alpn_set_negotiated(cf, data, connssl, alpn_result.ProtocolId,
1582                                alpn_result.ProtocolIdSize);
1583       if(backend->recv_renegotiating) {
1584         if(prev_alpn != cf->conn->alpn &&
1585            prev_alpn != CURL_HTTP_VERSION_NONE) {
1586           /* Renegotiation selected a different protocol now, we cannot
1587            * deal with this */
1588           failf(data, "schannel: server selected an ALPN protocol too late");
1589           return CURLE_SSL_CONNECT_ERROR;
1590         }
1591       }
1592     }
1593     else {
1594       if(!backend->recv_renegotiating)
1595         Curl_alpn_set_negotiated(cf, data, connssl, NULL, 0);
1596     }
1597   }
1598 #endif
1599 
1600   /* save the current session data for possible reuse */
1601   if(ssl_config->primary.cache_session) {
1602     Curl_ssl_scache_lock(data);
1603     /* Up ref count since call takes ownership */
1604     backend->cred->refcount++;
1605     result = Curl_ssl_scache_add_obj(cf, data, connssl->peer.scache_key,
1606                                      backend->cred, schannel_session_free);
1607     Curl_ssl_scache_unlock(data);
1608     if(result)
1609       return result;
1610   }
1611 
1612   if(data->set.ssl.certinfo) {
1613     int certs_count = 0;
1614     sspi_status =
1615       Curl_pSecFn->QueryContextAttributes(&backend->ctxt->ctxt_handle,
1616                                        SECPKG_ATTR_REMOTE_CERT_CONTEXT,
1617                                        &ccert_context);
1618 
1619     if((sspi_status != SEC_E_OK) || !ccert_context) {
1620       failf(data, "schannel: failed to retrieve remote cert context");
1621       return CURLE_PEER_FAILED_VERIFICATION;
1622     }
1623 
1624     traverse_cert_store(ccert_context, cert_counter_callback, &certs_count);
1625 
1626     result = Curl_ssl_init_certinfo(data, certs_count);
1627     if(!result) {
1628       struct Adder_args args;
1629       args.data = data;
1630       args.idx = 0;
1631       args.certs_count = certs_count;
1632       traverse_cert_store(ccert_context, add_cert_to_certinfo, &args);
1633       result = args.result;
1634     }
1635     CertFreeCertificateContext(ccert_context);
1636     if(result)
1637       return result;
1638   }
1639 
1640   connssl->connecting_state = ssl_connect_done;
1641 
1642   return CURLE_OK;
1643 }
1644 
1645 static CURLcode
schannel_connect_common(struct Curl_cfilter * cf,struct Curl_easy * data,bool nonblocking,bool * done)1646 schannel_connect_common(struct Curl_cfilter *cf,
1647                         struct Curl_easy *data,
1648                         bool nonblocking, bool *done)
1649 {
1650   CURLcode result;
1651   struct ssl_connect_data *connssl = cf->ctx;
1652   curl_socket_t sockfd = Curl_conn_cf_get_socket(cf, data);
1653   timediff_t timeout_ms;
1654   int what;
1655 
1656   /* check if the connection has already been established */
1657   if(ssl_connection_complete == connssl->state) {
1658     *done = TRUE;
1659     return CURLE_OK;
1660   }
1661 
1662   if(ssl_connect_1 == connssl->connecting_state) {
1663     /* check out how much more time we are allowed */
1664     timeout_ms = Curl_timeleft(data, NULL, TRUE);
1665 
1666     if(timeout_ms < 0) {
1667       /* no need to continue if time already is up */
1668       failf(data, "SSL/TLS connection timeout");
1669       return CURLE_OPERATION_TIMEDOUT;
1670     }
1671 
1672     result = schannel_connect_step1(cf, data);
1673     if(result)
1674       return result;
1675   }
1676 
1677   while(ssl_connect_2 == connssl->connecting_state) {
1678 
1679     /* check out how much more time we are allowed */
1680     timeout_ms = Curl_timeleft(data, NULL, TRUE);
1681 
1682     if(timeout_ms < 0) {
1683       /* no need to continue if time already is up */
1684       failf(data, "SSL/TLS connection timeout");
1685       return CURLE_OPERATION_TIMEDOUT;
1686     }
1687 
1688     /* if ssl is expecting something, check if it is available. */
1689     if(connssl->io_need) {
1690 
1691       curl_socket_t writefd = (connssl->io_need & CURL_SSL_IO_NEED_SEND) ?
1692         sockfd : CURL_SOCKET_BAD;
1693       curl_socket_t readfd = (connssl->io_need & CURL_SSL_IO_NEED_RECV) ?
1694         sockfd : CURL_SOCKET_BAD;
1695 
1696       what = Curl_socket_check(readfd, CURL_SOCKET_BAD, writefd,
1697                                nonblocking ? 0 : timeout_ms);
1698       if(what < 0) {
1699         /* fatal error */
1700         failf(data, "select/poll on SSL/TLS socket, errno: %d", SOCKERRNO);
1701         return CURLE_SSL_CONNECT_ERROR;
1702       }
1703       else if(0 == what) {
1704         if(nonblocking) {
1705           *done = FALSE;
1706           return CURLE_OK;
1707         }
1708         else {
1709           /* timeout */
1710           failf(data, "SSL/TLS connection timeout");
1711           return CURLE_OPERATION_TIMEDOUT;
1712         }
1713       }
1714       /* socket is readable or writable */
1715     }
1716 
1717     /* Run transaction, and return to the caller if it failed or if
1718      * this connection is part of a multi handle and this loop would
1719      * execute again. This permits the owner of a multi handle to
1720      * abort a connection attempt before step2 has completed while
1721      * ensuring that a client using select() or epoll() will always
1722      * have a valid fdset to wait on.
1723      */
1724     result = schannel_connect_step2(cf, data);
1725     if(result || (nonblocking && (ssl_connect_2 == connssl->connecting_state)))
1726       return result;
1727 
1728   } /* repeat step2 until all transactions are done. */
1729 
1730   if(ssl_connect_3 == connssl->connecting_state) {
1731     result = schannel_connect_step3(cf, data);
1732     if(result)
1733       return result;
1734   }
1735 
1736   if(ssl_connect_done == connssl->connecting_state) {
1737     connssl->state = ssl_connection_complete;
1738 
1739 #ifdef SECPKG_ATTR_ENDPOINT_BINDINGS
1740     /* When SSPI is used in combination with Schannel
1741      * we need the Schannel context to create the Schannel
1742      * binding to pass the IIS extended protection checks.
1743      * Available on Windows 7 or later.
1744      */
1745     {
1746       struct schannel_ssl_backend_data *backend =
1747         (struct schannel_ssl_backend_data *)connssl->backend;
1748       DEBUGASSERT(backend);
1749       cf->conn->sslContext = &backend->ctxt->ctxt_handle;
1750     }
1751 #endif
1752 
1753     *done = TRUE;
1754   }
1755   else
1756     *done = FALSE;
1757 
1758   /* reset our connection state machine */
1759   connssl->connecting_state = ssl_connect_1;
1760 
1761   return CURLE_OK;
1762 }
1763 
1764 static ssize_t
schannel_send(struct Curl_cfilter * cf,struct Curl_easy * data,const void * buf,size_t len,CURLcode * err)1765 schannel_send(struct Curl_cfilter *cf, struct Curl_easy *data,
1766               const void *buf, size_t len, CURLcode *err)
1767 {
1768   ssize_t written = -1;
1769   size_t data_len = 0;
1770   unsigned char *ptr = NULL;
1771   struct ssl_connect_data *connssl = cf->ctx;
1772   SecBuffer outbuf[4];
1773   SecBufferDesc outbuf_desc;
1774   SECURITY_STATUS sspi_status = SEC_E_OK;
1775   CURLcode result;
1776   struct schannel_ssl_backend_data *backend =
1777     (struct schannel_ssl_backend_data *)connssl->backend;
1778 
1779   DEBUGASSERT(backend);
1780 
1781   /* check if the maximum stream sizes were queried */
1782   if(backend->stream_sizes.cbMaximumMessage == 0) {
1783     sspi_status = Curl_pSecFn->QueryContextAttributes(
1784       &backend->ctxt->ctxt_handle,
1785       SECPKG_ATTR_STREAM_SIZES,
1786       &backend->stream_sizes);
1787     if(sspi_status != SEC_E_OK) {
1788       *err = CURLE_SEND_ERROR;
1789       return -1;
1790     }
1791   }
1792 
1793   /* check if the buffer is longer than the maximum message length */
1794   if(len > backend->stream_sizes.cbMaximumMessage) {
1795     len = backend->stream_sizes.cbMaximumMessage;
1796   }
1797 
1798   /* calculate the complete message length and allocate a buffer for it */
1799   data_len = backend->stream_sizes.cbHeader + len +
1800     backend->stream_sizes.cbTrailer;
1801   ptr = (unsigned char *) malloc(data_len);
1802   if(!ptr) {
1803     *err = CURLE_OUT_OF_MEMORY;
1804     return -1;
1805   }
1806 
1807   /* setup output buffers (header, data, trailer, empty) */
1808   InitSecBuffer(&outbuf[0], SECBUFFER_STREAM_HEADER,
1809                 ptr, backend->stream_sizes.cbHeader);
1810   InitSecBuffer(&outbuf[1], SECBUFFER_DATA,
1811                 ptr + backend->stream_sizes.cbHeader, curlx_uztoul(len));
1812   InitSecBuffer(&outbuf[2], SECBUFFER_STREAM_TRAILER,
1813                 ptr + backend->stream_sizes.cbHeader + len,
1814                 backend->stream_sizes.cbTrailer);
1815   InitSecBuffer(&outbuf[3], SECBUFFER_EMPTY, NULL, 0);
1816   InitSecBufferDesc(&outbuf_desc, outbuf, 4);
1817 
1818   /* copy data into output buffer */
1819   memcpy(outbuf[1].pvBuffer, buf, len);
1820 
1821   /* https://msdn.microsoft.com/en-us/library/windows/desktop/aa375390.aspx */
1822   sspi_status = Curl_pSecFn->EncryptMessage(&backend->ctxt->ctxt_handle, 0,
1823                                          &outbuf_desc, 0);
1824 
1825   /* check if the message was encrypted */
1826   if(sspi_status == SEC_E_OK) {
1827     written = 0;
1828 
1829     /* send the encrypted message including header, data and trailer */
1830     len = outbuf[0].cbBuffer + outbuf[1].cbBuffer + outbuf[2].cbBuffer;
1831 
1832     /*
1833       it is important to send the full message which includes the header,
1834       encrypted payload, and trailer. Until the client receives all the
1835       data a coherent message has not been delivered and the client
1836       cannot read any of it.
1837 
1838       If we wanted to buffer the unwritten encrypted bytes, we would
1839       tell the client that all data it has requested to be sent has been
1840       sent. The unwritten encrypted bytes would be the first bytes to
1841       send on the next invocation.
1842       Here's the catch with this - if we tell the client that all the
1843       bytes have been sent, will the client call this method again to
1844       send the buffered data?  Looking at who calls this function, it
1845       seems the answer is NO.
1846     */
1847 
1848     /* send entire message or fail */
1849     while(len > (size_t)written) {
1850       ssize_t this_write = 0;
1851       int what;
1852       timediff_t timeout_ms = Curl_timeleft(data, NULL, FALSE);
1853       if(timeout_ms < 0) {
1854         /* we already got the timeout */
1855         failf(data, "schannel: timed out sending data "
1856               "(bytes sent: %zd)", written);
1857         *err = CURLE_OPERATION_TIMEDOUT;
1858         written = -1;
1859         break;
1860       }
1861       else if(!timeout_ms)
1862         timeout_ms = TIMEDIFF_T_MAX;
1863       what = SOCKET_WRITABLE(Curl_conn_cf_get_socket(cf, data), timeout_ms);
1864       if(what < 0) {
1865         /* fatal error */
1866         failf(data, "select/poll on SSL socket, errno: %d", SOCKERRNO);
1867         *err = CURLE_SEND_ERROR;
1868         written = -1;
1869         break;
1870       }
1871       else if(0 == what) {
1872         failf(data, "schannel: timed out sending data "
1873               "(bytes sent: %zd)", written);
1874         *err = CURLE_OPERATION_TIMEDOUT;
1875         written = -1;
1876         break;
1877       }
1878       /* socket is writable */
1879 
1880        this_write = Curl_conn_cf_send(cf->next, data,
1881                                       ptr + written, len - written,
1882                                       FALSE, &result);
1883       if(result == CURLE_AGAIN)
1884         continue;
1885       else if(result != CURLE_OK) {
1886         *err = result;
1887         written = -1;
1888         break;
1889       }
1890 
1891       written += this_write;
1892     }
1893   }
1894   else if(sspi_status == SEC_E_INSUFFICIENT_MEMORY) {
1895     *err = CURLE_OUT_OF_MEMORY;
1896   }
1897   else{
1898     *err = CURLE_SEND_ERROR;
1899   }
1900 
1901   Curl_safefree(ptr);
1902 
1903   if(len == (size_t)written)
1904     /* Encrypted message including header, data and trailer entirely sent.
1905        The return value is the number of unencrypted bytes that were sent. */
1906     written = outbuf[1].cbBuffer;
1907 
1908   return written;
1909 }
1910 
1911 static ssize_t
schannel_recv(struct Curl_cfilter * cf,struct Curl_easy * data,char * buf,size_t len,CURLcode * err)1912 schannel_recv(struct Curl_cfilter *cf, struct Curl_easy *data,
1913               char *buf, size_t len, CURLcode *err)
1914 {
1915   size_t size = 0;
1916   ssize_t nread = -1;
1917   struct ssl_connect_data *connssl = cf->ctx;
1918   unsigned char *reallocated_buffer;
1919   size_t reallocated_length;
1920   bool done = FALSE;
1921   SecBuffer inbuf[4];
1922   SecBufferDesc inbuf_desc;
1923   SECURITY_STATUS sspi_status = SEC_E_OK;
1924   /* we want the length of the encrypted buffer to be at least large enough
1925      that it can hold all the bytes requested and some TLS record overhead. */
1926   size_t min_encdata_length = len + CURL_SCHANNEL_BUFFER_FREE_SIZE;
1927   struct schannel_ssl_backend_data *backend =
1928     (struct schannel_ssl_backend_data *)connssl->backend;
1929 
1930   DEBUGASSERT(backend);
1931 
1932   /****************************************************************************
1933    * Do not return or set backend->recv_unrecoverable_err unless in the
1934    * cleanup. The pattern for return error is set *err, optional infof, goto
1935    * cleanup.
1936    *
1937    * Some verbose debug messages are wrapped by SCH_DEV() instead of DEBUGF()
1938    * and only shown if CURL_SCHANNEL_DEV_DEBUG was defined at build time. These
1939    * messages are extra verbose and intended for curl developers debugging
1940    * Schannel recv decryption.
1941    *
1942    * Our priority is to always return as much decrypted data to the caller as
1943    * possible, even if an error occurs. The state of the decrypted buffer must
1944    * always be valid. Transfer of decrypted data to the caller's buffer is
1945    * handled in the cleanup.
1946    */
1947 
1948   SCH_DEV(infof(data, "schannel: client wants to read %zu bytes", len));
1949   *err = CURLE_OK;
1950 
1951   if(len && len <= backend->decdata_offset) {
1952     SCH_DEV(infof(data,
1953                   "schannel: enough decrypted data is already available"));
1954     goto cleanup;
1955   }
1956   else if(backend->recv_unrecoverable_err) {
1957     *err = backend->recv_unrecoverable_err;
1958     infof(data, "schannel: an unrecoverable error occurred in a prior call");
1959     goto cleanup;
1960   }
1961   else if(backend->recv_sspi_close_notify) {
1962     /* once a server has indicated shutdown there is no more encrypted data */
1963     infof(data, "schannel: server indicated shutdown in a prior call");
1964     goto cleanup;
1965   }
1966   /* it is debatable what to return when !len. Regardless we cannot return
1967      immediately because there may be data to decrypt (in the case we want to
1968      decrypt all encrypted cached data) so handle !len later in cleanup.
1969   */
1970   else if(len && !backend->recv_connection_closed) {
1971     /* increase enc buffer in order to fit the requested amount of data */
1972     size = backend->encdata_length - backend->encdata_offset;
1973     if(size < CURL_SCHANNEL_BUFFER_FREE_SIZE ||
1974        backend->encdata_length < min_encdata_length) {
1975       reallocated_length = backend->encdata_offset +
1976         CURL_SCHANNEL_BUFFER_FREE_SIZE;
1977       if(reallocated_length < min_encdata_length) {
1978         reallocated_length = min_encdata_length;
1979       }
1980       reallocated_buffer = realloc(backend->encdata_buffer,
1981                                    reallocated_length);
1982       if(!reallocated_buffer) {
1983         *err = CURLE_OUT_OF_MEMORY;
1984         failf(data, "schannel: unable to re-allocate memory");
1985         goto cleanup;
1986       }
1987 
1988       backend->encdata_buffer = reallocated_buffer;
1989       backend->encdata_length = reallocated_length;
1990       size = backend->encdata_length - backend->encdata_offset;
1991       SCH_DEV(infof(data, "schannel: encdata_buffer resized %zu",
1992                     backend->encdata_length));
1993     }
1994 
1995     SCH_DEV(infof(data,
1996                   "schannel: encrypted data buffer: offset %zu length %zu",
1997                   backend->encdata_offset, backend->encdata_length));
1998 
1999     /* read encrypted data from socket */
2000     nread = Curl_conn_cf_recv(cf->next, data,
2001                               (char *)(backend->encdata_buffer +
2002                                     backend->encdata_offset),
2003                               size, err);
2004     if(*err) {
2005       nread = -1;
2006       if(*err == CURLE_AGAIN)
2007         SCH_DEV(infof(data, "schannel: recv returned CURLE_AGAIN"));
2008       else if(*err == CURLE_RECV_ERROR)
2009         infof(data, "schannel: recv returned CURLE_RECV_ERROR");
2010       else
2011         infof(data, "schannel: recv returned error %d", *err);
2012     }
2013     else if(nread == 0) {
2014       backend->recv_connection_closed = TRUE;
2015       DEBUGF(infof(data, "schannel: server closed the connection"));
2016     }
2017     else if(nread > 0) {
2018       backend->encdata_offset += (size_t)nread;
2019       backend->encdata_is_incomplete = FALSE;
2020       SCH_DEV(infof(data, "schannel: encrypted data got %zd", nread));
2021     }
2022   }
2023 
2024   SCH_DEV(infof(data, "schannel: encrypted data buffer: offset %zu length %zu",
2025                 backend->encdata_offset, backend->encdata_length));
2026 
2027   /* decrypt loop */
2028   while(backend->encdata_offset > 0 && sspi_status == SEC_E_OK &&
2029         (!len || backend->decdata_offset < len ||
2030          backend->recv_connection_closed)) {
2031     /* prepare data buffer for DecryptMessage call */
2032     InitSecBuffer(&inbuf[0], SECBUFFER_DATA, backend->encdata_buffer,
2033                   curlx_uztoul(backend->encdata_offset));
2034 
2035     /* we need 3 more empty input buffers for possible output */
2036     InitSecBuffer(&inbuf[1], SECBUFFER_EMPTY, NULL, 0);
2037     InitSecBuffer(&inbuf[2], SECBUFFER_EMPTY, NULL, 0);
2038     InitSecBuffer(&inbuf[3], SECBUFFER_EMPTY, NULL, 0);
2039     InitSecBufferDesc(&inbuf_desc, inbuf, 4);
2040 
2041     /* https://msdn.microsoft.com/en-us/library/windows/desktop/aa375348.aspx
2042      */
2043     sspi_status = Curl_pSecFn->DecryptMessage(&backend->ctxt->ctxt_handle,
2044                                            &inbuf_desc, 0, NULL);
2045 
2046     /* check if everything went fine (server may want to renegotiate
2047        or shutdown the connection context) */
2048     if(sspi_status == SEC_E_OK || sspi_status == SEC_I_RENEGOTIATE ||
2049        sspi_status == SEC_I_CONTEXT_EXPIRED) {
2050       /* check for successfully decrypted data, even before actual
2051          renegotiation or shutdown of the connection context */
2052       if(inbuf[1].BufferType == SECBUFFER_DATA) {
2053         SCH_DEV(infof(data, "schannel: decrypted data length: %lu",
2054                       inbuf[1].cbBuffer));
2055 
2056         /* increase buffer in order to fit the received amount of data */
2057         size = inbuf[1].cbBuffer > CURL_SCHANNEL_BUFFER_FREE_SIZE ?
2058           inbuf[1].cbBuffer : CURL_SCHANNEL_BUFFER_FREE_SIZE;
2059         if(backend->decdata_length - backend->decdata_offset < size ||
2060            backend->decdata_length < len) {
2061           /* increase internal decrypted data buffer */
2062           reallocated_length = backend->decdata_offset + size;
2063           /* make sure that the requested amount of data fits */
2064           if(reallocated_length < len) {
2065             reallocated_length = len;
2066           }
2067           reallocated_buffer = realloc(backend->decdata_buffer,
2068                                        reallocated_length);
2069           if(!reallocated_buffer) {
2070             *err = CURLE_OUT_OF_MEMORY;
2071             failf(data, "schannel: unable to re-allocate memory");
2072             goto cleanup;
2073           }
2074           backend->decdata_buffer = reallocated_buffer;
2075           backend->decdata_length = reallocated_length;
2076         }
2077 
2078         /* copy decrypted data to internal buffer */
2079         size = inbuf[1].cbBuffer;
2080         if(size) {
2081           memcpy(backend->decdata_buffer + backend->decdata_offset,
2082                  inbuf[1].pvBuffer, size);
2083           backend->decdata_offset += size;
2084         }
2085 
2086         SCH_DEV(infof(data, "schannel: decrypted data added: %zu", size));
2087         SCH_DEV(infof(data,
2088                       "schannel: decrypted cached: offset %zu length %zu",
2089                       backend->decdata_offset, backend->decdata_length));
2090       }
2091 
2092       /* check for remaining encrypted data */
2093       if(inbuf[3].BufferType == SECBUFFER_EXTRA && inbuf[3].cbBuffer > 0) {
2094         SCH_DEV(infof(data, "schannel: encrypted data length: %lu",
2095                       inbuf[3].cbBuffer));
2096 
2097         /* check if the remaining data is less than the total amount
2098          * and therefore begins after the already processed data
2099          */
2100         if(backend->encdata_offset > inbuf[3].cbBuffer) {
2101           /* move remaining encrypted data forward to the beginning of
2102              buffer */
2103           memmove(backend->encdata_buffer,
2104                   (backend->encdata_buffer + backend->encdata_offset) -
2105                   inbuf[3].cbBuffer, inbuf[3].cbBuffer);
2106           backend->encdata_offset = inbuf[3].cbBuffer;
2107         }
2108 
2109         SCH_DEV(infof(data,
2110                       "schannel: encrypted cached: offset %zu length %zu",
2111                       backend->encdata_offset, backend->encdata_length));
2112       }
2113       else {
2114         /* reset encrypted buffer offset, because there is no data remaining */
2115         backend->encdata_offset = 0;
2116       }
2117 
2118       /* check if server wants to renegotiate the connection context */
2119       if(sspi_status == SEC_I_RENEGOTIATE) {
2120         infof(data, "schannel: remote party requests renegotiation");
2121         if(*err && *err != CURLE_AGAIN) {
2122           infof(data, "schannel: cannot renegotiate, an error is pending");
2123           goto cleanup;
2124         }
2125 
2126         /* begin renegotiation */
2127         infof(data, "schannel: renegotiating SSL/TLS connection");
2128         connssl->state = ssl_connection_negotiating;
2129         connssl->connecting_state = ssl_connect_2;
2130         connssl->io_need = CURL_SSL_IO_NEED_SEND;
2131         backend->recv_renegotiating = TRUE;
2132         *err = schannel_connect_common(cf, data, FALSE, &done);
2133         backend->recv_renegotiating = FALSE;
2134         if(*err) {
2135           infof(data, "schannel: renegotiation failed");
2136           goto cleanup;
2137         }
2138         /* now retry receiving data */
2139         sspi_status = SEC_E_OK;
2140         infof(data, "schannel: SSL/TLS connection renegotiated");
2141         continue;
2142       }
2143       /* check if the server closed the connection */
2144       else if(sspi_status == SEC_I_CONTEXT_EXPIRED) {
2145         /* In Windows 2000 SEC_I_CONTEXT_EXPIRED (close_notify) is not
2146            returned so we have to work around that in cleanup. */
2147         backend->recv_sspi_close_notify = TRUE;
2148         if(!backend->recv_connection_closed)
2149           backend->recv_connection_closed = TRUE;
2150         /* We received the close notify just fine, any error we got
2151          * from the lower filters afterwards (e.g. the socket), is not
2152          * an error on the TLS data stream. That one ended here. */
2153         if(*err == CURLE_RECV_ERROR)
2154           *err = CURLE_OK;
2155         infof(data,
2156               "schannel: server close notification received (close_notify)");
2157         goto cleanup;
2158       }
2159     }
2160     else if(sspi_status == SEC_E_INCOMPLETE_MESSAGE) {
2161       backend->encdata_is_incomplete = TRUE;
2162       if(!*err)
2163         *err = CURLE_AGAIN;
2164       SCH_DEV(infof(data, "schannel: failed to decrypt data, need more data"));
2165       goto cleanup;
2166     }
2167     else {
2168 #ifndef CURL_DISABLE_VERBOSE_STRINGS
2169       char buffer[STRERROR_LEN];
2170       failf(data, "schannel: failed to read data from server: %s",
2171             Curl_sspi_strerror(sspi_status, buffer, sizeof(buffer)));
2172 #endif
2173       *err = CURLE_RECV_ERROR;
2174       goto cleanup;
2175     }
2176   }
2177 
2178   SCH_DEV(infof(data, "schannel: encrypted data buffer: offset %zu length %zu",
2179                 backend->encdata_offset, backend->encdata_length));
2180 
2181   SCH_DEV(infof(data, "schannel: decrypted data buffer: offset %zu length %zu",
2182                 backend->decdata_offset, backend->decdata_length));
2183 
2184 cleanup:
2185   /* Warning- there is no guarantee the encdata state is valid at this point */
2186   SCH_DEV(infof(data, "schannel: schannel_recv cleanup"));
2187 
2188   /* Error if the connection has closed without a close_notify.
2189 
2190      The behavior here is a matter of debate. We do not want to be vulnerable
2191      to a truncation attack however there is some browser precedent for
2192      ignoring the close_notify for compatibility reasons.
2193 
2194      Additionally, Windows 2000 (v5.0) is a special case since it seems it
2195      does not return close_notify. In that case if the connection was closed we
2196      assume it was graceful (close_notify) since there does not seem to be a
2197      way to tell.
2198   */
2199   if(len && !backend->decdata_offset && backend->recv_connection_closed &&
2200      !backend->recv_sspi_close_notify) {
2201     bool isWin2k = curlx_verify_windows_version(5, 0, 0, PLATFORM_WINNT,
2202                                                 VERSION_EQUAL);
2203 
2204     if(isWin2k && sspi_status == SEC_E_OK)
2205       backend->recv_sspi_close_notify = TRUE;
2206     else {
2207       *err = CURLE_RECV_ERROR;
2208       failf(data, "schannel: server closed abruptly (missing close_notify)");
2209     }
2210   }
2211 
2212   /* Any error other than CURLE_AGAIN is an unrecoverable error. */
2213   if(*err && *err != CURLE_AGAIN)
2214     backend->recv_unrecoverable_err = *err;
2215 
2216   size = len < backend->decdata_offset ? len : backend->decdata_offset;
2217   if(size) {
2218     memcpy(buf, backend->decdata_buffer, size);
2219     memmove(backend->decdata_buffer, backend->decdata_buffer + size,
2220             backend->decdata_offset - size);
2221     backend->decdata_offset -= size;
2222     SCH_DEV(infof(data, "schannel: decrypted data returned %zu", size));
2223     SCH_DEV(infof(data,
2224                   "schannel: decrypted data buffer: offset %zu length %zu",
2225                   backend->decdata_offset, backend->decdata_length));
2226     *err = CURLE_OK;
2227     return (ssize_t)size;
2228   }
2229 
2230   if(!*err && !backend->recv_connection_closed)
2231     *err = CURLE_AGAIN;
2232 
2233   /* it is debatable what to return when !len. We could return whatever error
2234      we got from decryption but instead we override here so the return is
2235      consistent.
2236   */
2237   if(!len)
2238     *err = CURLE_OK;
2239 
2240   return *err ? -1 : 0;
2241 }
2242 
schannel_connect_nonblocking(struct Curl_cfilter * cf,struct Curl_easy * data,bool * done)2243 static CURLcode schannel_connect_nonblocking(struct Curl_cfilter *cf,
2244                                              struct Curl_easy *data,
2245                                              bool *done)
2246 {
2247   return schannel_connect_common(cf, data, TRUE, done);
2248 }
2249 
schannel_connect(struct Curl_cfilter * cf,struct Curl_easy * data)2250 static CURLcode schannel_connect(struct Curl_cfilter *cf,
2251                                  struct Curl_easy *data)
2252 {
2253   CURLcode result;
2254   bool done = FALSE;
2255 
2256   result = schannel_connect_common(cf, data, FALSE, &done);
2257   if(result)
2258     return result;
2259 
2260   DEBUGASSERT(done);
2261 
2262   return CURLE_OK;
2263 }
2264 
schannel_data_pending(struct Curl_cfilter * cf,const struct Curl_easy * data)2265 static bool schannel_data_pending(struct Curl_cfilter *cf,
2266                                   const struct Curl_easy *data)
2267 {
2268   const struct ssl_connect_data *connssl = cf->ctx;
2269   struct schannel_ssl_backend_data *backend =
2270     (struct schannel_ssl_backend_data *)connssl->backend;
2271 
2272   (void)data;
2273   DEBUGASSERT(backend);
2274 
2275   if(backend->ctxt) /* SSL/TLS is in use */
2276     return backend->decdata_offset > 0 ||
2277            (backend->encdata_offset > 0 && !backend->encdata_is_incomplete) ||
2278            backend->recv_connection_closed ||
2279            backend->recv_sspi_close_notify ||
2280            backend->recv_unrecoverable_err;
2281   else
2282     return FALSE;
2283 }
2284 
2285 /* shut down the SSL connection and clean up related memory.
2286    this function can be called multiple times on the same connection including
2287    if the SSL connection failed (eg connection made but failed handshake). */
schannel_shutdown(struct Curl_cfilter * cf,struct Curl_easy * data,bool send_shutdown,bool * done)2288 static CURLcode schannel_shutdown(struct Curl_cfilter *cf,
2289                                   struct Curl_easy *data,
2290                                   bool send_shutdown, bool *done)
2291 {
2292   /* See https://msdn.microsoft.com/en-us/library/windows/desktop/aa380138.aspx
2293    * Shutting Down an Schannel Connection
2294    */
2295   struct ssl_connect_data *connssl = cf->ctx;
2296   struct schannel_ssl_backend_data *backend =
2297     (struct schannel_ssl_backend_data *)connssl->backend;
2298   CURLcode result = CURLE_OK;
2299 
2300   if(cf->shutdown) {
2301     *done = TRUE;
2302     return CURLE_OK;
2303   }
2304 
2305   DEBUGASSERT(data);
2306   DEBUGASSERT(backend);
2307 
2308   /* Not supported in schannel */
2309   (void)send_shutdown;
2310 
2311   *done = FALSE;
2312   if(backend->ctxt) {
2313     infof(data, "schannel: shutting down SSL/TLS connection with %s port %d",
2314           connssl->peer.hostname, connssl->peer.port);
2315   }
2316 
2317   if(!backend->ctxt || cf->shutdown) {
2318     *done = TRUE;
2319     goto out;
2320   }
2321 
2322   if(backend->cred && backend->ctxt && !backend->sent_shutdown) {
2323     SecBufferDesc BuffDesc;
2324     SecBuffer Buffer;
2325     SECURITY_STATUS sspi_status;
2326     SecBuffer outbuf;
2327     SecBufferDesc outbuf_desc;
2328     DWORD dwshut = SCHANNEL_SHUTDOWN;
2329 
2330     InitSecBuffer(&Buffer, SECBUFFER_TOKEN, &dwshut, sizeof(dwshut));
2331     InitSecBufferDesc(&BuffDesc, &Buffer, 1);
2332 
2333     sspi_status = Curl_pSecFn->ApplyControlToken(&backend->ctxt->ctxt_handle,
2334                                               &BuffDesc);
2335 
2336     if(sspi_status != SEC_E_OK) {
2337       char buffer[STRERROR_LEN];
2338       failf(data, "schannel: ApplyControlToken failure: %s",
2339             Curl_sspi_strerror(sspi_status, buffer, sizeof(buffer)));
2340       result = CURLE_SEND_ERROR;
2341       goto out;
2342     }
2343 
2344     /* setup output buffer */
2345     InitSecBuffer(&outbuf, SECBUFFER_EMPTY, NULL, 0);
2346     InitSecBufferDesc(&outbuf_desc, &outbuf, 1);
2347 
2348     sspi_status = Curl_pSecFn->InitializeSecurityContext(
2349       &backend->cred->cred_handle,
2350       &backend->ctxt->ctxt_handle,
2351       backend->cred->sni_hostname,
2352       backend->req_flags,
2353       0,
2354       0,
2355       NULL,
2356       0,
2357       &backend->ctxt->ctxt_handle,
2358       &outbuf_desc,
2359       &backend->ret_flags,
2360       &backend->ctxt->time_stamp);
2361 
2362     if((sspi_status == SEC_E_OK) || (sspi_status == SEC_I_CONTEXT_EXPIRED)) {
2363       /* send close message which is in output buffer */
2364       ssize_t written = Curl_conn_cf_send(cf->next, data,
2365                                           outbuf.pvBuffer, outbuf.cbBuffer,
2366                                           FALSE, &result);
2367       Curl_pSecFn->FreeContextBuffer(outbuf.pvBuffer);
2368       if(!result) {
2369         if(written < (ssize_t)outbuf.cbBuffer) {
2370           /* TODO: handle partial sends */
2371           failf(data, "schannel: failed to send close msg: %s"
2372                 " (bytes written: %zd)", curl_easy_strerror(result), written);
2373           result = CURLE_SEND_ERROR;
2374           goto out;
2375         }
2376         backend->sent_shutdown = TRUE;
2377         *done = TRUE;
2378       }
2379       else if(result == CURLE_AGAIN) {
2380         connssl->io_need = CURL_SSL_IO_NEED_SEND;
2381         result = CURLE_OK;
2382         goto out;
2383       }
2384       else {
2385         if(!backend->recv_connection_closed) {
2386           failf(data, "schannel: error sending close msg: %d", result);
2387           result = CURLE_SEND_ERROR;
2388           goto out;
2389         }
2390         /* Looks like server already closed the connection.
2391          * An error to send our close notify is not a failure. */
2392         *done = TRUE;
2393         result = CURLE_OK;
2394       }
2395     }
2396   }
2397 
2398   /* If the connection seems open and we have not seen the close notify
2399    * from the server yet, try to receive it. */
2400   if(backend->cred && backend->ctxt &&
2401      !backend->recv_sspi_close_notify && !backend->recv_connection_closed) {
2402     char buffer[1024];
2403     ssize_t nread;
2404 
2405     nread = schannel_recv(cf, data, buffer, sizeof(buffer), &result);
2406     if(nread > 0) {
2407       /* still data coming in? */
2408     }
2409     else if(nread == 0) {
2410       /* We got the close notify alert and are done. */
2411       backend->recv_connection_closed = TRUE;
2412       *done = TRUE;
2413     }
2414     else if(nread < 0 && result == CURLE_AGAIN) {
2415       connssl->io_need = CURL_SSL_IO_NEED_RECV;
2416     }
2417     else {
2418       CURL_TRC_CF(data, cf, "SSL shutdown, error %d", result);
2419       result = CURLE_RECV_ERROR;
2420     }
2421   }
2422 
2423 out:
2424   cf->shutdown = (result || *done);
2425   return result;
2426 }
2427 
schannel_close(struct Curl_cfilter * cf,struct Curl_easy * data)2428 static void schannel_close(struct Curl_cfilter *cf, struct Curl_easy *data)
2429 {
2430   struct ssl_connect_data *connssl = cf->ctx;
2431   struct schannel_ssl_backend_data *backend =
2432     (struct schannel_ssl_backend_data *)connssl->backend;
2433 
2434   DEBUGASSERT(data);
2435   DEBUGASSERT(backend);
2436 
2437   /* free SSPI Schannel API security context handle */
2438   if(backend->ctxt) {
2439     DEBUGF(infof(data, "schannel: clear security context handle"));
2440     Curl_pSecFn->DeleteSecurityContext(&backend->ctxt->ctxt_handle);
2441     Curl_safefree(backend->ctxt);
2442   }
2443 
2444   /* free SSPI Schannel API credential handle */
2445   if(backend->cred) {
2446     Curl_ssl_scache_lock(data);
2447     schannel_session_free(backend->cred);
2448     Curl_ssl_scache_unlock(data);
2449     backend->cred = NULL;
2450   }
2451 
2452   /* free internal buffer for received encrypted data */
2453   if(backend->encdata_buffer) {
2454     Curl_safefree(backend->encdata_buffer);
2455     backend->encdata_length = 0;
2456     backend->encdata_offset = 0;
2457     backend->encdata_is_incomplete = FALSE;
2458   }
2459 
2460   /* free internal buffer for received decrypted data */
2461   if(backend->decdata_buffer) {
2462     Curl_safefree(backend->decdata_buffer);
2463     backend->decdata_length = 0;
2464     backend->decdata_offset = 0;
2465   }
2466 }
2467 
schannel_init(void)2468 static int schannel_init(void)
2469 {
2470   return Curl_sspi_global_init() == CURLE_OK ? 1 : 0;
2471 }
2472 
schannel_cleanup(void)2473 static void schannel_cleanup(void)
2474 {
2475   Curl_sspi_global_cleanup();
2476 }
2477 
schannel_version(char * buffer,size_t size)2478 static size_t schannel_version(char *buffer, size_t size)
2479 {
2480   return msnprintf(buffer, size, "Schannel");
2481 }
2482 
schannel_random(struct Curl_easy * data UNUSED_PARAM,unsigned char * entropy,size_t length)2483 static CURLcode schannel_random(struct Curl_easy *data UNUSED_PARAM,
2484                                 unsigned char *entropy, size_t length)
2485 {
2486   (void)data;
2487 
2488   return Curl_win32_random(entropy, length);
2489 }
2490 
schannel_pkp_pin_peer_pubkey(struct Curl_cfilter * cf,struct Curl_easy * data,const char * pinnedpubkey)2491 static CURLcode schannel_pkp_pin_peer_pubkey(struct Curl_cfilter *cf,
2492                                              struct Curl_easy *data,
2493                                              const char *pinnedpubkey)
2494 {
2495   struct ssl_connect_data *connssl = cf->ctx;
2496   struct schannel_ssl_backend_data *backend =
2497     (struct schannel_ssl_backend_data *)connssl->backend;
2498   CERT_CONTEXT *pCertContextServer = NULL;
2499 
2500   /* Result is returned to caller */
2501   CURLcode result = CURLE_SSL_PINNEDPUBKEYNOTMATCH;
2502 
2503   DEBUGASSERT(backend);
2504 
2505   /* if a path was not specified, do not pin */
2506   if(!pinnedpubkey)
2507     return CURLE_OK;
2508 
2509   do {
2510     SECURITY_STATUS sspi_status;
2511     const char *x509_der;
2512     DWORD x509_der_len;
2513     struct Curl_X509certificate x509_parsed;
2514     struct Curl_asn1Element *pubkey;
2515 
2516     sspi_status =
2517       Curl_pSecFn->QueryContextAttributes(&backend->ctxt->ctxt_handle,
2518                                        SECPKG_ATTR_REMOTE_CERT_CONTEXT,
2519                                        &pCertContextServer);
2520 
2521     if((sspi_status != SEC_E_OK) || !pCertContextServer) {
2522       char buffer[STRERROR_LEN];
2523       failf(data, "schannel: Failed to read remote certificate context: %s",
2524             Curl_sspi_strerror(sspi_status, buffer, sizeof(buffer)));
2525       break; /* failed */
2526     }
2527 
2528 
2529     if(!(((pCertContextServer->dwCertEncodingType & X509_ASN_ENCODING) != 0) &&
2530          (pCertContextServer->cbCertEncoded > 0)))
2531       break;
2532 
2533     x509_der = (const char *)pCertContextServer->pbCertEncoded;
2534     x509_der_len = pCertContextServer->cbCertEncoded;
2535     memset(&x509_parsed, 0, sizeof(x509_parsed));
2536     if(Curl_parseX509(&x509_parsed, x509_der, x509_der + x509_der_len))
2537       break;
2538 
2539     pubkey = &x509_parsed.subjectPublicKeyInfo;
2540     if(!pubkey->header || pubkey->end <= pubkey->header) {
2541       failf(data, "SSL: failed retrieving public key from server certificate");
2542       break;
2543     }
2544 
2545     result = Curl_pin_peer_pubkey(data,
2546                                   pinnedpubkey,
2547                                   (const unsigned char *)pubkey->header,
2548                                   (size_t)(pubkey->end - pubkey->header));
2549     if(result) {
2550       failf(data, "SSL: public key does not match pinned public key");
2551     }
2552   } while(0);
2553 
2554   if(pCertContextServer)
2555     CertFreeCertificateContext(pCertContextServer);
2556 
2557   return result;
2558 }
2559 
schannel_checksum(const unsigned char * input,size_t inputlen,unsigned char * checksum,size_t checksumlen,DWORD provType,const unsigned int algId)2560 static void schannel_checksum(const unsigned char *input,
2561                               size_t inputlen,
2562                               unsigned char *checksum,
2563                               size_t checksumlen,
2564                               DWORD provType,
2565                               const unsigned int algId)
2566 {
2567 #ifdef CURL_WINDOWS_UWP
2568   (void)input;
2569   (void)inputlen;
2570   (void)provType;
2571   (void)algId;
2572   memset(checksum, 0, checksumlen);
2573 #else
2574   HCRYPTPROV hProv = 0;
2575   HCRYPTHASH hHash = 0;
2576   DWORD cbHashSize = 0;
2577   DWORD dwHashSizeLen = (DWORD)sizeof(cbHashSize);
2578   DWORD dwChecksumLen = (DWORD)checksumlen;
2579 
2580   /* since this can fail in multiple ways, zero memory first so we never
2581    * return old data
2582    */
2583   memset(checksum, 0, checksumlen);
2584 
2585   if(!CryptAcquireContext(&hProv, NULL, NULL, provType,
2586                           CRYPT_VERIFYCONTEXT | CRYPT_SILENT))
2587     return; /* failed */
2588 
2589   do {
2590     if(!CryptCreateHash(hProv, algId, 0, 0, &hHash))
2591       break; /* failed */
2592 
2593     if(!CryptHashData(hHash, input, (DWORD)inputlen, 0))
2594       break; /* failed */
2595 
2596     /* get hash size */
2597     if(!CryptGetHashParam(hHash, HP_HASHSIZE, (BYTE *)&cbHashSize,
2598                           &dwHashSizeLen, 0))
2599       break; /* failed */
2600 
2601     /* check hash size */
2602     if(checksumlen < cbHashSize)
2603       break; /* failed */
2604 
2605     if(CryptGetHashParam(hHash, HP_HASHVAL, checksum, &dwChecksumLen, 0))
2606       break; /* failed */
2607   } while(0);
2608 
2609   if(hHash)
2610     CryptDestroyHash(hHash);
2611 
2612   if(hProv)
2613     CryptReleaseContext(hProv, 0);
2614 #endif
2615 }
2616 
schannel_sha256sum(const unsigned char * input,size_t inputlen,unsigned char * sha256sum,size_t sha256len)2617 static CURLcode schannel_sha256sum(const unsigned char *input,
2618                                    size_t inputlen,
2619                                    unsigned char *sha256sum,
2620                                    size_t sha256len)
2621 {
2622   schannel_checksum(input, inputlen, sha256sum, sha256len,
2623                     PROV_RSA_AES, CALG_SHA_256);
2624   return CURLE_OK;
2625 }
2626 
schannel_get_internals(struct ssl_connect_data * connssl,CURLINFO info UNUSED_PARAM)2627 static void *schannel_get_internals(struct ssl_connect_data *connssl,
2628                                     CURLINFO info UNUSED_PARAM)
2629 {
2630   struct schannel_ssl_backend_data *backend =
2631     (struct schannel_ssl_backend_data *)connssl->backend;
2632   (void)info;
2633   DEBUGASSERT(backend);
2634   return &backend->ctxt->ctxt_handle;
2635 }
2636 
Curl_schannel_get_cached_cert_store(struct Curl_cfilter * cf,const struct Curl_easy * data)2637 HCERTSTORE Curl_schannel_get_cached_cert_store(struct Curl_cfilter *cf,
2638                                                const struct Curl_easy *data)
2639 {
2640   struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
2641   struct Curl_multi *multi = data->multi;
2642   const struct curl_blob *ca_info_blob = conn_config->ca_info_blob;
2643   struct schannel_cert_share *share;
2644   const struct ssl_general_config *cfg = &data->set.general_ssl;
2645   timediff_t timeout_ms;
2646   timediff_t elapsed_ms;
2647   struct curltime now;
2648   unsigned char info_blob_digest[CURL_SHA256_DIGEST_LENGTH];
2649 
2650   DEBUGASSERT(multi);
2651 
2652   if(!multi) {
2653     return NULL;
2654   }
2655 
2656   share = Curl_hash_pick(&multi->proto_hash,
2657                          (void *)MPROTO_SCHANNEL_CERT_SHARE_KEY,
2658                          sizeof(MPROTO_SCHANNEL_CERT_SHARE_KEY)-1);
2659   if(!share || !share->cert_store) {
2660     return NULL;
2661   }
2662 
2663   /* zero ca_cache_timeout completely disables caching */
2664   if(!cfg->ca_cache_timeout) {
2665     return NULL;
2666   }
2667 
2668   /* check for cache timeout by using the cached_x509_store_expired timediff
2669      calculation pattern from openssl.c.
2670      negative timeout means retain forever. */
2671   timeout_ms = cfg->ca_cache_timeout * (timediff_t)1000;
2672   if(timeout_ms >= 0) {
2673     now = Curl_now();
2674     elapsed_ms = Curl_timediff(now, share->time);
2675     if(elapsed_ms >= timeout_ms) {
2676       return NULL;
2677     }
2678   }
2679 
2680   if(ca_info_blob) {
2681     if(share->CAinfo_blob_size != ca_info_blob->len) {
2682       return NULL;
2683     }
2684     schannel_sha256sum((const unsigned char *)ca_info_blob->data,
2685                        ca_info_blob->len,
2686                        info_blob_digest,
2687                        CURL_SHA256_DIGEST_LENGTH);
2688     if(memcmp(share->CAinfo_blob_digest, info_blob_digest,
2689               CURL_SHA256_DIGEST_LENGTH)) {
2690       return NULL;
2691     }
2692   }
2693   else {
2694     if(!conn_config->CAfile || !share->CAfile ||
2695        strcmp(share->CAfile, conn_config->CAfile)) {
2696       return NULL;
2697     }
2698   }
2699 
2700   return share->cert_store;
2701 }
2702 
schannel_cert_share_free(void * key,size_t key_len,void * p)2703 static void schannel_cert_share_free(void *key, size_t key_len, void *p)
2704 {
2705   struct schannel_cert_share *share = p;
2706   DEBUGASSERT(key_len == (sizeof(MPROTO_SCHANNEL_CERT_SHARE_KEY)-1));
2707   DEBUGASSERT(!memcmp(MPROTO_SCHANNEL_CERT_SHARE_KEY, key, key_len));
2708   (void)key;
2709   (void)key_len;
2710   if(share->cert_store) {
2711     CertCloseStore(share->cert_store, 0);
2712   }
2713   free(share->CAfile);
2714   free(share);
2715 }
2716 
Curl_schannel_set_cached_cert_store(struct Curl_cfilter * cf,const struct Curl_easy * data,HCERTSTORE cert_store)2717 bool Curl_schannel_set_cached_cert_store(struct Curl_cfilter *cf,
2718                                          const struct Curl_easy *data,
2719                                          HCERTSTORE cert_store)
2720 {
2721   struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
2722   struct Curl_multi *multi = data->multi;
2723   const struct curl_blob *ca_info_blob = conn_config->ca_info_blob;
2724   struct schannel_cert_share *share;
2725   size_t CAinfo_blob_size = 0;
2726   char *CAfile = NULL;
2727 
2728   DEBUGASSERT(multi);
2729 
2730   if(!multi) {
2731     return FALSE;
2732   }
2733 
2734   share = Curl_hash_pick(&multi->proto_hash,
2735                          (void *)MPROTO_SCHANNEL_CERT_SHARE_KEY,
2736                          sizeof(MPROTO_SCHANNEL_CERT_SHARE_KEY)-1);
2737   if(!share) {
2738     share = calloc(1, sizeof(*share));
2739     if(!share) {
2740       return FALSE;
2741     }
2742     if(!Curl_hash_add2(&multi->proto_hash,
2743                        (void *)MPROTO_SCHANNEL_CERT_SHARE_KEY,
2744                        sizeof(MPROTO_SCHANNEL_CERT_SHARE_KEY)-1,
2745                        share, schannel_cert_share_free)) {
2746       free(share);
2747       return FALSE;
2748     }
2749   }
2750 
2751   if(ca_info_blob) {
2752     schannel_sha256sum((const unsigned char *)ca_info_blob->data,
2753                        ca_info_blob->len,
2754                        share->CAinfo_blob_digest,
2755                        CURL_SHA256_DIGEST_LENGTH);
2756     CAinfo_blob_size = ca_info_blob->len;
2757   }
2758   else {
2759     if(conn_config->CAfile) {
2760       CAfile = strdup(conn_config->CAfile);
2761       if(!CAfile) {
2762         return FALSE;
2763       }
2764     }
2765   }
2766 
2767   /* free old cache data */
2768   if(share->cert_store) {
2769     CertCloseStore(share->cert_store, 0);
2770   }
2771   free(share->CAfile);
2772 
2773   share->time = Curl_now();
2774   share->cert_store = cert_store;
2775   share->CAinfo_blob_size = CAinfo_blob_size;
2776   share->CAfile = CAfile;
2777   return TRUE;
2778 }
2779 
2780 const struct Curl_ssl Curl_ssl_schannel = {
2781   { CURLSSLBACKEND_SCHANNEL, "schannel" }, /* info */
2782 
2783   SSLSUPP_CERTINFO |
2784 #ifdef HAS_MANUAL_VERIFY_API
2785   SSLSUPP_CAINFO_BLOB |
2786 #endif
2787 #ifndef CURL_WINDOWS_UWP
2788   SSLSUPP_PINNEDPUBKEY |
2789 #endif
2790   SSLSUPP_CA_CACHE |
2791   SSLSUPP_HTTPS_PROXY |
2792   SSLSUPP_CIPHER_LIST,
2793 
2794   sizeof(struct schannel_ssl_backend_data),
2795 
2796   schannel_init,                     /* init */
2797   schannel_cleanup,                  /* cleanup */
2798   schannel_version,                  /* version */
2799   schannel_shutdown,                 /* shutdown */
2800   schannel_data_pending,             /* data_pending */
2801   schannel_random,                   /* random */
2802   NULL,                              /* cert_status_request */
2803   schannel_connect,                  /* connect */
2804   schannel_connect_nonblocking,      /* connect_nonblocking */
2805   Curl_ssl_adjust_pollset,           /* adjust_pollset */
2806   schannel_get_internals,            /* get_internals */
2807   schannel_close,                    /* close_one */
2808   NULL,                              /* close_all */
2809   NULL,                              /* set_engine */
2810   NULL,                              /* set_engine_default */
2811   NULL,                              /* engines_list */
2812   NULL,                              /* false_start */
2813   schannel_sha256sum,                /* sha256sum */
2814   schannel_recv,                     /* recv decrypted data */
2815   schannel_send,                     /* send data to encrypt */
2816   NULL,                              /* get_channel_binding */
2817 };
2818 
2819 #endif /* USE_SCHANNEL */
2820