1 #ifndef HEADER_CURL_SCHANNEL_INT_H 2 #define HEADER_CURL_SCHANNEL_INT_H 3 /*************************************************************************** 4 * _ _ ____ _ 5 * Project ___| | | | _ \| | 6 * / __| | | | |_) | | 7 * | (__| |_| | _ <| |___ 8 * \___|\___/|_| \_\_____| 9 * 10 * Copyright (C) Marc Hoersken, <info@marc-hoersken.de>, et al. 11 * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al. 12 * 13 * This software is licensed as described in the file COPYING, which 14 * you should have received as part of this distribution. The terms 15 * are also available at https://curl.se/docs/copyright.html. 16 * 17 * You may opt to use, copy, modify, merge, publish, distribute and/or sell 18 * copies of the Software, and permit persons to whom the Software is 19 * furnished to do so, under the terms of the COPYING file. 20 * 21 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY 22 * KIND, either express or implied. 23 * 24 * SPDX-License-Identifier: curl 25 * 26 ***************************************************************************/ 27 #include "curl_setup.h" 28 29 #ifdef USE_SCHANNEL 30 31 #if (defined(__MINGW32__) || defined(CERT_CHAIN_REVOCATION_CHECK_CHAIN)) \ 32 && !defined(CURL_WINDOWS_APP) 33 #define HAS_MANUAL_VERIFY_API 34 #endif 35 36 #if defined(CryptStringToBinary) && defined(CRYPT_STRING_HEX) \ 37 && !defined(DISABLE_SCHANNEL_CLIENT_CERT) 38 #define HAS_CLIENT_CERT_PATH 39 #endif 40 41 #ifndef CRYPT_DECODE_NOCOPY_FLAG 42 #define CRYPT_DECODE_NOCOPY_FLAG 0x1 43 #endif 44 45 #ifndef CRYPT_DECODE_ALLOC_FLAG 46 #define CRYPT_DECODE_ALLOC_FLAG 0x8000 47 #endif 48 49 #ifndef CERT_ALT_NAME_DNS_NAME 50 #define CERT_ALT_NAME_DNS_NAME 3 51 #endif 52 53 #ifndef CERT_ALT_NAME_IP_ADDRESS 54 #define CERT_ALT_NAME_IP_ADDRESS 8 55 #endif 56 57 #if defined(_MSC_VER) && (_MSC_VER <= 1600) 58 /* Workaround for warning: 59 'type cast' : conversion from 'int' to 'LPCSTR' of greater size */ 60 #undef CERT_STORE_PROV_MEMORY 61 #undef CERT_STORE_PROV_SYSTEM_A 62 #undef CERT_STORE_PROV_SYSTEM_W 63 #define CERT_STORE_PROV_MEMORY ((LPCSTR)(size_t)2) 64 #define CERT_STORE_PROV_SYSTEM_A ((LPCSTR)(size_t)9) 65 #define CERT_STORE_PROV_SYSTEM_W ((LPCSTR)(size_t)10) 66 #endif 67 68 #ifndef SCH_CREDENTIALS_VERSION 69 70 #define SCH_CREDENTIALS_VERSION 0x00000005 71 72 typedef enum _eTlsAlgorithmUsage 73 { 74 TlsParametersCngAlgUsageKeyExchange, 75 TlsParametersCngAlgUsageSignature, 76 TlsParametersCngAlgUsageCipher, 77 TlsParametersCngAlgUsageDigest, 78 TlsParametersCngAlgUsageCertSig 79 } eTlsAlgorithmUsage; 80 81 typedef struct _CRYPTO_SETTINGS 82 { 83 eTlsAlgorithmUsage eAlgorithmUsage; 84 UNICODE_STRING strCngAlgId; 85 DWORD cChainingModes; 86 PUNICODE_STRING rgstrChainingModes; 87 DWORD dwMinBitLength; 88 DWORD dwMaxBitLength; 89 } CRYPTO_SETTINGS, * PCRYPTO_SETTINGS; 90 91 typedef struct _TLS_PARAMETERS 92 { 93 DWORD cAlpnIds; 94 PUNICODE_STRING rgstrAlpnIds; 95 DWORD grbitDisabledProtocols; 96 DWORD cDisabledCrypto; 97 PCRYPTO_SETTINGS pDisabledCrypto; 98 DWORD dwFlags; 99 } TLS_PARAMETERS, * PTLS_PARAMETERS; 100 101 typedef struct _SCH_CREDENTIALS 102 { 103 DWORD dwVersion; 104 DWORD dwCredFormat; 105 DWORD cCreds; 106 PCCERT_CONTEXT* paCred; 107 HCERTSTORE hRootStore; 108 109 DWORD cMappers; 110 struct _HMAPPER **aphMappers; 111 112 DWORD dwSessionLifespan; 113 DWORD dwFlags; 114 DWORD cTlsParameters; 115 PTLS_PARAMETERS pTlsParameters; 116 } SCH_CREDENTIALS, * PSCH_CREDENTIALS; 117 118 #define SCH_CRED_MAX_SUPPORTED_PARAMETERS 16 119 #define SCH_CRED_MAX_SUPPORTED_ALPN_IDS 16 120 #define SCH_CRED_MAX_SUPPORTED_CRYPTO_SETTINGS 16 121 #define SCH_CRED_MAX_SUPPORTED_CHAINING_MODES 16 122 123 #endif /* SCH_CREDENTIALS_VERSION */ 124 125 struct Curl_schannel_cred { 126 CredHandle cred_handle; 127 TimeStamp time_stamp; 128 TCHAR *sni_hostname; 129 #ifdef HAS_CLIENT_CERT_PATH 130 HCERTSTORE client_cert_store; 131 #endif 132 int refcount; 133 }; 134 135 struct Curl_schannel_ctxt { 136 CtxtHandle ctxt_handle; 137 TimeStamp time_stamp; 138 }; 139 140 struct schannel_ssl_backend_data { 141 struct Curl_schannel_cred *cred; 142 struct Curl_schannel_ctxt *ctxt; 143 SecPkgContext_StreamSizes stream_sizes; 144 size_t encdata_length, decdata_length; 145 size_t encdata_offset, decdata_offset; 146 unsigned char *encdata_buffer, *decdata_buffer; 147 /* encdata_is_incomplete: if encdata contains only a partial record that 148 can't be decrypted without another recv() (that is, status is 149 SEC_E_INCOMPLETE_MESSAGE) then set this true. after an recv() adds 150 more bytes into encdata then set this back to false. */ 151 bool encdata_is_incomplete; 152 unsigned long req_flags, ret_flags; 153 CURLcode recv_unrecoverable_err; /* schannel_recv had an unrecoverable err */ 154 bool recv_sspi_close_notify; /* true if connection closed by close_notify */ 155 bool recv_connection_closed; /* true if connection closed, regardless how */ 156 bool recv_renegotiating; /* true if recv is doing renegotiation */ 157 bool use_alpn; /* true if ALPN is used for this connection */ 158 #ifdef HAS_MANUAL_VERIFY_API 159 bool use_manual_cred_validation; /* true if manual cred validation is used */ 160 #endif 161 BIT(sent_shutdown); 162 }; 163 164 /* key to use at `multi->proto_hash` */ 165 #define MPROTO_SCHANNEL_CERT_SHARE_KEY "tls:schannel:cert:share" 166 167 struct schannel_cert_share { 168 unsigned char *CAinfo_blob_digest; /* CA info blob digest */ 169 size_t CAinfo_blob_size; /* CA info blob size */ 170 char *CAfile; /* CAfile path used to generate 171 certificate store */ 172 HCERTSTORE cert_store; /* cached certificate store or 173 NULL if none */ 174 struct curltime time; /* when the cached store was created */ 175 }; 176 177 HCERTSTORE Curl_schannel_get_cached_cert_store(struct Curl_cfilter *cf, 178 const struct Curl_easy *data); 179 180 bool Curl_schannel_set_cached_cert_store(struct Curl_cfilter *cf, 181 const struct Curl_easy *data, 182 HCERTSTORE cert_store); 183 184 #endif /* USE_SCHANNEL */ 185 #endif /* HEADER_CURL_SCHANNEL_INT_H */ 186