xref: /curl/lib/vtls/schannel_int.h (revision 9640a8ef) 
1 #ifndef HEADER_CURL_SCHANNEL_INT_H
2 #define HEADER_CURL_SCHANNEL_INT_H
3 /***************************************************************************
4  *                                  _   _ ____  _
5  *  Project                     ___| | | |  _ \| |
6  *                             / __| | | | |_) | |
7  *                            | (__| |_| |  _ <| |___
8  *                             \___|\___/|_| \_\_____|
9  *
10  * Copyright (C) Marc Hoersken, <info@marc-hoersken.de>, et al.
11  * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
12  *
13  * This software is licensed as described in the file COPYING, which
14  * you should have received as part of this distribution. The terms
15  * are also available at https://curl.se/docs/copyright.html.
16  *
17  * You may opt to use, copy, modify, merge, publish, distribute and/or sell
18  * copies of the Software, and permit persons to whom the Software is
19  * furnished to do so, under the terms of the COPYING file.
20  *
21  * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
22  * KIND, either express or implied.
23  *
24  * SPDX-License-Identifier: curl
25  *
26  ***************************************************************************/
27 #include "curl_setup.h"
28 
29 #ifdef USE_SCHANNEL
30 
31 #include "vtls.h"
32 
33 #if (defined(__MINGW32__) || defined(CERT_CHAIN_REVOCATION_CHECK_CHAIN)) \
34   && !defined(CURL_WINDOWS_UWP)
35 #define HAS_MANUAL_VERIFY_API
36 #endif
37 
38 #if defined(CryptStringToBinary) && defined(CRYPT_STRING_HEX)   \
39   && !defined(DISABLE_SCHANNEL_CLIENT_CERT)
40 #define HAS_CLIENT_CERT_PATH
41 #endif
42 
43 #ifndef CRYPT_DECODE_NOCOPY_FLAG
44 #define CRYPT_DECODE_NOCOPY_FLAG 0x1
45 #endif
46 
47 #ifndef CRYPT_DECODE_ALLOC_FLAG
48 #define CRYPT_DECODE_ALLOC_FLAG 0x8000
49 #endif
50 
51 #ifndef CERT_ALT_NAME_DNS_NAME
52 #define CERT_ALT_NAME_DNS_NAME 3
53 #endif
54 
55 #ifndef CERT_ALT_NAME_IP_ADDRESS
56 #define CERT_ALT_NAME_IP_ADDRESS 8
57 #endif
58 
59 #if defined(_MSC_VER) && (_MSC_VER <= 1600)
60 /* Workaround for warning:
61    'type cast' : conversion from 'int' to 'LPCSTR' of greater size */
62 #undef CERT_STORE_PROV_MEMORY
63 #undef CERT_STORE_PROV_SYSTEM_A
64 #undef CERT_STORE_PROV_SYSTEM_W
65 #define CERT_STORE_PROV_MEMORY    ((LPCSTR)(size_t)2)
66 #define CERT_STORE_PROV_SYSTEM_A  ((LPCSTR)(size_t)9)
67 #define CERT_STORE_PROV_SYSTEM_W  ((LPCSTR)(size_t)10)
68 #endif
69 
70 #ifndef SCH_CREDENTIALS_VERSION
71 
72 #define SCH_CREDENTIALS_VERSION  0x00000005
73 
74 typedef enum _eTlsAlgorithmUsage
75 {
76     TlsParametersCngAlgUsageKeyExchange,
77     TlsParametersCngAlgUsageSignature,
78     TlsParametersCngAlgUsageCipher,
79     TlsParametersCngAlgUsageDigest,
80     TlsParametersCngAlgUsageCertSig
81 } eTlsAlgorithmUsage;
82 
83 typedef struct _CRYPTO_SETTINGS
84 {
85     eTlsAlgorithmUsage  eAlgorithmUsage;
86     UNICODE_STRING      strCngAlgId;
87     DWORD               cChainingModes;
88     PUNICODE_STRING     rgstrChainingModes;
89     DWORD               dwMinBitLength;
90     DWORD               dwMaxBitLength;
91 } CRYPTO_SETTINGS, * PCRYPTO_SETTINGS;
92 
93 typedef struct _TLS_PARAMETERS
94 {
95     DWORD               cAlpnIds;
96     PUNICODE_STRING     rgstrAlpnIds;
97     DWORD               grbitDisabledProtocols;
98     DWORD               cDisabledCrypto;
99     PCRYPTO_SETTINGS    pDisabledCrypto;
100     DWORD               dwFlags;
101 } TLS_PARAMETERS, * PTLS_PARAMETERS;
102 
103 typedef struct _SCH_CREDENTIALS
104 {
105     DWORD               dwVersion;
106     DWORD               dwCredFormat;
107     DWORD               cCreds;
108     PCCERT_CONTEXT* paCred;
109     HCERTSTORE          hRootStore;
110 
111     DWORD               cMappers;
112     struct _HMAPPER **aphMappers;
113 
114     DWORD               dwSessionLifespan;
115     DWORD               dwFlags;
116     DWORD               cTlsParameters;
117     PTLS_PARAMETERS     pTlsParameters;
118 } SCH_CREDENTIALS, * PSCH_CREDENTIALS;
119 
120 #define SCH_CRED_MAX_SUPPORTED_PARAMETERS 16
121 #define SCH_CRED_MAX_SUPPORTED_ALPN_IDS 16
122 #define SCH_CRED_MAX_SUPPORTED_CRYPTO_SETTINGS 16
123 #define SCH_CRED_MAX_SUPPORTED_CHAINING_MODES 16
124 
125 #endif /* SCH_CREDENTIALS_VERSION */
126 
127 struct Curl_schannel_cred {
128   CredHandle cred_handle;
129   TimeStamp time_stamp;
130   TCHAR *sni_hostname;
131 #ifdef HAS_CLIENT_CERT_PATH
132   HCERTSTORE client_cert_store;
133 #endif
134   int refcount;
135 };
136 
137 struct Curl_schannel_ctxt {
138   CtxtHandle ctxt_handle;
139   TimeStamp time_stamp;
140 };
141 
142 struct schannel_ssl_backend_data {
143   struct Curl_schannel_cred *cred;
144   struct Curl_schannel_ctxt *ctxt;
145   SecPkgContext_StreamSizes stream_sizes;
146   size_t encdata_length, decdata_length;
147   size_t encdata_offset, decdata_offset;
148   unsigned char *encdata_buffer, *decdata_buffer;
149   /* encdata_is_incomplete: if encdata contains only a partial record that
150      cannot be decrypted without another recv() (that is, status is
151      SEC_E_INCOMPLETE_MESSAGE) then set this true. after an recv() adds
152      more bytes into encdata then set this back to false. */
153   bool encdata_is_incomplete;
154   unsigned long req_flags, ret_flags;
155   CURLcode recv_unrecoverable_err; /* schannel_recv had an unrecoverable err */
156   bool recv_sspi_close_notify; /* true if connection closed by close_notify */
157   bool recv_connection_closed; /* true if connection closed, regardless how */
158   bool recv_renegotiating;     /* true if recv is doing renegotiation */
159   bool use_alpn; /* true if ALPN is used for this connection */
160 #ifdef HAS_MANUAL_VERIFY_API
161   bool use_manual_cred_validation; /* true if manual cred validation is used */
162 #endif
163   BIT(sent_shutdown);
164 };
165 
166 /* key to use at `multi->proto_hash` */
167 #define MPROTO_SCHANNEL_CERT_SHARE_KEY   "tls:schannel:cert:share"
168 
169 struct schannel_cert_share {
170   unsigned char CAinfo_blob_digest[CURL_SHA256_DIGEST_LENGTH];
171   size_t CAinfo_blob_size;           /* CA info blob size */
172   char *CAfile;                      /* CAfile path used to generate
173                                         certificate store */
174   HCERTSTORE cert_store;             /* cached certificate store or
175                                         NULL if none */
176   struct curltime time;              /* when the cached store was created */
177 };
178 
179 /*
180 * size of the structure: 20 bytes.
181 */
182 struct num_ip_data {
183   DWORD size; /* 04 bytes */
184   union {
185     struct in_addr  ia;  /* 04 bytes */
186     struct in6_addr ia6; /* 16 bytes */
187   } bData;
188 };
189 
190 HCERTSTORE Curl_schannel_get_cached_cert_store(struct Curl_cfilter *cf,
191                                                const struct Curl_easy *data);
192 
193 bool Curl_schannel_set_cached_cert_store(struct Curl_cfilter *cf,
194                                          const struct Curl_easy *data,
195                                          HCERTSTORE cert_store);
196 
197 #endif /* USE_SCHANNEL */
198 #endif /* HEADER_CURL_SCHANNEL_INT_H */
199