Utilities/cmcurl/lib/vtls/schannel.h

   1 #ifndef HEADER_CURL_SCHANNEL_H
   2 #define HEADER_CURL_SCHANNEL_H
   3 /***************************************************************************
   4  *                                  _   _ ____  _
   5  *  Project                     ___| | | |  _ \| |
   6  *                             / __| | | | |_) | |
   7  *                            | (__| |_| |  _ <| |___
   8  *                             \___|\___/|_| \_\_____|
   9  *
  10  * Copyright (C) 2012, Marc Hoersken, <info@marc-hoersken.de>, et al.
  11  * Copyright (C) 2012 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
  12  *
  13  * This software is licensed as described in the file COPYING, which
  14  * you should have received as part of this distribution. The terms
  15  * are also available at https://curl.se/docs/copyright.html.
  16  *
  17  * You may opt to use, copy, modify, merge, publish, distribute and/or sell
  18  * copies of the Software, and permit persons to whom the Software is
  19  * furnished to do so, under the terms of the COPYING file.
  20  *
  21  * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
  22  * KIND, either express or implied.
  23  *
  24  * SPDX-License-Identifier: curl
  25  *
  26  ***************************************************************************/
  27 #include "curl_setup.h"
  28
  29 #ifdef USE_SCHANNEL
  30
  31 #define SCHANNEL_USE_BLACKLISTS 1
  32
  33 #ifdef _MSC_VER
  34 #pragma warning(push)
  35 #pragma warning(disable: 4201)
  36 #endif
  37 #include <subauth.h>
  38 #ifdef _MSC_VER
  39 #pragma warning(pop)
  40 #endif
  41 /* Wincrypt must be included before anything that could include OpenSSL. */
  42 #if defined(USE_WIN32_CRYPTO)
  43 #include <wincrypt.h>
  44 /* Undefine wincrypt conflicting symbols for BoringSSL. */
  45 #undef X509_NAME
  46 #undef X509_EXTENSIONS
  47 #undef PKCS7_ISSUER_AND_SERIAL
  48 #undef PKCS7_SIGNER_INFO
  49 #undef OCSP_REQUEST
  50 #undef OCSP_RESPONSE
  51 #endif
  52
  53 #include <schnlsp.h>
  54 #include <schannel.h>
  55 #include "curl_sspi.h"
  56
  57 #include "urldata.h"
  58
  59 /* <wincrypt.h> has been included via the above <schnlsp.h>.
  60  * Or in case of ldap.c, it was included via <winldap.h>.
  61  * And since <wincrypt.h> has this:
  62  *   #define X509_NAME  ((LPCSTR) 7)
  63  *
  64  * And in BoringSSL's <openssl/base.h> there is:
  65  *  typedef struct X509_name_st X509_NAME;
  66  *  etc.
  67  *
  68  * this will cause all kinds of C-preprocessing paste errors in
  69  * BoringSSL's <openssl/x509.h>: So just undefine those defines here
  70  * (and only here).
  71  */
  72 #if defined(HAVE_BORINGSSL) || defined(OPENSSL_IS_BORINGSSL)
  73 # undef X509_NAME
  74 # undef X509_CERT_PAIR
  75 # undef X509_EXTENSIONS
  76 #endif
  77
  78 extern const struct Curl_ssl Curl_ssl_schannel;
  79
  80 CURLcode Curl_verify_certificate(struct Curl_easy *data,
  81                                  struct connectdata *conn, int sockindex);
  82
  83 /* structs to expose only in schannel.c and schannel_verify.c */
  84 #ifdef EXPOSE_SCHANNEL_INTERNAL_STRUCTS
  85
  86 #include <wincrypt.h>
  87
  88 #ifdef __MINGW32__
  89 #ifdef __MINGW64_VERSION_MAJOR
  90 #define HAS_MANUAL_VERIFY_API
  91 #endif
  92 #else
  93 #ifdef CERT_CHAIN_REVOCATION_CHECK_CHAIN
  94 #define HAS_MANUAL_VERIFY_API
  95 #endif
  96 #endif
  97
  98 #if defined(CryptStringToBinary) && defined(CRYPT_STRING_HEX)   \
  99   && !defined(DISABLE_SCHANNEL_CLIENT_CERT)
 100 #define HAS_CLIENT_CERT_PATH
 101 #endif
 102
 103 #ifndef SCH_CREDENTIALS_VERSION
 104
 105 #define SCH_CREDENTIALS_VERSION  0x00000005
 106
 107 typedef enum _eTlsAlgorithmUsage
 108 {
 109     TlsParametersCngAlgUsageKeyExchange,
 110     TlsParametersCngAlgUsageSignature,
 111     TlsParametersCngAlgUsageCipher,
 112     TlsParametersCngAlgUsageDigest,
 113     TlsParametersCngAlgUsageCertSig
 114 } eTlsAlgorithmUsage;
 115
 116 typedef struct _CRYPTO_SETTINGS
 117 {
 118     eTlsAlgorithmUsage  eAlgorithmUsage;
 119     UNICODE_STRING      strCngAlgId;
 120     DWORD               cChainingModes;
 121     PUNICODE_STRING     rgstrChainingModes;
 122     DWORD               dwMinBitLength;
 123     DWORD               dwMaxBitLength;
 124 } CRYPTO_SETTINGS, * PCRYPTO_SETTINGS;
 125
 126 typedef struct _TLS_PARAMETERS
 127 {
 128     DWORD               cAlpnIds;
 129     PUNICODE_STRING     rgstrAlpnIds;
 130     DWORD               grbitDisabledProtocols;
 131     DWORD               cDisabledCrypto;
 132     PCRYPTO_SETTINGS    pDisabledCrypto;
 133     DWORD               dwFlags;
 134 } TLS_PARAMETERS, * PTLS_PARAMETERS;
 135
 136 typedef struct _SCH_CREDENTIALS
 137 {
 138     DWORD               dwVersion;
 139     DWORD               dwCredFormat;
 140     DWORD               cCreds;
 141     PCCERT_CONTEXT* paCred;
 142     HCERTSTORE          hRootStore;
 143
 144     DWORD               cMappers;
 145     struct _HMAPPER **aphMappers;
 146
 147     DWORD               dwSessionLifespan;
 148     DWORD               dwFlags;
 149     DWORD               cTlsParameters;
 150     PTLS_PARAMETERS     pTlsParameters;
 151 } SCH_CREDENTIALS, * PSCH_CREDENTIALS;
 152
 153 #define SCH_CRED_MAX_SUPPORTED_PARAMETERS 16
 154 #define SCH_CRED_MAX_SUPPORTED_ALPN_IDS 16
 155 #define SCH_CRED_MAX_SUPPORTED_CRYPTO_SETTINGS 16
 156 #define SCH_CRED_MAX_SUPPORTED_CHAINING_MODES 16
 157
 158 #endif
 159
 160 struct Curl_schannel_cred {
 161   CredHandle cred_handle;
 162   TimeStamp time_stamp;
 163   TCHAR *sni_hostname;
 164 #ifdef HAS_CLIENT_CERT_PATH
 165   HCERTSTORE client_cert_store;
 166 #endif
 167   int refcount;
 168 };
 169
 170 struct Curl_schannel_ctxt {
 171   CtxtHandle ctxt_handle;
 172   TimeStamp time_stamp;
 173 };
 174
 175 struct ssl_backend_data {
 176   struct Curl_schannel_cred *cred;
 177   struct Curl_schannel_ctxt *ctxt;
 178   SecPkgContext_StreamSizes stream_sizes;
 179   size_t encdata_length, decdata_length;
 180   size_t encdata_offset, decdata_offset;
 181   unsigned char *encdata_buffer, *decdata_buffer;
 182   /* encdata_is_incomplete: if encdata contains only a partial record that
 183      can't be decrypted without another Curl_read_plain (that is, status is
 184      SEC_E_INCOMPLETE_MESSAGE) then set this true. after Curl_read_plain writes
 185      more bytes into encdata then set this back to false. */
 186   bool encdata_is_incomplete;
 187   unsigned long req_flags, ret_flags;
 188   CURLcode recv_unrecoverable_err; /* schannel_recv had an unrecoverable err */
 189   bool recv_sspi_close_notify; /* true if connection closed by close_notify */
 190   bool recv_connection_closed; /* true if connection closed, regardless how */
 191   bool recv_renegotiating;     /* true if recv is doing renegotiation */
 192   bool use_alpn; /* true if ALPN is used for this connection */
 193 #ifdef HAS_MANUAL_VERIFY_API
 194   bool use_manual_cred_validation; /* true if manual cred validation is used */
 195 #endif
 196 };
 197 #endif /* EXPOSE_SCHANNEL_INTERNAL_STRUCTS */
 198
 199 #endif /* USE_SCHANNEL */
 200 #endif /* HEADER_CURL_SCHANNEL_H */