1 #ifndef HEADER_CURL_SCHANNEL_H
2 #define HEADER_CURL_SCHANNEL_H
3 /***************************************************************************
5 * Project ___| | | | _ \| |
7 * | (__| |_| | _ <| |___
8 * \___|\___/|_| \_\_____|
10 * Copyright (C) 2012, Marc Hoersken, <info@marc-hoersken.de>, et al.
11 * Copyright (C) 2012 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
13 * This software is licensed as described in the file COPYING, which
14 * you should have received as part of this distribution. The terms
15 * are also available at https://curl.se/docs/copyright.html.
17 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
18 * copies of the Software, and permit persons to whom the Software is
19 * furnished to do so, under the terms of the COPYING file.
21 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
22 * KIND, either express or implied.
24 * SPDX-License-Identifier: curl
26 ***************************************************************************/
27 #include "curl_setup.h"
31 #define SCHANNEL_USE_BLACKLISTS 1
35 #pragma warning(disable: 4201)
41 /* Wincrypt must be included before anything that could include OpenSSL. */
42 #if defined(USE_WIN32_CRYPTO)
44 /* Undefine wincrypt conflicting symbols for BoringSSL. */
46 #undef X509_EXTENSIONS
47 #undef PKCS7_ISSUER_AND_SERIAL
48 #undef PKCS7_SIGNER_INFO
55 #include "curl_sspi.h"
59 /* <wincrypt.h> has been included via the above <schnlsp.h>.
60 * Or in case of ldap.c, it was included via <winldap.h>.
61 * And since <wincrypt.h> has this:
62 * #define X509_NAME ((LPCSTR) 7)
64 * And in BoringSSL's <openssl/base.h> there is:
65 * typedef struct X509_name_st X509_NAME;
68 * this will cause all kinds of C-preprocessing paste errors in
69 * BoringSSL's <openssl/x509.h>: So just undefine those defines here
72 #if defined(HAVE_BORINGSSL) || defined(OPENSSL_IS_BORINGSSL)
74 # undef X509_CERT_PAIR
75 # undef X509_EXTENSIONS
/* Backend descriptor registered with vtls for the Schannel implementation. */
extern const struct Curl_ssl Curl_ssl_schannel;

/*
 * Curl_verify_certificate() - verify the peer certificate of the TLS
 * connection 'conn' at index 'sockindex', using the easy handle 'data'.
 *
 * Returns CURLE_OK when the certificate is acceptable, otherwise a CURLcode
 * error that the caller should treat as a failed handshake. Presumably this
 * is the manual verification path taken when use_manual_cred_validation
 * (struct ssl_backend_data below) is set - confirm in schannel_verify.c.
 */
CURLcode Curl_verify_certificate(struct Curl_easy *data,
                                 struct connectdata *conn, int sockindex);
83 /* structs to expose only in schannel.c and schannel_verify.c */
84 #ifdef EXPOSE_SCHANNEL_INTERNAL_STRUCTS
89 #ifdef __MINGW64_VERSION_MAJOR
90 #define HAS_MANUAL_VERIFY_API
93 #ifdef CERT_CHAIN_REVOCATION_CHECK_CHAIN
94 #define HAS_MANUAL_VERIFY_API
98 #if defined(CryptStringToBinary) && defined(CRYPT_STRING_HEX) \
99 && !defined(DISABLE_SCHANNEL_CLIENT_CERT)
100 #define HAS_CLIENT_CERT_PATH
103 #ifndef SCH_CREDENTIALS_VERSION
105 #define SCH_CREDENTIALS_VERSION 0x00000005
/*
 * Definitions mirroring the Windows SDK's SCH_CREDENTIALS API, provided here
 * for toolchains whose headers predate SCH_CREDENTIALS_VERSION (see the
 * enclosing #ifndef SCH_CREDENTIALS_VERSION above). They are presumably
 * handed straight to the OS, so member order and types must stay exactly as
 * in the SDK - do not reorder or restyle them.
 */
/* Which use of a CNG algorithm a CRYPTO_SETTINGS entry refers to. */
typedef enum _eTlsAlgorithmUsage
{
  TlsParametersCngAlgUsageKeyExchange, /* key exchange algorithm */
  TlsParametersCngAlgUsageSignature,   /* signature algorithm */
  TlsParametersCngAlgUsageCipher,      /* bulk cipher */
  TlsParametersCngAlgUsageDigest,      /* digest / hash algorithm */
  TlsParametersCngAlgUsageCertSig      /* certificate signature algorithm */
} eTlsAlgorithmUsage;
/*
 * One algorithm restriction entry: a CNG algorithm identifier, the usage it
 * applies to, optional chaining modes and a key-length range. Referenced from
 * TLS_PARAMETERS.pDisabledCrypto below to disable algorithms. Naming follows
 * the SDK's Hungarian convention (c = count, rgstr = array of strings).
 */
typedef struct _CRYPTO_SETTINGS
{
  eTlsAlgorithmUsage eAlgorithmUsage;  /* which usage this entry covers */
  UNICODE_STRING strCngAlgId;          /* CNG algorithm identifier */
  DWORD cChainingModes;                /* entries in rgstrChainingModes */
  PUNICODE_STRING rgstrChainingModes;  /* chaining modes, cChainingModes long */
  DWORD dwMinBitLength;                /* key-length range the entry applies
                                          to (inclusive bounds - presumably) */
  DWORD dwMaxBitLength;
} CRYPTO_SETTINGS, * PCRYPTO_SETTINGS;
/*
 * Per-credential TLS policy: ALPN identifiers, disabled protocol versions and
 * disabled algorithms.
 *
 * NOTE(review): this excerpt shows no 'cAlpnIds' count ahead of rgstrAlpnIds
 * and no trailing 'dwFlags' member; the SDK's TLS_PARAMETERS has both, and
 * the listing's line numbering skips lines at exactly those positions.
 * Confirm against the full header before relying on this layout.
 */
typedef struct _TLS_PARAMETERS
{
  PUNICODE_STRING rgstrAlpnIds;     /* ALPN ids this entry applies to */
  DWORD grbitDisabledProtocols;     /* bit set of protocol versions to
                                       disable (grbit = group of bits) */
  DWORD cDisabledCrypto;            /* entries in pDisabledCrypto */
  PCRYPTO_SETTINGS pDisabledCrypto; /* algorithms to disable, see
                                       CRYPTO_SETTINGS */
} TLS_PARAMETERS, * PTLS_PARAMETERS;
/*
 * Credential description in the SCH_CREDENTIALS_VERSION (5) form: client
 * certificates, a root store and the TLS parameters that apply.
 *
 * NOTE(review): the SDK's struct begins with dwVersion/dwCredFormat/cCreds,
 * has a cMappers count before aphMappers and a dwFlags before
 * cTlsParameters. Those lines are absent from this excerpt (its line
 * numbering skips them), so do not take sizeof or member offsets from this
 * copy without checking the full header.
 */
typedef struct _SCH_CREDENTIALS
{
  PCCERT_CONTEXT* paCred;         /* client certificate context(s) */
  HCERTSTORE hRootStore;          /* presumably the store of trusted roots
                                     used for chain building */
  struct _HMAPPER **aphMappers;   /* certificate mappers */
  DWORD dwSessionLifespan;        /* session lifetime; the SDK documents
                                     milliseconds - confirm */
  DWORD cTlsParameters;           /* entries in pTlsParameters */
  PTLS_PARAMETERS pTlsParameters; /* per-credential TLS policy, see
                                     TLS_PARAMETERS */
} SCH_CREDENTIALS, * PSCH_CREDENTIALS;
/*
 * Upper bounds (as in the SDK) on the counts the structures above may carry:
 * TLS_PARAMETERS entries per credential, ALPN ids per entry, CRYPTO_SETTINGS
 * entries per TLS_PARAMETERS and chaining modes per CRYPTO_SETTINGS. Code that
 * fills cTlsParameters, cDisabledCrypto or cChainingModes should stay within
 * these limits.
 */
#define SCH_CRED_MAX_SUPPORTED_PARAMETERS 16
#define SCH_CRED_MAX_SUPPORTED_ALPN_IDS 16
#define SCH_CRED_MAX_SUPPORTED_CRYPTO_SETTINGS 16
#define SCH_CRED_MAX_SUPPORTED_CHAINING_MODES 16
/*
 * Schannel credential handle plus the state that lives as long as it does.
 *
 * NOTE(review): this excerpt's line numbering skips two member lines of the
 * upstream struct (upstream also keeps a reference count here, since the
 * credential can outlive a single connection), so compare against the full
 * header before relying on this layout.
 */
struct Curl_schannel_cred {
  CredHandle cred_handle; /* SSPI credential handle */
  TimeStamp time_stamp;   /* presumably the expiry SSPI reported for
                             cred_handle - confirm in schannel.c */
#ifdef HAS_CLIENT_CERT_PATH
  HCERTSTORE client_cert_store; /* store the client certificate was loaded
                                   from; only built with client-cert support */
#endif
};
/* Schannel security context for one TLS connection. */
struct Curl_schannel_ctxt {
  CtxtHandle ctxt_handle; /* SSPI security context handle */
  TimeStamp time_stamp;   /* presumably the expiry SSPI reported for
                             ctxt_handle - confirm in schannel.c */
};
/*
 * Per-connection state of the Schannel backend.
 *
 * Two buffers carry the TLS byte stream: encdata_* holds bytes as read from
 * the socket (still encrypted, see encdata_is_incomplete below) and decdata_*
 * presumably holds already-decrypted application data not yet returned to the
 * caller. For each, *_length is the number of valid bytes in the buffer and
 * *_offset how far they have been consumed - confirm against schannel.c.
 */
struct ssl_backend_data {
  struct Curl_schannel_cred *cred; /* credential this connection uses; may be
                                      shared with other connections */
  struct Curl_schannel_ctxt *ctxt; /* security context of this connection */
  SecPkgContext_StreamSizes stream_sizes; /* record header/trailer/maximum
                                             message sizes of the context */
  size_t encdata_length, decdata_length;
  size_t encdata_offset, decdata_offset;
  unsigned char *encdata_buffer, *decdata_buffer;
  /* encdata_is_incomplete: if encdata contains only a partial record that
     can't be decrypted without another Curl_read_plain (that is, status is
     SEC_E_INCOMPLETE_MESSAGE) then set this true. after Curl_read_plain writes
     more bytes into encdata then set this back to false. */
  bool encdata_is_incomplete;
  unsigned long req_flags, ret_flags; /* context attributes requested from /
                                         returned by the SSPI context calls -
                                         presumably */
  CURLcode recv_unrecoverable_err; /* schannel_recv had an unrecoverable err;
                                      once set, later reads presumably keep
                                      failing with it rather than returning
                                      partial data */
  bool recv_sspi_close_notify; /* true if connection closed by close_notify */
  bool recv_connection_closed; /* true if connection closed, regardless how */
  /* The two flags above let the receive path tell an orderly TLS shutdown
     (close_notify seen) from a transport-level close without one, which is
     what distinguishes a complete response from a truncated stream. */
  bool recv_renegotiating; /* true if recv is doing renegotiation */
  bool use_alpn; /* true if ALPN is used for this connection */
#ifdef HAS_MANUAL_VERIFY_API
  bool use_manual_cred_validation; /* true if manual cred validation is used;
                                      presumably selects the
                                      Curl_verify_certificate path instead of
                                      Schannel's built-in chain validation */
#endif
};
197 #endif /* EXPOSE_SCHANNEL_INTERNAL_STRUCTS */
199 #endif /* USE_SCHANNEL */
200 #endif /* HEADER_CURL_SCHANNEL_H */