1#ifndef HEADER_CURL_SCHANNEL_INT_H 2#define HEADER_CURL_SCHANNEL_INT_H 3/*************************************************************************** 4 * _ _ ____ _ 5 * Project ___| | | | _ \| | 6 * / __| | | | |_) | | 7 * | (__| |_| | _ <| |___ 8 * \___|\___/|_| \_\_____| 9 * 10 * Copyright (C) Marc Hoersken, <info@marc-hoersken.de>, et al. 11 * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al. 12 * 13 * This software is licensed as described in the file COPYING, which 14 * you should have received as part of this distribution. The terms 15 * are also available at https://curl.se/docs/copyright.html. 16 * 17 * You may opt to use, copy, modify, merge, publish, distribute and/or sell 18 * copies of the Software, and permit persons to whom the Software is 19 * furnished to do so, under the terms of the COPYING file. 20 * 21 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY 22 * KIND, either express or implied. 23 * 24 * SPDX-License-Identifier: curl 25 * 26 ***************************************************************************/ 27#include "curl_setup.h" 28 29#ifdef USE_SCHANNEL 30 31#if defined(__MINGW32__) || defined(CERT_CHAIN_REVOCATION_CHECK_CHAIN) 32#define HAS_MANUAL_VERIFY_API 33#endif 34 35#if defined(CryptStringToBinary) && defined(CRYPT_STRING_HEX) \ 36 && !defined(DISABLE_SCHANNEL_CLIENT_CERT) 37#define HAS_CLIENT_CERT_PATH 38#endif 39 40#ifndef CRYPT_DECODE_NOCOPY_FLAG 41#define CRYPT_DECODE_NOCOPY_FLAG 0x1 42#endif 43 44#ifndef CRYPT_DECODE_ALLOC_FLAG 45#define CRYPT_DECODE_ALLOC_FLAG 0x8000 46#endif 47 48#ifndef CERT_ALT_NAME_DNS_NAME 49#define CERT_ALT_NAME_DNS_NAME 3 50#endif 51 52#ifndef CERT_ALT_NAME_IP_ADDRESS 53#define CERT_ALT_NAME_IP_ADDRESS 8 54#endif 55 56 57#ifndef SCH_CREDENTIALS_VERSION 58 59#define SCH_CREDENTIALS_VERSION 0x00000005 60 61typedef enum _eTlsAlgorithmUsage 62{ 63 TlsParametersCngAlgUsageKeyExchange, 64 TlsParametersCngAlgUsageSignature, 65 TlsParametersCngAlgUsageCipher, 66 TlsParametersCngAlgUsageDigest, 67 TlsParametersCngAlgUsageCertSig 68} eTlsAlgorithmUsage; 69 70typedef struct _CRYPTO_SETTINGS 71{ 72 eTlsAlgorithmUsage eAlgorithmUsage; 73 UNICODE_STRING strCngAlgId; 74 DWORD cChainingModes; 75 PUNICODE_STRING rgstrChainingModes; 76 DWORD dwMinBitLength; 77 DWORD dwMaxBitLength; 78} CRYPTO_SETTINGS, * PCRYPTO_SETTINGS; 79 80typedef struct _TLS_PARAMETERS 81{ 82 DWORD cAlpnIds; 83 PUNICODE_STRING rgstrAlpnIds; 84 DWORD grbitDisabledProtocols; 85 DWORD cDisabledCrypto; 86 PCRYPTO_SETTINGS pDisabledCrypto; 87 DWORD dwFlags; 88} TLS_PARAMETERS, * PTLS_PARAMETERS; 89 90typedef struct _SCH_CREDENTIALS 91{ 92 DWORD dwVersion; 93 DWORD dwCredFormat; 94 DWORD cCreds; 95 PCCERT_CONTEXT* paCred; 96 HCERTSTORE hRootStore; 97 98 DWORD cMappers; 99 struct _HMAPPER **aphMappers; 100 101 DWORD dwSessionLifespan; 102 DWORD dwFlags; 103 DWORD cTlsParameters; 104 PTLS_PARAMETERS pTlsParameters; 105} SCH_CREDENTIALS, * PSCH_CREDENTIALS; 106 107#define SCH_CRED_MAX_SUPPORTED_PARAMETERS 16 108#define SCH_CRED_MAX_SUPPORTED_ALPN_IDS 16 109#define SCH_CRED_MAX_SUPPORTED_CRYPTO_SETTINGS 16 110#define SCH_CRED_MAX_SUPPORTED_CHAINING_MODES 16 111 112#endif /* SCH_CREDENTIALS_VERSION */ 113 114struct Curl_schannel_cred { 115 CredHandle cred_handle; 116 TimeStamp time_stamp; 117 TCHAR *sni_hostname; 118#ifdef HAS_CLIENT_CERT_PATH 119 HCERTSTORE client_cert_store; 120#endif 121 int refcount; 122}; 123 124struct Curl_schannel_ctxt { 125 CtxtHandle ctxt_handle; 126 TimeStamp time_stamp; 127}; 128 129struct schannel_ssl_backend_data { 130 struct Curl_schannel_cred *cred; 131 struct Curl_schannel_ctxt *ctxt; 132 SecPkgContext_StreamSizes stream_sizes; 133 size_t encdata_length, decdata_length; 134 size_t encdata_offset, decdata_offset; 135 unsigned char *encdata_buffer, *decdata_buffer; 136 /* encdata_is_incomplete: if encdata contains only a partial record that 137 can't be decrypted without another recv() (that is, status is 138 SEC_E_INCOMPLETE_MESSAGE) then set this true. after an recv() adds 139 more bytes into encdata then set this back to false. */ 140 bool encdata_is_incomplete; 141 unsigned long req_flags, ret_flags; 142 CURLcode recv_unrecoverable_err; /* schannel_recv had an unrecoverable err */ 143 bool recv_sspi_close_notify; /* true if connection closed by close_notify */ 144 bool recv_connection_closed; /* true if connection closed, regardless how */ 145 bool recv_renegotiating; /* true if recv is doing renegotiation */ 146 bool use_alpn; /* true if ALPN is used for this connection */ 147#ifdef HAS_MANUAL_VERIFY_API 148 bool use_manual_cred_validation; /* true if manual cred validation is used */ 149#endif 150}; 151 152struct schannel_multi_ssl_backend_data { 153 unsigned char *CAinfo_blob_digest; /* CA info blob digest */ 154 size_t CAinfo_blob_size; /* CA info blob size */ 155 char *CAfile; /* CAfile path used to generate 156 certificate store */ 157 HCERTSTORE cert_store; /* cached certificate store or 158 NULL if none */ 159 struct curltime time; /* when the cached store was created */ 160}; 161 162HCERTSTORE Curl_schannel_get_cached_cert_store(struct Curl_cfilter *cf, 163 const struct Curl_easy *data); 164 165bool Curl_schannel_set_cached_cert_store(struct Curl_cfilter *cf, 166 const struct Curl_easy *data, 167 HCERTSTORE cert_store); 168 169#endif /* USE_SCHANNEL */ 170#endif /* HEADER_CURL_SCHANNEL_INT_H */ 171