1#ifndef HEADER_CURL_SCHANNEL_H
2#define HEADER_CURL_SCHANNEL_H
3/***************************************************************************
4 * _ _ ____ _
5 * Project ___| | | | _ \| |
6 * / __| | | | |_) | |
7 * | (__| |_| | _ <| |___
8 * \___|\___/|_| \_\_____|
9 *
10 * Copyright (C) 2012, Marc Hoersken, <info@marc-hoersken.de>, et al.
11 * Copyright (C) 2012 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
12 *
13 * This software is licensed as described in the file COPYING, which
14 * you should have received as part of this distribution. The terms
15 * are also available at https://curl.se/docs/copyright.html.
16 *
17 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
18 * copies of the Software, and permit persons to whom the Software is
19 * furnished to do so, under the terms of the COPYING file.
20 *
21 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
22 * KIND, either express or implied.
23 *
24 ***************************************************************************/
25#include "curl_setup.h"
26
27#ifdef USE_SCHANNEL
28
29#include <schnlsp.h>
30#include <schannel.h>
31#include "curl_sspi.h"
32
33#include "urldata.h"
34
35/* <wincrypt.h> has been included via the above <schnlsp.h>.
36 * Or in case of ldap.c, it was included via <winldap.h>.
37 * And since <wincrypt.h> has this:
38 * #define X509_NAME ((LPCSTR) 7)
39 *
40 * And in BoringSSL's <openssl/base.h> there is:
41 * typedef struct X509_name_st X509_NAME;
42 * etc.
43 *
44 * this will cause all kinds of C-preprocessing paste errors in
45 * BoringSSL's <openssl/x509.h>: So just undefine those defines here
46 * (and only here).
47 */
48#if defined(HAVE_BORINGSSL) || defined(OPENSSL_IS_BORINGSSL)
49# undef X509_NAME
50# undef X509_CERT_PAIR
51# undef X509_EXTENSIONS
52#endif
53
54extern const struct Curl_ssl Curl_ssl_schannel;
55
56CURLcode Curl_verify_certificate(struct Curl_easy *data,
57 struct connectdata *conn, int sockindex);
58
59/* structs to expose only in schannel.c and schannel_verify.c */
60#ifdef EXPOSE_SCHANNEL_INTERNAL_STRUCTS
61
62#ifdef __MINGW32__
63#include <_mingw.h>
64#ifdef __MINGW64_VERSION_MAJOR
65#define HAS_MANUAL_VERIFY_API
66#endif
67#else
68#include <wincrypt.h>
69#ifdef CERT_CHAIN_REVOCATION_CHECK_CHAIN
70#define HAS_MANUAL_VERIFY_API
71#endif
72#endif
73
74#define NUMOF_CIPHERS 45 /* There are 45 listed in the MS headers */
75
76struct Curl_schannel_cred {
77 CredHandle cred_handle;
78 TimeStamp time_stamp;
79 int refcount;
80};
81
82struct Curl_schannel_ctxt {
83 CtxtHandle ctxt_handle;
84 TimeStamp time_stamp;
85};
86
87struct ssl_backend_data {
88 struct Curl_schannel_cred *cred;
89 struct Curl_schannel_ctxt *ctxt;
90 SecPkgContext_StreamSizes stream_sizes;
91 size_t encdata_length, decdata_length;
92 size_t encdata_offset, decdata_offset;
93 unsigned char *encdata_buffer, *decdata_buffer;
94 /* encdata_is_incomplete: if encdata contains only a partial record that
95 can't be decrypted without another Curl_read_plain (that is, status is
96 SEC_E_INCOMPLETE_MESSAGE) then set this true. after Curl_read_plain writes
97 more bytes into encdata then set this back to false. */
98 bool encdata_is_incomplete;
99 unsigned long req_flags, ret_flags;
100 CURLcode recv_unrecoverable_err; /* schannel_recv had an unrecoverable err */
101 bool recv_sspi_close_notify; /* true if connection closed by close_notify */
102 bool recv_connection_closed; /* true if connection closed, regardless how */
103 bool use_alpn; /* true if ALPN is used for this connection */
104#ifdef HAS_MANUAL_VERIFY_API
105 bool use_manual_cred_validation; /* true if manual cred validation is used */
106#endif
107 ALG_ID algIds[NUMOF_CIPHERS];
108};
109#endif /* EXPOSE_SCHANNEL_INTERNAL_STRUCTS */
110
111#endif /* USE_SCHANNEL */
112#endif /* HEADER_CURL_SCHANNEL_H */
113