1 #ifndef HEADER_CURL_SCHANNEL_H
2 #define HEADER_CURL_SCHANNEL_H
3 /***************************************************************************
4  *                                  _   _ ____  _
5  *  Project                     ___| | | |  _ \| |
6  *                             / __| | | | |_) | |
7  *                            | (__| |_| |  _ <| |___
8  *                             \___|\___/|_| \_\_____|
9  *
10  * Copyright (C) 2012, Marc Hoersken, <info@marc-hoersken.de>, et al.
11  * Copyright (C) 2012 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
12  *
13  * This software is licensed as described in the file COPYING, which
14  * you should have received as part of this distribution. The terms
15  * are also available at https://curl.se/docs/copyright.html.
16  *
17  * You may opt to use, copy, modify, merge, publish, distribute and/or sell
18  * copies of the Software, and permit persons to whom the Software is
19  * furnished to do so, under the terms of the COPYING file.
20  *
21  * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
22  * KIND, either express or implied.
23  *
24  ***************************************************************************/
25 #include "curl_setup.h"
26 
27 #ifdef USE_SCHANNEL
28 
29 #include <schnlsp.h>
30 #include <schannel.h>
31 #include "curl_sspi.h"
32 
33 #include "urldata.h"
34 
35 /* <wincrypt.h> has been included via the above <schnlsp.h>.
36  * Or in case of ldap.c, it was included via <winldap.h>.
37  * And since <wincrypt.h> has this:
38  *   #define X509_NAME  ((LPCSTR) 7)
39  *
40  * And in BoringSSL's <openssl/base.h> there is:
41  *  typedef struct X509_name_st X509_NAME;
42  *  etc.
43  *
44  * this will cause all kinds of C-preprocessing paste errors in
45  * BoringSSL's <openssl/x509.h>: So just undefine those defines here
46  * (and only here).
47  */
48 #if defined(HAVE_BORINGSSL) || defined(OPENSSL_IS_BORINGSSL)
49 # undef X509_NAME
50 # undef X509_CERT_PAIR
51 # undef X509_EXTENSIONS
52 #endif
53 
54 extern const struct Curl_ssl Curl_ssl_schannel;
55 
56 CURLcode Curl_verify_certificate(struct Curl_easy *data,
57                                  struct connectdata *conn, int sockindex);
58 
59 /* structs to expose only in schannel.c and schannel_verify.c */
60 #ifdef EXPOSE_SCHANNEL_INTERNAL_STRUCTS
61 
62 #ifdef __MINGW32__
63 #include <_mingw.h>
64 #ifdef __MINGW64_VERSION_MAJOR
65 #define HAS_MANUAL_VERIFY_API
66 #endif
67 #else
68 #include <wincrypt.h>
69 #ifdef CERT_CHAIN_REVOCATION_CHECK_CHAIN
70 #define HAS_MANUAL_VERIFY_API
71 #endif
72 #endif
73 
74 struct Curl_schannel_cred {
75   CredHandle cred_handle;
76   TimeStamp time_stamp;
77   int refcount;
78 };
79 
80 struct Curl_schannel_ctxt {
81   CtxtHandle ctxt_handle;
82   TimeStamp time_stamp;
83 };
84 
85 struct ssl_backend_data {
86   struct Curl_schannel_cred *cred;
87   struct Curl_schannel_ctxt *ctxt;
88   SecPkgContext_StreamSizes stream_sizes;
89   size_t encdata_length, decdata_length;
90   size_t encdata_offset, decdata_offset;
91   unsigned char *encdata_buffer, *decdata_buffer;
92   /* encdata_is_incomplete: if encdata contains only a partial record that
93      can't be decrypted without another Curl_read_plain (that is, status is
94      SEC_E_INCOMPLETE_MESSAGE) then set this true. after Curl_read_plain writes
95      more bytes into encdata then set this back to false. */
96   bool encdata_is_incomplete;
97   unsigned long req_flags, ret_flags;
98   CURLcode recv_unrecoverable_err; /* schannel_recv had an unrecoverable err */
99   bool recv_sspi_close_notify; /* true if connection closed by close_notify */
100   bool recv_connection_closed; /* true if connection closed, regardless how */
101   bool use_alpn; /* true if ALPN is used for this connection */
102 #ifdef HAS_MANUAL_VERIFY_API
103   bool use_manual_cred_validation; /* true if manual cred validation is used */
104 #endif
105 };
106 #endif /* EXPOSE_SCHANNEL_INTERNAL_STRUCTS */
107 
108 #endif /* USE_SCHANNEL */
109 #endif /* HEADER_CURL_SCHANNEL_H */
110