mirror of
https://github.com/curl/curl.git
synced 2024-12-21 06:50:10 +08:00
5651a36d1a
- Curl_write_plain/Curl_read_plain have been eliminated. Last code use now uses Curl_conn_send/recv so that requests use conn->send/revc callbacks which defaults to cfilters use. - Curl_recv_plain/Curl_send_plain have been internalized in cf-socket.c. - USE_RECV_BEFORE_SEND_WORKAROUND (active on Windows) has been moved into cf-socket.c. The pre_recv buffer is held at the socket filter context. `postponed_data` structures have been removed from `connectdata`. - the hanger in HTTP/2 request handling was a result of read buffering on all sends and the multi handling is not prepared for this. The following happens: - multi preforms on a HTTP/2 easy handle - h2 reads and processes data - this leads to a send of h2 data - which receives and buffers before the send - h2 returns - multi selects on the socket, but no data arrives (its in the buffer already) the workaround now receives data in a loop as long as there is something in the buffer. The real fix would be for multi to change, so that `data_pending` is evaluated before deciding to wait on the socket. io_buffer, optional, in cf-socket.c, http/2 sets state.drain if lower filter have pending data. This io_buffer is only available/used when the -DUSE_RECV_BEFORE_SEND_WORKAROUND is active, e.g. on Windows configurations. It also maintains the original checks on protocol handler being HTTP and conn->send/recv not being replaced. The HTTP/2 (nghttp2) cfilter now sets data->state.drain when it finds out that the "lower" filter chain has still pending data at the end of its IO operation. This prevents the processing from becoming stalled. Closes #10280
200 lines
6.0 KiB
C
200 lines
6.0 KiB
C
#ifndef HEADER_CURL_SCHANNEL_H
|
|
#define HEADER_CURL_SCHANNEL_H
|
|
/***************************************************************************
|
|
* _ _ ____ _
|
|
* Project ___| | | | _ \| |
|
|
* / __| | | | |_) | |
|
|
* | (__| |_| | _ <| |___
|
|
* \___|\___/|_| \_\_____|
|
|
*
|
|
* Copyright (C) Marc Hoersken, <info@marc-hoersken.de>, et al.
|
|
* Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
|
|
*
|
|
* This software is licensed as described in the file COPYING, which
|
|
* you should have received as part of this distribution. The terms
|
|
* are also available at https://curl.se/docs/copyright.html.
|
|
*
|
|
* You may opt to use, copy, modify, merge, publish, distribute and/or sell
|
|
* copies of the Software, and permit persons to whom the Software is
|
|
* furnished to do so, under the terms of the COPYING file.
|
|
*
|
|
* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
|
|
* KIND, either express or implied.
|
|
*
|
|
* SPDX-License-Identifier: curl
|
|
*
|
|
***************************************************************************/
|
|
#include "curl_setup.h"
|
|
|
|
#ifdef USE_SCHANNEL
|
|
|
|
#define SCHANNEL_USE_BLACKLISTS 1
|
|
|
|
#ifdef _MSC_VER
|
|
#pragma warning(push)
|
|
#pragma warning(disable: 4201)
|
|
#endif
|
|
#include <subauth.h>
|
|
#ifdef _MSC_VER
|
|
#pragma warning(pop)
|
|
#endif
|
|
/* Wincrypt must be included before anything that could include OpenSSL. */
|
|
#if defined(USE_WIN32_CRYPTO)
|
|
#include <wincrypt.h>
|
|
/* Undefine wincrypt conflicting symbols for BoringSSL. */
|
|
#undef X509_NAME
|
|
#undef X509_EXTENSIONS
|
|
#undef PKCS7_ISSUER_AND_SERIAL
|
|
#undef PKCS7_SIGNER_INFO
|
|
#undef OCSP_REQUEST
|
|
#undef OCSP_RESPONSE
|
|
#endif
|
|
|
|
#include <schnlsp.h>
|
|
#include <schannel.h>
|
|
#include "curl_sspi.h"
|
|
|
|
#include "cfilters.h"
|
|
#include "urldata.h"
|
|
|
|
/* <wincrypt.h> has been included via the above <schnlsp.h>.
|
|
* Or in case of ldap.c, it was included via <winldap.h>.
|
|
* And since <wincrypt.h> has this:
|
|
* #define X509_NAME ((LPCSTR) 7)
|
|
*
|
|
* And in BoringSSL's <openssl/base.h> there is:
|
|
* typedef struct X509_name_st X509_NAME;
|
|
* etc.
|
|
*
|
|
* this will cause all kinds of C-preprocessing paste errors in
|
|
* BoringSSL's <openssl/x509.h>: So just undefine those defines here
|
|
* (and only here).
|
|
*/
|
|
#if defined(HAVE_BORINGSSL) || defined(OPENSSL_IS_BORINGSSL)
|
|
# undef X509_NAME
|
|
# undef X509_CERT_PAIR
|
|
# undef X509_EXTENSIONS
|
|
#endif
|
|
|
|
extern const struct Curl_ssl Curl_ssl_schannel;
|
|
|
|
CURLcode Curl_verify_certificate(struct Curl_cfilter *cf,
|
|
struct Curl_easy *data);
|
|
|
|
/* structs to expose only in schannel.c and schannel_verify.c */
|
|
#ifdef EXPOSE_SCHANNEL_INTERNAL_STRUCTS
|
|
|
|
#ifdef __MINGW32__
|
|
#ifdef __MINGW64_VERSION_MAJOR
|
|
#define HAS_MANUAL_VERIFY_API
|
|
#endif
|
|
#else
|
|
#ifdef CERT_CHAIN_REVOCATION_CHECK_CHAIN
|
|
#define HAS_MANUAL_VERIFY_API
|
|
#endif
|
|
#endif
|
|
|
|
#if defined(CryptStringToBinary) && defined(CRYPT_STRING_HEX) \
|
|
&& !defined(DISABLE_SCHANNEL_CLIENT_CERT)
|
|
#define HAS_CLIENT_CERT_PATH
|
|
#endif
|
|
|
|
#ifndef SCH_CREDENTIALS_VERSION
|
|
|
|
#define SCH_CREDENTIALS_VERSION 0x00000005
|
|
|
|
typedef enum _eTlsAlgorithmUsage
|
|
{
|
|
TlsParametersCngAlgUsageKeyExchange,
|
|
TlsParametersCngAlgUsageSignature,
|
|
TlsParametersCngAlgUsageCipher,
|
|
TlsParametersCngAlgUsageDigest,
|
|
TlsParametersCngAlgUsageCertSig
|
|
} eTlsAlgorithmUsage;
|
|
|
|
typedef struct _CRYPTO_SETTINGS
|
|
{
|
|
eTlsAlgorithmUsage eAlgorithmUsage;
|
|
UNICODE_STRING strCngAlgId;
|
|
DWORD cChainingModes;
|
|
PUNICODE_STRING rgstrChainingModes;
|
|
DWORD dwMinBitLength;
|
|
DWORD dwMaxBitLength;
|
|
} CRYPTO_SETTINGS, * PCRYPTO_SETTINGS;
|
|
|
|
typedef struct _TLS_PARAMETERS
|
|
{
|
|
DWORD cAlpnIds;
|
|
PUNICODE_STRING rgstrAlpnIds;
|
|
DWORD grbitDisabledProtocols;
|
|
DWORD cDisabledCrypto;
|
|
PCRYPTO_SETTINGS pDisabledCrypto;
|
|
DWORD dwFlags;
|
|
} TLS_PARAMETERS, * PTLS_PARAMETERS;
|
|
|
|
typedef struct _SCH_CREDENTIALS
|
|
{
|
|
DWORD dwVersion;
|
|
DWORD dwCredFormat;
|
|
DWORD cCreds;
|
|
PCCERT_CONTEXT* paCred;
|
|
HCERTSTORE hRootStore;
|
|
|
|
DWORD cMappers;
|
|
struct _HMAPPER **aphMappers;
|
|
|
|
DWORD dwSessionLifespan;
|
|
DWORD dwFlags;
|
|
DWORD cTlsParameters;
|
|
PTLS_PARAMETERS pTlsParameters;
|
|
} SCH_CREDENTIALS, * PSCH_CREDENTIALS;
|
|
|
|
#define SCH_CRED_MAX_SUPPORTED_PARAMETERS 16
|
|
#define SCH_CRED_MAX_SUPPORTED_ALPN_IDS 16
|
|
#define SCH_CRED_MAX_SUPPORTED_CRYPTO_SETTINGS 16
|
|
#define SCH_CRED_MAX_SUPPORTED_CHAINING_MODES 16
|
|
|
|
#endif
|
|
|
|
struct Curl_schannel_cred {
|
|
CredHandle cred_handle;
|
|
TimeStamp time_stamp;
|
|
TCHAR *sni_hostname;
|
|
#ifdef HAS_CLIENT_CERT_PATH
|
|
HCERTSTORE client_cert_store;
|
|
#endif
|
|
int refcount;
|
|
};
|
|
|
|
struct Curl_schannel_ctxt {
|
|
CtxtHandle ctxt_handle;
|
|
TimeStamp time_stamp;
|
|
};
|
|
|
|
struct ssl_backend_data {
|
|
struct Curl_schannel_cred *cred;
|
|
struct Curl_schannel_ctxt *ctxt;
|
|
SecPkgContext_StreamSizes stream_sizes;
|
|
size_t encdata_length, decdata_length;
|
|
size_t encdata_offset, decdata_offset;
|
|
unsigned char *encdata_buffer, *decdata_buffer;
|
|
/* encdata_is_incomplete: if encdata contains only a partial record that
|
|
can't be decrypted without another recv() (that is, status is
|
|
SEC_E_INCOMPLETE_MESSAGE) then set this true. after an recv() adds
|
|
more bytes into encdata then set this back to false. */
|
|
bool encdata_is_incomplete;
|
|
unsigned long req_flags, ret_flags;
|
|
CURLcode recv_unrecoverable_err; /* schannel_recv had an unrecoverable err */
|
|
bool recv_sspi_close_notify; /* true if connection closed by close_notify */
|
|
bool recv_connection_closed; /* true if connection closed, regardless how */
|
|
bool recv_renegotiating; /* true if recv is doing renegotiation */
|
|
bool use_alpn; /* true if ALPN is used for this connection */
|
|
#ifdef HAS_MANUAL_VERIFY_API
|
|
bool use_manual_cred_validation; /* true if manual cred validation is used */
|
|
#endif
|
|
};
|
|
#endif /* EXPOSE_SCHANNEL_INTERNAL_STRUCTS */
|
|
|
|
#endif /* USE_SCHANNEL */
|
|
#endif /* HEADER_CURL_SCHANNEL_H */
|