Annotation of embedaddon/curl/lib/vtls/schannel.c, revision 1.1
1.1 ! misho 1: /***************************************************************************
! 2: * _ _ ____ _
! 3: * Project ___| | | | _ \| |
! 4: * / __| | | | |_) | |
! 5: * | (__| |_| | _ <| |___
! 6: * \___|\___/|_| \_\_____|
! 7: *
! 8: * Copyright (C) 2012 - 2016, Marc Hoersken, <info@marc-hoersken.de>
! 9: * Copyright (C) 2012, Mark Salisbury, <mark.salisbury@hp.com>
! 10: * Copyright (C) 2012 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
! 11: *
! 12: * This software is licensed as described in the file COPYING, which
! 13: * you should have received as part of this distribution. The terms
! 14: * are also available at https://curl.haxx.se/docs/copyright.html.
! 15: *
! 16: * You may opt to use, copy, modify, merge, publish, distribute and/or sell
! 17: * copies of the Software, and permit persons to whom the Software is
! 18: * furnished to do so, under the terms of the COPYING file.
! 19: *
! 20: * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
! 21: * KIND, either express or implied.
! 22: *
! 23: ***************************************************************************/
! 24:
! 25: /*
! 26: * Source file for all Schannel-specific code for the TLS/SSL layer. No code
! 27: * but vtls.c should ever call or use these functions.
! 28: */
! 29:
! 30: #include "curl_setup.h"
! 31:
! 32: #ifdef USE_SCHANNEL
! 33:
! 34: #define EXPOSE_SCHANNEL_INTERNAL_STRUCTS
! 35:
! 36: #ifndef USE_WINDOWS_SSPI
! 37: # error "Can't compile SCHANNEL support without SSPI."
! 38: #endif
! 39:
! 40: #include "schannel.h"
! 41: #include "vtls.h"
! 42: #include "sendf.h"
! 43: #include "connect.h" /* for the connect timeout */
! 44: #include "strerror.h"
! 45: #include "select.h" /* for the socket readyness */
! 46: #include "inet_pton.h" /* for IP addr SNI check */
! 47: #include "curl_multibyte.h"
! 48: #include "warnless.h"
! 49: #include "x509asn1.h"
! 50: #include "curl_printf.h"
! 51: #include "multiif.h"
! 52: #include "system_win32.h"
! 53:
! 54: /* The last #include file should be: */
! 55: #include "curl_memory.h"
! 56: #include "memdebug.h"
! 57:
! 58: /* ALPN requires version 8.1 of the Windows SDK, which was
! 59: shipped with Visual Studio 2013, aka _MSC_VER 1800:
! 60:
! 61: https://technet.microsoft.com/en-us/library/hh831771%28v=ws.11%29.aspx
! 62: */
! 63: #if defined(_MSC_VER) && (_MSC_VER >= 1800) && !defined(_USING_V110_SDK71_)
! 64: # define HAS_ALPN 1
! 65: #endif
! 66:
! 67: #ifndef UNISP_NAME_A
! 68: #define UNISP_NAME_A "Microsoft Unified Security Protocol Provider"
! 69: #endif
! 70:
! 71: #ifndef UNISP_NAME_W
! 72: #define UNISP_NAME_W L"Microsoft Unified Security Protocol Provider"
! 73: #endif
! 74:
! 75: #ifndef UNISP_NAME
! 76: #ifdef UNICODE
! 77: #define UNISP_NAME UNISP_NAME_W
! 78: #else
! 79: #define UNISP_NAME UNISP_NAME_A
! 80: #endif
! 81: #endif
! 82:
! 83: #if defined(CryptStringToBinary) && defined(CRYPT_STRING_HEX)
! 84: #define HAS_CLIENT_CERT_PATH
! 85: #endif
! 86:
! 87: #ifdef HAS_CLIENT_CERT_PATH
! 88: #ifdef UNICODE
! 89: #define CURL_CERT_STORE_PROV_SYSTEM CERT_STORE_PROV_SYSTEM_W
! 90: #else
! 91: #define CURL_CERT_STORE_PROV_SYSTEM CERT_STORE_PROV_SYSTEM_A
! 92: #endif
! 93: #endif
! 94:
! 95: #ifndef SP_PROT_SSL2_CLIENT
! 96: #define SP_PROT_SSL2_CLIENT 0x00000008
! 97: #endif
! 98:
! 99: #ifndef SP_PROT_SSL3_CLIENT
! 100: #define SP_PROT_SSL3_CLIENT 0x00000008
! 101: #endif
! 102:
! 103: #ifndef SP_PROT_TLS1_CLIENT
! 104: #define SP_PROT_TLS1_CLIENT 0x00000080
! 105: #endif
! 106:
! 107: #ifndef SP_PROT_TLS1_0_CLIENT
! 108: #define SP_PROT_TLS1_0_CLIENT SP_PROT_TLS1_CLIENT
! 109: #endif
! 110:
! 111: #ifndef SP_PROT_TLS1_1_CLIENT
! 112: #define SP_PROT_TLS1_1_CLIENT 0x00000200
! 113: #endif
! 114:
! 115: #ifndef SP_PROT_TLS1_2_CLIENT
! 116: #define SP_PROT_TLS1_2_CLIENT 0x00000800
! 117: #endif
! 118:
! 119: #ifndef SECBUFFER_ALERT
! 120: #define SECBUFFER_ALERT 17
! 121: #endif
! 122:
! 123: /* Both schannel buffer sizes must be > 0 */
! 124: #define CURL_SCHANNEL_BUFFER_INIT_SIZE 4096
! 125: #define CURL_SCHANNEL_BUFFER_FREE_SIZE 1024
! 126:
! 127: #define CERT_THUMBPRINT_STR_LEN 40
! 128: #define CERT_THUMBPRINT_DATA_LEN 20
! 129:
! 130: /* Uncomment to force verbose output
! 131: * #define infof(x, y, ...) printf(y, __VA_ARGS__)
! 132: * #define failf(x, y, ...) printf(y, __VA_ARGS__)
! 133: */
! 134:
! 135: #ifndef CALG_SHA_256
! 136: # define CALG_SHA_256 0x0000800c
! 137: #endif
! 138:
! 139: #define BACKEND connssl->backend
! 140:
! 141: static Curl_recv schannel_recv;
! 142: static Curl_send schannel_send;
! 143:
! 144: static CURLcode pkp_pin_peer_pubkey(struct connectdata *conn, int sockindex,
! 145: const char *pinnedpubkey);
! 146:
! 147: static void InitSecBuffer(SecBuffer *buffer, unsigned long BufType,
! 148: void *BufDataPtr, unsigned long BufByteSize)
! 149: {
! 150: buffer->cbBuffer = BufByteSize;
! 151: buffer->BufferType = BufType;
! 152: buffer->pvBuffer = BufDataPtr;
! 153: }
! 154:
! 155: static void InitSecBufferDesc(SecBufferDesc *desc, SecBuffer *BufArr,
! 156: unsigned long NumArrElem)
! 157: {
! 158: desc->ulVersion = SECBUFFER_VERSION;
! 159: desc->pBuffers = BufArr;
! 160: desc->cBuffers = NumArrElem;
! 161: }
! 162:
! 163: static CURLcode
! 164: set_ssl_version_min_max(SCHANNEL_CRED *schannel_cred, struct connectdata *conn)
! 165: {
! 166: struct Curl_easy *data = conn->data;
! 167: long ssl_version = SSL_CONN_CONFIG(version);
! 168: long ssl_version_max = SSL_CONN_CONFIG(version_max);
! 169: long i = ssl_version;
! 170:
! 171: switch(ssl_version_max) {
! 172: case CURL_SSLVERSION_MAX_NONE:
! 173: case CURL_SSLVERSION_MAX_DEFAULT:
! 174: ssl_version_max = CURL_SSLVERSION_MAX_TLSv1_2;
! 175: break;
! 176: }
! 177: for(; i <= (ssl_version_max >> 16); ++i) {
! 178: switch(i) {
! 179: case CURL_SSLVERSION_TLSv1_0:
! 180: schannel_cred->grbitEnabledProtocols |= SP_PROT_TLS1_0_CLIENT;
! 181: break;
! 182: case CURL_SSLVERSION_TLSv1_1:
! 183: schannel_cred->grbitEnabledProtocols |= SP_PROT_TLS1_1_CLIENT;
! 184: break;
! 185: case CURL_SSLVERSION_TLSv1_2:
! 186: schannel_cred->grbitEnabledProtocols |= SP_PROT_TLS1_2_CLIENT;
! 187: break;
! 188: case CURL_SSLVERSION_TLSv1_3:
! 189: failf(data, "schannel: TLS 1.3 is not yet supported");
! 190: return CURLE_SSL_CONNECT_ERROR;
! 191: }
! 192: }
! 193: return CURLE_OK;
! 194: }
! 195:
! 196: /*longest is 26, buffer is slightly bigger*/
! 197: #define LONGEST_ALG_ID 32
! 198: #define CIPHEROPTION(X) \
! 199: if(strcmp(#X, tmp) == 0) \
! 200: return X
! 201:
! 202: static int
! 203: get_alg_id_by_name(char *name)
! 204: {
! 205: char tmp[LONGEST_ALG_ID] = { 0 };
! 206: char *nameEnd = strchr(name, ':');
! 207: size_t n = nameEnd ? min((size_t)(nameEnd - name), LONGEST_ALG_ID - 1) : \
! 208: min(strlen(name), LONGEST_ALG_ID - 1);
! 209: strncpy(tmp, name, n);
! 210: tmp[n] = 0;
! 211: CIPHEROPTION(CALG_MD2);
! 212: CIPHEROPTION(CALG_MD4);
! 213: CIPHEROPTION(CALG_MD5);
! 214: CIPHEROPTION(CALG_SHA);
! 215: CIPHEROPTION(CALG_SHA1);
! 216: CIPHEROPTION(CALG_MAC);
! 217: CIPHEROPTION(CALG_RSA_SIGN);
! 218: CIPHEROPTION(CALG_DSS_SIGN);
! 219: /*ifdefs for the options that are defined conditionally in wincrypt.h*/
! 220: #ifdef CALG_NO_SIGN
! 221: CIPHEROPTION(CALG_NO_SIGN);
! 222: #endif
! 223: CIPHEROPTION(CALG_RSA_KEYX);
! 224: CIPHEROPTION(CALG_DES);
! 225: #ifdef CALG_3DES_112
! 226: CIPHEROPTION(CALG_3DES_112);
! 227: #endif
! 228: CIPHEROPTION(CALG_3DES);
! 229: CIPHEROPTION(CALG_DESX);
! 230: CIPHEROPTION(CALG_RC2);
! 231: CIPHEROPTION(CALG_RC4);
! 232: CIPHEROPTION(CALG_SEAL);
! 233: #ifdef CALG_DH_SF
! 234: CIPHEROPTION(CALG_DH_SF);
! 235: #endif
! 236: CIPHEROPTION(CALG_DH_EPHEM);
! 237: #ifdef CALG_AGREEDKEY_ANY
! 238: CIPHEROPTION(CALG_AGREEDKEY_ANY);
! 239: #endif
! 240: #ifdef CALG_HUGHES_MD5
! 241: CIPHEROPTION(CALG_HUGHES_MD5);
! 242: #endif
! 243: CIPHEROPTION(CALG_SKIPJACK);
! 244: #ifdef CALG_TEK
! 245: CIPHEROPTION(CALG_TEK);
! 246: #endif
! 247: CIPHEROPTION(CALG_CYLINK_MEK);
! 248: CIPHEROPTION(CALG_SSL3_SHAMD5);
! 249: #ifdef CALG_SSL3_MASTER
! 250: CIPHEROPTION(CALG_SSL3_MASTER);
! 251: #endif
! 252: #ifdef CALG_SCHANNEL_MASTER_HASH
! 253: CIPHEROPTION(CALG_SCHANNEL_MASTER_HASH);
! 254: #endif
! 255: #ifdef CALG_SCHANNEL_MAC_KEY
! 256: CIPHEROPTION(CALG_SCHANNEL_MAC_KEY);
! 257: #endif
! 258: #ifdef CALG_SCHANNEL_ENC_KEY
! 259: CIPHEROPTION(CALG_SCHANNEL_ENC_KEY);
! 260: #endif
! 261: #ifdef CALG_PCT1_MASTER
! 262: CIPHEROPTION(CALG_PCT1_MASTER);
! 263: #endif
! 264: #ifdef CALG_SSL2_MASTER
! 265: CIPHEROPTION(CALG_SSL2_MASTER);
! 266: #endif
! 267: #ifdef CALG_TLS1_MASTER
! 268: CIPHEROPTION(CALG_TLS1_MASTER);
! 269: #endif
! 270: #ifdef CALG_RC5
! 271: CIPHEROPTION(CALG_RC5);
! 272: #endif
! 273: #ifdef CALG_HMAC
! 274: CIPHEROPTION(CALG_HMAC);
! 275: #endif
! 276: #if !defined(__W32API_MAJOR_VERSION) || \
! 277: !defined(__W32API_MINOR_VERSION) || \
! 278: defined(__MINGW64_VERSION_MAJOR) || \
! 279: (__W32API_MAJOR_VERSION > 5) || \
! 280: ((__W32API_MAJOR_VERSION == 5) && (__W32API_MINOR_VERSION > 0))
! 281: /* CALG_TLS1PRF has a syntax error in MinGW's w32api up to version 5.0,
! 282: see https://osdn.net/projects/mingw/ticket/38391 */
! 283: CIPHEROPTION(CALG_TLS1PRF);
! 284: #endif
! 285: #ifdef CALG_HASH_REPLACE_OWF
! 286: CIPHEROPTION(CALG_HASH_REPLACE_OWF);
! 287: #endif
! 288: #ifdef CALG_AES_128
! 289: CIPHEROPTION(CALG_AES_128);
! 290: #endif
! 291: #ifdef CALG_AES_192
! 292: CIPHEROPTION(CALG_AES_192);
! 293: #endif
! 294: #ifdef CALG_AES_256
! 295: CIPHEROPTION(CALG_AES_256);
! 296: #endif
! 297: #ifdef CALG_AES
! 298: CIPHEROPTION(CALG_AES);
! 299: #endif
! 300: #ifdef CALG_SHA_256
! 301: CIPHEROPTION(CALG_SHA_256);
! 302: #endif
! 303: #ifdef CALG_SHA_384
! 304: CIPHEROPTION(CALG_SHA_384);
! 305: #endif
! 306: #ifdef CALG_SHA_512
! 307: CIPHEROPTION(CALG_SHA_512);
! 308: #endif
! 309: #ifdef CALG_ECDH
! 310: CIPHEROPTION(CALG_ECDH);
! 311: #endif
! 312: #ifdef CALG_ECMQV
! 313: CIPHEROPTION(CALG_ECMQV);
! 314: #endif
! 315: #ifdef CALG_ECDSA
! 316: CIPHEROPTION(CALG_ECDSA);
! 317: #endif
! 318: #ifdef CALG_ECDH_EPHEM
! 319: CIPHEROPTION(CALG_ECDH_EPHEM);
! 320: #endif
! 321: return 0;
! 322: }
! 323:
! 324: static CURLcode
! 325: set_ssl_ciphers(SCHANNEL_CRED *schannel_cred, char *ciphers)
! 326: {
! 327: char *startCur = ciphers;
! 328: int algCount = 0;
! 329: static ALG_ID algIds[45]; /*There are 45 listed in the MS headers*/
! 330: while(startCur && (0 != *startCur) && (algCount < 45)) {
! 331: long alg = strtol(startCur, 0, 0);
! 332: if(!alg)
! 333: alg = get_alg_id_by_name(startCur);
! 334: if(alg)
! 335: algIds[algCount++] = alg;
! 336: else
! 337: return CURLE_SSL_CIPHER;
! 338: startCur = strchr(startCur, ':');
! 339: if(startCur)
! 340: startCur++;
! 341: }
! 342: schannel_cred->palgSupportedAlgs = algIds;
! 343: schannel_cred->cSupportedAlgs = algCount;
! 344: return CURLE_OK;
! 345: }
! 346:
! 347: #ifdef HAS_CLIENT_CERT_PATH
! 348: static CURLcode
! 349: get_cert_location(TCHAR *path, DWORD *store_name, TCHAR **store_path,
! 350: TCHAR **thumbprint)
! 351: {
! 352: TCHAR *sep;
! 353: TCHAR *store_path_start;
! 354: size_t store_name_len;
! 355:
! 356: sep = _tcschr(path, TEXT('\\'));
! 357: if(sep == NULL)
! 358: return CURLE_SSL_CERTPROBLEM;
! 359:
! 360: store_name_len = sep - path;
! 361:
! 362: if(_tcsnccmp(path, TEXT("CurrentUser"), store_name_len) == 0)
! 363: *store_name = CERT_SYSTEM_STORE_CURRENT_USER;
! 364: else if(_tcsnccmp(path, TEXT("LocalMachine"), store_name_len) == 0)
! 365: *store_name = CERT_SYSTEM_STORE_LOCAL_MACHINE;
! 366: else if(_tcsnccmp(path, TEXT("CurrentService"), store_name_len) == 0)
! 367: *store_name = CERT_SYSTEM_STORE_CURRENT_SERVICE;
! 368: else if(_tcsnccmp(path, TEXT("Services"), store_name_len) == 0)
! 369: *store_name = CERT_SYSTEM_STORE_SERVICES;
! 370: else if(_tcsnccmp(path, TEXT("Users"), store_name_len) == 0)
! 371: *store_name = CERT_SYSTEM_STORE_USERS;
! 372: else if(_tcsnccmp(path, TEXT("CurrentUserGroupPolicy"),
! 373: store_name_len) == 0)
! 374: *store_name = CERT_SYSTEM_STORE_CURRENT_USER_GROUP_POLICY;
! 375: else if(_tcsnccmp(path, TEXT("LocalMachineGroupPolicy"),
! 376: store_name_len) == 0)
! 377: *store_name = CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY;
! 378: else if(_tcsnccmp(path, TEXT("LocalMachineEnterprise"),
! 379: store_name_len) == 0)
! 380: *store_name = CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE;
! 381: else
! 382: return CURLE_SSL_CERTPROBLEM;
! 383:
! 384: store_path_start = sep + 1;
! 385:
! 386: sep = _tcschr(store_path_start, TEXT('\\'));
! 387: if(sep == NULL)
! 388: return CURLE_SSL_CERTPROBLEM;
! 389:
! 390: *sep = TEXT('\0');
! 391: *store_path = _tcsdup(store_path_start);
! 392: *sep = TEXT('\\');
! 393: if(*store_path == NULL)
! 394: return CURLE_OUT_OF_MEMORY;
! 395:
! 396: *thumbprint = sep + 1;
! 397: if(_tcslen(*thumbprint) != CERT_THUMBPRINT_STR_LEN)
! 398: return CURLE_SSL_CERTPROBLEM;
! 399:
! 400: return CURLE_OK;
! 401: }
! 402: #endif
! 403:
! 404: static CURLcode
! 405: schannel_connect_step1(struct connectdata *conn, int sockindex)
! 406: {
! 407: ssize_t written = -1;
! 408: struct Curl_easy *data = conn->data;
! 409: struct ssl_connect_data *connssl = &conn->ssl[sockindex];
! 410: SecBuffer outbuf;
! 411: SecBufferDesc outbuf_desc;
! 412: SecBuffer inbuf;
! 413: SecBufferDesc inbuf_desc;
! 414: #ifdef HAS_ALPN
! 415: unsigned char alpn_buffer[128];
! 416: #endif
! 417: SCHANNEL_CRED schannel_cred;
! 418: PCCERT_CONTEXT client_certs[1] = { NULL };
! 419: SECURITY_STATUS sspi_status = SEC_E_OK;
! 420: struct curl_schannel_cred *old_cred = NULL;
! 421: struct in_addr addr;
! 422: #ifdef ENABLE_IPV6
! 423: struct in6_addr addr6;
! 424: #endif
! 425: TCHAR *host_name;
! 426: CURLcode result;
! 427: char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
! 428: conn->host.name;
! 429:
! 430: DEBUGF(infof(data,
! 431: "schannel: SSL/TLS connection with %s port %hu (step 1/3)\n",
! 432: hostname, conn->remote_port));
! 433:
! 434: if(Curl_verify_windows_version(5, 1, PLATFORM_WINNT,
! 435: VERSION_LESS_THAN_EQUAL)) {
! 436: /* Schannel in Windows XP (OS version 5.1) uses legacy handshakes and
! 437: algorithms that may not be supported by all servers. */
! 438: infof(data, "schannel: Windows version is old and may not be able to "
! 439: "connect to some servers due to lack of SNI, algorithms, etc.\n");
! 440: }
! 441:
! 442: #ifdef HAS_ALPN
! 443: /* ALPN is only supported on Windows 8.1 / Server 2012 R2 and above.
! 444: Also it doesn't seem to be supported for Wine, see curl bug #983. */
! 445: BACKEND->use_alpn = conn->bits.tls_enable_alpn &&
! 446: !GetProcAddress(GetModuleHandleA("ntdll"),
! 447: "wine_get_version") &&
! 448: Curl_verify_windows_version(6, 3, PLATFORM_WINNT,
! 449: VERSION_GREATER_THAN_EQUAL);
! 450: #else
! 451: BACKEND->use_alpn = false;
! 452: #endif
! 453:
! 454: #ifdef _WIN32_WCE
! 455: #ifdef HAS_MANUAL_VERIFY_API
! 456: /* certificate validation on CE doesn't seem to work right; we'll
! 457: * do it following a more manual process. */
! 458: BACKEND->use_manual_cred_validation = true;
! 459: #else
! 460: #error "compiler too old to support requisite manual cert verify for Win CE"
! 461: #endif
! 462: #else
! 463: #ifdef HAS_MANUAL_VERIFY_API
! 464: if(SSL_CONN_CONFIG(CAfile)) {
! 465: if(Curl_verify_windows_version(6, 1, PLATFORM_WINNT,
! 466: VERSION_GREATER_THAN_EQUAL)) {
! 467: BACKEND->use_manual_cred_validation = true;
! 468: }
! 469: else {
! 470: failf(data, "schannel: this version of Windows is too old to support "
! 471: "certificate verification via CA bundle file.");
! 472: return CURLE_SSL_CACERT_BADFILE;
! 473: }
! 474: }
! 475: else
! 476: BACKEND->use_manual_cred_validation = false;
! 477: #else
! 478: if(SSL_CONN_CONFIG(CAfile)) {
! 479: failf(data, "schannel: CA cert support not built in");
! 480: return CURLE_NOT_BUILT_IN;
! 481: }
! 482: #endif
! 483: #endif
! 484:
! 485: BACKEND->cred = NULL;
! 486:
! 487: /* check for an existing re-usable credential handle */
! 488: if(SSL_SET_OPTION(primary.sessionid)) {
! 489: Curl_ssl_sessionid_lock(conn);
! 490: if(!Curl_ssl_getsessionid(conn, (void **)&old_cred, NULL, sockindex)) {
! 491: BACKEND->cred = old_cred;
! 492: DEBUGF(infof(data, "schannel: re-using existing credential handle\n"));
! 493:
! 494: /* increment the reference counter of the credential/session handle */
! 495: BACKEND->cred->refcount++;
! 496: DEBUGF(infof(data,
! 497: "schannel: incremented credential handle refcount = %d\n",
! 498: BACKEND->cred->refcount));
! 499: }
! 500: Curl_ssl_sessionid_unlock(conn);
! 501: }
! 502:
! 503: if(!BACKEND->cred) {
! 504: /* setup Schannel API options */
! 505: memset(&schannel_cred, 0, sizeof(schannel_cred));
! 506: schannel_cred.dwVersion = SCHANNEL_CRED_VERSION;
! 507:
! 508: if(conn->ssl_config.verifypeer) {
! 509: #ifdef HAS_MANUAL_VERIFY_API
! 510: if(BACKEND->use_manual_cred_validation)
! 511: schannel_cred.dwFlags = SCH_CRED_MANUAL_CRED_VALIDATION;
! 512: else
! 513: #endif
! 514: schannel_cred.dwFlags = SCH_CRED_AUTO_CRED_VALIDATION;
! 515:
! 516: if(data->set.ssl.no_revoke) {
! 517: schannel_cred.dwFlags |= SCH_CRED_IGNORE_NO_REVOCATION_CHECK |
! 518: SCH_CRED_IGNORE_REVOCATION_OFFLINE;
! 519:
! 520: DEBUGF(infof(data, "schannel: disabled server certificate revocation "
! 521: "checks\n"));
! 522: }
! 523: else if(data->set.ssl.revoke_best_effort) {
! 524: schannel_cred.dwFlags |= SCH_CRED_IGNORE_NO_REVOCATION_CHECK |
! 525: SCH_CRED_IGNORE_REVOCATION_OFFLINE | SCH_CRED_REVOCATION_CHECK_CHAIN;
! 526:
! 527: DEBUGF(infof(data, "schannel: ignore revocation offline errors"));
! 528: }
! 529: else {
! 530: schannel_cred.dwFlags |= SCH_CRED_REVOCATION_CHECK_CHAIN;
! 531:
! 532: DEBUGF(infof(data,
! 533: "schannel: checking server certificate revocation\n"));
! 534: }
! 535: }
! 536: else {
! 537: schannel_cred.dwFlags = SCH_CRED_MANUAL_CRED_VALIDATION |
! 538: SCH_CRED_IGNORE_NO_REVOCATION_CHECK |
! 539: SCH_CRED_IGNORE_REVOCATION_OFFLINE;
! 540: DEBUGF(infof(data,
! 541: "schannel: disabled server cert revocation checks\n"));
! 542: }
! 543:
! 544: if(!conn->ssl_config.verifyhost) {
! 545: schannel_cred.dwFlags |= SCH_CRED_NO_SERVERNAME_CHECK;
! 546: DEBUGF(infof(data, "schannel: verifyhost setting prevents Schannel from "
! 547: "comparing the supplied target name with the subject "
! 548: "names in server certificates.\n"));
! 549: }
! 550:
! 551: switch(conn->ssl_config.version) {
! 552: case CURL_SSLVERSION_DEFAULT:
! 553: case CURL_SSLVERSION_TLSv1:
! 554: case CURL_SSLVERSION_TLSv1_0:
! 555: case CURL_SSLVERSION_TLSv1_1:
! 556: case CURL_SSLVERSION_TLSv1_2:
! 557: case CURL_SSLVERSION_TLSv1_3:
! 558: {
! 559: result = set_ssl_version_min_max(&schannel_cred, conn);
! 560: if(result != CURLE_OK)
! 561: return result;
! 562: break;
! 563: }
! 564: case CURL_SSLVERSION_SSLv3:
! 565: schannel_cred.grbitEnabledProtocols = SP_PROT_SSL3_CLIENT;
! 566: break;
! 567: case CURL_SSLVERSION_SSLv2:
! 568: schannel_cred.grbitEnabledProtocols = SP_PROT_SSL2_CLIENT;
! 569: break;
! 570: default:
! 571: failf(data, "Unrecognized parameter passed via CURLOPT_SSLVERSION");
! 572: return CURLE_SSL_CONNECT_ERROR;
! 573: }
! 574:
! 575: if(SSL_CONN_CONFIG(cipher_list)) {
! 576: result = set_ssl_ciphers(&schannel_cred, SSL_CONN_CONFIG(cipher_list));
! 577: if(CURLE_OK != result) {
! 578: failf(data, "Unable to set ciphers to passed via SSL_CONN_CONFIG");
! 579: return result;
! 580: }
! 581: }
! 582:
! 583:
! 584: #ifdef HAS_CLIENT_CERT_PATH
! 585: /* client certificate */
! 586: if(data->set.ssl.cert) {
! 587: DWORD cert_store_name;
! 588: TCHAR *cert_store_path = NULL;
! 589: TCHAR *cert_thumbprint_str;
! 590: CRYPT_HASH_BLOB cert_thumbprint;
! 591: BYTE cert_thumbprint_data[CERT_THUMBPRINT_DATA_LEN];
! 592: HCERTSTORE cert_store;
! 593: FILE *fInCert = NULL;
! 594:
! 595: TCHAR *cert_path = Curl_convert_UTF8_to_tchar(data->set.ssl.cert);
! 596: if(!cert_path)
! 597: return CURLE_OUT_OF_MEMORY;
! 598:
! 599: result = get_cert_location(cert_path, &cert_store_name,
! 600: &cert_store_path, &cert_thumbprint_str);
! 601: if((result != CURLE_OK) && (data->set.ssl.cert[0]!='\0'))
! 602: fInCert = fopen(data->set.ssl.cert, "rb");
! 603:
! 604: if((result != CURLE_OK) && (fInCert == NULL)) {
! 605: failf(data, "schannel: Failed to get certificate location"
! 606: " or file for %s",
! 607: data->set.ssl.cert);
! 608: Curl_unicodefree(cert_path);
! 609: return result;
! 610: }
! 611:
! 612: if(fInCert) {
! 613: /* Reading a .P12 or .pfx file, like the example at bottom of
! 614: https://social.msdn.microsoft.com/Forums/windowsdesktop/
! 615: en-US/3e7bc95f-b21a-4bcd-bd2c-7f996718cae5
! 616: */
! 617: void *certdata = NULL;
! 618: long filesize = 0;
! 619: CRYPT_DATA_BLOB datablob;
! 620: WCHAR* pszPassword;
! 621: size_t pwd_len = 0;
! 622: int str_w_len = 0;
! 623: int continue_reading = fseek(fInCert, 0, SEEK_END) == 0;
! 624: if(continue_reading)
! 625: filesize = ftell(fInCert);
! 626: if(filesize < 0)
! 627: continue_reading = 0;
! 628: if(continue_reading)
! 629: continue_reading = fseek(fInCert, 0, SEEK_SET) == 0;
! 630: if(continue_reading)
! 631: certdata = malloc(((size_t)filesize) + 1);
! 632: if((certdata == NULL) ||
! 633: ((int) fread(certdata, (size_t)filesize, 1, fInCert) != 1))
! 634: continue_reading = 0;
! 635: fclose(fInCert);
! 636: Curl_unicodefree(cert_path);
! 637:
! 638: if(!continue_reading) {
! 639: failf(data, "schannel: Failed to read cert file %s",
! 640: data->set.ssl.cert);
! 641: free(certdata);
! 642: return CURLE_SSL_CERTPROBLEM;
! 643: }
! 644:
! 645: /* Convert key-pair data to the in-memory certificate store */
! 646: datablob.pbData = (BYTE*)certdata;
! 647: datablob.cbData = (DWORD)filesize;
! 648:
! 649: if(data->set.ssl.key_passwd != NULL)
! 650: pwd_len = strlen(data->set.ssl.key_passwd);
! 651: pszPassword = (WCHAR*)malloc(sizeof(WCHAR)*(pwd_len + 1));
! 652: if(pwd_len > 0)
! 653: str_w_len =
! 654: MultiByteToWideChar(CP_UTF8, MB_ERR_INVALID_CHARS,
! 655: data->set.ssl.key_passwd, (int)pwd_len,
! 656: pszPassword, (int)(pwd_len + 1));
! 657:
! 658: if((str_w_len >= 0) && (str_w_len <= (int)pwd_len))
! 659: pszPassword[str_w_len] = 0;
! 660: else
! 661: pszPassword[0] = 0;
! 662:
! 663: cert_store = PFXImportCertStore(&datablob, pszPassword, 0);
! 664: free(pszPassword);
! 665: free(certdata);
! 666: if(cert_store == NULL) {
! 667: DWORD errorcode = GetLastError();
! 668: if(errorcode == ERROR_INVALID_PASSWORD)
! 669: failf(data, "schannel: Failed to import cert file %s, "
! 670: "password is bad", data->set.ssl.cert);
! 671: else
! 672: failf(data, "schannel: Failed to import cert file %s, "
! 673: "last error is 0x%x", data->set.ssl.cert, errorcode);
! 674: return CURLE_SSL_CERTPROBLEM;
! 675: }
! 676:
! 677: client_certs[0] = CertFindCertificateInStore(
! 678: cert_store, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 0,
! 679: CERT_FIND_ANY, NULL, NULL);
! 680:
! 681: if(client_certs[0] == NULL) {
! 682: failf(data, "schannel: Failed to get certificate from file %s"
! 683: ", last error is 0x%x",
! 684: data->set.ssl.cert, GetLastError());
! 685: CertCloseStore(cert_store, 0);
! 686: return CURLE_SSL_CERTPROBLEM;
! 687: }
! 688:
! 689: schannel_cred.cCreds = 1;
! 690: schannel_cred.paCred = client_certs;
! 691: }
! 692: else {
! 693: cert_store =
! 694: CertOpenStore(CURL_CERT_STORE_PROV_SYSTEM, 0,
! 695: (HCRYPTPROV)NULL,
! 696: CERT_STORE_OPEN_EXISTING_FLAG | cert_store_name,
! 697: cert_store_path);
! 698: if(!cert_store) {
! 699: failf(data, "schannel: Failed to open cert store %x %s, "
! 700: "last error is 0x%x",
! 701: cert_store_name, cert_store_path, GetLastError());
! 702: free(cert_store_path);
! 703: Curl_unicodefree(cert_path);
! 704: return CURLE_SSL_CERTPROBLEM;
! 705: }
! 706: free(cert_store_path);
! 707:
! 708: cert_thumbprint.pbData = cert_thumbprint_data;
! 709: cert_thumbprint.cbData = CERT_THUMBPRINT_DATA_LEN;
! 710:
! 711: if(!CryptStringToBinary(cert_thumbprint_str,
! 712: CERT_THUMBPRINT_STR_LEN,
! 713: CRYPT_STRING_HEX,
! 714: cert_thumbprint_data,
! 715: &cert_thumbprint.cbData,
! 716: NULL, NULL)) {
! 717: Curl_unicodefree(cert_path);
! 718: CertCloseStore(cert_store, 0);
! 719: return CURLE_SSL_CERTPROBLEM;
! 720: }
! 721:
! 722: client_certs[0] = CertFindCertificateInStore(
! 723: cert_store, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 0,
! 724: CERT_FIND_HASH, &cert_thumbprint, NULL);
! 725:
! 726: Curl_unicodefree(cert_path);
! 727:
! 728: if(client_certs[0]) {
! 729: schannel_cred.cCreds = 1;
! 730: schannel_cred.paCred = client_certs;
! 731: }
! 732: else {
! 733: /* CRYPT_E_NOT_FOUND / E_INVALIDARG */
! 734: CertCloseStore(cert_store, 0);
! 735: return CURLE_SSL_CERTPROBLEM;
! 736: }
! 737: }
! 738: CertCloseStore(cert_store, 0);
! 739: }
! 740: #else
! 741: if(data->set.ssl.cert) {
! 742: failf(data, "schannel: client cert support not built in");
! 743: return CURLE_NOT_BUILT_IN;
! 744: }
! 745: #endif
! 746:
! 747: /* allocate memory for the re-usable credential handle */
! 748: BACKEND->cred = (struct curl_schannel_cred *)
! 749: calloc(1, sizeof(struct curl_schannel_cred));
! 750: if(!BACKEND->cred) {
! 751: failf(data, "schannel: unable to allocate memory");
! 752:
! 753: if(client_certs[0])
! 754: CertFreeCertificateContext(client_certs[0]);
! 755:
! 756: return CURLE_OUT_OF_MEMORY;
! 757: }
! 758: BACKEND->cred->refcount = 1;
! 759:
! 760: /* https://msdn.microsoft.com/en-us/library/windows/desktop/aa374716.aspx
! 761: */
! 762: sspi_status =
! 763: s_pSecFn->AcquireCredentialsHandle(NULL, (TCHAR *)UNISP_NAME,
! 764: SECPKG_CRED_OUTBOUND, NULL,
! 765: &schannel_cred, NULL, NULL,
! 766: &BACKEND->cred->cred_handle,
! 767: &BACKEND->cred->time_stamp);
! 768:
! 769: if(client_certs[0])
! 770: CertFreeCertificateContext(client_certs[0]);
! 771:
! 772: if(sspi_status != SEC_E_OK) {
! 773: char buffer[STRERROR_LEN];
! 774: failf(data, "schannel: AcquireCredentialsHandle failed: %s",
! 775: Curl_sspi_strerror(sspi_status, buffer, sizeof(buffer)));
! 776: Curl_safefree(BACKEND->cred);
! 777: switch(sspi_status) {
! 778: case SEC_E_INSUFFICIENT_MEMORY:
! 779: return CURLE_OUT_OF_MEMORY;
! 780: case SEC_E_NO_CREDENTIALS:
! 781: case SEC_E_SECPKG_NOT_FOUND:
! 782: case SEC_E_NOT_OWNER:
! 783: case SEC_E_UNKNOWN_CREDENTIALS:
! 784: case SEC_E_INTERNAL_ERROR:
! 785: default:
! 786: return CURLE_SSL_CONNECT_ERROR;
! 787: }
! 788: }
! 789: }
! 790:
! 791: /* Warn if SNI is disabled due to use of an IP address */
! 792: if(Curl_inet_pton(AF_INET, hostname, &addr)
! 793: #ifdef ENABLE_IPV6
! 794: || Curl_inet_pton(AF_INET6, hostname, &addr6)
! 795: #endif
! 796: ) {
! 797: infof(data, "schannel: using IP address, SNI is not supported by OS.\n");
! 798: }
! 799:
! 800: #ifdef HAS_ALPN
! 801: if(BACKEND->use_alpn) {
! 802: int cur = 0;
! 803: int list_start_index = 0;
! 804: unsigned int *extension_len = NULL;
! 805: unsigned short* list_len = NULL;
! 806:
! 807: /* The first four bytes will be an unsigned int indicating number
! 808: of bytes of data in the rest of the buffer. */
! 809: extension_len = (unsigned int *)(&alpn_buffer[cur]);
! 810: cur += sizeof(unsigned int);
! 811:
! 812: /* The next four bytes are an indicator that this buffer will contain
! 813: ALPN data, as opposed to NPN, for example. */
! 814: *(unsigned int *)&alpn_buffer[cur] =
! 815: SecApplicationProtocolNegotiationExt_ALPN;
! 816: cur += sizeof(unsigned int);
! 817:
! 818: /* The next two bytes will be an unsigned short indicating the number
! 819: of bytes used to list the preferred protocols. */
! 820: list_len = (unsigned short*)(&alpn_buffer[cur]);
! 821: cur += sizeof(unsigned short);
! 822:
! 823: list_start_index = cur;
! 824:
! 825: #ifdef USE_NGHTTP2
! 826: if(data->set.httpversion >= CURL_HTTP_VERSION_2) {
! 827: memcpy(&alpn_buffer[cur], NGHTTP2_PROTO_ALPN, NGHTTP2_PROTO_ALPN_LEN);
! 828: cur += NGHTTP2_PROTO_ALPN_LEN;
! 829: infof(data, "schannel: ALPN, offering %s\n", NGHTTP2_PROTO_VERSION_ID);
! 830: }
! 831: #endif
! 832:
! 833: alpn_buffer[cur++] = ALPN_HTTP_1_1_LENGTH;
! 834: memcpy(&alpn_buffer[cur], ALPN_HTTP_1_1, ALPN_HTTP_1_1_LENGTH);
! 835: cur += ALPN_HTTP_1_1_LENGTH;
! 836: infof(data, "schannel: ALPN, offering %s\n", ALPN_HTTP_1_1);
! 837:
! 838: *list_len = curlx_uitous(cur - list_start_index);
! 839: *extension_len = *list_len + sizeof(unsigned int) + sizeof(unsigned short);
! 840:
! 841: InitSecBuffer(&inbuf, SECBUFFER_APPLICATION_PROTOCOLS, alpn_buffer, cur);
! 842: InitSecBufferDesc(&inbuf_desc, &inbuf, 1);
! 843: }
! 844: else {
! 845: InitSecBuffer(&inbuf, SECBUFFER_EMPTY, NULL, 0);
! 846: InitSecBufferDesc(&inbuf_desc, &inbuf, 1);
! 847: }
! 848: #else /* HAS_ALPN */
! 849: InitSecBuffer(&inbuf, SECBUFFER_EMPTY, NULL, 0);
! 850: InitSecBufferDesc(&inbuf_desc, &inbuf, 1);
! 851: #endif
! 852:
! 853: /* setup output buffer */
! 854: InitSecBuffer(&outbuf, SECBUFFER_EMPTY, NULL, 0);
! 855: InitSecBufferDesc(&outbuf_desc, &outbuf, 1);
! 856:
! 857: /* setup request flags */
! 858: BACKEND->req_flags = ISC_REQ_SEQUENCE_DETECT | ISC_REQ_REPLAY_DETECT |
! 859: ISC_REQ_CONFIDENTIALITY | ISC_REQ_ALLOCATE_MEMORY |
! 860: ISC_REQ_STREAM;
! 861:
! 862: /* allocate memory for the security context handle */
! 863: BACKEND->ctxt = (struct curl_schannel_ctxt *)
! 864: calloc(1, sizeof(struct curl_schannel_ctxt));
! 865: if(!BACKEND->ctxt) {
! 866: failf(data, "schannel: unable to allocate memory");
! 867: return CURLE_OUT_OF_MEMORY;
! 868: }
! 869:
! 870: host_name = Curl_convert_UTF8_to_tchar(hostname);
! 871: if(!host_name)
! 872: return CURLE_OUT_OF_MEMORY;
! 873:
! 874: /* Schannel InitializeSecurityContext:
! 875: https://msdn.microsoft.com/en-us/library/windows/desktop/aa375924.aspx
! 876:
! 877: At the moment we don't pass inbuf unless we're using ALPN since we only
! 878: use it for that, and Wine (for which we currently disable ALPN) is giving
! 879: us problems with inbuf regardless. https://github.com/curl/curl/issues/983
! 880: */
! 881: sspi_status = s_pSecFn->InitializeSecurityContext(
! 882: &BACKEND->cred->cred_handle, NULL, host_name, BACKEND->req_flags, 0, 0,
! 883: (BACKEND->use_alpn ? &inbuf_desc : NULL),
! 884: 0, &BACKEND->ctxt->ctxt_handle,
! 885: &outbuf_desc, &BACKEND->ret_flags, &BACKEND->ctxt->time_stamp);
! 886:
! 887: Curl_unicodefree(host_name);
! 888:
! 889: if(sspi_status != SEC_I_CONTINUE_NEEDED) {
! 890: char buffer[STRERROR_LEN];
! 891: Curl_safefree(BACKEND->ctxt);
! 892: switch(sspi_status) {
! 893: case SEC_E_INSUFFICIENT_MEMORY:
! 894: failf(data, "schannel: initial InitializeSecurityContext failed: %s",
! 895: Curl_sspi_strerror(sspi_status, buffer, sizeof(buffer)));
! 896: return CURLE_OUT_OF_MEMORY;
! 897: case SEC_E_WRONG_PRINCIPAL:
! 898: failf(data, "schannel: SNI or certificate check failed: %s",
! 899: Curl_sspi_strerror(sspi_status, buffer, sizeof(buffer)));
! 900: return CURLE_PEER_FAILED_VERIFICATION;
! 901: /*
! 902: case SEC_E_INVALID_HANDLE:
! 903: case SEC_E_INVALID_TOKEN:
! 904: case SEC_E_LOGON_DENIED:
! 905: case SEC_E_TARGET_UNKNOWN:
! 906: case SEC_E_NO_AUTHENTICATING_AUTHORITY:
! 907: case SEC_E_INTERNAL_ERROR:
! 908: case SEC_E_NO_CREDENTIALS:
! 909: case SEC_E_UNSUPPORTED_FUNCTION:
! 910: case SEC_E_APPLICATION_PROTOCOL_MISMATCH:
! 911: */
! 912: default:
! 913: failf(data, "schannel: initial InitializeSecurityContext failed: %s",
! 914: Curl_sspi_strerror(sspi_status, buffer, sizeof(buffer)));
! 915: return CURLE_SSL_CONNECT_ERROR;
! 916: }
! 917: }
! 918:
! 919: DEBUGF(infof(data, "schannel: sending initial handshake data: "
! 920: "sending %lu bytes...\n", outbuf.cbBuffer));
! 921:
! 922: /* send initial handshake data which is now stored in output buffer */
! 923: result = Curl_write_plain(conn, conn->sock[sockindex], outbuf.pvBuffer,
! 924: outbuf.cbBuffer, &written);
! 925: s_pSecFn->FreeContextBuffer(outbuf.pvBuffer);
! 926: if((result != CURLE_OK) || (outbuf.cbBuffer != (size_t) written)) {
! 927: failf(data, "schannel: failed to send initial handshake data: "
! 928: "sent %zd of %lu bytes", written, outbuf.cbBuffer);
! 929: return CURLE_SSL_CONNECT_ERROR;
! 930: }
! 931:
! 932: DEBUGF(infof(data, "schannel: sent initial handshake data: "
! 933: "sent %zd bytes\n", written));
! 934:
! 935: BACKEND->recv_unrecoverable_err = CURLE_OK;
! 936: BACKEND->recv_sspi_close_notify = false;
! 937: BACKEND->recv_connection_closed = false;
! 938: BACKEND->encdata_is_incomplete = false;
! 939:
! 940: /* continue to second handshake step */
! 941: connssl->connecting_state = ssl_connect_2;
! 942:
! 943: return CURLE_OK;
! 944: }
! 945:
! 946: static CURLcode
! 947: schannel_connect_step2(struct connectdata *conn, int sockindex)
! 948: {
! 949: int i;
! 950: ssize_t nread = -1, written = -1;
! 951: struct Curl_easy *data = conn->data;
! 952: struct ssl_connect_data *connssl = &conn->ssl[sockindex];
! 953: unsigned char *reallocated_buffer;
! 954: SecBuffer outbuf[3];
! 955: SecBufferDesc outbuf_desc;
! 956: SecBuffer inbuf[2];
! 957: SecBufferDesc inbuf_desc;
! 958: SECURITY_STATUS sspi_status = SEC_E_OK;
! 959: CURLcode result;
! 960: bool doread;
! 961: char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
! 962: conn->host.name;
! 963: const char *pubkey_ptr;
! 964:
! 965: doread = (connssl->connecting_state != ssl_connect_2_writing) ? TRUE : FALSE;
! 966:
! 967: DEBUGF(infof(data,
! 968: "schannel: SSL/TLS connection with %s port %hu (step 2/3)\n",
! 969: hostname, conn->remote_port));
! 970:
! 971: if(!BACKEND->cred || !BACKEND->ctxt)
! 972: return CURLE_SSL_CONNECT_ERROR;
! 973:
! 974: /* buffer to store previously received and decrypted data */
! 975: if(BACKEND->decdata_buffer == NULL) {
! 976: BACKEND->decdata_offset = 0;
! 977: BACKEND->decdata_length = CURL_SCHANNEL_BUFFER_INIT_SIZE;
! 978: BACKEND->decdata_buffer = malloc(BACKEND->decdata_length);
! 979: if(BACKEND->decdata_buffer == NULL) {
! 980: failf(data, "schannel: unable to allocate memory");
! 981: return CURLE_OUT_OF_MEMORY;
! 982: }
! 983: }
! 984:
! 985: /* buffer to store previously received and encrypted data */
! 986: if(BACKEND->encdata_buffer == NULL) {
! 987: BACKEND->encdata_is_incomplete = false;
! 988: BACKEND->encdata_offset = 0;
! 989: BACKEND->encdata_length = CURL_SCHANNEL_BUFFER_INIT_SIZE;
! 990: BACKEND->encdata_buffer = malloc(BACKEND->encdata_length);
! 991: if(BACKEND->encdata_buffer == NULL) {
! 992: failf(data, "schannel: unable to allocate memory");
! 993: return CURLE_OUT_OF_MEMORY;
! 994: }
! 995: }
! 996:
! 997: /* if we need a bigger buffer to read a full message, increase buffer now */
! 998: if(BACKEND->encdata_length - BACKEND->encdata_offset <
! 999: CURL_SCHANNEL_BUFFER_FREE_SIZE) {
! 1000: /* increase internal encrypted data buffer */
! 1001: size_t reallocated_length = BACKEND->encdata_offset +
! 1002: CURL_SCHANNEL_BUFFER_FREE_SIZE;
! 1003: reallocated_buffer = realloc(BACKEND->encdata_buffer,
! 1004: reallocated_length);
! 1005:
! 1006: if(reallocated_buffer == NULL) {
! 1007: failf(data, "schannel: unable to re-allocate memory");
! 1008: return CURLE_OUT_OF_MEMORY;
! 1009: }
! 1010: else {
! 1011: BACKEND->encdata_buffer = reallocated_buffer;
! 1012: BACKEND->encdata_length = reallocated_length;
! 1013: }
! 1014: }
! 1015:
! 1016: for(;;) {
! 1017: TCHAR *host_name;
! 1018: if(doread) {
! 1019: /* read encrypted handshake data from socket */
! 1020: result = Curl_read_plain(conn->sock[sockindex],
! 1021: (char *) (BACKEND->encdata_buffer +
! 1022: BACKEND->encdata_offset),
! 1023: BACKEND->encdata_length -
! 1024: BACKEND->encdata_offset,
! 1025: &nread);
! 1026: if(result == CURLE_AGAIN) {
! 1027: if(connssl->connecting_state != ssl_connect_2_writing)
! 1028: connssl->connecting_state = ssl_connect_2_reading;
! 1029: DEBUGF(infof(data, "schannel: failed to receive handshake, "
! 1030: "need more data\n"));
! 1031: return CURLE_OK;
! 1032: }
! 1033: else if((result != CURLE_OK) || (nread == 0)) {
! 1034: failf(data, "schannel: failed to receive handshake, "
! 1035: "SSL/TLS connection failed");
! 1036: return CURLE_SSL_CONNECT_ERROR;
! 1037: }
! 1038:
! 1039: /* increase encrypted data buffer offset */
! 1040: BACKEND->encdata_offset += nread;
! 1041: BACKEND->encdata_is_incomplete = false;
! 1042: DEBUGF(infof(data, "schannel: encrypted data got %zd\n", nread));
! 1043: }
! 1044:
! 1045: DEBUGF(infof(data,
! 1046: "schannel: encrypted data buffer: offset %zu length %zu\n",
! 1047: BACKEND->encdata_offset, BACKEND->encdata_length));
! 1048:
! 1049: /* setup input buffers */
! 1050: InitSecBuffer(&inbuf[0], SECBUFFER_TOKEN, malloc(BACKEND->encdata_offset),
! 1051: curlx_uztoul(BACKEND->encdata_offset));
! 1052: InitSecBuffer(&inbuf[1], SECBUFFER_EMPTY, NULL, 0);
! 1053: InitSecBufferDesc(&inbuf_desc, inbuf, 2);
! 1054:
! 1055: /* setup output buffers */
! 1056: InitSecBuffer(&outbuf[0], SECBUFFER_TOKEN, NULL, 0);
! 1057: InitSecBuffer(&outbuf[1], SECBUFFER_ALERT, NULL, 0);
! 1058: InitSecBuffer(&outbuf[2], SECBUFFER_EMPTY, NULL, 0);
! 1059: InitSecBufferDesc(&outbuf_desc, outbuf, 3);
! 1060:
! 1061: if(inbuf[0].pvBuffer == NULL) {
! 1062: failf(data, "schannel: unable to allocate memory");
! 1063: return CURLE_OUT_OF_MEMORY;
! 1064: }
! 1065:
! 1066: /* copy received handshake data into input buffer */
! 1067: memcpy(inbuf[0].pvBuffer, BACKEND->encdata_buffer,
! 1068: BACKEND->encdata_offset);
! 1069:
! 1070: host_name = Curl_convert_UTF8_to_tchar(hostname);
! 1071: if(!host_name)
! 1072: return CURLE_OUT_OF_MEMORY;
! 1073:
! 1074: /* https://msdn.microsoft.com/en-us/library/windows/desktop/aa375924.aspx
! 1075: */
! 1076: sspi_status = s_pSecFn->InitializeSecurityContext(
! 1077: &BACKEND->cred->cred_handle, &BACKEND->ctxt->ctxt_handle,
! 1078: host_name, BACKEND->req_flags, 0, 0, &inbuf_desc, 0, NULL,
! 1079: &outbuf_desc, &BACKEND->ret_flags, &BACKEND->ctxt->time_stamp);
! 1080:
! 1081: Curl_unicodefree(host_name);
! 1082:
! 1083: /* free buffer for received handshake data */
! 1084: Curl_safefree(inbuf[0].pvBuffer);
! 1085:
! 1086: /* check if the handshake was incomplete */
! 1087: if(sspi_status == SEC_E_INCOMPLETE_MESSAGE) {
! 1088: BACKEND->encdata_is_incomplete = true;
! 1089: connssl->connecting_state = ssl_connect_2_reading;
! 1090: DEBUGF(infof(data,
! 1091: "schannel: received incomplete message, need more data\n"));
! 1092: return CURLE_OK;
! 1093: }
! 1094:
! 1095: /* If the server has requested a client certificate, attempt to continue
! 1096: the handshake without one. This will allow connections to servers which
! 1097: request a client certificate but do not require it. */
! 1098: if(sspi_status == SEC_I_INCOMPLETE_CREDENTIALS &&
! 1099: !(BACKEND->req_flags & ISC_REQ_USE_SUPPLIED_CREDS)) {
! 1100: BACKEND->req_flags |= ISC_REQ_USE_SUPPLIED_CREDS;
! 1101: connssl->connecting_state = ssl_connect_2_writing;
! 1102: DEBUGF(infof(data,
! 1103: "schannel: a client certificate has been requested\n"));
! 1104: return CURLE_OK;
! 1105: }
! 1106:
! 1107: /* check if the handshake needs to be continued */
! 1108: if(sspi_status == SEC_I_CONTINUE_NEEDED || sspi_status == SEC_E_OK) {
! 1109: for(i = 0; i < 3; i++) {
! 1110: /* search for handshake tokens that need to be send */
! 1111: if(outbuf[i].BufferType == SECBUFFER_TOKEN && outbuf[i].cbBuffer > 0) {
! 1112: DEBUGF(infof(data, "schannel: sending next handshake data: "
! 1113: "sending %lu bytes...\n", outbuf[i].cbBuffer));
! 1114:
! 1115: /* send handshake token to server */
! 1116: result = Curl_write_plain(conn, conn->sock[sockindex],
! 1117: outbuf[i].pvBuffer, outbuf[i].cbBuffer,
! 1118: &written);
! 1119: if((result != CURLE_OK) ||
! 1120: (outbuf[i].cbBuffer != (size_t) written)) {
! 1121: failf(data, "schannel: failed to send next handshake data: "
! 1122: "sent %zd of %lu bytes", written, outbuf[i].cbBuffer);
! 1123: return CURLE_SSL_CONNECT_ERROR;
! 1124: }
! 1125: }
! 1126:
! 1127: /* free obsolete buffer */
! 1128: if(outbuf[i].pvBuffer != NULL) {
! 1129: s_pSecFn->FreeContextBuffer(outbuf[i].pvBuffer);
! 1130: }
! 1131: }
! 1132: }
! 1133: else {
! 1134: char buffer[STRERROR_LEN];
! 1135: switch(sspi_status) {
! 1136: case SEC_E_INSUFFICIENT_MEMORY:
! 1137: failf(data, "schannel: next InitializeSecurityContext failed: %s",
! 1138: Curl_sspi_strerror(sspi_status, buffer, sizeof(buffer)));
! 1139: return CURLE_OUT_OF_MEMORY;
! 1140: case SEC_E_WRONG_PRINCIPAL:
! 1141: failf(data, "schannel: SNI or certificate check failed: %s",
! 1142: Curl_sspi_strerror(sspi_status, buffer, sizeof(buffer)));
! 1143: return CURLE_PEER_FAILED_VERIFICATION;
! 1144: /*
! 1145: case SEC_E_INVALID_HANDLE:
! 1146: case SEC_E_INVALID_TOKEN:
! 1147: case SEC_E_LOGON_DENIED:
! 1148: case SEC_E_TARGET_UNKNOWN:
! 1149: case SEC_E_NO_AUTHENTICATING_AUTHORITY:
! 1150: case SEC_E_INTERNAL_ERROR:
! 1151: case SEC_E_NO_CREDENTIALS:
! 1152: case SEC_E_UNSUPPORTED_FUNCTION:
! 1153: case SEC_E_APPLICATION_PROTOCOL_MISMATCH:
! 1154: */
! 1155: default:
! 1156: failf(data, "schannel: next InitializeSecurityContext failed: %s",
! 1157: Curl_sspi_strerror(sspi_status, buffer, sizeof(buffer)));
! 1158: return CURLE_SSL_CONNECT_ERROR;
! 1159: }
! 1160: }
! 1161:
! 1162: /* check if there was additional remaining encrypted data */
! 1163: if(inbuf[1].BufferType == SECBUFFER_EXTRA && inbuf[1].cbBuffer > 0) {
! 1164: DEBUGF(infof(data, "schannel: encrypted data length: %lu\n",
! 1165: inbuf[1].cbBuffer));
! 1166: /*
! 1167: There are two cases where we could be getting extra data here:
! 1168: 1) If we're renegotiating a connection and the handshake is already
! 1169: complete (from the server perspective), it can encrypted app data
! 1170: (not handshake data) in an extra buffer at this point.
! 1171: 2) (sspi_status == SEC_I_CONTINUE_NEEDED) We are negotiating a
! 1172: connection and this extra data is part of the handshake.
! 1173: We should process the data immediately; waiting for the socket to
! 1174: be ready may fail since the server is done sending handshake data.
! 1175: */
! 1176: /* check if the remaining data is less than the total amount
! 1177: and therefore begins after the already processed data */
! 1178: if(BACKEND->encdata_offset > inbuf[1].cbBuffer) {
! 1179: memmove(BACKEND->encdata_buffer,
! 1180: (BACKEND->encdata_buffer + BACKEND->encdata_offset) -
! 1181: inbuf[1].cbBuffer, inbuf[1].cbBuffer);
! 1182: BACKEND->encdata_offset = inbuf[1].cbBuffer;
! 1183: if(sspi_status == SEC_I_CONTINUE_NEEDED) {
! 1184: doread = FALSE;
! 1185: continue;
! 1186: }
! 1187: }
! 1188: }
! 1189: else {
! 1190: BACKEND->encdata_offset = 0;
! 1191: }
! 1192: break;
! 1193: }
! 1194:
! 1195: /* check if the handshake needs to be continued */
! 1196: if(sspi_status == SEC_I_CONTINUE_NEEDED) {
! 1197: connssl->connecting_state = ssl_connect_2_reading;
! 1198: return CURLE_OK;
! 1199: }
! 1200:
! 1201: /* check if the handshake is complete */
! 1202: if(sspi_status == SEC_E_OK) {
! 1203: connssl->connecting_state = ssl_connect_3;
! 1204: DEBUGF(infof(data, "schannel: SSL/TLS handshake complete\n"));
! 1205: }
! 1206:
! 1207: pubkey_ptr = SSL_IS_PROXY() ?
! 1208: data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] :
! 1209: data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
! 1210: if(pubkey_ptr) {
! 1211: result = pkp_pin_peer_pubkey(conn, sockindex, pubkey_ptr);
! 1212: if(result) {
! 1213: failf(data, "SSL: public key does not match pinned public key!");
! 1214: return result;
! 1215: }
! 1216: }
! 1217:
! 1218: #ifdef HAS_MANUAL_VERIFY_API
! 1219: if(conn->ssl_config.verifypeer && BACKEND->use_manual_cred_validation) {
! 1220: return Curl_verify_certificate(conn, sockindex);
! 1221: }
! 1222: #endif
! 1223:
! 1224: return CURLE_OK;
! 1225: }
! 1226:
! 1227: static bool
! 1228: valid_cert_encoding(const CERT_CONTEXT *cert_context)
! 1229: {
! 1230: return (cert_context != NULL) &&
! 1231: ((cert_context->dwCertEncodingType & X509_ASN_ENCODING) != 0) &&
! 1232: (cert_context->pbCertEncoded != NULL) &&
! 1233: (cert_context->cbCertEncoded > 0);
! 1234: }
! 1235:
! 1236: typedef bool(*Read_crt_func)(const CERT_CONTEXT *ccert_context, void *arg);
! 1237:
! 1238: static void
! 1239: traverse_cert_store(const CERT_CONTEXT *context, Read_crt_func func,
! 1240: void *arg)
! 1241: {
! 1242: const CERT_CONTEXT *current_context = NULL;
! 1243: bool should_continue = true;
! 1244: while(should_continue &&
! 1245: (current_context = CertEnumCertificatesInStore(
! 1246: context->hCertStore,
! 1247: current_context)) != NULL)
! 1248: should_continue = func(current_context, arg);
! 1249:
! 1250: if(current_context)
! 1251: CertFreeCertificateContext(current_context);
! 1252: }
! 1253:
! 1254: static bool
! 1255: cert_counter_callback(const CERT_CONTEXT *ccert_context, void *certs_count)
! 1256: {
! 1257: if(valid_cert_encoding(ccert_context))
! 1258: (*(int *)certs_count)++;
! 1259: return true;
! 1260: }
! 1261:
! 1262: struct Adder_args
! 1263: {
! 1264: struct connectdata *conn;
! 1265: CURLcode result;
! 1266: int idx;
! 1267: int certs_count;
! 1268: };
! 1269:
! 1270: static bool
! 1271: add_cert_to_certinfo(const CERT_CONTEXT *ccert_context, void *raw_arg)
! 1272: {
! 1273: struct Adder_args *args = (struct Adder_args*)raw_arg;
! 1274: args->result = CURLE_OK;
! 1275: if(valid_cert_encoding(ccert_context)) {
! 1276: const char *beg = (const char *) ccert_context->pbCertEncoded;
! 1277: const char *end = beg + ccert_context->cbCertEncoded;
! 1278: int insert_index = (args->certs_count - 1) - args->idx;
! 1279: args->result = Curl_extract_certinfo(args->conn, insert_index, beg, end);
! 1280: args->idx++;
! 1281: }
! 1282: return args->result == CURLE_OK;
! 1283: }
! 1284:
! 1285: static CURLcode
! 1286: schannel_connect_step3(struct connectdata *conn, int sockindex)
! 1287: {
! 1288: CURLcode result = CURLE_OK;
! 1289: struct Curl_easy *data = conn->data;
! 1290: struct ssl_connect_data *connssl = &conn->ssl[sockindex];
! 1291: SECURITY_STATUS sspi_status = SEC_E_OK;
! 1292: CERT_CONTEXT *ccert_context = NULL;
! 1293: #ifdef DEBUGBUILD
! 1294: const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
! 1295: conn->host.name;
! 1296: #endif
! 1297: #ifdef HAS_ALPN
! 1298: SecPkgContext_ApplicationProtocol alpn_result;
! 1299: #endif
! 1300:
! 1301: DEBUGASSERT(ssl_connect_3 == connssl->connecting_state);
! 1302:
! 1303: DEBUGF(infof(data,
! 1304: "schannel: SSL/TLS connection with %s port %hu (step 3/3)\n",
! 1305: hostname, conn->remote_port));
! 1306:
! 1307: if(!BACKEND->cred)
! 1308: return CURLE_SSL_CONNECT_ERROR;
! 1309:
! 1310: /* check if the required context attributes are met */
! 1311: if(BACKEND->ret_flags != BACKEND->req_flags) {
! 1312: if(!(BACKEND->ret_flags & ISC_RET_SEQUENCE_DETECT))
! 1313: failf(data, "schannel: failed to setup sequence detection");
! 1314: if(!(BACKEND->ret_flags & ISC_RET_REPLAY_DETECT))
! 1315: failf(data, "schannel: failed to setup replay detection");
! 1316: if(!(BACKEND->ret_flags & ISC_RET_CONFIDENTIALITY))
! 1317: failf(data, "schannel: failed to setup confidentiality");
! 1318: if(!(BACKEND->ret_flags & ISC_RET_ALLOCATED_MEMORY))
! 1319: failf(data, "schannel: failed to setup memory allocation");
! 1320: if(!(BACKEND->ret_flags & ISC_RET_STREAM))
! 1321: failf(data, "schannel: failed to setup stream orientation");
! 1322: return CURLE_SSL_CONNECT_ERROR;
! 1323: }
! 1324:
! 1325: #ifdef HAS_ALPN
! 1326: if(BACKEND->use_alpn) {
! 1327: sspi_status = s_pSecFn->QueryContextAttributes(&BACKEND->ctxt->ctxt_handle,
! 1328: SECPKG_ATTR_APPLICATION_PROTOCOL, &alpn_result);
! 1329:
! 1330: if(sspi_status != SEC_E_OK) {
! 1331: failf(data, "schannel: failed to retrieve ALPN result");
! 1332: return CURLE_SSL_CONNECT_ERROR;
! 1333: }
! 1334:
! 1335: if(alpn_result.ProtoNegoStatus ==
! 1336: SecApplicationProtocolNegotiationStatus_Success) {
! 1337:
! 1338: infof(data, "schannel: ALPN, server accepted to use %.*s\n",
! 1339: alpn_result.ProtocolIdSize, alpn_result.ProtocolId);
! 1340:
! 1341: #ifdef USE_NGHTTP2
! 1342: if(alpn_result.ProtocolIdSize == NGHTTP2_PROTO_VERSION_ID_LEN &&
! 1343: !memcmp(NGHTTP2_PROTO_VERSION_ID, alpn_result.ProtocolId,
! 1344: NGHTTP2_PROTO_VERSION_ID_LEN)) {
! 1345: conn->negnpn = CURL_HTTP_VERSION_2;
! 1346: }
! 1347: else
! 1348: #endif
! 1349: if(alpn_result.ProtocolIdSize == ALPN_HTTP_1_1_LENGTH &&
! 1350: !memcmp(ALPN_HTTP_1_1, alpn_result.ProtocolId,
! 1351: ALPN_HTTP_1_1_LENGTH)) {
! 1352: conn->negnpn = CURL_HTTP_VERSION_1_1;
! 1353: }
! 1354: }
! 1355: else
! 1356: infof(data, "ALPN, server did not agree to a protocol\n");
! 1357: Curl_multiuse_state(conn, conn->negnpn == CURL_HTTP_VERSION_2 ?
! 1358: BUNDLE_MULTIPLEX : BUNDLE_NO_MULTIUSE);
! 1359: }
! 1360: #endif
! 1361:
! 1362: /* save the current session data for possible re-use */
! 1363: if(SSL_SET_OPTION(primary.sessionid)) {
! 1364: bool incache;
! 1365: struct curl_schannel_cred *old_cred = NULL;
! 1366:
! 1367: Curl_ssl_sessionid_lock(conn);
! 1368: incache = !(Curl_ssl_getsessionid(conn, (void **)&old_cred, NULL,
! 1369: sockindex));
! 1370: if(incache) {
! 1371: if(old_cred != BACKEND->cred) {
! 1372: DEBUGF(infof(data,
! 1373: "schannel: old credential handle is stale, removing\n"));
! 1374: /* we're not taking old_cred ownership here, no refcount++ is needed */
! 1375: Curl_ssl_delsessionid(conn, (void *)old_cred);
! 1376: incache = FALSE;
! 1377: }
! 1378: }
! 1379: if(!incache) {
! 1380: result = Curl_ssl_addsessionid(conn, (void *)BACKEND->cred,
! 1381: sizeof(struct curl_schannel_cred),
! 1382: sockindex);
! 1383: if(result) {
! 1384: Curl_ssl_sessionid_unlock(conn);
! 1385: failf(data, "schannel: failed to store credential handle");
! 1386: return result;
! 1387: }
! 1388: else {
! 1389: /* this cred session is now also referenced by sessionid cache */
! 1390: BACKEND->cred->refcount++;
! 1391: DEBUGF(infof(data,
! 1392: "schannel: stored credential handle in session cache\n"));
! 1393: }
! 1394: }
! 1395: Curl_ssl_sessionid_unlock(conn);
! 1396: }
! 1397:
! 1398: if(data->set.ssl.certinfo) {
! 1399: int certs_count = 0;
! 1400: sspi_status = s_pSecFn->QueryContextAttributes(&BACKEND->ctxt->ctxt_handle,
! 1401: SECPKG_ATTR_REMOTE_CERT_CONTEXT, &ccert_context);
! 1402:
! 1403: if((sspi_status != SEC_E_OK) || (ccert_context == NULL)) {
! 1404: failf(data, "schannel: failed to retrieve remote cert context");
! 1405: return CURLE_PEER_FAILED_VERIFICATION;
! 1406: }
! 1407:
! 1408: traverse_cert_store(ccert_context, cert_counter_callback, &certs_count);
! 1409:
! 1410: result = Curl_ssl_init_certinfo(data, certs_count);
! 1411: if(!result) {
! 1412: struct Adder_args args;
! 1413: args.conn = conn;
! 1414: args.idx = 0;
! 1415: args.certs_count = certs_count;
! 1416: traverse_cert_store(ccert_context, add_cert_to_certinfo, &args);
! 1417: result = args.result;
! 1418: }
! 1419: CertFreeCertificateContext(ccert_context);
! 1420: if(result)
! 1421: return result;
! 1422: }
! 1423:
! 1424: connssl->connecting_state = ssl_connect_done;
! 1425:
! 1426: return CURLE_OK;
! 1427: }
! 1428:
! 1429: static CURLcode
! 1430: schannel_connect_common(struct connectdata *conn, int sockindex,
! 1431: bool nonblocking, bool *done)
! 1432: {
! 1433: CURLcode result;
! 1434: struct Curl_easy *data = conn->data;
! 1435: struct ssl_connect_data *connssl = &conn->ssl[sockindex];
! 1436: curl_socket_t sockfd = conn->sock[sockindex];
! 1437: timediff_t timeout_ms;
! 1438: int what;
! 1439:
! 1440: /* check if the connection has already been established */
! 1441: if(ssl_connection_complete == connssl->state) {
! 1442: *done = TRUE;
! 1443: return CURLE_OK;
! 1444: }
! 1445:
! 1446: if(ssl_connect_1 == connssl->connecting_state) {
! 1447: /* check out how much more time we're allowed */
! 1448: timeout_ms = Curl_timeleft(data, NULL, TRUE);
! 1449:
! 1450: if(timeout_ms < 0) {
! 1451: /* no need to continue if time already is up */
! 1452: failf(data, "SSL/TLS connection timeout");
! 1453: return CURLE_OPERATION_TIMEDOUT;
! 1454: }
! 1455:
! 1456: result = schannel_connect_step1(conn, sockindex);
! 1457: if(result)
! 1458: return result;
! 1459: }
! 1460:
! 1461: while(ssl_connect_2 == connssl->connecting_state ||
! 1462: ssl_connect_2_reading == connssl->connecting_state ||
! 1463: ssl_connect_2_writing == connssl->connecting_state) {
! 1464:
! 1465: /* check out how much more time we're allowed */
! 1466: timeout_ms = Curl_timeleft(data, NULL, TRUE);
! 1467:
! 1468: if(timeout_ms < 0) {
! 1469: /* no need to continue if time already is up */
! 1470: failf(data, "SSL/TLS connection timeout");
! 1471: return CURLE_OPERATION_TIMEDOUT;
! 1472: }
! 1473:
! 1474: /* if ssl is expecting something, check if it's available. */
! 1475: if(connssl->connecting_state == ssl_connect_2_reading
! 1476: || connssl->connecting_state == ssl_connect_2_writing) {
! 1477:
! 1478: curl_socket_t writefd = ssl_connect_2_writing ==
! 1479: connssl->connecting_state ? sockfd : CURL_SOCKET_BAD;
! 1480: curl_socket_t readfd = ssl_connect_2_reading ==
! 1481: connssl->connecting_state ? sockfd : CURL_SOCKET_BAD;
! 1482:
! 1483: what = Curl_socket_check(readfd, CURL_SOCKET_BAD, writefd,
! 1484: nonblocking ? 0 : (time_t)timeout_ms);
! 1485: if(what < 0) {
! 1486: /* fatal error */
! 1487: failf(data, "select/poll on SSL/TLS socket, errno: %d", SOCKERRNO);
! 1488: return CURLE_SSL_CONNECT_ERROR;
! 1489: }
! 1490: else if(0 == what) {
! 1491: if(nonblocking) {
! 1492: *done = FALSE;
! 1493: return CURLE_OK;
! 1494: }
! 1495: else {
! 1496: /* timeout */
! 1497: failf(data, "SSL/TLS connection timeout");
! 1498: return CURLE_OPERATION_TIMEDOUT;
! 1499: }
! 1500: }
! 1501: /* socket is readable or writable */
! 1502: }
! 1503:
! 1504: /* Run transaction, and return to the caller if it failed or if
! 1505: * this connection is part of a multi handle and this loop would
! 1506: * execute again. This permits the owner of a multi handle to
! 1507: * abort a connection attempt before step2 has completed while
! 1508: * ensuring that a client using select() or epoll() will always
! 1509: * have a valid fdset to wait on.
! 1510: */
! 1511: result = schannel_connect_step2(conn, sockindex);
! 1512: if(result || (nonblocking &&
! 1513: (ssl_connect_2 == connssl->connecting_state ||
! 1514: ssl_connect_2_reading == connssl->connecting_state ||
! 1515: ssl_connect_2_writing == connssl->connecting_state)))
! 1516: return result;
! 1517:
! 1518: } /* repeat step2 until all transactions are done. */
! 1519:
! 1520: if(ssl_connect_3 == connssl->connecting_state) {
! 1521: result = schannel_connect_step3(conn, sockindex);
! 1522: if(result)
! 1523: return result;
! 1524: }
! 1525:
! 1526: if(ssl_connect_done == connssl->connecting_state) {
! 1527: connssl->state = ssl_connection_complete;
! 1528: conn->recv[sockindex] = schannel_recv;
! 1529: conn->send[sockindex] = schannel_send;
! 1530:
! 1531: #ifdef SECPKG_ATTR_ENDPOINT_BINDINGS
! 1532: /* When SSPI is used in combination with Schannel
! 1533: * we need the Schannel context to create the Schannel
! 1534: * binding to pass the IIS extended protection checks.
! 1535: * Available on Windows 7 or later.
! 1536: */
! 1537: conn->sslContext = &BACKEND->ctxt->ctxt_handle;
! 1538: #endif
! 1539:
! 1540: *done = TRUE;
! 1541: }
! 1542: else
! 1543: *done = FALSE;
! 1544:
! 1545: /* reset our connection state machine */
! 1546: connssl->connecting_state = ssl_connect_1;
! 1547:
! 1548: return CURLE_OK;
! 1549: }
! 1550:
! 1551: static ssize_t
! 1552: schannel_send(struct connectdata *conn, int sockindex,
! 1553: const void *buf, size_t len, CURLcode *err)
! 1554: {
! 1555: ssize_t written = -1;
! 1556: size_t data_len = 0;
! 1557: unsigned char *data = NULL;
! 1558: struct ssl_connect_data *connssl = &conn->ssl[sockindex];
! 1559: SecBuffer outbuf[4];
! 1560: SecBufferDesc outbuf_desc;
! 1561: SECURITY_STATUS sspi_status = SEC_E_OK;
! 1562: CURLcode result;
! 1563:
! 1564: /* check if the maximum stream sizes were queried */
! 1565: if(BACKEND->stream_sizes.cbMaximumMessage == 0) {
! 1566: sspi_status = s_pSecFn->QueryContextAttributes(
! 1567: &BACKEND->ctxt->ctxt_handle,
! 1568: SECPKG_ATTR_STREAM_SIZES,
! 1569: &BACKEND->stream_sizes);
! 1570: if(sspi_status != SEC_E_OK) {
! 1571: *err = CURLE_SEND_ERROR;
! 1572: return -1;
! 1573: }
! 1574: }
! 1575:
! 1576: /* check if the buffer is longer than the maximum message length */
! 1577: if(len > BACKEND->stream_sizes.cbMaximumMessage) {
! 1578: len = BACKEND->stream_sizes.cbMaximumMessage;
! 1579: }
! 1580:
! 1581: /* calculate the complete message length and allocate a buffer for it */
! 1582: data_len = BACKEND->stream_sizes.cbHeader + len +
! 1583: BACKEND->stream_sizes.cbTrailer;
! 1584: data = (unsigned char *) malloc(data_len);
! 1585: if(data == NULL) {
! 1586: *err = CURLE_OUT_OF_MEMORY;
! 1587: return -1;
! 1588: }
! 1589:
! 1590: /* setup output buffers (header, data, trailer, empty) */
! 1591: InitSecBuffer(&outbuf[0], SECBUFFER_STREAM_HEADER,
! 1592: data, BACKEND->stream_sizes.cbHeader);
! 1593: InitSecBuffer(&outbuf[1], SECBUFFER_DATA,
! 1594: data + BACKEND->stream_sizes.cbHeader, curlx_uztoul(len));
! 1595: InitSecBuffer(&outbuf[2], SECBUFFER_STREAM_TRAILER,
! 1596: data + BACKEND->stream_sizes.cbHeader + len,
! 1597: BACKEND->stream_sizes.cbTrailer);
! 1598: InitSecBuffer(&outbuf[3], SECBUFFER_EMPTY, NULL, 0);
! 1599: InitSecBufferDesc(&outbuf_desc, outbuf, 4);
! 1600:
! 1601: /* copy data into output buffer */
! 1602: memcpy(outbuf[1].pvBuffer, buf, len);
! 1603:
! 1604: /* https://msdn.microsoft.com/en-us/library/windows/desktop/aa375390.aspx */
! 1605: sspi_status = s_pSecFn->EncryptMessage(&BACKEND->ctxt->ctxt_handle, 0,
! 1606: &outbuf_desc, 0);
! 1607:
! 1608: /* check if the message was encrypted */
! 1609: if(sspi_status == SEC_E_OK) {
! 1610: written = 0;
! 1611:
! 1612: /* send the encrypted message including header, data and trailer */
! 1613: len = outbuf[0].cbBuffer + outbuf[1].cbBuffer + outbuf[2].cbBuffer;
! 1614:
! 1615: /*
! 1616: It's important to send the full message which includes the header,
! 1617: encrypted payload, and trailer. Until the client receives all the
! 1618: data a coherent message has not been delivered and the client
! 1619: can't read any of it.
! 1620:
! 1621: If we wanted to buffer the unwritten encrypted bytes, we would
! 1622: tell the client that all data it has requested to be sent has been
! 1623: sent. The unwritten encrypted bytes would be the first bytes to
! 1624: send on the next invocation.
! 1625: Here's the catch with this - if we tell the client that all the
! 1626: bytes have been sent, will the client call this method again to
! 1627: send the buffered data? Looking at who calls this function, it
! 1628: seems the answer is NO.
! 1629: */
! 1630:
! 1631: /* send entire message or fail */
! 1632: while(len > (size_t)written) {
! 1633: ssize_t this_write;
! 1634: timediff_t timeout_ms;
! 1635: int what;
! 1636:
! 1637: this_write = 0;
! 1638:
! 1639: timeout_ms = Curl_timeleft(conn->data, NULL, FALSE);
! 1640: if(timeout_ms < 0) {
! 1641: /* we already got the timeout */
! 1642: failf(conn->data, "schannel: timed out sending data "
! 1643: "(bytes sent: %zd)", written);
! 1644: *err = CURLE_OPERATION_TIMEDOUT;
! 1645: written = -1;
! 1646: break;
! 1647: }
! 1648: if(!timeout_ms)
! 1649: timeout_ms = TIMEDIFF_T_MAX;
! 1650: what = SOCKET_WRITABLE(conn->sock[sockindex], timeout_ms);
! 1651: if(what < 0) {
! 1652: /* fatal error */
! 1653: failf(conn->data, "select/poll on SSL socket, errno: %d", SOCKERRNO);
! 1654: *err = CURLE_SEND_ERROR;
! 1655: written = -1;
! 1656: break;
! 1657: }
! 1658: else if(0 == what) {
! 1659: failf(conn->data, "schannel: timed out sending data "
! 1660: "(bytes sent: %zd)", written);
! 1661: *err = CURLE_OPERATION_TIMEDOUT;
! 1662: written = -1;
! 1663: break;
! 1664: }
! 1665: /* socket is writable */
! 1666:
! 1667: result = Curl_write_plain(conn, conn->sock[sockindex], data + written,
! 1668: len - written, &this_write);
! 1669: if(result == CURLE_AGAIN)
! 1670: continue;
! 1671: else if(result != CURLE_OK) {
! 1672: *err = result;
! 1673: written = -1;
! 1674: break;
! 1675: }
! 1676:
! 1677: written += this_write;
! 1678: }
! 1679: }
! 1680: else if(sspi_status == SEC_E_INSUFFICIENT_MEMORY) {
! 1681: *err = CURLE_OUT_OF_MEMORY;
! 1682: }
! 1683: else{
! 1684: *err = CURLE_SEND_ERROR;
! 1685: }
! 1686:
! 1687: Curl_safefree(data);
! 1688:
! 1689: if(len == (size_t)written)
! 1690: /* Encrypted message including header, data and trailer entirely sent.
! 1691: The return value is the number of unencrypted bytes that were sent. */
! 1692: written = outbuf[1].cbBuffer;
! 1693:
! 1694: return written;
! 1695: }
! 1696:
! 1697: static ssize_t
! 1698: schannel_recv(struct connectdata *conn, int sockindex,
! 1699: char *buf, size_t len, CURLcode *err)
! 1700: {
! 1701: size_t size = 0;
! 1702: ssize_t nread = -1;
! 1703: struct Curl_easy *data = conn->data;
! 1704: struct ssl_connect_data *connssl = &conn->ssl[sockindex];
! 1705: unsigned char *reallocated_buffer;
! 1706: size_t reallocated_length;
! 1707: bool done = FALSE;
! 1708: SecBuffer inbuf[4];
! 1709: SecBufferDesc inbuf_desc;
! 1710: SECURITY_STATUS sspi_status = SEC_E_OK;
! 1711: /* we want the length of the encrypted buffer to be at least large enough
! 1712: that it can hold all the bytes requested and some TLS record overhead. */
! 1713: size_t min_encdata_length = len + CURL_SCHANNEL_BUFFER_FREE_SIZE;
! 1714:
! 1715: /****************************************************************************
! 1716: * Don't return or set BACKEND->recv_unrecoverable_err unless in the cleanup.
! 1717: * The pattern for return error is set *err, optional infof, goto cleanup.
! 1718: *
! 1719: * Our priority is to always return as much decrypted data to the caller as
! 1720: * possible, even if an error occurs. The state of the decrypted buffer must
! 1721: * always be valid. Transfer of decrypted data to the caller's buffer is
! 1722: * handled in the cleanup.
! 1723: */
! 1724:
! 1725: DEBUGF(infof(data, "schannel: client wants to read %zu bytes\n", len));
! 1726: *err = CURLE_OK;
! 1727:
! 1728: if(len && len <= BACKEND->decdata_offset) {
! 1729: infof(data, "schannel: enough decrypted data is already available\n");
! 1730: goto cleanup;
! 1731: }
! 1732: else if(BACKEND->recv_unrecoverable_err) {
! 1733: *err = BACKEND->recv_unrecoverable_err;
! 1734: infof(data, "schannel: an unrecoverable error occurred in a prior call\n");
! 1735: goto cleanup;
! 1736: }
! 1737: else if(BACKEND->recv_sspi_close_notify) {
! 1738: /* once a server has indicated shutdown there is no more encrypted data */
! 1739: infof(data, "schannel: server indicated shutdown in a prior call\n");
! 1740: goto cleanup;
! 1741: }
! 1742: else if(!len) {
! 1743: /* It's debatable what to return when !len. Regardless we can't return
! 1744: immediately because there may be data to decrypt (in the case we want to
! 1745: decrypt all encrypted cached data) so handle !len later in cleanup.
! 1746: */
! 1747: ; /* do nothing */
! 1748: }
! 1749: else if(!BACKEND->recv_connection_closed) {
! 1750: /* increase enc buffer in order to fit the requested amount of data */
! 1751: size = BACKEND->encdata_length - BACKEND->encdata_offset;
! 1752: if(size < CURL_SCHANNEL_BUFFER_FREE_SIZE ||
! 1753: BACKEND->encdata_length < min_encdata_length) {
! 1754: reallocated_length = BACKEND->encdata_offset +
! 1755: CURL_SCHANNEL_BUFFER_FREE_SIZE;
! 1756: if(reallocated_length < min_encdata_length) {
! 1757: reallocated_length = min_encdata_length;
! 1758: }
! 1759: reallocated_buffer = realloc(BACKEND->encdata_buffer,
! 1760: reallocated_length);
! 1761: if(reallocated_buffer == NULL) {
! 1762: *err = CURLE_OUT_OF_MEMORY;
! 1763: failf(data, "schannel: unable to re-allocate memory");
! 1764: goto cleanup;
! 1765: }
! 1766:
! 1767: BACKEND->encdata_buffer = reallocated_buffer;
! 1768: BACKEND->encdata_length = reallocated_length;
! 1769: size = BACKEND->encdata_length - BACKEND->encdata_offset;
! 1770: DEBUGF(infof(data, "schannel: encdata_buffer resized %zu\n",
! 1771: BACKEND->encdata_length));
! 1772: }
! 1773:
! 1774: DEBUGF(infof(data,
! 1775: "schannel: encrypted data buffer: offset %zu length %zu\n",
! 1776: BACKEND->encdata_offset, BACKEND->encdata_length));
! 1777:
! 1778: /* read encrypted data from socket */
! 1779: *err = Curl_read_plain(conn->sock[sockindex],
! 1780: (char *)(BACKEND->encdata_buffer +
! 1781: BACKEND->encdata_offset),
! 1782: size, &nread);
! 1783: if(*err) {
! 1784: nread = -1;
! 1785: if(*err == CURLE_AGAIN)
! 1786: DEBUGF(infof(data,
! 1787: "schannel: Curl_read_plain returned CURLE_AGAIN\n"));
! 1788: else if(*err == CURLE_RECV_ERROR)
! 1789: infof(data, "schannel: Curl_read_plain returned CURLE_RECV_ERROR\n");
! 1790: else
! 1791: infof(data, "schannel: Curl_read_plain returned error %d\n", *err);
! 1792: }
! 1793: else if(nread == 0) {
! 1794: BACKEND->recv_connection_closed = true;
! 1795: DEBUGF(infof(data, "schannel: server closed the connection\n"));
! 1796: }
! 1797: else if(nread > 0) {
! 1798: BACKEND->encdata_offset += (size_t)nread;
! 1799: BACKEND->encdata_is_incomplete = false;
! 1800: DEBUGF(infof(data, "schannel: encrypted data got %zd\n", nread));
! 1801: }
! 1802: }
! 1803:
! 1804: DEBUGF(infof(data,
! 1805: "schannel: encrypted data buffer: offset %zu length %zu\n",
! 1806: BACKEND->encdata_offset, BACKEND->encdata_length));
! 1807:
! 1808: /* decrypt loop */
! 1809: while(BACKEND->encdata_offset > 0 && sspi_status == SEC_E_OK &&
! 1810: (!len || BACKEND->decdata_offset < len ||
! 1811: BACKEND->recv_connection_closed)) {
! 1812: /* prepare data buffer for DecryptMessage call */
! 1813: InitSecBuffer(&inbuf[0], SECBUFFER_DATA, BACKEND->encdata_buffer,
! 1814: curlx_uztoul(BACKEND->encdata_offset));
! 1815:
! 1816: /* we need 3 more empty input buffers for possible output */
! 1817: InitSecBuffer(&inbuf[1], SECBUFFER_EMPTY, NULL, 0);
! 1818: InitSecBuffer(&inbuf[2], SECBUFFER_EMPTY, NULL, 0);
! 1819: InitSecBuffer(&inbuf[3], SECBUFFER_EMPTY, NULL, 0);
! 1820: InitSecBufferDesc(&inbuf_desc, inbuf, 4);
! 1821:
! 1822: /* https://msdn.microsoft.com/en-us/library/windows/desktop/aa375348.aspx
! 1823: */
! 1824: sspi_status = s_pSecFn->DecryptMessage(&BACKEND->ctxt->ctxt_handle,
! 1825: &inbuf_desc, 0, NULL);
! 1826:
! 1827: /* check if everything went fine (server may want to renegotiate
! 1828: or shutdown the connection context) */
! 1829: if(sspi_status == SEC_E_OK || sspi_status == SEC_I_RENEGOTIATE ||
! 1830: sspi_status == SEC_I_CONTEXT_EXPIRED) {
! 1831: /* check for successfully decrypted data, even before actual
! 1832: renegotiation or shutdown of the connection context */
! 1833: if(inbuf[1].BufferType == SECBUFFER_DATA) {
! 1834: DEBUGF(infof(data, "schannel: decrypted data length: %lu\n",
! 1835: inbuf[1].cbBuffer));
! 1836:
! 1837: /* increase buffer in order to fit the received amount of data */
! 1838: size = inbuf[1].cbBuffer > CURL_SCHANNEL_BUFFER_FREE_SIZE ?
! 1839: inbuf[1].cbBuffer : CURL_SCHANNEL_BUFFER_FREE_SIZE;
! 1840: if(BACKEND->decdata_length - BACKEND->decdata_offset < size ||
! 1841: BACKEND->decdata_length < len) {
! 1842: /* increase internal decrypted data buffer */
! 1843: reallocated_length = BACKEND->decdata_offset + size;
! 1844: /* make sure that the requested amount of data fits */
! 1845: if(reallocated_length < len) {
! 1846: reallocated_length = len;
! 1847: }
! 1848: reallocated_buffer = realloc(BACKEND->decdata_buffer,
! 1849: reallocated_length);
! 1850: if(reallocated_buffer == NULL) {
! 1851: *err = CURLE_OUT_OF_MEMORY;
! 1852: failf(data, "schannel: unable to re-allocate memory");
! 1853: goto cleanup;
! 1854: }
! 1855: BACKEND->decdata_buffer = reallocated_buffer;
! 1856: BACKEND->decdata_length = reallocated_length;
! 1857: }
! 1858:
! 1859: /* copy decrypted data to internal buffer */
! 1860: size = inbuf[1].cbBuffer;
! 1861: if(size) {
! 1862: memcpy(BACKEND->decdata_buffer + BACKEND->decdata_offset,
! 1863: inbuf[1].pvBuffer, size);
! 1864: BACKEND->decdata_offset += size;
! 1865: }
! 1866:
! 1867: DEBUGF(infof(data, "schannel: decrypted data added: %zu\n", size));
! 1868: DEBUGF(infof(data,
! 1869: "schannel: decrypted cached: offset %zu length %zu\n",
! 1870: BACKEND->decdata_offset, BACKEND->decdata_length));
! 1871: }
! 1872:
! 1873: /* check for remaining encrypted data */
! 1874: if(inbuf[3].BufferType == SECBUFFER_EXTRA && inbuf[3].cbBuffer > 0) {
! 1875: DEBUGF(infof(data, "schannel: encrypted data length: %lu\n",
! 1876: inbuf[3].cbBuffer));
! 1877:
! 1878: /* check if the remaining data is less than the total amount
! 1879: * and therefore begins after the already processed data
! 1880: */
! 1881: if(BACKEND->encdata_offset > inbuf[3].cbBuffer) {
! 1882: /* move remaining encrypted data forward to the beginning of
! 1883: buffer */
! 1884: memmove(BACKEND->encdata_buffer,
! 1885: (BACKEND->encdata_buffer + BACKEND->encdata_offset) -
! 1886: inbuf[3].cbBuffer, inbuf[3].cbBuffer);
! 1887: BACKEND->encdata_offset = inbuf[3].cbBuffer;
! 1888: }
! 1889:
! 1890: DEBUGF(infof(data,
! 1891: "schannel: encrypted cached: offset %zu length %zu\n",
! 1892: BACKEND->encdata_offset, BACKEND->encdata_length));
! 1893: }
! 1894: else {
! 1895: /* reset encrypted buffer offset, because there is no data remaining */
! 1896: BACKEND->encdata_offset = 0;
! 1897: }
! 1898:
! 1899: /* check if server wants to renegotiate the connection context */
! 1900: if(sspi_status == SEC_I_RENEGOTIATE) {
! 1901: infof(data, "schannel: remote party requests renegotiation\n");
! 1902: if(*err && *err != CURLE_AGAIN) {
! 1903: infof(data, "schannel: can't renogotiate, an error is pending\n");
! 1904: goto cleanup;
! 1905: }
! 1906: if(BACKEND->encdata_offset) {
! 1907: *err = CURLE_RECV_ERROR;
! 1908: infof(data, "schannel: can't renogotiate, "
! 1909: "encrypted data available\n");
! 1910: goto cleanup;
! 1911: }
! 1912: /* begin renegotiation */
! 1913: infof(data, "schannel: renegotiating SSL/TLS connection\n");
! 1914: connssl->state = ssl_connection_negotiating;
! 1915: connssl->connecting_state = ssl_connect_2_writing;
! 1916: *err = schannel_connect_common(conn, sockindex, FALSE, &done);
! 1917: if(*err) {
! 1918: infof(data, "schannel: renegotiation failed\n");
! 1919: goto cleanup;
! 1920: }
! 1921: /* now retry receiving data */
! 1922: sspi_status = SEC_E_OK;
! 1923: infof(data, "schannel: SSL/TLS connection renegotiated\n");
! 1924: continue;
! 1925: }
! 1926: /* check if the server closed the connection */
! 1927: else if(sspi_status == SEC_I_CONTEXT_EXPIRED) {
! 1928: /* In Windows 2000 SEC_I_CONTEXT_EXPIRED (close_notify) is not
! 1929: returned so we have to work around that in cleanup. */
! 1930: BACKEND->recv_sspi_close_notify = true;
! 1931: if(!BACKEND->recv_connection_closed) {
! 1932: BACKEND->recv_connection_closed = true;
! 1933: infof(data, "schannel: server closed the connection\n");
! 1934: }
! 1935: goto cleanup;
! 1936: }
! 1937: }
! 1938: else if(sspi_status == SEC_E_INCOMPLETE_MESSAGE) {
! 1939: BACKEND->encdata_is_incomplete = true;
! 1940: if(!*err)
! 1941: *err = CURLE_AGAIN;
! 1942: infof(data, "schannel: failed to decrypt data, need more data\n");
! 1943: goto cleanup;
! 1944: }
! 1945: else {
! 1946: #ifndef CURL_DISABLE_VERBOSE_STRINGS
! 1947: char buffer[STRERROR_LEN];
! 1948: #endif
! 1949: *err = CURLE_RECV_ERROR;
! 1950: infof(data, "schannel: failed to read data from server: %s\n",
! 1951: Curl_sspi_strerror(sspi_status, buffer, sizeof(buffer)));
! 1952: goto cleanup;
! 1953: }
! 1954: }
! 1955:
! 1956: DEBUGF(infof(data,
! 1957: "schannel: encrypted data buffer: offset %zu length %zu\n",
! 1958: BACKEND->encdata_offset, BACKEND->encdata_length));
! 1959:
! 1960: DEBUGF(infof(data,
! 1961: "schannel: decrypted data buffer: offset %zu length %zu\n",
! 1962: BACKEND->decdata_offset, BACKEND->decdata_length));
! 1963:
! 1964: cleanup:
! 1965: /* Warning- there is no guarantee the encdata state is valid at this point */
! 1966: DEBUGF(infof(data, "schannel: schannel_recv cleanup\n"));
! 1967:
! 1968: /* Error if the connection has closed without a close_notify.
! 1969: Behavior here is a matter of debate. We don't want to be vulnerable to a
! 1970: truncation attack however there's some browser precedent for ignoring the
! 1971: close_notify for compatibility reasons.
! 1972: Additionally, Windows 2000 (v5.0) is a special case since it seems it doesn't
! 1973: return close_notify. In that case if the connection was closed we assume it
! 1974: was graceful (close_notify) since there doesn't seem to be a way to tell.
! 1975: */
! 1976: if(len && !BACKEND->decdata_offset && BACKEND->recv_connection_closed &&
! 1977: !BACKEND->recv_sspi_close_notify) {
! 1978: bool isWin2k = Curl_verify_windows_version(5, 0, PLATFORM_WINNT,
! 1979: VERSION_EQUAL);
! 1980:
! 1981: if(isWin2k && sspi_status == SEC_E_OK)
! 1982: BACKEND->recv_sspi_close_notify = true;
! 1983: else {
! 1984: *err = CURLE_RECV_ERROR;
! 1985: infof(data, "schannel: server closed abruptly (missing close_notify)\n");
! 1986: }
! 1987: }
! 1988:
! 1989: /* Any error other than CURLE_AGAIN is an unrecoverable error. */
! 1990: if(*err && *err != CURLE_AGAIN)
! 1991: BACKEND->recv_unrecoverable_err = *err;
! 1992:
! 1993: size = len < BACKEND->decdata_offset ? len : BACKEND->decdata_offset;
! 1994: if(size) {
! 1995: memcpy(buf, BACKEND->decdata_buffer, size);
! 1996: memmove(BACKEND->decdata_buffer, BACKEND->decdata_buffer + size,
! 1997: BACKEND->decdata_offset - size);
! 1998: BACKEND->decdata_offset -= size;
! 1999: DEBUGF(infof(data, "schannel: decrypted data returned %zu\n", size));
! 2000: DEBUGF(infof(data,
! 2001: "schannel: decrypted data buffer: offset %zu length %zu\n",
! 2002: BACKEND->decdata_offset, BACKEND->decdata_length));
! 2003: *err = CURLE_OK;
! 2004: return (ssize_t)size;
! 2005: }
! 2006:
! 2007: if(!*err && !BACKEND->recv_connection_closed)
! 2008: *err = CURLE_AGAIN;
! 2009:
! 2010: /* It's debatable what to return when !len. We could return whatever error we
! 2011: got from decryption but instead we override here so the return is consistent.
! 2012: */
! 2013: if(!len)
! 2014: *err = CURLE_OK;
! 2015:
! 2016: return *err ? -1 : 0;
! 2017: }
! 2018:
! 2019: static CURLcode Curl_schannel_connect_nonblocking(struct connectdata *conn,
! 2020: int sockindex, bool *done)
! 2021: {
! 2022: return schannel_connect_common(conn, sockindex, TRUE, done);
! 2023: }
! 2024:
! 2025: static CURLcode Curl_schannel_connect(struct connectdata *conn, int sockindex)
! 2026: {
! 2027: CURLcode result;
! 2028: bool done = FALSE;
! 2029:
! 2030: result = schannel_connect_common(conn, sockindex, FALSE, &done);
! 2031: if(result)
! 2032: return result;
! 2033:
! 2034: DEBUGASSERT(done);
! 2035:
! 2036: return CURLE_OK;
! 2037: }
! 2038:
! 2039: static bool Curl_schannel_data_pending(const struct connectdata *conn,
! 2040: int sockindex)
! 2041: {
! 2042: const struct ssl_connect_data *connssl = &conn->ssl[sockindex];
! 2043:
! 2044: if(connssl->use) /* SSL/TLS is in use */
! 2045: return (BACKEND->decdata_offset > 0 ||
! 2046: (BACKEND->encdata_offset > 0 && !BACKEND->encdata_is_incomplete));
! 2047: else
! 2048: return FALSE;
! 2049: }
! 2050:
! 2051: static void Curl_schannel_close(struct connectdata *conn, int sockindex)
! 2052: {
! 2053: if(conn->ssl[sockindex].use)
! 2054: /* if the SSL/TLS channel hasn't been shut down yet, do that now. */
! 2055: Curl_ssl_shutdown(conn, sockindex);
! 2056: }
! 2057:
! 2058: static void Curl_schannel_session_free(void *ptr)
! 2059: {
! 2060: /* this is expected to be called under sessionid lock */
! 2061: struct curl_schannel_cred *cred = ptr;
! 2062:
! 2063: cred->refcount--;
! 2064: if(cred->refcount == 0) {
! 2065: s_pSecFn->FreeCredentialsHandle(&cred->cred_handle);
! 2066: Curl_safefree(cred);
! 2067: }
! 2068: }
! 2069:
! 2070: static int Curl_schannel_shutdown(struct connectdata *conn, int sockindex)
! 2071: {
! 2072: /* See https://msdn.microsoft.com/en-us/library/windows/desktop/aa380138.aspx
! 2073: * Shutting Down an Schannel Connection
! 2074: */
! 2075: struct Curl_easy *data = conn->data;
! 2076: struct ssl_connect_data *connssl = &conn->ssl[sockindex];
! 2077: char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
! 2078: conn->host.name;
! 2079:
! 2080: DEBUGASSERT(data);
! 2081:
! 2082: infof(data, "schannel: shutting down SSL/TLS connection with %s port %hu\n",
! 2083: hostname, conn->remote_port);
! 2084:
! 2085: if(BACKEND->cred && BACKEND->ctxt) {
! 2086: SecBufferDesc BuffDesc;
! 2087: SecBuffer Buffer;
! 2088: SECURITY_STATUS sspi_status;
! 2089: SecBuffer outbuf;
! 2090: SecBufferDesc outbuf_desc;
! 2091: CURLcode result;
! 2092: TCHAR *host_name;
! 2093: DWORD dwshut = SCHANNEL_SHUTDOWN;
! 2094:
! 2095: InitSecBuffer(&Buffer, SECBUFFER_TOKEN, &dwshut, sizeof(dwshut));
! 2096: InitSecBufferDesc(&BuffDesc, &Buffer, 1);
! 2097:
! 2098: sspi_status = s_pSecFn->ApplyControlToken(&BACKEND->ctxt->ctxt_handle,
! 2099: &BuffDesc);
! 2100:
! 2101: if(sspi_status != SEC_E_OK) {
! 2102: char buffer[STRERROR_LEN];
! 2103: failf(data, "schannel: ApplyControlToken failure: %s",
! 2104: Curl_sspi_strerror(sspi_status, buffer, sizeof(buffer)));
! 2105: }
! 2106:
! 2107: host_name = Curl_convert_UTF8_to_tchar(hostname);
! 2108: if(!host_name)
! 2109: return CURLE_OUT_OF_MEMORY;
! 2110:
! 2111: /* setup output buffer */
! 2112: InitSecBuffer(&outbuf, SECBUFFER_EMPTY, NULL, 0);
! 2113: InitSecBufferDesc(&outbuf_desc, &outbuf, 1);
! 2114:
! 2115: sspi_status = s_pSecFn->InitializeSecurityContext(
! 2116: &BACKEND->cred->cred_handle,
! 2117: &BACKEND->ctxt->ctxt_handle,
! 2118: host_name,
! 2119: BACKEND->req_flags,
! 2120: 0,
! 2121: 0,
! 2122: NULL,
! 2123: 0,
! 2124: &BACKEND->ctxt->ctxt_handle,
! 2125: &outbuf_desc,
! 2126: &BACKEND->ret_flags,
! 2127: &BACKEND->ctxt->time_stamp);
! 2128:
! 2129: Curl_unicodefree(host_name);
! 2130:
! 2131: if((sspi_status == SEC_E_OK) || (sspi_status == SEC_I_CONTEXT_EXPIRED)) {
! 2132: /* send close message which is in output buffer */
! 2133: ssize_t written;
! 2134: result = Curl_write_plain(conn, conn->sock[sockindex], outbuf.pvBuffer,
! 2135: outbuf.cbBuffer, &written);
! 2136:
! 2137: s_pSecFn->FreeContextBuffer(outbuf.pvBuffer);
! 2138: if((result != CURLE_OK) || (outbuf.cbBuffer != (size_t) written)) {
! 2139: infof(data, "schannel: failed to send close msg: %s"
! 2140: " (bytes written: %zd)\n", curl_easy_strerror(result), written);
! 2141: }
! 2142: }
! 2143: }
! 2144:
! 2145: /* free SSPI Schannel API security context handle */
! 2146: if(BACKEND->ctxt) {
! 2147: DEBUGF(infof(data, "schannel: clear security context handle\n"));
! 2148: s_pSecFn->DeleteSecurityContext(&BACKEND->ctxt->ctxt_handle);
! 2149: Curl_safefree(BACKEND->ctxt);
! 2150: }
! 2151:
! 2152: /* free SSPI Schannel API credential handle */
! 2153: if(BACKEND->cred) {
! 2154: /*
! 2155: * When this function is called from Curl_schannel_close() the connection
! 2156: * might not have an associated transfer so the check for conn->data is
! 2157: * necessary.
! 2158: */
! 2159: Curl_ssl_sessionid_lock(conn);
! 2160: Curl_schannel_session_free(BACKEND->cred);
! 2161: Curl_ssl_sessionid_unlock(conn);
! 2162: BACKEND->cred = NULL;
! 2163: }
! 2164:
! 2165: /* free internal buffer for received encrypted data */
! 2166: if(BACKEND->encdata_buffer != NULL) {
! 2167: Curl_safefree(BACKEND->encdata_buffer);
! 2168: BACKEND->encdata_length = 0;
! 2169: BACKEND->encdata_offset = 0;
! 2170: BACKEND->encdata_is_incomplete = false;
! 2171: }
! 2172:
! 2173: /* free internal buffer for received decrypted data */
! 2174: if(BACKEND->decdata_buffer != NULL) {
! 2175: Curl_safefree(BACKEND->decdata_buffer);
! 2176: BACKEND->decdata_length = 0;
! 2177: BACKEND->decdata_offset = 0;
! 2178: }
! 2179:
! 2180: return CURLE_OK;
! 2181: }
! 2182:
! 2183: static int Curl_schannel_init(void)
! 2184: {
! 2185: return (Curl_sspi_global_init() == CURLE_OK ? 1 : 0);
! 2186: }
! 2187:
! 2188: static void Curl_schannel_cleanup(void)
! 2189: {
! 2190: Curl_sspi_global_cleanup();
! 2191: }
! 2192:
! 2193: static size_t Curl_schannel_version(char *buffer, size_t size)
! 2194: {
! 2195: size = msnprintf(buffer, size, "Schannel");
! 2196:
! 2197: return size;
! 2198: }
! 2199:
! 2200: static CURLcode Curl_schannel_random(struct Curl_easy *data UNUSED_PARAM,
! 2201: unsigned char *entropy, size_t length)
! 2202: {
! 2203: HCRYPTPROV hCryptProv = 0;
! 2204:
! 2205: (void)data;
! 2206:
! 2207: if(!CryptAcquireContext(&hCryptProv, NULL, NULL, PROV_RSA_FULL,
! 2208: CRYPT_VERIFYCONTEXT | CRYPT_SILENT))
! 2209: return CURLE_FAILED_INIT;
! 2210:
! 2211: if(!CryptGenRandom(hCryptProv, (DWORD)length, entropy)) {
! 2212: CryptReleaseContext(hCryptProv, 0UL);
! 2213: return CURLE_FAILED_INIT;
! 2214: }
! 2215:
! 2216: CryptReleaseContext(hCryptProv, 0UL);
! 2217: return CURLE_OK;
! 2218: }
! 2219:
! 2220: static CURLcode pkp_pin_peer_pubkey(struct connectdata *conn, int sockindex,
! 2221: const char *pinnedpubkey)
! 2222: {
! 2223: struct Curl_easy *data = conn->data;
! 2224: struct ssl_connect_data *connssl = &conn->ssl[sockindex];
! 2225: CERT_CONTEXT *pCertContextServer = NULL;
! 2226:
! 2227: /* Result is returned to caller */
! 2228: CURLcode result = CURLE_SSL_PINNEDPUBKEYNOTMATCH;
! 2229:
! 2230: /* if a path wasn't specified, don't pin */
! 2231: if(!pinnedpubkey)
! 2232: return CURLE_OK;
! 2233:
! 2234: do {
! 2235: SECURITY_STATUS sspi_status;
! 2236: const char *x509_der;
! 2237: DWORD x509_der_len;
! 2238: curl_X509certificate x509_parsed;
! 2239: curl_asn1Element *pubkey;
! 2240:
! 2241: sspi_status =
! 2242: s_pSecFn->QueryContextAttributes(&BACKEND->ctxt->ctxt_handle,
! 2243: SECPKG_ATTR_REMOTE_CERT_CONTEXT,
! 2244: &pCertContextServer);
! 2245:
! 2246: if((sspi_status != SEC_E_OK) || (pCertContextServer == NULL)) {
! 2247: char buffer[STRERROR_LEN];
! 2248: failf(data, "schannel: Failed to read remote certificate context: %s",
! 2249: Curl_sspi_strerror(sspi_status, buffer, sizeof(buffer)));
! 2250: break; /* failed */
! 2251: }
! 2252:
! 2253:
! 2254: if(!(((pCertContextServer->dwCertEncodingType & X509_ASN_ENCODING) != 0) &&
! 2255: (pCertContextServer->cbCertEncoded > 0)))
! 2256: break;
! 2257:
! 2258: x509_der = (const char *)pCertContextServer->pbCertEncoded;
! 2259: x509_der_len = pCertContextServer->cbCertEncoded;
! 2260: memset(&x509_parsed, 0, sizeof(x509_parsed));
! 2261: if(Curl_parseX509(&x509_parsed, x509_der, x509_der + x509_der_len))
! 2262: break;
! 2263:
! 2264: pubkey = &x509_parsed.subjectPublicKeyInfo;
! 2265: if(!pubkey->header || pubkey->end <= pubkey->header) {
! 2266: failf(data, "SSL: failed retrieving public key from server certificate");
! 2267: break;
! 2268: }
! 2269:
! 2270: result = Curl_pin_peer_pubkey(data,
! 2271: pinnedpubkey,
! 2272: (const unsigned char *)pubkey->header,
! 2273: (size_t)(pubkey->end - pubkey->header));
! 2274: if(result) {
! 2275: failf(data, "SSL: public key does not match pinned public key!");
! 2276: }
! 2277: } while(0);
! 2278:
! 2279: if(pCertContextServer)
! 2280: CertFreeCertificateContext(pCertContextServer);
! 2281:
! 2282: return result;
! 2283: }
! 2284:
! 2285: static void Curl_schannel_checksum(const unsigned char *input,
! 2286: size_t inputlen,
! 2287: unsigned char *checksum,
! 2288: size_t checksumlen,
! 2289: DWORD provType,
! 2290: const unsigned int algId)
! 2291: {
! 2292: HCRYPTPROV hProv = 0;
! 2293: HCRYPTHASH hHash = 0;
! 2294: DWORD cbHashSize = 0;
! 2295: DWORD dwHashSizeLen = (DWORD)sizeof(cbHashSize);
! 2296: DWORD dwChecksumLen = (DWORD)checksumlen;
! 2297:
! 2298: /* since this can fail in multiple ways, zero memory first so we never
! 2299: * return old data
! 2300: */
! 2301: memset(checksum, 0, checksumlen);
! 2302:
! 2303: if(!CryptAcquireContext(&hProv, NULL, NULL, provType,
! 2304: CRYPT_VERIFYCONTEXT | CRYPT_SILENT))
! 2305: return; /* failed */
! 2306:
! 2307: do {
! 2308: if(!CryptCreateHash(hProv, algId, 0, 0, &hHash))
! 2309: break; /* failed */
! 2310:
! 2311: /* workaround for original MinGW, should be (const BYTE*) */
! 2312: if(!CryptHashData(hHash, (BYTE*)input, (DWORD)inputlen, 0))
! 2313: break; /* failed */
! 2314:
! 2315: /* get hash size */
! 2316: if(!CryptGetHashParam(hHash, HP_HASHSIZE, (BYTE *)&cbHashSize,
! 2317: &dwHashSizeLen, 0))
! 2318: break; /* failed */
! 2319:
! 2320: /* check hash size */
! 2321: if(checksumlen < cbHashSize)
! 2322: break; /* failed */
! 2323:
! 2324: if(CryptGetHashParam(hHash, HP_HASHVAL, checksum, &dwChecksumLen, 0))
! 2325: break; /* failed */
! 2326: } while(0);
! 2327:
! 2328: if(hHash)
! 2329: CryptDestroyHash(hHash);
! 2330:
! 2331: if(hProv)
! 2332: CryptReleaseContext(hProv, 0);
! 2333: }
! 2334:
! 2335: static CURLcode Curl_schannel_md5sum(unsigned char *input,
! 2336: size_t inputlen,
! 2337: unsigned char *md5sum,
! 2338: size_t md5len)
! 2339: {
! 2340: Curl_schannel_checksum(input, inputlen, md5sum, md5len,
! 2341: PROV_RSA_FULL, CALG_MD5);
! 2342: return CURLE_OK;
! 2343: }
! 2344:
! 2345: static CURLcode Curl_schannel_sha256sum(const unsigned char *input,
! 2346: size_t inputlen,
! 2347: unsigned char *sha256sum,
! 2348: size_t sha256len)
! 2349: {
! 2350: Curl_schannel_checksum(input, inputlen, sha256sum, sha256len,
! 2351: PROV_RSA_AES, CALG_SHA_256);
! 2352: return CURLE_OK;
! 2353: }
! 2354:
! 2355: static void *Curl_schannel_get_internals(struct ssl_connect_data *connssl,
! 2356: CURLINFO info UNUSED_PARAM)
! 2357: {
! 2358: (void)info;
! 2359: return &BACKEND->ctxt->ctxt_handle;
! 2360: }
! 2361:
! 2362: const struct Curl_ssl Curl_ssl_schannel = {
! 2363: { CURLSSLBACKEND_SCHANNEL, "schannel" }, /* info */
! 2364:
! 2365: SSLSUPP_CERTINFO |
! 2366: SSLSUPP_PINNEDPUBKEY,
! 2367:
! 2368: sizeof(struct ssl_backend_data),
! 2369:
! 2370: Curl_schannel_init, /* init */
! 2371: Curl_schannel_cleanup, /* cleanup */
! 2372: Curl_schannel_version, /* version */
! 2373: Curl_none_check_cxn, /* check_cxn */
! 2374: Curl_schannel_shutdown, /* shutdown */
! 2375: Curl_schannel_data_pending, /* data_pending */
! 2376: Curl_schannel_random, /* random */
! 2377: Curl_none_cert_status_request, /* cert_status_request */
! 2378: Curl_schannel_connect, /* connect */
! 2379: Curl_schannel_connect_nonblocking, /* connect_nonblocking */
! 2380: Curl_schannel_get_internals, /* get_internals */
! 2381: Curl_schannel_close, /* close_one */
! 2382: Curl_none_close_all, /* close_all */
! 2383: Curl_schannel_session_free, /* session_free */
! 2384: Curl_none_set_engine, /* set_engine */
! 2385: Curl_none_set_engine_default, /* set_engine_default */
! 2386: Curl_none_engines_list, /* engines_list */
! 2387: Curl_none_false_start, /* false_start */
! 2388: Curl_schannel_md5sum, /* md5sum */
! 2389: Curl_schannel_sha256sum /* sha256sum */
! 2390: };
! 2391:
! 2392: #endif /* USE_SCHANNEL */
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to schannel.c CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / curl / lib / vtls