schannel: move code out of SChannel_connect_step1
Reviewed-by: Marc Hoersken Closes #7168
This commit is contained in:
parent
510e6e9a19
commit
68d388061c
@ -413,108 +413,17 @@ get_cert_location(TCHAR *path, DWORD *store_name, TCHAR **store_path,
|
||||
return CURLE_OK;
|
||||
}
|
||||
#endif
|
||||
|
||||
static CURLcode
|
||||
schannel_connect_step1(struct Curl_easy *data, struct connectdata *conn,
|
||||
schannel_acquire_credential_handle(struct Curl_easy *data,
|
||||
struct connectdata *conn,
|
||||
int sockindex)
|
||||
{
|
||||
ssize_t written = -1;
|
||||
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
|
||||
SecBuffer outbuf;
|
||||
SecBufferDesc outbuf_desc;
|
||||
SecBuffer inbuf;
|
||||
SecBufferDesc inbuf_desc;
|
||||
#ifdef HAS_ALPN
|
||||
unsigned char alpn_buffer[128];
|
||||
#endif
|
||||
SCHANNEL_CRED schannel_cred;
|
||||
PCCERT_CONTEXT client_certs[1] = { NULL };
|
||||
SECURITY_STATUS sspi_status = SEC_E_OK;
|
||||
struct Curl_schannel_cred *old_cred = NULL;
|
||||
struct in_addr addr;
|
||||
#ifdef ENABLE_IPV6
|
||||
struct in6_addr addr6;
|
||||
#endif
|
||||
TCHAR *host_name;
|
||||
CURLcode result;
|
||||
char * const hostname = SSL_HOST_NAME();
|
||||
|
||||
DEBUGF(infof(data,
|
||||
"schannel: SSL/TLS connection with %s port %hu (step 1/3)\n",
|
||||
hostname, conn->remote_port));
|
||||
|
||||
if(curlx_verify_windows_version(5, 1, PLATFORM_WINNT,
|
||||
VERSION_LESS_THAN_EQUAL)) {
|
||||
/* Schannel in Windows XP (OS version 5.1) uses legacy handshakes and
|
||||
algorithms that may not be supported by all servers. */
|
||||
infof(data, "schannel: Windows version is old and may not be able to "
|
||||
"connect to some servers due to lack of SNI, algorithms, etc.\n");
|
||||
}
|
||||
|
||||
#ifdef HAS_ALPN
|
||||
/* ALPN is only supported on Windows 8.1 / Server 2012 R2 and above.
|
||||
Also it doesn't seem to be supported for Wine, see curl bug #983. */
|
||||
BACKEND->use_alpn = conn->bits.tls_enable_alpn &&
|
||||
!GetProcAddress(GetModuleHandle(TEXT("ntdll")),
|
||||
"wine_get_version") &&
|
||||
curlx_verify_windows_version(6, 3, PLATFORM_WINNT,
|
||||
VERSION_GREATER_THAN_EQUAL);
|
||||
#else
|
||||
BACKEND->use_alpn = false;
|
||||
#endif
|
||||
|
||||
#ifdef _WIN32_WCE
|
||||
#ifdef HAS_MANUAL_VERIFY_API
|
||||
/* certificate validation on CE doesn't seem to work right; we'll
|
||||
* do it following a more manual process. */
|
||||
BACKEND->use_manual_cred_validation = true;
|
||||
#else
|
||||
#error "compiler too old to support requisite manual cert verify for Win CE"
|
||||
#endif
|
||||
#else
|
||||
#ifdef HAS_MANUAL_VERIFY_API
|
||||
if(SSL_CONN_CONFIG(CAfile) || SSL_CONN_CONFIG(ca_info_blob)) {
|
||||
if(curlx_verify_windows_version(6, 1, PLATFORM_WINNT,
|
||||
VERSION_GREATER_THAN_EQUAL)) {
|
||||
BACKEND->use_manual_cred_validation = true;
|
||||
}
|
||||
else {
|
||||
failf(data, "schannel: this version of Windows is too old to support "
|
||||
"certificate verification via CA bundle file.");
|
||||
return CURLE_SSL_CACERT_BADFILE;
|
||||
}
|
||||
}
|
||||
else
|
||||
BACKEND->use_manual_cred_validation = false;
|
||||
#else
|
||||
if(SSL_CONN_CONFIG(CAfile) || SSL_CONN_CONFIG(ca_info_blob)) {
|
||||
failf(data, "schannel: CA cert support not built in");
|
||||
return CURLE_NOT_BUILT_IN;
|
||||
}
|
||||
#endif
|
||||
#endif
|
||||
|
||||
BACKEND->cred = NULL;
|
||||
|
||||
/* check for an existing re-usable credential handle */
|
||||
if(SSL_SET_OPTION(primary.sessionid)) {
|
||||
Curl_ssl_sessionid_lock(data);
|
||||
if(!Curl_ssl_getsessionid(data, conn,
|
||||
SSL_IS_PROXY() ? TRUE : FALSE,
|
||||
(void **)&old_cred, NULL, sockindex)) {
|
||||
BACKEND->cred = old_cred;
|
||||
DEBUGF(infof(data, "schannel: re-using existing credential handle\n"));
|
||||
|
||||
/* increment the reference counter of the credential/session handle */
|
||||
BACKEND->cred->refcount++;
|
||||
DEBUGF(infof(data,
|
||||
"schannel: incremented credential handle refcount = %d\n",
|
||||
BACKEND->cred->refcount));
|
||||
}
|
||||
Curl_ssl_sessionid_unlock(data);
|
||||
}
|
||||
|
||||
if(!BACKEND->cred) {
|
||||
/* setup Schannel API options */
|
||||
memset(&schannel_cred, 0, sizeof(schannel_cred));
|
||||
schannel_cred.dwVersion = SCHANNEL_CRED_VERSION;
|
||||
@ -836,6 +745,113 @@ schannel_connect_step1(struct Curl_easy *data, struct connectdata *conn,
|
||||
return CURLE_SSL_CONNECT_ERROR;
|
||||
}
|
||||
}
|
||||
|
||||
return CURLE_OK;
|
||||
}
|
||||
|
||||
static CURLcode
|
||||
schannel_connect_step1(struct Curl_easy *data, struct connectdata *conn,
|
||||
int sockindex)
|
||||
{
|
||||
ssize_t written = -1;
|
||||
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
|
||||
SecBuffer outbuf;
|
||||
SecBufferDesc outbuf_desc;
|
||||
SecBuffer inbuf;
|
||||
SecBufferDesc inbuf_desc;
|
||||
#ifdef HAS_ALPN
|
||||
unsigned char alpn_buffer[128];
|
||||
#endif
|
||||
SECURITY_STATUS sspi_status = SEC_E_OK;
|
||||
struct Curl_schannel_cred *old_cred = NULL;
|
||||
struct in_addr addr;
|
||||
#ifdef ENABLE_IPV6
|
||||
struct in6_addr addr6;
|
||||
#endif
|
||||
TCHAR *host_name;
|
||||
CURLcode result;
|
||||
char * const hostname = SSL_HOST_NAME();
|
||||
|
||||
DEBUGF(infof(data,
|
||||
"schannel: SSL/TLS connection with %s port %hu (step 1/3)\n",
|
||||
hostname, conn->remote_port));
|
||||
|
||||
if(curlx_verify_windows_version(5, 1, PLATFORM_WINNT,
|
||||
VERSION_LESS_THAN_EQUAL)) {
|
||||
/* Schannel in Windows XP (OS version 5.1) uses legacy handshakes and
|
||||
algorithms that may not be supported by all servers. */
|
||||
infof(data, "schannel: Windows version is old and may not be able to "
|
||||
"connect to some servers due to lack of SNI, algorithms, etc.\n");
|
||||
}
|
||||
|
||||
#ifdef HAS_ALPN
|
||||
/* ALPN is only supported on Windows 8.1 / Server 2012 R2 and above.
|
||||
Also it doesn't seem to be supported for Wine, see curl bug #983. */
|
||||
BACKEND->use_alpn = conn->bits.tls_enable_alpn &&
|
||||
!GetProcAddress(GetModuleHandle(TEXT("ntdll")),
|
||||
"wine_get_version") &&
|
||||
curlx_verify_windows_version(6, 3, PLATFORM_WINNT,
|
||||
VERSION_GREATER_THAN_EQUAL);
|
||||
#else
|
||||
BACKEND->use_alpn = false;
|
||||
#endif
|
||||
|
||||
#ifdef _WIN32_WCE
|
||||
#ifdef HAS_MANUAL_VERIFY_API
|
||||
/* certificate validation on CE doesn't seem to work right; we'll
|
||||
* do it following a more manual process. */
|
||||
BACKEND->use_manual_cred_validation = true;
|
||||
#else
|
||||
#error "compiler too old to support requisite manual cert verify for Win CE"
|
||||
#endif
|
||||
#else
|
||||
#ifdef HAS_MANUAL_VERIFY_API
|
||||
if(SSL_CONN_CONFIG(CAfile) || SSL_CONN_CONFIG(ca_info_blob)) {
|
||||
if(curlx_verify_windows_version(6, 1, PLATFORM_WINNT,
|
||||
VERSION_GREATER_THAN_EQUAL)) {
|
||||
BACKEND->use_manual_cred_validation = true;
|
||||
}
|
||||
else {
|
||||
failf(data, "schannel: this version of Windows is too old to support "
|
||||
"certificate verification via CA bundle file.");
|
||||
return CURLE_SSL_CACERT_BADFILE;
|
||||
}
|
||||
}
|
||||
else
|
||||
BACKEND->use_manual_cred_validation = false;
|
||||
#else
|
||||
if(SSL_CONN_CONFIG(CAfile) || SSL_CONN_CONFIG(ca_info_blob)) {
|
||||
failf(data, "schannel: CA cert support not built in");
|
||||
return CURLE_NOT_BUILT_IN;
|
||||
}
|
||||
#endif
|
||||
#endif
|
||||
|
||||
BACKEND->cred = NULL;
|
||||
|
||||
/* check for an existing re-usable credential handle */
|
||||
if(SSL_SET_OPTION(primary.sessionid)) {
|
||||
Curl_ssl_sessionid_lock(data);
|
||||
if(!Curl_ssl_getsessionid(data, conn,
|
||||
SSL_IS_PROXY() ? TRUE : FALSE,
|
||||
(void **)&old_cred, NULL, sockindex)) {
|
||||
BACKEND->cred = old_cred;
|
||||
DEBUGF(infof(data, "schannel: re-using existing credential handle\n"));
|
||||
|
||||
/* increment the reference counter of the credential/session handle */
|
||||
BACKEND->cred->refcount++;
|
||||
DEBUGF(infof(data,
|
||||
"schannel: incremented credential handle refcount = %d\n",
|
||||
BACKEND->cred->refcount));
|
||||
}
|
||||
Curl_ssl_sessionid_unlock(data);
|
||||
}
|
||||
|
||||
if(!BACKEND->cred) {
|
||||
result = schannel_acquire_credential_handle(data, conn, sockindex);
|
||||
if(result != CURLE_OK) {
|
||||
return result;
|
||||
}
|
||||
}
|
||||
|
||||
/* Warn if SNI is disabled due to use of an IP address */
|
||||
|
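Review bot: The new `schannel_acquire_credential_handle` in the first hunk is introduced without a header comment, although its behaviour now depends on state its only caller sets beforehand — `BACKEND->use_manual_cred_validation` and `BACKEND->use_alpn` are decided in `schannel_connect_step1` (second hunk) ahead of `result = schannel_acquire_credential_handle(data, conn, sockindex);`, and the helper presumably consults at least the first of them when filling `schannel_cred`. That ordering was implicit while everything lived in one body; split across two functions it should be stated, e.g. above the helper: `/* Creates BACKEND->cred for this connection. Must be called after the caller has decided BACKEND->use_manual_cred_validation (and use_alpn), since that flag selects whether Schannel or curl verifies the peer certificate. */`. The comment should also say whether `BACKEND->cred` is left NULL on every failure path, so the caller's `if(!BACKEND->cred)` guard and later cleanup remain coherent — that cannot be confirmed from the visible lines. The body of `schannel_connect_step1` continues past the end of the second hunk.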