cjson
fuzzing
inputs
test1 test10 test11 test2 test3 test3.bu test3.uf test3.uu test4 test5 test6 test7 test8 test9library_config
cJSONConfig.cmake.in cJSONConfigVersion.cmake.in libcjson.pc.in libcjson_utils.pc.in uninstall.cmaketests
inputs
test1 test1.expected test10 test10.expected test11 test11.expected test2 test2.expected test3 test3.expected test4 test4.expected test5 test5.expected test6 test7 test7.expected test8 test8.expected test9 test9.expectedjson-patch-tests
.editorconfig .gitignore .npmignore README.md cjson-utils-tests.json package.json spec_tests.json tests.jsonunity
auto
colour_prompt.rb colour_reporter.rb generate_config.yml generate_module.rb generate_test_runner.rb parse_output.rb stylize_as_junit.rb test_file_filter.rb type_sanitizer.rb unity_test_summary.py unity_test_summary.rb unity_to_junit.pydocs
ThrowTheSwitchCodingStandard.md UnityAssertionsCheatSheetSuitableforPrintingandPossiblyFraming.pdf UnityAssertionsReference.md UnityConfigurationGuide.md UnityGettingStartedGuide.md UnityHelperScriptsGuide.md license.txtexamples
unity_config.hcurl
.github
scripts
cleancmd.pl cmp-config.pl cmp-pkg-config.sh codespell-ignore.words codespell.sh distfiles.sh pyspelling.words pyspelling.yaml randcurl.pl requirements-docs.txt requirements-proselint.txt requirements.txt shellcheck-ci.sh shellcheck.sh spellcheck.curl trimmarkdownheader.pl typos.sh typos.toml verify-examples.pl verify-synopsis.pl yamlcheck.sh yamlcheck.yamlworkflows
appveyor-status.yml checkdocs.yml checksrc.yml checkurls.yml codeql.yml configure-vs-cmake.yml curl-for-win.yml distcheck.yml fuzz.yml http3-linux.yml label.yml linux-old.yml linux.yml macos.yml non-native.yml windows.ymlCMake
CurlSymbolHiding.cmake CurlTests.c FindBrotli.cmake FindCares.cmake FindGSS.cmake FindGnuTLS.cmake FindLDAP.cmake FindLibbacktrace.cmake FindLibgsasl.cmake FindLibidn2.cmake FindLibpsl.cmake FindLibssh.cmake FindLibssh2.cmake FindLibuv.cmake FindMbedTLS.cmake FindNGHTTP2.cmake FindNGHTTP3.cmake FindNGTCP2.cmake FindNettle.cmake FindQuiche.cmake FindRustls.cmake FindWolfSSL.cmake FindZstd.cmake Macros.cmake OtherTests.cmake PickyWarnings.cmake Utilities.cmake cmake_uninstall.in.cmake curl-config.in.cmake unix-cache.cmake win32-cache.cmakedocs
cmdline-opts
.gitignore CMakeLists.txt MANPAGE.md Makefile.am Makefile.inc _AUTHORS.md _BUGS.md _DESCRIPTION.md _ENVIRONMENT.md _EXITCODES.md _FILES.md _GLOBBING.md _NAME.md _OPTIONS.md _OUTPUT.md _PROGRESS.md _PROTOCOLS.md _PROXYPREFIX.md _SEEALSO.md _SYNOPSIS.md _URL.md _VARIABLES.md _VERSION.md _WWW.md abstract-unix-socket.md alt-svc.md anyauth.md append.md aws-sigv4.md basic.md ca-native.md cacert.md capath.md cert-status.md cert-type.md cert.md ciphers.md compressed-ssh.md compressed.md config.md connect-timeout.md connect-to.md continue-at.md cookie-jar.md cookie.md create-dirs.md create-file-mode.md crlf.md crlfile.md curves.md data-ascii.md data-binary.md data-raw.md data-urlencode.md data.md delegation.md digest.md disable-eprt.md disable-epsv.md disable.md disallow-username-in-url.md dns-interface.md dns-ipv4-addr.md dns-ipv6-addr.md dns-servers.md doh-cert-status.md doh-insecure.md doh-url.md dump-ca-embed.md dump-header.md ech.md egd-file.md engine.md etag-compare.md etag-save.md expect100-timeout.md fail-early.md fail-with-body.md fail.md false-start.md follow.md form-escape.md form-string.md form.md ftp-account.md ftp-alternative-to-user.md ftp-create-dirs.md ftp-method.md ftp-pasv.md ftp-port.md ftp-pret.md ftp-skip-pasv-ip.md ftp-ssl-ccc-mode.md ftp-ssl-ccc.md ftp-ssl-control.md get.md globoff.md happy-eyeballs-timeout-ms.md haproxy-clientip.md haproxy-protocol.md head.md header.md help.md hostpubmd5.md hostpubsha256.md hsts.md http0.9.md http1.0.md http1.1.md http2-prior-knowledge.md http2.md http3-only.md http3.md ignore-content-length.md insecure.md interface.md ip-tos.md ipfs-gateway.md ipv4.md ipv6.md json.md junk-session-cookies.md keepalive-cnt.md keepalive-time.md key-type.md key.md knownhosts.md krb.md libcurl.md limit-rate.md list-only.md local-port.md location-trusted.md location.md login-options.md mail-auth.md mail-from.md mail-rcpt-allowfails.md mail-rcpt.md mainpage.idx manual.md max-filesize.md max-redirs.md max-time.md metalink.md mptcp.md negotiate.md netrc-file.md netrc-optional.md netrc.md next.md no-alpn.md no-buffer.md no-clobber.md no-keepalive.md no-npn.md no-progress-meter.md no-sessionid.md noproxy.md ntlm-wb.md ntlm.md oauth2-bearer.md out-null.md output-dir.md output.md parallel-immediate.md parallel-max-host.md parallel-max.md parallel.md pass.md path-as-is.md pinnedpubkey.md post301.md post302.md post303.md preproxy.md progress-bar.md proto-default.md proto-redir.md proto.md proxy-anyauth.md proxy-basic.md proxy-ca-native.md proxy-cacert.md proxy-capath.md proxy-cert-type.md proxy-cert.md proxy-ciphers.md proxy-crlfile.md proxy-digest.md proxy-header.md proxy-http2.md proxy-insecure.md proxy-key-type.md proxy-key.md proxy-negotiate.md proxy-ntlm.md proxy-pass.md proxy-pinnedpubkey.md proxy-service-name.md proxy-ssl-allow-beast.md proxy-ssl-auto-client-cert.md proxy-tls13-ciphers.md proxy-tlsauthtype.md proxy-tlspassword.md proxy-tlsuser.md proxy-tlsv1.md proxy-user.md proxy.md proxy1.0.md proxytunnel.md pubkey.md quote.md random-file.md range.md rate.md raw.md referer.md remote-header-name.md remote-name-all.md remote-name.md remote-time.md remove-on-error.md request-target.md request.md resolve.md retry-all-errors.md retry-connrefused.md retry-delay.md retry-max-time.md retry.md sasl-authzid.md sasl-ir.md service-name.md show-error.md show-headers.md sigalgs.md silent.md skip-existing.md socks4.md socks4a.md socks5-basic.md socks5-gssapi-nec.md socks5-gssapi-service.md socks5-gssapi.md socks5-hostname.md socks5.md speed-limit.md speed-time.md ssl-allow-beast.md ssl-auto-client-cert.md ssl-no-revoke.md ssl-reqd.md ssl-revoke-best-effort.md ssl-sessions.md ssl.md sslv2.md sslv3.md stderr.md styled-output.md suppress-connect-headers.md tcp-fastopen.md tcp-nodelay.md telnet-option.md tftp-blksize.md tftp-no-options.md time-cond.md tls-earlydata.md tls-max.md tls13-ciphers.md tlsauthtype.md tlspassword.md tlsuser.md tlsv1.0.md tlsv1.1.md tlsv1.2.md tlsv1.3.md tlsv1.md tr-encoding.md trace-ascii.md trace-config.md trace-ids.md trace-time.md trace.md unix-socket.md upload-file.md upload-flags.md url-query.md url.md use-ascii.md user-agent.md user.md variable.md verbose.md version.md vlan-priority.md write-out.md xattr.mdexamples
.checksrc .gitignore 10-at-a-time.c CMakeLists.txt Makefile.am Makefile.example Makefile.inc README.md adddocsref.pl address-scope.c altsvc.c anyauthput.c block_ip.c cacertinmem.c certinfo.c chkspeed.c connect-to.c cookie_interface.c crawler.c debug.c default-scheme.c ephiperfifo.c evhiperfifo.c externalsocket.c fileupload.c ftp-delete.c ftp-wildcard.c ftpget.c ftpgetinfo.c ftpgetresp.c ftpsget.c ftpupload.c ftpuploadfrommem.c ftpuploadresume.c getinfo.c getinmemory.c getredirect.c getreferrer.c ghiper.c headerapi.c hiperfifo.c hsts-preload.c htmltidy.c htmltitle.cpp http-options.c http-post.c http2-download.c http2-pushinmemory.c http2-serverpush.c http2-upload.c http3-present.c http3.c httpcustomheader.c httpput-postfields.c httpput.c https.c imap-append.c imap-authzid.c imap-copy.c imap-create.c imap-delete.c imap-examine.c imap-fetch.c imap-list.c imap-lsub.c imap-multi.c imap-noop.c imap-search.c imap-ssl.c imap-store.c imap-tls.c interface.c ipv6.c keepalive.c localport.c log_failed_transfers.c maxconnects.c multi-app.c multi-debugcallback.c multi-double.c multi-event.c multi-formadd.c multi-legacy.c multi-post.c multi-single.c multi-uv.c netrc.c parseurl.c persistent.c pop3-authzid.c pop3-dele.c pop3-list.c pop3-multi.c pop3-noop.c pop3-retr.c pop3-ssl.c pop3-stat.c pop3-tls.c pop3-top.c pop3-uidl.c post-callback.c postinmemory.c postit2-formadd.c postit2.c progressfunc.c protofeats.c range.c resolve.c rtsp-options.c sendrecv.c sepheaders.c sessioninfo.c sftpget.c sftpuploadresume.c shared-connection-cache.c simple.c simplepost.c simplessl.c smooth-gtk-thread.c smtp-authzid.c smtp-expn.c smtp-mail.c smtp-mime.c smtp-multi.c smtp-ssl.c smtp-tls.c smtp-vrfy.c sslbackend.c synctime.c threaded.c unixsocket.c url2file.c urlapi.c usercertinmem.c version-check.pl websocket-cb.c websocket-updown.c websocket.c xmlstream.cinternals
BUFQ.md BUFREF.md CHECKSRC.md CLIENT-READERS.md CLIENT-WRITERS.md CODE_STYLE.md CONNECTION-FILTERS.md CREDENTIALS.md CURLX.md DYNBUF.md HASH.md LLIST.md MID.md MQTT.md MULTI-EV.md NEW-PROTOCOL.md PEERS.md PORTING.md RATELIMITS.md README.md SCORECARD.md SPLAY.md STRPARSE.md THRDPOOL-AND-QUEUE.md TIME-KEEPING.md TLS-SESSIONS.md UINT_SETS.md WEBSOCKET.mdlibcurl
opts
CMakeLists.txt CURLINFO_ACTIVESOCKET.md CURLINFO_APPCONNECT_TIME.md CURLINFO_APPCONNECT_TIME_T.md CURLINFO_CAINFO.md CURLINFO_CAPATH.md CURLINFO_CERTINFO.md CURLINFO_CONDITION_UNMET.md CURLINFO_CONNECT_TIME.md CURLINFO_CONNECT_TIME_T.md CURLINFO_CONN_ID.md CURLINFO_CONTENT_LENGTH_DOWNLOAD.md CURLINFO_CONTENT_LENGTH_DOWNLOAD_T.md CURLINFO_CONTENT_LENGTH_UPLOAD.md CURLINFO_CONTENT_LENGTH_UPLOAD_T.md CURLINFO_CONTENT_TYPE.md CURLINFO_COOKIELIST.md CURLINFO_EARLYDATA_SENT_T.md CURLINFO_EFFECTIVE_METHOD.md CURLINFO_EFFECTIVE_URL.md CURLINFO_FILETIME.md CURLINFO_FILETIME_T.md CURLINFO_FTP_ENTRY_PATH.md CURLINFO_HEADER_SIZE.md CURLINFO_HTTPAUTH_AVAIL.md CURLINFO_HTTPAUTH_USED.md CURLINFO_HTTP_CONNECTCODE.md CURLINFO_HTTP_VERSION.md CURLINFO_LASTSOCKET.md CURLINFO_LOCAL_IP.md CURLINFO_LOCAL_PORT.md CURLINFO_NAMELOOKUP_TIME.md CURLINFO_NAMELOOKUP_TIME_T.md CURLINFO_NUM_CONNECTS.md CURLINFO_OS_ERRNO.md CURLINFO_POSTTRANSFER_TIME_T.md CURLINFO_PRETRANSFER_TIME.md CURLINFO_PRETRANSFER_TIME_T.md CURLINFO_PRIMARY_IP.md CURLINFO_PRIMARY_PORT.md CURLINFO_PRIVATE.md CURLINFO_PROTOCOL.md CURLINFO_PROXYAUTH_AVAIL.md CURLINFO_PROXYAUTH_USED.md CURLINFO_PROXY_ERROR.md CURLINFO_PROXY_SSL_VERIFYRESULT.md CURLINFO_QUEUE_TIME_T.md CURLINFO_REDIRECT_COUNT.md CURLINFO_REDIRECT_TIME.md CURLINFO_REDIRECT_TIME_T.md CURLINFO_REDIRECT_URL.md CURLINFO_REFERER.md CURLINFO_REQUEST_SIZE.md CURLINFO_RESPONSE_CODE.md CURLINFO_RETRY_AFTER.md CURLINFO_RTSP_CLIENT_CSEQ.md CURLINFO_RTSP_CSEQ_RECV.md CURLINFO_RTSP_SERVER_CSEQ.md CURLINFO_RTSP_SESSION_ID.md CURLINFO_SCHEME.md CURLINFO_SIZE_DELIVERED.md CURLINFO_SIZE_DOWNLOAD.md CURLINFO_SIZE_DOWNLOAD_T.md CURLINFO_SIZE_UPLOAD.md CURLINFO_SIZE_UPLOAD_T.md CURLINFO_SPEED_DOWNLOAD.md CURLINFO_SPEED_DOWNLOAD_T.md CURLINFO_SPEED_UPLOAD.md CURLINFO_SPEED_UPLOAD_T.md CURLINFO_SSL_ENGINES.md CURLINFO_SSL_VERIFYRESULT.md CURLINFO_STARTTRANSFER_TIME.md CURLINFO_STARTTRANSFER_TIME_T.md CURLINFO_TLS_SESSION.md CURLINFO_TLS_SSL_PTR.md CURLINFO_TOTAL_TIME.md CURLINFO_TOTAL_TIME_T.md CURLINFO_USED_PROXY.md CURLINFO_XFER_ID.md CURLMINFO_XFERS_ADDED.md CURLMINFO_XFERS_CURRENT.md CURLMINFO_XFERS_DONE.md CURLMINFO_XFERS_PENDING.md CURLMINFO_XFERS_RUNNING.md CURLMOPT_CHUNK_LENGTH_PENALTY_SIZE.md CURLMOPT_CONTENT_LENGTH_PENALTY_SIZE.md CURLMOPT_MAXCONNECTS.md CURLMOPT_MAX_CONCURRENT_STREAMS.md CURLMOPT_MAX_HOST_CONNECTIONS.md CURLMOPT_MAX_PIPELINE_LENGTH.md CURLMOPT_MAX_TOTAL_CONNECTIONS.md CURLMOPT_NETWORK_CHANGED.md CURLMOPT_NOTIFYDATA.md CURLMOPT_NOTIFYFUNCTION.md CURLMOPT_PIPELINING.md CURLMOPT_PIPELINING_SERVER_BL.md CURLMOPT_PIPELINING_SITE_BL.md CURLMOPT_PUSHDATA.md CURLMOPT_PUSHFUNCTION.md CURLMOPT_QUICK_EXIT.md CURLMOPT_RESOLVE_THREADS_MAX.md CURLMOPT_SOCKETDATA.md CURLMOPT_SOCKETFUNCTION.md CURLMOPT_TIMERDATA.md CURLMOPT_TIMERFUNCTION.md CURLOPT_ABSTRACT_UNIX_SOCKET.md CURLOPT_ACCEPTTIMEOUT_MS.md CURLOPT_ACCEPT_ENCODING.md CURLOPT_ADDRESS_SCOPE.md CURLOPT_ALTSVC.md CURLOPT_ALTSVC_CTRL.md CURLOPT_APPEND.md CURLOPT_AUTOREFERER.md CURLOPT_AWS_SIGV4.md CURLOPT_BUFFERSIZE.md CURLOPT_CAINFO.md CURLOPT_CAINFO_BLOB.md CURLOPT_CAPATH.md CURLOPT_CA_CACHE_TIMEOUT.md CURLOPT_CERTINFO.md CURLOPT_CHUNK_BGN_FUNCTION.md CURLOPT_CHUNK_DATA.md CURLOPT_CHUNK_END_FUNCTION.md CURLOPT_CLOSESOCKETDATA.md CURLOPT_CLOSESOCKETFUNCTION.md CURLOPT_CONNECTTIMEOUT.md CURLOPT_CONNECTTIMEOUT_MS.md CURLOPT_CONNECT_ONLY.md CURLOPT_CONNECT_TO.md CURLOPT_CONV_FROM_NETWORK_FUNCTION.md CURLOPT_CONV_FROM_UTF8_FUNCTION.md CURLOPT_CONV_TO_NETWORK_FUNCTION.md CURLOPT_COOKIE.md CURLOPT_COOKIEFILE.md CURLOPT_COOKIEJAR.md CURLOPT_COOKIELIST.md CURLOPT_COOKIESESSION.md CURLOPT_COPYPOSTFIELDS.md CURLOPT_CRLF.md CURLOPT_CRLFILE.md CURLOPT_CURLU.md CURLOPT_CUSTOMREQUEST.md CURLOPT_DEBUGDATA.md CURLOPT_DEBUGFUNCTION.md CURLOPT_DEFAULT_PROTOCOL.md CURLOPT_DIRLISTONLY.md CURLOPT_DISALLOW_USERNAME_IN_URL.md CURLOPT_DNS_CACHE_TIMEOUT.md CURLOPT_DNS_INTERFACE.md CURLOPT_DNS_LOCAL_IP4.md CURLOPT_DNS_LOCAL_IP6.md CURLOPT_DNS_SERVERS.md CURLOPT_DNS_SHUFFLE_ADDRESSES.md CURLOPT_DNS_USE_GLOBAL_CACHE.md CURLOPT_DOH_SSL_VERIFYHOST.md CURLOPT_DOH_SSL_VERIFYPEER.md CURLOPT_DOH_SSL_VERIFYSTATUS.md CURLOPT_DOH_URL.md CURLOPT_ECH.md CURLOPT_EGDSOCKET.md CURLOPT_ERRORBUFFER.md CURLOPT_EXPECT_100_TIMEOUT_MS.md CURLOPT_FAILONERROR.md CURLOPT_FILETIME.md CURLOPT_FNMATCH_DATA.md CURLOPT_FNMATCH_FUNCTION.md CURLOPT_FOLLOWLOCATION.md CURLOPT_FORBID_REUSE.md CURLOPT_FRESH_CONNECT.md CURLOPT_FTPPORT.md CURLOPT_FTPSSLAUTH.md CURLOPT_FTP_ACCOUNT.md CURLOPT_FTP_ALTERNATIVE_TO_USER.md CURLOPT_FTP_CREATE_MISSING_DIRS.md CURLOPT_FTP_FILEMETHOD.md CURLOPT_FTP_SKIP_PASV_IP.md CURLOPT_FTP_SSL_CCC.md CURLOPT_FTP_USE_EPRT.md CURLOPT_FTP_USE_EPSV.md CURLOPT_FTP_USE_PRET.md CURLOPT_GSSAPI_DELEGATION.md CURLOPT_HAPPY_EYEBALLS_TIMEOUT_MS.md CURLOPT_HAPROXYPROTOCOL.md CURLOPT_HAPROXY_CLIENT_IP.md CURLOPT_HEADER.md CURLOPT_HEADERDATA.md CURLOPT_HEADERFUNCTION.md CURLOPT_HEADEROPT.md CURLOPT_HSTS.md CURLOPT_HSTSREADDATA.md CURLOPT_HSTSREADFUNCTION.md CURLOPT_HSTSWRITEDATA.md CURLOPT_HSTSWRITEFUNCTION.md CURLOPT_HSTS_CTRL.md CURLOPT_HTTP09_ALLOWED.md CURLOPT_HTTP200ALIASES.md CURLOPT_HTTPAUTH.md CURLOPT_HTTPGET.md CURLOPT_HTTPHEADER.md CURLOPT_HTTPPOST.md CURLOPT_HTTPPROXYTUNNEL.md CURLOPT_HTTP_CONTENT_DECODING.md CURLOPT_HTTP_TRANSFER_DECODING.md CURLOPT_HTTP_VERSION.md CURLOPT_IGNORE_CONTENT_LENGTH.md CURLOPT_INFILESIZE.md CURLOPT_INFILESIZE_LARGE.md CURLOPT_INTERFACE.md CURLOPT_INTERLEAVEDATA.md CURLOPT_INTERLEAVEFUNCTION.md CURLOPT_IOCTLDATA.md CURLOPT_IOCTLFUNCTION.md CURLOPT_IPRESOLVE.md CURLOPT_ISSUERCERT.md CURLOPT_ISSUERCERT_BLOB.md CURLOPT_KEEP_SENDING_ON_ERROR.md CURLOPT_KEYPASSWD.md CURLOPT_KRBLEVEL.md CURLOPT_LOCALPORT.md CURLOPT_LOCALPORTRANGE.md CURLOPT_LOGIN_OPTIONS.md CURLOPT_LOW_SPEED_LIMIT.md CURLOPT_LOW_SPEED_TIME.md CURLOPT_MAIL_AUTH.md CURLOPT_MAIL_FROM.md CURLOPT_MAIL_RCPT.md CURLOPT_MAIL_RCPT_ALLOWFAILS.md CURLOPT_MAXAGE_CONN.md CURLOPT_MAXCONNECTS.md CURLOPT_MAXFILESIZE.md CURLOPT_MAXFILESIZE_LARGE.md CURLOPT_MAXLIFETIME_CONN.md CURLOPT_MAXREDIRS.md CURLOPT_MAX_RECV_SPEED_LARGE.md CURLOPT_MAX_SEND_SPEED_LARGE.md CURLOPT_MIMEPOST.md CURLOPT_MIME_OPTIONS.md CURLOPT_NETRC.md CURLOPT_NETRC_FILE.md CURLOPT_NEW_DIRECTORY_PERMS.md CURLOPT_NEW_FILE_PERMS.md CURLOPT_NOBODY.md CURLOPT_NOPROGRESS.md CURLOPT_NOPROXY.md CURLOPT_NOSIGNAL.md CURLOPT_OPENSOCKETDATA.md CURLOPT_OPENSOCKETFUNCTION.md CURLOPT_PASSWORD.md CURLOPT_PATH_AS_IS.md CURLOPT_PINNEDPUBLICKEY.md CURLOPT_PIPEWAIT.md CURLOPT_PORT.md CURLOPT_POST.md CURLOPT_POSTFIELDS.md CURLOPT_POSTFIELDSIZE.md CURLOPT_POSTFIELDSIZE_LARGE.md CURLOPT_POSTQUOTE.md CURLOPT_POSTREDIR.md CURLOPT_PREQUOTE.md CURLOPT_PREREQDATA.md CURLOPT_PREREQFUNCTION.md CURLOPT_PRE_PROXY.md CURLOPT_PRIVATE.md CURLOPT_PROGRESSDATA.md CURLOPT_PROGRESSFUNCTION.md CURLOPT_PROTOCOLS.md CURLOPT_PROTOCOLS_STR.md CURLOPT_PROXY.md CURLOPT_PROXYAUTH.md CURLOPT_PROXYHEADER.md CURLOPT_PROXYPASSWORD.md CURLOPT_PROXYPORT.md CURLOPT_PROXYTYPE.md CURLOPT_PROXYUSERNAME.md CURLOPT_PROXYUSERPWD.md CURLOPT_PROXY_CAINFO.md CURLOPT_PROXY_CAINFO_BLOB.md CURLOPT_PROXY_CAPATH.md CURLOPT_PROXY_CRLFILE.md CURLOPT_PROXY_ISSUERCERT.md CURLOPT_PROXY_ISSUERCERT_BLOB.md CURLOPT_PROXY_KEYPASSWD.md CURLOPT_PROXY_PINNEDPUBLICKEY.md CURLOPT_PROXY_SERVICE_NAME.md CURLOPT_PROXY_SSLCERT.md CURLOPT_PROXY_SSLCERTTYPE.md CURLOPT_PROXY_SSLCERT_BLOB.md CURLOPT_PROXY_SSLKEY.md CURLOPT_PROXY_SSLKEYTYPE.md CURLOPT_PROXY_SSLKEY_BLOB.md CURLOPT_PROXY_SSLVERSION.md CURLOPT_PROXY_SSL_CIPHER_LIST.md CURLOPT_PROXY_SSL_OPTIONS.md CURLOPT_PROXY_SSL_VERIFYHOST.md CURLOPT_PROXY_SSL_VERIFYPEER.md CURLOPT_PROXY_TLS13_CIPHERS.md CURLOPT_PROXY_TLSAUTH_PASSWORD.md CURLOPT_PROXY_TLSAUTH_TYPE.md CURLOPT_PROXY_TLSAUTH_USERNAME.md CURLOPT_PROXY_TRANSFER_MODE.md CURLOPT_PUT.md CURLOPT_QUICK_EXIT.md CURLOPT_QUOTE.md CURLOPT_RANDOM_FILE.md CURLOPT_RANGE.md CURLOPT_READDATA.md CURLOPT_READFUNCTION.md CURLOPT_REDIR_PROTOCOLS.md CURLOPT_REDIR_PROTOCOLS_STR.md CURLOPT_REFERER.md CURLOPT_REQUEST_TARGET.md CURLOPT_RESOLVE.md CURLOPT_RESOLVER_START_DATA.md CURLOPT_RESOLVER_START_FUNCTION.md CURLOPT_RESUME_FROM.md CURLOPT_RESUME_FROM_LARGE.md CURLOPT_RTSP_CLIENT_CSEQ.md CURLOPT_RTSP_REQUEST.md CURLOPT_RTSP_SERVER_CSEQ.md CURLOPT_RTSP_SESSION_ID.md CURLOPT_RTSP_STREAM_URI.md CURLOPT_RTSP_TRANSPORT.md CURLOPT_SASL_AUTHZID.md CURLOPT_SASL_IR.md CURLOPT_SEEKDATA.md CURLOPT_SEEKFUNCTION.md CURLOPT_SERVER_RESPONSE_TIMEOUT.md CURLOPT_SERVER_RESPONSE_TIMEOUT_MS.md CURLOPT_SERVICE_NAME.md CURLOPT_SHARE.md CURLOPT_SOCKOPTDATA.md CURLOPT_SOCKOPTFUNCTION.md CURLOPT_SOCKS5_AUTH.md CURLOPT_SOCKS5_GSSAPI_NEC.md CURLOPT_SOCKS5_GSSAPI_SERVICE.md CURLOPT_SSH_AUTH_TYPES.md CURLOPT_SSH_COMPRESSION.md CURLOPT_SSH_HOSTKEYDATA.md CURLOPT_SSH_HOSTKEYFUNCTION.md CURLOPT_SSH_HOST_PUBLIC_KEY_MD5.md CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256.md CURLOPT_SSH_KEYDATA.md CURLOPT_SSH_KEYFUNCTION.md CURLOPT_SSH_KNOWNHOSTS.md CURLOPT_SSH_PRIVATE_KEYFILE.md CURLOPT_SSH_PUBLIC_KEYFILE.md CURLOPT_SSLCERT.md CURLOPT_SSLCERTTYPE.md CURLOPT_SSLCERT_BLOB.md CURLOPT_SSLENGINE.md CURLOPT_SSLENGINE_DEFAULT.md CURLOPT_SSLKEY.md CURLOPT_SSLKEYTYPE.md CURLOPT_SSLKEY_BLOB.md CURLOPT_SSLVERSION.md CURLOPT_SSL_CIPHER_LIST.md CURLOPT_SSL_CTX_DATA.md CURLOPT_SSL_CTX_FUNCTION.md CURLOPT_SSL_EC_CURVES.md CURLOPT_SSL_ENABLE_ALPN.md CURLOPT_SSL_ENABLE_NPN.md CURLOPT_SSL_FALSESTART.md CURLOPT_SSL_OPTIONS.md CURLOPT_SSL_SESSIONID_CACHE.md CURLOPT_SSL_SIGNATURE_ALGORITHMS.md CURLOPT_SSL_VERIFYHOST.md CURLOPT_SSL_VERIFYPEER.md CURLOPT_SSL_VERIFYSTATUS.md CURLOPT_STDERR.md CURLOPT_STREAM_DEPENDS.md CURLOPT_STREAM_DEPENDS_E.md CURLOPT_STREAM_WEIGHT.md CURLOPT_SUPPRESS_CONNECT_HEADERS.md CURLOPT_TCP_FASTOPEN.md CURLOPT_TCP_KEEPALIVE.md CURLOPT_TCP_KEEPCNT.md CURLOPT_TCP_KEEPIDLE.md CURLOPT_TCP_KEEPINTVL.md CURLOPT_TCP_NODELAY.md CURLOPT_TELNETOPTIONS.md CURLOPT_TFTP_BLKSIZE.md CURLOPT_TFTP_NO_OPTIONS.md CURLOPT_TIMECONDITION.md CURLOPT_TIMEOUT.md CURLOPT_TIMEOUT_MS.md CURLOPT_TIMEVALUE.md CURLOPT_TIMEVALUE_LARGE.md CURLOPT_TLS13_CIPHERS.md CURLOPT_TLSAUTH_PASSWORD.md CURLOPT_TLSAUTH_TYPE.md CURLOPT_TLSAUTH_USERNAME.md CURLOPT_TRAILERDATA.md CURLOPT_TRAILERFUNCTION.md CURLOPT_TRANSFERTEXT.md CURLOPT_TRANSFER_ENCODING.md CURLOPT_UNIX_SOCKET_PATH.md CURLOPT_UNRESTRICTED_AUTH.md CURLOPT_UPKEEP_INTERVAL_MS.md CURLOPT_UPLOAD.md CURLOPT_UPLOAD_BUFFERSIZE.md CURLOPT_UPLOAD_FLAGS.md CURLOPT_URL.md CURLOPT_USERAGENT.md CURLOPT_USERNAME.md CURLOPT_USERPWD.md CURLOPT_USE_SSL.md CURLOPT_VERBOSE.md CURLOPT_WILDCARDMATCH.md CURLOPT_WRITEDATA.md CURLOPT_WRITEFUNCTION.md CURLOPT_WS_OPTIONS.md CURLOPT_XFERINFODATA.md CURLOPT_XFERINFOFUNCTION.md CURLOPT_XOAUTH2_BEARER.md CURLSHOPT_LOCKFUNC.md CURLSHOPT_SHARE.md CURLSHOPT_UNLOCKFUNC.md CURLSHOPT_UNSHARE.md CURLSHOPT_USERDATA.md Makefile.am Makefile.incinclude
curl
Makefile.am curl.h curlver.h easy.h header.h mprintf.h multi.h options.h stdcheaders.h system.h typecheck-gcc.h urlapi.h websockets.hlib
curlx
base64.c base64.h basename.c basename.h dynbuf.c dynbuf.h fopen.c fopen.h inet_ntop.c inet_ntop.h inet_pton.c inet_pton.h multibyte.c multibyte.h nonblock.c nonblock.h snprintf.c snprintf.h strcopy.c strcopy.h strdup.c strdup.h strerr.c strerr.h strparse.c strparse.h timediff.c timediff.h timeval.c timeval.h version_win32.c version_win32.h wait.c wait.h warnless.c warnless.h winapi.c winapi.hvauth
cleartext.c cram.c digest.c digest.h digest_sspi.c gsasl.c krb5_gssapi.c krb5_sspi.c ntlm.c ntlm_sspi.c oauth2.c spnego_gssapi.c spnego_sspi.c vauth.c vauth.hvquic
curl_ngtcp2.c curl_ngtcp2.h curl_quiche.c curl_quiche.h vquic-tls.c vquic-tls.h vquic.c vquic.h vquic_int.hvtls
apple.c apple.h cipher_suite.c cipher_suite.h gtls.c gtls.h hostcheck.c hostcheck.h keylog.c keylog.h mbedtls.c mbedtls.h openssl.c openssl.h rustls.c rustls.h schannel.c schannel.h schannel_int.h schannel_verify.c vtls.c vtls.h vtls_int.h vtls_scache.c vtls_scache.h vtls_spack.c vtls_spack.h wolfssl.c wolfssl.h x509asn1.c x509asn1.hm4
.gitignore curl-amissl.m4 curl-apple-sectrust.m4 curl-compilers.m4 curl-confopts.m4 curl-functions.m4 curl-gnutls.m4 curl-mbedtls.m4 curl-openssl.m4 curl-override.m4 curl-reentrant.m4 curl-rustls.m4 curl-schannel.m4 curl-sysconfig.m4 curl-wolfssl.m4 xc-am-iface.m4 xc-cc-check.m4 xc-lt-iface.m4 xc-val-flgs.m4 zz40-xc-ovr.m4 zz50-xc-ovr.m4projects
OS400
.checksrc README.OS400 ccsidcurl.c ccsidcurl.h config400.default curl.cmd curl.inc.in curlcl.c curlmain.c initscript.sh make-docs.sh make-include.sh make-lib.sh make-src.sh make-tests.sh makefile.sh os400sys.c os400sys.hWindows
tmpl
.gitattributes README.txt curl-all.sln curl.sln curl.vcxproj curl.vcxproj.filters libcurl.sln libcurl.vcxproj libcurl.vcxproj.filtersvms
Makefile.am backup_gnv_curl_src.com build_curl-config_script.com build_gnv_curl.com build_gnv_curl_pcsi_desc.com build_gnv_curl_pcsi_text.com build_gnv_curl_release_notes.com build_libcurl_pc.com build_vms.com clean_gnv_curl.com compare_curl_source.com config_h.com curl_crtl_init.c curl_gnv_build_steps.txt curl_release_note_start.txt curl_startup.com curlmsg.h curlmsg.msg curlmsg.sdl curlmsg_vms.h generate_config_vms_h_curl.com generate_vax_transfer.com gnv_conftest.c_first gnv_curl_configure.sh gnv_libcurl_symbols.opt gnv_link_curl.com macro32_exactcase.patch make_gnv_curl_install.sh make_pcsi_curl_kit_name.com pcsi_gnv_curl_file_list.txt pcsi_product_gnv_curl.com readme report_openssl_version.c setup_gnv_curl_build.com stage_curl_install.com vms_eco_level.hscripts
.checksrc CMakeLists.txt Makefile.am badwords badwords-all badwords.txt cd2cd cd2nroff cdall checksrc-all.pl checksrc.pl cmakelint.sh completion.pl contributors.sh contrithanks.sh coverage.sh delta dmaketgz extract-unit-protos firefox-db2pem.sh installcheck.sh maketgz managen mdlinkcheck mk-ca-bundle.pl mk-unity.pl nroff2cd perlcheck.sh pythonlint.sh randdisable release-notes.pl release-tools.sh schemetable.c singleuse.pl spacecheck.pl top-complexity top-length verify-release wcurlsrc
.checksrc .gitignore CMakeLists.txt Makefile.am Makefile.inc config2setopts.c config2setopts.h curl.rc curlinfo.c mk-file-embed.pl mkhelp.pl slist_wc.c slist_wc.h terminal.c terminal.h tool_cb_dbg.c tool_cb_dbg.h tool_cb_hdr.c tool_cb_hdr.h tool_cb_prg.c tool_cb_prg.h tool_cb_rea.c tool_cb_rea.h tool_cb_see.c tool_cb_see.h tool_cb_soc.c tool_cb_soc.h tool_cb_wrt.c tool_cb_wrt.h tool_cfgable.c tool_cfgable.h tool_dirhie.c tool_dirhie.h tool_doswin.c tool_doswin.h tool_easysrc.c tool_easysrc.h tool_filetime.c tool_filetime.h tool_findfile.c tool_findfile.h tool_formparse.c tool_formparse.h tool_getparam.c tool_getparam.h tool_getpass.c tool_getpass.h tool_help.c tool_help.h tool_helpers.c tool_helpers.h tool_hugehelp.h tool_ipfs.c tool_ipfs.h tool_libinfo.c tool_libinfo.h tool_listhelp.c tool_main.c tool_main.h tool_msgs.c tool_msgs.h tool_operate.c tool_operate.h tool_operhlp.c tool_operhlp.h tool_paramhlp.c tool_paramhlp.h tool_parsecfg.c tool_parsecfg.h tool_progress.c tool_progress.h tool_sdecls.h tool_setopt.c tool_setopt.h tool_setup.h tool_ssls.c tool_ssls.h tool_stderr.c tool_stderr.h tool_urlglob.c tool_urlglob.h tool_util.c tool_util.h tool_version.h tool_vms.c tool_vms.h tool_writeout.c tool_writeout.h tool_writeout_json.c tool_writeout_json.h tool_xattr.c tool_xattr.h var.c var.htests
certs
.gitignore CMakeLists.txt Makefile.am Makefile.inc genserv.pl srp-verifier-conf srp-verifier-db test-ca.cnf test-ca.prm test-client-cert.prm test-client-eku-only.prm test-localhost-san-first.prm test-localhost-san-last.prm test-localhost.nn.prm test-localhost.prm test-localhost0h.prmdata
.gitignore DISABLED Makefile.am data-xml1 data1400.c data1401.c data1402.c data1403.c data1404.c data1405.c data1406.c data1407.c data1420.c data1461.txt data1463.txt data1465.c data1481.c data1705-1.md data1705-2.md data1705-3.md data1705-4.md data1705-stdout.1 data1706-1.md data1706-2.md data1706-3.md data1706-4.md data1706-stdout.txt data320.html test1 test10 test100 test1000 test1001 test1002 test1003 test1004 test1005 test1006 test1007 test1008 test1009 test101 test1010 test1011 test1012 test1013 test1014 test1015 test1016 test1017 test1018 test1019 test102 test1020 test1021 test1022 test1023 test1024 test1025 test1026 test1027 test1028 test1029 test103 test1030 test1031 test1032 test1033 test1034 test1035 test1036 test1037 test1038 test1039 test104 test1040 test1041 test1042 test1043 test1044 test1045 test1046 test1047 test1048 test1049 test105 test1050 test1051 test1052 test1053 test1054 test1055 test1056 test1057 test1058 test1059 test106 test1060 test1061 test1062 test1063 test1064 test1065 test1066 test1067 test1068 test1069 test107 test1070 test1071 test1072 test1073 test1074 test1075 test1076 test1077 test1078 test1079 test108 test1080 test1081 test1082 test1083 test1084 test1085 test1086 test1087 test1088 test1089 test109 test1090 test1091 test1092 test1093 test1094 test1095 test1096 test1097 test1098 test1099 test11 test110 test1100 test1101 test1102 test1103 test1104 test1105 test1106 test1107 test1108 test1109 test111 test1110 test1111 test1112 test1113 test1114 test1115 test1116 test1117 test1118 test1119 test112 test1120 test1121 test1122 test1123 test1124 test1125 test1126 test1127 test1128 test1129 test113 test1130 test1131 test1132 test1133 test1134 test1135 test1136 test1137 test1138 test1139 test114 test1140 test1141 test1142 test1143 test1144 test1145 test1146 test1147 test1148 test1149 test115 test1150 test1151 test1152 test1153 test1154 test1155 test1156 test1157 test1158 test1159 test116 test1160 test1161 test1162 test1163 test1164 test1165 test1166 test1167 test1168 test1169 test117 test1170 test1171 test1172 test1173 test1174 test1175 test1176 test1177 test1178 test1179 test118 test1180 test1181 test1182 test1183 test1184 test1185 test1186 test1187 test1188 test1189 test119 test1190 test1191 test1192 test1193 test1194 test1195 test1196 test1197 test1198 test1199 test12 test120 test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 test1208 test1209 test121 test1210 test1211 test1212 test1213 test1214 test1215 test1216 test1217 test1218 test1219 test122 test1220 test1221 test1222 test1223 test1224 test1225 test1226 test1227 test1228 test1229 test123 test1230 test1231 test1232 test1233 test1234 test1235 test1236 test1237 test1238 test1239 test124 test1240 test1241 test1242 test1243 test1244 test1245 test1246 test1247 test1248 test1249 test125 test1250 test1251 test1252 test1253 test1254 test1255 test1256 test1257 test1258 test1259 test126 test1260 test1261 test1262 test1263 test1264 test1265 test1266 test1267 test1268 test1269 test127 test1270 test1271 test1272 test1273 test1274 test1275 test1276 test1277 test1278 test1279 test128 test1280 test1281 test1282 test1283 test1284 test1285 test1286 test1287 test1288 test1289 test129 test1290 test1291 test1292 test1293 test1294 test1295 test1296 test1297 test1298 test1299 test13 test130 test1300 test1301 test1302 test1303 test1304 test1305 test1306 test1307 test1308 test1309 test131 test1310 test1311 test1312 test1313 test1314 test1315 test1316 test1317 test1318 test1319 test132 test1320 test1321 test1322 test1323 test1324 test1325 test1326 test1327 test1328 test1329 test133 test1330 test1331 test1332 test1333 test1334 test1335 test1336 test1337 test1338 test1339 test134 test1340 test1341 test1342 test1343 test1344 test1345 test1346 test1347 test1348 test1349 test135 test1350 test1351 test1352 test1353 test1354 test1355 test1356 test1357 test1358 test1359 test136 test1360 test1361 test1362 test1363 test1364 test1365 test1366 test1367 test1368 test1369 test137 test1370 test1371 test1372 test1373 test1374 test1375 test1376 test1377 test1378 test1379 test138 test1380 test1381 test1382 test1383 test1384 test1385 test1386 test1387 test1388 test1389 test139 test1390 test1391 test1392 test1393 test1394 test1395 test1396 test1397 test1398 test1399 test14 test140 test1400 test1401 test1402 test1403 test1404 test1405 test1406 test1407 test1408 test1409 test141 test1410 test1411 test1412 test1413 test1414 test1415 test1416 test1417 test1418 test1419 test142 test1420 test1421 test1422 test1423 test1424 test1425 test1426 test1427 test1428 test1429 test143 test1430 test1431 test1432 test1433 test1434 test1435 test1436 test1437 test1438 test1439 test144 test1440 test1441 test1442 test1443 test1444 test1445 test1446 test1447 test1448 test1449 test145 test1450 test1451 test1452 test1453 test1454 test1455 test1456 test1457 test1458 test1459 test146 test1460 test1461 test1462 test1463 test1464 test1465 test1466 test1467 test1468 test1469 test147 test1470 test1471 test1472 test1473 test1474 test1475 test1476 test1477 test1478 test1479 test148 test1480 test1481 test1482 test1483 test1484 test1485 test1486 test1487 test1488 test1489 test149 test1490 test1491 test1492 test1493 test1494 test1495 test1496 test1497 test1498 test1499 test15 test150 test1500 test1501 test1502 test1503 test1504 test1505 test1506 test1507 test1508 test1509 test151 test1510 test1511 test1512 test1513 test1514 test1515 test1516 test1517 test1518 test1519 test152 test1520 test1521 test1522 test1523 test1524 test1525 test1526 test1527 test1528 test1529 test153 test1530 test1531 test1532 test1533 test1534 test1535 test1536 test1537 test1538 test1539 test154 test1540 test1541 test1542 test1543 test1544 test1545 test1546 test1547 test1548 test1549 test155 test1550 test1551 test1552 test1553 test1554 test1555 test1556 test1557 test1558 test1559 test156 test1560 test1561 test1562 test1563 test1564 test1565 test1566 test1567 test1568 test1569 test157 test1570 test1571 test1572 test1573 test1574 test1575 test1576 test1577 test1578 test1579 test158 test1580 test1581 test1582 test1583 test1584 test1585 test1586 test1587 test1588 test1589 test159 test1590 test1591 test1592 test1593 test1594 test1595 test1596 test1597 test1598 test1599 test16 test160 test1600 test1601 test1602 test1603 test1604 test1605 test1606 test1607 test1608 test1609 test161 test1610 test1611 test1612 test1613 test1614 test1615 test1616 test1617 test1618 test1619 test162 test1620 test1621 test1622 test1623 test1624 test1625 test1626 test1627 test1628 test1629 test163 test1630 test1631 test1632 test1633 test1634 test1635 test1636 test1637 test1638 test1639 test164 test1640 test1641 test1642 test1643 test1644 test1645 test165 test1650 test1651 test1652 test1653 test1654 test1655 test1656 test1657 test1658 test1659 test166 test1660 test1661 test1662 test1663 test1664 test1665 test1666 test1667 test1668 test1669 test167 test1670 test1671 test1672 test1673 test1674 test1675 test1676 test168 test1680 test1681 test1682 test1683 test1684 test1685 test169 test17 test170 test1700 test1701 test1702 test1703 test1704 test1705 test1706 test1707 test1708 test1709 test171 test1710 test1711 test1712 test1713 test1714 test1715 test172 test1720 test1721 test173 test174 test175 test176 test177 test178 test179 test18 test180 test1800 test1801 test1802 test181 test182 test183 test184 test1847 test1848 test1849 test185 test1850 test1851 test186 test187 test188 test189 test19 test190 test1900 test1901 test1902 test1903 test1904 test1905 test1906 test1907 test1908 test1909 test191 test1910 test1911 test1912 test1913 test1914 test1915 test1916 test1917 test1918 test1919 test192 test1920 test1921 test193 test1933 test1934 test1935 test1936 test1937 test1938 test1939 test194 test1940 test1941 test1942 test1943 test1944 test1945 test1946 test1947 test1948 test195 test1955 test1956 test1957 test1958 test1959 test196 test1960 test1964 test1965 test1966 test197 test1970 test1971 test1972 test1973 test1974 test1975 test1976 test1977 test1978 test1979 test198 test1980 test1981 test1982 test1983 test1984 test199 test2 test20 test200 test2000 test2001 test2002 test2003 test2004 test2005 test2006 test2007 test2008 test2009 test201 test2010 test2011 test2012 test2013 test2014 test202 test2023 test2024 test2025 test2026 test2027 test2028 test2029 test203 test2030 test2031 test2032 test2033 test2034 test2035 test2037 test2038 test2039 test204 test2040 test2041 test2042 test2043 test2044 test2045 test2046 test2047 test2048 test2049 test205 test2050 test2051 test2052 test2053 test2054 test2055 test2056 test2057 test2058 test2059 test206 test2060 test2061 test2062 test2063 test2064 test2065 test2066 test2067 test2068 test2069 test207 test2070 test2071 test2072 test2073 test2074 test2075 test2076 test2077 test2078 test2079 test208 test2080 test2081 test2082 test2083 test2084 test2085 test2086 test2087 test2088 test2089 test209 test2090 test2091 test2092 test21 test210 test2100 test2101 test2102 test2103 test2104 test211 test212 test213 test214 test215 test216 test217 test218 test219 test22 test220 test2200 test2201 test2202 test2203 test2204 test2205 test2206 test2207 test221 test222 test223 test224 test225 test226 test227 test228 test229 test23 test230 test2300 test2301 test2302 test2303 test2304 test2306 test2307 test2308 test2309 test231 test232 test233 test234 test235 test236 test237 test238 test239 test24 test240 test2400 test2401 test2402 test2403 test2404 test2405 test2406 test2407 test2408 test2409 test241 test2410 test2411 test242 test243 test244 test245 test246 test247 test248 test249 test25 test250 test2500 test2501 test2502 test2503 test2504 test2505 test2506 test251 test252 test253 test254 test255 test256 test257 test258 test259 test26 test260 test2600 test2601 test2602 test2603 test2604 test2605 test261 test262 test263 test264 test265 test266 test267 test268 test269 test27 test270 test2700 test2701 test2702 test2703 test2704 test2705 test2706 test2707 test2708 test2709 test271 test2710 test2711 test2712 test2713 test2714 test2715 test2716 test2717 test2718 test2719 test272 test2720 test2721 test2722 test2723 test273 test274 test275 test276 test277 test278 test279 test28 test280 test281 test282 test283 test284 test285 test286 test287 test288 test289 test29 test290 test291 test292 test293 test294 test295 test296 test297 test298 test299 test3 test30 test300 test3000 test3001 test3002 test3003 test3004 test3005 test3006 test3007 test3008 test3009 test301 test3010 test3011 test3012 test3013 test3014 test3015 test3016 test3017 test3018 test3019 test302 test3020 test3021 test3022 test3023 test3024 test3025 test3026 test3027 test3028 test3029 test303 test3030 test3031 test3032 test3033 test3034 test3035 test3036 test304 test305 test306 test307 test308 test309 test31 test310 test3100 test3101 test3102 test3103 test3104 test3105 test3106 test311 test312 test313 test314 test315 test316 test317 test318 test319 test32 test320 test3200 test3201 test3202 test3203 test3204 test3205 test3206 test3207 test3208 test3209 test321 test3210 test3211 test3212 test3213 test3214 test3215 test3216 test3217 test3218 test3219 test322 test3220 test323 test324 test325 test326 test327 test328 test329 test33 test330 test3300 test3301 test3302 test331 test332 test333 test334 test335 test336 test337 test338 test339 test34 test340 test341 test342 test343 test344 test345 test346 test347 test348 test349 test35 test350 test351 test352 test353 test354 test355 test356 test357 test358 test359 test36 test360 test361 test362 test363 test364 test365 test366 test367 test368 test369 test37 test370 test371 test372 test373 test374 test375 test376 test378 test379 test38 test380 test381 test383 test384 test385 test386 test387 test388 test389 test39 test390 test391 test392 test393 test394 test395 test396 test397 test398 test399 test4 test40 test400 test4000 test4001 test401 test402 test403 test404 test405 test406 test407 test408 test409 test41 test410 test411 test412 test413 test414 test415 test416 test417 test418 test419 test42 test420 test421 test422 test423 test424 test425 test426 test427 test428 test429 test43 test430 test431 test432 test433 test434 test435 test436 test437 test438 test439 test44 test440 test441 test442 test443 test444 test445 test446 test447 test448 test449 test45 test450 test451 test452 test453 test454 test455 test456 test457 test458 test459 test46 test460 test461 test462 test463 test467 test468 test469 test47 test470 test471 test472 test473 test474 test475 test476 test477 test478 test479 test48 test480 test481 test482 test483 test484 test485 test486 test487 test488 test489 test49 test490 test491 test492 test493 test494 test495 test496 test497 test498 test499 test5 test50 test500 test501 test502 test503 test504 test505 test506 test507 test508 test509 test51 test510 test511 test512 test513 test514 test515 test516 test517 test518 test519 test52 test520 test521 test522 test523 test524 test525 test526 test527 test528 test529 test53 test530 test531 test532 test533 test534 test535 test536 test537 test538 test539 test54 test540 test541 test542 test543 test544 test545 test546 test547 test548 test549 test55 test550 test551 test552 test553 test554 test555 test556 test557 test558 test559 test56 test560 test561 test562 test563 test564 test565 test566 test567 test568 test569 test57 test570 test571 test572 test573 test574 test575 test576 test577 test578 test579 test58 test580 test581 test582 test583 test584 test585 test586 test587 test588 test589 test59 test590 test591 test592 test593 test594 test595 test596 test597 test598 test599 test6 test60 test600 test601 test602 test603 test604 test605 test606 test607 test608 test609 test61 test610 test611 test612 test613 test614 test615 test616 test617 test618 test619 test62 test620 test621 test622 test623 test624 test625 test626 test627 test628 test629 test63 test630 test631 test632 test633 test634 test635 test636 test637 test638 test639 test64 test640 test641 test642 test643 test644 test645 test646 test647 test648 test649 test65 test650 test651 test652 test653 test654 test655 test656 test658 test659 test66 test660 test661 test662 test663 test664 test665 test666 test667 test668 test669 test67 test670 test671 test672 test673 test674 test675 test676 test677 test678 test679 test68 test680 test681 test682 test683 test684 test685 test686 test687 test688 test689 test69 test690 test691 test692 test693 test694 test695 test696 test697 test698 test699 test7 test70 test700 test701 test702 test703 test704 test705 test706 test707 test708 test709 test71 test710 test711 test712 test713 test714 test715 test716 test717 test718 test719 test72 test720 test721 test722 test723 test724 test725 test726 test727 test728 test729 test73 test730 test731 test732 test733 test734 test735 test736 test737 test738 test739 test74 test740 test741 test742 test743 test744 test745 test746 test747 test748 test749 test75 test750 test751 test752 test753 test754 test755 test756 test757 test758 test759 test76 test760 test761 test762 test763 test764 test765 test766 test767 test768 test769 test77 test770 test771 test772 test773 test774 test775 test776 test777 test778 test779 test78 test780 test781 test782 test783 test784 test785 test786 test787 test788 test789 test79 test790 test791 test792 test793 test794 test795 test796 test797 test798 test799 test8 test80 test800 test801 test802 test803 test804 test805 test806 test807 test808 test809 test81 test810 test811 test812 test813 test814 test815 test816 test817 test818 test819 test82 test820 test821 test822 test823 test824 test825 test826 test827 test828 test829 test83 test830 test831 test832 test833 test834 test835 test836 test837 test838 test839 test84 test840 test841 test842 test843 test844 test845 test846 test847 test848 test849 test85 test850 test851 test852 test853 test854 test855 test856 test857 test858 test859 test86 test860 test861 test862 test863 test864 test865 test866 test867 test868 test869 test87 test870 test871 test872 test873 test874 test875 test876 test877 test878 test879 test88 test880 test881 test882 test883 test884 test885 test886 test887 test888 test889 test89 test890 test891 test892 test893 test894 test895 test896 test897 test898 test899 test9 test90 test900 test901 test902 test903 test904 test905 test906 test907 test908 test909 test91 test910 test911 test912 test913 test914 test915 test916 test917 test918 test919 test92 test920 test921 test922 test923 test924 test925 test926 test927 test928 test929 test93 test930 test931 test932 test933 test934 test935 test936 test937 test938 test939 test94 test940 test941 test942 test943 test944 test945 test946 test947 test948 test949 test95 test950 test951 test952 test953 test954 test955 test956 test957 test958 test959 test96 test960 test961 test962 test963 test964 test965 test966 test967 test968 test969 test97 test970 test971 test972 test973 test974 test975 test976 test977 test978 test979 test98 test980 test981 test982 test983 test984 test985 test986 test987 test988 test989 test99 test990 test991 test992 test993 test994 test995 test996 test997 test998 test999http
testenv
__init__.py caddy.py certs.py client.py curl.py dante.py dnsd.py env.py httpd.py nghttpx.py ports.py sshd.py vsftpd.py ws_echo_server.pylibtest
.gitignore CMakeLists.txt Makefile.am Makefile.inc cli_ftp_upload.c cli_h2_pausing.c cli_h2_serverpush.c cli_h2_upgrade_extreme.c cli_hx_download.c cli_hx_upload.c cli_tls_session_reuse.c cli_upload_pausing.c cli_ws_data.c cli_ws_pingpong.c first.c first.h lib1156.c lib1301.c lib1308.c lib1485.c lib1500.c lib1501.c lib1502.c lib1506.c lib1507.c lib1508.c lib1509.c lib1510.c lib1511.c lib1512.c lib1513.c lib1514.c lib1515.c lib1517.c lib1518.c lib1520.c lib1522.c lib1523.c lib1525.c lib1526.c lib1527.c lib1528.c lib1529.c lib1530.c lib1531.c lib1532.c lib1533.c lib1534.c lib1535.c lib1536.c lib1537.c lib1538.c lib1540.c lib1541.c lib1542.c lib1545.c lib1549.c lib1550.c lib1551.c lib1552.c lib1553.c lib1554.c lib1555.c lib1556.c lib1557.c lib1558.c lib1559.c lib1560.c lib1564.c lib1565.c lib1567.c lib1568.c lib1569.c lib1571.c lib1576.c lib1582.c lib1587.c lib1588.c lib1589.c lib1591.c lib1592.c lib1593.c lib1594.c lib1597.c lib1598.c lib1599.c lib1662.c lib1900.c lib1901.c lib1902.c lib1903.c lib1905.c lib1906.c lib1907.c lib1908.c lib1910.c lib1911.c lib1912.c lib1913.c lib1915.c lib1916.c lib1918.c lib1919.c lib1920.c lib1921.c lib1933.c lib1934.c lib1935.c lib1936.c lib1937.c lib1938.c lib1939.c lib1940.c lib1945.c lib1947.c lib1948.c lib1955.c lib1956.c lib1957.c lib1958.c lib1959.c lib1960.c lib1964.c lib1965.c lib1970.c lib1971.c lib1972.c lib1973.c lib1974.c lib1975.c lib1977.c lib1978.c lib2023.c lib2032.c lib2082.c lib2301.c lib2302.c lib2304.c lib2306.c lib2308.c lib2309.c lib2402.c lib2404.c lib2405.c lib2502.c lib2504.c lib2505.c lib2506.c lib2700.c lib3010.c lib3025.c lib3026.c lib3027.c lib3033.c lib3034.c lib3100.c lib3101.c lib3102.c lib3103.c lib3104.c lib3105.c lib3207.c lib3208.c lib500.c lib501.c lib502.c lib503.c lib504.c lib505.c lib506.c lib507.c lib508.c lib509.c lib510.c lib511.c lib512.c lib513.c lib514.c lib515.c lib516.c lib517.c lib518.c lib519.c lib520.c lib521.c lib523.c lib524.c lib525.c lib526.c lib530.c lib533.c lib536.c lib537.c lib539.c lib540.c lib541.c lib542.c lib543.c lib544.c lib547.c lib549.c lib552.c lib553.c lib554.c lib555.c lib556.c lib557.c lib558.c lib559.c lib560.c lib562.c lib564.c lib566.c lib567.c lib568.c lib569.c lib570.c lib571.c lib572.c lib573.c lib574.c lib575.c lib576.c lib578.c lib579.c lib582.c lib583.c lib586.c lib589.c lib590.c lib591.c lib597.c lib598.c lib599.c lib643.c lib650.c lib651.c lib652.c lib653.c lib654.c lib655.c lib658.c lib659.c lib661.c lib666.c lib667.c lib668.c lib670.c lib674.c lib676.c lib677.c lib678.c lib694.c lib695.c lib751.c lib753.c lib757.c lib758.c lib766.c memptr.c mk-lib1521.pl test1013.pl test1022.pl test307.pl test610.pl test613.pl testtrace.c testtrace.h testutil.c testutil.h unitcheck.hserver
.checksrc .gitignore CMakeLists.txt Makefile.am Makefile.inc dnsd.c first.c first.h getpart.c mqttd.c resolve.c rtspd.c sockfilt.c socksd.c sws.c tftpd.c util.ctunit
.gitignore CMakeLists.txt Makefile.am Makefile.inc README.md tool1394.c tool1604.c tool1621.c tool1622.c tool1623.c tool1720.cunit
.gitignore CMakeLists.txt Makefile.am Makefile.inc README.md unit1300.c unit1302.c unit1303.c unit1304.c unit1305.c unit1307.c unit1309.c unit1323.c unit1330.c unit1395.c unit1396.c unit1397.c unit1398.c unit1399.c unit1600.c unit1601.c unit1602.c unit1603.c unit1605.c unit1606.c unit1607.c unit1608.c unit1609.c unit1610.c unit1611.c unit1612.c unit1614.c unit1615.c unit1616.c unit1620.c unit1625.c unit1626.c unit1627.c unit1636.c unit1650.c unit1651.c unit1652.c unit1653.c unit1654.c unit1655.c unit1656.c unit1657.c unit1658.c unit1660.c unit1661.c unit1663.c unit1664.c unit1666.c unit1667.c unit1668.c unit1669.c unit1674.c unit1675.c unit1676.c unit1979.c unit1980.c unit2600.c unit2601.c unit2602.c unit2603.c unit2604.c unit2605.c unit3200.c unit3205.c unit3211.c unit3212.c unit3213.c unit3214.c unit3216.c unit3219.c unit3300.c unit3301.c unit3302.cexamples
.env config.ini crypto_test.lua env_test.lua fs_example.lua http_server.lua https_test.lua ini_example.lua json.lua log.lua path_fs_example.lua process_example.lua request_download.lua request_test.lua run_all.lua sqlite_example.lua sqlite_http_template.lua stash_test.lua template_test.lua timer.lua websocket.luainiparser
example
iniexample.c iniwrite.c parse.c twisted-errors.ini twisted-genhuge.py twisted-ofkey.ini twisted-ofval.ini twisted.initest
CMakeLists.txt test_dictionary.c test_iniparser.c unity-config.yml unity_config.hjinjac
libjinjac
src
CMakeLists.txt ast.c ast.h block_statement.c block_statement.h buffer.c buffer.h buildin.c buildin.h common.h convert.c convert.h flex_decl.h jfunction.c jfunction.h jinja_expression.l jinja_expression.y jinjac_parse.c jinjac_parse.h jinjac_stream.c jinjac_stream.h jlist.c jlist.h jobject.c jobject.h parameter.c parameter.h str_obj.c str_obj.h trace.c trace.htest
.gitignore CMakeLists.txt autotest.rb test_01.expected test_01.jinja test_01b.expected test_01b.jinja test_01c.expected test_01c.jinja test_01d.expected test_01d.jinja test_02.expected test_02.jinja test_03.expected test_03.jinja test_04.expected test_04.jinja test_05.expected test_05.jinja test_06.expected test_06.jinja test_07.expected test_07.jinja test_08.expected test_08.jinja test_08b.expected test_08b.jinja test_09.expected test_09.jinja test_10.expected test_10.jinja test_11.expected test_11.jinja test_12.expected test_12.jinja test_13.expected test_13.jinja test_14.expected test_14.jinja test_15.expected test_15.jinja test_16.expected test_16.jinja test_17.expected test_17.jinja test_18.expected test_18.jinja test_18b.expected test_18b.jinja test_18c.expected test_18c.jinja test_19.expected test_19.jinja test_19b.expected test_19b.jinja test_19c.expected test_19c.jinja test_19d.expected test_19d.jinja test_19e.expected test_19e.jinja test_19f.expected test_19f.jinja test_20.expected test_20.jinja test_21.expected test_21.jinja test_22.expected test_22.jinja test_22a.expected test_22a.jinja test_22b.expected test_22b.jinja test_23.expected test_23.jinja test_24.expected test_24.jinjalibev
Changes LICENSE Makefile Makefile.am Makefile.in README Symbols.ev Symbols.event aclocal.m4 autogen.sh compile config.guess config.h config.h.in config.status config.sub configure configure.ac depcomp ev++.h ev.3 ev.c ev.h ev.pod ev_epoll.c ev_kqueue.c ev_poll.c ev_port.c ev_select.c ev_vars.h ev_win32.c ev_wrap.h event.c event.h install-sh libev.m4 libtool ltmain.sh missing mkinstalldirs stamp-h1luajit
doc
bluequad-print.css bluequad.css contact.html ext_buffer.html ext_c_api.html ext_ffi.html ext_ffi_api.html ext_ffi_semantics.html ext_ffi_tutorial.html ext_jit.html ext_profiler.html extensions.html install.html luajit.html running.html
dynasm
dasm_arm.h dasm_arm.lua dasm_arm64.h dasm_arm64.lua dasm_mips.h dasm_mips.lua dasm_mips64.lua dasm_ppc.h dasm_ppc.lua dasm_proto.h dasm_x64.lua dasm_x86.h dasm_x86.lua dynasm.luasrc
host
.gitignore README buildvm.c buildvm.h buildvm_asm.c buildvm_fold.c buildvm_lib.c buildvm_libbc.h buildvm_peobj.c genlibbc.lua genminilua.lua genversion.lua minilua.cjit
.gitignore bc.lua bcsave.lua dis_arm.lua dis_arm64.lua dis_arm64be.lua dis_mips.lua dis_mips64.lua dis_mips64el.lua dis_mips64r6.lua dis_mips64r6el.lua dis_mipsel.lua dis_ppc.lua dis_x64.lua dis_x86.lua dump.lua p.lua v.lua zone.luawolfssl
.github
workflows
ada.yml arduino.yml async-examples.yml async.yml atecc608-sim.yml bind.yml cmake-autoconf.yml cmake.yml codespell.yml coverity-scan-fixes.yml cryptocb-only.yml curl.yml cyrus-sasl.yml disable-pk-algs.yml docker-Espressif.yml docker-OpenWrt.yml emnet-nonblock.yml fil-c.yml freertos-mem-track.yml gencertbuf.yml grpc.yml haproxy.yml hostap-vm.yml intelasm-c-fallback.yml ipmitool.yml jwt-cpp.yml krb5.yml libspdm.yml libssh2.yml libvncserver.yml linuxkm.yml macos-apple-native-cert-validation.yml mbedtls.sh mbedtls.yml membrowse-comment.yml membrowse-onboard.yml membrowse-report.yml memcached.sh memcached.yml mono.yml mosquitto.yml msmtp.yml msys2.yml multi-arch.yml multi-compiler.yml net-snmp.yml nginx.yml no-malloc.yml no-tls.yml nss.sh nss.yml ntp.yml ocsp.yml openldap.yml openssh.yml openssl-ech.yml opensslcoexist.yml openvpn.yml os-check.yml packaging.yml pam-ipmi.yml pq-all.yml pr-commit-check.yml psk.yml puf.yml python.yml rng-tools.yml rust-wrapper.yml se050-sim.yml smallStackSize.yml socat.yml softhsm.yml sssd.yml stm32-sim.yml stsafe-a120-sim.yml stunnel.yml symbol-prefixes.yml threadx.yml tls-anvil.yml trackmemory.yml watcomc.yml win-csharp-test.yml wolfCrypt-Wconversion.yml wolfboot-integration.yml wolfsm.yml xcode.yml zephyr-4.x.yml zephyr.ymlIDE
ARDUINO
Arduino_README_prepend.md README.md include.am keywords.txt library.properties.template wolfssl-arduino.cpp wolfssl-arduino.sh wolfssl.hECLIPSE
Espressif
ESP-IDF
examples
template
CMakeLists.txt Makefile README.md partitions_singleapp_large.csv sdkconfig.defaults sdkconfig.defaults.esp8266wolfssl_benchmark
VisualGDB
wolfssl_benchmark_IDF_v4.4_ESP32.sln wolfssl_benchmark_IDF_v4.4_ESP32.vgdbproj wolfssl_benchmark_IDF_v5_ESP32.sln wolfssl_benchmark_IDF_v5_ESP32.vgdbproj wolfssl_benchmark_IDF_v5_ESP32C3.sln wolfssl_benchmark_IDF_v5_ESP32C3.vgdbproj wolfssl_benchmark_IDF_v5_ESP32S3.sln wolfssl_benchmark_IDF_v5_ESP32S3.vgdbprojwolfssl_client
CMakeLists.txt Makefile README.md README_server_sm.md partitions_singleapp_large.csv sdkconfig.defaults sdkconfig.defaults.esp32c2 sdkconfig.defaults.esp8266 wolfssl_client_ESP8266.vgdbprojwolfssl_server
CMakeLists.txt Makefile README.md README_server_sm.md partitions_singleapp_large.csv sdkconfig.defaults sdkconfig.defaults.esp32c2 sdkconfig.defaults.esp8266 wolfssl_server_ESP8266.vgdbprojwolfssl_test
VisualGDB
wolfssl_test-IDF_v5_ESP32.sln wolfssl_test-IDF_v5_ESP32.vgdbproj wolfssl_test-IDF_v5_ESP32C3.sln wolfssl_test-IDF_v5_ESP32C3.vgdbproj wolfssl_test-IDF_v5_ESP32C6.sln wolfssl_test-IDF_v5_ESP32C6.vgdbproj wolfssl_test_IDF_v5_ESP32S3.sln wolfssl_test_IDF_v5_ESP32S3.vgdbprojGCC-ARM
Makefile Makefile.bench Makefile.client Makefile.common Makefile.server Makefile.static Makefile.test README.md include.am linker.ld linker_fips.ldIAR-EWARM
embOS
SAMV71_XULT
embOS_SAMV71_XULT_user_settings
user_settings.h user_settings_simple_example.h user_settings_verbose_example.hembOS_wolfcrypt_benchmark_SAMV71_XULT
README_wolfcrypt_benchmark wolfcrypt_benchmark.ewd wolfcrypt_benchmark.ewpINTIME-RTOS
Makefile README.md include.am libwolfssl.c libwolfssl.vcxproj user_settings.h wolfExamples.c wolfExamples.h wolfExamples.sln wolfExamples.vcxproj wolfssl-lib.sln wolfssl-lib.vcxprojMQX
Makefile README-jp.md README.md client-tls.c include.am server-tls.c user_config.h user_settings.hMSVS-2019-AZSPHERE
wolfssl_new_azsphere
.gitignore CMakeLists.txt CMakeSettings.json app_manifest.json applibs_versions.h launch.vs.json main.cNETOS
Makefile.wolfcrypt.inc README.md include.am user_settings.h user_settings.h-cert2425 user_settings.h-cert3389 wolfssl_netos_custom.cPlatformIO
examples
wolfssl_benchmark
CMakeLists.txt README.md platformio.ini sdkconfig.defaults wolfssl_benchmark.code-workspaceROWLEY-CROSSWORKS-ARM
Kinetis_FlashPlacement.xml README.md arm_startup.c benchmark_main.c hw.h include.am kinetis_hw.c retarget.c test_main.c user_settings.h wolfssl.hzp wolfssl_ltc.hzpRenesas
e2studio
RA6M3
README.md README_APRA6M_en.md README_APRA6M_jp.md include.amRX72N
EnvisionKit
Simple
README_EN.md README_JP.mdwolfssl_demo
key_data.c key_data.h user_settings.h wolfssl_demo.c wolfssl_demo.h wolfssl_tsip_unit_test.cSTM32Cube
README.md STM32_Benchmarks.md default_conf.ftl include.am main.c wolfssl_example.c wolfssl_example.hWIN
README.txt include.am test.vcxproj user_settings.h user_settings_dtls.h wolfssl-fips.sln wolfssl-fips.vcxprojWIN-SRTP-KDF-140-3
README.txt include.am resource.h test.vcxproj user_settings.h wolfssl-fips.rc wolfssl-fips.sln wolfssl-fips.vcxprojWIN10
README.txt include.am resource.h test.vcxproj user_settings.h wolfssl-fips.rc wolfssl-fips.sln wolfssl-fips.vcxprojXCODE
Benchmark
include.amXilinxSDK
README.md bench.sh combine.sh eclipse_formatter_profile.xml graph.sh include.am user_settings.h wolfssl_example.capple-universal
wolfssl-multiplatform
iotsafe
Makefile README.md ca-cert.c devices.c devices.h include.am main.c memory-tls.c startup.c target.ld user_settings.hmynewt
README.md apps.wolfcrypttest.pkg.yml crypto.wolfssl.pkg.yml crypto.wolfssl.syscfg.yml include.am setup.shcerts
1024
ca-cert.der ca-cert.pem ca-key.der ca-key.pem client-cert.der client-cert.pem client-key.der client-key.pem client-keyPub.der dh1024.der dh1024.pem dsa-pub-1024.pem dsa1024.der dsa1024.pem include.am rsa1024.der server-cert.der server-cert.pem server-key.der server-key.pemcrl
extra-crls
ca-int-cert-revoked.pem claim-root.pem crl_critical_entry.pem crlnum_57oct.pem crlnum_64oct.pem general-server-crl.pem large_crlnum.pem large_crlnum2.pemdilithium
bench_dilithium_level2_key.der bench_dilithium_level3_key.der bench_dilithium_level5_key.der include.amecc
bp256r1-key.der bp256r1-key.pem ca-secp256k1-cert.pem ca-secp256k1-key.pem client-bp256r1-cert.der client-bp256r1-cert.pem client-secp256k1-cert.der client-secp256k1-cert.pem genecc.sh include.am secp256k1-key.der secp256k1-key.pem secp256k1-param.pem secp256k1-privkey.der secp256k1-privkey.pem server-bp256r1-cert.der server-bp256r1-cert.pem server-secp256k1-cert.der server-secp256k1-cert.pem server2-secp256k1-cert.der server2-secp256k1-cert.pem wolfssl.cnf wolfssl_384.cnfed25519
ca-ed25519-key.der ca-ed25519-key.pem ca-ed25519-priv.der ca-ed25519-priv.pem ca-ed25519.der ca-ed25519.pem client-ed25519-key.der client-ed25519-key.pem client-ed25519-priv.der client-ed25519-priv.pem client-ed25519.der client-ed25519.pem eddsa-ed25519.der eddsa-ed25519.pem gen-ed25519-certs.sh gen-ed25519-keys.sh gen-ed25519.sh include.am root-ed25519-key.der root-ed25519-key.pem root-ed25519-priv.der root-ed25519-priv.pem root-ed25519.der root-ed25519.pem server-ed25519-cert.pem server-ed25519-key.der server-ed25519-key.pem server-ed25519-priv.der server-ed25519-priv.pem server-ed25519.der server-ed25519.pemed448
ca-ed448-key.der ca-ed448-key.pem ca-ed448-priv.der ca-ed448-priv.pem ca-ed448.der ca-ed448.pem client-ed448-key.der client-ed448-key.pem client-ed448-priv.der client-ed448-priv.pem client-ed448.der client-ed448.pem gen-ed448-certs.sh gen-ed448-keys.sh include.am root-ed448-key.der root-ed448-key.pem root-ed448-priv.der root-ed448-priv.pem root-ed448.der root-ed448.pem server-ed448-cert.pem server-ed448-key.der server-ed448-key.pem server-ed448-priv.der server-ed448-priv.pem server-ed448.der server-ed448.pemexternal
DigiCertGlobalRootCA.pem README.txt ca-digicert-ev.pem ca-globalsign-root.pem ca-google-root.pem ca_collection.pem include.amintermediate
ca_false_intermediate
gentestcert.sh int_ca.key server.key test_ca.key test_ca.pem test_int_not_cacert.pem test_sign_bynoca_srv.pem wolfssl_base.conf wolfssl_srv.conflms
bc_hss_L2_H5_W8_root.der bc_hss_L3_H5_W4_root.der bc_lms_chain_ca.der bc_lms_chain_leaf.der bc_lms_native_bc_root.der bc_lms_sha256_h10_w8_root.der bc_lms_sha256_h5_w4_root.der include.ammldsa
README.txt include.am mldsa44-cert.der mldsa44-cert.pem mldsa44-key.pem mldsa44_bare-priv.der mldsa44_bare-seed.der mldsa44_oqskeypair.der mldsa44_priv-only.der mldsa44_pub-spki.der mldsa44_seed-only.der mldsa44_seed-priv.der mldsa65-cert.der mldsa65-cert.pem mldsa65-key.pem mldsa65_bare-priv.der mldsa65_bare-seed.der mldsa65_oqskeypair.der mldsa65_priv-only.der mldsa65_pub-spki.der mldsa65_seed-only.der mldsa65_seed-priv.der mldsa87-cert.der mldsa87-cert.pem mldsa87-key.pem mldsa87_bare-priv.der mldsa87_bare-seed.der mldsa87_oqskeypair.der mldsa87_priv-only.der mldsa87_pub-spki.der mldsa87_seed-only.der mldsa87_seed-priv.derocsp
imposter-root-ca-cert.der imposter-root-ca-cert.pem imposter-root-ca-key.der imposter-root-ca-key.pem include.am index-ca-and-intermediate-cas.txt index-ca-and-intermediate-cas.txt.attr index-intermediate1-ca-issued-certs.txt index-intermediate1-ca-issued-certs.txt.attr index-intermediate2-ca-issued-certs.txt index-intermediate2-ca-issued-certs.txt.attr index-intermediate3-ca-issued-certs.txt index-intermediate3-ca-issued-certs.txt.attr intermediate1-ca-cert.der intermediate1-ca-cert.pem intermediate1-ca-key.der intermediate1-ca-key.pem intermediate2-ca-cert.der intermediate2-ca-cert.pem intermediate2-ca-key.der intermediate2-ca-key.pem intermediate3-ca-cert.der intermediate3-ca-cert.pem intermediate3-ca-key.der intermediate3-ca-key.pem ocsp-responder-cert.der ocsp-responder-cert.pem ocsp-responder-key.der ocsp-responder-key.pem openssl.cnf renewcerts-for-test.sh renewcerts.sh root-ca-cert.der root-ca-cert.pem root-ca-crl.pem root-ca-key.der root-ca-key.pem server1-cert.der server1-cert.pem server1-chain-noroot.pem server1-key.der server1-key.pem server2-cert.der server2-cert.pem server2-key.der server2-key.pem server3-cert.der server3-cert.pem server3-key.der server3-key.pem server4-cert.der server4-cert.pem server4-key.der server4-key.pem server5-cert.der server5-cert.pem server5-key.der server5-key.pem test-leaf-response.der test-multi-response.der test-response-nointern.der test-response-rsapss.der test-response.derp521
ca-p521-key.der ca-p521-key.pem ca-p521-priv.der ca-p521-priv.pem ca-p521.der ca-p521.pem client-p521-key.der client-p521-key.pem client-p521-priv.der client-p521-priv.pem client-p521.der client-p521.pem gen-p521-certs.sh gen-p521-keys.sh include.am root-p521-key.der root-p521-key.pem root-p521-priv.der root-p521-priv.pem root-p521.der root-p521.pem server-p521-cert.pem server-p521-key.der server-p521-key.pem server-p521-priv.der server-p521-priv.pem server-p521.der server-p521.pemrpk
client-cert-rpk.der client-ecc-cert-rpk.der include.am server-cert-rpk.der server-ecc-cert-rpk.derrsapss
ca-3072-rsapss-key.der ca-3072-rsapss-key.pem ca-3072-rsapss-priv.der ca-3072-rsapss-priv.pem ca-3072-rsapss.der ca-3072-rsapss.pem ca-rsapss-key.der ca-rsapss-key.pem ca-rsapss-priv.der ca-rsapss-priv.pem ca-rsapss.der ca-rsapss.pem client-3072-rsapss-key.der client-3072-rsapss-key.pem client-3072-rsapss-priv.der client-3072-rsapss-priv.pem client-3072-rsapss.der client-3072-rsapss.pem client-rsapss-key.der client-rsapss-key.pem client-rsapss-priv.der client-rsapss-priv.pem client-rsapss.der client-rsapss.pem gen-rsapss-keys.sh include.am renew-rsapss-certs.sh root-3072-rsapss-key.der root-3072-rsapss-key.pem root-3072-rsapss-priv.der root-3072-rsapss-priv.pem root-3072-rsapss.der root-3072-rsapss.pem root-rsapss-key.der root-rsapss-key.pem root-rsapss-priv.der root-rsapss-priv.pem root-rsapss.der root-rsapss.pem server-3072-rsapss-cert.pem server-3072-rsapss-key.der server-3072-rsapss-key.pem server-3072-rsapss-priv.der server-3072-rsapss-priv.pem server-3072-rsapss.der server-3072-rsapss.pem server-mix-rsapss-cert.pem server-rsapss-cert.pem server-rsapss-key.der server-rsapss-key.pem server-rsapss-priv.der server-rsapss-priv.pem server-rsapss.der server-rsapss.pemslhdsa
bench_slhdsa_sha2_128f_key.der bench_slhdsa_sha2_128s_key.der bench_slhdsa_sha2_192f_key.der bench_slhdsa_sha2_192s_key.der bench_slhdsa_sha2_256f_key.der bench_slhdsa_sha2_256s_key.der bench_slhdsa_shake128f_key.der bench_slhdsa_shake128s_key.der bench_slhdsa_shake192f_key.der bench_slhdsa_shake192s_key.der bench_slhdsa_shake256f_key.der bench_slhdsa_shake256s_key.der client-mldsa44-priv.pem client-mldsa44-sha2.der client-mldsa44-sha2.pem client-mldsa44-shake.der client-mldsa44-shake.pem gen-slhdsa-mldsa-certs.sh include.am root-slhdsa-sha2-128s-priv.der root-slhdsa-sha2-128s-priv.pem root-slhdsa-sha2-128s.der root-slhdsa-sha2-128s.pem root-slhdsa-shake-128s-priv.der root-slhdsa-shake-128s-priv.pem root-slhdsa-shake-128s.der root-slhdsa-shake-128s.pem server-mldsa44-priv.pem server-mldsa44-sha2.der server-mldsa44-sha2.pem server-mldsa44-shake.der server-mldsa44-shake.pemsm2
ca-sm2-key.der ca-sm2-key.pem ca-sm2-priv.der ca-sm2-priv.pem ca-sm2.der ca-sm2.pem client-sm2-key.der client-sm2-key.pem client-sm2-priv.der client-sm2-priv.pem client-sm2.der client-sm2.pem fix_sm2_spki.py gen-sm2-certs.sh gen-sm2-keys.sh include.am root-sm2-key.der root-sm2-key.pem root-sm2-priv.der root-sm2-priv.pem root-sm2.der root-sm2.pem self-sm2-cert.pem self-sm2-key.pem self-sm2-priv.pem server-sm2-cert.der server-sm2-cert.pem server-sm2-key.der server-sm2-key.pem server-sm2-priv.der server-sm2-priv.pem server-sm2.der server-sm2.pemstatickeys
dh-ffdhe2048-params.pem dh-ffdhe2048-pub.der dh-ffdhe2048-pub.pem dh-ffdhe2048.der dh-ffdhe2048.pem ecc-secp256r1.der ecc-secp256r1.pem gen-static.sh include.am x25519-pub.der x25519-pub.pem x25519.der x25519.pemtest
catalog.txt cert-bad-neg-int.der cert-bad-oid.der cert-bad-utf8.der cert-ext-ia.cfg cert-ext-ia.der cert-ext-ia.pem cert-ext-joi.cfg cert-ext-joi.der cert-ext-joi.pem cert-ext-mnc.der cert-ext-multiple.cfg cert-ext-multiple.der cert-ext-multiple.pem cert-ext-nc-combined.der cert-ext-nc-combined.pem cert-ext-nc.cfg cert-ext-nc.der cert-ext-nc.pem cert-ext-ncdns.der cert-ext-ncdns.pem cert-ext-ncip.der cert-ext-ncip.pem cert-ext-ncmixed.der cert-ext-ncmulti.der cert-ext-ncmulti.pem cert-ext-ncrid.der cert-ext-ncrid.pem cert-ext-nct.cfg cert-ext-nct.der cert-ext-nct.pem cert-ext-ndir-exc.cfg cert-ext-ndir-exc.der cert-ext-ndir-exc.pem cert-ext-ndir.cfg cert-ext-ndir.der cert-ext-ndir.pem cert-ext-ns.der cert-over-max-altnames.cfg cert-over-max-altnames.der cert-over-max-altnames.pem cert-over-max-nc.cfg cert-over-max-nc.der cert-over-max-nc.pem client-ecc-cert-ski.hex cn-ip-literal.der cn-ip-wildcard.der crit-cert.pem crit-key.pem dh1024.der dh1024.pem dh512.der dh512.pem digsigku.pem encrypteddata.msg gen-badsig.sh gen-ext-certs.sh gen-testcerts.sh include.am kari-keyid-cms.msg ktri-keyid-cms.msg ossl-trusted-cert.pem server-badaltname.der server-badaltname.pem server-badaltnull.der server-badaltnull.pem server-badcn.der server-badcn.pem server-badcnnull.der server-badcnnull.pem server-cert-ecc-badsig.der server-cert-ecc-badsig.pem server-cert-rsa-badsig.der server-cert-rsa-badsig.pem server-duplicate-policy.pem server-garbage.der server-garbage.pem server-goodalt.der server-goodalt.pem server-goodaltwild.der server-goodaltwild.pem server-goodcn.der server-goodcn.pem server-goodcnwild.der server-goodcnwild.pem server-localhost.der server-localhost.pem smime-test-canon.p7s smime-test-multipart-badsig.p7s smime-test-multipart.p7s smime-test.p7stest-pathlen
assemble-chains.sh chainA-ICA1-key.pem chainA-ICA1-pathlen0.pem chainA-assembled.pem chainA-entity-key.pem chainA-entity.pem chainB-ICA1-key.pem chainB-ICA1-pathlen0.pem chainB-ICA2-key.pem chainB-ICA2-pathlen1.pem chainB-assembled.pem chainB-entity-key.pem chainB-entity.pem chainC-ICA1-key.pem chainC-ICA1-pathlen1.pem chainC-assembled.pem chainC-entity-key.pem chainC-entity.pem chainD-ICA1-key.pem chainD-ICA1-pathlen127.pem chainD-assembled.pem chainD-entity-key.pem chainD-entity.pem chainE-ICA1-key.pem chainE-ICA1-pathlen128.pem chainE-assembled.pem chainE-entity-key.pem chainE-entity.pem chainF-ICA1-key.pem chainF-ICA1-pathlen1.pem chainF-ICA2-key.pem chainF-ICA2-pathlen0.pem chainF-assembled.pem chainF-entity-key.pem chainF-entity.pem chainG-ICA1-key.pem chainG-ICA1-pathlen0.pem chainG-ICA2-key.pem chainG-ICA2-pathlen1.pem chainG-ICA3-key.pem chainG-ICA3-pathlen99.pem chainG-ICA4-key.pem chainG-ICA4-pathlen5.pem chainG-ICA5-key.pem chainG-ICA5-pathlen20.pem chainG-ICA6-key.pem chainG-ICA6-pathlen10.pem chainG-ICA7-key.pem chainG-ICA7-pathlen100.pem chainG-assembled.pem chainG-entity-key.pem chainG-entity.pem chainH-ICA1-key.pem chainH-ICA1-pathlen0.pem chainH-ICA2-key.pem chainH-ICA2-pathlen2.pem chainH-ICA3-key.pem chainH-ICA3-pathlen2.pem chainH-ICA4-key.pem chainH-ICA4-pathlen2.pem chainH-assembled.pem chainH-entity-key.pem chainH-entity.pem chainI-ICA1-key.pem chainI-ICA1-no_pathlen.pem chainI-ICA2-key.pem chainI-ICA2-no_pathlen.pem chainI-ICA3-key.pem chainI-ICA3-pathlen2.pem chainI-assembled.pem chainI-entity-key.pem chainI-entity.pem chainJ-ICA1-key.pem chainJ-ICA1-no_pathlen.pem chainJ-ICA2-key.pem chainJ-ICA2-no_pathlen.pem chainJ-ICA3-key.pem chainJ-ICA3-no_pathlen.pem chainJ-ICA4-key.pem chainJ-ICA4-pathlen2.pem chainJ-assembled.pem chainJ-entity-key.pem chainJ-entity.pem include.am refreshkeys.shtest-serial0
ee_normal.pem ee_serial0.pem generate_certs.sh include.am intermediate_serial0.pem root_serial0.pem root_serial0_key.pem selfsigned_nonca_serial0.pemxmss
bc_xmss_chain_ca.der bc_xmss_chain_leaf.der bc_xmss_sha2_10_256_root.der bc_xmss_sha2_16_256_root.der bc_xmssmt_sha2_20_2_256_root.der bc_xmssmt_sha2_20_4_256_root.der bc_xmssmt_sha2_40_8_256_root.der include.amcmake
Config.cmake.in README.md config.in functions.cmake include.am options.h.in wolfssl-config-version.cmake.in wolfssl-targets.cmake.indebian
changelog.in control.in copyright include.am libwolfssl-dev.install libwolfssl.install rules.indoc
dox_comments
header_files
aes.h arc4.h ascon.h asn.h asn_public.h blake2.h bn.h camellia.h chacha.h chacha20_poly1305.h cmac.h coding.h compress.h cryptocb.h curve25519.h curve448.h des3.h dh.h doxygen_groups.h doxygen_pages.h dsa.h ecc.h eccsi.h ed25519.h ed448.h error-crypt.h evp.h hash.h hmac.h iotsafe.h kdf.h logging.h md2.h md4.h md5.h memory.h ocsp.h pem.h pkcs11.h pkcs7.h poly1305.h psa.h puf.h pwdbased.h quic.h random.h ripemd.h rsa.h sakke.h sha.h sha256.h sha3.h sha512.h signature.h siphash.h srp.h ssl.h tfm.h types.h wc_encrypt.h wc_port.h wc_she.h wc_slhdsa.h wolfio.hheader_files-ja
aes.h arc4.h ascon.h asn.h asn_public.h blake2.h bn.h camellia.h chacha.h chacha20_poly1305.h cmac.h coding.h compress.h cryptocb.h curve25519.h curve448.h des3.h dh.h doxygen_groups.h doxygen_pages.h dsa.h ecc.h eccsi.h ed25519.h ed448.h error-crypt.h evp.h hash.h hmac.h iotsafe.h kdf.h logging.h md2.h md4.h md5.h memory.h ocsp.h pem.h pkcs11.h pkcs7.h poly1305.h psa.h pwdbased.h quic.h random.h ripemd.h rsa.h sakke.h sha.h sha256.h sha3.h sha512.h signature.h siphash.h srp.h ssl.h tfm.h types.h wc_encrypt.h wc_port.h wolfio.h
examples
async
Makefile README.md async_client.c async_server.c async_tls.c async_tls.h include.am user_settings.hconfigs
README.md include.am user_settings_EBSnet.h user_settings_all.h user_settings_arduino.h user_settings_baremetal.h user_settings_ca.h user_settings_curve25519nonblock.h user_settings_dtls13.h user_settings_eccnonblock.h user_settings_espressif.h user_settings_fipsv2.h user_settings_fipsv5.h user_settings_min_ecc.h user_settings_openssl_compat.h user_settings_pkcs7.h user_settings_platformio.h user_settings_pq.h user_settings_rsa_only.h user_settings_stm32.h user_settings_template.h user_settings_tls12.h user_settings_tls13.h user_settings_wolfboot_keytools.h user_settings_wolfssh.h user_settings_wolftpm.hechoclient
echoclient.c echoclient.h echoclient.sln echoclient.vcproj echoclient.vcxproj include.am quitlinuxkm
Kbuild Makefile README.md get_thread_size.c include.am linuxkm-fips-hash-wrapper.sh linuxkm-fips-hash.c linuxkm_memory.c linuxkm_memory.h linuxkm_wc_port.h lkcapi_aes_glue.c lkcapi_dh_glue.c lkcapi_ecdh_glue.c lkcapi_ecdsa_glue.c lkcapi_glue.c lkcapi_rsa_glue.c lkcapi_sha_glue.c module_exports.c.template module_hooks.c pie_redirect_table.c wolfcrypt.lds x86_vector_register_glue.cm4
ax_add_am_macro.m4 ax_am_jobserver.m4 ax_am_macros.m4 ax_append_compile_flags.m4 ax_append_flag.m4 ax_append_link_flags.m4 ax_append_to_file.m4 ax_atomic.m4 ax_bsdkm.m4 ax_check_compile_flag.m4 ax_check_link_flag.m4 ax_compiler_version.m4 ax_count_cpus.m4 ax_create_generic_config.m4 ax_debug.m4 ax_file_escapes.m4 ax_harden_compiler_flags.m4 ax_linuxkm.m4 ax_print_to_file.m4 ax_pthread.m4 ax_require_defined.m4 ax_tls.m4 ax_vcs_checkout.m4 hexversion.m4 lib_socket_nsl.m4 visibility.m4mqx
wolfcrypt_benchmark
ReferencedRSESystems.xml wolfcrypt_benchmark_twrk70f120m_Int_Flash_DDRData_Debug_PnE_U-MultiLink.launch wolfcrypt_benchmark_twrk70f120m_Int_Flash_DDRData_Release_PnE_U-MultiLink.launch wolfcrypt_benchmark_twrk70f120m_Int_Flash_SramData_Debug_JTrace.jlink wolfcrypt_benchmark_twrk70f120m_Int_Flash_SramData_Debug_JTrace.launch wolfcrypt_benchmark_twrk70f120m_Int_Flash_SramData_Debug_PnE_U-MultiLink.launch wolfcrypt_benchmark_twrk70f120m_Int_Flash_SramData_Release_PnE_U-MultiLink.launchwolfcrypt_test
ReferencedRSESystems.xml wolfcrypt_test_twrk70f120m_Int_Flash_DDRData_Debug_PnE_U-MultiLink.launch wolfcrypt_test_twrk70f120m_Int_Flash_DDRData_Release_PnE_U-MultiLink.launch wolfcrypt_test_twrk70f120m_Int_Flash_SramData_Debug_JTrace.jlink wolfcrypt_test_twrk70f120m_Int_Flash_SramData_Debug_JTrace.launch wolfcrypt_test_twrk70f120m_Int_Flash_SramData_Debug_PnE_U-MultiLink.launch wolfcrypt_test_twrk70f120m_Int_Flash_SramData_Release_PnE_U-MultiLink.launchwolfssl_client
ReferencedRSESystems.xml wolfssl_client_twrk70f120m_Int_Flash_DDRData_Debug_PnE_U-MultiLink.launch wolfssl_client_twrk70f120m_Int_Flash_DDRData_Release_PnE_U-MultiLink.launch wolfssl_client_twrk70f120m_Int_Flash_SramData_Debug_JTrace.jlink wolfssl_client_twrk70f120m_Int_Flash_SramData_Debug_JTrace.launch wolfssl_client_twrk70f120m_Int_Flash_SramData_Debug_PnE_U-MultiLink.launch wolfssl_client_twrk70f120m_Int_Flash_SramData_Release_PnE_U-MultiLink.launchscripts
aria-cmake-build-test.sh asn1_oid_sum.pl benchmark.test benchmark_compare.sh cleanup_testfiles.sh crl-gen-openssl.test crl-revoked.test dertoc.pl dtls.test dtlscid.test external.test google.test include.am makedistsmall.sh memtest.sh ocsp-responder-openssl-interop.test ocsp-stapling-with-ca-as-responder.test ocsp-stapling-with-wolfssl-responder.test ocsp-stapling.test ocsp-stapling2.test ocsp-stapling_tls13multi.test ocsp.test openssl.test openssl_srtp.test pem.test ping.test pkcallbacks.test psk.test resume.test rsapss.test sniffer-gen.sh sniffer-ipv6.pcap sniffer-static-rsa.pcap sniffer-testsuite.test sniffer-tls12-keylog.out sniffer-tls12-keylog.pcap sniffer-tls12-keylog.sslkeylog sniffer-tls13-dh-resume.pcap sniffer-tls13-dh.pcap sniffer-tls13-ecc-resume.pcap sniffer-tls13-ecc.pcap sniffer-tls13-hrr.pcap sniffer-tls13-keylog.out sniffer-tls13-keylog.pcap sniffer-tls13-keylog.sslkeylog sniffer-tls13-x25519-resume.pcap sniffer-tls13-x25519.pcap stm32l4-v4_0_1_build.sh tls13.test trusted_peer.test unit.test.in user_settings_asm.shsrc
bio.c conf.c crl.c dtls.c dtls13.c include.am internal.c keys.c ocsp.c pk.c pk_ec.c pk_rsa.c quic.c sniffer.c ssl.c ssl_api_cert.c ssl_api_crl_ocsp.c ssl_api_pk.c ssl_asn1.c ssl_bn.c ssl_certman.c ssl_crypto.c ssl_ech.c ssl_load.c ssl_misc.c ssl_p7p12.c ssl_sess.c ssl_sk.c tls.c tls13.c wolfio.c x509.c x509_str.ctests
api
api.h api_decl.h create_ocsp_test_blobs.py include.am test_aes.c test_aes.h test_arc4.c test_arc4.h test_ascon.c test_ascon.h test_ascon_kats.h test_asn.c test_asn.h test_blake2.c test_blake2.h test_camellia.c test_camellia.h test_certman.c test_certman.h test_chacha.c test_chacha.h test_chacha20_poly1305.c test_chacha20_poly1305.h test_cmac.c test_cmac.h test_curve25519.c test_curve25519.h test_curve448.c test_curve448.h test_des3.c test_des3.h test_dh.c test_dh.h test_digest.h test_dsa.c test_dsa.h test_dtls.c test_dtls.h test_ecc.c test_ecc.h test_ed25519.c test_ed25519.h test_ed448.c test_ed448.h test_evp.c test_evp.h test_evp_cipher.c test_evp_cipher.h test_evp_digest.c test_evp_digest.h test_evp_pkey.c test_evp_pkey.h test_hash.c test_hash.h test_hmac.c test_hmac.h test_md2.c test_md2.h test_md4.c test_md4.h test_md5.c test_md5.h test_mldsa.c test_mldsa.h test_mlkem.c test_mlkem.h test_ocsp.c test_ocsp.h test_ocsp_test_blobs.h test_ossl_asn1.c test_ossl_asn1.h test_ossl_bio.c test_ossl_bio.h test_ossl_bn.c test_ossl_bn.h test_ossl_cipher.c test_ossl_cipher.h test_ossl_dgst.c test_ossl_dgst.h test_ossl_dh.c test_ossl_dh.h test_ossl_dsa.c test_ossl_dsa.h test_ossl_ec.c test_ossl_ec.h test_ossl_ecx.c test_ossl_ecx.h test_ossl_mac.c test_ossl_mac.h test_ossl_obj.c test_ossl_obj.h test_ossl_p7p12.c test_ossl_p7p12.h test_ossl_pem.c test_ossl_pem.h test_ossl_rand.c test_ossl_rand.h test_ossl_rsa.c test_ossl_rsa.h test_ossl_sk.c test_ossl_sk.h test_ossl_x509.c test_ossl_x509.h test_ossl_x509_acert.c test_ossl_x509_acert.h test_ossl_x509_crypto.c test_ossl_x509_crypto.h test_ossl_x509_ext.c test_ossl_x509_ext.h test_ossl_x509_info.c test_ossl_x509_info.h test_ossl_x509_io.c test_ossl_x509_io.h test_ossl_x509_lu.c test_ossl_x509_lu.h test_ossl_x509_name.c test_ossl_x509_name.h test_ossl_x509_pk.c test_ossl_x509_pk.h test_ossl_x509_str.c test_ossl_x509_str.h test_ossl_x509_vp.c test_ossl_x509_vp.h test_pkcs12.c test_pkcs12.h test_pkcs7.c test_pkcs7.h test_poly1305.c test_poly1305.h test_random.c test_random.h test_rc2.c test_rc2.h test_ripemd.c test_ripemd.h test_rsa.c test_rsa.h test_sha.c test_sha.h test_sha256.c test_sha256.h test_sha3.c test_sha3.h test_sha512.c test_sha512.h test_she.c test_she.h test_signature.c test_signature.h test_slhdsa.c test_slhdsa.h test_sm2.c test_sm2.h test_sm3.c test_sm3.h test_sm4.c test_sm4.h test_tls.c test_tls.h test_tls13.c test_tls13.h test_tls_ext.c test_tls_ext.h test_wc_encrypt.c test_wc_encrypt.h test_wolfmath.c test_wolfmath.h test_x509.c test_x509.hwolfcrypt
benchmark
README.md benchmark-VS2022.sln benchmark-VS2022.vcxproj benchmark-VS2022.vcxproj.user benchmark.c benchmark.h benchmark.sln benchmark.vcproj benchmark.vcxproj include.amsrc
port
Espressif
esp_crt_bundle
README.md cacrt_all.pem cacrt_deprecated.pem cacrt_local.pem esp_crt_bundle.c gen_crt_bundle.py pio_install_cryptography.pyRenesas
README.md renesas_common.c renesas_fspsm_aes.c renesas_fspsm_rsa.c renesas_fspsm_sha.c renesas_fspsm_util.c renesas_rx64_hw_sha.c renesas_rx64_hw_util.c renesas_tsip_aes.c renesas_tsip_rsa.c renesas_tsip_sha.c renesas_tsip_util.carm
armv8-32-aes-asm.S armv8-32-aes-asm_c.c armv8-32-chacha-asm.S armv8-32-chacha-asm_c.c armv8-32-curve25519.S armv8-32-curve25519_c.c armv8-32-mlkem-asm.S armv8-32-mlkem-asm_c.c armv8-32-poly1305-asm.S armv8-32-poly1305-asm_c.c armv8-32-sha256-asm.S armv8-32-sha256-asm_c.c armv8-32-sha3-asm.S armv8-32-sha3-asm_c.c armv8-32-sha512-asm.S armv8-32-sha512-asm_c.c armv8-aes-asm.S armv8-aes-asm_c.c armv8-aes.c armv8-chacha-asm.S armv8-chacha-asm_c.c armv8-curve25519.S armv8-curve25519_c.c armv8-mlkem-asm.S armv8-mlkem-asm_c.c armv8-poly1305-asm.S armv8-poly1305-asm_c.c armv8-sha256-asm.S armv8-sha256-asm_c.c armv8-sha256.c armv8-sha3-asm.S armv8-sha3-asm_c.c armv8-sha512-asm.S armv8-sha512-asm_c.c armv8-sha512.c cryptoCell.c cryptoCellHash.c thumb2-aes-asm.S thumb2-aes-asm_c.c thumb2-chacha-asm.S thumb2-chacha-asm_c.c thumb2-curve25519.S thumb2-curve25519_c.c thumb2-mlkem-asm.S thumb2-mlkem-asm_c.c thumb2-poly1305-asm.S thumb2-poly1305-asm_c.c thumb2-sha256-asm.S thumb2-sha256-asm_c.c thumb2-sha3-asm.S thumb2-sha3-asm_c.c thumb2-sha512-asm.S thumb2-sha512-asm_c.ccaam
README.md caam_aes.c caam_doc.pdf caam_driver.c caam_error.c caam_integrity.c caam_qnx.c caam_sha.c wolfcaam_aes.c wolfcaam_cmac.c wolfcaam_ecdsa.c wolfcaam_fsl_nxp.c wolfcaam_hash.c wolfcaam_hmac.c wolfcaam_init.c wolfcaam_qnx.c wolfcaam_rsa.c wolfcaam_seco.c wolfcaam_x25519.cdevcrypto
README.md devcrypto_aes.c devcrypto_ecdsa.c devcrypto_hash.c devcrypto_hmac.c devcrypto_rsa.c devcrypto_x25519.c wc_devcrypto.criscv
riscv-64-aes.c riscv-64-chacha.c riscv-64-poly1305.c riscv-64-sha256.c riscv-64-sha3.c riscv-64-sha512.cwolfssl
openssl
aes.h asn1.h asn1t.h bio.h bn.h buffer.h camellia.h cmac.h cms.h compat_types.h conf.h crypto.h des.h dh.h dsa.h ec.h ec25519.h ec448.h ecdh.h ecdsa.h ed25519.h ed448.h engine.h err.h evp.h fips_rand.h hmac.h include.am kdf.h lhash.h md4.h md5.h modes.h obj_mac.h objects.h ocsp.h opensslconf.h opensslv.h ossl_typ.h pem.h pkcs12.h pkcs7.h rand.h rc4.h ripemd.h rsa.h safestack.h sha.h sha3.h srp.h ssl.h ssl23.h stack.h tls1.h txt_db.h ui.h x509.h x509_vfy.h x509v3.hwolfcrypt
port
Renesas
renesas-fspsm-crypt.h renesas-fspsm-types.h renesas-rx64-hw-crypt.h renesas-tsip-crypt.h renesas_cmn.h renesas_fspsm_internal.h renesas_sync.h renesas_tsip_internal.h renesas_tsip_types.hcaam
caam_driver.h caam_error.h caam_qnx.h wolfcaam.h wolfcaam_aes.h wolfcaam_cmac.h wolfcaam_ecdsa.h wolfcaam_fsl_nxp.h wolfcaam_hash.h wolfcaam_qnx.h wolfcaam_rsa.h wolfcaam_seco.h wolfcaam_sha.h wolfcaam_x25519.hwrapper
Ada
examples
src
aes_verify_main.adb rsa_verify_main.adb sha256_main.adb spark_sockets.adb spark_sockets.ads spark_terminal.adb spark_terminal.ads tls_client.adb tls_client.ads tls_client_main.adb tls_server.adb tls_server.ads tls_server_main.adbtests
src
aes_bindings_tests.adb aes_bindings_tests.ads rsa_verify_bindings_tests.adb rsa_verify_bindings_tests.ads sha256_bindings_tests.adb sha256_bindings_tests.ads tests.adbCSharp
wolfSSL-Example-IOCallbacks
App.config wolfSSL-Example-IOCallbacks.cs wolfSSL-Example-IOCallbacks.csprojwolfSSL-TLS-ServerThreaded
App.config wolfSSL-TLS-ServerThreaded.cs wolfSSL-TLS-ServerThreaded.csprojrust
wolfssl-wolfcrypt
src
aes.rs blake2.rs chacha20_poly1305.rs cmac.rs cmac_mac.rs curve25519.rs dh.rs dilithium.rs ecc.rs ecdsa.rs ed25519.rs ed448.rs fips.rs hkdf.rs hmac.rs hmac_mac.rs kdf.rs lib.rs lms.rs mlkem.rs mlkem_kem.rs pbkdf2_password_hash.rs prf.rs random.rs rsa.rs rsa_pkcs1v15.rs sha.rs sha_digest.rs sys.rstests
test_aes.rs test_blake2.rs test_chacha20_poly1305.rs test_cmac.rs test_cmac_mac.rs test_curve25519.rs test_dh.rs test_dilithium.rs test_ecc.rs test_ecdsa.rs test_ed25519.rs test_ed448.rs test_hkdf.rs test_hmac.rs test_hmac_mac.rs test_kdf.rs test_lms.rs test_mlkem.rs test_mlkem_kem.rs test_pbkdf2_password_hash.rs test_prf.rs test_random.rs test_rsa.rs test_rsa_pkcs1v15.rs test_sha.rs test_sha_digest.rs test_wolfcrypt.rszephyr
samples
wolfssl_benchmark
CMakeLists.txt README install_test.sh prj.conf sample.yaml zephyr_legacy.conf zephyr_v4.1.confwolfssl_test
CMakeLists.txt README install_test.sh prj-no-malloc.conf prj.conf sample.yaml zephyr_legacy.conf zephyr_v4.1.conf
curl/lib/vtls/schannel.c
raw
1/***************************************************************************
2 * _ _ ____ _
3 * Project ___| | | | _ \| |
4 * / __| | | | |_) | |
5 * | (__| |_| | _ <| |___
6 * \___|\___/|_| \_\_____|
7 *
8 * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
9 * Copyright (C) Marc Hoersken, <info@marc-hoersken.de>
10 * Copyright (C) Mark Salisbury, <mark.salisbury@hp.com>
11 *
12 * This software is licensed as described in the file COPYING, which
13 * you should have received as part of this distribution. The terms
14 * are also available at https://curl.se/docs/copyright.html.
15 *
16 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
17 * copies of the Software, and permit persons to whom the Software is
18 * furnished to do so, under the terms of the COPYING file.
19 *
20 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
21 * KIND, either express or implied.
22 *
23 * SPDX-License-Identifier: curl
24 *
25 ***************************************************************************/
26/*
27 * Source file for all Schannel-specific code for the TLS/SSL layer. No code
28 * but vtls.c should ever call or use these functions.
29 */
30#include "curl_setup.h"
31
32#ifdef USE_SCHANNEL
33
34#ifndef USE_WINDOWS_SSPI
35#error "cannot compile Schannel support without SSPI."
36#endif
37
38#include "vtls/schannel.h"
39#include "vtls/schannel_int.h"
40#include "vtls/vtls.h"
41#include "vtls/vtls_int.h"
42#include "vtls/vtls_scache.h"
43#include "curl_trc.h"
44#include "connect.h" /* for the connect timeout */
45#include "curlx/strdup.h"
46#include "strerror.h"
47#include "select.h" /* for the socket readiness */
48#include "curlx/fopen.h"
49#include "curlx/multibyte.h"
50#include "vtls/x509asn1.h"
51#include "system_win32.h"
52#include "curlx/version_win32.h"
53#include "rand.h"
54#include "curlx/strparse.h"
55#include "progress.h"
56#include "curl_sha256.h"
57
58/* Some verbose debug messages are wrapped by SCH_DEV() instead of DEBUGF()
59 * and only shown if CURL_SCHANNEL_DEV_DEBUG was defined at build time. These
60 * messages are extra verbose and intended for curl developers debugging
61 * Schannel recv decryption and renegotiation.
62 */
63#ifdef CURL_SCHANNEL_DEV_DEBUG
64#define SCH_DEV(x) x
65#define SCH_DEV_SHOWBOOL(x) \
66 infof(data, "schannel: " #x " %s", (x) ? "TRUE" : "FALSE");
67#else
68#define SCH_DEV(x) do {} while(0)
69#define SCH_DEV_SHOWBOOL(x) do {} while(0)
70#endif
71
72/* Offered by mingw-w64 v8+, MS SDK 7.0A/VS2010+ */
73#ifndef SP_PROT_TLS1_0_CLIENT
74#define SP_PROT_TLS1_0_CLIENT SP_PROT_TLS1_CLIENT
75#endif
76#ifndef SP_PROT_TLS1_1_CLIENT
77#define SP_PROT_TLS1_1_CLIENT 0x00000200
78#endif
79#ifndef SP_PROT_TLS1_2_CLIENT
80#define SP_PROT_TLS1_2_CLIENT 0x00000800
81#endif
82
83/* Offered by mingw-w64 v8+, MS SDK 10.0.15063.0/VS2017 15.1+ */
84#ifndef SP_PROT_TLS1_3_CLIENT
85#define SP_PROT_TLS1_3_CLIENT 0x00002000
86#endif
87/* Offered by mingw-w64 v8+, MS SDK 8.1/~VS2013+ */
88#ifndef SCH_USE_STRONG_CRYPTO
89#define SCH_USE_STRONG_CRYPTO 0x00400000
90#endif
91
92/* Offered by mingw-w64 v10+, MS SDK 7.0A/VS2010+ */
93#ifndef SECBUFFER_ALERT
94#define SECBUFFER_ALERT 17
95#endif
96
97/* Both schannel buffer sizes must be > 0 */
98#define CURL_SCHANNEL_BUFFER_INIT_SIZE 4096
99#define CURL_SCHANNEL_BUFFER_FREE_SIZE 1024
100
101#define CERT_THUMBPRINT_STR_LEN 40
102#define CERT_THUMBPRINT_DATA_LEN 20
103
104/* Uncomment to force verbose output
105 * #define infof(x, y, ...) curl_mprintf(y, __VA_ARGS__)
106 * #define failf(x, y, ...) curl_mprintf(y, __VA_ARGS__)
107 */
108
109/* Offered by mingw-w64 v4+, MS SDK 6.0A/VS2008+ */
110#ifndef PKCS12_NO_PERSIST_KEY
111#define PKCS12_NO_PERSIST_KEY 0x00008000
112#endif
113
114/* Offered by mingw-w64 v4+, MS SDK 8.0/~VS2012+ */
115#ifndef CERT_FIND_HAS_PRIVATE_KEY
116#define CERT_FIND_HAS_PRIVATE_KEY (21 << CERT_COMPARE_SHIFT)
117#endif
118
119/* key to use at `multi->proto_hash` */
120#define MPROTO_SCHANNEL_CERT_SHARE_KEY "tls:schannel:cert:share"
121
122/* ALPN requires version 8.1 of the Windows SDK, which was
123 shipped with Visual Studio 2013, aka _MSC_VER 1800:
124 https://learn.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831771
125 Or mingw-w64 9.0 or upper.
126*/
127#if (defined(__MINGW64_VERSION_MAJOR) && __MINGW64_VERSION_MAJOR >= 9) || \
128 (defined(_MSC_VER) && (_MSC_VER >= 1800) && !defined(_USING_V110_SDK71_))
129#define HAS_ALPN_SCHANNEL
130static bool s_win_has_alpn;
131#endif
132
133static void InitSecBuffer(SecBuffer *buffer, unsigned long BufType,
134 void *BufDataPtr, unsigned long BufByteSize)
135{
136 buffer->cbBuffer = BufByteSize;
137 buffer->BufferType = BufType;
138 buffer->pvBuffer = BufDataPtr;
139}
140
141static void InitSecBufferDesc(SecBufferDesc *desc, SecBuffer *BufArr,
142 unsigned long NumArrElem)
143{
144 desc->ulVersion = SECBUFFER_VERSION;
145 desc->pBuffers = BufArr;
146 desc->cBuffers = NumArrElem;
147}
148
149static CURLcode schannel_set_ssl_version_min_max(DWORD *enabled_protocols,
150 struct Curl_cfilter *cf,
151 struct Curl_easy *data)
152{
153 struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
154 long ssl_version = conn_config->version;
155 long ssl_version_max = (long)conn_config->version_max;
156 long i = ssl_version;
157
158 switch(ssl_version_max) {
159 case CURL_SSLVERSION_MAX_NONE:
160 case CURL_SSLVERSION_MAX_DEFAULT:
161
162 /* Windows Server 2022 and newer (including Windows 11) support TLS 1.3
163 built-in. Previous builds of Windows 10 had broken TLS 1.3
164 implementations that could be enabled via registry.
165 */
166 if(curlx_verify_windows_version(10, 0, 20348, PLATFORM_WINNT,
167 VERSION_GREATER_THAN_EQUAL)) {
168 ssl_version_max = CURL_SSLVERSION_MAX_TLSv1_3;
169 }
170 else /* Windows 10 and older */
171 ssl_version_max = CURL_SSLVERSION_MAX_TLSv1_2;
172
173 break;
174 }
175
176 for(; i <= (ssl_version_max >> 16); ++i) {
177 switch(i) {
178 case CURL_SSLVERSION_TLSv1_0:
179 *enabled_protocols |= SP_PROT_TLS1_0_CLIENT;
180 break;
181 case CURL_SSLVERSION_TLSv1_1:
182 *enabled_protocols |= SP_PROT_TLS1_1_CLIENT;
183 break;
184 case CURL_SSLVERSION_TLSv1_2:
185 *enabled_protocols |= SP_PROT_TLS1_2_CLIENT;
186 break;
187 case CURL_SSLVERSION_TLSv1_3:
188
189 /* Windows Server 2022 and newer */
190 if(curlx_verify_windows_version(10, 0, 20348, PLATFORM_WINNT,
191 VERSION_GREATER_THAN_EQUAL)) {
192 *enabled_protocols |= SP_PROT_TLS1_3_CLIENT;
193 break;
194 }
195 else { /* Windows 10 and older */
196 failf(data, "schannel: TLS 1.3 not supported on Windows prior to 11");
197 return CURLE_SSL_CONNECT_ERROR;
198 }
199 }
200 }
201 return CURLE_OK;
202}
203
204#define CIPHEROPTION(x) { #x, x }
205
206struct algo {
207 const char *name;
208 int id;
209};
210
211static const struct algo algs[] = {
212 CIPHEROPTION(CALG_MD2),
213 CIPHEROPTION(CALG_MD4),
214 CIPHEROPTION(CALG_MD5),
215 CIPHEROPTION(CALG_SHA),
216 CIPHEROPTION(CALG_SHA1),
217 CIPHEROPTION(CALG_MAC),
218 CIPHEROPTION(CALG_RSA_SIGN),
219 CIPHEROPTION(CALG_DSS_SIGN),
220 CIPHEROPTION(CALG_NO_SIGN),
221 CIPHEROPTION(CALG_RSA_KEYX),
222 CIPHEROPTION(CALG_DES),
223 CIPHEROPTION(CALG_3DES_112),
224 CIPHEROPTION(CALG_3DES),
225 CIPHEROPTION(CALG_DESX),
226 CIPHEROPTION(CALG_RC2),
227 CIPHEROPTION(CALG_RC4),
228 CIPHEROPTION(CALG_SEAL),
229 CIPHEROPTION(CALG_DH_SF),
230 CIPHEROPTION(CALG_DH_EPHEM),
231 CIPHEROPTION(CALG_AGREEDKEY_ANY),
232 CIPHEROPTION(CALG_HUGHES_MD5),
233 CIPHEROPTION(CALG_SKIPJACK),
234 CIPHEROPTION(CALG_TEK),
235 CIPHEROPTION(CALG_CYLINK_MEK), /* spellchecker:disable-line */
236 CIPHEROPTION(CALG_SSL3_SHAMD5),
237 CIPHEROPTION(CALG_SSL3_MASTER),
238 CIPHEROPTION(CALG_SCHANNEL_MASTER_HASH),
239 CIPHEROPTION(CALG_SCHANNEL_MAC_KEY),
240 CIPHEROPTION(CALG_SCHANNEL_ENC_KEY),
241 CIPHEROPTION(CALG_PCT1_MASTER),
242 CIPHEROPTION(CALG_SSL2_MASTER),
243 CIPHEROPTION(CALG_TLS1_MASTER),
244 CIPHEROPTION(CALG_RC5),
245 CIPHEROPTION(CALG_HMAC),
246 CIPHEROPTION(CALG_TLS1PRF),
247 CIPHEROPTION(CALG_HASH_REPLACE_OWF),
248 CIPHEROPTION(CALG_AES_128),
249 CIPHEROPTION(CALG_AES_192),
250 CIPHEROPTION(CALG_AES_256),
251 CIPHEROPTION(CALG_AES),
252 CIPHEROPTION(CALG_SHA_256),
253 CIPHEROPTION(CALG_SHA_384),
254 CIPHEROPTION(CALG_SHA_512),
255 CIPHEROPTION(CALG_ECDH),
256/* Offered by mingw-w64 v4+, MS SDK 6.0A/VS2008+ */
257#ifdef CALG_ECMQV
258 CIPHEROPTION(CALG_ECMQV),
259#endif
260 CIPHEROPTION(CALG_ECDSA),
261/* Offered by mingw-w64 v7+, MS SDK 7.0A/VS2010+ */
262#ifdef CALG_ECDH_EPHEM
263 CIPHEROPTION(CALG_ECDH_EPHEM),
264#endif
265 { NULL, 0 },
266};
267
268static int get_alg_id_by_name(const char *name)
269{
270 const char *nameEnd = strchr(name, ':');
271 size_t n = nameEnd ? (size_t)(nameEnd - name) : strlen(name);
272 int i;
273
274 for(i = 0; algs[i].name; i++) {
275 if((n == strlen(algs[i].name) && !strncmp(algs[i].name, name, n)))
276 return algs[i].id;
277 }
278 return 0; /* not found */
279}
280
281#define NUM_CIPHERS 47 /* There are a maximum of 47 options listed above */
282
283static CURLcode set_ssl_ciphers(SCHANNEL_CRED *schannel_cred, char *ciphers,
284 ALG_ID *algIds)
285{
286 const char *startCur = ciphers;
287 int algCount = 0;
288 while(startCur && *startCur && (algCount < NUM_CIPHERS)) {
289 curl_off_t alg;
290 if(curlx_str_number(&startCur, &alg, INT_MAX) || !alg)
291 alg = get_alg_id_by_name(startCur);
292
293 if(alg)
294 algIds[algCount++] = (ALG_ID)alg;
295 else if(!strncmp(startCur, "USE_STRONG_CRYPTO",
296 sizeof("USE_STRONG_CRYPTO") - 1) ||
297 !strncmp(startCur, "SCH_USE_STRONG_CRYPTO",
298 sizeof("SCH_USE_STRONG_CRYPTO") - 1))
299 schannel_cred->dwFlags |= SCH_USE_STRONG_CRYPTO;
300 else
301 return CURLE_SSL_CIPHER;
302 startCur = strchr(startCur, ':');
303 if(startCur)
304 startCur++;
305 }
306 schannel_cred->palgSupportedAlgs = algIds;
307 schannel_cred->cSupportedAlgs = (DWORD)algCount;
308 return CURLE_OK;
309}
310
311/* Function allocates memory for store_path only if CURLE_OK is returned */
312static CURLcode get_cert_location(TCHAR *path, DWORD *store_name,
313 TCHAR **store_path, TCHAR **thumbprint)
314{
315 TCHAR *sep;
316 TCHAR *store_path_start;
317 size_t store_name_len;
318
319 sep = _tcschr(path, TEXT('\\'));
320 if(!sep)
321 return CURLE_SSL_CERTPROBLEM;
322
323 store_name_len = sep - path;
324
325 if(_tcsncmp(path, TEXT("CurrentUser"), store_name_len) == 0)
326 *store_name = CERT_SYSTEM_STORE_CURRENT_USER;
327 else if(_tcsncmp(path, TEXT("LocalMachine"), store_name_len) == 0)
328 *store_name = CERT_SYSTEM_STORE_LOCAL_MACHINE;
329 else if(_tcsncmp(path, TEXT("CurrentService"), store_name_len) == 0)
330 *store_name = CERT_SYSTEM_STORE_CURRENT_SERVICE;
331 else if(_tcsncmp(path, TEXT("Services"), store_name_len) == 0)
332 *store_name = CERT_SYSTEM_STORE_SERVICES;
333 else if(_tcsncmp(path, TEXT("Users"), store_name_len) == 0)
334 *store_name = CERT_SYSTEM_STORE_USERS;
335 else if(_tcsncmp(path, TEXT("CurrentUserGroupPolicy"), store_name_len) == 0)
336 *store_name = CERT_SYSTEM_STORE_CURRENT_USER_GROUP_POLICY;
337 else if(_tcsncmp(path, TEXT("LocalMachineGroupPolicy"), store_name_len) == 0)
338 *store_name = CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY;
339 else if(_tcsncmp(path, TEXT("LocalMachineEnterprise"), store_name_len) == 0)
340 *store_name = CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE;
341 else
342 return CURLE_SSL_CERTPROBLEM;
343
344 store_path_start = sep + 1;
345
346 sep = _tcschr(store_path_start, TEXT('\\'));
347 if(!sep)
348 return CURLE_SSL_CERTPROBLEM;
349
350 *thumbprint = sep + 1;
351 if(_tcslen(*thumbprint) != CERT_THUMBPRINT_STR_LEN)
352 return CURLE_SSL_CERTPROBLEM;
353
354 *sep = TEXT('\0');
355 *store_path = curlx_tcsdup(store_path_start);
356 *sep = TEXT('\\');
357 if(!*store_path)
358 return CURLE_OUT_OF_MEMORY;
359
360 return CURLE_OK;
361}
362
363static CURLcode get_client_cert(struct Curl_easy *data,
364 HCERTSTORE *out_cert_store,
365 PCCERT_CONTEXT *out_cert_context)
366{
367 PCCERT_CONTEXT client_cert = NULL;
368 HCERTSTORE client_cert_store = NULL;
369 CURLcode result = CURLE_OK;
370
371 if(data->set.ssl.primary.clientcert || data->set.ssl.primary.cert_blob) {
372 DWORD cert_store_name = 0;
373 TCHAR *cert_store_path = NULL;
374 TCHAR *cert_thumbprint_str = NULL;
375 TCHAR cert_thumbprint_buf[CERT_THUMBPRINT_STR_LEN + 1];
376 CRYPT_HASH_BLOB cert_thumbprint;
377 BYTE cert_thumbprint_data[CERT_THUMBPRINT_DATA_LEN];
378 HCERTSTORE cert_store = NULL;
379 FILE *fInCert = NULL;
380 void *certdata = NULL;
381 size_t certsize = 0;
382 bool blob = data->set.ssl.primary.cert_blob != NULL;
383
384 if(blob) {
385 certdata = data->set.ssl.primary.cert_blob->data;
386 certsize = data->set.ssl.primary.cert_blob->len;
387 }
388 else {
389 TCHAR *cert_path =
390 curlx_convert_UTF8_to_tchar(data->set.ssl.primary.clientcert);
391 if(!cert_path)
392 return CURLE_OUT_OF_MEMORY;
393
394 result = get_cert_location(cert_path, &cert_store_name,
395 &cert_store_path, &cert_thumbprint_str);
396
397 /* 'cert_thumbprint_str' points in to the allocated 'cert_path', copy
398 the data. The string is verified to be CERT_THUMBPRINT_STR_LEN bytes
399 long within the get_cert_location() function. */
400 if(!result && cert_thumbprint_str) {
401 memcpy(cert_thumbprint_buf, cert_thumbprint_str,
402 sizeof(cert_thumbprint_buf));
403 cert_thumbprint_str = cert_thumbprint_buf;
404 }
405
406 curlx_free(cert_path);
407 if(result && (data->set.ssl.primary.clientcert[0] != '\0'))
408 fInCert = curlx_fopen(data->set.ssl.primary.clientcert, "rb");
409
410 if(result && !fInCert) {
411 failf(data, "schannel: Failed to get certificate location"
412 " or file for %s",
413 data->set.ssl.primary.clientcert);
414 return result;
415 }
416 }
417
418 if((fInCert || blob) && data->set.ssl.cert_type &&
419 !curl_strequal(data->set.ssl.cert_type, "P12")) {
420 failf(data, "schannel: certificate format compatibility error "
421 "for %s",
422 blob ? "(memory blob)" : data->set.ssl.primary.clientcert);
423 curlx_free(cert_store_path);
424 if(fInCert)
425 curlx_fclose(fInCert);
426 return CURLE_SSL_CERTPROBLEM;
427 }
428
429 if(fInCert || blob) {
430 /* Reading a .p12 or .pfx file, like the example at bottom of
431 https://learn.microsoft.com/archive/msdn-technet-forums/3e7bc95f-b21a-4bcd-bd2c-7f996718cae5
432 */
433 CRYPT_DATA_BLOB datablob;
434 WCHAR *pszPassword;
435 size_t pwd_len = 0;
436 int cert_find_flags;
437 const char *cert_showfilename_error = blob ?
438 "(memory blob)" : data->set.ssl.primary.clientcert;
439 curlx_free(cert_store_path);
440 if(fInCert) {
441 long cert_tell = 0;
442 bool continue_reading = fseek(fInCert, 0, SEEK_END) == 0;
443 if(continue_reading)
444 cert_tell = ftell(fInCert);
445 if(cert_tell < 0)
446 continue_reading = FALSE;
447 else
448 certsize = (size_t)cert_tell;
449 if(continue_reading)
450 continue_reading = fseek(fInCert, 0, SEEK_SET) == 0;
451 if(continue_reading && (certsize < CURL_MAX_INPUT_LENGTH))
452 certdata = curlx_malloc(certsize + 1);
453 if((!certdata) ||
454 ((int) fread(certdata, certsize, 1, fInCert) != 1))
455 continue_reading = FALSE;
456 curlx_fclose(fInCert);
457 if(!continue_reading) {
458 failf(data, "schannel: Failed to read cert file %s",
459 data->set.ssl.primary.clientcert);
460 curlx_free(certdata);
461 return CURLE_SSL_CERTPROBLEM;
462 }
463 }
464
465 /* Convert key-pair data to the in-memory certificate store */
466 datablob.pbData = (BYTE *)certdata;
467 datablob.cbData = (DWORD)certsize;
468
469 if(data->set.ssl.key_passwd)
470 pwd_len = strlen(data->set.ssl.key_passwd);
471 pszPassword = (WCHAR *)curlx_malloc(sizeof(WCHAR) * (pwd_len + 1));
472 if(pszPassword) {
473 int str_w_len = 0;
474 if(pwd_len > 0)
475 str_w_len = MultiByteToWideChar(CP_UTF8,
476 MB_ERR_INVALID_CHARS,
477 data->set.ssl.key_passwd,
478 (int)pwd_len,
479 pszPassword, (int)(pwd_len + 1));
480
481 if((str_w_len >= 0) && (str_w_len <= (int)pwd_len))
482 pszPassword[str_w_len] = 0;
483 else
484 pszPassword[0] = 0;
485
486 cert_store = PFXImportCertStore(&datablob, pszPassword,
487 PKCS12_NO_PERSIST_KEY);
488 curlx_free(pszPassword);
489 }
490 if(!blob)
491 curlx_free(certdata);
492 if(!cert_store) {
493 DWORD errorcode = GetLastError();
494 if(errorcode == ERROR_INVALID_PASSWORD)
495 failf(data, "schannel: Failed to import cert file %s, "
496 "password is bad",
497 cert_showfilename_error);
498 else
499 failf(data, "schannel: Failed to import cert file %s, "
500 "last error is 0x%08lx",
501 cert_showfilename_error, errorcode);
502 return CURLE_SSL_CERTPROBLEM;
503 }
504
505 /* CERT_FIND_HAS_PRIVATE_KEY is only available in Windows 8 / Server
506 2012, (NT v6.2). For earlier versions we use CURL_FIND_ANY. */
507 if(curlx_verify_windows_version(6, 2, 0, PLATFORM_WINNT,
508 VERSION_GREATER_THAN_EQUAL))
509 cert_find_flags = CERT_FIND_HAS_PRIVATE_KEY;
510 else
511 cert_find_flags = CERT_FIND_ANY;
512
513 client_cert =
514 CertFindCertificateInStore(cert_store,
515 X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 0,
516 cert_find_flags, NULL, NULL);
517
518 if(!client_cert) {
519 failf(data, "schannel: Failed to get certificate from file %s"
520 ", last error is 0x%08lx",
521 cert_showfilename_error, GetLastError());
522 CertCloseStore(cert_store, 0);
523 return CURLE_SSL_CERTPROBLEM;
524 }
525 }
526 else {
527 cert_store =
528 CertOpenStore(
529#ifdef UNICODE
530 CERT_STORE_PROV_SYSTEM_W,
531#else
532 CERT_STORE_PROV_SYSTEM_A,
533#endif
534 0,
535 (HCRYPTPROV)NULL,
536 CERT_STORE_OPEN_EXISTING_FLAG | cert_store_name,
537 cert_store_path);
538 if(!cert_store) {
539 char *path_utf8 =
540 curlx_convert_tchar_to_UTF8(cert_store_path);
541 failf(data, "schannel: Failed to open cert store %lx %s, "
542 "last error is 0x%08lx",
543 cert_store_name, (path_utf8 ? path_utf8 : "(unknown)"),
544 GetLastError());
545 curlx_free(cert_store_path);
546 curlx_free(path_utf8);
547 return CURLE_SSL_CERTPROBLEM;
548 }
549 curlx_free(cert_store_path);
550
551 cert_thumbprint.pbData = cert_thumbprint_data;
552 cert_thumbprint.cbData = CERT_THUMBPRINT_DATA_LEN;
553
554 if(!CryptStringToBinary(cert_thumbprint_str,
555 CERT_THUMBPRINT_STR_LEN,
556 CRYPT_STRING_HEX,
557 cert_thumbprint_data,
558 &cert_thumbprint.cbData,
559 NULL, NULL)) {
560 CertCloseStore(cert_store, 0);
561 return CURLE_SSL_CERTPROBLEM;
562 }
563
564 client_cert =
565 CertFindCertificateInStore(cert_store,
566 X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 0,
567 CERT_FIND_HASH, &cert_thumbprint, NULL);
568 if(!client_cert) {
569 /* CRYPT_E_NOT_FOUND / E_INVALIDARG */
570 CertCloseStore(cert_store, 0);
571 failf(data, "schannel: client cert not found in cert store");
572 return CURLE_SSL_CERTPROBLEM;
573 }
574 }
575 client_cert_store = cert_store;
576 }
577
578 *out_cert_store = client_cert_store;
579 *out_cert_context = client_cert;
580
581 return CURLE_OK;
582}
583
584static CURLcode acquire_sspi_handle(struct Curl_cfilter *cf,
585 struct Curl_easy *data,
586 struct schannel_ssl_backend_data *backend,
587 PCCERT_CONTEXT client_cert,
588 DWORD flags,
589 DWORD enabled_protocols)
590{
591 struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
592 SECURITY_STATUS sspi_status = SEC_E_OK;
593 CURLcode result;
594
595 /* We support TLS 1.3 starting in Windows 10 version 1809 (OS build 17763) as
596 long as the user did not set a legacy algorithm list
597 (CURLOPT_SSL_CIPHER_LIST). */
598 if(!conn_config->cipher_list &&
599 curlx_verify_windows_version(10, 0, 17763, PLATFORM_WINNT,
600 VERSION_GREATER_THAN_EQUAL)) {
601
602 SCH_CREDENTIALS credentials = { 0 };
603 TLS_PARAMETERS tls_parameters = { 0 };
604 CRYPTO_SETTINGS crypto_settings[1];
605 PCCERT_CONTEXT client_certs[1];
606
607 if(client_cert)
608 client_certs[0] = client_cert;
609 else
610 client_certs[0] = NULL;
611
612 memset(crypto_settings, 0, sizeof(crypto_settings));
613
614 tls_parameters.pDisabledCrypto = crypto_settings;
615
616 /* The number of blocked suites */
617 tls_parameters.cDisabledCrypto = (DWORD)0;
618 credentials.pTlsParameters = &tls_parameters;
619 credentials.cTlsParameters = 1;
620
621 credentials.dwVersion = SCH_CREDENTIALS_VERSION;
622 credentials.dwFlags = flags | SCH_USE_STRONG_CRYPTO;
623
624 credentials.pTlsParameters->grbitDisabledProtocols = ~enabled_protocols;
625
626 if(client_certs[0]) {
627 credentials.cCreds = 1;
628 credentials.paCred = client_certs;
629 }
630
631 sspi_status =
632 Curl_pSecFn->AcquireCredentialsHandle(NULL,
633 (TCHAR *)CURL_UNCONST(UNISP_NAME),
634 SECPKG_CRED_OUTBOUND, NULL,
635 &credentials, NULL, NULL,
636 &backend->cred->cred_handle, NULL);
637 }
638 else {
639 /* Pre-Windows 10 1809 or the user set a legacy algorithm list.
640 Schannel does not negotiate TLS 1.3 when SCHANNEL_CRED is used. */
641 ALG_ID algIds[NUM_CIPHERS];
642 char *ciphers = conn_config->cipher_list;
643 SCHANNEL_CRED schannel_cred = { 0 };
644 PCCERT_CONTEXT client_certs[1];
645
646 if(client_cert)
647 client_certs[0] = client_cert;
648 else
649 client_certs[0] = NULL;
650
651 schannel_cred.dwVersion = SCHANNEL_CRED_VERSION;
652 schannel_cred.dwFlags = flags;
653 schannel_cred.grbitEnabledProtocols = enabled_protocols;
654
655 if(ciphers) {
656 if((enabled_protocols & SP_PROT_TLS1_3_CLIENT)) {
657 infof(data, "schannel: WARNING: This version of Schannel "
658 "negotiates a less-secure TLS version than TLS 1.3 because the "
659 "user set an algorithm cipher list.");
660 }
661 result = set_ssl_ciphers(&schannel_cred, ciphers, algIds);
662 if(result) {
663 failf(data, "schannel: Failed setting algorithm cipher list");
664 return result;
665 }
666 }
667 else {
668 schannel_cred.dwFlags = flags | SCH_USE_STRONG_CRYPTO;
669 }
670
671 if(client_certs[0]) {
672 schannel_cred.cCreds = 1;
673 schannel_cred.paCred = client_certs;
674 }
675
676 sspi_status =
677 Curl_pSecFn->AcquireCredentialsHandle(NULL,
678 (TCHAR *)CURL_UNCONST(UNISP_NAME),
679 SECPKG_CRED_OUTBOUND, NULL,
680 &schannel_cred, NULL, NULL,
681 &backend->cred->cred_handle, NULL);
682 }
683
684 if(sspi_status != SEC_E_OK) {
685 char buffer[STRERROR_LEN];
686 failf(data, "schannel: AcquireCredentialsHandle failed: %s",
687 Curl_sspi_strerror(sspi_status, buffer, sizeof(buffer)));
688 switch(sspi_status) {
689 case SEC_E_INSUFFICIENT_MEMORY:
690 return CURLE_OUT_OF_MEMORY;
691 case SEC_E_NO_CREDENTIALS:
692 case SEC_E_SECPKG_NOT_FOUND:
693 case SEC_E_NOT_OWNER:
694 case SEC_E_UNKNOWN_CREDENTIALS:
695 case SEC_E_INTERNAL_ERROR:
696 default:
697 return CURLE_SSL_CONNECT_ERROR;
698 }
699 }
700
701 return CURLE_OK;
702}
703
704static CURLcode schannel_acquire_credential_handle(struct Curl_cfilter *cf,
705 struct Curl_easy *data)
706{
707 struct ssl_connect_data *connssl = cf->ctx;
708 struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
709 struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
710
711 PCCERT_CONTEXT client_cert = NULL;
712 HCERTSTORE client_cert_store = NULL;
713 CURLcode result;
714
715 /* setup Schannel API options */
716 DWORD flags = 0;
717 DWORD enabled_protocols = 0;
718
719 struct schannel_ssl_backend_data *backend =
720 (struct schannel_ssl_backend_data *)(connssl->backend);
721
722 DEBUGASSERT(backend);
723
724 if(conn_config->verifypeer) {
725 if(backend->use_manual_cred_validation)
726 flags = SCH_CRED_MANUAL_CRED_VALIDATION;
727 else
728 flags = SCH_CRED_AUTO_CRED_VALIDATION;
729
730 if(ssl_config->no_revoke) {
731 flags |= SCH_CRED_IGNORE_NO_REVOCATION_CHECK |
732 SCH_CRED_IGNORE_REVOCATION_OFFLINE;
733
734 DEBUGF(infof(data, "schannel: disabled server certificate revocation "
735 "checks"));
736 }
737 else if(ssl_config->revoke_best_effort) {
738 flags |= SCH_CRED_IGNORE_NO_REVOCATION_CHECK |
739 SCH_CRED_IGNORE_REVOCATION_OFFLINE |
740 SCH_CRED_REVOCATION_CHECK_CHAIN;
741
742 DEBUGF(infof(data, "schannel: ignore revocation offline errors"));
743 }
744 else {
745 flags |= SCH_CRED_REVOCATION_CHECK_CHAIN;
746
747 DEBUGF(infof(data, "schannel: checking server certificate revocation"));
748 }
749 }
750 else {
751 flags = SCH_CRED_MANUAL_CRED_VALIDATION |
752 SCH_CRED_IGNORE_NO_REVOCATION_CHECK |
753 SCH_CRED_IGNORE_REVOCATION_OFFLINE;
754 DEBUGF(infof(data, "schannel: disabled server cert revocation checks"));
755 }
756
757 if(!conn_config->verifyhost) {
758 flags |= SCH_CRED_NO_SERVERNAME_CHECK;
759 DEBUGF(infof(data, "schannel: verifyhost setting prevents Schannel from "
760 "comparing the supplied target name with the subject "
761 "names in server certificates."));
762 }
763
764 if(!ssl_config->auto_client_cert) {
765 flags &= ~(DWORD)SCH_CRED_USE_DEFAULT_CREDS;
766 flags |= SCH_CRED_NO_DEFAULT_CREDS;
767 infof(data, "schannel: disabled automatic use of client certificate");
768 }
769 else
770 infof(data, "schannel: enabled automatic use of client certificate");
771
772 DEBUGASSERT(conn_config->version != CURL_SSLVERSION_DEFAULT);
773 switch(conn_config->version) {
774 case CURL_SSLVERSION_TLSv1:
775 case CURL_SSLVERSION_TLSv1_0:
776 case CURL_SSLVERSION_TLSv1_1:
777 case CURL_SSLVERSION_TLSv1_2:
778 case CURL_SSLVERSION_TLSv1_3: {
779 result = schannel_set_ssl_version_min_max(&enabled_protocols, cf, data);
780 if(result)
781 return result;
782 break;
783 }
784 case CURL_SSLVERSION_SSLv3:
785 case CURL_SSLVERSION_SSLv2:
786 failf(data, "SSL versions not supported");
787 return CURLE_NOT_BUILT_IN;
788 default:
789 failf(data, "Unrecognized parameter passed via CURLOPT_SSLVERSION");
790 return CURLE_SSL_CONNECT_ERROR;
791 }
792
793 result = get_client_cert(data, &client_cert_store, &client_cert);
794 if(result)
795 return result;
796
797 /* allocate memory for the reusable credential handle */
798 backend->cred = (struct Curl_schannel_cred *)
799 curlx_calloc(1, sizeof(struct Curl_schannel_cred));
800 if(!backend->cred) {
801 failf(data, "schannel: unable to allocate memory");
802
803 if(client_cert)
804 CertFreeCertificateContext(client_cert);
805 if(client_cert_store)
806 CertCloseStore(client_cert_store, 0);
807
808 return CURLE_OUT_OF_MEMORY;
809 }
810 backend->cred->refcount = 1;
811
812 /* Since we did not persist the key, we need to extend the store's
813 * lifetime until the end of the connection
814 */
815 backend->cred->client_cert_store = client_cert_store;
816
817 result = acquire_sspi_handle(cf, data, backend, client_cert,
818 flags, enabled_protocols);
819
820 if(client_cert)
821 CertFreeCertificateContext(client_cert);
822
823 return result;
824}
825
826static CURLcode schannel_connect_step1(struct Curl_cfilter *cf,
827 struct Curl_easy *data)
828{
829 size_t written = 0;
830 struct ssl_connect_data *connssl = cf->ctx;
831 struct schannel_ssl_backend_data *backend =
832 (struct schannel_ssl_backend_data *)connssl->backend;
833 struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
834 struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
835 SecBuffer outbuf;
836 SecBufferDesc outbuf_desc;
837 SecBuffer inbuf;
838 SecBufferDesc inbuf_desc;
839#ifdef HAS_ALPN_SCHANNEL
840 unsigned char alpn_buffer[128];
841#endif
842 SECURITY_STATUS sspi_status = SEC_E_OK;
843 CURLcode result;
844
845 DEBUGASSERT(backend);
846 DEBUGF(infof(data, "schannel: SSL/TLS connection with %s port %d (step 1/3)",
847 connssl->peer.dest->hostname, connssl->peer.dest->port));
848
849#ifdef HAS_ALPN_SCHANNEL
850 backend->use_alpn = connssl->alpn && s_win_has_alpn;
851#else
852 backend->use_alpn = FALSE;
853#endif
854
855 if(conn_config->CAfile || conn_config->ca_info_blob) {
856 if(curlx_verify_windows_version(6, 1, 0, PLATFORM_WINNT,
857 VERSION_GREATER_THAN_EQUAL)) {
858 backend->use_manual_cred_validation = TRUE;
859 }
860 else {
861 failf(data, "schannel: this version of Windows is too old to support "
862 "certificate verification via CA bundle file.");
863 return CURLE_SSL_CACERT_BADFILE;
864 }
865 }
866 else
867 backend->use_manual_cred_validation = FALSE;
868
869 backend->cred = NULL;
870
871 /* check for an existing reusable credential handle */
872 if(Curl_ssl_scache_use(cf, data)) {
873 struct Curl_schannel_cred *old_cred;
874 Curl_ssl_scache_lock(data);
875 old_cred = Curl_ssl_scache_get_obj(cf, data, connssl->peer.scache_key);
876 if(old_cred) {
877 backend->cred = old_cred;
878 DEBUGF(infof(data, "schannel: reusing existing credential handle"));
879
880 /* increment the reference counter of the credential/session handle */
881 backend->cred->refcount++;
882 DEBUGF(infof(data,
883 "schannel: incremented credential handle refcount = %d",
884 backend->cred->refcount));
885 }
886 Curl_ssl_scache_unlock(data);
887 }
888
889 if(!backend->cred) {
890 char *snihost;
891 result = schannel_acquire_credential_handle(cf, data);
892 if(result || !backend->cred)
893 return result;
894 /* schannel_acquire_credential_handle() sets backend->cred accordingly or
895 it returns error otherwise. */
896
897 /* A hostname associated with the credential is needed by
898 InitializeSecurityContext for SNI and other reasons. */
899 snihost = connssl->peer.sni ?
900 connssl->peer.sni : connssl->peer.dest->hostname;
901 backend->cred->sni_hostname = curlx_convert_UTF8_to_tchar(snihost);
902 if(!backend->cred->sni_hostname)
903 return CURLE_OUT_OF_MEMORY;
904 }
905
906 /* Warn if SNI is disabled due to use of an IP address */
907 if(connssl->peer.type != CURL_SSL_PEER_DNS) {
908 infof(data, "schannel: using IP address, SNI is not supported by OS.");
909 }
910
911#ifdef HAS_ALPN_SCHANNEL
912 if(backend->use_alpn) {
913 int cur = 0;
914 int list_start_index = 0;
915 unsigned int *extension_len = NULL;
916 unsigned short *list_len = NULL;
917 struct alpn_proto_buf proto;
918
919 /* The first four bytes is an unsigned int indicating number
920 of bytes of data in the rest of the buffer. */
921 extension_len = (unsigned int *)(void *)(&alpn_buffer[cur]);
922 cur += (int)sizeof(unsigned int);
923
924 /* The next four bytes are an indicator that this buffer contains
925 ALPN data, as opposed to NPN, for example. */
926 *(unsigned int *)(void *)&alpn_buffer[cur] =
927 SecApplicationProtocolNegotiationExt_ALPN;
928 cur += (int)sizeof(unsigned int);
929
930 /* The next two bytes is an unsigned short indicating the number
931 of bytes used to list the preferred protocols. */
932 list_len = (unsigned short *)(void *)(&alpn_buffer[cur]);
933 cur += (int)sizeof(unsigned short);
934
935 list_start_index = cur;
936
937 result = Curl_alpn_to_proto_buf(&proto, connssl->alpn);
938 if(result) {
939 failf(data, "Error setting ALPN");
940 return CURLE_SSL_CONNECT_ERROR;
941 }
942 memcpy(&alpn_buffer[cur], proto.data, proto.len);
943 cur += proto.len;
944
945 *list_len = curlx_uitous(cur - list_start_index);
946 *extension_len = (unsigned int)(*list_len +
947 sizeof(unsigned int) + sizeof(unsigned short));
948
949 InitSecBuffer(&inbuf, SECBUFFER_APPLICATION_PROTOCOLS, alpn_buffer, cur);
950 InitSecBufferDesc(&inbuf_desc, &inbuf, 1);
951
952 Curl_alpn_to_proto_str(&proto, connssl->alpn);
953 infof(data, VTLS_INFOF_ALPN_OFFER_1STR, proto.data);
954 }
955 else {
956 InitSecBuffer(&inbuf, SECBUFFER_EMPTY, NULL, 0);
957 InitSecBufferDesc(&inbuf_desc, &inbuf, 1);
958 }
959#else /* HAS_ALPN_SCHANNEL */
960 InitSecBuffer(&inbuf, SECBUFFER_EMPTY, NULL, 0);
961 InitSecBufferDesc(&inbuf_desc, &inbuf, 1);
962#endif
963
964 /* setup output buffer */
965 InitSecBuffer(&outbuf, SECBUFFER_EMPTY, NULL, 0);
966 InitSecBufferDesc(&outbuf_desc, &outbuf, 1);
967
968 /* security request flags */
969 backend->req_flags =
970 ISC_REQ_SEQUENCE_DETECT | ISC_REQ_REPLAY_DETECT |
971 ISC_REQ_CONFIDENTIALITY | ISC_REQ_ALLOCATE_MEMORY |
972 ISC_REQ_STREAM |
973 (!ssl_config->auto_client_cert ? ISC_REQ_USE_SUPPLIED_CREDS : 0);
974
975 /* allocate memory for the security context handle */
976 backend->ctxt = (struct Curl_schannel_ctxt *)
977 curlx_calloc(1, sizeof(struct Curl_schannel_ctxt));
978 if(!backend->ctxt) {
979 failf(data, "schannel: unable to allocate memory");
980 return CURLE_OUT_OF_MEMORY;
981 }
982
983 /* Schannel InitializeSecurityContext:
984 https://learn.microsoft.com/windows/win32/api/rrascfg/nn-rrascfg-ieapproviderconfig
985
986 At the moment we do not pass inbuf unless we are using ALPN since we only
987 use it for that, and WINE (for which we currently disable ALPN) is giving
988 us problems with inbuf regardless. https://github.com/curl/curl/issues/983
989 */
990 sspi_status = Curl_pSecFn->InitializeSecurityContext(
991 &backend->cred->cred_handle, NULL, backend->cred->sni_hostname,
992 backend->req_flags, 0, 0,
993 (backend->use_alpn ? &inbuf_desc : NULL),
994 0, &backend->ctxt->ctxt_handle,
995 &outbuf_desc, &backend->ret_flags, NULL);
996
997 if(sspi_status != SEC_I_CONTINUE_NEEDED) {
998 char buffer[STRERROR_LEN];
999 curlx_safefree(backend->ctxt);
1000 switch(sspi_status) {
1001 case SEC_E_INSUFFICIENT_MEMORY:
1002 failf(data, "schannel: initial InitializeSecurityContext failed: %s",
1003 Curl_sspi_strerror(sspi_status, buffer, sizeof(buffer)));
1004 return CURLE_OUT_OF_MEMORY;
1005 case SEC_E_WRONG_PRINCIPAL:
1006 failf(data, "schannel: SNI or certificate check failed: %s",
1007 Curl_sspi_strerror(sspi_status, buffer, sizeof(buffer)));
1008 return CURLE_PEER_FAILED_VERIFICATION;
1009#if 0
1010 case SEC_E_INVALID_HANDLE:
1011 case SEC_E_INVALID_TOKEN:
1012 case SEC_E_LOGON_DENIED:
1013 case SEC_E_TARGET_UNKNOWN:
1014 case SEC_E_NO_AUTHENTICATING_AUTHORITY:
1015 case SEC_E_INTERNAL_ERROR:
1016 case SEC_E_NO_CREDENTIALS:
1017 case SEC_E_UNSUPPORTED_FUNCTION:
1018 case SEC_E_APPLICATION_PROTOCOL_MISMATCH:
1019#endif
1020 default:
1021 failf(data, "schannel: initial InitializeSecurityContext failed: %s",
1022 Curl_sspi_strerror(sspi_status, buffer, sizeof(buffer)));
1023 return CURLE_SSL_CONNECT_ERROR;
1024 }
1025 }
1026
1027 DEBUGF(infof(data, "schannel: sending initial handshake data: "
1028 "sending %lu bytes.", outbuf.cbBuffer));
1029
1030 /* send initial handshake data which is now stored in output buffer */
1031 result = Curl_conn_cf_send(cf->next, data,
1032 (const uint8_t *)outbuf.pvBuffer,
1033 outbuf.cbBuffer, FALSE,
1034 &written);
1035 Curl_pSecFn->FreeContextBuffer(outbuf.pvBuffer);
1036 if(result || (outbuf.cbBuffer != written)) {
1037 failf(data, "schannel: failed to send initial handshake data: "
1038 "sent %zu of %lu bytes", written, outbuf.cbBuffer);
1039 return CURLE_SSL_CONNECT_ERROR;
1040 }
1041
1042 DEBUGF(infof(data, "schannel: sent initial handshake data: "
1043 "sent %zu bytes", written));
1044
1045 backend->recv_unrecoverable_err = CURLE_OK;
1046 backend->recv_sspi_close_notify = FALSE;
1047 backend->recv_connection_closed = FALSE;
1048 backend->recv_renegotiating = FALSE;
1049 backend->renegotiate_state.started = FALSE;
1050 backend->encdata_is_incomplete = FALSE;
1051
1052 /* continue to second handshake step */
1053 connssl->connecting_state = ssl_connect_2;
1054
1055 return CURLE_OK;
1056}
1057
1058static CURLcode schannel_error(struct Curl_easy *data,
1059 SECURITY_STATUS sspi_status)
1060{
1061 char buffer[STRERROR_LEN];
1062 switch(sspi_status) {
1063 case SEC_E_INSUFFICIENT_MEMORY:
1064 failf(data, "schannel: next InitializeSecurityContext failed: %s",
1065 Curl_sspi_strerror(sspi_status, buffer, sizeof(buffer)));
1066 return CURLE_OUT_OF_MEMORY;
1067 case SEC_E_WRONG_PRINCIPAL:
1068 failf(data, "schannel: SNI or certificate check failed: %s",
1069 Curl_sspi_strerror(sspi_status, buffer, sizeof(buffer)));
1070 return CURLE_PEER_FAILED_VERIFICATION;
1071 case SEC_E_UNTRUSTED_ROOT:
1072 failf(data, "schannel: %s",
1073 Curl_sspi_strerror(sspi_status, buffer, sizeof(buffer)));
1074 return CURLE_PEER_FAILED_VERIFICATION;
1075#if 0
1076 case SEC_E_INVALID_HANDLE:
1077 case SEC_E_INVALID_TOKEN:
1078 case SEC_E_LOGON_DENIED:
1079 case SEC_E_TARGET_UNKNOWN:
1080 case SEC_E_NO_AUTHENTICATING_AUTHORITY:
1081 case SEC_E_INTERNAL_ERROR:
1082 case SEC_E_NO_CREDENTIALS:
1083 case SEC_E_UNSUPPORTED_FUNCTION:
1084 case SEC_E_APPLICATION_PROTOCOL_MISMATCH:
1085#endif
1086 default:
1087 failf(data, "schannel: next InitializeSecurityContext failed: %s",
1088 Curl_sspi_strerror(sspi_status, buffer, sizeof(buffer)));
1089 return CURLE_SSL_CONNECT_ERROR;
1090 }
1091}
1092
1093static CURLcode schannel_pkp_pin_peer_pubkey(struct Curl_cfilter *cf,
1094 struct Curl_easy *data,
1095 const char *pinnedpubkey)
1096{
1097 struct ssl_connect_data *connssl = cf->ctx;
1098 struct schannel_ssl_backend_data *backend =
1099 (struct schannel_ssl_backend_data *)connssl->backend;
1100 CERT_CONTEXT *pCertContextServer = NULL;
1101
1102 /* Result is returned to caller */
1103 CURLcode result = CURLE_SSL_PINNEDPUBKEYNOTMATCH;
1104
1105 DEBUGASSERT(backend);
1106
1107 /* if a path was not specified, do not pin */
1108 if(!pinnedpubkey)
1109 return CURLE_OK;
1110
1111 do {
1112 SECURITY_STATUS sspi_status;
1113 const char *x509_der;
1114 DWORD x509_der_len;
1115 struct Curl_X509certificate x509_parsed;
1116 struct Curl_asn1Element *pubkey;
1117
1118 sspi_status =
1119 Curl_pSecFn->QueryContextAttributes(&backend->ctxt->ctxt_handle,
1120 SECPKG_ATTR_REMOTE_CERT_CONTEXT,
1121 &pCertContextServer);
1122
1123 if((sspi_status != SEC_E_OK) || !pCertContextServer) {
1124 char buffer[STRERROR_LEN];
1125 failf(data, "schannel: Failed to read remote certificate context: %s",
1126 Curl_sspi_strerror(sspi_status, buffer, sizeof(buffer)));
1127 break; /* failed */
1128 }
1129
1130 if(!(((pCertContextServer->dwCertEncodingType & X509_ASN_ENCODING) != 0) &&
1131 (pCertContextServer->cbCertEncoded > 0)))
1132 break;
1133
1134 x509_der = (const char *)pCertContextServer->pbCertEncoded;
1135 x509_der_len = pCertContextServer->cbCertEncoded;
1136 memset(&x509_parsed, 0, sizeof(x509_parsed));
1137 if(Curl_parseX509(&x509_parsed, x509_der, x509_der + x509_der_len))
1138 break;
1139
1140 pubkey = &x509_parsed.subjectPublicKeyInfo;
1141 if(!pubkey->header || pubkey->end <= pubkey->header) {
1142 failf(data, "SSL: failed retrieving public key from server certificate");
1143 break;
1144 }
1145
1146 result = Curl_pin_peer_pubkey(data,
1147 pinnedpubkey,
1148 (const unsigned char *)pubkey->header,
1149 (size_t)(pubkey->end - pubkey->header));
1150 if(result) {
1151 failf(data, "SSL: public key does not match pinned public key");
1152 }
1153 } while(0);
1154
1155 if(pCertContextServer)
1156 CertFreeCertificateContext(pCertContextServer);
1157
1158 return result;
1159}
1160
1161static CURLcode ensure_encoding_size(struct Curl_easy *data,
1162 struct sbuffer *encdata,
1163 size_t min_length)
1164{
1165 size_t size;
1166 DEBUGASSERT(encdata->length >= encdata->offset);
1167 if(encdata->length < encdata->offset)
1168 return CURLE_FAILED_INIT;
1169 size = encdata->length - encdata->offset;
1170 if(size < CURL_SCHANNEL_BUFFER_FREE_SIZE || encdata->length < min_length) {
1171 unsigned char *buffer;
1172 size_t length = encdata->offset + CURL_SCHANNEL_BUFFER_FREE_SIZE;
1173 if(length < min_length)
1174 length = min_length;
1175 buffer = curlx_realloc(encdata->buffer, length);
1176 if(!buffer) {
1177 failf(data, "schannel: unable to re-allocate memory");
1178 return CURLE_OUT_OF_MEMORY;
1179 }
1180
1181 encdata->buffer = buffer;
1182 encdata->length = length;
1183 SCH_DEV(infof(data, "schannel: encdata.buffer resized %zu",
1184 encdata->length));
1185 }
1186 return CURLE_OK;
1187}
1188
1189static CURLcode ensure_decoding_size(struct Curl_easy *data,
1190 struct sbuffer *decdata,
1191 size_t nowsize,
1192 size_t len)
1193{
1194 size_t size = nowsize > CURL_SCHANNEL_BUFFER_FREE_SIZE ?
1195 nowsize : CURL_SCHANNEL_BUFFER_FREE_SIZE;
1196 DEBUGASSERT(decdata->length >= decdata->offset);
1197 if(decdata->length < decdata->offset)
1198 return CURLE_FAILED_INIT;
1199 else if(decdata->length - decdata->offset < size ||
1200 decdata->length < len) {
1201 /* increase internal decrypted data buffer */
1202 size_t length = decdata->offset + size;
1203 unsigned char *buffer;
1204 /* make sure that the requested amount of data fits */
1205 if(length < len)
1206 length = len;
1207
1208 buffer = curlx_realloc(decdata->buffer, length);
1209 if(!buffer) {
1210 failf(data, "schannel: unable to re-allocate memory");
1211 return CURLE_OUT_OF_MEMORY;
1212 }
1213 decdata->buffer = buffer;
1214 decdata->length = length;
1215 }
1216 return CURLE_OK;
1217}
1218
1219static CURLcode schannel_connect_step2(struct Curl_cfilter *cf,
1220 struct Curl_easy *data)
1221{
1222 struct ssl_connect_data *connssl = cf->ctx;
1223 struct schannel_ssl_backend_data *backend =
1224 (struct schannel_ssl_backend_data *)connssl->backend;
1225 struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
1226 int i;
1227 size_t nread = 0;
1228 SecBuffer outbuf[3];
1229 SecBufferDesc outbuf_desc;
1230 SecBuffer inbuf[2];
1231 SecBufferDesc inbuf_desc;
1232 SECURITY_STATUS sspi_status = SEC_E_OK;
1233 CURLcode result;
1234 bool doread;
1235 const char *pubkey_ptr;
1236
1237 DEBUGASSERT(backend);
1238
1239 doread = (connssl->io_need & CURL_SSL_IO_NEED_SEND) ? FALSE : TRUE;
1240 connssl->io_need = CURL_SSL_IO_NEED_NONE;
1241
1242 DEBUGF(infof(data, "schannel: SSL/TLS connection with %s port %d (step 2/3)",
1243 connssl->peer.dest->hostname, connssl->peer.dest->port));
1244
1245 if(!backend->cred || !backend->ctxt)
1246 return CURLE_SSL_CONNECT_ERROR;
1247
1248 /* buffer to store previously received and decrypted data */
1249 if(!backend->decdata.buffer) {
1250 backend->decdata.offset = 0;
1251 backend->decdata.length = CURL_SCHANNEL_BUFFER_INIT_SIZE;
1252 backend->decdata.buffer = curlx_malloc(backend->decdata.length);
1253 if(!backend->decdata.buffer) {
1254 failf(data, "schannel: unable to allocate memory");
1255 return CURLE_OUT_OF_MEMORY;
1256 }
1257 }
1258
1259 /* buffer to store previously received and encrypted data */
1260 if(!backend->encdata.buffer) {
1261 backend->encdata_is_incomplete = FALSE;
1262 backend->encdata.offset = 0;
1263 backend->encdata.length = CURL_SCHANNEL_BUFFER_INIT_SIZE;
1264 backend->encdata.buffer = curlx_malloc(backend->encdata.length);
1265 if(!backend->encdata.buffer) {
1266 failf(data, "schannel: unable to allocate memory");
1267 return CURLE_OUT_OF_MEMORY;
1268 }
1269 }
1270
1271 result = ensure_encoding_size(data, &backend->encdata, 0);
1272 if(result)
1273 return result;
1274
1275 for(;;) {
1276 if(doread) {
1277 /* read encrypted handshake data from socket */
1278 result = Curl_conn_cf_recv(cf->next, data,
1279 (char *)(backend->encdata.buffer +
1280 backend->encdata.offset),
1281 backend->encdata.length -
1282 backend->encdata.offset,
1283 &nread);
1284 if(result == CURLE_AGAIN) {
1285 if(!backend->encdata.offset || backend->encdata_is_incomplete) {
1286 connssl->io_need = CURL_SSL_IO_NEED_RECV;
1287 DEBUGF(infof(data, "schannel: failed to receive handshake, "
1288 "need more data"));
1289 return CURLE_OK;
1290 }
1291 else {
1292 DEBUGF(infof(data, "schannel: no new handshake data received, "
1293 "continuing to process existing handshake data"));
1294 }
1295 }
1296 else if(result || (nread == 0)) {
1297 failf(data, "schannel: failed to receive handshake, "
1298 "SSL/TLS connection failed");
1299 return CURLE_SSL_CONNECT_ERROR;
1300 }
1301 else {
1302 /* increase encrypted data buffer offset */
1303 backend->encdata.offset += nread;
1304 backend->encdata_is_incomplete = FALSE;
1305 SCH_DEV(infof(data, "schannel: encrypted data got %zu", nread));
1306 }
1307 }
1308
1309 SCH_DEV(infof(data,
1310 "schannel: encrypted data buffer: offset %zu length %zu",
1311 backend->encdata.offset, backend->encdata.length));
1312
1313 /* setup input buffers */
1314 InitSecBuffer(&inbuf[0], SECBUFFER_TOKEN,
1315 curlx_malloc(backend->encdata.offset),
1316 curlx_uztoul(backend->encdata.offset));
1317 InitSecBuffer(&inbuf[1], SECBUFFER_EMPTY, NULL, 0);
1318 InitSecBufferDesc(&inbuf_desc, inbuf, 2);
1319
1320 /* setup output buffers */
1321 InitSecBuffer(&outbuf[0], SECBUFFER_TOKEN, NULL, 0);
1322 InitSecBuffer(&outbuf[1], SECBUFFER_ALERT, NULL, 0);
1323 InitSecBuffer(&outbuf[2], SECBUFFER_EMPTY, NULL, 0);
1324 InitSecBufferDesc(&outbuf_desc, outbuf, 3);
1325
1326 if(!inbuf[0].pvBuffer) {
1327 failf(data, "schannel: unable to allocate memory");
1328 return CURLE_OUT_OF_MEMORY;
1329 }
1330
1331 /* copy received handshake data into input buffer */
1332 memcpy(inbuf[0].pvBuffer, backend->encdata.buffer,
1333 backend->encdata.offset);
1334
1335 /* The socket must be writable (or a poll error occurred) before we call
1336 InitializeSecurityContext to continue processing the received TLS
1337 records. This is because that function is not idempotent and we do not
1338 support partial save/resume sending replies of handshake tokens. */
1339 if(!SOCKET_WRITABLE(Curl_conn_cf_get_socket(cf, data), 0)) {
1340 SCH_DEV(infof(data, "schannel: handshake waiting for writable socket"));
1341 connssl->io_need = CURL_SSL_IO_NEED_SEND;
1342 curlx_free(inbuf[0].pvBuffer);
1343 return CURLE_OK;
1344 }
1345
1346 sspi_status = Curl_pSecFn->InitializeSecurityContext(
1347 &backend->cred->cred_handle, &backend->ctxt->ctxt_handle,
1348 backend->cred->sni_hostname, backend->req_flags,
1349 0, 0, &inbuf_desc, 0, NULL,
1350 &outbuf_desc, &backend->ret_flags, NULL);
1351
1352 /* free buffer for received handshake data */
1353 curlx_safefree(inbuf[0].pvBuffer);
1354
1355 /* check if the handshake was incomplete */
1356 switch(sspi_status) {
1357 case SEC_E_INCOMPLETE_MESSAGE:
1358 backend->encdata_is_incomplete = TRUE;
1359 connssl->io_need = CURL_SSL_IO_NEED_RECV;
1360 DEBUGF(infof(data,
1361 "schannel: received incomplete message, need more data"));
1362 return CURLE_OK;
1363
1364 case SEC_I_CONTINUE_NEEDED:
1365 case SEC_E_OK:
1366 /* check if the handshake needs to be continued */
1367 result = CURLE_OK;
1368 for(i = 0; i < 3; i++) {
1369 /* search for handshake tokens that need to be send */
1370 if(outbuf[i].BufferType == SECBUFFER_TOKEN && outbuf[i].cbBuffer > 0) {
1371 size_t written = 0;
1372 DEBUGF(infof(data, "schannel: sending next handshake data: "
1373 "sending %lu bytes.", outbuf[i].cbBuffer));
1374
1375 /* send handshake token to server */
1376 result = Curl_conn_cf_send(cf->next, data,
1377 (const uint8_t *)outbuf[i].pvBuffer,
1378 outbuf[i].cbBuffer,
1379 FALSE, &written);
1380 if(result || (outbuf[i].cbBuffer != written)) {
1381 failf(data, "schannel: failed to send next handshake data: "
1382 "sent %zu of %lu bytes", written, outbuf[i].cbBuffer);
1383 result = CURLE_SSL_CONNECT_ERROR;
1384 }
1385 }
1386 }
1387 for(i = 0; i < 3; i++) {
1388 /* free obsolete buffer */
1389 if(outbuf[i].pvBuffer)
1390 Curl_pSecFn->FreeContextBuffer(outbuf[i].pvBuffer);
1391 }
1392 if(result)
1393 return result;
1394 break;
1395
1396 case SEC_I_INCOMPLETE_CREDENTIALS:
1397 if(!(backend->req_flags & ISC_REQ_USE_SUPPLIED_CREDS)) {
1398 /* If the server has requested a client certificate, attempt to
1399 continue the handshake without one. This allows connections to
1400 servers which request a client certificate but do not require
1401 it. */
1402 backend->req_flags |= ISC_REQ_USE_SUPPLIED_CREDS;
1403 connssl->io_need = CURL_SSL_IO_NEED_SEND;
1404 DEBUGF(infof(data,
1405 "schannel: a client certificate has been requested"));
1406 return CURLE_OK;
1407 }
1408 FALLTHROUGH();
1409
1410 default:
1411 return schannel_error(data, sspi_status);
1412 }
1413
1414 /* check if there was additional remaining encrypted data */
1415 if(inbuf[1].BufferType == SECBUFFER_EXTRA && inbuf[1].cbBuffer > 0) {
1416 SCH_DEV(infof(data, "schannel: encrypted data length: %lu",
1417 inbuf[1].cbBuffer));
1418 /*
1419 There are two cases where we could be getting extra data here:
1420 1. If we are renegotiating a connection and the handshake is already
1421 complete (from the server perspective), it can encrypted app data
1422 (not handshake data) in an extra buffer at this point.
1423 2. (sspi_status == SEC_I_CONTINUE_NEEDED) We are negotiating a
1424 connection and this extra data is part of the handshake.
1425 We should process the data immediately; waiting for the socket to
1426 be ready may fail since the server is done sending handshake data.
1427 */
1428 /* check if the remaining data is less than the total amount
1429 and therefore begins after the already processed data */
1430 if(backend->encdata.offset > inbuf[1].cbBuffer) {
1431 memmove(backend->encdata.buffer,
1432 (backend->encdata.buffer + backend->encdata.offset) -
1433 inbuf[1].cbBuffer, inbuf[1].cbBuffer);
1434 backend->encdata.offset = inbuf[1].cbBuffer;
1435 if(sspi_status == SEC_I_CONTINUE_NEEDED) {
1436 doread = FALSE;
1437 continue;
1438 }
1439 }
1440 }
1441 else {
1442 backend->encdata.offset = 0;
1443 }
1444 break;
1445 }
1446
1447 /* check if the handshake needs to be continued */
1448 if(sspi_status == SEC_I_CONTINUE_NEEDED) {
1449 connssl->io_need = CURL_SSL_IO_NEED_RECV;
1450 return CURLE_OK;
1451 }
1452
1453 /* check if the handshake is complete */
1454 if(sspi_status == SEC_E_OK) {
1455 connssl->connecting_state = ssl_connect_3;
1456 DEBUGF(infof(data, "schannel: SSL/TLS handshake complete"));
1457 }
1458
1459#ifndef CURL_DISABLE_PROXY
1460 pubkey_ptr = Curl_ssl_cf_is_proxy(cf) ?
1461 data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] :
1462 data->set.str[STRING_SSL_PINNEDPUBLICKEY];
1463#else
1464 pubkey_ptr = data->set.str[STRING_SSL_PINNEDPUBLICKEY];
1465#endif
1466 if(pubkey_ptr) {
1467 result = schannel_pkp_pin_peer_pubkey(cf, data, pubkey_ptr);
1468 if(result) {
1469 failf(data, "SSL: public key does not match pinned public key");
1470 return result;
1471 }
1472 }
1473
1474 if(conn_config->verifypeer && backend->use_manual_cred_validation) {
1475 /* Certificate verification also verifies the hostname if verifyhost */
1476 return Curl_verify_certificate(cf, data);
1477 }
1478
1479 /* Verify the hostname manually when certificate verification is disabled,
1480 because in that case Schannel does not verify it. */
1481 if(!conn_config->verifypeer && conn_config->verifyhost)
1482 return Curl_verify_host(cf, data);
1483
1484 return CURLE_OK;
1485}
1486
1487static bool valid_cert_encoding(const CERT_CONTEXT *cert_context)
1488{
1489 return (cert_context != NULL) &&
1490 ((cert_context->dwCertEncodingType & X509_ASN_ENCODING) != 0) &&
1491 (cert_context->pbCertEncoded != NULL) &&
1492 (cert_context->cbCertEncoded > 0);
1493}
1494
1495typedef bool (*Read_crt_func)(const CERT_CONTEXT *ccert_context,
1496 bool reverse_order, void *arg);
1497
1498static void traverse_cert_store(const CERT_CONTEXT *context,
1499 Read_crt_func func, void *arg)
1500{
1501 const CERT_CONTEXT *current_context = NULL;
1502 bool should_continue = TRUE;
1503 bool first = TRUE;
1504 bool reverse_order = FALSE;
1505 while(should_continue &&
1506 (current_context = CertEnumCertificatesInStore(
1507 context->hCertStore,
1508 current_context)) != NULL) {
1509 /* Windows 11 22H2 OS Build 22621.674 or higher enumerates certificates in
1510 leaf-to-root order while all previous versions of Windows enumerate
1511 certificates in root-to-leaf order. Determine the order of enumeration
1512 by comparing SECPKG_ATTR_REMOTE_CERT_CONTEXT's pbCertContext with the
1513 first certificate's pbCertContext. */
1514 if(first && context->pbCertEncoded != current_context->pbCertEncoded)
1515 reverse_order = TRUE;
1516 should_continue = func(current_context, reverse_order, arg);
1517 first = FALSE;
1518 }
1519
1520 if(current_context)
1521 CertFreeCertificateContext(current_context);
1522}
1523
1524static bool cert_counter_callback(const CERT_CONTEXT *ccert_context,
1525 bool reverse_order, void *certs_count)
1526{
1527 (void)reverse_order;
1528 if(valid_cert_encoding(ccert_context))
1529 (*(int *)certs_count)++;
1530 if(*(int *)certs_count > MAX_ALLOWED_CERT_AMOUNT)
1531 return FALSE;
1532 return TRUE;
1533}
1534
1535struct Adder_args {
1536 struct Curl_easy *data;
1537 CURLcode result;
1538 int idx;
1539 int certs_count;
1540};
1541
1542static bool add_cert_to_certinfo(const CERT_CONTEXT *ccert_context,
1543 bool reverse_order, void *raw_arg)
1544{
1545 struct Adder_args *args = (struct Adder_args *)raw_arg;
1546 args->result = CURLE_OK;
1547 if(valid_cert_encoding(ccert_context)) {
1548 const char *beg = (const char *)ccert_context->pbCertEncoded;
1549 const char *end = beg + ccert_context->cbCertEncoded;
1550 int insert_index = reverse_order ? (args->certs_count - 1) - args->idx :
1551 args->idx;
1552 args->result = Curl_extract_certinfo(args->data, insert_index,
1553 beg, end);
1554 args->idx++;
1555 }
1556 return args->result == CURLE_OK;
1557}
1558
1559static void schannel_session_free(void *sessionid)
1560{
1561 /* this is expected to be called under sessionid lock */
1562 struct Curl_schannel_cred *cred = sessionid;
1563
1564 if(cred) {
1565 cred->refcount--;
1566 if(cred->refcount == 0) {
1567 Curl_pSecFn->FreeCredentialsHandle(&cred->cred_handle);
1568 curlx_free(cred->sni_hostname);
1569 if(cred->client_cert_store) {
1570 CertCloseStore(cred->client_cert_store, 0);
1571 cred->client_cert_store = NULL;
1572 }
1573 curlx_safefree(cred);
1574 }
1575 }
1576}
1577
1578static CURLcode schannel_connect_step3(struct Curl_cfilter *cf,
1579 struct Curl_easy *data)
1580{
1581 struct ssl_connect_data *connssl = cf->ctx;
1582 struct schannel_ssl_backend_data *backend =
1583 (struct schannel_ssl_backend_data *)connssl->backend;
1584 CURLcode result = CURLE_OK;
1585 SECURITY_STATUS sspi_status = SEC_E_OK;
1586 CERT_CONTEXT *ccert_context = NULL;
1587#ifdef HAS_ALPN_SCHANNEL
1588 SecPkgContext_ApplicationProtocol alpn_result;
1589#endif
1590
1591 DEBUGASSERT(ssl_connect_3 == connssl->connecting_state);
1592 DEBUGASSERT(backend);
1593
1594 DEBUGF(infof(data, "schannel: SSL/TLS connection with %s port %d (step 3/3)",
1595 connssl->peer.dest->hostname, connssl->peer.dest->port));
1596
1597 if(!backend->cred)
1598 return CURLE_SSL_CONNECT_ERROR;
1599
1600 /* check if the required context attributes are met */
1601 if(backend->ret_flags != backend->req_flags) {
1602 if(!(backend->ret_flags & ISC_RET_SEQUENCE_DETECT))
1603 failf(data, "schannel: failed to setup sequence detection");
1604 if(!(backend->ret_flags & ISC_RET_REPLAY_DETECT))
1605 failf(data, "schannel: failed to setup replay detection");
1606 if(!(backend->ret_flags & ISC_RET_CONFIDENTIALITY))
1607 failf(data, "schannel: failed to setup confidentiality");
1608 if(!(backend->ret_flags & ISC_RET_ALLOCATED_MEMORY))
1609 failf(data, "schannel: failed to setup memory allocation");
1610 if(!(backend->ret_flags & ISC_RET_STREAM))
1611 failf(data, "schannel: failed to setup stream orientation");
1612 return CURLE_SSL_CONNECT_ERROR;
1613 }
1614
1615#ifdef HAS_ALPN_SCHANNEL
1616 if(backend->use_alpn) {
1617 sspi_status =
1618 Curl_pSecFn->QueryContextAttributes(&backend->ctxt->ctxt_handle,
1619 SECPKG_ATTR_APPLICATION_PROTOCOL,
1620 &alpn_result);
1621
1622 if(sspi_status != SEC_E_OK) {
1623 failf(data, "schannel: failed to retrieve ALPN result");
1624 return CURLE_SSL_CONNECT_ERROR;
1625 }
1626
1627 if(alpn_result.ProtoNegoStatus ==
1628 SecApplicationProtocolNegotiationStatus_Success) {
1629 if(backend->recv_renegotiating &&
1630 connssl->negotiated.alpn &&
1631 strncmp(connssl->negotiated.alpn,
1632 (const char *)alpn_result.ProtocolId,
1633 alpn_result.ProtocolIdSize)) {
1634 /* Renegotiation selected a different protocol now, we cannot
1635 * deal with this */
1636 failf(data, "schannel: server selected an ALPN protocol too late");
1637 return CURLE_SSL_CONNECT_ERROR;
1638 }
1639 Curl_alpn_set_negotiated(cf, data, connssl, alpn_result.ProtocolId,
1640 alpn_result.ProtocolIdSize);
1641 }
1642 else {
1643 if(!backend->recv_renegotiating)
1644 Curl_alpn_set_negotiated(cf, data, connssl, NULL, 0);
1645 }
1646 }
1647#endif
1648
1649 /* save the current session data for possible reuse */
1650 if(Curl_ssl_scache_use(cf, data)) {
1651 Curl_ssl_scache_lock(data);
1652 /* Up ref count since call takes ownership */
1653 backend->cred->refcount++;
1654 result = Curl_ssl_scache_add_obj(cf, data, connssl->peer.scache_key,
1655 backend->cred, schannel_session_free);
1656 Curl_ssl_scache_unlock(data);
1657 if(result)
1658 return result;
1659 }
1660
1661 if(data->set.ssl.certinfo) {
1662 int certs_count = 0;
1663 sspi_status =
1664 Curl_pSecFn->QueryContextAttributes(&backend->ctxt->ctxt_handle,
1665 SECPKG_ATTR_REMOTE_CERT_CONTEXT,
1666 &ccert_context);
1667
1668 if((sspi_status != SEC_E_OK) || !ccert_context) {
1669 failf(data, "schannel: failed to retrieve remote cert context");
1670 return CURLE_PEER_FAILED_VERIFICATION;
1671 }
1672
1673 traverse_cert_store(ccert_context, cert_counter_callback, &certs_count);
1674 if(certs_count > MAX_ALLOWED_CERT_AMOUNT) {
1675 failf(data, "%d certificates is more than allowed (%d)",
1676 certs_count, MAX_ALLOWED_CERT_AMOUNT);
1677 CertFreeCertificateContext(ccert_context);
1678 return CURLE_SSL_CONNECT_ERROR;
1679 }
1680
1681 result = Curl_ssl_init_certinfo(data, certs_count);
1682 if(!result) {
1683 struct Adder_args args;
1684 args.data = data;
1685 args.idx = 0;
1686 args.certs_count = certs_count;
1687 args.result = CURLE_OK;
1688 traverse_cert_store(ccert_context, add_cert_to_certinfo, &args);
1689 result = args.result;
1690 }
1691 CertFreeCertificateContext(ccert_context);
1692 if(result)
1693 return result;
1694 }
1695
1696 connssl->connecting_state = ssl_connect_done;
1697
1698 return CURLE_OK;
1699}
1700
1701static CURLcode schannel_connect(struct Curl_cfilter *cf,
1702 struct Curl_easy *data,
1703 bool *done)
1704{
1705 struct ssl_connect_data *connssl = cf->ctx;
1706 CURLcode result;
1707
1708 /* check if the connection has already been established */
1709 if(ssl_connection_complete == connssl->state) {
1710 *done = TRUE;
1711 return CURLE_OK;
1712 }
1713
1714 *done = FALSE;
1715
1716 if(ssl_connect_1 == connssl->connecting_state) {
1717 result = schannel_connect_step1(cf, data);
1718 if(result)
1719 return result;
1720 }
1721
1722 if(ssl_connect_2 == connssl->connecting_state) {
1723 result = schannel_connect_step2(cf, data);
1724 if(result)
1725 return result;
1726 }
1727
1728 if(ssl_connect_3 == connssl->connecting_state) {
1729 result = schannel_connect_step3(cf, data);
1730 if(result)
1731 return result;
1732 }
1733
1734 if(ssl_connect_done == connssl->connecting_state) {
1735 connssl->state = ssl_connection_complete;
1736
1737#ifdef SECPKG_ATTR_ENDPOINT_BINDINGS /* mingw-w64 v9+, MS SDK 7.0A/VS2010+ */
1738 /* When SSPI is used in combination with Schannel
1739 * we need the Schannel context to create the Schannel
1740 * binding to pass the IIS extended protection checks.
1741 * Available on Windows 7 or later.
1742 */
1743 {
1744 struct schannel_ssl_backend_data *backend =
1745 (struct schannel_ssl_backend_data *)connssl->backend;
1746 DEBUGASSERT(backend);
1747 cf->conn->sslContext = &backend->ctxt->ctxt_handle;
1748 }
1749#endif
1750
1751 *done = TRUE;
1752 }
1753
1754 return CURLE_OK;
1755}
1756
1757enum schannel_renegotiate_caller_t {
1758 SCH_RENEG_CALLER_IS_RECV,
1759 SCH_RENEG_CALLER_IS_SEND
1760};
1761
1762/* The maximum time we allow for Schannel renegotiation which may in some
1763 rare cases block either due to libcurl (waiting on the socket) or Windows
1764 (waiting on an interactive security prompt). Note Schannel "renegotiation"
1765 is not necessarily literal TLS renegotiation, but means DecryptMessage
1766 returned SEC_I_RENEGOTIATE which means at least the security context needs
1767 to be re-established. */
1768#define MAX_RENEG_BLOCK_TIME (60 * 1000) /* 60 seconds in milliseconds */
1769
1770/* This function renegotiates the connection due to a server request received
1771 by schannel_recv. This function returns CURLE_AGAIN if the renegotiation is
1772 incomplete. In that case, we remain in the renegotiation (connecting) stage
1773 and future calls to schannel_recv and schannel_send must call this function
1774 first to complete the renegotiation. */
1775static CURLcode schannel_recv_renegotiate(
1776 struct Curl_cfilter *cf, struct Curl_easy *data,
1777 enum schannel_renegotiate_caller_t caller)
1778{
1779 CURLcode result;
1780 curl_socket_t sockfd;
1781 struct ssl_connect_data *connssl = cf->ctx;
1782 struct schannel_ssl_backend_data *backend =
1783 (struct schannel_ssl_backend_data *)connssl->backend;
1784 struct schannel_renegotiate_state *rs = &backend->renegotiate_state;
1785
1786 if(!backend || !backend->recv_renegotiating) {
1787 failf(data, "schannel: unexpected call to schannel_recv_renegotiate");
1788 return CURLE_SSL_CONNECT_ERROR;
1789 }
1790 DEBUGASSERT(caller <= SCH_RENEG_CALLER_IS_SEND);
1791 if(caller == SCH_RENEG_CALLER_IS_RECV)
1792 SCH_DEV(infof(data, "schannel: renegotiation caller is schannel_recv"));
1793 else
1794 SCH_DEV(infof(data, "schannel: renegotiation caller is schannel_send"));
1795
1796 sockfd = Curl_conn_cf_get_socket(cf, data);
1797
1798 if(sockfd == CURL_SOCKET_BAD) {
1799 failf(data, "schannel: renegotiation missing socket");
1800 return CURLE_SSL_CONNECT_ERROR;
1801 }
1802
1803 if(!rs->started) { /* new renegotiation */
1804 infof(data, "schannel: renegotiating SSL/TLS connection");
1805 DEBUGASSERT(connssl->state == ssl_connection_complete);
1806 DEBUGASSERT(connssl->connecting_state == ssl_connect_done);
1807 connssl->state = ssl_connection_negotiating;
1808 connssl->connecting_state = ssl_connect_2;
1809 memset(rs, 0, sizeof(*rs));
1810 rs->io_need = CURL_SSL_IO_NEED_SEND;
1811 rs->start_time = *Curl_pgrs_now(data);
1812 rs->started = TRUE;
1813 }
1814
1815 for(;;) {
1816 bool block_read, block_write, blocking, done;
1817 curl_socket_t readfd, writefd;
1818 timediff_t elapsed;
1819
1820 elapsed = curlx_ptimediff_ms(Curl_pgrs_now(data), &rs->start_time);
1821 if(elapsed >= MAX_RENEG_BLOCK_TIME) {
1822 failf(data, "schannel: renegotiation timeout");
1823 result = CURLE_SSL_CONNECT_ERROR;
1824 break;
1825 }
1826
1827 /* the current io_need state may have been overwritten since the last time
1828 this function was called. restore the io_need state needed to continue
1829 the renegotiation. */
1830
1831 connssl->io_need = rs->io_need;
1832
1833 result = schannel_connect(cf, data, &done);
1834
1835 rs->io_need = connssl->io_need;
1836
1837 if(!result && !done)
1838 result = CURLE_AGAIN;
1839
1840 if(result != CURLE_AGAIN)
1841 break;
1842
1843 readfd = (rs->io_need & CURL_SSL_IO_NEED_RECV) ? sockfd : CURL_SOCKET_BAD;
1844 writefd = (rs->io_need & CURL_SSL_IO_NEED_SEND) ? sockfd : CURL_SOCKET_BAD;
1845
1846 if(readfd == CURL_SOCKET_BAD && writefd == CURL_SOCKET_BAD)
1847 continue;
1848
1849 /* connect should not have requested io read and write together */
1850 DEBUGASSERT(readfd == CURL_SOCKET_BAD || writefd == CURL_SOCKET_BAD);
1851
1852 /* This function is partially blocking to avoid a stoppage that would
1853 * occur if the user is waiting on the socket only in one direction.
1854 *
1855 * For example, if the user has called recv then they may not be waiting
1856 * for a writable socket and vice versa, so we block to avoid that.
1857 *
1858 * In practice a wait is unlikely to occur. For caller recv if handshake
1859 * data needs to be sent then we block for a writable socket that should
1860 * be writable immediately except for OS resource constraints. For caller
1861 * send if handshake data needs to be received then we block for a readable
1862 * socket, which could take some time, but it is more likely the user has
1863 * called recv since they had called it prior (only recv can start
1864 * renegotiation and probably the user is going to call it again to get
1865 * more of their data before calling send).
1866 */
1867
1868 block_read = (caller == SCH_RENEG_CALLER_IS_SEND) ? TRUE : FALSE;
1869 block_write = (caller == SCH_RENEG_CALLER_IS_RECV) ? TRUE : FALSE;
1870
1871 blocking = (block_read && (readfd != CURL_SOCKET_BAD)) ||
1872 (block_write && (writefd != CURL_SOCKET_BAD));
1873
1874 SCH_DEV_SHOWBOOL(block_read);
1875 SCH_DEV_SHOWBOOL(block_write);
1876 SCH_DEV_SHOWBOOL(blocking);
1877
1878 for(;;) {
1879 int what;
1880 timediff_t timeout_ms, remaining;
1881
1882 result = Curl_pgrsUpdate(data);
1883 if(result)
1884 break;
1885
1886 elapsed = curlx_ptimediff_ms(Curl_pgrs_now(data), &rs->start_time);
1887 if(elapsed >= MAX_RENEG_BLOCK_TIME) {
1888 failf(data, "schannel: renegotiation timeout");
1889 result = CURLE_SSL_CONNECT_ERROR;
1890 break;
1891 }
1892 remaining = MAX_RENEG_BLOCK_TIME - elapsed;
1893
1894 if(blocking) {
1895 timeout_ms = Curl_timeleft_ms(data);
1896
1897 if(timeout_ms < 0) {
1898 result = CURLE_OPERATION_TIMEDOUT;
1899 break;
1900 }
1901
1902 /* the blocking is in intervals so that the progress function can be
1903 called every second */
1904 if(!timeout_ms || timeout_ms > 1000)
1905 timeout_ms = 1000;
1906
1907 if(timeout_ms > remaining)
1908 timeout_ms = remaining;
1909 }
1910 else
1911 timeout_ms = 0;
1912
1913 SCH_DEV(infof(data, "schannel: renegotiation wait until socket is"
1914 "%s%s for up to %" FMT_TIMEDIFF_T " ms",
1915 ((readfd != CURL_SOCKET_BAD) ? " readable" : ""),
1916 ((writefd != CURL_SOCKET_BAD) ? " writable" : ""),
1917 timeout_ms));
1918
1919 what = Curl_socket_check(readfd, CURL_SOCKET_BAD, writefd, timeout_ms);
1920
1921 if(what > 0 && (what & (CURL_CSELECT_IN | CURL_CSELECT_OUT))) {
1922 SCH_DEV(infof(data, "schannel: renegotiation socket %s%s",
1923 ((what & CURL_CSELECT_IN) ? "CURL_CSELECT_IN " : ""),
1924 ((what & CURL_CSELECT_OUT) ? "CURL_CSELECT_OUT " : "")));
1925 result = CURLE_AGAIN;
1926 break;
1927 }
1928 else if(!what) {
1929 SCH_DEV(infof(data, "schannel: renegotiation socket timeout"));
1930 if(blocking)
1931 continue;
1932 else
1933 return CURLE_AGAIN;
1934 }
1935
1936 failf(data, "schannel: socket error during renegotiation");
1937 result = CURLE_SSL_CONNECT_ERROR;
1938 break;
1939 }
1940 if(result != CURLE_AGAIN)
1941 break;
1942 }
1943
1944 DEBUGASSERT(result != CURLE_AGAIN);
1945
1946 rs->started = FALSE;
1947 backend->recv_renegotiating = FALSE;
1948 connssl->io_need = CURL_SSL_IO_NEED_NONE;
1949
1950 if(result)
1951 failf(data, "schannel: renegotiation failed");
1952 else
1953 infof(data, "schannel: SSL/TLS connection renegotiated");
1954
1955 return result;
1956}
1957
1958static CURLcode schannel_send(struct Curl_cfilter *cf, struct Curl_easy *data,
1959 const void *buf, size_t len, size_t *pnwritten)
1960{
1961 size_t data_len = 0;
1962 unsigned char *ptr = NULL;
1963 struct ssl_connect_data *connssl = cf->ctx;
1964 SecBuffer outbuf[4];
1965 SecBufferDesc outbuf_desc;
1966 SECURITY_STATUS sspi_status = SEC_E_OK;
1967 CURLcode result = CURLE_OK;
1968 struct schannel_ssl_backend_data *backend =
1969 (struct schannel_ssl_backend_data *)connssl->backend;
1970
1971 DEBUGASSERT(backend);
1972 *pnwritten = 0;
1973
1974 if(backend->recv_renegotiating) {
1975 result = schannel_recv_renegotiate(cf, data, SCH_RENEG_CALLER_IS_SEND);
1976 if(result)
1977 return result;
1978 }
1979
1980 /* check if the maximum stream sizes were queried */
1981 if(backend->stream_sizes.cbMaximumMessage == 0) {
1982 sspi_status = Curl_pSecFn->QueryContextAttributes(
1983 &backend->ctxt->ctxt_handle,
1984 SECPKG_ATTR_STREAM_SIZES,
1985 &backend->stream_sizes);
1986 if(sspi_status != SEC_E_OK) {
1987 return CURLE_SEND_ERROR;
1988 }
1989 }
1990
1991 /* check if the buffer is longer than the maximum message length */
1992 if(len > backend->stream_sizes.cbMaximumMessage) {
1993 len = backend->stream_sizes.cbMaximumMessage;
1994 }
1995
1996 /* calculate the complete message length and allocate a buffer for it */
1997 data_len = backend->stream_sizes.cbHeader + len +
1998 backend->stream_sizes.cbTrailer;
1999 ptr = (unsigned char *)curlx_malloc(data_len);
2000 if(!ptr) {
2001 return CURLE_OUT_OF_MEMORY;
2002 }
2003
2004 /* setup output buffers (header, data, trailer, empty) */
2005 InitSecBuffer(&outbuf[0], SECBUFFER_STREAM_HEADER,
2006 ptr, backend->stream_sizes.cbHeader);
2007 InitSecBuffer(&outbuf[1], SECBUFFER_DATA,
2008 ptr + backend->stream_sizes.cbHeader, curlx_uztoul(len));
2009 InitSecBuffer(&outbuf[2], SECBUFFER_STREAM_TRAILER,
2010 ptr + backend->stream_sizes.cbHeader + len,
2011 backend->stream_sizes.cbTrailer);
2012 InitSecBuffer(&outbuf[3], SECBUFFER_EMPTY, NULL, 0);
2013 InitSecBufferDesc(&outbuf_desc, outbuf, 4);
2014
2015 /* copy data into output buffer */
2016 memcpy(outbuf[1].pvBuffer, buf, len);
2017
2018 /* https://learn.microsoft.com/windows/win32/api/sspi/nf-sspi-encryptmessage */
2019 sspi_status = Curl_pSecFn->EncryptMessage(&backend->ctxt->ctxt_handle, 0,
2020 &outbuf_desc, 0);
2021
2022 /* check if the message was encrypted */
2023 if(sspi_status == SEC_E_OK) {
2024
2025 /* send the encrypted message including header, data and trailer */
2026 len = outbuf[0].cbBuffer + outbuf[1].cbBuffer + outbuf[2].cbBuffer;
2027
2028 /*
2029 it is important to send the full message which includes the header,
2030 encrypted payload, and trailer. Until the client receives all the
2031 data a coherent message has not been delivered and the client
2032 cannot read any of it.
2033
2034 If we wanted to buffer the unwritten encrypted bytes, we would
2035 tell the client that all data it has requested to be sent has been
2036 sent. The unwritten encrypted bytes would be the first bytes to
2037 send on the next invocation.
2038 Here's the catch with this - if we tell the client that all the
2039 bytes have been sent, does the client call this method again to
2040 send the buffered data? Looking at who calls this function, it
2041 seems the answer is NO.
2042 */
2043
2044 /* send entire message or fail */
2045 while(len > *pnwritten) {
2046 size_t this_write = 0;
2047 int what;
2048 timediff_t timeout_ms = Curl_timeleft_ms(data);
2049 if(timeout_ms < 0) {
2050 /* we already got the timeout */
2051 failf(data, "schannel: timed out sending data (bytes sent: %zu)",
2052 *pnwritten);
2053 result = CURLE_OPERATION_TIMEDOUT;
2054 break;
2055 }
2056 else if(!timeout_ms)
2057 timeout_ms = TIMEDIFF_T_MAX;
2058 what = SOCKET_WRITABLE(Curl_conn_cf_get_socket(cf, data), timeout_ms);
2059 if(what < 0) {
2060 /* fatal error */
2061 failf(data, "select/poll on SSL socket, errno: %d", SOCKERRNO);
2062 result = CURLE_SEND_ERROR;
2063 break;
2064 }
2065 else if(what == 0) {
2066 failf(data, "schannel: timed out sending data (bytes sent: %zu)",
2067 *pnwritten);
2068 result = CURLE_OPERATION_TIMEDOUT;
2069 break;
2070 }
2071 /* socket is writable */
2072
2073 result = Curl_conn_cf_send(cf->next, data,
2074 (const uint8_t *)ptr + *pnwritten,
2075 len - *pnwritten,
2076 FALSE, &this_write);
2077 if(result == CURLE_AGAIN)
2078 continue;
2079 else if(result) {
2080 break;
2081 }
2082
2083 *pnwritten += this_write;
2084 }
2085 }
2086 else if(sspi_status == SEC_E_INSUFFICIENT_MEMORY) {
2087 result = CURLE_OUT_OF_MEMORY;
2088 }
2089 else {
2090 result = CURLE_SEND_ERROR;
2091 }
2092
2093 curlx_safefree(ptr);
2094
2095 if(len == *pnwritten)
2096 /* Encrypted message including header, data and trailer entirely sent.
2097 The return value is the number of unencrypted bytes that were sent. */
2098 *pnwritten = outbuf[1].cbBuffer;
2099
2100 return result;
2101}
2102
2103static CURLcode schannel_recv(struct Curl_cfilter *cf, struct Curl_easy *data,
2104 char *buf, size_t len, size_t *pnread)
2105{
2106 size_t size = 0;
2107 size_t nread = 0;
2108 struct ssl_connect_data *connssl = cf->ctx;
2109 SecBuffer inbuf[4];
2110 SecBufferDesc inbuf_desc;
2111 SECURITY_STATUS sspi_status = SEC_E_OK;
2112 struct schannel_ssl_backend_data *backend =
2113 (struct schannel_ssl_backend_data *)connssl->backend;
2114 CURLcode result = CURLE_OK;
2115
2116 DEBUGASSERT(backend);
2117 *pnread = 0;
2118
2119 if(backend->recv_renegotiating) {
2120 result = schannel_recv_renegotiate(cf, data, SCH_RENEG_CALLER_IS_RECV);
2121 if(result)
2122 return result;
2123 }
2124
2125 /****************************************************************************
2126 * Do not return or set backend->recv_unrecoverable_err unless in the
2127 * cleanup. The pattern for return error is set *err, optional infof, goto
2128 * cleanup.
2129 *
2130 * Some verbose debug messages are wrapped by SCH_DEV() instead of DEBUGF()
2131 * and only shown if CURL_SCHANNEL_DEV_DEBUG was defined at build time. These
2132 * messages are extra verbose and intended for curl developers debugging
2133 * Schannel recv decryption.
2134 *
2135 * Our priority is to always return as much decrypted data to the caller as
2136 * possible, even if an error occurs. The state of the decrypted buffer must
2137 * always be valid. Transfer of decrypted data to the caller's buffer is
2138 * handled in the cleanup.
2139 */
2140
2141 SCH_DEV(infof(data, "schannel: client wants to read %zu bytes", len));
2142
2143 if(len && len <= backend->decdata.offset) {
2144 SCH_DEV(infof(data,
2145 "schannel: enough decrypted data is already available"));
2146 goto cleanup;
2147 }
2148 else if(backend->recv_unrecoverable_err) {
2149 result = backend->recv_unrecoverable_err;
2150 infof(data, "schannel: an unrecoverable error occurred in a prior call");
2151 goto cleanup;
2152 }
2153 else if(backend->recv_sspi_close_notify) {
2154 /* once a server has indicated shutdown there is no more encrypted data */
2155 infof(data, "schannel: server indicated shutdown in a prior call");
2156 goto cleanup;
2157 }
2158 /* it is debatable what to return when !len. Regardless we cannot return
2159 immediately because there may be data to decrypt (in the case we want to
2160 decrypt all encrypted cached data) so handle !len later in cleanup.
2161 */
2162 else if(len && !backend->recv_connection_closed) {
2163 /* the encrypted buffer must be large enough to hold all the bytes
2164 requested and some TLS record overhead. 'len' is a buffer size, so this
2165 integer math cannot overflow. */
2166 const size_t min_encdata_length = len + CURL_SCHANNEL_BUFFER_FREE_SIZE;
2167
2168 /* make sure encrypt buffer fits the requested amount of data */
2169 result = ensure_encoding_size(data, &backend->encdata, min_encdata_length);
2170 if(result)
2171 goto cleanup;
2172
2173 SCH_DEV(infof(data,
2174 "schannel: encrypted data buffer: offset %zu length %zu",
2175 backend->encdata.offset, backend->encdata.length));
2176
2177 /* read encrypted data from socket */
2178 result = Curl_conn_cf_recv(cf->next, data,
2179 (char *)(backend->encdata.buffer +
2180 backend->encdata.offset),
2181 backend->encdata.length -
2182 backend->encdata.offset,
2183 &nread);
2184 if(result) {
2185 if(result == CURLE_AGAIN)
2186 SCH_DEV(infof(data, "schannel: recv returned CURLE_AGAIN"));
2187 else {
2188 infof(data, "schannel: recv returned error %d", result);
2189 backend->recv_unrecoverable_err = result;
2190 }
2191 }
2192 else if(nread == 0) {
2193 backend->recv_connection_closed = TRUE;
2194 DEBUGF(infof(data, "schannel: server closed the connection"));
2195 }
2196 else {
2197 backend->encdata.offset += nread;
2198 backend->encdata_is_incomplete = FALSE;
2199 SCH_DEV(infof(data, "schannel: encrypted data got %zu", nread));
2200 }
2201 }
2202
2203 SCH_DEV(infof(data, "schannel: encrypted data buffer: offset %zu length %zu",
2204 backend->encdata.offset, backend->encdata.length));
2205
2206 /* decrypt loop */
2207 while(backend->encdata.offset > 0 && sspi_status == SEC_E_OK &&
2208 (!len || backend->decdata.offset < len ||
2209 backend->recv_connection_closed)) {
2210 /* prepare data buffer for DecryptMessage call */
2211 InitSecBuffer(&inbuf[0], SECBUFFER_DATA, backend->encdata.buffer,
2212 curlx_uztoul(backend->encdata.offset));
2213
2214 /* we need 3 more empty input buffers for possible output */
2215 InitSecBuffer(&inbuf[1], SECBUFFER_EMPTY, NULL, 0);
2216 InitSecBuffer(&inbuf[2], SECBUFFER_EMPTY, NULL, 0);
2217 InitSecBuffer(&inbuf[3], SECBUFFER_EMPTY, NULL, 0);
2218 InitSecBufferDesc(&inbuf_desc, inbuf, 4);
2219
2220 /* https://learn.microsoft.com/windows/win32/api/sspi/nf-sspi-decryptmessage
2221 */
2222 sspi_status = Curl_pSecFn->DecryptMessage(&backend->ctxt->ctxt_handle,
2223 &inbuf_desc, 0, NULL);
2224
2225 /* check if everything went fine (server may want to renegotiate
2226 or shutdown the connection context) */
2227 if(sspi_status == SEC_E_OK || sspi_status == SEC_I_RENEGOTIATE ||
2228 sspi_status == SEC_I_CONTEXT_EXPIRED) {
2229 /* check for successfully decrypted data, even before actual
2230 renegotiation or shutdown of the connection context */
2231 if(inbuf[1].BufferType == SECBUFFER_DATA) {
2232 SCH_DEV(infof(data, "schannel: decrypted data length: %lu",
2233 inbuf[1].cbBuffer));
2234
2235 /* ensure the decode buffer fits the received amount of data */
2236 result = ensure_decoding_size(data, &backend->decdata,
2237 inbuf[1].cbBuffer, len);
2238 if(result)
2239 goto cleanup;
2240
2241 /* copy decrypted data to internal buffer */
2242 size = inbuf[1].cbBuffer;
2243 if(size) {
2244 memcpy(backend->decdata.buffer + backend->decdata.offset,
2245 inbuf[1].pvBuffer, size);
2246 backend->decdata.offset += size;
2247 }
2248
2249 SCH_DEV(infof(data, "schannel: decrypted data added: %zu", size));
2250 SCH_DEV(infof(data,
2251 "schannel: decrypted cached: offset %zu length %zu",
2252 backend->decdata.offset, backend->decdata.length));
2253 }
2254
2255 /* check for remaining encrypted data */
2256 if(inbuf[3].BufferType == SECBUFFER_EXTRA && inbuf[3].cbBuffer > 0) {
2257 SCH_DEV(infof(data, "schannel: encrypted data length: %lu",
2258 inbuf[3].cbBuffer));
2259
2260 /* check if the remaining data is less than the total amount
2261 * and therefore begins after the already processed data
2262 */
2263 if(backend->encdata.offset > inbuf[3].cbBuffer) {
2264 /* move remaining encrypted data forward to the beginning of
2265 buffer */
2266 memmove(backend->encdata.buffer,
2267 (backend->encdata.buffer + backend->encdata.offset) -
2268 inbuf[3].cbBuffer, inbuf[3].cbBuffer);
2269 backend->encdata.offset = inbuf[3].cbBuffer;
2270 }
2271
2272 SCH_DEV(infof(data,
2273 "schannel: encrypted cached: offset %zu length %zu",
2274 backend->encdata.offset, backend->encdata.length));
2275 }
2276 else {
2277 /* reset encrypted buffer offset, because there is no data remaining */
2278 backend->encdata.offset = 0;
2279 }
2280
2281 /* check if server wants to renegotiate the connection context */
2282 if(sspi_status == SEC_I_RENEGOTIATE) {
2283 infof(data, "schannel: remote party requests renegotiation");
2284 if(result && result != CURLE_AGAIN) {
2285 infof(data, "schannel: cannot renegotiate, an error is pending");
2286 goto cleanup;
2287 }
2288
2289 backend->recv_renegotiating = TRUE;
2290 result = schannel_recv_renegotiate(cf, data, SCH_RENEG_CALLER_IS_RECV);
2291 if(result)
2292 goto cleanup;
2293
2294 /* now retry receiving data */
2295 sspi_status = SEC_E_OK;
2296 continue;
2297 }
2298 /* check if the server closed the connection */
2299 else if(sspi_status == SEC_I_CONTEXT_EXPIRED) {
2300 /* In Windows 2000 SEC_I_CONTEXT_EXPIRED (close_notify) is not
2301 returned so we have to work around that in cleanup. */
2302 backend->recv_sspi_close_notify = TRUE;
2303 if(!backend->recv_connection_closed)
2304 backend->recv_connection_closed = TRUE;
2305 /* We received the close notify fine, any error we got
2306 * from the lower filters afterwards (e.g. the socket), is not
2307 * an error on the TLS data stream. That one ended here. */
2308 if(result == CURLE_RECV_ERROR)
2309 result = CURLE_OK;
2310 infof(data,
2311 "schannel: server close notification received (close_notify)");
2312 goto cleanup;
2313 }
2314 }
2315 else if(sspi_status == SEC_E_INCOMPLETE_MESSAGE) {
2316 backend->encdata_is_incomplete = TRUE;
2317 if(!result)
2318 result = CURLE_AGAIN;
2319 SCH_DEV(infof(data, "schannel: failed to decrypt data, need more data"));
2320 goto cleanup;
2321 }
2322 else {
2323 char buffer[STRERROR_LEN];
2324 failf(data, "schannel: failed to read data from server: %s",
2325 Curl_sspi_strerror(sspi_status, buffer, sizeof(buffer)));
2326 result = CURLE_RECV_ERROR;
2327 goto cleanup;
2328 }
2329 }
2330
2331 SCH_DEV(infof(data, "schannel: encrypted data buffer: offset %zu length %zu",
2332 backend->encdata.offset, backend->encdata.length));
2333
2334 SCH_DEV(infof(data, "schannel: decrypted data buffer: offset %zu length %zu",
2335 backend->decdata.offset, backend->decdata.length));
2336
2337cleanup:
2338 /* Warning- there is no guarantee the encdata state is valid at this point */
2339 SCH_DEV(infof(data, "schannel: schannel_recv cleanup"));
2340
2341 /* Error if the connection has closed without a close_notify.
2342
2343 The behavior here is a matter of debate. We do not want to be vulnerable
2344 to a truncation attack however there is some browser precedent for
2345 ignoring the close_notify for compatibility reasons.
2346 */
2347 if(len && !backend->decdata.offset && backend->recv_connection_closed &&
2348 !backend->recv_sspi_close_notify) {
2349 result = CURLE_RECV_ERROR;
2350 failf(data, "schannel: server closed abruptly (missing close_notify)");
2351 }
2352
2353 /* Any error other than CURLE_AGAIN is an unrecoverable error. */
2354 if(result && result != CURLE_AGAIN)
2355 backend->recv_unrecoverable_err = result;
2356
2357 size = len < backend->decdata.offset ? len : backend->decdata.offset;
2358 if(size) {
2359 memcpy(buf, backend->decdata.buffer, size);
2360 memmove(backend->decdata.buffer, backend->decdata.buffer + size,
2361 backend->decdata.offset - size);
2362 backend->decdata.offset -= size;
2363 SCH_DEV(infof(data, "schannel: decrypted data returned %zu", size));
2364 SCH_DEV(infof(data,
2365 "schannel: decrypted data buffer: offset %zu length %zu",
2366 backend->decdata.offset, backend->decdata.length));
2367 *pnread = size;
2368 return CURLE_OK;
2369 }
2370
2371 if(!result && !backend->recv_connection_closed)
2372 result = CURLE_AGAIN;
2373
2374 /* it is debatable what to return when !len. We could return whatever error
2375 we got from decryption but instead we override here so the return is
2376 consistent.
2377 */
2378 if(!len)
2379 return CURLE_OK;
2380
2381 return result;
2382}
2383
2384static bool schannel_data_pending(struct Curl_cfilter *cf,
2385 const struct Curl_easy *data)
2386{
2387 const struct ssl_connect_data *connssl = cf->ctx;
2388 struct schannel_ssl_backend_data *backend =
2389 (struct schannel_ssl_backend_data *)connssl->backend;
2390
2391 (void)data;
2392 DEBUGASSERT(backend);
2393
2394 if(backend->ctxt) /* SSL/TLS is in use */
2395 return backend->decdata.offset > 0 ||
2396 (backend->encdata.offset > 0 && !backend->encdata_is_incomplete) ||
2397 backend->recv_connection_closed ||
2398 backend->recv_sspi_close_notify ||
2399 backend->recv_unrecoverable_err;
2400 else
2401 return FALSE;
2402}
2403
2404/* shut down the SSL connection and clean up related memory.
2405 this function can be called multiple times on the same connection including
2406 if the SSL connection failed (eg connection made but failed handshake). */
2407static CURLcode schannel_shutdown(struct Curl_cfilter *cf,
2408 struct Curl_easy *data,
2409 bool send_shutdown, bool *done)
2410{
2411 /* See https://learn.microsoft.com/windows/win32/secauthn/shutting-down-an-schannel-connection
2412 * Shutting Down an Schannel Connection
2413 */
2414 struct ssl_connect_data *connssl = cf->ctx;
2415 struct schannel_ssl_backend_data *backend =
2416 (struct schannel_ssl_backend_data *)connssl->backend;
2417 CURLcode result = CURLE_OK;
2418
2419 if(cf->shutdown) {
2420 *done = TRUE;
2421 return CURLE_OK;
2422 }
2423
2424 DEBUGASSERT(data);
2425 DEBUGASSERT(backend);
2426
2427 /* Not supported in schannel */
2428 (void)send_shutdown;
2429
2430 *done = FALSE;
2431 if(backend->ctxt) {
2432 infof(data, "schannel: shutting down SSL/TLS connection with %s port %d",
2433 connssl->peer.dest->hostname, connssl->peer.dest->port);
2434 }
2435
2436 if(!backend->ctxt || cf->shutdown) {
2437 *done = TRUE;
2438 goto out;
2439 }
2440
2441 if(backend->cred && backend->ctxt && !backend->sent_shutdown) {
2442 SecBufferDesc BuffDesc;
2443 SecBuffer Buffer;
2444 SECURITY_STATUS sspi_status;
2445 SecBuffer outbuf;
2446 SecBufferDesc outbuf_desc;
2447 DWORD dwshut = SCHANNEL_SHUTDOWN;
2448
2449 InitSecBuffer(&Buffer, SECBUFFER_TOKEN, &dwshut, sizeof(dwshut));
2450 InitSecBufferDesc(&BuffDesc, &Buffer, 1);
2451
2452 sspi_status = Curl_pSecFn->ApplyControlToken(&backend->ctxt->ctxt_handle,
2453 &BuffDesc);
2454
2455 if(sspi_status != SEC_E_OK) {
2456 char buffer[STRERROR_LEN];
2457 failf(data, "schannel: ApplyControlToken failure: %s",
2458 Curl_sspi_strerror(sspi_status, buffer, sizeof(buffer)));
2459 result = CURLE_SEND_ERROR;
2460 goto out;
2461 }
2462
2463 /* setup output buffer */
2464 InitSecBuffer(&outbuf, SECBUFFER_EMPTY, NULL, 0);
2465 InitSecBufferDesc(&outbuf_desc, &outbuf, 1);
2466
2467 sspi_status = Curl_pSecFn->InitializeSecurityContext(
2468 &backend->cred->cred_handle,
2469 &backend->ctxt->ctxt_handle,
2470 backend->cred->sni_hostname,
2471 backend->req_flags,
2472 0,
2473 0,
2474 NULL,
2475 0,
2476 &backend->ctxt->ctxt_handle,
2477 &outbuf_desc,
2478 &backend->ret_flags, NULL);
2479
2480 if((sspi_status == SEC_E_OK) || (sspi_status == SEC_I_CONTEXT_EXPIRED)) {
2481 /* send close message which is in output buffer */
2482 size_t written;
2483
2484 result = Curl_conn_cf_send(cf->next, data,
2485 (const uint8_t *)outbuf.pvBuffer,
2486 outbuf.cbBuffer,
2487 FALSE, &written);
2488 Curl_pSecFn->FreeContextBuffer(outbuf.pvBuffer);
2489 if(!result) {
2490 if(written < outbuf.cbBuffer) {
2491 result = CURLE_SEND_ERROR;
2492 failf(data, "schannel: failed to send close msg: %s"
2493 " (bytes written: %zu)", curl_easy_strerror(result), written);
2494 goto out;
2495 }
2496 backend->sent_shutdown = TRUE;
2497 *done = TRUE;
2498 }
2499 else if(result == CURLE_AGAIN) {
2500 connssl->io_need = CURL_SSL_IO_NEED_SEND;
2501 result = CURLE_OK;
2502 goto out;
2503 }
2504 else {
2505 if(!backend->recv_connection_closed) {
2506 result = CURLE_SEND_ERROR;
2507 failf(data, "schannel: error sending close msg: %d", result);
2508 goto out;
2509 }
2510 /* Looks like server already closed the connection.
2511 * An error to send our close notify is not a failure. */
2512 *done = TRUE;
2513 result = CURLE_OK;
2514 }
2515 }
2516 }
2517
2518 /* If the connection seems open and we have not seen the close notify
2519 * from the server yet, try to receive it. */
2520 if(backend->cred && backend->ctxt &&
2521 !backend->recv_sspi_close_notify && !backend->recv_connection_closed) {
2522 char buffer[1024];
2523 size_t nread;
2524
2525 result = schannel_recv(cf, data, buffer, sizeof(buffer), &nread);
2526 if(result == CURLE_AGAIN) {
2527 connssl->io_need = CURL_SSL_IO_NEED_RECV;
2528 }
2529 else if(result) {
2530 CURL_TRC_CF(data, cf, "SSL shutdown, error %d", result);
2531 result = CURLE_RECV_ERROR;
2532 }
2533 else if(nread == 0) {
2534 /* We got the close notify alert and are done. */
2535 backend->recv_connection_closed = TRUE;
2536 *done = TRUE;
2537 }
2538 else {
2539 /* still data coming in? */
2540 }
2541 }
2542
2543out:
2544 cf->shutdown = (result || *done);
2545 return result;
2546}
2547
2548static void schannel_close(struct Curl_cfilter *cf, struct Curl_easy *data)
2549{
2550 struct ssl_connect_data *connssl = cf->ctx;
2551 struct schannel_ssl_backend_data *backend =
2552 (struct schannel_ssl_backend_data *)connssl->backend;
2553
2554 DEBUGASSERT(data);
2555 DEBUGASSERT(backend);
2556
2557 /* free SSPI Schannel API security context handle */
2558 if(backend->ctxt) {
2559 DEBUGF(infof(data, "schannel: clear security context handle"));
2560 Curl_pSecFn->DeleteSecurityContext(&backend->ctxt->ctxt_handle);
2561 curlx_safefree(backend->ctxt);
2562 }
2563
2564 /* free SSPI Schannel API credential handle */
2565 if(backend->cred) {
2566 Curl_ssl_scache_lock(data);
2567 schannel_session_free(backend->cred);
2568 Curl_ssl_scache_unlock(data);
2569 backend->cred = NULL;
2570 }
2571
2572 /* free internal buffer for received encrypted data */
2573 if(backend->encdata.buffer) {
2574 curlx_safefree(backend->encdata.buffer);
2575 backend->encdata.length = 0;
2576 backend->encdata.offset = 0;
2577 backend->encdata_is_incomplete = FALSE;
2578 }
2579
2580 /* free internal buffer for received decrypted data */
2581 if(backend->decdata.buffer) {
2582 curlx_safefree(backend->decdata.buffer);
2583 backend->decdata.length = 0;
2584 backend->decdata.offset = 0;
2585 }
2586}
2587
2588static int schannel_init(void)
2589{
2590#ifdef HAS_ALPN_SCHANNEL
2591 typedef const char *(APIENTRY *WINE_GET_VERSION_FN)(void);
2592#if defined(__clang__) && __clang_major__ >= 16
2593#pragma clang diagnostic push
2594#pragma clang diagnostic ignored "-Wcast-function-type-strict"
2595#endif
2596 WINE_GET_VERSION_FN p_wine_get_version =
2597 CURLX_FUNCTION_CAST(WINE_GET_VERSION_FN,
2598 GetProcAddress(GetModuleHandle(TEXT("ntdll")), "wine_get_version"));
2599#if defined(__clang__) && __clang_major__ >= 16
2600#pragma clang diagnostic pop
2601#endif
2602 if(p_wine_get_version) { /* WINE detected */
2603 curl_off_t ver = 0;
2604 const char *wine_version = p_wine_get_version(); /* e.g. "6.0.2" */
2605 /* Assume ALPN support with WINE 6.0 or upper */
2606 if(wine_version)
2607 curlx_str_number(&wine_version, &ver, 20);
2608 s_win_has_alpn = (ver >= 6);
2609 }
2610 else {
2611 /* ALPN is supported on Windows 8.1 / Server 2012 R2 and above. */
2612 s_win_has_alpn = curlx_verify_windows_version(6, 3, 0, PLATFORM_WINNT,
2613 VERSION_GREATER_THAN_EQUAL);
2614 }
2615#endif /* HAS_ALPN_SCHANNEL */
2616
2617 return Curl_sspi_global_init() == CURLE_OK ? 1 : 0;
2618}
2619
2620static void schannel_cleanup(void)
2621{
2622 Curl_sspi_global_cleanup();
2623}
2624
2625static size_t schannel_version(char *buffer, size_t size)
2626{
2627 return curl_msnprintf(buffer, size, "Schannel");
2628}
2629
2630static CURLcode schannel_random(struct Curl_easy *data,
2631 unsigned char *entropy, size_t length)
2632{
2633 (void)data;
2634
2635 return Curl_win32_random(entropy, length);
2636}
2637
2638static void schannel_checksum(const unsigned char *input,
2639 size_t inputlen,
2640 unsigned char *checksum,
2641 size_t checksumlen,
2642 DWORD provType,
2643 const unsigned int algId)
2644{
2645 HCRYPTPROV hProv = 0;
2646 HCRYPTHASH hHash = 0;
2647
2648 /* since this can fail in multiple ways, zero memory first so we never
2649 * return old data
2650 */
2651 memset(checksum, 0, checksumlen);
2652
2653 if(!CryptAcquireContext(&hProv, NULL, NULL, provType,
2654 CRYPT_VERIFYCONTEXT | CRYPT_SILENT))
2655 return; /* failed */
2656
2657 do {
2658 DWORD cbHashSize = 0;
2659 DWORD dwHashSizeLen = (DWORD)sizeof(cbHashSize);
2660 DWORD dwChecksumLen = (DWORD)checksumlen;
2661
2662 if(!CryptCreateHash(hProv, algId, 0, 0, &hHash))
2663 break; /* failed */
2664
2665 if(!CryptHashData(hHash, input, (DWORD)inputlen, 0))
2666 break; /* failed */
2667
2668 /* get hash size */
2669 if(!CryptGetHashParam(hHash, HP_HASHSIZE, (BYTE *)&cbHashSize,
2670 &dwHashSizeLen, 0))
2671 break; /* failed */
2672
2673 /* check hash size */
2674 if(checksumlen < cbHashSize)
2675 break; /* failed */
2676
2677 if(CryptGetHashParam(hHash, HP_HASHVAL, checksum, &dwChecksumLen, 0))
2678 break; /* failed */
2679 } while(0);
2680
2681 if(hHash)
2682 CryptDestroyHash(hHash);
2683
2684 if(hProv)
2685 CryptReleaseContext(hProv, 0);
2686}
2687
2688static CURLcode schannel_sha256sum(const unsigned char *input,
2689 size_t inputlen,
2690 unsigned char *sha256sum,
2691 size_t sha256len)
2692{
2693 schannel_checksum(input, inputlen, sha256sum, sha256len,
2694 PROV_RSA_AES, CALG_SHA_256);
2695 return CURLE_OK;
2696}
2697
2698static void *schannel_get_internals(struct ssl_connect_data *connssl,
2699 CURLINFO info)
2700{
2701 struct schannel_ssl_backend_data *backend =
2702 (struct schannel_ssl_backend_data *)connssl->backend;
2703 (void)info;
2704 DEBUGASSERT(backend);
2705 return &backend->ctxt->ctxt_handle;
2706}
2707
2708HCERTSTORE Curl_schannel_get_cached_cert_store(struct Curl_cfilter *cf,
2709 struct Curl_easy *data)
2710{
2711 struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
2712 struct Curl_multi *multi = data->multi;
2713 const struct curl_blob *ca_info_blob = conn_config->ca_info_blob;
2714 struct schannel_cert_share *share;
2715 const struct ssl_general_config *cfg = &data->set.general_ssl;
2716 timediff_t timeout_ms;
2717 unsigned char info_blob_digest[CURL_SHA256_DIGEST_LENGTH];
2718
2719 DEBUGASSERT(multi);
2720
2721 if(!multi) {
2722 return NULL;
2723 }
2724
2725 share = Curl_hash_pick(&multi->proto_hash,
2726 CURL_UNCONST(MPROTO_SCHANNEL_CERT_SHARE_KEY),
2727 sizeof(MPROTO_SCHANNEL_CERT_SHARE_KEY) - 1);
2728 if(!share || !share->cert_store) {
2729 return NULL;
2730 }
2731
2732 /* zero ca_cache_timeout completely disables caching */
2733 if(!cfg->ca_cache_timeout) {
2734 return NULL;
2735 }
2736
2737 /* check for cache timeout by using the cached_x509_store_expired timediff
2738 calculation pattern from openssl.c.
2739 negative timeout means retain forever. */
2740 timeout_ms = cfg->ca_cache_timeout * (timediff_t)1000;
2741 if(timeout_ms >= 0) {
2742 timediff_t elapsed_ms =
2743 curlx_ptimediff_ms(Curl_pgrs_now(data), &share->time);
2744 if(elapsed_ms >= timeout_ms) {
2745 return NULL;
2746 }
2747 }
2748
2749 if(ca_info_blob) {
2750 if(share->CAinfo_blob_size != ca_info_blob->len) {
2751 return NULL;
2752 }
2753 schannel_sha256sum((const unsigned char *)ca_info_blob->data,
2754 ca_info_blob->len,
2755 info_blob_digest,
2756 CURL_SHA256_DIGEST_LENGTH);
2757 if(memcmp(share->CAinfo_blob_digest, info_blob_digest,
2758 CURL_SHA256_DIGEST_LENGTH)) {
2759 return NULL;
2760 }
2761 }
2762 else {
2763 if(!conn_config->CAfile || !share->CAfile ||
2764 strcmp(share->CAfile, conn_config->CAfile)) {
2765 return NULL;
2766 }
2767 }
2768
2769 return share->cert_store;
2770}
2771
2772static void schannel_cert_share_free(void *key, size_t key_len, void *p)
2773{
2774 struct schannel_cert_share *share = p;
2775 DEBUGASSERT(key_len == (sizeof(MPROTO_SCHANNEL_CERT_SHARE_KEY) - 1));
2776 DEBUGASSERT(!memcmp(MPROTO_SCHANNEL_CERT_SHARE_KEY, key, key_len));
2777 (void)key;
2778 (void)key_len;
2779 if(share->cert_store) {
2780 CertCloseStore(share->cert_store, 0);
2781 }
2782 curlx_free(share->CAfile);
2783 curlx_free(share);
2784}
2785
2786bool Curl_schannel_set_cached_cert_store(struct Curl_cfilter *cf,
2787 struct Curl_easy *data,
2788 HCERTSTORE cert_store)
2789{
2790 struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
2791 struct Curl_multi *multi = data->multi;
2792 const struct curl_blob *ca_info_blob = conn_config->ca_info_blob;
2793 struct schannel_cert_share *share;
2794 size_t CAinfo_blob_size = 0;
2795 char *CAfile = NULL;
2796
2797 DEBUGASSERT(multi);
2798
2799 if(!multi) {
2800 return FALSE;
2801 }
2802
2803 share = Curl_hash_pick(&multi->proto_hash,
2804 CURL_UNCONST(MPROTO_SCHANNEL_CERT_SHARE_KEY),
2805 sizeof(MPROTO_SCHANNEL_CERT_SHARE_KEY) - 1);
2806 if(!share) {
2807 share = curlx_calloc(1, sizeof(*share));
2808 if(!share) {
2809 return FALSE;
2810 }
2811 if(!Curl_hash_add2(&multi->proto_hash,
2812 CURL_UNCONST(MPROTO_SCHANNEL_CERT_SHARE_KEY),
2813 sizeof(MPROTO_SCHANNEL_CERT_SHARE_KEY) - 1,
2814 share, schannel_cert_share_free)) {
2815 curlx_free(share);
2816 return FALSE;
2817 }
2818 }
2819
2820 if(ca_info_blob) {
2821 schannel_sha256sum((const unsigned char *)ca_info_blob->data,
2822 ca_info_blob->len,
2823 share->CAinfo_blob_digest,
2824 CURL_SHA256_DIGEST_LENGTH);
2825 CAinfo_blob_size = ca_info_blob->len;
2826 }
2827 else {
2828 if(conn_config->CAfile) {
2829 CAfile = curlx_strdup(conn_config->CAfile);
2830 if(!CAfile) {
2831 return FALSE;
2832 }
2833 }
2834 }
2835
2836 /* free old cache data */
2837 if(share->cert_store) {
2838 CertCloseStore(share->cert_store, 0);
2839 }
2840 curlx_free(share->CAfile);
2841
2842 share->time = curlx_now();
2843 share->cert_store = cert_store;
2844 share->CAinfo_blob_size = CAinfo_blob_size;
2845 share->CAfile = CAfile;
2846 return TRUE;
2847}
2848
2849const struct Curl_ssl Curl_ssl_schannel = {
2850 { CURLSSLBACKEND_SCHANNEL, "schannel" }, /* info */
2851
2852 SSLSUPP_CERTINFO |
2853 SSLSUPP_CAINFO_BLOB |
2854 SSLSUPP_PINNEDPUBKEY |
2855 SSLSUPP_CA_CACHE |
2856 SSLSUPP_HTTPS_PROXY |
2857 SSLSUPP_CIPHER_LIST,
2858
2859 sizeof(struct schannel_ssl_backend_data),
2860
2861 schannel_init, /* init */
2862 schannel_cleanup, /* cleanup */
2863 schannel_version, /* version */
2864 schannel_shutdown, /* shutdown */
2865 schannel_data_pending, /* data_pending */
2866 schannel_random, /* random */
2867 NULL, /* cert_status_request */
2868 schannel_connect, /* connect */
2869 Curl_ssl_adjust_pollset, /* adjust_pollset */
2870 schannel_get_internals, /* get_internals */
2871 schannel_close, /* close_one */
2872 NULL, /* close_all */
2873 NULL, /* set_engine */
2874 NULL, /* set_engine_default */
2875 NULL, /* engines_list */
2876 schannel_sha256sum, /* sha256sum */
2877 schannel_recv, /* recv decrypted data */
2878 schannel_send, /* send data to encrypt */
2879 NULL, /* get_channel_binding */
2880};
2881
2882#endif /* USE_SCHANNEL */