eve.tls.windows.schannel
Windows SChannel TLS Implementation (EXPERIMENTAL)
WARNING: This module is experimental. The API may change and security properties have not been fully audited. Do not use in production without independent security review.
This module provides TLS/SSL support for Windows using the native SChannel (Secure Channel) SSPI provider. SChannel is the Windows built-in SSL/TLS implementation requiring no external dependencies.
The implementation wraps the SSPI API to provide a clean interface matching the eve.tls.api contract.
Version Compatibility:
- Minimum: Windows Vista / Server 2008 (SSPI base API)
- TLS 1.2: Fully supported (Windows 7 / Server 2008 R2+)
- ALPN: Windows 8.1 / Server 2012 R2+
- TLS 1.3: Windows 10 1809 / Server 2019+
SSPI bindings are locally declared and audited against Windows SDK headers. All type sizes use platform-correct widths (size_t for DWORD_PTR/UINT_PTR, uint for DWORD/ULONG, void* for opaque handles).
Copyright
Types 17
Security status codes
Credential handle
size_t dwLowersize_t dwUpperContext handle
size_t dwLowersize_t dwUpperTimestamp structure
uint dwLowDateTimeuint dwHighDateTimeSecurity buffer
uint cbBufferuint bufferTypevoid * pvBufferSecurity buffer descriptor
Stream sizes for encryption
uint cbHeaderuint cbTraileruint cbMaximumMessageuint cBuffersuint cbBlockSizeSChannel credentials
uint dwVersionuint cCredsvoid * * paCredvoid * hRootStoreuint cMappersvoid * * aphMappersuint cSupportedAlgsuint * palgSupportedAlgsuint grbitEnabledProtocolsuint dwMinimumCipherStrengthuint dwMaximumCipherStrengthuint dwSessionLifespanuint dwFlagsuint dwCredFormatuint ProtoNegoStateuint ProtoNegoExtushort ProtocolIdSizechar * ProtocolIduint cbDataubyte * pbDatauint dwVersionCRYPT_DATA_BLOB SerialNumberCRYPT_ALGORITHM_IDENTIFIER SignatureAlgorithmCRYPT_DATA_BLOB IssuerFILETIME NotBeforeFILETIME NotAfterCRYPT_DATA_BLOB Subjectushort wYearushort wMonthushort wDayOfWeekushort wDayushort wHourushort wMinuteushort wSecondushort wMillisecondsSChannel credential handle wrapper.
Manages the lifecycle of SSPI credentials used for TLS connections. Credentials are acquired based on the TlsContext configuration and must be released when no longer needed.
private CredHandle handleprivate bool valid_private void * rootStore_private CERT_CONTEXT * serverCert_private void * pfxStore_TlsErrorCode initialize(ref const(TlsContext) ctx) @trusted nothrowInitialize credentials from a TLS context.CERT_CONTEXT * loadCertAndKeyFromPfx(string path) @trusted nothrowLoad a certificate with its private key from a PFX (PKCS#12) file.SChannel TLS Stream.
Provides TLS encryption/decryption over an underlying transport. This struct wraps the SSPI/SChannel API to implement the TLS stream interface defined in eve.tls.api.
Parameters
Transport | The underlying transport type (must support read/write). |
Transport * transport_TlsContext context_SchannelCredentials credentials_CtxtHandle secContext_bool contextValid_TlsState state_HandshakeState handshakeState_SecPkgContext_StreamSizes streamSizes_bool streamSizesValid_ubyte[IO_BUFFER_SIZE] recvBuffer_size_t recvBufferLen_ubyte[IO_BUFFER_SIZE] decryptedBuffer_size_t decryptedBufferLen_size_t decryptedBufferPos_ubyte[IO_BUFFER_SIZE] pendingSendBuffer_size_t pendingSendLen_size_t pendingSendPos_ubyte[IO_BUFFER_SIZE] handshakeOutBuffer_size_t handshakeOutBufferLen_size_t handshakeOutBufferPos_TlsErrorCode lastError_TlsIoInterest ioInterest() const pure @safe nothrow @nogcGet the current I/O interest for the underlying transport.HandshakeResult performClientHandshake() @trustedHandshakeResult performServerHandshake() @trustedsize_t buildAlpnExtension(ubyte[] buf) nothrowTlsIOResult readAndDecrypt(ubyte[] buffer) @trustedTlsIOResult encryptAndSend(const(ubyte)[] data) @trustedthis(Transport * transport, TlsContext ctx)Construct a TLS stream over the given transport.Functions 28
SECURITY_STATUS AcquireCredentialsHandleA(
PCHAR pszPrincipal,
PCHAR pszPackage,
ULONG fCredentialUse,
void * pvLogonId,
void * pAuthData,
void * pGetKeyFn,
void * pvGetKeyArgument,
CredHandle * phCredential,
TimeStamp * ptsExpiry
)SECURITY_STATUS FreeCredentialsHandle(CredHandle * phCredential)SECURITY_STATUS InitializeSecurityContextA(
CredHandle * phCredential,
CtxtHandle * phContext,
PCHAR pszTargetName,
ULONG fContextReq,
ULONG Reserved1,
ULONG TargetDataRep,
SecBufferDesc * pInput,
ULONG Reserved2,
CtxtHandle * phNewContext,
SecBufferDesc * pOutput,
ULONG * pfContextAttr,
TimeStamp * ptsExpiry
)SECURITY_STATUS AcceptSecurityContext(
CredHandle * phCredential,
CtxtHandle * phContext,
SecBufferDesc * pInput,
ULONG fContextReq,
ULONG TargetDataRep,
CtxtHandle * phNewContext,
SecBufferDesc * pOutput,
ULONG * pfContextAttr,
TimeStamp * ptsExpiry
)SECURITY_STATUS DeleteSecurityContext(CtxtHandle * phContext)SECURITY_STATUS QueryContextAttributesA(
CtxtHandle * phContext,
ULONG ulAttribute,
void * pBuffer
)SECURITY_STATUS EncryptMessage(
CtxtHandle * phContext,
ULONG fQOP,
SecBufferDesc * pMessage,
ULONG MessageSeqNo
)SECURITY_STATUS DecryptMessage(
CtxtHandle * phContext,
SecBufferDesc * pMessage,
ULONG MessageSeqNo,
ULONG * pfQOP
)SECURITY_STATUS FreeContextBuffer(void * pvContextBuffer)SECURITY_STATUS ApplyControlToken(
CtxtHandle * phContext,
SecBufferDesc * pInput
)int send(size_t s, const(void) * buf, int len, int flags)int recv(size_t s, void * buf, int len, int flags)int WSAGetLastError()DWORD CertGetNameStringA(
CERT_CONTEXT * pCertContext,
DWORD dwType,
DWORD dwFlags,
void * pvTypePara,
PCHAR pszNameString,
DWORD cchNameString
)void CertFreeCertificateContext(CERT_CONTEXT * pCertContext)BOOL FileTimeToSystemTime(const FILETIME * lpFileTime, SYSTEMTIME * lpSystemTime)void * CertOpenStore(PCHAR lpszStoreProvider, DWORD dwMsgAndCertEncodingType,
void * hCryptProv, DWORD dwFlags, const void * pvPara)BOOL CertCloseStore(void * hCertStore, DWORD dwFlags)CERT_CONTEXT * CertCreateCertificateContext(DWORD dwCertEncodingType,
const(ubyte) * pbCertEncoded, DWORD cbCertEncoded)BOOL CertAddCertificateContextToStore(void * hCertStore,
CERT_CONTEXT * pCertContext, DWORD dwAddDisposition,
CERT_CONTEXT * * ppStoreContext)BOOL CryptStringToBinaryA(PCHAR pszString, DWORD cchString,
DWORD dwFlags, ubyte * pbBinary, DWORD * pcbBinary,
DWORD * pdwSkip, DWORD * pdwFlags)void * PFXImportCertStore(CRYPT_DATA_BLOB * pPFX, const(wchar) * szPassword,
DWORD dwFlags)CERT_CONTEXT * CertFindCertificateInStore(void * hCertStore,
DWORD dwCertEncodingType, DWORD dwFindFlags, DWORD dwFindType,
const void * pvFindPara, CERT_CONTEXT * pPrevCertContext)uint tlsVersionToProtocol(TlsVersion ver, bool isClient) pure @safe nothrow @nogcConvert TlsVersion to SChannel protocol flags.uint buildProtocolFlags(TlsVersion minVer, TlsVersion maxVer, bool isClient) pure @safe nothrow @nogcBuild protocol flags for a version range.TlsErrorCode statusToErrorCode(SECURITY_STATUS status) pure @safe nothrow @nogcConvert SECURITY_STATUS to TlsErrorCode.Variables 68
SECPKG_CRED_OUTBOUND = 0x00000002SECPKG_CRED_INBOUND = 0x00000001ISC_REQ_SEQUENCE_DETECT = 0x00000008ISC_REQ_REPLAY_DETECT = 0x00000004ISC_REQ_CONFIDENTIALITY = 0x00000010ISC_REQ_USE_SUPPLIED_CREDS = 0x00000080ISC_REQ_ALLOCATE_MEMORY = 0x00000100ISC_REQ_STREAM = 0x00008000ISC_REQ_MANUAL_CRED_VALIDATION = 0x00080000ASC_REQ_SEQUENCE_DETECT = 0x00000008ASC_REQ_REPLAY_DETECT = 0x00000004ASC_REQ_CONFIDENTIALITY = 0x00000010ASC_REQ_ALLOCATE_MEMORY = 0x00000100ASC_REQ_STREAM = 0x00008000SECBUFFER_VERSION = 0SECBUFFER_EMPTY = 0SECBUFFER_DATA = 1SECBUFFER_TOKEN = 2SECBUFFER_EXTRA = 5SECBUFFER_STREAM_TRAILER = 6SECBUFFER_STREAM_HEADER = 7SECBUFFER_ALERT = 17SCHANNEL_CRED_VERSION = 4SCH_CRED_NO_DEFAULT_CREDS = 0x00000010SCH_CRED_MANUAL_CRED_VALIDATION = 0x00000008SCH_USE_STRONG_CRYPTO = 0x00400000SP_PROT_TLS1_0_CLIENT = 0x00000080SP_PROT_TLS1_0_SERVER = 0x00000040SP_PROT_TLS1_1_CLIENT = 0x00000200SP_PROT_TLS1_1_SERVER = 0x00000100SP_PROT_TLS1_2_CLIENT = 0x00000800SP_PROT_TLS1_2_SERVER = 0x00000400SP_PROT_TLS1_3_CLIENT = 0x00002000SP_PROT_TLS1_3_SERVER = 0x00001000SEC_E_OK = 0x00000000SEC_I_CONTINUE_NEEDED = 0x00090312SEC_E_INCOMPLETE_MESSAGE = 0x80090318SEC_I_INCOMPLETE_CREDENTIALS = 0x00090320SEC_I_CONTEXT_EXPIRED = 0x00090317SEC_E_INTERNAL_ERROR = 0x80090304SEC_E_INVALID_HANDLE = 0x80090301SEC_E_INVALID_TOKEN = 0x80090308SEC_E_CERT_EXPIRED = 0x80090328SEC_E_CERT_UNKNOWN = 0x80090327SEC_E_UNTRUSTED_ROOT = 0x80090325SEC_E_WRONG_PRINCIPAL = 0x80090322SECPKG_ATTR_STREAM_SIZES = 4SECPKG_ATTR_REMOTE_CERT_CONTEXT = 0x40SECPKG_ATTR_APPLICATION_PROTOCOL = 0x5CSECBUFFER_SEND_GENERIC_TLS_EXTENSION = 45SEC_APPLICATION_PROTOCOL_NEGOTIATION_STATUS_Negotiated = 3SecPkgApplicationProtocolNegotiationExt_ALPN = 2TLS1_ALPN_EXTENSION = 0x0010SOCKET_ERROR = - 1WSAEWOULDBLOCK = 10035CERT_NAME_SIMPLE_DISPLAY_TYPE = 4CERT_NAME_ISSUER_FLAG = 0x00000001CERT_STORE_PROV_MEMORY = 2CERT_STORE_ADD_ALWAYS = 4X509_ASN_ENCODING = 0x00000001PKCS_7_ASN_ENCODING = 0x00010000CRYPT_STRING_BASE64HEADER = 0x00000000CRYPT_STRING_BASE64_ANY = 0x00000006PKCS12_NO_PERSIST_KEY = 0x00008000CERT_FIND_ANY = 0CERT_ENCODING_TYPE = X509_ASN_ENCODING | PKCS_7_ASN_ENCODINGTLS_MAX_RECORD_SIZE = 16384Maximum TLS record size.
IO_BUFFER_SIZE = TLS_MAX_RECORD_SIZE + 512Buffer size for I/O operations.