Major plugin refactor and cleanup.

Switched to POCO library for unified platform/library interface. Deprecated the external module API. It was creating more problems than solving. Removed most built-in libraries in favor of system libraries for easier maintenance. Cleaned and secured code with help from static analyzers.
2025-06-21 17:47:13 +02:00 · 2021-01-30 08:51:39 +02:00
parent e0e34b4030
commit 4a6bfc086c
6219 changed files with 1209835 additions and 454916 deletions
--- a/vendor/POCO/NetSSL_Win/include/Poco/Net/Context.h
+++ b/vendor/POCO/NetSSL_Win/include/Poco/Net/Context.h
@ -0,0 +1,310 @@
+//
+// Context.h
+//
+// Library: NetSSL_Win
+// Package: SSLCore
+// Module:  Context
+//
+// Definition of the Context class.
+//
+// Copyright (c) 2006-2014, Applied Informatics Software Engineering GmbH.
+// and Contributors.
+//
+// SPDX-License-Identifier:	BSL-1.0
+//
+
+
+#ifndef NetSSL_Context_INCLUDED
+#define NetSSL_Context_INCLUDED
+
+
+#include "Poco/Net/NetSSL.h"
+#include "Poco/Net/X509Certificate.h"
+#include "Poco/RefCountedObject.h"
+#include "Poco/AutoPtr.h"
+#include "Poco/Mutex.h"
+#include <vector>
+#if defined(POCO_OS_FAMILY_WINDOWS)
+#include <windows.h>
+#include <wincrypt.h>
+#include <schannel.h>
+#ifndef SECURITY_WIN32
+#define SECURITY_WIN32
+#endif
+#include <security.h>
+#include <sspi.h>
+#endif
+
+
+namespace Poco {
+namespace Net {
+
+
+class NetSSL_Win_API Context: public Poco::RefCountedObject
+	/// This class encapsulates context information for
+	/// an SSL server or client, such as the certificate
+	/// verification mode and which certificates and
+	/// protocols to use.
+	///
+	/// The Context class is also used to control
+	/// SSL session caching on the server and client side.
+{
+public:
+	using Ptr = Poco::AutoPtr<Context>;
+
+	enum Usage
+	{
+		TLS_CLIENT_USE,     /// Context is used by a client for TLSv1 or higher. Use requireMinimumProtocol() or disableProtocols() to disable undesired older versions.
+		TLS_SERVER_USE,     /// Context is used by a client for TLSv1 or higher. Use requireMinimumProtocol() or disableProtocols() to disable undesired older versions.
+		CLIENT_USE, 	    /// DEPRECATED. Context is used by a client.
+		SERVER_USE,         /// DEPRECATED. Context is used by a server.
+		TLSV1_CLIENT_USE,   /// DEPRECATED. Context is used by a client requiring TLSv1.
+		TLSV1_SERVER_USE,   /// DEPRECATED. Context is used by a server requiring TLSv1.
+		TLSV1_1_CLIENT_USE, /// DEPRECATED. Context is used by a client requiring TLSv1.1. Not supported on Windows Embedded Compact.
+		TLSV1_1_SERVER_USE, /// DEPRECATED. Context is used by a server requiring TLSv1.1. Not supported on Windows Embedded Compact.
+		TLSV1_2_CLIENT_USE, /// DEPRECATED. Context is used by a client requiring TLSv1.2. Not supported on Windows Embedded Compact.
+		TLSV1_2_SERVER_USE, /// DEPRECATED. Context is used by a server requiring TLSv1.2. Not supported on Windows Embedded Compact.
+		TLSV1_3_CLIENT_USE, /// DEPRECATED. Context is used by a client requiring TLSv1.3. Not supported on Windows Embedded Compact.
+		TLSV1_3_SERVER_USE  /// DEPRECATED. Context is used by a server requiring TLSv1.3. Not supported on Windows Embedded Compact.
+	};
+
+	enum VerificationMode 
+	{
+		VERIFY_NONE    = 0, 
+			/// Server: The server will not send a client certificate 
+			/// request to the client, so the client will not send a certificate. 
+			///
+			/// Client: If not using an anonymous cipher (by default disabled), 
+			/// the server will send a certificate which will be checked, but
+			/// the result of the check will be ignored.
+
+		VERIFY_RELAXED = 1, 
+			/// Server: The server sends a client certificate request to the 
+			/// client. The certificate returned (if any) is checked. 
+			/// If the verification process fails, the TLS/SSL handshake is 
+			/// immediately terminated with an alert message containing the 
+			/// reason for the verification failure. 
+			///
+			/// Client: The server certificate is verified, if one is provided. 
+			/// If the verification process fails, the TLS/SSL handshake is
+			/// immediately terminated with an alert message containing the 
+			/// reason for the verification failure. 
+
+		VERIFY_STRICT  = 2,
+			/// Server: If the client did not return a certificate, the TLS/SSL 
+			/// handshake is immediately terminated with a handshake failure
+			/// alert. 
+			///
+			/// Client: Same as VERIFY_RELAXED. 
+
+		VERIFY_ONCE    = 1
+			/// Same as VERIFY_RELAXED (provided for interface compatibility with 
+			/// the OpenSSL implementation.
+	};
+
+	enum Protocols
+	{
+		PROTO_SSLV2   = 0x01,
+		PROTO_SSLV3   = 0x02,
+		PROTO_TLSV1   = 0x04,
+		PROTO_TLSV1_1 = 0x08,
+		PROTO_TLSV1_2 = 0x10,
+		PROTO_TLSV1_3 = 0x20
+	};
+
+	enum Options
+	{
+		OPT_PERFORM_REVOCATION_CHECK    = 0x01,
+			/// Check certificates against revocation list. Not supported (ignored) on Windows Embedded Compact.
+		OPT_TRUST_ROOTS_WIN_CERT_STORE  = 0x02,
+			/// Trust root certificates from Windows root certificate store.
+		OPT_USE_MACHINE_STORE           = 0x04,
+			/// If specified, the windows machine certificate store is used (server only).
+			/// Otherwise, the user's certificate store is used.
+		OPT_USE_STRONG_CRYPTO           = 0x08,
+			/// Disable known weak cryptographic algorithms, cipher suites, and 
+			/// SSL/TLS protocol versions that may be otherwise enabled for better interoperability. 
+		OPT_LOAD_CERT_FROM_FILE         = 0x10,
+			/// Load certificate and private key from a PKCS #12 (.pfx) file, 
+			/// and not from the certificate store.
+		OPT_DEFAULTS                    = OPT_PERFORM_REVOCATION_CHECK | OPT_TRUST_ROOTS_WIN_CERT_STORE | OPT_USE_STRONG_CRYPTO
+	};
+
+	Context(Usage usage,
+		const std::string& certificateNameOrPath, 
+		VerificationMode verMode = VERIFY_RELAXED,
+		int options = OPT_DEFAULTS,
+		const std::string& certificateStoreName = CERT_STORE_MY);
+			/// Creates a Context.
+			/// 
+			///   * usage specifies whether the context is used by a client or server,
+			///     as well as which protocol to use.
+			///   * certificateNameOrPath specifies either the subject name of the certificate to use,
+			///     or the path of a PKCS #12 file containing the certificate and corresponding private key.
+			///     If a subject name is specified, the certificate must be located in the certificate 
+			///     store specified by certificateStoreName. If a path is given, the OPT_LOAD_CERT_FROM_FILE
+			///     option must be set.
+			///   * verificationMode specifies whether and how peer certificates are validated.
+			///   * options is a combination of Option flags.
+			///   * certificateStoreName specifies the name of the Windows certificate store
+			///     to use for loading the certificate. Predefined constants
+			///     CERT_STORE_MY, CERT_STORE_ROOT, etc. can be used.
+			///
+			/// Note: you can use OpenSSL to convert a certificate and private key in PEM format
+			/// into PKCS #12 format required to import into the Context:
+			///
+			///     openssl pkcs12 -export -inkey cert.key -in cert.crt -out cert.pfx 
+
+	~Context();
+		/// Destroys the Context.
+
+	VerificationMode verificationMode() const;
+		/// Returns the certificate verification mode.
+
+	Usage usage() const;
+		/// Returns whether the context is for use by a client or by a server
+		/// and whether TLSv1.x is required.
+
+	bool isForServerUse() const;
+		/// Returns true iff the context is for use by a server.
+
+	bool sessionCacheEnabled() const;
+		/// Returns true iff the session cache is enabled.
+
+	void enableExtendedCertificateVerification(bool flag = true);
+		/// Enable or disable the automatic post-connection
+		/// extended certificate verification.
+		///
+		/// See X509Certificate::verify() for more information.
+		
+	bool extendedCertificateVerificationEnabled() const;
+		/// Returns true iff automatic extended certificate 
+		/// verification is enabled.
+
+	int options() const;
+		/// Returns the options flags.
+
+	void addTrustedCert(const Poco::Net::X509Certificate& cert);
+		/// Adds the certificate to the trusted certs. Takes ownership of pCert.
+
+	void disableProtocols(int protocols);
+		/// Disables the given protocols.
+		///
+		/// The protocols to be disabled are specified by OR-ing
+		/// values from the Protocols enumeration, e.g.:
+		///
+		///   context.disableProtocols(PROTO_SSLV2 | PROTO_SSLV3);
+
+	void requireMinimumProtocol(Protocols protocol);
+		/// Disables all protocol version lower than the given one.
+		/// To require at least TLS 1.2 or later:
+		///
+		///   context.requireMinimumProtocol(PROTO_TLSV1_2);
+
+	Poco::Net::X509Certificate certificate();
+		/// Loads or imports and returns the certificate specified in the constructor.
+		///
+		/// Throws a NoCertificateException if the certificate cannot
+		/// be found or no certificate name has been provided in the constructor.
+		///
+		/// May also throw a filesystem-related exception if the certificate file
+		/// cannot be found.
+
+	HCERTSTORE certificateStore() const;
+		/// Returns a handle to the certificate store.
+
+	CredHandle& credentials();
+		/// Returns a reference to the Schannel credentials for this Context.
+
+	static const std::string CERT_STORE_MY;
+	static const std::string CERT_STORE_ROOT;
+	static const std::string CERT_STORE_TRUST;
+	static const std::string CERT_STORE_CA;
+	static const std::string CERT_STORE_USERDS;
+
+protected:
+	void init();
+	void loadCertificate();
+	void importCertificate();
+	void importCertificate(const char* pBuffer, std::size_t size);
+	void acquireSchannelCredentials(CredHandle& credHandle) const;
+	DWORD proto() const;
+	DWORD enabledProtocols() const;
+
+private:
+	Context(const Context&);
+	Context& operator = (const Context&);
+
+	Usage                      _usage;
+	Context::VerificationMode  _mode;
+	int                        _options;
+	int                        _disabledProtocols;
+	bool                       _extendedCertificateVerification;
+	std::string                _certNameOrPath;
+	std::string                _certStoreName;
+	HCERTSTORE                 _hMemCertStore;
+	HCERTSTORE                 _hCollectionCertStore;
+	HCERTSTORE                 _hRootCertStore;
+	HCERTSTORE                 _hCertStore;
+	PCCERT_CONTEXT             _pCert;
+	CredHandle                 _hCreds;
+	SecurityFunctionTableW&    _securityFunctions;
+	mutable Poco::FastMutex    _mutex;
+};
+
+
+//
+// inlines
+//
+inline Context::VerificationMode Context::verificationMode() const
+{
+	return _mode;
+}
+
+
+inline Context::Usage Context::usage() const
+{
+	return _usage;
+}
+
+
+inline int Context::options() const
+{
+	return _options;
+}
+
+
+inline bool Context::isForServerUse() const
+{
+	return _usage == SERVER_USE
+		|| _usage == TLS_SERVER_USE
+		|| _usage == TLSV1_SERVER_USE
+		|| _usage == TLSV1_1_SERVER_USE
+		|| _usage == TLSV1_2_SERVER_USE
+		|| _usage == TLSV1_3_SERVER_USE;
+}
+
+
+inline bool Context::extendedCertificateVerificationEnabled() const
+{
+	return _extendedCertificateVerification;
+}
+
+
+inline bool Context::sessionCacheEnabled() const
+{
+	return true;
+		/// Session cache is always enabled with Schannel.
+}
+
+
+inline HCERTSTORE Context::certificateStore() const
+{
+	return _hCollectionCertStore;
+}
+
+
+} } // namespace Poco::Net
+
+
+#endif // NetSSL_Context_INCLUDED