From c220674ac451231e05df1686bd3da473e5c37252 Mon Sep 17 00:00:00 2001
From: Viktor Szakats <commit@vsz.me>
Date: Wed, 11 Feb 2026 13:54:27 +0100
Subject: [PATCH] windows: tidy up includes, macros, document dependencies

- define `SECURITY_WIN32` globally in `curl_setup.h`.
  To make sure it applies to all includes.

- document which Windows headers require `SECURITY_WIN32`.

- stop suppressing MSVC warning:
  `C4201 is: nonstandard extension used : nameless struct/union`
  The warning is no longer seen in supported build envs with the current
  codebase.
  Follow-up to 8beff4355956e3d18ceb3afc21c1f3edec82543c #8419

- document why `SCHANNEL_USE_BLACKLISTS` is needed.

- just define `SCHANNEL_USE_BLACKLISTS`, drop the unnecessary value `1`.

- stop defining unused `SCH_CRED_MAX_SUPPORTED*` fallback macros.
  Follow-up to 8beff4355956e3d18ceb3afc21c1f3edec82543c #8419

- document why `subauth.h` is included (where missing).

- move and de-dupe `subauth.h` include into `curl_setup.h`, limit to
  Schannel builds.

- stop include `schnlsp.h`. It is a 1-to-1 compatibility wrapper for
  `schannel.h`.

- curl_sspi.h: clarify comment about `SP_NAME_` macros.
  They are local macros, their SDK names are different and curl does not
  use them.

- curl_sspi.h: drop superfluous includes `security.h` and `rpc.h`.

Cherry-picked from #20556

Closes #20564
---
 lib/curl_setup.h        | 10 +++++++++-
 lib/curl_sspi.h         | 12 +-----------
 lib/ldap.c              |  8 --------
 lib/vtls/schannel.h     | 11 +----------
 lib/vtls/schannel_int.h |  5 -----
 5 files changed, 11 insertions(+), 35 deletions(-)

diff --git a/lib/curl_setup.h b/lib/curl_setup.h
index 478c94ead5..559f586b78 100644
--- a/lib/curl_setup.h
+++ b/lib/curl_setup.h
@@ -106,6 +106,7 @@
 #  ifndef NOGDI
 #  define NOGDI
 #  endif
+
 /* Detect Windows App environment which has a restricted access
  * to the Win32 APIs. */
 #  if (defined(_WIN32_WINNT) && (_WIN32_WINNT >= 0x0602)) || \
@@ -116,6 +117,12 @@
 #      define CURL_WINDOWS_UWP
 #    endif
 #  endif
+
+/* Mandatory to define SECURITY_WIN32 or SECURITY_KERNEL to indicating who is
+   compiling the code. */
+#undef SECURITY_KERNEL
+#undef SECURITY_WIN32
+#define SECURITY_WIN32  /* for <sspi.h> */
 #endif
 
 /* Compatibility */
@@ -837,7 +844,8 @@
 #ifdef USE_SCHANNEL
 /* Must set this before <schannel.h> is included directly or indirectly by
    another Windows header. */
-#  define SCHANNEL_USE_BLACKLISTS 1
+#  define SCHANNEL_USE_BLACKLISTS  /* for SCH_CREDENTIALS */
+#  include <subauth.h>  /* for [P]UNICODE_STRING in SCH_CREDENTIALS */
 #endif
 
 #ifdef __hpux
diff --git a/lib/curl_sspi.h b/lib/curl_sspi.h
index 0fba510357..3779d51753 100644
--- a/lib/curl_sspi.h
+++ b/lib/curl_sspi.h
@@ -27,17 +27,7 @@
 
 #ifdef USE_WINDOWS_SSPI
 
-/*
- * When including the following three headers, it is mandatory to define either
- * SECURITY_WIN32 or SECURITY_KERNEL, indicating who is compiling the code.
- */
-
-#undef SECURITY_WIN32
-#undef SECURITY_KERNEL
-#define SECURITY_WIN32 1
-#include <security.h>
 #include <sspi.h>
-#include <rpc.h>
 
 CURLcode Curl_sspi_global_init(void);
 void Curl_sspi_global_cleanup(void);
@@ -56,7 +46,7 @@ void Curl_sspi_free_identity(SEC_WINNT_AUTH_IDENTITY *identity);
 /* Forward-declaration of global variables defined in curl_sspi.c */
 extern PSecurityFunctionTable Curl_pSecFn;
 
-/* Provide some definitions missing in old headers */
+/* Provide Service Principal names as macros */
 #define SP_NAME_DIGEST              "WDigest"
 #define SP_NAME_NTLM                "NTLM"
 #define SP_NAME_NEGOTIATE           "Negotiate"
diff --git a/lib/ldap.c b/lib/ldap.c
index 3e7bbaa040..046fcd48e8 100644
--- a/lib/ldap.c
+++ b/lib/ldap.c
@@ -56,14 +56,6 @@
 #endif
 
 #ifdef USE_WIN32_LDAP           /* Use Windows LDAP implementation. */
-# ifdef _MSC_VER
-#  pragma warning(push)
-#  pragma warning(disable:4201)
-# endif
-# include <subauth.h>  /* for [P]UNICODE_STRING */
-# ifdef _MSC_VER
-#  pragma warning(pop)
-# endif
 # include <winldap.h>
 # include <winber.h>
 #else
diff --git a/lib/vtls/schannel.h b/lib/vtls/schannel.h
index f66bcf2933..c617233e08 100644
--- a/lib/vtls/schannel.h
+++ b/lib/vtls/schannel.h
@@ -28,14 +28,6 @@
 
 #ifdef USE_SCHANNEL
 
-#ifdef _MSC_VER
-#pragma warning(push)
-#pragma warning(disable:4201)
-#endif
-#include <subauth.h>
-#ifdef _MSC_VER
-#pragma warning(pop)
-#endif
 /* Wincrypt must be included before anything that could include OpenSSL. */
 #ifdef USE_WIN32_CRYPTO
 #include <wincrypt.h>
@@ -48,14 +40,13 @@
 #undef OCSP_RESPONSE
 #endif
 
-#include <schnlsp.h>
 #include <schannel.h>
 #include "../curl_sspi.h"
 
 #include "../cfilters.h"
 #include "../urldata.h"
 
-/* <wincrypt.h> has been included via the above <schnlsp.h>.
+/* <wincrypt.h> has been included via the above <schannel.h>.
  * Or in case of ldap.c, it was included via <winldap.h>.
  * And since <wincrypt.h> has this:
  *   #define X509_NAME  ((LPCSTR)7)
diff --git a/lib/vtls/schannel_int.h b/lib/vtls/schannel_int.h
index 0146bf8619..8a8291f6ba 100644
--- a/lib/vtls/schannel_int.h
+++ b/lib/vtls/schannel_int.h
@@ -91,11 +91,6 @@ typedef struct _SCH_CREDENTIALS {
   PTLS_PARAMETERS     pTlsParameters;
 } SCH_CREDENTIALS, * PSCH_CREDENTIALS;
 
-#define SCH_CRED_MAX_SUPPORTED_PARAMETERS 16
-#define SCH_CRED_MAX_SUPPORTED_ALPN_IDS 16
-#define SCH_CRED_MAX_SUPPORTED_CRYPTO_SETTINGS 16
-#define SCH_CRED_MAX_SUPPORTED_CHAINING_MODES 16
-
 #endif /* SCH_CREDENTIALS_VERSION */
 
 struct Curl_schannel_cred {