Annotation of embedaddon/curl/lib/vtls/schannel_verify.c, revision 1.1
1.1 ! misho 1: /***************************************************************************
! 2: * _ _ ____ _
! 3: * Project ___| | | | _ \| |
! 4: * / __| | | | |_) | |
! 5: * | (__| |_| | _ <| |___
! 6: * \___|\___/|_| \_\_____|
! 7: *
! 8: * Copyright (C) 2012 - 2016, Marc Hoersken, <info@marc-hoersken.de>
! 9: * Copyright (C) 2012, Mark Salisbury, <mark.salisbury@hp.com>
! 10: * Copyright (C) 2012 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
! 11: *
! 12: * This software is licensed as described in the file COPYING, which
! 13: * you should have received as part of this distribution. The terms
! 14: * are also available at https://curl.haxx.se/docs/copyright.html.
! 15: *
! 16: * You may opt to use, copy, modify, merge, publish, distribute and/or sell
! 17: * copies of the Software, and permit persons to whom the Software is
! 18: * furnished to do so, under the terms of the COPYING file.
! 19: *
! 20: * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
! 21: * KIND, either express or implied.
! 22: *
! 23: ***************************************************************************/
! 24:
! 25: /*
! 26: * Source file for Schannel-specific certificate verification. This code should
! 27: * only be invoked by code in schannel.c.
! 28: */
! 29:
! 30: #include "curl_setup.h"
! 31:
! 32: #ifdef USE_SCHANNEL
! 33: #ifndef USE_WINDOWS_SSPI
! 34: # error "Can't compile SCHANNEL support without SSPI."
! 35: #endif
! 36:
! 37: #define EXPOSE_SCHANNEL_INTERNAL_STRUCTS
! 38: #include "schannel.h"
! 39:
! 40: #ifdef HAS_MANUAL_VERIFY_API
! 41:
! 42: #include "vtls.h"
! 43: #include "sendf.h"
! 44: #include "strerror.h"
! 45: #include "curl_multibyte.h"
! 46: #include "curl_printf.h"
! 47: #include "hostcheck.h"
! 48: #include "system_win32.h"
! 49:
! 50: /* The last #include file should be: */
! 51: #include "curl_memory.h"
! 52: #include "memdebug.h"
! 53:
! 54: #define BACKEND connssl->backend
! 55:
! 56: #define MAX_CAFILE_SIZE 1048576 /* 1 MiB */
! 57: #define BEGIN_CERT "-----BEGIN CERTIFICATE-----"
! 58: #define END_CERT "\n-----END CERTIFICATE-----"
! 59:
! 60: typedef struct {
! 61: DWORD cbSize;
! 62: HCERTSTORE hRestrictedRoot;
! 63: HCERTSTORE hRestrictedTrust;
! 64: HCERTSTORE hRestrictedOther;
! 65: DWORD cAdditionalStore;
! 66: HCERTSTORE *rghAdditionalStore;
! 67: DWORD dwFlags;
! 68: DWORD dwUrlRetrievalTimeout;
! 69: DWORD MaximumCachedCertificates;
! 70: DWORD CycleDetectionModulus;
! 71: HCERTSTORE hExclusiveRoot;
! 72: HCERTSTORE hExclusiveTrustedPeople;
! 73: } CERT_CHAIN_ENGINE_CONFIG_WIN7, *PCERT_CHAIN_ENGINE_CONFIG_WIN7;
! 74:
! 75: static int is_cr_or_lf(char c)
! 76: {
! 77: return c == '\r' || c == '\n';
! 78: }
! 79:
! 80: static CURLcode add_certs_to_store(HCERTSTORE trust_store,
! 81: const char *ca_file,
! 82: struct connectdata *conn)
! 83: {
! 84: CURLcode result;
! 85: struct Curl_easy *data = conn->data;
! 86: HANDLE ca_file_handle = INVALID_HANDLE_VALUE;
! 87: LARGE_INTEGER file_size;
! 88: char *ca_file_buffer = NULL;
! 89: char *current_ca_file_ptr = NULL;
! 90: TCHAR *ca_file_tstr = NULL;
! 91: size_t ca_file_bufsize = 0;
! 92: DWORD total_bytes_read = 0;
! 93: bool more_certs = 0;
! 94: int num_certs = 0;
! 95: size_t END_CERT_LEN;
! 96:
! 97: ca_file_tstr = Curl_convert_UTF8_to_tchar((char *)ca_file);
! 98: if(!ca_file_tstr) {
! 99: char buffer[STRERROR_LEN];
! 100: failf(data,
! 101: "schannel: invalid path name for CA file '%s': %s",
! 102: ca_file,
! 103: Curl_winapi_strerror(GetLastError(), buffer, sizeof(buffer)));
! 104: result = CURLE_SSL_CACERT_BADFILE;
! 105: goto cleanup;
! 106: }
! 107:
! 108: /*
! 109: * Read the CA file completely into memory before parsing it. This
! 110: * optimizes for the common case where the CA file will be relatively
! 111: * small ( < 1 MiB ).
! 112: */
! 113: ca_file_handle = CreateFile(ca_file_tstr,
! 114: GENERIC_READ,
! 115: FILE_SHARE_READ,
! 116: NULL,
! 117: OPEN_EXISTING,
! 118: FILE_ATTRIBUTE_NORMAL,
! 119: NULL);
! 120: if(ca_file_handle == INVALID_HANDLE_VALUE) {
! 121: char buffer[STRERROR_LEN];
! 122: failf(data,
! 123: "schannel: failed to open CA file '%s': %s",
! 124: ca_file,
! 125: Curl_winapi_strerror(GetLastError(), buffer, sizeof(buffer)));
! 126: result = CURLE_SSL_CACERT_BADFILE;
! 127: goto cleanup;
! 128: }
! 129:
! 130: if(!GetFileSizeEx(ca_file_handle, &file_size)) {
! 131: char buffer[STRERROR_LEN];
! 132: failf(data,
! 133: "schannel: failed to determine size of CA file '%s': %s",
! 134: ca_file,
! 135: Curl_winapi_strerror(GetLastError(), buffer, sizeof(buffer)));
! 136: result = CURLE_SSL_CACERT_BADFILE;
! 137: goto cleanup;
! 138: }
! 139:
! 140: if(file_size.QuadPart > MAX_CAFILE_SIZE) {
! 141: failf(data,
! 142: "schannel: CA file exceeds max size of %u bytes",
! 143: MAX_CAFILE_SIZE);
! 144: result = CURLE_SSL_CACERT_BADFILE;
! 145: goto cleanup;
! 146: }
! 147:
! 148: ca_file_bufsize = (size_t)file_size.QuadPart;
! 149: ca_file_buffer = (char *)malloc(ca_file_bufsize + 1);
! 150: if(!ca_file_buffer) {
! 151: result = CURLE_OUT_OF_MEMORY;
! 152: goto cleanup;
! 153: }
! 154:
! 155: result = CURLE_OK;
! 156: while(total_bytes_read < ca_file_bufsize) {
! 157: DWORD bytes_to_read = (DWORD)(ca_file_bufsize - total_bytes_read);
! 158: DWORD bytes_read = 0;
! 159:
! 160: if(!ReadFile(ca_file_handle, ca_file_buffer + total_bytes_read,
! 161: bytes_to_read, &bytes_read, NULL)) {
! 162: char buffer[STRERROR_LEN];
! 163: failf(data,
! 164: "schannel: failed to read from CA file '%s': %s",
! 165: ca_file,
! 166: Curl_winapi_strerror(GetLastError(), buffer, sizeof(buffer)));
! 167: result = CURLE_SSL_CACERT_BADFILE;
! 168: goto cleanup;
! 169: }
! 170: if(bytes_read == 0) {
! 171: /* Premature EOF -- adjust the bufsize to the new value */
! 172: ca_file_bufsize = total_bytes_read;
! 173: }
! 174: else {
! 175: total_bytes_read += bytes_read;
! 176: }
! 177: }
! 178:
! 179: /* Null terminate the buffer */
! 180: ca_file_buffer[ca_file_bufsize] = '\0';
! 181:
! 182: if(result != CURLE_OK) {
! 183: goto cleanup;
! 184: }
! 185:
! 186: END_CERT_LEN = strlen(END_CERT);
! 187:
! 188: more_certs = 1;
! 189: current_ca_file_ptr = ca_file_buffer;
! 190: while(more_certs && *current_ca_file_ptr != '\0') {
! 191: char *begin_cert_ptr = strstr(current_ca_file_ptr, BEGIN_CERT);
! 192: if(!begin_cert_ptr || !is_cr_or_lf(begin_cert_ptr[strlen(BEGIN_CERT)])) {
! 193: more_certs = 0;
! 194: }
! 195: else {
! 196: char *end_cert_ptr = strstr(begin_cert_ptr, END_CERT);
! 197: if(!end_cert_ptr) {
! 198: failf(data,
! 199: "schannel: CA file '%s' is not correctly formatted",
! 200: ca_file);
! 201: result = CURLE_SSL_CACERT_BADFILE;
! 202: more_certs = 0;
! 203: }
! 204: else {
! 205: CERT_BLOB cert_blob;
! 206: CERT_CONTEXT *cert_context = NULL;
! 207: BOOL add_cert_result = FALSE;
! 208: DWORD actual_content_type = 0;
! 209: DWORD cert_size = (DWORD)
! 210: ((end_cert_ptr + END_CERT_LEN) - begin_cert_ptr);
! 211:
! 212: cert_blob.pbData = (BYTE *)begin_cert_ptr;
! 213: cert_blob.cbData = cert_size;
! 214: if(!CryptQueryObject(CERT_QUERY_OBJECT_BLOB,
! 215: &cert_blob,
! 216: CERT_QUERY_CONTENT_FLAG_CERT,
! 217: CERT_QUERY_FORMAT_FLAG_ALL,
! 218: 0,
! 219: NULL,
! 220: &actual_content_type,
! 221: NULL,
! 222: NULL,
! 223: NULL,
! 224: (const void **)&cert_context)) {
! 225: char buffer[STRERROR_LEN];
! 226: failf(data,
! 227: "schannel: failed to extract certificate from CA file "
! 228: "'%s': %s",
! 229: ca_file,
! 230: Curl_winapi_strerror(GetLastError(), buffer, sizeof(buffer)));
! 231: result = CURLE_SSL_CACERT_BADFILE;
! 232: more_certs = 0;
! 233: }
! 234: else {
! 235: current_ca_file_ptr = begin_cert_ptr + cert_size;
! 236:
! 237: /* Sanity check that the cert_context object is the right type */
! 238: if(CERT_QUERY_CONTENT_CERT != actual_content_type) {
! 239: failf(data,
! 240: "schannel: unexpected content type '%d' when extracting "
! 241: "certificate from CA file '%s'",
! 242: actual_content_type, ca_file);
! 243: result = CURLE_SSL_CACERT_BADFILE;
! 244: more_certs = 0;
! 245: }
! 246: else {
! 247: add_cert_result =
! 248: CertAddCertificateContextToStore(trust_store,
! 249: cert_context,
! 250: CERT_STORE_ADD_ALWAYS,
! 251: NULL);
! 252: CertFreeCertificateContext(cert_context);
! 253: if(!add_cert_result) {
! 254: char buffer[STRERROR_LEN];
! 255: failf(data,
! 256: "schannel: failed to add certificate from CA file '%s' "
! 257: "to certificate store: %s",
! 258: ca_file,
! 259: Curl_winapi_strerror(GetLastError(), buffer,
! 260: sizeof(buffer)));
! 261: result = CURLE_SSL_CACERT_BADFILE;
! 262: more_certs = 0;
! 263: }
! 264: else {
! 265: num_certs++;
! 266: }
! 267: }
! 268: }
! 269: }
! 270: }
! 271: }
! 272:
! 273: if(result == CURLE_OK) {
! 274: if(!num_certs) {
! 275: infof(data,
! 276: "schannel: did not add any certificates from CA file '%s'\n",
! 277: ca_file);
! 278: }
! 279: else {
! 280: infof(data,
! 281: "schannel: added %d certificate(s) from CA file '%s'\n",
! 282: num_certs, ca_file);
! 283: }
! 284: }
! 285:
! 286: cleanup:
! 287: if(ca_file_handle != INVALID_HANDLE_VALUE) {
! 288: CloseHandle(ca_file_handle);
! 289: }
! 290: Curl_safefree(ca_file_buffer);
! 291: Curl_unicodefree(ca_file_tstr);
! 292:
! 293: return result;
! 294: }
! 295:
! 296: /*
! 297: * Returns the number of characters necessary to populate all the host_names.
! 298: * If host_names is not NULL, populate it with all the host names. Each string
! 299: * in the host_names is null-terminated and the last string is double
! 300: * null-terminated. If no DNS names are found, a single null-terminated empty
! 301: * string is returned.
! 302: */
! 303: static DWORD cert_get_name_string(struct Curl_easy *data,
! 304: CERT_CONTEXT *cert_context,
! 305: LPTSTR host_names,
! 306: DWORD length)
! 307: {
! 308: DWORD actual_length = 0;
! 309: BOOL compute_content = FALSE;
! 310: CERT_INFO *cert_info = NULL;
! 311: CERT_EXTENSION *extension = NULL;
! 312: CRYPT_DECODE_PARA decode_para = {0, 0, 0};
! 313: CERT_ALT_NAME_INFO *alt_name_info = NULL;
! 314: DWORD alt_name_info_size = 0;
! 315: BOOL ret_val = FALSE;
! 316: LPTSTR current_pos = NULL;
! 317: DWORD i;
! 318:
! 319: /* CERT_NAME_SEARCH_ALL_NAMES_FLAG is available from Windows 8 onwards. */
! 320: if(Curl_verify_windows_version(6, 2, PLATFORM_WINNT,
! 321: VERSION_GREATER_THAN_EQUAL)) {
! 322: #ifdef CERT_NAME_SEARCH_ALL_NAMES_FLAG
! 323: /* CertGetNameString will provide the 8-bit character string without
! 324: * any decoding */
! 325: DWORD name_flags =
! 326: CERT_NAME_DISABLE_IE4_UTF8_FLAG | CERT_NAME_SEARCH_ALL_NAMES_FLAG;
! 327: actual_length = CertGetNameString(cert_context,
! 328: CERT_NAME_DNS_TYPE,
! 329: name_flags,
! 330: NULL,
! 331: host_names,
! 332: length);
! 333: return actual_length;
! 334: #endif
! 335: }
! 336:
! 337: compute_content = host_names != NULL && length != 0;
! 338:
! 339: /* Initialize default return values. */
! 340: actual_length = 1;
! 341: if(compute_content) {
! 342: *host_names = '\0';
! 343: }
! 344:
! 345: if(!cert_context) {
! 346: failf(data, "schannel: Null certificate context.");
! 347: return actual_length;
! 348: }
! 349:
! 350: cert_info = cert_context->pCertInfo;
! 351: if(!cert_info) {
! 352: failf(data, "schannel: Null certificate info.");
! 353: return actual_length;
! 354: }
! 355:
! 356: extension = CertFindExtension(szOID_SUBJECT_ALT_NAME2,
! 357: cert_info->cExtension,
! 358: cert_info->rgExtension);
! 359: if(!extension) {
! 360: failf(data, "schannel: CertFindExtension() returned no extension.");
! 361: return actual_length;
! 362: }
! 363:
! 364: decode_para.cbSize = sizeof(CRYPT_DECODE_PARA);
! 365:
! 366: ret_val =
! 367: CryptDecodeObjectEx(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
! 368: szOID_SUBJECT_ALT_NAME2,
! 369: extension->Value.pbData,
! 370: extension->Value.cbData,
! 371: CRYPT_DECODE_ALLOC_FLAG | CRYPT_DECODE_NOCOPY_FLAG,
! 372: &decode_para,
! 373: &alt_name_info,
! 374: &alt_name_info_size);
! 375: if(!ret_val) {
! 376: failf(data,
! 377: "schannel: CryptDecodeObjectEx() returned no alternate name "
! 378: "information.");
! 379: return actual_length;
! 380: }
! 381:
! 382: current_pos = host_names;
! 383:
! 384: /* Iterate over the alternate names and populate host_names. */
! 385: for(i = 0; i < alt_name_info->cAltEntry; i++) {
! 386: const CERT_ALT_NAME_ENTRY *entry = &alt_name_info->rgAltEntry[i];
! 387: wchar_t *dns_w = NULL;
! 388: size_t current_length = 0;
! 389:
! 390: if(entry->dwAltNameChoice != CERT_ALT_NAME_DNS_NAME) {
! 391: continue;
! 392: }
! 393: if(entry->pwszDNSName == NULL) {
! 394: infof(data, "schannel: Empty DNS name.");
! 395: continue;
! 396: }
! 397: current_length = wcslen(entry->pwszDNSName) + 1;
! 398: if(!compute_content) {
! 399: actual_length += (DWORD)current_length;
! 400: continue;
! 401: }
! 402: /* Sanity check to prevent buffer overrun. */
! 403: if((actual_length + current_length) > length) {
! 404: failf(data, "schannel: Not enough memory to list all host names.");
! 405: break;
! 406: }
! 407: dns_w = entry->pwszDNSName;
! 408: /* pwszDNSName is in ia5 string format and hence doesn't contain any
! 409: * non-ascii characters. */
! 410: while(*dns_w != '\0') {
! 411: *current_pos++ = (char)(*dns_w++);
! 412: }
! 413: *current_pos++ = '\0';
! 414: actual_length += (DWORD)current_length;
! 415: }
! 416: if(compute_content) {
! 417: /* Last string has double null-terminator. */
! 418: *current_pos = '\0';
! 419: }
! 420: return actual_length;
! 421: }
! 422:
! 423: static CURLcode verify_host(struct Curl_easy *data,
! 424: CERT_CONTEXT *pCertContextServer,
! 425: const char * const conn_hostname)
! 426: {
! 427: CURLcode result = CURLE_PEER_FAILED_VERIFICATION;
! 428: TCHAR *cert_hostname_buff = NULL;
! 429: size_t cert_hostname_buff_index = 0;
! 430: DWORD len = 0;
! 431: DWORD actual_len = 0;
! 432:
! 433: /* Determine the size of the string needed for the cert hostname */
! 434: len = cert_get_name_string(data, pCertContextServer, NULL, 0);
! 435: if(len == 0) {
! 436: failf(data,
! 437: "schannel: CertGetNameString() returned no "
! 438: "certificate name information");
! 439: result = CURLE_PEER_FAILED_VERIFICATION;
! 440: goto cleanup;
! 441: }
! 442:
! 443: /* CertGetNameString guarantees that the returned name will not contain
! 444: * embedded null bytes. This appears to be undocumented behavior.
! 445: */
! 446: cert_hostname_buff = (LPTSTR)malloc(len * sizeof(TCHAR));
! 447: if(!cert_hostname_buff) {
! 448: result = CURLE_OUT_OF_MEMORY;
! 449: goto cleanup;
! 450: }
! 451: actual_len = cert_get_name_string(
! 452: data, pCertContextServer, (LPTSTR)cert_hostname_buff, len);
! 453:
! 454: /* Sanity check */
! 455: if(actual_len != len) {
! 456: failf(data,
! 457: "schannel: CertGetNameString() returned certificate "
! 458: "name information of unexpected size");
! 459: result = CURLE_PEER_FAILED_VERIFICATION;
! 460: goto cleanup;
! 461: }
! 462:
! 463: /* If HAVE_CERT_NAME_SEARCH_ALL_NAMES is available, the output
! 464: * will contain all DNS names, where each name is null-terminated
! 465: * and the last DNS name is double null-terminated. Due to this
! 466: * encoding, use the length of the buffer to iterate over all names.
! 467: */
! 468: result = CURLE_PEER_FAILED_VERIFICATION;
! 469: while(cert_hostname_buff_index < len &&
! 470: cert_hostname_buff[cert_hostname_buff_index] != TEXT('\0') &&
! 471: result == CURLE_PEER_FAILED_VERIFICATION) {
! 472:
! 473: char *cert_hostname;
! 474:
! 475: /* Comparing the cert name and the connection hostname encoded as UTF-8
! 476: * is acceptable since both values are assumed to use ASCII
! 477: * (or some equivalent) encoding
! 478: */
! 479: cert_hostname = Curl_convert_tchar_to_UTF8(
! 480: &cert_hostname_buff[cert_hostname_buff_index]);
! 481: if(!cert_hostname) {
! 482: result = CURLE_OUT_OF_MEMORY;
! 483: }
! 484: else {
! 485: int match_result;
! 486:
! 487: match_result = Curl_cert_hostcheck(cert_hostname, conn_hostname);
! 488: if(match_result == CURL_HOST_MATCH) {
! 489: infof(data,
! 490: "schannel: connection hostname (%s) validated "
! 491: "against certificate name (%s)\n",
! 492: conn_hostname, cert_hostname);
! 493: result = CURLE_OK;
! 494: }
! 495: else {
! 496: size_t cert_hostname_len;
! 497:
! 498: infof(data,
! 499: "schannel: connection hostname (%s) did not match "
! 500: "against certificate name (%s)\n",
! 501: conn_hostname, cert_hostname);
! 502:
! 503: cert_hostname_len = _tcslen(
! 504: &cert_hostname_buff[cert_hostname_buff_index]);
! 505:
! 506: /* Move on to next cert name */
! 507: cert_hostname_buff_index += cert_hostname_len + 1;
! 508:
! 509: result = CURLE_PEER_FAILED_VERIFICATION;
! 510: }
! 511: Curl_unicodefree(cert_hostname);
! 512: }
! 513: }
! 514:
! 515: if(result == CURLE_PEER_FAILED_VERIFICATION) {
! 516: failf(data,
! 517: "schannel: CertGetNameString() failed to match "
! 518: "connection hostname (%s) against server certificate names",
! 519: conn_hostname);
! 520: }
! 521: else if(result != CURLE_OK)
! 522: failf(data, "schannel: server certificate name verification failed");
! 523:
! 524: cleanup:
! 525: Curl_unicodefree(cert_hostname_buff);
! 526:
! 527: return result;
! 528: }
! 529:
! 530: CURLcode Curl_verify_certificate(struct connectdata *conn, int sockindex)
! 531: {
! 532: SECURITY_STATUS sspi_status;
! 533: struct Curl_easy *data = conn->data;
! 534: struct ssl_connect_data *connssl = &conn->ssl[sockindex];
! 535: CURLcode result = CURLE_OK;
! 536: CERT_CONTEXT *pCertContextServer = NULL;
! 537: const CERT_CHAIN_CONTEXT *pChainContext = NULL;
! 538: HCERTCHAINENGINE cert_chain_engine = NULL;
! 539: HCERTSTORE trust_store = NULL;
! 540: const char * const conn_hostname = SSL_IS_PROXY() ?
! 541: conn->http_proxy.host.name :
! 542: conn->host.name;
! 543:
! 544: sspi_status =
! 545: s_pSecFn->QueryContextAttributes(&BACKEND->ctxt->ctxt_handle,
! 546: SECPKG_ATTR_REMOTE_CERT_CONTEXT,
! 547: &pCertContextServer);
! 548:
! 549: if((sspi_status != SEC_E_OK) || (pCertContextServer == NULL)) {
! 550: char buffer[STRERROR_LEN];
! 551: failf(data, "schannel: Failed to read remote certificate context: %s",
! 552: Curl_sspi_strerror(sspi_status, buffer, sizeof(buffer)));
! 553: result = CURLE_PEER_FAILED_VERIFICATION;
! 554: }
! 555:
! 556: if(result == CURLE_OK && SSL_CONN_CONFIG(CAfile) &&
! 557: BACKEND->use_manual_cred_validation) {
! 558: /*
! 559: * Create a chain engine that uses the certificates in the CA file as
! 560: * trusted certificates. This is only supported on Windows 7+.
! 561: */
! 562:
! 563: if(Curl_verify_windows_version(6, 1, PLATFORM_WINNT, VERSION_LESS_THAN)) {
! 564: failf(data, "schannel: this version of Windows is too old to support "
! 565: "certificate verification via CA bundle file.");
! 566: result = CURLE_SSL_CACERT_BADFILE;
! 567: }
! 568: else {
! 569: /* Open the certificate store */
! 570: trust_store = CertOpenStore(CERT_STORE_PROV_MEMORY,
! 571: 0,
! 572: (HCRYPTPROV)NULL,
! 573: CERT_STORE_CREATE_NEW_FLAG,
! 574: NULL);
! 575: if(!trust_store) {
! 576: char buffer[STRERROR_LEN];
! 577: failf(data, "schannel: failed to create certificate store: %s",
! 578: Curl_winapi_strerror(GetLastError(), buffer, sizeof(buffer)));
! 579: result = CURLE_SSL_CACERT_BADFILE;
! 580: }
! 581: else {
! 582: result = add_certs_to_store(trust_store, SSL_CONN_CONFIG(CAfile),
! 583: conn);
! 584: }
! 585: }
! 586:
! 587: if(result == CURLE_OK) {
! 588: CERT_CHAIN_ENGINE_CONFIG_WIN7 engine_config;
! 589: BOOL create_engine_result;
! 590:
! 591: memset(&engine_config, 0, sizeof(engine_config));
! 592: engine_config.cbSize = sizeof(engine_config);
! 593: engine_config.hExclusiveRoot = trust_store;
! 594:
! 595: /* CertCreateCertificateChainEngine will check the expected size of the
! 596: * CERT_CHAIN_ENGINE_CONFIG structure and fail if the specified size
! 597: * does not match the expected size. When this occurs, it indicates that
! 598: * CAINFO is not supported on the version of Windows in use.
! 599: */
! 600: create_engine_result =
! 601: CertCreateCertificateChainEngine(
! 602: (CERT_CHAIN_ENGINE_CONFIG *)&engine_config, &cert_chain_engine);
! 603: if(!create_engine_result) {
! 604: char buffer[STRERROR_LEN];
! 605: failf(data,
! 606: "schannel: failed to create certificate chain engine: %s",
! 607: Curl_winapi_strerror(GetLastError(), buffer, sizeof(buffer)));
! 608: result = CURLE_SSL_CACERT_BADFILE;
! 609: }
! 610: }
! 611: }
! 612:
! 613: if(result == CURLE_OK) {
! 614: CERT_CHAIN_PARA ChainPara;
! 615:
! 616: memset(&ChainPara, 0, sizeof(ChainPara));
! 617: ChainPara.cbSize = sizeof(ChainPara);
! 618:
! 619: if(!CertGetCertificateChain(cert_chain_engine,
! 620: pCertContextServer,
! 621: NULL,
! 622: pCertContextServer->hCertStore,
! 623: &ChainPara,
! 624: (data->set.ssl.no_revoke ? 0 :
! 625: CERT_CHAIN_REVOCATION_CHECK_CHAIN),
! 626: NULL,
! 627: &pChainContext)) {
! 628: char buffer[STRERROR_LEN];
! 629: failf(data, "schannel: CertGetCertificateChain failed: %s",
! 630: Curl_winapi_strerror(GetLastError(), buffer, sizeof(buffer)));
! 631: pChainContext = NULL;
! 632: result = CURLE_PEER_FAILED_VERIFICATION;
! 633: }
! 634:
! 635: if(result == CURLE_OK) {
! 636: CERT_SIMPLE_CHAIN *pSimpleChain = pChainContext->rgpChain[0];
! 637: DWORD dwTrustErrorMask = ~(DWORD)(CERT_TRUST_IS_NOT_TIME_NESTED);
! 638: dwTrustErrorMask &= pSimpleChain->TrustStatus.dwErrorStatus;
! 639:
! 640: if(data->set.ssl.revoke_best_effort) {
! 641: /* Ignore errors when root certificates are missing the revocation
! 642: * list URL, or when the list could not be downloaded because the
! 643: * server is currently unreachable. */
! 644: dwTrustErrorMask &= ~(DWORD)(CERT_TRUST_REVOCATION_STATUS_UNKNOWN |
! 645: CERT_TRUST_IS_OFFLINE_REVOCATION);
! 646: }
! 647:
! 648: if(dwTrustErrorMask) {
! 649: if(dwTrustErrorMask & CERT_TRUST_IS_REVOKED)
! 650: failf(data, "schannel: CertGetCertificateChain trust error"
! 651: " CERT_TRUST_IS_REVOKED");
! 652: else if(dwTrustErrorMask & CERT_TRUST_IS_PARTIAL_CHAIN)
! 653: failf(data, "schannel: CertGetCertificateChain trust error"
! 654: " CERT_TRUST_IS_PARTIAL_CHAIN");
! 655: else if(dwTrustErrorMask & CERT_TRUST_IS_UNTRUSTED_ROOT)
! 656: failf(data, "schannel: CertGetCertificateChain trust error"
! 657: " CERT_TRUST_IS_UNTRUSTED_ROOT");
! 658: else if(dwTrustErrorMask & CERT_TRUST_IS_NOT_TIME_VALID)
! 659: failf(data, "schannel: CertGetCertificateChain trust error"
! 660: " CERT_TRUST_IS_NOT_TIME_VALID");
! 661: else if(dwTrustErrorMask & CERT_TRUST_REVOCATION_STATUS_UNKNOWN)
! 662: failf(data, "schannel: CertGetCertificateChain trust error"
! 663: " CERT_TRUST_REVOCATION_STATUS_UNKNOWN");
! 664: else
! 665: failf(data, "schannel: CertGetCertificateChain error mask: 0x%08x",
! 666: dwTrustErrorMask);
! 667: result = CURLE_PEER_FAILED_VERIFICATION;
! 668: }
! 669: }
! 670: }
! 671:
! 672: if(result == CURLE_OK) {
! 673: if(SSL_CONN_CONFIG(verifyhost)) {
! 674: result = verify_host(conn->data, pCertContextServer, conn_hostname);
! 675: }
! 676: }
! 677:
! 678: if(cert_chain_engine) {
! 679: CertFreeCertificateChainEngine(cert_chain_engine);
! 680: }
! 681:
! 682: if(trust_store) {
! 683: CertCloseStore(trust_store, 0);
! 684: }
! 685:
! 686: if(pChainContext)
! 687: CertFreeCertificateChain(pChainContext);
! 688:
! 689: if(pCertContextServer)
! 690: CertFreeCertificateContext(pCertContextServer);
! 691:
! 692: return result;
! 693: }
! 694:
! 695: #endif /* HAS_MANUAL_VERIFY_API */
! 696: #endif /* USE_SCHANNEL */
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to schannel_verify.c CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / curl / lib / vtls