Annotation of embedaddon/curl/lib/vtls/schannel_verify.c, revision 1.1.1.1
1.1 misho 1: /***************************************************************************
2: * _ _ ____ _
3: * Project ___| | | | _ \| |
4: * / __| | | | |_) | |
5: * | (__| |_| | _ <| |___
6: * \___|\___/|_| \_\_____|
7: *
8: * Copyright (C) 2012 - 2016, Marc Hoersken, <info@marc-hoersken.de>
9: * Copyright (C) 2012, Mark Salisbury, <mark.salisbury@hp.com>
10: * Copyright (C) 2012 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
11: *
12: * This software is licensed as described in the file COPYING, which
13: * you should have received as part of this distribution. The terms
14: * are also available at https://curl.haxx.se/docs/copyright.html.
15: *
16: * You may opt to use, copy, modify, merge, publish, distribute and/or sell
17: * copies of the Software, and permit persons to whom the Software is
18: * furnished to do so, under the terms of the COPYING file.
19: *
20: * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
21: * KIND, either express or implied.
22: *
23: ***************************************************************************/
24:
25: /*
26: * Source file for Schannel-specific certificate verification. This code should
27: * only be invoked by code in schannel.c.
28: */
29:
30: #include "curl_setup.h"
31:
32: #ifdef USE_SCHANNEL
33: #ifndef USE_WINDOWS_SSPI
34: # error "Can't compile SCHANNEL support without SSPI."
35: #endif
36:
37: #define EXPOSE_SCHANNEL_INTERNAL_STRUCTS
38: #include "schannel.h"
39:
40: #ifdef HAS_MANUAL_VERIFY_API
41:
42: #include "vtls.h"
43: #include "sendf.h"
44: #include "strerror.h"
45: #include "curl_multibyte.h"
46: #include "curl_printf.h"
47: #include "hostcheck.h"
48: #include "system_win32.h"
49:
50: /* The last #include file should be: */
51: #include "curl_memory.h"
52: #include "memdebug.h"
53:
54: #define BACKEND connssl->backend
55:
56: #define MAX_CAFILE_SIZE 1048576 /* 1 MiB */
57: #define BEGIN_CERT "-----BEGIN CERTIFICATE-----"
58: #define END_CERT "\n-----END CERTIFICATE-----"
59:
60: typedef struct {
61: DWORD cbSize;
62: HCERTSTORE hRestrictedRoot;
63: HCERTSTORE hRestrictedTrust;
64: HCERTSTORE hRestrictedOther;
65: DWORD cAdditionalStore;
66: HCERTSTORE *rghAdditionalStore;
67: DWORD dwFlags;
68: DWORD dwUrlRetrievalTimeout;
69: DWORD MaximumCachedCertificates;
70: DWORD CycleDetectionModulus;
71: HCERTSTORE hExclusiveRoot;
72: HCERTSTORE hExclusiveTrustedPeople;
73: } CERT_CHAIN_ENGINE_CONFIG_WIN7, *PCERT_CHAIN_ENGINE_CONFIG_WIN7;
74:
75: static int is_cr_or_lf(char c)
76: {
77: return c == '\r' || c == '\n';
78: }
79:
80: static CURLcode add_certs_to_store(HCERTSTORE trust_store,
81: const char *ca_file,
82: struct connectdata *conn)
83: {
84: CURLcode result;
85: struct Curl_easy *data = conn->data;
86: HANDLE ca_file_handle = INVALID_HANDLE_VALUE;
87: LARGE_INTEGER file_size;
88: char *ca_file_buffer = NULL;
89: char *current_ca_file_ptr = NULL;
90: TCHAR *ca_file_tstr = NULL;
91: size_t ca_file_bufsize = 0;
92: DWORD total_bytes_read = 0;
93: bool more_certs = 0;
94: int num_certs = 0;
95: size_t END_CERT_LEN;
96:
97: ca_file_tstr = Curl_convert_UTF8_to_tchar((char *)ca_file);
98: if(!ca_file_tstr) {
99: char buffer[STRERROR_LEN];
100: failf(data,
101: "schannel: invalid path name for CA file '%s': %s",
102: ca_file,
103: Curl_winapi_strerror(GetLastError(), buffer, sizeof(buffer)));
104: result = CURLE_SSL_CACERT_BADFILE;
105: goto cleanup;
106: }
107:
108: /*
109: * Read the CA file completely into memory before parsing it. This
110: * optimizes for the common case where the CA file will be relatively
111: * small ( < 1 MiB ).
112: */
113: ca_file_handle = CreateFile(ca_file_tstr,
114: GENERIC_READ,
115: FILE_SHARE_READ,
116: NULL,
117: OPEN_EXISTING,
118: FILE_ATTRIBUTE_NORMAL,
119: NULL);
120: if(ca_file_handle == INVALID_HANDLE_VALUE) {
121: char buffer[STRERROR_LEN];
122: failf(data,
123: "schannel: failed to open CA file '%s': %s",
124: ca_file,
125: Curl_winapi_strerror(GetLastError(), buffer, sizeof(buffer)));
126: result = CURLE_SSL_CACERT_BADFILE;
127: goto cleanup;
128: }
129:
130: if(!GetFileSizeEx(ca_file_handle, &file_size)) {
131: char buffer[STRERROR_LEN];
132: failf(data,
133: "schannel: failed to determine size of CA file '%s': %s",
134: ca_file,
135: Curl_winapi_strerror(GetLastError(), buffer, sizeof(buffer)));
136: result = CURLE_SSL_CACERT_BADFILE;
137: goto cleanup;
138: }
139:
140: if(file_size.QuadPart > MAX_CAFILE_SIZE) {
141: failf(data,
142: "schannel: CA file exceeds max size of %u bytes",
143: MAX_CAFILE_SIZE);
144: result = CURLE_SSL_CACERT_BADFILE;
145: goto cleanup;
146: }
147:
148: ca_file_bufsize = (size_t)file_size.QuadPart;
149: ca_file_buffer = (char *)malloc(ca_file_bufsize + 1);
150: if(!ca_file_buffer) {
151: result = CURLE_OUT_OF_MEMORY;
152: goto cleanup;
153: }
154:
155: result = CURLE_OK;
156: while(total_bytes_read < ca_file_bufsize) {
157: DWORD bytes_to_read = (DWORD)(ca_file_bufsize - total_bytes_read);
158: DWORD bytes_read = 0;
159:
160: if(!ReadFile(ca_file_handle, ca_file_buffer + total_bytes_read,
161: bytes_to_read, &bytes_read, NULL)) {
162: char buffer[STRERROR_LEN];
163: failf(data,
164: "schannel: failed to read from CA file '%s': %s",
165: ca_file,
166: Curl_winapi_strerror(GetLastError(), buffer, sizeof(buffer)));
167: result = CURLE_SSL_CACERT_BADFILE;
168: goto cleanup;
169: }
170: if(bytes_read == 0) {
171: /* Premature EOF -- adjust the bufsize to the new value */
172: ca_file_bufsize = total_bytes_read;
173: }
174: else {
175: total_bytes_read += bytes_read;
176: }
177: }
178:
179: /* Null terminate the buffer */
180: ca_file_buffer[ca_file_bufsize] = '\0';
181:
182: if(result != CURLE_OK) {
183: goto cleanup;
184: }
185:
186: END_CERT_LEN = strlen(END_CERT);
187:
188: more_certs = 1;
189: current_ca_file_ptr = ca_file_buffer;
190: while(more_certs && *current_ca_file_ptr != '\0') {
191: char *begin_cert_ptr = strstr(current_ca_file_ptr, BEGIN_CERT);
192: if(!begin_cert_ptr || !is_cr_or_lf(begin_cert_ptr[strlen(BEGIN_CERT)])) {
193: more_certs = 0;
194: }
195: else {
196: char *end_cert_ptr = strstr(begin_cert_ptr, END_CERT);
197: if(!end_cert_ptr) {
198: failf(data,
199: "schannel: CA file '%s' is not correctly formatted",
200: ca_file);
201: result = CURLE_SSL_CACERT_BADFILE;
202: more_certs = 0;
203: }
204: else {
205: CERT_BLOB cert_blob;
206: CERT_CONTEXT *cert_context = NULL;
207: BOOL add_cert_result = FALSE;
208: DWORD actual_content_type = 0;
209: DWORD cert_size = (DWORD)
210: ((end_cert_ptr + END_CERT_LEN) - begin_cert_ptr);
211:
212: cert_blob.pbData = (BYTE *)begin_cert_ptr;
213: cert_blob.cbData = cert_size;
214: if(!CryptQueryObject(CERT_QUERY_OBJECT_BLOB,
215: &cert_blob,
216: CERT_QUERY_CONTENT_FLAG_CERT,
217: CERT_QUERY_FORMAT_FLAG_ALL,
218: 0,
219: NULL,
220: &actual_content_type,
221: NULL,
222: NULL,
223: NULL,
224: (const void **)&cert_context)) {
225: char buffer[STRERROR_LEN];
226: failf(data,
227: "schannel: failed to extract certificate from CA file "
228: "'%s': %s",
229: ca_file,
230: Curl_winapi_strerror(GetLastError(), buffer, sizeof(buffer)));
231: result = CURLE_SSL_CACERT_BADFILE;
232: more_certs = 0;
233: }
234: else {
235: current_ca_file_ptr = begin_cert_ptr + cert_size;
236:
237: /* Sanity check that the cert_context object is the right type */
238: if(CERT_QUERY_CONTENT_CERT != actual_content_type) {
239: failf(data,
240: "schannel: unexpected content type '%d' when extracting "
241: "certificate from CA file '%s'",
242: actual_content_type, ca_file);
243: result = CURLE_SSL_CACERT_BADFILE;
244: more_certs = 0;
245: }
246: else {
247: add_cert_result =
248: CertAddCertificateContextToStore(trust_store,
249: cert_context,
250: CERT_STORE_ADD_ALWAYS,
251: NULL);
252: CertFreeCertificateContext(cert_context);
253: if(!add_cert_result) {
254: char buffer[STRERROR_LEN];
255: failf(data,
256: "schannel: failed to add certificate from CA file '%s' "
257: "to certificate store: %s",
258: ca_file,
259: Curl_winapi_strerror(GetLastError(), buffer,
260: sizeof(buffer)));
261: result = CURLE_SSL_CACERT_BADFILE;
262: more_certs = 0;
263: }
264: else {
265: num_certs++;
266: }
267: }
268: }
269: }
270: }
271: }
272:
273: if(result == CURLE_OK) {
274: if(!num_certs) {
275: infof(data,
276: "schannel: did not add any certificates from CA file '%s'\n",
277: ca_file);
278: }
279: else {
280: infof(data,
281: "schannel: added %d certificate(s) from CA file '%s'\n",
282: num_certs, ca_file);
283: }
284: }
285:
286: cleanup:
287: if(ca_file_handle != INVALID_HANDLE_VALUE) {
288: CloseHandle(ca_file_handle);
289: }
290: Curl_safefree(ca_file_buffer);
291: Curl_unicodefree(ca_file_tstr);
292:
293: return result;
294: }
295:
296: /*
297: * Returns the number of characters necessary to populate all the host_names.
298: * If host_names is not NULL, populate it with all the host names. Each string
299: * in the host_names is null-terminated and the last string is double
300: * null-terminated. If no DNS names are found, a single null-terminated empty
301: * string is returned.
302: */
303: static DWORD cert_get_name_string(struct Curl_easy *data,
304: CERT_CONTEXT *cert_context,
305: LPTSTR host_names,
306: DWORD length)
307: {
308: DWORD actual_length = 0;
309: BOOL compute_content = FALSE;
310: CERT_INFO *cert_info = NULL;
311: CERT_EXTENSION *extension = NULL;
312: CRYPT_DECODE_PARA decode_para = {0, 0, 0};
313: CERT_ALT_NAME_INFO *alt_name_info = NULL;
314: DWORD alt_name_info_size = 0;
315: BOOL ret_val = FALSE;
316: LPTSTR current_pos = NULL;
317: DWORD i;
318:
319: /* CERT_NAME_SEARCH_ALL_NAMES_FLAG is available from Windows 8 onwards. */
320: if(Curl_verify_windows_version(6, 2, PLATFORM_WINNT,
321: VERSION_GREATER_THAN_EQUAL)) {
322: #ifdef CERT_NAME_SEARCH_ALL_NAMES_FLAG
323: /* CertGetNameString will provide the 8-bit character string without
324: * any decoding */
325: DWORD name_flags =
326: CERT_NAME_DISABLE_IE4_UTF8_FLAG | CERT_NAME_SEARCH_ALL_NAMES_FLAG;
327: actual_length = CertGetNameString(cert_context,
328: CERT_NAME_DNS_TYPE,
329: name_flags,
330: NULL,
331: host_names,
332: length);
333: return actual_length;
334: #endif
335: }
336:
337: compute_content = host_names != NULL && length != 0;
338:
339: /* Initialize default return values. */
340: actual_length = 1;
341: if(compute_content) {
342: *host_names = '\0';
343: }
344:
345: if(!cert_context) {
346: failf(data, "schannel: Null certificate context.");
347: return actual_length;
348: }
349:
350: cert_info = cert_context->pCertInfo;
351: if(!cert_info) {
352: failf(data, "schannel: Null certificate info.");
353: return actual_length;
354: }
355:
356: extension = CertFindExtension(szOID_SUBJECT_ALT_NAME2,
357: cert_info->cExtension,
358: cert_info->rgExtension);
359: if(!extension) {
360: failf(data, "schannel: CertFindExtension() returned no extension.");
361: return actual_length;
362: }
363:
364: decode_para.cbSize = sizeof(CRYPT_DECODE_PARA);
365:
366: ret_val =
367: CryptDecodeObjectEx(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
368: szOID_SUBJECT_ALT_NAME2,
369: extension->Value.pbData,
370: extension->Value.cbData,
371: CRYPT_DECODE_ALLOC_FLAG | CRYPT_DECODE_NOCOPY_FLAG,
372: &decode_para,
373: &alt_name_info,
374: &alt_name_info_size);
375: if(!ret_val) {
376: failf(data,
377: "schannel: CryptDecodeObjectEx() returned no alternate name "
378: "information.");
379: return actual_length;
380: }
381:
382: current_pos = host_names;
383:
384: /* Iterate over the alternate names and populate host_names. */
385: for(i = 0; i < alt_name_info->cAltEntry; i++) {
386: const CERT_ALT_NAME_ENTRY *entry = &alt_name_info->rgAltEntry[i];
387: wchar_t *dns_w = NULL;
388: size_t current_length = 0;
389:
390: if(entry->dwAltNameChoice != CERT_ALT_NAME_DNS_NAME) {
391: continue;
392: }
393: if(entry->pwszDNSName == NULL) {
394: infof(data, "schannel: Empty DNS name.");
395: continue;
396: }
397: current_length = wcslen(entry->pwszDNSName) + 1;
398: if(!compute_content) {
399: actual_length += (DWORD)current_length;
400: continue;
401: }
402: /* Sanity check to prevent buffer overrun. */
403: if((actual_length + current_length) > length) {
404: failf(data, "schannel: Not enough memory to list all host names.");
405: break;
406: }
407: dns_w = entry->pwszDNSName;
408: /* pwszDNSName is in ia5 string format and hence doesn't contain any
409: * non-ascii characters. */
410: while(*dns_w != '\0') {
411: *current_pos++ = (char)(*dns_w++);
412: }
413: *current_pos++ = '\0';
414: actual_length += (DWORD)current_length;
415: }
416: if(compute_content) {
417: /* Last string has double null-terminator. */
418: *current_pos = '\0';
419: }
420: return actual_length;
421: }
422:
423: static CURLcode verify_host(struct Curl_easy *data,
424: CERT_CONTEXT *pCertContextServer,
425: const char * const conn_hostname)
426: {
427: CURLcode result = CURLE_PEER_FAILED_VERIFICATION;
428: TCHAR *cert_hostname_buff = NULL;
429: size_t cert_hostname_buff_index = 0;
430: DWORD len = 0;
431: DWORD actual_len = 0;
432:
433: /* Determine the size of the string needed for the cert hostname */
434: len = cert_get_name_string(data, pCertContextServer, NULL, 0);
435: if(len == 0) {
436: failf(data,
437: "schannel: CertGetNameString() returned no "
438: "certificate name information");
439: result = CURLE_PEER_FAILED_VERIFICATION;
440: goto cleanup;
441: }
442:
443: /* CertGetNameString guarantees that the returned name will not contain
444: * embedded null bytes. This appears to be undocumented behavior.
445: */
446: cert_hostname_buff = (LPTSTR)malloc(len * sizeof(TCHAR));
447: if(!cert_hostname_buff) {
448: result = CURLE_OUT_OF_MEMORY;
449: goto cleanup;
450: }
451: actual_len = cert_get_name_string(
452: data, pCertContextServer, (LPTSTR)cert_hostname_buff, len);
453:
454: /* Sanity check */
455: if(actual_len != len) {
456: failf(data,
457: "schannel: CertGetNameString() returned certificate "
458: "name information of unexpected size");
459: result = CURLE_PEER_FAILED_VERIFICATION;
460: goto cleanup;
461: }
462:
463: /* If HAVE_CERT_NAME_SEARCH_ALL_NAMES is available, the output
464: * will contain all DNS names, where each name is null-terminated
465: * and the last DNS name is double null-terminated. Due to this
466: * encoding, use the length of the buffer to iterate over all names.
467: */
468: result = CURLE_PEER_FAILED_VERIFICATION;
469: while(cert_hostname_buff_index < len &&
470: cert_hostname_buff[cert_hostname_buff_index] != TEXT('\0') &&
471: result == CURLE_PEER_FAILED_VERIFICATION) {
472:
473: char *cert_hostname;
474:
475: /* Comparing the cert name and the connection hostname encoded as UTF-8
476: * is acceptable since both values are assumed to use ASCII
477: * (or some equivalent) encoding
478: */
479: cert_hostname = Curl_convert_tchar_to_UTF8(
480: &cert_hostname_buff[cert_hostname_buff_index]);
481: if(!cert_hostname) {
482: result = CURLE_OUT_OF_MEMORY;
483: }
484: else {
485: int match_result;
486:
487: match_result = Curl_cert_hostcheck(cert_hostname, conn_hostname);
488: if(match_result == CURL_HOST_MATCH) {
489: infof(data,
490: "schannel: connection hostname (%s) validated "
491: "against certificate name (%s)\n",
492: conn_hostname, cert_hostname);
493: result = CURLE_OK;
494: }
495: else {
496: size_t cert_hostname_len;
497:
498: infof(data,
499: "schannel: connection hostname (%s) did not match "
500: "against certificate name (%s)\n",
501: conn_hostname, cert_hostname);
502:
503: cert_hostname_len = _tcslen(
504: &cert_hostname_buff[cert_hostname_buff_index]);
505:
506: /* Move on to next cert name */
507: cert_hostname_buff_index += cert_hostname_len + 1;
508:
509: result = CURLE_PEER_FAILED_VERIFICATION;
510: }
511: Curl_unicodefree(cert_hostname);
512: }
513: }
514:
515: if(result == CURLE_PEER_FAILED_VERIFICATION) {
516: failf(data,
517: "schannel: CertGetNameString() failed to match "
518: "connection hostname (%s) against server certificate names",
519: conn_hostname);
520: }
521: else if(result != CURLE_OK)
522: failf(data, "schannel: server certificate name verification failed");
523:
524: cleanup:
525: Curl_unicodefree(cert_hostname_buff);
526:
527: return result;
528: }
529:
530: CURLcode Curl_verify_certificate(struct connectdata *conn, int sockindex)
531: {
532: SECURITY_STATUS sspi_status;
533: struct Curl_easy *data = conn->data;
534: struct ssl_connect_data *connssl = &conn->ssl[sockindex];
535: CURLcode result = CURLE_OK;
536: CERT_CONTEXT *pCertContextServer = NULL;
537: const CERT_CHAIN_CONTEXT *pChainContext = NULL;
538: HCERTCHAINENGINE cert_chain_engine = NULL;
539: HCERTSTORE trust_store = NULL;
540: const char * const conn_hostname = SSL_IS_PROXY() ?
541: conn->http_proxy.host.name :
542: conn->host.name;
543:
544: sspi_status =
545: s_pSecFn->QueryContextAttributes(&BACKEND->ctxt->ctxt_handle,
546: SECPKG_ATTR_REMOTE_CERT_CONTEXT,
547: &pCertContextServer);
548:
549: if((sspi_status != SEC_E_OK) || (pCertContextServer == NULL)) {
550: char buffer[STRERROR_LEN];
551: failf(data, "schannel: Failed to read remote certificate context: %s",
552: Curl_sspi_strerror(sspi_status, buffer, sizeof(buffer)));
553: result = CURLE_PEER_FAILED_VERIFICATION;
554: }
555:
556: if(result == CURLE_OK && SSL_CONN_CONFIG(CAfile) &&
557: BACKEND->use_manual_cred_validation) {
558: /*
559: * Create a chain engine that uses the certificates in the CA file as
560: * trusted certificates. This is only supported on Windows 7+.
561: */
562:
563: if(Curl_verify_windows_version(6, 1, PLATFORM_WINNT, VERSION_LESS_THAN)) {
564: failf(data, "schannel: this version of Windows is too old to support "
565: "certificate verification via CA bundle file.");
566: result = CURLE_SSL_CACERT_BADFILE;
567: }
568: else {
569: /* Open the certificate store */
570: trust_store = CertOpenStore(CERT_STORE_PROV_MEMORY,
571: 0,
572: (HCRYPTPROV)NULL,
573: CERT_STORE_CREATE_NEW_FLAG,
574: NULL);
575: if(!trust_store) {
576: char buffer[STRERROR_LEN];
577: failf(data, "schannel: failed to create certificate store: %s",
578: Curl_winapi_strerror(GetLastError(), buffer, sizeof(buffer)));
579: result = CURLE_SSL_CACERT_BADFILE;
580: }
581: else {
582: result = add_certs_to_store(trust_store, SSL_CONN_CONFIG(CAfile),
583: conn);
584: }
585: }
586:
587: if(result == CURLE_OK) {
588: CERT_CHAIN_ENGINE_CONFIG_WIN7 engine_config;
589: BOOL create_engine_result;
590:
591: memset(&engine_config, 0, sizeof(engine_config));
592: engine_config.cbSize = sizeof(engine_config);
593: engine_config.hExclusiveRoot = trust_store;
594:
595: /* CertCreateCertificateChainEngine will check the expected size of the
596: * CERT_CHAIN_ENGINE_CONFIG structure and fail if the specified size
597: * does not match the expected size. When this occurs, it indicates that
598: * CAINFO is not supported on the version of Windows in use.
599: */
600: create_engine_result =
601: CertCreateCertificateChainEngine(
602: (CERT_CHAIN_ENGINE_CONFIG *)&engine_config, &cert_chain_engine);
603: if(!create_engine_result) {
604: char buffer[STRERROR_LEN];
605: failf(data,
606: "schannel: failed to create certificate chain engine: %s",
607: Curl_winapi_strerror(GetLastError(), buffer, sizeof(buffer)));
608: result = CURLE_SSL_CACERT_BADFILE;
609: }
610: }
611: }
612:
613: if(result == CURLE_OK) {
614: CERT_CHAIN_PARA ChainPara;
615:
616: memset(&ChainPara, 0, sizeof(ChainPara));
617: ChainPara.cbSize = sizeof(ChainPara);
618:
619: if(!CertGetCertificateChain(cert_chain_engine,
620: pCertContextServer,
621: NULL,
622: pCertContextServer->hCertStore,
623: &ChainPara,
624: (data->set.ssl.no_revoke ? 0 :
625: CERT_CHAIN_REVOCATION_CHECK_CHAIN),
626: NULL,
627: &pChainContext)) {
628: char buffer[STRERROR_LEN];
629: failf(data, "schannel: CertGetCertificateChain failed: %s",
630: Curl_winapi_strerror(GetLastError(), buffer, sizeof(buffer)));
631: pChainContext = NULL;
632: result = CURLE_PEER_FAILED_VERIFICATION;
633: }
634:
635: if(result == CURLE_OK) {
636: CERT_SIMPLE_CHAIN *pSimpleChain = pChainContext->rgpChain[0];
637: DWORD dwTrustErrorMask = ~(DWORD)(CERT_TRUST_IS_NOT_TIME_NESTED);
638: dwTrustErrorMask &= pSimpleChain->TrustStatus.dwErrorStatus;
639:
640: if(data->set.ssl.revoke_best_effort) {
641: /* Ignore errors when root certificates are missing the revocation
642: * list URL, or when the list could not be downloaded because the
643: * server is currently unreachable. */
644: dwTrustErrorMask &= ~(DWORD)(CERT_TRUST_REVOCATION_STATUS_UNKNOWN |
645: CERT_TRUST_IS_OFFLINE_REVOCATION);
646: }
647:
648: if(dwTrustErrorMask) {
649: if(dwTrustErrorMask & CERT_TRUST_IS_REVOKED)
650: failf(data, "schannel: CertGetCertificateChain trust error"
651: " CERT_TRUST_IS_REVOKED");
652: else if(dwTrustErrorMask & CERT_TRUST_IS_PARTIAL_CHAIN)
653: failf(data, "schannel: CertGetCertificateChain trust error"
654: " CERT_TRUST_IS_PARTIAL_CHAIN");
655: else if(dwTrustErrorMask & CERT_TRUST_IS_UNTRUSTED_ROOT)
656: failf(data, "schannel: CertGetCertificateChain trust error"
657: " CERT_TRUST_IS_UNTRUSTED_ROOT");
658: else if(dwTrustErrorMask & CERT_TRUST_IS_NOT_TIME_VALID)
659: failf(data, "schannel: CertGetCertificateChain trust error"
660: " CERT_TRUST_IS_NOT_TIME_VALID");
661: else if(dwTrustErrorMask & CERT_TRUST_REVOCATION_STATUS_UNKNOWN)
662: failf(data, "schannel: CertGetCertificateChain trust error"
663: " CERT_TRUST_REVOCATION_STATUS_UNKNOWN");
664: else
665: failf(data, "schannel: CertGetCertificateChain error mask: 0x%08x",
666: dwTrustErrorMask);
667: result = CURLE_PEER_FAILED_VERIFICATION;
668: }
669: }
670: }
671:
672: if(result == CURLE_OK) {
673: if(SSL_CONN_CONFIG(verifyhost)) {
674: result = verify_host(conn->data, pCertContextServer, conn_hostname);
675: }
676: }
677:
678: if(cert_chain_engine) {
679: CertFreeCertificateChainEngine(cert_chain_engine);
680: }
681:
682: if(trust_store) {
683: CertCloseStore(trust_store, 0);
684: }
685:
686: if(pChainContext)
687: CertFreeCertificateChain(pChainContext);
688:
689: if(pCertContextServer)
690: CertFreeCertificateContext(pCertContextServer);
691:
692: return result;
693: }
694:
695: #endif /* HAS_MANUAL_VERIFY_API */
696: #endif /* USE_SCHANNEL */
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to schannel_verify.c CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / curl / lib / vtls