123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869 |
- /***************************************************************************
- * _ _ ____ _
- * Project ___| | | | _ \| |
- * / __| | | | |_) | |
- * | (__| |_| | _ <| |___
- * \___|\___/|_| \_\_____|
- *
- * Copyright (C) Marc Hoersken, <info@marc-hoersken.de>
- * Copyright (C) Mark Salisbury, <mark.salisbury@hp.com>
- * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
- *
- * This software is licensed as described in the file COPYING, which
- * you should have received as part of this distribution. The terms
- * are also available at https://curl.se/docs/copyright.html.
- *
- * You may opt to use, copy, modify, merge, publish, distribute and/or sell
- * copies of the Software, and permit persons to whom the Software is
- * furnished to do so, under the terms of the COPYING file.
- *
- * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
- * KIND, either express or implied.
- *
- * SPDX-License-Identifier: curl
- *
- ***************************************************************************/
- /*
- * Source file for Schannel-specific certificate verification. This code should
- * only be invoked by code in schannel.c.
- */
- #include "curl_setup.h"
- #ifdef USE_SCHANNEL
- #ifndef USE_WINDOWS_SSPI
- # error "cannot compile SCHANNEL support without SSPI."
- #endif
- #include "schannel.h"
- #include "schannel_int.h"
- #include "inet_pton.h"
- #include "vtls.h"
- #include "vtls_int.h"
- #include "sendf.h"
- #include "strerror.h"
- #include "curl_multibyte.h"
- #include "curl_printf.h"
- #include "hostcheck.h"
- #include "version_win32.h"
- /* The last #include file should be: */
- #include "curl_memory.h"
- #include "memdebug.h"
- #define BACKEND ((struct schannel_ssl_backend_data *)connssl->backend)
- #ifdef HAS_MANUAL_VERIFY_API
- #define MAX_CAFILE_SIZE 1048576 /* 1 MiB */
- #define BEGIN_CERT "-----BEGIN CERTIFICATE-----"
- #define END_CERT "\n-----END CERTIFICATE-----"
- struct cert_chain_engine_config_win7 {
- DWORD cbSize;
- HCERTSTORE hRestrictedRoot;
- HCERTSTORE hRestrictedTrust;
- HCERTSTORE hRestrictedOther;
- DWORD cAdditionalStore;
- HCERTSTORE *rghAdditionalStore;
- DWORD dwFlags;
- DWORD dwUrlRetrievalTimeout;
- DWORD MaximumCachedCertificates;
- DWORD CycleDetectionModulus;
- HCERTSTORE hExclusiveRoot;
- HCERTSTORE hExclusiveTrustedPeople;
- };
- static int is_cr_or_lf(char c)
- {
- return c == '\r' || c == '\n';
- }
- /* Search the substring needle,needlelen into string haystack,haystacklen
- * Strings do not need to be terminated by a '\0'.
- * Similar of macOS/Linux memmem (not available on Visual Studio).
- * Return position of beginning of first occurrence or NULL if not found
- */
- static const char *c_memmem(const void *haystack, size_t haystacklen,
- const void *needle, size_t needlelen)
- {
- const char *p;
- char first;
- const char *str_limit = (const char *)haystack + haystacklen;
- if(!needlelen || needlelen > haystacklen)
- return NULL;
- first = *(const char *)needle;
- for(p = (const char *)haystack; p <= (str_limit - needlelen); p++)
- if(((*p) == first) && (memcmp(p, needle, needlelen) == 0))
- return p;
- return NULL;
- }
- static CURLcode add_certs_data_to_store(HCERTSTORE trust_store,
- const char *ca_buffer,
- size_t ca_buffer_size,
- const char *ca_file_text,
- struct Curl_easy *data)
- {
- const size_t begin_cert_len = strlen(BEGIN_CERT);
- const size_t end_cert_len = strlen(END_CERT);
- CURLcode result = CURLE_OK;
- int num_certs = 0;
- bool more_certs = 1;
- const char *current_ca_file_ptr = ca_buffer;
- const char *ca_buffer_limit = ca_buffer + ca_buffer_size;
- while(more_certs && (current_ca_file_ptr < ca_buffer_limit)) {
- const char *begin_cert_ptr = c_memmem(current_ca_file_ptr,
- ca_buffer_limit-current_ca_file_ptr,
- BEGIN_CERT,
- begin_cert_len);
- if(!begin_cert_ptr || !is_cr_or_lf(begin_cert_ptr[begin_cert_len])) {
- more_certs = 0;
- }
- else {
- const char *end_cert_ptr = c_memmem(begin_cert_ptr,
- ca_buffer_limit-begin_cert_ptr,
- END_CERT,
- end_cert_len);
- if(!end_cert_ptr) {
- failf(data,
- "schannel: CA file '%s' is not correctly formatted",
- ca_file_text);
- result = CURLE_SSL_CACERT_BADFILE;
- more_certs = 0;
- }
- else {
- CERT_BLOB cert_blob;
- CERT_CONTEXT *cert_context = NULL;
- BOOL add_cert_result = FALSE;
- DWORD actual_content_type = 0;
- DWORD cert_size = (DWORD)
- ((end_cert_ptr + end_cert_len) - begin_cert_ptr);
- cert_blob.pbData = (BYTE *)begin_cert_ptr;
- cert_blob.cbData = cert_size;
- if(!CryptQueryObject(CERT_QUERY_OBJECT_BLOB,
- &cert_blob,
- CERT_QUERY_CONTENT_FLAG_CERT,
- CERT_QUERY_FORMAT_FLAG_ALL,
- 0,
- NULL,
- &actual_content_type,
- NULL,
- NULL,
- NULL,
- (const void **)&cert_context)) {
- char buffer[STRERROR_LEN];
- failf(data,
- "schannel: failed to extract certificate from CA file "
- "'%s': %s",
- ca_file_text,
- Curl_winapi_strerror(GetLastError(), buffer, sizeof(buffer)));
- result = CURLE_SSL_CACERT_BADFILE;
- more_certs = 0;
- }
- else {
- current_ca_file_ptr = begin_cert_ptr + cert_size;
- /* Sanity check that the cert_context object is the right type */
- if(CERT_QUERY_CONTENT_CERT != actual_content_type) {
- failf(data,
- "schannel: unexpected content type '%lu' when extracting "
- "certificate from CA file '%s'",
- actual_content_type, ca_file_text);
- result = CURLE_SSL_CACERT_BADFILE;
- more_certs = 0;
- }
- else {
- add_cert_result =
- CertAddCertificateContextToStore(trust_store,
- cert_context,
- CERT_STORE_ADD_ALWAYS,
- NULL);
- CertFreeCertificateContext(cert_context);
- if(!add_cert_result) {
- char buffer[STRERROR_LEN];
- failf(data,
- "schannel: failed to add certificate from CA file '%s' "
- "to certificate store: %s",
- ca_file_text,
- Curl_winapi_strerror(GetLastError(), buffer,
- sizeof(buffer)));
- result = CURLE_SSL_CACERT_BADFILE;
- more_certs = 0;
- }
- else {
- num_certs++;
- }
- }
- }
- }
- }
- }
- if(result == CURLE_OK) {
- if(!num_certs) {
- infof(data,
- "schannel: did not add any certificates from CA file '%s'",
- ca_file_text);
- }
- else {
- infof(data,
- "schannel: added %d certificate(s) from CA file '%s'",
- num_certs, ca_file_text);
- }
- }
- return result;
- }
- static CURLcode add_certs_file_to_store(HCERTSTORE trust_store,
- const char *ca_file,
- struct Curl_easy *data)
- {
- CURLcode result;
- HANDLE ca_file_handle = INVALID_HANDLE_VALUE;
- LARGE_INTEGER file_size;
- char *ca_file_buffer = NULL;
- TCHAR *ca_file_tstr = NULL;
- size_t ca_file_bufsize = 0;
- DWORD total_bytes_read = 0;
- ca_file_tstr = curlx_convert_UTF8_to_tchar((char *)ca_file);
- if(!ca_file_tstr) {
- char buffer[STRERROR_LEN];
- failf(data,
- "schannel: invalid path name for CA file '%s': %s",
- ca_file,
- Curl_winapi_strerror(GetLastError(), buffer, sizeof(buffer)));
- result = CURLE_SSL_CACERT_BADFILE;
- goto cleanup;
- }
- /*
- * Read the CA file completely into memory before parsing it. This
- * optimizes for the common case where the CA file will be relatively
- * small ( < 1 MiB ).
- */
- ca_file_handle = CreateFile(ca_file_tstr,
- GENERIC_READ,
- FILE_SHARE_READ,
- NULL,
- OPEN_EXISTING,
- FILE_ATTRIBUTE_NORMAL,
- NULL);
- if(ca_file_handle == INVALID_HANDLE_VALUE) {
- char buffer[STRERROR_LEN];
- failf(data,
- "schannel: failed to open CA file '%s': %s",
- ca_file,
- Curl_winapi_strerror(GetLastError(), buffer, sizeof(buffer)));
- result = CURLE_SSL_CACERT_BADFILE;
- goto cleanup;
- }
- if(!GetFileSizeEx(ca_file_handle, &file_size)) {
- char buffer[STRERROR_LEN];
- failf(data,
- "schannel: failed to determine size of CA file '%s': %s",
- ca_file,
- Curl_winapi_strerror(GetLastError(), buffer, sizeof(buffer)));
- result = CURLE_SSL_CACERT_BADFILE;
- goto cleanup;
- }
- if(file_size.QuadPart > MAX_CAFILE_SIZE) {
- failf(data,
- "schannel: CA file exceeds max size of %u bytes",
- MAX_CAFILE_SIZE);
- result = CURLE_SSL_CACERT_BADFILE;
- goto cleanup;
- }
- ca_file_bufsize = (size_t)file_size.QuadPart;
- ca_file_buffer = (char *)malloc(ca_file_bufsize + 1);
- if(!ca_file_buffer) {
- result = CURLE_OUT_OF_MEMORY;
- goto cleanup;
- }
- while(total_bytes_read < ca_file_bufsize) {
- DWORD bytes_to_read = (DWORD)(ca_file_bufsize - total_bytes_read);
- DWORD bytes_read = 0;
- if(!ReadFile(ca_file_handle, ca_file_buffer + total_bytes_read,
- bytes_to_read, &bytes_read, NULL)) {
- char buffer[STRERROR_LEN];
- failf(data,
- "schannel: failed to read from CA file '%s': %s",
- ca_file,
- Curl_winapi_strerror(GetLastError(), buffer, sizeof(buffer)));
- result = CURLE_SSL_CACERT_BADFILE;
- goto cleanup;
- }
- if(bytes_read == 0) {
- /* Premature EOF -- adjust the bufsize to the new value */
- ca_file_bufsize = total_bytes_read;
- }
- else {
- total_bytes_read += bytes_read;
- }
- }
- /* Null terminate the buffer */
- ca_file_buffer[ca_file_bufsize] = '\0';
- result = add_certs_data_to_store(trust_store,
- ca_file_buffer, ca_file_bufsize,
- ca_file,
- data);
- cleanup:
- if(ca_file_handle != INVALID_HANDLE_VALUE) {
- CloseHandle(ca_file_handle);
- }
- Curl_safefree(ca_file_buffer);
- curlx_unicodefree(ca_file_tstr);
- return result;
- }
- #endif /* HAS_MANUAL_VERIFY_API */
- /*
- * Returns the number of characters necessary to populate all the host_names.
- * If host_names is not NULL, populate it with all the hostnames. Each string
- * in the host_names is null-terminated and the last string is double
- * null-terminated. If no DNS names are found, a single null-terminated empty
- * string is returned.
- */
- static DWORD cert_get_name_string(struct Curl_easy *data,
- CERT_CONTEXT *cert_context,
- LPTSTR host_names,
- DWORD length,
- PCERT_ALT_NAME_INFO alt_name_info,
- BOOL Win8_compat)
- {
- DWORD actual_length = 0;
- #if defined(CURL_WINDOWS_UWP)
- (void)data;
- (void)cert_context;
- (void)host_names;
- (void)length;
- (void)alt_name_info;
- (void)Win8_compat;
- #else
- BOOL compute_content = FALSE;
- LPTSTR current_pos = NULL;
- DWORD i;
- #ifdef CERT_NAME_SEARCH_ALL_NAMES_FLAG
- /* CERT_NAME_SEARCH_ALL_NAMES_FLAG is available from Windows 8 onwards. */
- if(Win8_compat) {
- /* CertGetNameString will provide the 8-bit character string without
- * any decoding */
- DWORD name_flags =
- CERT_NAME_DISABLE_IE4_UTF8_FLAG | CERT_NAME_SEARCH_ALL_NAMES_FLAG;
- actual_length = CertGetNameString(cert_context,
- CERT_NAME_DNS_TYPE,
- name_flags,
- NULL,
- host_names,
- length);
- return actual_length;
- }
- #else
- (void)cert_context;
- (void)Win8_compat;
- #endif
- compute_content = host_names != NULL && length != 0;
- /* Initialize default return values. */
- actual_length = 1;
- if(compute_content) {
- *host_names = '\0';
- }
- current_pos = host_names;
- /* Iterate over the alternate names and populate host_names. */
- for(i = 0; i < alt_name_info->cAltEntry; i++) {
- const CERT_ALT_NAME_ENTRY *entry = &alt_name_info->rgAltEntry[i];
- wchar_t *dns_w = NULL;
- size_t current_length = 0;
- if(entry->dwAltNameChoice != CERT_ALT_NAME_DNS_NAME) {
- continue;
- }
- if(!entry->pwszDNSName) {
- infof(data, "schannel: Empty DNS name.");
- continue;
- }
- current_length = wcslen(entry->pwszDNSName) + 1;
- if(!compute_content) {
- actual_length += (DWORD)current_length;
- continue;
- }
- /* Sanity check to prevent buffer overrun. */
- if((actual_length + current_length) > length) {
- failf(data, "schannel: Not enough memory to list all hostnames.");
- break;
- }
- dns_w = entry->pwszDNSName;
- /* pwszDNSName is in ia5 string format and hence does not contain any
- * non-ASCII characters. */
- while(*dns_w != '\0') {
- *current_pos++ = (TCHAR)(*dns_w++);
- }
- *current_pos++ = '\0';
- actual_length += (DWORD)current_length;
- }
- if(compute_content) {
- /* Last string has double null-terminator. */
- *current_pos = '\0';
- }
- #endif
- return actual_length;
- }
- /*
- * Returns TRUE if the hostname is a numeric IPv4/IPv6 Address,
- * and populates the buffer with IPv4/IPv6 info.
- */
- static bool get_num_host_info(struct num_ip_data *ip_blob,
- LPCSTR hostname)
- {
- struct in_addr ia;
- struct in6_addr ia6;
- bool result = FALSE;
- int res = Curl_inet_pton(AF_INET, hostname, &ia);
- if(res) {
- ip_blob->size = sizeof(struct in_addr);
- memcpy(&ip_blob->bData.ia, &ia, sizeof(struct in_addr));
- result = TRUE;
- }
- else {
- res = Curl_inet_pton(AF_INET6, hostname, &ia6);
- if(res) {
- ip_blob->size = sizeof(struct in6_addr);
- memcpy(&ip_blob->bData.ia6, &ia6, sizeof(struct in6_addr));
- result = TRUE;
- }
- }
- return result;
- }
- static bool get_alt_name_info(struct Curl_easy *data,
- PCCERT_CONTEXT ctx,
- PCERT_ALT_NAME_INFO *alt_name_info,
- LPDWORD alt_name_info_size)
- {
- bool result = FALSE;
- #if defined(CURL_WINDOWS_UWP)
- (void)data;
- (void)ctx;
- (void)alt_name_info;
- (void)alt_name_info_size;
- #else
- PCERT_INFO cert_info = NULL;
- PCERT_EXTENSION extension = NULL;
- CRYPT_DECODE_PARA decode_para = { sizeof(CRYPT_DECODE_PARA), NULL, NULL };
- if(!ctx) {
- failf(data, "schannel: Null certificate context.");
- return result;
- }
- cert_info = ctx->pCertInfo;
- if(!cert_info) {
- failf(data, "schannel: Null certificate info.");
- return result;
- }
- extension = CertFindExtension(szOID_SUBJECT_ALT_NAME2,
- cert_info->cExtension,
- cert_info->rgExtension);
- if(!extension) {
- failf(data, "schannel: CertFindExtension() returned no extension.");
- return result;
- }
- if(!CryptDecodeObjectEx(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
- szOID_SUBJECT_ALT_NAME2,
- extension->Value.pbData,
- extension->Value.cbData,
- CRYPT_DECODE_ALLOC_FLAG | CRYPT_DECODE_NOCOPY_FLAG,
- &decode_para,
- alt_name_info,
- alt_name_info_size)) {
- failf(data,
- "schannel: CryptDecodeObjectEx() returned no alternate name "
- "information.");
- return result;
- }
- result = TRUE;
- #endif
- return result;
- }
- /* Verify the server's hostname */
- CURLcode Curl_verify_host(struct Curl_cfilter *cf,
- struct Curl_easy *data)
- {
- struct ssl_connect_data *connssl = cf->ctx;
- SECURITY_STATUS sspi_status;
- CURLcode result = CURLE_PEER_FAILED_VERIFICATION;
- CERT_CONTEXT *pCertContextServer = NULL;
- TCHAR *cert_hostname_buff = NULL;
- size_t cert_hostname_buff_index = 0;
- const char *conn_hostname = connssl->peer.hostname;
- size_t hostlen = strlen(conn_hostname);
- DWORD len = 0;
- DWORD actual_len = 0;
- PCERT_ALT_NAME_INFO alt_name_info = NULL;
- DWORD alt_name_info_size = 0;
- struct num_ip_data ip_blob = { 0 };
- bool Win8_compat;
- struct num_ip_data *p = &ip_blob;
- DWORD i;
- sspi_status =
- Curl_pSecFn->QueryContextAttributes(&BACKEND->ctxt->ctxt_handle,
- SECPKG_ATTR_REMOTE_CERT_CONTEXT,
- &pCertContextServer);
- if((sspi_status != SEC_E_OK) || !pCertContextServer) {
- char buffer[STRERROR_LEN];
- failf(data, "schannel: Failed to read remote certificate context: %s",
- Curl_sspi_strerror(sspi_status, buffer, sizeof(buffer)));
- goto cleanup;
- }
- Win8_compat = curlx_verify_windows_version(6, 2, 0, PLATFORM_WINNT,
- VERSION_GREATER_THAN_EQUAL);
- if(get_num_host_info(p, conn_hostname) || !Win8_compat) {
- if(!get_alt_name_info(data, pCertContextServer,
- &alt_name_info, &alt_name_info_size)) {
- goto cleanup;
- }
- }
- if(p->size && alt_name_info) {
- for(i = 0; i < alt_name_info->cAltEntry; ++i) {
- PCERT_ALT_NAME_ENTRY entry = &alt_name_info->rgAltEntry[i];
- if(entry->dwAltNameChoice == CERT_ALT_NAME_IP_ADDRESS) {
- if(entry->IPAddress.cbData == p->size) {
- if(!memcmp(entry->IPAddress.pbData, &p->bData,
- entry->IPAddress.cbData)) {
- result = CURLE_OK;
- infof(data,
- "schannel: connection hostname (%s) matched cert's IP address!",
- conn_hostname);
- break;
- }
- }
- }
- }
- }
- else {
- /* Determine the size of the string needed for the cert hostname */
- len = cert_get_name_string(data, pCertContextServer,
- NULL, 0, alt_name_info, Win8_compat);
- if(len == 0) {
- failf(data,
- "schannel: CertGetNameString() returned no "
- "certificate name information");
- goto cleanup;
- }
- /* CertGetNameString guarantees that the returned name will not contain
- * embedded null bytes. This appears to be undocumented behavior.
- */
- cert_hostname_buff = (LPTSTR)malloc(len * sizeof(TCHAR));
- if(!cert_hostname_buff) {
- result = CURLE_OUT_OF_MEMORY;
- goto cleanup;
- }
- actual_len = cert_get_name_string(data, pCertContextServer,
- (LPTSTR)cert_hostname_buff, len, alt_name_info, Win8_compat);
- /* Sanity check */
- if(actual_len != len) {
- failf(data,
- "schannel: CertGetNameString() returned certificate "
- "name information of unexpected size");
- goto cleanup;
- }
- /* cert_hostname_buff contains all DNS names, where each name is
- * null-terminated and the last DNS name is double null-terminated. Due to
- * this encoding, use the length of the buffer to iterate over all names.
- */
- while(cert_hostname_buff_index < len &&
- cert_hostname_buff[cert_hostname_buff_index] != TEXT('\0') &&
- result == CURLE_PEER_FAILED_VERIFICATION) {
- char *cert_hostname;
- /* Comparing the cert name and the connection hostname encoded as UTF-8
- * is acceptable since both values are assumed to use ASCII
- * (or some equivalent) encoding
- */
- cert_hostname = curlx_convert_tchar_to_UTF8(
- &cert_hostname_buff[cert_hostname_buff_index]);
- if(!cert_hostname) {
- result = CURLE_OUT_OF_MEMORY;
- }
- else {
- if(Curl_cert_hostcheck(cert_hostname, strlen(cert_hostname),
- conn_hostname, hostlen)) {
- infof(data,
- "schannel: connection hostname (%s) validated "
- "against certificate name (%s)",
- conn_hostname, cert_hostname);
- result = CURLE_OK;
- }
- else {
- size_t cert_hostname_len;
- infof(data,
- "schannel: connection hostname (%s) did not match "
- "against certificate name (%s)",
- conn_hostname, cert_hostname);
- cert_hostname_len =
- _tcslen(&cert_hostname_buff[cert_hostname_buff_index]);
- /* Move on to next cert name */
- cert_hostname_buff_index += cert_hostname_len + 1;
- result = CURLE_PEER_FAILED_VERIFICATION;
- }
- curlx_unicodefree(cert_hostname);
- }
- }
- if(result == CURLE_PEER_FAILED_VERIFICATION) {
- failf(data,
- "schannel: CertGetNameString() failed to match "
- "connection hostname (%s) against server certificate names",
- conn_hostname);
- }
- else if(result != CURLE_OK)
- failf(data, "schannel: server certificate name verification failed");
- }
- cleanup:
- Curl_safefree(cert_hostname_buff);
- if(pCertContextServer)
- CertFreeCertificateContext(pCertContextServer);
- return result;
- }
- #ifdef HAS_MANUAL_VERIFY_API
- /* Verify the server's certificate and hostname */
- CURLcode Curl_verify_certificate(struct Curl_cfilter *cf,
- struct Curl_easy *data)
- {
- struct ssl_connect_data *connssl = cf->ctx;
- struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
- struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
- SECURITY_STATUS sspi_status;
- CURLcode result = CURLE_OK;
- CERT_CONTEXT *pCertContextServer = NULL;
- const CERT_CHAIN_CONTEXT *pChainContext = NULL;
- HCERTCHAINENGINE cert_chain_engine = NULL;
- HCERTSTORE trust_store = NULL;
- HCERTSTORE own_trust_store = NULL;
- DEBUGASSERT(BACKEND);
- sspi_status =
- Curl_pSecFn->QueryContextAttributes(&BACKEND->ctxt->ctxt_handle,
- SECPKG_ATTR_REMOTE_CERT_CONTEXT,
- &pCertContextServer);
- if((sspi_status != SEC_E_OK) || !pCertContextServer) {
- char buffer[STRERROR_LEN];
- failf(data, "schannel: Failed to read remote certificate context: %s",
- Curl_sspi_strerror(sspi_status, buffer, sizeof(buffer)));
- result = CURLE_PEER_FAILED_VERIFICATION;
- }
- if(result == CURLE_OK &&
- (conn_config->CAfile || conn_config->ca_info_blob) &&
- BACKEND->use_manual_cred_validation) {
- /*
- * Create a chain engine that uses the certificates in the CA file as
- * trusted certificates. This is only supported on Windows 7+.
- */
- if(curlx_verify_windows_version(6, 1, 0, PLATFORM_WINNT,
- VERSION_LESS_THAN)) {
- failf(data, "schannel: this version of Windows is too old to support "
- "certificate verification via CA bundle file.");
- result = CURLE_SSL_CACERT_BADFILE;
- }
- else {
- /* try cache */
- trust_store = Curl_schannel_get_cached_cert_store(cf, data);
- if(trust_store) {
- infof(data, "schannel: reusing certificate store from cache");
- }
- else {
- /* Open the certificate store */
- trust_store = CertOpenStore(CERT_STORE_PROV_MEMORY,
- 0,
- (HCRYPTPROV)NULL,
- CERT_STORE_CREATE_NEW_FLAG,
- NULL);
- if(!trust_store) {
- char buffer[STRERROR_LEN];
- failf(data, "schannel: failed to create certificate store: %s",
- Curl_winapi_strerror(GetLastError(), buffer, sizeof(buffer)));
- result = CURLE_SSL_CACERT_BADFILE;
- }
- else {
- const struct curl_blob *ca_info_blob = conn_config->ca_info_blob;
- own_trust_store = trust_store;
- if(ca_info_blob) {
- result = add_certs_data_to_store(trust_store,
- (const char *)ca_info_blob->data,
- ca_info_blob->len,
- "(memory blob)",
- data);
- }
- else {
- result = add_certs_file_to_store(trust_store,
- conn_config->CAfile,
- data);
- }
- if(result == CURLE_OK) {
- if(Curl_schannel_set_cached_cert_store(cf, data, trust_store)) {
- own_trust_store = NULL;
- }
- }
- }
- }
- }
- if(result == CURLE_OK) {
- struct cert_chain_engine_config_win7 engine_config;
- BOOL create_engine_result;
- memset(&engine_config, 0, sizeof(engine_config));
- engine_config.cbSize = sizeof(engine_config);
- engine_config.hExclusiveRoot = trust_store;
- /* CertCreateCertificateChainEngine will check the expected size of the
- * CERT_CHAIN_ENGINE_CONFIG structure and fail if the specified size
- * does not match the expected size. When this occurs, it indicates that
- * CAINFO is not supported on the version of Windows in use.
- */
- create_engine_result =
- CertCreateCertificateChainEngine(
- (CERT_CHAIN_ENGINE_CONFIG *)&engine_config, &cert_chain_engine);
- if(!create_engine_result) {
- char buffer[STRERROR_LEN];
- failf(data,
- "schannel: failed to create certificate chain engine: %s",
- Curl_winapi_strerror(GetLastError(), buffer, sizeof(buffer)));
- result = CURLE_SSL_CACERT_BADFILE;
- }
- }
- }
- if(result == CURLE_OK) {
- CERT_CHAIN_PARA ChainPara;
- memset(&ChainPara, 0, sizeof(ChainPara));
- ChainPara.cbSize = sizeof(ChainPara);
- if(!CertGetCertificateChain(cert_chain_engine,
- pCertContextServer,
- NULL,
- pCertContextServer->hCertStore,
- &ChainPara,
- (ssl_config->no_revoke ? 0 :
- CERT_CHAIN_REVOCATION_CHECK_CHAIN),
- NULL,
- &pChainContext)) {
- char buffer[STRERROR_LEN];
- failf(data, "schannel: CertGetCertificateChain failed: %s",
- Curl_winapi_strerror(GetLastError(), buffer, sizeof(buffer)));
- pChainContext = NULL;
- result = CURLE_PEER_FAILED_VERIFICATION;
- }
- if(result == CURLE_OK) {
- CERT_SIMPLE_CHAIN *pSimpleChain = pChainContext->rgpChain[0];
- DWORD dwTrustErrorMask = ~(DWORD)(CERT_TRUST_IS_NOT_TIME_NESTED);
- dwTrustErrorMask &= pSimpleChain->TrustStatus.dwErrorStatus;
- if(data->set.ssl.revoke_best_effort) {
- /* Ignore errors when root certificates are missing the revocation
- * list URL, or when the list could not be downloaded because the
- * server is currently unreachable. */
- dwTrustErrorMask &= ~(DWORD)(CERT_TRUST_REVOCATION_STATUS_UNKNOWN |
- CERT_TRUST_IS_OFFLINE_REVOCATION);
- }
- if(dwTrustErrorMask) {
- if(dwTrustErrorMask & CERT_TRUST_IS_REVOKED)
- failf(data, "schannel: CertGetCertificateChain trust error"
- " CERT_TRUST_IS_REVOKED");
- else if(dwTrustErrorMask & CERT_TRUST_IS_PARTIAL_CHAIN)
- failf(data, "schannel: CertGetCertificateChain trust error"
- " CERT_TRUST_IS_PARTIAL_CHAIN");
- else if(dwTrustErrorMask & CERT_TRUST_IS_UNTRUSTED_ROOT)
- failf(data, "schannel: CertGetCertificateChain trust error"
- " CERT_TRUST_IS_UNTRUSTED_ROOT");
- else if(dwTrustErrorMask & CERT_TRUST_IS_NOT_TIME_VALID)
- failf(data, "schannel: CertGetCertificateChain trust error"
- " CERT_TRUST_IS_NOT_TIME_VALID");
- else if(dwTrustErrorMask & CERT_TRUST_REVOCATION_STATUS_UNKNOWN)
- failf(data, "schannel: CertGetCertificateChain trust error"
- " CERT_TRUST_REVOCATION_STATUS_UNKNOWN");
- else
- failf(data, "schannel: CertGetCertificateChain error mask: 0x%08lx",
- dwTrustErrorMask);
- result = CURLE_PEER_FAILED_VERIFICATION;
- }
- }
- }
- if(result == CURLE_OK) {
- if(conn_config->verifyhost) {
- result = Curl_verify_host(cf, data);
- }
- }
- if(cert_chain_engine) {
- CertFreeCertificateChainEngine(cert_chain_engine);
- }
- if(own_trust_store) {
- CertCloseStore(own_trust_store, 0);
- }
- if(pChainContext)
- CertFreeCertificateChain(pChainContext);
- if(pCertContextServer)
- CertFreeCertificateContext(pCertContextServer);
- return result;
- }
- #endif /* HAS_MANUAL_VERIFY_API */
- #endif /* USE_SCHANNEL */
|