schannel_verify.c 23 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696
  1. /***************************************************************************
  2. * _ _ ____ _
  3. * Project ___| | | | _ \| |
  4. * / __| | | | |_) | |
  5. * | (__| |_| | _ <| |___
  6. * \___|\___/|_| \_\_____|
  7. *
  8. * Copyright (C) 2012 - 2016, Marc Hoersken, <info@marc-hoersken.de>
  9. * Copyright (C) 2012, Mark Salisbury, <mark.salisbury@hp.com>
  10. * Copyright (C) 2012 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
  11. *
  12. * This software is licensed as described in the file COPYING, which
  13. * you should have received as part of this distribution. The terms
  14. * are also available at https://curl.haxx.se/docs/copyright.html.
  15. *
  16. * You may opt to use, copy, modify, merge, publish, distribute and/or sell
  17. * copies of the Software, and permit persons to whom the Software is
  18. * furnished to do so, under the terms of the COPYING file.
  19. *
  20. * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
  21. * KIND, either express or implied.
  22. *
  23. ***************************************************************************/
  24. /*
  25. * Source file for Schannel-specific certificate verification. This code should
  26. * only be invoked by code in schannel.c.
  27. */
  28. #include "curl_setup.h"
  29. #ifdef USE_SCHANNEL
  30. #ifndef USE_WINDOWS_SSPI
  31. # error "Can't compile SCHANNEL support without SSPI."
  32. #endif
  33. #define EXPOSE_SCHANNEL_INTERNAL_STRUCTS
  34. #include "schannel.h"
  35. #ifdef HAS_MANUAL_VERIFY_API
  36. #include "vtls.h"
  37. #include "sendf.h"
  38. #include "strerror.h"
  39. #include "curl_multibyte.h"
  40. #include "curl_printf.h"
  41. #include "hostcheck.h"
  42. #include "system_win32.h"
  43. /* The last #include file should be: */
  44. #include "curl_memory.h"
  45. #include "memdebug.h"
  46. #define BACKEND connssl->backend
  47. #define MAX_CAFILE_SIZE 1048576 /* 1 MiB */
  48. #define BEGIN_CERT "-----BEGIN CERTIFICATE-----"
  49. #define END_CERT "\n-----END CERTIFICATE-----"
  50. struct cert_chain_engine_config_win7 {
  51. DWORD cbSize;
  52. HCERTSTORE hRestrictedRoot;
  53. HCERTSTORE hRestrictedTrust;
  54. HCERTSTORE hRestrictedOther;
  55. DWORD cAdditionalStore;
  56. HCERTSTORE *rghAdditionalStore;
  57. DWORD dwFlags;
  58. DWORD dwUrlRetrievalTimeout;
  59. DWORD MaximumCachedCertificates;
  60. DWORD CycleDetectionModulus;
  61. HCERTSTORE hExclusiveRoot;
  62. HCERTSTORE hExclusiveTrustedPeople;
  63. };
  64. static int is_cr_or_lf(char c)
  65. {
  66. return c == '\r' || c == '\n';
  67. }
  68. static CURLcode add_certs_to_store(HCERTSTORE trust_store,
  69. const char *ca_file,
  70. struct connectdata *conn)
  71. {
  72. CURLcode result;
  73. struct Curl_easy *data = conn->data;
  74. HANDLE ca_file_handle = INVALID_HANDLE_VALUE;
  75. LARGE_INTEGER file_size;
  76. char *ca_file_buffer = NULL;
  77. char *current_ca_file_ptr = NULL;
  78. TCHAR *ca_file_tstr = NULL;
  79. size_t ca_file_bufsize = 0;
  80. DWORD total_bytes_read = 0;
  81. bool more_certs = 0;
  82. int num_certs = 0;
  83. size_t END_CERT_LEN;
  84. ca_file_tstr = curlx_convert_UTF8_to_tchar((char *)ca_file);
  85. if(!ca_file_tstr) {
  86. char buffer[STRERROR_LEN];
  87. failf(data,
  88. "schannel: invalid path name for CA file '%s': %s",
  89. ca_file,
  90. Curl_winapi_strerror(GetLastError(), buffer, sizeof(buffer)));
  91. result = CURLE_SSL_CACERT_BADFILE;
  92. goto cleanup;
  93. }
  94. /*
  95. * Read the CA file completely into memory before parsing it. This
  96. * optimizes for the common case where the CA file will be relatively
  97. * small ( < 1 MiB ).
  98. */
  99. ca_file_handle = CreateFile(ca_file_tstr,
  100. GENERIC_READ,
  101. FILE_SHARE_READ,
  102. NULL,
  103. OPEN_EXISTING,
  104. FILE_ATTRIBUTE_NORMAL,
  105. NULL);
  106. if(ca_file_handle == INVALID_HANDLE_VALUE) {
  107. char buffer[STRERROR_LEN];
  108. failf(data,
  109. "schannel: failed to open CA file '%s': %s",
  110. ca_file,
  111. Curl_winapi_strerror(GetLastError(), buffer, sizeof(buffer)));
  112. result = CURLE_SSL_CACERT_BADFILE;
  113. goto cleanup;
  114. }
  115. if(!GetFileSizeEx(ca_file_handle, &file_size)) {
  116. char buffer[STRERROR_LEN];
  117. failf(data,
  118. "schannel: failed to determine size of CA file '%s': %s",
  119. ca_file,
  120. Curl_winapi_strerror(GetLastError(), buffer, sizeof(buffer)));
  121. result = CURLE_SSL_CACERT_BADFILE;
  122. goto cleanup;
  123. }
  124. if(file_size.QuadPart > MAX_CAFILE_SIZE) {
  125. failf(data,
  126. "schannel: CA file exceeds max size of %u bytes",
  127. MAX_CAFILE_SIZE);
  128. result = CURLE_SSL_CACERT_BADFILE;
  129. goto cleanup;
  130. }
  131. ca_file_bufsize = (size_t)file_size.QuadPart;
  132. ca_file_buffer = (char *)malloc(ca_file_bufsize + 1);
  133. if(!ca_file_buffer) {
  134. result = CURLE_OUT_OF_MEMORY;
  135. goto cleanup;
  136. }
  137. result = CURLE_OK;
  138. while(total_bytes_read < ca_file_bufsize) {
  139. DWORD bytes_to_read = (DWORD)(ca_file_bufsize - total_bytes_read);
  140. DWORD bytes_read = 0;
  141. if(!ReadFile(ca_file_handle, ca_file_buffer + total_bytes_read,
  142. bytes_to_read, &bytes_read, NULL)) {
  143. char buffer[STRERROR_LEN];
  144. failf(data,
  145. "schannel: failed to read from CA file '%s': %s",
  146. ca_file,
  147. Curl_winapi_strerror(GetLastError(), buffer, sizeof(buffer)));
  148. result = CURLE_SSL_CACERT_BADFILE;
  149. goto cleanup;
  150. }
  151. if(bytes_read == 0) {
  152. /* Premature EOF -- adjust the bufsize to the new value */
  153. ca_file_bufsize = total_bytes_read;
  154. }
  155. else {
  156. total_bytes_read += bytes_read;
  157. }
  158. }
  159. /* Null terminate the buffer */
  160. ca_file_buffer[ca_file_bufsize] = '\0';
  161. if(result != CURLE_OK) {
  162. goto cleanup;
  163. }
  164. END_CERT_LEN = strlen(END_CERT);
  165. more_certs = 1;
  166. current_ca_file_ptr = ca_file_buffer;
  167. while(more_certs && *current_ca_file_ptr != '\0') {
  168. char *begin_cert_ptr = strstr(current_ca_file_ptr, BEGIN_CERT);
  169. if(!begin_cert_ptr || !is_cr_or_lf(begin_cert_ptr[strlen(BEGIN_CERT)])) {
  170. more_certs = 0;
  171. }
  172. else {
  173. char *end_cert_ptr = strstr(begin_cert_ptr, END_CERT);
  174. if(!end_cert_ptr) {
  175. failf(data,
  176. "schannel: CA file '%s' is not correctly formatted",
  177. ca_file);
  178. result = CURLE_SSL_CACERT_BADFILE;
  179. more_certs = 0;
  180. }
  181. else {
  182. CERT_BLOB cert_blob;
  183. CERT_CONTEXT *cert_context = NULL;
  184. BOOL add_cert_result = FALSE;
  185. DWORD actual_content_type = 0;
  186. DWORD cert_size = (DWORD)
  187. ((end_cert_ptr + END_CERT_LEN) - begin_cert_ptr);
  188. cert_blob.pbData = (BYTE *)begin_cert_ptr;
  189. cert_blob.cbData = cert_size;
  190. if(!CryptQueryObject(CERT_QUERY_OBJECT_BLOB,
  191. &cert_blob,
  192. CERT_QUERY_CONTENT_FLAG_CERT,
  193. CERT_QUERY_FORMAT_FLAG_ALL,
  194. 0,
  195. NULL,
  196. &actual_content_type,
  197. NULL,
  198. NULL,
  199. NULL,
  200. (const void **)&cert_context)) {
  201. char buffer[STRERROR_LEN];
  202. failf(data,
  203. "schannel: failed to extract certificate from CA file "
  204. "'%s': %s",
  205. ca_file,
  206. Curl_winapi_strerror(GetLastError(), buffer, sizeof(buffer)));
  207. result = CURLE_SSL_CACERT_BADFILE;
  208. more_certs = 0;
  209. }
  210. else {
  211. current_ca_file_ptr = begin_cert_ptr + cert_size;
  212. /* Sanity check that the cert_context object is the right type */
  213. if(CERT_QUERY_CONTENT_CERT != actual_content_type) {
  214. failf(data,
  215. "schannel: unexpected content type '%d' when extracting "
  216. "certificate from CA file '%s'",
  217. actual_content_type, ca_file);
  218. result = CURLE_SSL_CACERT_BADFILE;
  219. more_certs = 0;
  220. }
  221. else {
  222. add_cert_result =
  223. CertAddCertificateContextToStore(trust_store,
  224. cert_context,
  225. CERT_STORE_ADD_ALWAYS,
  226. NULL);
  227. CertFreeCertificateContext(cert_context);
  228. if(!add_cert_result) {
  229. char buffer[STRERROR_LEN];
  230. failf(data,
  231. "schannel: failed to add certificate from CA file '%s' "
  232. "to certificate store: %s",
  233. ca_file,
  234. Curl_winapi_strerror(GetLastError(), buffer,
  235. sizeof(buffer)));
  236. result = CURLE_SSL_CACERT_BADFILE;
  237. more_certs = 0;
  238. }
  239. else {
  240. num_certs++;
  241. }
  242. }
  243. }
  244. }
  245. }
  246. }
  247. if(result == CURLE_OK) {
  248. if(!num_certs) {
  249. infof(data,
  250. "schannel: did not add any certificates from CA file '%s'\n",
  251. ca_file);
  252. }
  253. else {
  254. infof(data,
  255. "schannel: added %d certificate(s) from CA file '%s'\n",
  256. num_certs, ca_file);
  257. }
  258. }
  259. cleanup:
  260. if(ca_file_handle != INVALID_HANDLE_VALUE) {
  261. CloseHandle(ca_file_handle);
  262. }
  263. Curl_safefree(ca_file_buffer);
  264. curlx_unicodefree(ca_file_tstr);
  265. return result;
  266. }
  267. /*
  268. * Returns the number of characters necessary to populate all the host_names.
  269. * If host_names is not NULL, populate it with all the host names. Each string
  270. * in the host_names is null-terminated and the last string is double
  271. * null-terminated. If no DNS names are found, a single null-terminated empty
  272. * string is returned.
  273. */
  274. static DWORD cert_get_name_string(struct Curl_easy *data,
  275. CERT_CONTEXT *cert_context,
  276. LPTSTR host_names,
  277. DWORD length)
  278. {
  279. DWORD actual_length = 0;
  280. BOOL compute_content = FALSE;
  281. CERT_INFO *cert_info = NULL;
  282. CERT_EXTENSION *extension = NULL;
  283. CRYPT_DECODE_PARA decode_para = {0, 0, 0};
  284. CERT_ALT_NAME_INFO *alt_name_info = NULL;
  285. DWORD alt_name_info_size = 0;
  286. BOOL ret_val = FALSE;
  287. LPTSTR current_pos = NULL;
  288. DWORD i;
  289. /* CERT_NAME_SEARCH_ALL_NAMES_FLAG is available from Windows 8 onwards. */
  290. if(Curl_verify_windows_version(6, 2, PLATFORM_WINNT,
  291. VERSION_GREATER_THAN_EQUAL)) {
  292. #ifdef CERT_NAME_SEARCH_ALL_NAMES_FLAG
  293. /* CertGetNameString will provide the 8-bit character string without
  294. * any decoding */
  295. DWORD name_flags =
  296. CERT_NAME_DISABLE_IE4_UTF8_FLAG | CERT_NAME_SEARCH_ALL_NAMES_FLAG;
  297. actual_length = CertGetNameString(cert_context,
  298. CERT_NAME_DNS_TYPE,
  299. name_flags,
  300. NULL,
  301. host_names,
  302. length);
  303. return actual_length;
  304. #endif
  305. }
  306. compute_content = host_names != NULL && length != 0;
  307. /* Initialize default return values. */
  308. actual_length = 1;
  309. if(compute_content) {
  310. *host_names = '\0';
  311. }
  312. if(!cert_context) {
  313. failf(data, "schannel: Null certificate context.");
  314. return actual_length;
  315. }
  316. cert_info = cert_context->pCertInfo;
  317. if(!cert_info) {
  318. failf(data, "schannel: Null certificate info.");
  319. return actual_length;
  320. }
  321. extension = CertFindExtension(szOID_SUBJECT_ALT_NAME2,
  322. cert_info->cExtension,
  323. cert_info->rgExtension);
  324. if(!extension) {
  325. failf(data, "schannel: CertFindExtension() returned no extension.");
  326. return actual_length;
  327. }
  328. decode_para.cbSize = sizeof(CRYPT_DECODE_PARA);
  329. ret_val =
  330. CryptDecodeObjectEx(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
  331. szOID_SUBJECT_ALT_NAME2,
  332. extension->Value.pbData,
  333. extension->Value.cbData,
  334. CRYPT_DECODE_ALLOC_FLAG | CRYPT_DECODE_NOCOPY_FLAG,
  335. &decode_para,
  336. &alt_name_info,
  337. &alt_name_info_size);
  338. if(!ret_val) {
  339. failf(data,
  340. "schannel: CryptDecodeObjectEx() returned no alternate name "
  341. "information.");
  342. return actual_length;
  343. }
  344. current_pos = host_names;
  345. /* Iterate over the alternate names and populate host_names. */
  346. for(i = 0; i < alt_name_info->cAltEntry; i++) {
  347. const CERT_ALT_NAME_ENTRY *entry = &alt_name_info->rgAltEntry[i];
  348. wchar_t *dns_w = NULL;
  349. size_t current_length = 0;
  350. if(entry->dwAltNameChoice != CERT_ALT_NAME_DNS_NAME) {
  351. continue;
  352. }
  353. if(entry->pwszDNSName == NULL) {
  354. infof(data, "schannel: Empty DNS name.");
  355. continue;
  356. }
  357. current_length = wcslen(entry->pwszDNSName) + 1;
  358. if(!compute_content) {
  359. actual_length += (DWORD)current_length;
  360. continue;
  361. }
  362. /* Sanity check to prevent buffer overrun. */
  363. if((actual_length + current_length) > length) {
  364. failf(data, "schannel: Not enough memory to list all host names.");
  365. break;
  366. }
  367. dns_w = entry->pwszDNSName;
  368. /* pwszDNSName is in ia5 string format and hence doesn't contain any
  369. * non-ascii characters. */
  370. while(*dns_w != '\0') {
  371. *current_pos++ = (char)(*dns_w++);
  372. }
  373. *current_pos++ = '\0';
  374. actual_length += (DWORD)current_length;
  375. }
  376. if(compute_content) {
  377. /* Last string has double null-terminator. */
  378. *current_pos = '\0';
  379. }
  380. return actual_length;
  381. }
  382. static CURLcode verify_host(struct Curl_easy *data,
  383. CERT_CONTEXT *pCertContextServer,
  384. const char * const conn_hostname)
  385. {
  386. CURLcode result = CURLE_PEER_FAILED_VERIFICATION;
  387. TCHAR *cert_hostname_buff = NULL;
  388. size_t cert_hostname_buff_index = 0;
  389. DWORD len = 0;
  390. DWORD actual_len = 0;
  391. /* Determine the size of the string needed for the cert hostname */
  392. len = cert_get_name_string(data, pCertContextServer, NULL, 0);
  393. if(len == 0) {
  394. failf(data,
  395. "schannel: CertGetNameString() returned no "
  396. "certificate name information");
  397. result = CURLE_PEER_FAILED_VERIFICATION;
  398. goto cleanup;
  399. }
  400. /* CertGetNameString guarantees that the returned name will not contain
  401. * embedded null bytes. This appears to be undocumented behavior.
  402. */
  403. cert_hostname_buff = (LPTSTR)malloc(len * sizeof(TCHAR));
  404. if(!cert_hostname_buff) {
  405. result = CURLE_OUT_OF_MEMORY;
  406. goto cleanup;
  407. }
  408. actual_len = cert_get_name_string(
  409. data, pCertContextServer, (LPTSTR)cert_hostname_buff, len);
  410. /* Sanity check */
  411. if(actual_len != len) {
  412. failf(data,
  413. "schannel: CertGetNameString() returned certificate "
  414. "name information of unexpected size");
  415. result = CURLE_PEER_FAILED_VERIFICATION;
  416. goto cleanup;
  417. }
  418. /* If HAVE_CERT_NAME_SEARCH_ALL_NAMES is available, the output
  419. * will contain all DNS names, where each name is null-terminated
  420. * and the last DNS name is double null-terminated. Due to this
  421. * encoding, use the length of the buffer to iterate over all names.
  422. */
  423. result = CURLE_PEER_FAILED_VERIFICATION;
  424. while(cert_hostname_buff_index < len &&
  425. cert_hostname_buff[cert_hostname_buff_index] != TEXT('\0') &&
  426. result == CURLE_PEER_FAILED_VERIFICATION) {
  427. char *cert_hostname;
  428. /* Comparing the cert name and the connection hostname encoded as UTF-8
  429. * is acceptable since both values are assumed to use ASCII
  430. * (or some equivalent) encoding
  431. */
  432. cert_hostname = curlx_convert_tchar_to_UTF8(
  433. &cert_hostname_buff[cert_hostname_buff_index]);
  434. if(!cert_hostname) {
  435. result = CURLE_OUT_OF_MEMORY;
  436. }
  437. else {
  438. int match_result;
  439. match_result = Curl_cert_hostcheck(cert_hostname, conn_hostname);
  440. if(match_result == CURL_HOST_MATCH) {
  441. infof(data,
  442. "schannel: connection hostname (%s) validated "
  443. "against certificate name (%s)\n",
  444. conn_hostname, cert_hostname);
  445. result = CURLE_OK;
  446. }
  447. else {
  448. size_t cert_hostname_len;
  449. infof(data,
  450. "schannel: connection hostname (%s) did not match "
  451. "against certificate name (%s)\n",
  452. conn_hostname, cert_hostname);
  453. cert_hostname_len = _tcslen(
  454. &cert_hostname_buff[cert_hostname_buff_index]);
  455. /* Move on to next cert name */
  456. cert_hostname_buff_index += cert_hostname_len + 1;
  457. result = CURLE_PEER_FAILED_VERIFICATION;
  458. }
  459. curlx_unicodefree(cert_hostname);
  460. }
  461. }
  462. if(result == CURLE_PEER_FAILED_VERIFICATION) {
  463. failf(data,
  464. "schannel: CertGetNameString() failed to match "
  465. "connection hostname (%s) against server certificate names",
  466. conn_hostname);
  467. }
  468. else if(result != CURLE_OK)
  469. failf(data, "schannel: server certificate name verification failed");
  470. cleanup:
  471. curlx_unicodefree(cert_hostname_buff);
  472. return result;
  473. }
  474. CURLcode Curl_verify_certificate(struct connectdata *conn, int sockindex)
  475. {
  476. SECURITY_STATUS sspi_status;
  477. struct Curl_easy *data = conn->data;
  478. struct ssl_connect_data *connssl = &conn->ssl[sockindex];
  479. CURLcode result = CURLE_OK;
  480. CERT_CONTEXT *pCertContextServer = NULL;
  481. const CERT_CHAIN_CONTEXT *pChainContext = NULL;
  482. HCERTCHAINENGINE cert_chain_engine = NULL;
  483. HCERTSTORE trust_store = NULL;
  484. const char * const conn_hostname = SSL_IS_PROXY() ?
  485. conn->http_proxy.host.name :
  486. conn->host.name;
  487. sspi_status =
  488. s_pSecFn->QueryContextAttributes(&BACKEND->ctxt->ctxt_handle,
  489. SECPKG_ATTR_REMOTE_CERT_CONTEXT,
  490. &pCertContextServer);
  491. if((sspi_status != SEC_E_OK) || (pCertContextServer == NULL)) {
  492. char buffer[STRERROR_LEN];
  493. failf(data, "schannel: Failed to read remote certificate context: %s",
  494. Curl_sspi_strerror(sspi_status, buffer, sizeof(buffer)));
  495. result = CURLE_PEER_FAILED_VERIFICATION;
  496. }
  497. if(result == CURLE_OK && SSL_CONN_CONFIG(CAfile) &&
  498. BACKEND->use_manual_cred_validation) {
  499. /*
  500. * Create a chain engine that uses the certificates in the CA file as
  501. * trusted certificates. This is only supported on Windows 7+.
  502. */
  503. if(Curl_verify_windows_version(6, 1, PLATFORM_WINNT, VERSION_LESS_THAN)) {
  504. failf(data, "schannel: this version of Windows is too old to support "
  505. "certificate verification via CA bundle file.");
  506. result = CURLE_SSL_CACERT_BADFILE;
  507. }
  508. else {
  509. /* Open the certificate store */
  510. trust_store = CertOpenStore(CERT_STORE_PROV_MEMORY,
  511. 0,
  512. (HCRYPTPROV)NULL,
  513. CERT_STORE_CREATE_NEW_FLAG,
  514. NULL);
  515. if(!trust_store) {
  516. char buffer[STRERROR_LEN];
  517. failf(data, "schannel: failed to create certificate store: %s",
  518. Curl_winapi_strerror(GetLastError(), buffer, sizeof(buffer)));
  519. result = CURLE_SSL_CACERT_BADFILE;
  520. }
  521. else {
  522. result = add_certs_to_store(trust_store, SSL_CONN_CONFIG(CAfile),
  523. conn);
  524. }
  525. }
  526. if(result == CURLE_OK) {
  527. struct cert_chain_engine_config_win7 engine_config;
  528. BOOL create_engine_result;
  529. memset(&engine_config, 0, sizeof(engine_config));
  530. engine_config.cbSize = sizeof(engine_config);
  531. engine_config.hExclusiveRoot = trust_store;
  532. /* CertCreateCertificateChainEngine will check the expected size of the
  533. * CERT_CHAIN_ENGINE_CONFIG structure and fail if the specified size
  534. * does not match the expected size. When this occurs, it indicates that
  535. * CAINFO is not supported on the version of Windows in use.
  536. */
  537. create_engine_result =
  538. CertCreateCertificateChainEngine(
  539. (CERT_CHAIN_ENGINE_CONFIG *)&engine_config, &cert_chain_engine);
  540. if(!create_engine_result) {
  541. char buffer[STRERROR_LEN];
  542. failf(data,
  543. "schannel: failed to create certificate chain engine: %s",
  544. Curl_winapi_strerror(GetLastError(), buffer, sizeof(buffer)));
  545. result = CURLE_SSL_CACERT_BADFILE;
  546. }
  547. }
  548. }
  549. if(result == CURLE_OK) {
  550. CERT_CHAIN_PARA ChainPara;
  551. memset(&ChainPara, 0, sizeof(ChainPara));
  552. ChainPara.cbSize = sizeof(ChainPara);
  553. if(!CertGetCertificateChain(cert_chain_engine,
  554. pCertContextServer,
  555. NULL,
  556. pCertContextServer->hCertStore,
  557. &ChainPara,
  558. (data->set.ssl.no_revoke ? 0 :
  559. CERT_CHAIN_REVOCATION_CHECK_CHAIN),
  560. NULL,
  561. &pChainContext)) {
  562. char buffer[STRERROR_LEN];
  563. failf(data, "schannel: CertGetCertificateChain failed: %s",
  564. Curl_winapi_strerror(GetLastError(), buffer, sizeof(buffer)));
  565. pChainContext = NULL;
  566. result = CURLE_PEER_FAILED_VERIFICATION;
  567. }
  568. if(result == CURLE_OK) {
  569. CERT_SIMPLE_CHAIN *pSimpleChain = pChainContext->rgpChain[0];
  570. DWORD dwTrustErrorMask = ~(DWORD)(CERT_TRUST_IS_NOT_TIME_NESTED);
  571. dwTrustErrorMask &= pSimpleChain->TrustStatus.dwErrorStatus;
  572. if(data->set.ssl.revoke_best_effort) {
  573. /* Ignore errors when root certificates are missing the revocation
  574. * list URL, or when the list could not be downloaded because the
  575. * server is currently unreachable. */
  576. dwTrustErrorMask &= ~(DWORD)(CERT_TRUST_REVOCATION_STATUS_UNKNOWN |
  577. CERT_TRUST_IS_OFFLINE_REVOCATION);
  578. }
  579. if(dwTrustErrorMask) {
  580. if(dwTrustErrorMask & CERT_TRUST_IS_REVOKED)
  581. failf(data, "schannel: CertGetCertificateChain trust error"
  582. " CERT_TRUST_IS_REVOKED");
  583. else if(dwTrustErrorMask & CERT_TRUST_IS_PARTIAL_CHAIN)
  584. failf(data, "schannel: CertGetCertificateChain trust error"
  585. " CERT_TRUST_IS_PARTIAL_CHAIN");
  586. else if(dwTrustErrorMask & CERT_TRUST_IS_UNTRUSTED_ROOT)
  587. failf(data, "schannel: CertGetCertificateChain trust error"
  588. " CERT_TRUST_IS_UNTRUSTED_ROOT");
  589. else if(dwTrustErrorMask & CERT_TRUST_IS_NOT_TIME_VALID)
  590. failf(data, "schannel: CertGetCertificateChain trust error"
  591. " CERT_TRUST_IS_NOT_TIME_VALID");
  592. else if(dwTrustErrorMask & CERT_TRUST_REVOCATION_STATUS_UNKNOWN)
  593. failf(data, "schannel: CertGetCertificateChain trust error"
  594. " CERT_TRUST_REVOCATION_STATUS_UNKNOWN");
  595. else
  596. failf(data, "schannel: CertGetCertificateChain error mask: 0x%08x",
  597. dwTrustErrorMask);
  598. result = CURLE_PEER_FAILED_VERIFICATION;
  599. }
  600. }
  601. }
  602. if(result == CURLE_OK) {
  603. if(SSL_CONN_CONFIG(verifyhost)) {
  604. result = verify_host(conn->data, pCertContextServer, conn_hostname);
  605. }
  606. }
  607. if(cert_chain_engine) {
  608. CertFreeCertificateChainEngine(cert_chain_engine);
  609. }
  610. if(trust_store) {
  611. CertCloseStore(trust_store, 0);
  612. }
  613. if(pChainContext)
  614. CertFreeCertificateChain(pChainContext);
  615. if(pCertContextServer)
  616. CertFreeCertificateContext(pCertContextServer);
  617. return result;
  618. }
  619. #endif /* HAS_MANUAL_VERIFY_API */
  620. #endif /* USE_SCHANNEL */