schannel_verify.c 27 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794
  1. /***************************************************************************
  2. * _ _ ____ _
  3. * Project ___| | | | _ \| |
  4. * / __| | | | |_) | |
  5. * | (__| |_| | _ <| |___
  6. * \___|\___/|_| \_\_____|
  7. *
  8. * Copyright (C) Marc Hoersken, <info@marc-hoersken.de>
  9. * Copyright (C) Mark Salisbury, <mark.salisbury@hp.com>
  10. * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
  11. *
  12. * This software is licensed as described in the file COPYING, which
  13. * you should have received as part of this distribution. The terms
  14. * are also available at https://curl.se/docs/copyright.html.
  15. *
  16. * You may opt to use, copy, modify, merge, publish, distribute and/or sell
  17. * copies of the Software, and permit persons to whom the Software is
  18. * furnished to do so, under the terms of the COPYING file.
  19. *
  20. * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
  21. * KIND, either express or implied.
  22. *
  23. * SPDX-License-Identifier: curl
  24. *
  25. ***************************************************************************/
  26. /*
  27. * Source file for Schannel-specific certificate verification. This code should
  28. * only be invoked by code in schannel.c.
  29. */
  30. #include "curl_setup.h"
  31. #ifdef USE_SCHANNEL
  32. #ifndef USE_WINDOWS_SSPI
  33. # error "cannot compile SCHANNEL support without SSPI."
  34. #endif
  35. #include "schannel.h"
  36. #include "schannel_int.h"
  37. #include "vtls.h"
  38. #include "vtls_int.h"
  39. #include "sendf.h"
  40. #include "strerror.h"
  41. #include "curl_multibyte.h"
  42. #include "curl_printf.h"
  43. #include "hostcheck.h"
  44. #include "version_win32.h"
  45. /* The last #include file should be: */
  46. #include "curl_memory.h"
  47. #include "memdebug.h"
  48. #define BACKEND ((struct schannel_ssl_backend_data *)connssl->backend)
  49. #ifdef HAS_MANUAL_VERIFY_API
  50. #define MAX_CAFILE_SIZE 1048576 /* 1 MiB */
  51. #define BEGIN_CERT "-----BEGIN CERTIFICATE-----"
  52. #define END_CERT "\n-----END CERTIFICATE-----"
  53. struct cert_chain_engine_config_win7 {
  54. DWORD cbSize;
  55. HCERTSTORE hRestrictedRoot;
  56. HCERTSTORE hRestrictedTrust;
  57. HCERTSTORE hRestrictedOther;
  58. DWORD cAdditionalStore;
  59. HCERTSTORE *rghAdditionalStore;
  60. DWORD dwFlags;
  61. DWORD dwUrlRetrievalTimeout;
  62. DWORD MaximumCachedCertificates;
  63. DWORD CycleDetectionModulus;
  64. HCERTSTORE hExclusiveRoot;
  65. HCERTSTORE hExclusiveTrustedPeople;
  66. };
  67. static int is_cr_or_lf(char c)
  68. {
  69. return c == '\r' || c == '\n';
  70. }
  71. /* Search the substring needle,needlelen into string haystack,haystacklen
  72. * Strings do not need to be terminated by a '\0'.
  73. * Similar of OSX/Linux memmem (not available on Visual Studio).
  74. * Return position of beginning of first occurrence or NULL if not found
  75. */
  76. static const char *c_memmem(const void *haystack, size_t haystacklen,
  77. const void *needle, size_t needlelen)
  78. {
  79. const char *p;
  80. char first;
  81. const char *str_limit = (const char *)haystack + haystacklen;
  82. if(!needlelen || needlelen > haystacklen)
  83. return NULL;
  84. first = *(const char *)needle;
  85. for(p = (const char *)haystack; p <= (str_limit - needlelen); p++)
  86. if(((*p) == first) && (memcmp(p, needle, needlelen) == 0))
  87. return p;
  88. return NULL;
  89. }
  90. static CURLcode add_certs_data_to_store(HCERTSTORE trust_store,
  91. const char *ca_buffer,
  92. size_t ca_buffer_size,
  93. const char *ca_file_text,
  94. struct Curl_easy *data)
  95. {
  96. const size_t begin_cert_len = strlen(BEGIN_CERT);
  97. const size_t end_cert_len = strlen(END_CERT);
  98. CURLcode result = CURLE_OK;
  99. int num_certs = 0;
  100. bool more_certs = 1;
  101. const char *current_ca_file_ptr = ca_buffer;
  102. const char *ca_buffer_limit = ca_buffer + ca_buffer_size;
  103. while(more_certs && (current_ca_file_ptr<ca_buffer_limit)) {
  104. const char *begin_cert_ptr = c_memmem(current_ca_file_ptr,
  105. ca_buffer_limit-current_ca_file_ptr,
  106. BEGIN_CERT,
  107. begin_cert_len);
  108. if(!begin_cert_ptr || !is_cr_or_lf(begin_cert_ptr[begin_cert_len])) {
  109. more_certs = 0;
  110. }
  111. else {
  112. const char *end_cert_ptr = c_memmem(begin_cert_ptr,
  113. ca_buffer_limit-begin_cert_ptr,
  114. END_CERT,
  115. end_cert_len);
  116. if(!end_cert_ptr) {
  117. failf(data,
  118. "schannel: CA file '%s' is not correctly formatted",
  119. ca_file_text);
  120. result = CURLE_SSL_CACERT_BADFILE;
  121. more_certs = 0;
  122. }
  123. else {
  124. CERT_BLOB cert_blob;
  125. CERT_CONTEXT *cert_context = NULL;
  126. BOOL add_cert_result = FALSE;
  127. DWORD actual_content_type = 0;
  128. DWORD cert_size = (DWORD)
  129. ((end_cert_ptr + end_cert_len) - begin_cert_ptr);
  130. cert_blob.pbData = (BYTE *)begin_cert_ptr;
  131. cert_blob.cbData = cert_size;
  132. if(!CryptQueryObject(CERT_QUERY_OBJECT_BLOB,
  133. &cert_blob,
  134. CERT_QUERY_CONTENT_FLAG_CERT,
  135. CERT_QUERY_FORMAT_FLAG_ALL,
  136. 0,
  137. NULL,
  138. &actual_content_type,
  139. NULL,
  140. NULL,
  141. NULL,
  142. (const void **)&cert_context)) {
  143. char buffer[STRERROR_LEN];
  144. failf(data,
  145. "schannel: failed to extract certificate from CA file "
  146. "'%s': %s",
  147. ca_file_text,
  148. Curl_winapi_strerror(GetLastError(), buffer, sizeof(buffer)));
  149. result = CURLE_SSL_CACERT_BADFILE;
  150. more_certs = 0;
  151. }
  152. else {
  153. current_ca_file_ptr = begin_cert_ptr + cert_size;
  154. /* Sanity check that the cert_context object is the right type */
  155. if(CERT_QUERY_CONTENT_CERT != actual_content_type) {
  156. failf(data,
  157. "schannel: unexpected content type '%lu' when extracting "
  158. "certificate from CA file '%s'",
  159. actual_content_type, ca_file_text);
  160. result = CURLE_SSL_CACERT_BADFILE;
  161. more_certs = 0;
  162. }
  163. else {
  164. add_cert_result =
  165. CertAddCertificateContextToStore(trust_store,
  166. cert_context,
  167. CERT_STORE_ADD_ALWAYS,
  168. NULL);
  169. CertFreeCertificateContext(cert_context);
  170. if(!add_cert_result) {
  171. char buffer[STRERROR_LEN];
  172. failf(data,
  173. "schannel: failed to add certificate from CA file '%s' "
  174. "to certificate store: %s",
  175. ca_file_text,
  176. Curl_winapi_strerror(GetLastError(), buffer,
  177. sizeof(buffer)));
  178. result = CURLE_SSL_CACERT_BADFILE;
  179. more_certs = 0;
  180. }
  181. else {
  182. num_certs++;
  183. }
  184. }
  185. }
  186. }
  187. }
  188. }
  189. if(result == CURLE_OK) {
  190. if(!num_certs) {
  191. infof(data,
  192. "schannel: did not add any certificates from CA file '%s'",
  193. ca_file_text);
  194. }
  195. else {
  196. infof(data,
  197. "schannel: added %d certificate(s) from CA file '%s'",
  198. num_certs, ca_file_text);
  199. }
  200. }
  201. return result;
  202. }
  203. static CURLcode add_certs_file_to_store(HCERTSTORE trust_store,
  204. const char *ca_file,
  205. struct Curl_easy *data)
  206. {
  207. CURLcode result;
  208. HANDLE ca_file_handle = INVALID_HANDLE_VALUE;
  209. LARGE_INTEGER file_size;
  210. char *ca_file_buffer = NULL;
  211. TCHAR *ca_file_tstr = NULL;
  212. size_t ca_file_bufsize = 0;
  213. DWORD total_bytes_read = 0;
  214. ca_file_tstr = curlx_convert_UTF8_to_tchar((char *)ca_file);
  215. if(!ca_file_tstr) {
  216. char buffer[STRERROR_LEN];
  217. failf(data,
  218. "schannel: invalid path name for CA file '%s': %s",
  219. ca_file,
  220. Curl_winapi_strerror(GetLastError(), buffer, sizeof(buffer)));
  221. result = CURLE_SSL_CACERT_BADFILE;
  222. goto cleanup;
  223. }
  224. /*
  225. * Read the CA file completely into memory before parsing it. This
  226. * optimizes for the common case where the CA file will be relatively
  227. * small ( < 1 MiB ).
  228. */
  229. ca_file_handle = CreateFile(ca_file_tstr,
  230. GENERIC_READ,
  231. FILE_SHARE_READ,
  232. NULL,
  233. OPEN_EXISTING,
  234. FILE_ATTRIBUTE_NORMAL,
  235. NULL);
  236. if(ca_file_handle == INVALID_HANDLE_VALUE) {
  237. char buffer[STRERROR_LEN];
  238. failf(data,
  239. "schannel: failed to open CA file '%s': %s",
  240. ca_file,
  241. Curl_winapi_strerror(GetLastError(), buffer, sizeof(buffer)));
  242. result = CURLE_SSL_CACERT_BADFILE;
  243. goto cleanup;
  244. }
  245. if(!GetFileSizeEx(ca_file_handle, &file_size)) {
  246. char buffer[STRERROR_LEN];
  247. failf(data,
  248. "schannel: failed to determine size of CA file '%s': %s",
  249. ca_file,
  250. Curl_winapi_strerror(GetLastError(), buffer, sizeof(buffer)));
  251. result = CURLE_SSL_CACERT_BADFILE;
  252. goto cleanup;
  253. }
  254. if(file_size.QuadPart > MAX_CAFILE_SIZE) {
  255. failf(data,
  256. "schannel: CA file exceeds max size of %u bytes",
  257. MAX_CAFILE_SIZE);
  258. result = CURLE_SSL_CACERT_BADFILE;
  259. goto cleanup;
  260. }
  261. ca_file_bufsize = (size_t)file_size.QuadPart;
  262. ca_file_buffer = (char *)malloc(ca_file_bufsize + 1);
  263. if(!ca_file_buffer) {
  264. result = CURLE_OUT_OF_MEMORY;
  265. goto cleanup;
  266. }
  267. while(total_bytes_read < ca_file_bufsize) {
  268. DWORD bytes_to_read = (DWORD)(ca_file_bufsize - total_bytes_read);
  269. DWORD bytes_read = 0;
  270. if(!ReadFile(ca_file_handle, ca_file_buffer + total_bytes_read,
  271. bytes_to_read, &bytes_read, NULL)) {
  272. char buffer[STRERROR_LEN];
  273. failf(data,
  274. "schannel: failed to read from CA file '%s': %s",
  275. ca_file,
  276. Curl_winapi_strerror(GetLastError(), buffer, sizeof(buffer)));
  277. result = CURLE_SSL_CACERT_BADFILE;
  278. goto cleanup;
  279. }
  280. if(bytes_read == 0) {
  281. /* Premature EOF -- adjust the bufsize to the new value */
  282. ca_file_bufsize = total_bytes_read;
  283. }
  284. else {
  285. total_bytes_read += bytes_read;
  286. }
  287. }
  288. /* Null terminate the buffer */
  289. ca_file_buffer[ca_file_bufsize] = '\0';
  290. result = add_certs_data_to_store(trust_store,
  291. ca_file_buffer, ca_file_bufsize,
  292. ca_file,
  293. data);
  294. cleanup:
  295. if(ca_file_handle != INVALID_HANDLE_VALUE) {
  296. CloseHandle(ca_file_handle);
  297. }
  298. Curl_safefree(ca_file_buffer);
  299. curlx_unicodefree(ca_file_tstr);
  300. return result;
  301. }
  302. #endif /* HAS_MANUAL_VERIFY_API */
  303. /*
  304. * Returns the number of characters necessary to populate all the host_names.
  305. * If host_names is not NULL, populate it with all the hostnames. Each string
  306. * in the host_names is null-terminated and the last string is double
  307. * null-terminated. If no DNS names are found, a single null-terminated empty
  308. * string is returned.
  309. */
  310. static DWORD cert_get_name_string(struct Curl_easy *data,
  311. CERT_CONTEXT *cert_context,
  312. LPTSTR host_names,
  313. DWORD length)
  314. {
  315. DWORD actual_length = 0;
  316. #if defined(CURL_WINDOWS_APP)
  317. (void)data;
  318. (void)cert_context;
  319. (void)host_names;
  320. (void)length;
  321. #else
  322. BOOL compute_content = FALSE;
  323. CERT_INFO *cert_info = NULL;
  324. CERT_EXTENSION *extension = NULL;
  325. CRYPT_DECODE_PARA decode_para = {0, 0, 0};
  326. CERT_ALT_NAME_INFO *alt_name_info = NULL;
  327. DWORD alt_name_info_size = 0;
  328. BOOL ret_val = FALSE;
  329. LPTSTR current_pos = NULL;
  330. DWORD i;
  331. #ifdef CERT_NAME_SEARCH_ALL_NAMES_FLAG
  332. /* CERT_NAME_SEARCH_ALL_NAMES_FLAG is available from Windows 8 onwards. */
  333. if(curlx_verify_windows_version(6, 2, 0, PLATFORM_WINNT,
  334. VERSION_GREATER_THAN_EQUAL)) {
  335. /* CertGetNameString will provide the 8-bit character string without
  336. * any decoding */
  337. DWORD name_flags =
  338. CERT_NAME_DISABLE_IE4_UTF8_FLAG | CERT_NAME_SEARCH_ALL_NAMES_FLAG;
  339. actual_length = CertGetNameString(cert_context,
  340. CERT_NAME_DNS_TYPE,
  341. name_flags,
  342. NULL,
  343. host_names,
  344. length);
  345. return actual_length;
  346. }
  347. #endif
  348. compute_content = host_names != NULL && length != 0;
  349. /* Initialize default return values. */
  350. actual_length = 1;
  351. if(compute_content) {
  352. *host_names = '\0';
  353. }
  354. if(!cert_context) {
  355. failf(data, "schannel: Null certificate context.");
  356. return actual_length;
  357. }
  358. cert_info = cert_context->pCertInfo;
  359. if(!cert_info) {
  360. failf(data, "schannel: Null certificate info.");
  361. return actual_length;
  362. }
  363. extension = CertFindExtension(szOID_SUBJECT_ALT_NAME2,
  364. cert_info->cExtension,
  365. cert_info->rgExtension);
  366. if(!extension) {
  367. failf(data, "schannel: CertFindExtension() returned no extension.");
  368. return actual_length;
  369. }
  370. decode_para.cbSize = sizeof(CRYPT_DECODE_PARA);
  371. ret_val =
  372. CryptDecodeObjectEx(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
  373. szOID_SUBJECT_ALT_NAME2,
  374. extension->Value.pbData,
  375. extension->Value.cbData,
  376. CRYPT_DECODE_ALLOC_FLAG | CRYPT_DECODE_NOCOPY_FLAG,
  377. &decode_para,
  378. &alt_name_info,
  379. &alt_name_info_size);
  380. if(!ret_val) {
  381. failf(data,
  382. "schannel: CryptDecodeObjectEx() returned no alternate name "
  383. "information.");
  384. return actual_length;
  385. }
  386. current_pos = host_names;
  387. /* Iterate over the alternate names and populate host_names. */
  388. for(i = 0; i < alt_name_info->cAltEntry; i++) {
  389. const CERT_ALT_NAME_ENTRY *entry = &alt_name_info->rgAltEntry[i];
  390. wchar_t *dns_w = NULL;
  391. size_t current_length = 0;
  392. if(entry->dwAltNameChoice != CERT_ALT_NAME_DNS_NAME) {
  393. continue;
  394. }
  395. if(!entry->pwszDNSName) {
  396. infof(data, "schannel: Empty DNS name.");
  397. continue;
  398. }
  399. current_length = wcslen(entry->pwszDNSName) + 1;
  400. if(!compute_content) {
  401. actual_length += (DWORD)current_length;
  402. continue;
  403. }
  404. /* Sanity check to prevent buffer overrun. */
  405. if((actual_length + current_length) > length) {
  406. failf(data, "schannel: Not enough memory to list all hostnames.");
  407. break;
  408. }
  409. dns_w = entry->pwszDNSName;
  410. /* pwszDNSName is in ia5 string format and hence does not contain any
  411. * non-ascii characters. */
  412. while(*dns_w != '\0') {
  413. *current_pos++ = (TCHAR)(*dns_w++);
  414. }
  415. *current_pos++ = '\0';
  416. actual_length += (DWORD)current_length;
  417. }
  418. if(compute_content) {
  419. /* Last string has double null-terminator. */
  420. *current_pos = '\0';
  421. }
  422. #endif
  423. return actual_length;
  424. }
  425. /* Verify the server's hostname */
  426. CURLcode Curl_verify_host(struct Curl_cfilter *cf,
  427. struct Curl_easy *data)
  428. {
  429. struct ssl_connect_data *connssl = cf->ctx;
  430. SECURITY_STATUS sspi_status;
  431. CURLcode result = CURLE_PEER_FAILED_VERIFICATION;
  432. CERT_CONTEXT *pCertContextServer = NULL;
  433. TCHAR *cert_hostname_buff = NULL;
  434. size_t cert_hostname_buff_index = 0;
  435. const char *conn_hostname = connssl->peer.hostname;
  436. size_t hostlen = strlen(conn_hostname);
  437. DWORD len = 0;
  438. DWORD actual_len = 0;
  439. sspi_status =
  440. s_pSecFn->QueryContextAttributes(&BACKEND->ctxt->ctxt_handle,
  441. SECPKG_ATTR_REMOTE_CERT_CONTEXT,
  442. &pCertContextServer);
  443. if((sspi_status != SEC_E_OK) || !pCertContextServer) {
  444. char buffer[STRERROR_LEN];
  445. failf(data, "schannel: Failed to read remote certificate context: %s",
  446. Curl_sspi_strerror(sspi_status, buffer, sizeof(buffer)));
  447. result = CURLE_PEER_FAILED_VERIFICATION;
  448. goto cleanup;
  449. }
  450. /* Determine the size of the string needed for the cert hostname */
  451. len = cert_get_name_string(data, pCertContextServer, NULL, 0);
  452. if(len == 0) {
  453. failf(data,
  454. "schannel: CertGetNameString() returned no "
  455. "certificate name information");
  456. result = CURLE_PEER_FAILED_VERIFICATION;
  457. goto cleanup;
  458. }
  459. /* CertGetNameString guarantees that the returned name will not contain
  460. * embedded null bytes. This appears to be undocumented behavior.
  461. */
  462. cert_hostname_buff = (LPTSTR)malloc(len * sizeof(TCHAR));
  463. if(!cert_hostname_buff) {
  464. result = CURLE_OUT_OF_MEMORY;
  465. goto cleanup;
  466. }
  467. actual_len = cert_get_name_string(
  468. data, pCertContextServer, (LPTSTR)cert_hostname_buff, len);
  469. /* Sanity check */
  470. if(actual_len != len) {
  471. failf(data,
  472. "schannel: CertGetNameString() returned certificate "
  473. "name information of unexpected size");
  474. result = CURLE_PEER_FAILED_VERIFICATION;
  475. goto cleanup;
  476. }
  477. /* cert_hostname_buff contains all DNS names, where each name is
  478. * null-terminated and the last DNS name is double null-terminated. Due to
  479. * this encoding, use the length of the buffer to iterate over all names.
  480. */
  481. result = CURLE_PEER_FAILED_VERIFICATION;
  482. while(cert_hostname_buff_index < len &&
  483. cert_hostname_buff[cert_hostname_buff_index] != TEXT('\0') &&
  484. result == CURLE_PEER_FAILED_VERIFICATION) {
  485. char *cert_hostname;
  486. /* Comparing the cert name and the connection hostname encoded as UTF-8
  487. * is acceptable since both values are assumed to use ASCII
  488. * (or some equivalent) encoding
  489. */
  490. cert_hostname = curlx_convert_tchar_to_UTF8(
  491. &cert_hostname_buff[cert_hostname_buff_index]);
  492. if(!cert_hostname) {
  493. result = CURLE_OUT_OF_MEMORY;
  494. }
  495. else {
  496. if(Curl_cert_hostcheck(cert_hostname, strlen(cert_hostname),
  497. conn_hostname, hostlen)) {
  498. infof(data,
  499. "schannel: connection hostname (%s) validated "
  500. "against certificate name (%s)",
  501. conn_hostname, cert_hostname);
  502. result = CURLE_OK;
  503. }
  504. else {
  505. size_t cert_hostname_len;
  506. infof(data,
  507. "schannel: connection hostname (%s) did not match "
  508. "against certificate name (%s)",
  509. conn_hostname, cert_hostname);
  510. cert_hostname_len =
  511. _tcslen(&cert_hostname_buff[cert_hostname_buff_index]);
  512. /* Move on to next cert name */
  513. cert_hostname_buff_index += cert_hostname_len + 1;
  514. result = CURLE_PEER_FAILED_VERIFICATION;
  515. }
  516. curlx_unicodefree(cert_hostname);
  517. }
  518. }
  519. if(result == CURLE_PEER_FAILED_VERIFICATION) {
  520. failf(data,
  521. "schannel: CertGetNameString() failed to match "
  522. "connection hostname (%s) against server certificate names",
  523. conn_hostname);
  524. }
  525. else if(result != CURLE_OK)
  526. failf(data, "schannel: server certificate name verification failed");
  527. cleanup:
  528. Curl_safefree(cert_hostname_buff);
  529. if(pCertContextServer)
  530. CertFreeCertificateContext(pCertContextServer);
  531. return result;
  532. }
  533. #ifdef HAS_MANUAL_VERIFY_API
  534. /* Verify the server's certificate and hostname */
  535. CURLcode Curl_verify_certificate(struct Curl_cfilter *cf,
  536. struct Curl_easy *data)
  537. {
  538. struct ssl_connect_data *connssl = cf->ctx;
  539. struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
  540. struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
  541. SECURITY_STATUS sspi_status;
  542. CURLcode result = CURLE_OK;
  543. CERT_CONTEXT *pCertContextServer = NULL;
  544. const CERT_CHAIN_CONTEXT *pChainContext = NULL;
  545. HCERTCHAINENGINE cert_chain_engine = NULL;
  546. HCERTSTORE trust_store = NULL;
  547. HCERTSTORE own_trust_store = NULL;
  548. DEBUGASSERT(BACKEND);
  549. sspi_status =
  550. s_pSecFn->QueryContextAttributes(&BACKEND->ctxt->ctxt_handle,
  551. SECPKG_ATTR_REMOTE_CERT_CONTEXT,
  552. &pCertContextServer);
  553. if((sspi_status != SEC_E_OK) || !pCertContextServer) {
  554. char buffer[STRERROR_LEN];
  555. failf(data, "schannel: Failed to read remote certificate context: %s",
  556. Curl_sspi_strerror(sspi_status, buffer, sizeof(buffer)));
  557. result = CURLE_PEER_FAILED_VERIFICATION;
  558. }
  559. if(result == CURLE_OK &&
  560. (conn_config->CAfile || conn_config->ca_info_blob) &&
  561. BACKEND->use_manual_cred_validation) {
  562. /*
  563. * Create a chain engine that uses the certificates in the CA file as
  564. * trusted certificates. This is only supported on Windows 7+.
  565. */
  566. if(curlx_verify_windows_version(6, 1, 0, PLATFORM_WINNT,
  567. VERSION_LESS_THAN)) {
  568. failf(data, "schannel: this version of Windows is too old to support "
  569. "certificate verification via CA bundle file.");
  570. result = CURLE_SSL_CACERT_BADFILE;
  571. }
  572. else {
  573. /* try cache */
  574. trust_store = Curl_schannel_get_cached_cert_store(cf, data);
  575. if(trust_store) {
  576. infof(data, "schannel: reusing certificate store from cache");
  577. }
  578. else {
  579. /* Open the certificate store */
  580. trust_store = CertOpenStore(CERT_STORE_PROV_MEMORY,
  581. 0,
  582. (HCRYPTPROV)NULL,
  583. CERT_STORE_CREATE_NEW_FLAG,
  584. NULL);
  585. if(!trust_store) {
  586. char buffer[STRERROR_LEN];
  587. failf(data, "schannel: failed to create certificate store: %s",
  588. Curl_winapi_strerror(GetLastError(), buffer, sizeof(buffer)));
  589. result = CURLE_SSL_CACERT_BADFILE;
  590. }
  591. else {
  592. const struct curl_blob *ca_info_blob = conn_config->ca_info_blob;
  593. own_trust_store = trust_store;
  594. if(ca_info_blob) {
  595. result = add_certs_data_to_store(trust_store,
  596. (const char *)ca_info_blob->data,
  597. ca_info_blob->len,
  598. "(memory blob)",
  599. data);
  600. }
  601. else {
  602. result = add_certs_file_to_store(trust_store,
  603. conn_config->CAfile,
  604. data);
  605. }
  606. if(result == CURLE_OK) {
  607. if(Curl_schannel_set_cached_cert_store(cf, data, trust_store)) {
  608. own_trust_store = NULL;
  609. }
  610. }
  611. }
  612. }
  613. }
  614. if(result == CURLE_OK) {
  615. struct cert_chain_engine_config_win7 engine_config;
  616. BOOL create_engine_result;
  617. memset(&engine_config, 0, sizeof(engine_config));
  618. engine_config.cbSize = sizeof(engine_config);
  619. engine_config.hExclusiveRoot = trust_store;
  620. /* CertCreateCertificateChainEngine will check the expected size of the
  621. * CERT_CHAIN_ENGINE_CONFIG structure and fail if the specified size
  622. * does not match the expected size. When this occurs, it indicates that
  623. * CAINFO is not supported on the version of Windows in use.
  624. */
  625. create_engine_result =
  626. CertCreateCertificateChainEngine(
  627. (CERT_CHAIN_ENGINE_CONFIG *)&engine_config, &cert_chain_engine);
  628. if(!create_engine_result) {
  629. char buffer[STRERROR_LEN];
  630. failf(data,
  631. "schannel: failed to create certificate chain engine: %s",
  632. Curl_winapi_strerror(GetLastError(), buffer, sizeof(buffer)));
  633. result = CURLE_SSL_CACERT_BADFILE;
  634. }
  635. }
  636. }
  637. if(result == CURLE_OK) {
  638. CERT_CHAIN_PARA ChainPara;
  639. memset(&ChainPara, 0, sizeof(ChainPara));
  640. ChainPara.cbSize = sizeof(ChainPara);
  641. if(!CertGetCertificateChain(cert_chain_engine,
  642. pCertContextServer,
  643. NULL,
  644. pCertContextServer->hCertStore,
  645. &ChainPara,
  646. (ssl_config->no_revoke ? 0 :
  647. CERT_CHAIN_REVOCATION_CHECK_CHAIN),
  648. NULL,
  649. &pChainContext)) {
  650. char buffer[STRERROR_LEN];
  651. failf(data, "schannel: CertGetCertificateChain failed: %s",
  652. Curl_winapi_strerror(GetLastError(), buffer, sizeof(buffer)));
  653. pChainContext = NULL;
  654. result = CURLE_PEER_FAILED_VERIFICATION;
  655. }
  656. if(result == CURLE_OK) {
  657. CERT_SIMPLE_CHAIN *pSimpleChain = pChainContext->rgpChain[0];
  658. DWORD dwTrustErrorMask = ~(DWORD)(CERT_TRUST_IS_NOT_TIME_NESTED);
  659. dwTrustErrorMask &= pSimpleChain->TrustStatus.dwErrorStatus;
  660. if(data->set.ssl.revoke_best_effort) {
  661. /* Ignore errors when root certificates are missing the revocation
  662. * list URL, or when the list could not be downloaded because the
  663. * server is currently unreachable. */
  664. dwTrustErrorMask &= ~(DWORD)(CERT_TRUST_REVOCATION_STATUS_UNKNOWN |
  665. CERT_TRUST_IS_OFFLINE_REVOCATION);
  666. }
  667. if(dwTrustErrorMask) {
  668. if(dwTrustErrorMask & CERT_TRUST_IS_REVOKED)
  669. failf(data, "schannel: CertGetCertificateChain trust error"
  670. " CERT_TRUST_IS_REVOKED");
  671. else if(dwTrustErrorMask & CERT_TRUST_IS_PARTIAL_CHAIN)
  672. failf(data, "schannel: CertGetCertificateChain trust error"
  673. " CERT_TRUST_IS_PARTIAL_CHAIN");
  674. else if(dwTrustErrorMask & CERT_TRUST_IS_UNTRUSTED_ROOT)
  675. failf(data, "schannel: CertGetCertificateChain trust error"
  676. " CERT_TRUST_IS_UNTRUSTED_ROOT");
  677. else if(dwTrustErrorMask & CERT_TRUST_IS_NOT_TIME_VALID)
  678. failf(data, "schannel: CertGetCertificateChain trust error"
  679. " CERT_TRUST_IS_NOT_TIME_VALID");
  680. else if(dwTrustErrorMask & CERT_TRUST_REVOCATION_STATUS_UNKNOWN)
  681. failf(data, "schannel: CertGetCertificateChain trust error"
  682. " CERT_TRUST_REVOCATION_STATUS_UNKNOWN");
  683. else
  684. failf(data, "schannel: CertGetCertificateChain error mask: 0x%08lx",
  685. dwTrustErrorMask);
  686. result = CURLE_PEER_FAILED_VERIFICATION;
  687. }
  688. }
  689. }
  690. if(result == CURLE_OK) {
  691. if(conn_config->verifyhost) {
  692. result = Curl_verify_host(cf, data);
  693. }
  694. }
  695. if(cert_chain_engine) {
  696. CertFreeCertificateChainEngine(cert_chain_engine);
  697. }
  698. if(own_trust_store) {
  699. CertCloseStore(own_trust_store, 0);
  700. }
  701. if(pChainContext)
  702. CertFreeCertificateChain(pChainContext);
  703. if(pCertContextServer)
  704. CertFreeCertificateContext(pCertContextServer);
  705. return result;
  706. }
  707. #endif /* HAS_MANUAL_VERIFY_API */
  708. #endif /* USE_SCHANNEL */