Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
W
wine-winehq
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
wine
wine-winehq
Commits
82d07c40
Commit
82d07c40
authored
Dec 03, 2009
by
Juan Lang
Committed by
Alexandre Julliard
Dec 04, 2009
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
winhttp: Check the certificate in an https connection using the crypto api.
parent
48a75801
Show whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
144 additions
and
30 deletions
+144
-30
net.c
dlls/winhttp/net.c
+144
-30
No files found.
dlls/winhttp/net.c
View file @
82d07c40
...
...
@@ -212,15 +212,156 @@ static int sock_get_error( int err )
}
#ifdef SONAME_LIBSSL
static
PCCERT_CONTEXT
X509_to_cert_context
(
X509
*
cert
)
{
unsigned
char
*
buffer
,
*
p
;
int
len
;
BOOL
malloc
=
FALSE
;
PCCERT_CONTEXT
ret
;
p
=
NULL
;
if
((
len
=
pi2d_X509
(
cert
,
&
p
))
<
0
)
return
NULL
;
/*
* SSL 0.9.7 and above malloc the buffer if it is null.
* however earlier version do not and so we would need to alloc the buffer.
*
* see the i2d_X509 man page for more details.
*/
if
(
!
p
)
{
if
(
!
(
buffer
=
heap_alloc
(
len
)))
return
NULL
;
p
=
buffer
;
len
=
pi2d_X509
(
cert
,
&
p
);
}
else
{
buffer
=
p
;
malloc
=
TRUE
;
}
ret
=
CertCreateCertificateContext
(
X509_ASN_ENCODING
,
buffer
,
len
);
if
(
malloc
)
free
(
buffer
);
else
heap_free
(
buffer
);
return
ret
;
}
static
BOOL
netconn_verify_cert
(
PCCERT_CONTEXT
cert
,
HCERTSTORE
store
,
WCHAR
*
server
)
{
BOOL
ret
;
CERT_CHAIN_PARA
chainPara
=
{
sizeof
(
chainPara
),
{
0
}
};
PCCERT_CHAIN_CONTEXT
chain
;
char
oid_server_auth
[]
=
szOID_PKIX_KP_SERVER_AUTH
;
char
*
server_auth
[]
=
{
oid_server_auth
};
DWORD
err
;
TRACE
(
"verifying %s
\n
"
,
debugstr_w
(
server
));
chainPara
.
RequestedUsage
.
Usage
.
cUsageIdentifier
=
1
;
chainPara
.
RequestedUsage
.
Usage
.
rgpszUsageIdentifier
=
server_auth
;
if
((
ret
=
CertGetCertificateChain
(
NULL
,
cert
,
NULL
,
store
,
&
chainPara
,
0
,
NULL
,
&
chain
)))
{
if
(
chain
->
TrustStatus
.
dwErrorStatus
)
{
if
(
chain
->
TrustStatus
.
dwErrorStatus
&
CERT_TRUST_IS_NOT_TIME_VALID
)
err
=
ERROR_WINHTTP_SECURE_CERT_DATE_INVALID
;
else
if
(
chain
->
TrustStatus
.
dwErrorStatus
&
CERT_TRUST_IS_UNTRUSTED_ROOT
)
err
=
ERROR_WINHTTP_SECURE_INVALID_CA
;
else
if
((
chain
->
TrustStatus
.
dwErrorStatus
&
CERT_TRUST_IS_OFFLINE_REVOCATION
)
||
(
chain
->
TrustStatus
.
dwErrorStatus
&
CERT_TRUST_REVOCATION_STATUS_UNKNOWN
))
err
=
ERROR_WINHTTP_SECURE_CERT_REV_FAILED
;
else
if
(
chain
->
TrustStatus
.
dwErrorStatus
&
CERT_TRUST_IS_REVOKED
)
err
=
ERROR_WINHTTP_SECURE_CERT_REVOKED
;
else
if
(
chain
->
TrustStatus
.
dwErrorStatus
&
CERT_TRUST_IS_NOT_VALID_FOR_USAGE
)
err
=
ERROR_WINHTTP_SECURE_CERT_WRONG_USAGE
;
else
err
=
ERROR_WINHTTP_SECURE_INVALID_CERT
;
set_last_error
(
err
);
ret
=
FALSE
;
}
else
{
CERT_CHAIN_POLICY_PARA
policyPara
;
SSL_EXTRA_CERT_CHAIN_POLICY_PARA
sslExtraPolicyPara
;
CERT_CHAIN_POLICY_STATUS
policyStatus
;
sslExtraPolicyPara
.
cbSize
=
sizeof
(
sslExtraPolicyPara
);
sslExtraPolicyPara
.
dwAuthType
=
AUTHTYPE_SERVER
;
sslExtraPolicyPara
.
pwszServerName
=
server
;
policyPara
.
cbSize
=
sizeof
(
policyPara
);
policyPara
.
dwFlags
=
0
;
policyPara
.
pvExtraPolicyPara
=
&
sslExtraPolicyPara
;
ret
=
CertVerifyCertificateChainPolicy
(
CERT_CHAIN_POLICY_SSL
,
chain
,
&
policyPara
,
&
policyStatus
);
/* Any error in the policy status indicates that the
* policy couldn't be verified.
*/
if
(
ret
&&
policyStatus
.
dwError
)
{
if
(
policyStatus
.
dwError
==
CERT_E_CN_NO_MATCH
)
err
=
ERROR_WINHTTP_SECURE_CERT_CN_INVALID
;
else
err
=
ERROR_WINHTTP_SECURE_INVALID_CERT
;
set_last_error
(
err
);
ret
=
FALSE
;
}
}
CertFreeCertificateChain
(
chain
);
}
TRACE
(
"returning %d
\n
"
,
ret
);
return
ret
;
}
static
int
netconn_secure_verify
(
int
preverify_ok
,
X509_STORE_CTX
*
ctx
)
{
SSL
*
ssl
;
WCHAR
*
server
;
BOOL
ret
=
FALSE
;
ssl
=
pX509_STORE_CTX_get_ex_data
(
ctx
,
pSSL_get_ex_data_X509_STORE_CTX_idx
()
);
server
=
pSSL_get_ex_data
(
ssl
,
hostname_idx
);
FIXME
(
"verify %s
\n
"
,
debugstr_w
(
server
));
return
preverify_ok
;
if
(
preverify_ok
)
{
HCERTSTORE
store
=
CertOpenStore
(
CERT_STORE_PROV_MEMORY
,
0
,
0
,
CERT_STORE_CREATE_NEW_FLAG
,
NULL
);
if
(
store
)
{
X509
*
cert
;
int
i
;
PCCERT_CONTEXT
endCert
=
NULL
;
ret
=
TRUE
;
for
(
i
=
0
;
ret
&&
i
<
ctx
->
chain
->
num
;
i
++
)
{
PCCERT_CONTEXT
context
;
cert
=
(
X509
*
)
ctx
->
chain
->
data
[
i
];
if
((
context
=
X509_to_cert_context
(
cert
)))
{
if
(
i
==
0
)
ret
=
CertAddCertificateContextToStore
(
store
,
context
,
CERT_STORE_ADD_ALWAYS
,
&
endCert
);
else
ret
=
CertAddCertificateContextToStore
(
store
,
context
,
CERT_STORE_ADD_ALWAYS
,
NULL
);
CertFreeCertificateContext
(
context
);
}
}
if
(
ret
)
ret
=
netconn_verify_cert
(
endCert
,
store
,
server
);
CertFreeCertificateContext
(
endCert
);
CertCloseStore
(
store
,
0
);
}
}
return
ret
;
}
#endif
...
...
@@ -794,39 +935,12 @@ const void *netconn_get_certificate( netconn_t *conn )
{
#ifdef SONAME_LIBSSL
X509
*
cert
;
unsigned
char
*
buffer
,
*
p
;
int
len
;
BOOL
malloc
=
FALSE
;
const
CERT_CONTEXT
*
ret
;
if
(
!
conn
->
secure
)
return
NULL
;
if
(
!
(
cert
=
pSSL_get_peer_certificate
(
conn
->
ssl_conn
)))
return
NULL
;
p
=
NULL
;
if
((
len
=
pi2d_X509
(
cert
,
&
p
))
<
0
)
return
NULL
;
/*
* SSL 0.9.7 and above malloc the buffer if it is null.
* however earlier version do not and so we would need to alloc the buffer.
*
* see the i2d_X509 man page for more details.
*/
if
(
!
p
)
{
if
(
!
(
buffer
=
heap_alloc
(
len
)))
return
NULL
;
p
=
buffer
;
len
=
pi2d_X509
(
cert
,
&
p
);
}
else
{
buffer
=
p
;
malloc
=
TRUE
;
}
ret
=
CertCreateCertificateContext
(
X509_ASN_ENCODING
,
buffer
,
len
);
if
(
malloc
)
free
(
buffer
);
else
heap_free
(
buffer
);
ret
=
X509_to_cert_context
(
cert
);
return
ret
;
#else
return
NULL
;
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment