1 /***************************************************************************
2 * _ _ ____ _
3 * Project ___| | | | _ \| |
4 * / __| | | | |_) | |
5 * | (__| |_| | _ <| |___
6 * \___|\___/|_| \_\_____|
7 *
8 * Copyright (C) Marc Hoersken, <info@marc-hoersken.de>
9 * Copyright (C) Mark Salisbury, <mark.salisbury@hp.com>
10 * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
11 *
12 * This software is licensed as described in the file COPYING, which
13 * you should have received as part of this distribution. The terms
14 * are also available at https://curl.se/docs/copyright.html.
15 *
16 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
17 * copies of the Software, and permit persons to whom the Software is
18 * furnished to do so, under the terms of the COPYING file.
19 *
20 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
21 * KIND, either express or implied.
22 *
23 * SPDX-License-Identifier: curl
24 *
25 ***************************************************************************/
26
27 /*
28 * Source file for Schannel-specific certificate verification. This code should
29 * only be invoked by code in schannel.c.
30 */
31
32 #include "curl_setup.h"
33
34 #ifdef USE_SCHANNEL
35 #ifndef USE_WINDOWS_SSPI
36 # error "cannot compile SCHANNEL support without SSPI."
37 #endif
38
39 #include "schannel.h"
40 #include "schannel_int.h"
41
42 #include "inet_pton.h"
43 #include "vtls.h"
44 #include "vtls_int.h"
45 #include "sendf.h"
46 #include "strerror.h"
47 #include "curl_multibyte.h"
48 #include "curl_printf.h"
49 #include "hostcheck.h"
50 #include "version_win32.h"
51
52 /* The last #include file should be: */
53 #include "curl_memory.h"
54 #include "memdebug.h"
55
56 #define BACKEND ((struct schannel_ssl_backend_data *)connssl->backend)
57
58 #ifdef HAS_MANUAL_VERIFY_API
59
60 #define MAX_CAFILE_SIZE 1048576 /* 1 MiB */
61 #define BEGIN_CERT "-----BEGIN CERTIFICATE-----"
62 #define END_CERT "\n-----END CERTIFICATE-----"
63
64 struct cert_chain_engine_config_win7 {
65 DWORD cbSize;
66 HCERTSTORE hRestrictedRoot;
67 HCERTSTORE hRestrictedTrust;
68 HCERTSTORE hRestrictedOther;
69 DWORD cAdditionalStore;
70 HCERTSTORE *rghAdditionalStore;
71 DWORD dwFlags;
72 DWORD dwUrlRetrievalTimeout;
73 DWORD MaximumCachedCertificates;
74 DWORD CycleDetectionModulus;
75 HCERTSTORE hExclusiveRoot;
76 HCERTSTORE hExclusiveTrustedPeople;
77 };
78
is_cr_or_lf(char c)79 static int is_cr_or_lf(char c)
80 {
81 return c == '\r' || c == '\n';
82 }
83
84 /* Search the substring needle,needlelen into string haystack,haystacklen
85 * Strings do not need to be terminated by a '\0'.
86 * Similar of macOS/Linux memmem (not available on Visual Studio).
87 * Return position of beginning of first occurrence or NULL if not found
88 */
c_memmem(const void * haystack,size_t haystacklen,const void * needle,size_t needlelen)89 static const char *c_memmem(const void *haystack, size_t haystacklen,
90 const void *needle, size_t needlelen)
91 {
92 const char *p;
93 char first;
94 const char *str_limit = (const char *)haystack + haystacklen;
95 if(!needlelen || needlelen > haystacklen)
96 return NULL;
97 first = *(const char *)needle;
98 for(p = (const char *)haystack; p <= (str_limit - needlelen); p++)
99 if(((*p) == first) && (memcmp(p, needle, needlelen) == 0))
100 return p;
101
102 return NULL;
103 }
104
add_certs_data_to_store(HCERTSTORE trust_store,const char * ca_buffer,size_t ca_buffer_size,const char * ca_file_text,struct Curl_easy * data)105 static CURLcode add_certs_data_to_store(HCERTSTORE trust_store,
106 const char *ca_buffer,
107 size_t ca_buffer_size,
108 const char *ca_file_text,
109 struct Curl_easy *data)
110 {
111 const size_t begin_cert_len = strlen(BEGIN_CERT);
112 const size_t end_cert_len = strlen(END_CERT);
113 CURLcode result = CURLE_OK;
114 int num_certs = 0;
115 bool more_certs = 1;
116 const char *current_ca_file_ptr = ca_buffer;
117 const char *ca_buffer_limit = ca_buffer + ca_buffer_size;
118
119 while(more_certs && (current_ca_file_ptr < ca_buffer_limit)) {
120 const char *begin_cert_ptr = c_memmem(current_ca_file_ptr,
121 ca_buffer_limit-current_ca_file_ptr,
122 BEGIN_CERT,
123 begin_cert_len);
124 if(!begin_cert_ptr || !is_cr_or_lf(begin_cert_ptr[begin_cert_len])) {
125 more_certs = 0;
126 }
127 else {
128 const char *end_cert_ptr = c_memmem(begin_cert_ptr,
129 ca_buffer_limit-begin_cert_ptr,
130 END_CERT,
131 end_cert_len);
132 if(!end_cert_ptr) {
133 failf(data,
134 "schannel: CA file '%s' is not correctly formatted",
135 ca_file_text);
136 result = CURLE_SSL_CACERT_BADFILE;
137 more_certs = 0;
138 }
139 else {
140 CERT_BLOB cert_blob;
141 CERT_CONTEXT *cert_context = NULL;
142 BOOL add_cert_result = FALSE;
143 DWORD actual_content_type = 0;
144 DWORD cert_size = (DWORD)
145 ((end_cert_ptr + end_cert_len) - begin_cert_ptr);
146
147 cert_blob.pbData = (BYTE *)begin_cert_ptr;
148 cert_blob.cbData = cert_size;
149 if(!CryptQueryObject(CERT_QUERY_OBJECT_BLOB,
150 &cert_blob,
151 CERT_QUERY_CONTENT_FLAG_CERT,
152 CERT_QUERY_FORMAT_FLAG_ALL,
153 0,
154 NULL,
155 &actual_content_type,
156 NULL,
157 NULL,
158 NULL,
159 (const void **)&cert_context)) {
160 char buffer[STRERROR_LEN];
161 failf(data,
162 "schannel: failed to extract certificate from CA file "
163 "'%s': %s",
164 ca_file_text,
165 Curl_winapi_strerror(GetLastError(), buffer, sizeof(buffer)));
166 result = CURLE_SSL_CACERT_BADFILE;
167 more_certs = 0;
168 }
169 else {
170 current_ca_file_ptr = begin_cert_ptr + cert_size;
171
172 /* Sanity check that the cert_context object is the right type */
173 if(CERT_QUERY_CONTENT_CERT != actual_content_type) {
174 failf(data,
175 "schannel: unexpected content type '%lu' when extracting "
176 "certificate from CA file '%s'",
177 actual_content_type, ca_file_text);
178 result = CURLE_SSL_CACERT_BADFILE;
179 more_certs = 0;
180 }
181 else {
182 add_cert_result =
183 CertAddCertificateContextToStore(trust_store,
184 cert_context,
185 CERT_STORE_ADD_ALWAYS,
186 NULL);
187 CertFreeCertificateContext(cert_context);
188 if(!add_cert_result) {
189 char buffer[STRERROR_LEN];
190 failf(data,
191 "schannel: failed to add certificate from CA file '%s' "
192 "to certificate store: %s",
193 ca_file_text,
194 Curl_winapi_strerror(GetLastError(), buffer,
195 sizeof(buffer)));
196 result = CURLE_SSL_CACERT_BADFILE;
197 more_certs = 0;
198 }
199 else {
200 num_certs++;
201 }
202 }
203 }
204 }
205 }
206 }
207
208 if(result == CURLE_OK) {
209 if(!num_certs) {
210 infof(data,
211 "schannel: did not add any certificates from CA file '%s'",
212 ca_file_text);
213 }
214 else {
215 infof(data,
216 "schannel: added %d certificate(s) from CA file '%s'",
217 num_certs, ca_file_text);
218 }
219 }
220 return result;
221 }
222
add_certs_file_to_store(HCERTSTORE trust_store,const char * ca_file,struct Curl_easy * data)223 static CURLcode add_certs_file_to_store(HCERTSTORE trust_store,
224 const char *ca_file,
225 struct Curl_easy *data)
226 {
227 CURLcode result;
228 HANDLE ca_file_handle = INVALID_HANDLE_VALUE;
229 LARGE_INTEGER file_size;
230 char *ca_file_buffer = NULL;
231 TCHAR *ca_file_tstr = NULL;
232 size_t ca_file_bufsize = 0;
233 DWORD total_bytes_read = 0;
234
235 ca_file_tstr = curlx_convert_UTF8_to_tchar((char *)ca_file);
236 if(!ca_file_tstr) {
237 char buffer[STRERROR_LEN];
238 failf(data,
239 "schannel: invalid path name for CA file '%s': %s",
240 ca_file,
241 Curl_winapi_strerror(GetLastError(), buffer, sizeof(buffer)));
242 result = CURLE_SSL_CACERT_BADFILE;
243 goto cleanup;
244 }
245
246 /*
247 * Read the CA file completely into memory before parsing it. This
248 * optimizes for the common case where the CA file will be relatively
249 * small ( < 1 MiB ).
250 */
251 ca_file_handle = CreateFile(ca_file_tstr,
252 GENERIC_READ,
253 FILE_SHARE_READ,
254 NULL,
255 OPEN_EXISTING,
256 FILE_ATTRIBUTE_NORMAL,
257 NULL);
258 if(ca_file_handle == INVALID_HANDLE_VALUE) {
259 char buffer[STRERROR_LEN];
260 failf(data,
261 "schannel: failed to open CA file '%s': %s",
262 ca_file,
263 Curl_winapi_strerror(GetLastError(), buffer, sizeof(buffer)));
264 result = CURLE_SSL_CACERT_BADFILE;
265 goto cleanup;
266 }
267
268 if(!GetFileSizeEx(ca_file_handle, &file_size)) {
269 char buffer[STRERROR_LEN];
270 failf(data,
271 "schannel: failed to determine size of CA file '%s': %s",
272 ca_file,
273 Curl_winapi_strerror(GetLastError(), buffer, sizeof(buffer)));
274 result = CURLE_SSL_CACERT_BADFILE;
275 goto cleanup;
276 }
277
278 if(file_size.QuadPart > MAX_CAFILE_SIZE) {
279 failf(data,
280 "schannel: CA file exceeds max size of %u bytes",
281 MAX_CAFILE_SIZE);
282 result = CURLE_SSL_CACERT_BADFILE;
283 goto cleanup;
284 }
285
286 ca_file_bufsize = (size_t)file_size.QuadPart;
287 ca_file_buffer = (char *)malloc(ca_file_bufsize + 1);
288 if(!ca_file_buffer) {
289 result = CURLE_OUT_OF_MEMORY;
290 goto cleanup;
291 }
292
293 while(total_bytes_read < ca_file_bufsize) {
294 DWORD bytes_to_read = (DWORD)(ca_file_bufsize - total_bytes_read);
295 DWORD bytes_read = 0;
296
297 if(!ReadFile(ca_file_handle, ca_file_buffer + total_bytes_read,
298 bytes_to_read, &bytes_read, NULL)) {
299 char buffer[STRERROR_LEN];
300 failf(data,
301 "schannel: failed to read from CA file '%s': %s",
302 ca_file,
303 Curl_winapi_strerror(GetLastError(), buffer, sizeof(buffer)));
304 result = CURLE_SSL_CACERT_BADFILE;
305 goto cleanup;
306 }
307 if(bytes_read == 0) {
308 /* Premature EOF -- adjust the bufsize to the new value */
309 ca_file_bufsize = total_bytes_read;
310 }
311 else {
312 total_bytes_read += bytes_read;
313 }
314 }
315
316 /* Null terminate the buffer */
317 ca_file_buffer[ca_file_bufsize] = '\0';
318
319 result = add_certs_data_to_store(trust_store,
320 ca_file_buffer, ca_file_bufsize,
321 ca_file,
322 data);
323
324 cleanup:
325 if(ca_file_handle != INVALID_HANDLE_VALUE) {
326 CloseHandle(ca_file_handle);
327 }
328 Curl_safefree(ca_file_buffer);
329 curlx_unicodefree(ca_file_tstr);
330
331 return result;
332 }
333
334 #endif /* HAS_MANUAL_VERIFY_API */
335
336 /*
337 * Returns the number of characters necessary to populate all the host_names.
338 * If host_names is not NULL, populate it with all the hostnames. Each string
339 * in the host_names is null-terminated and the last string is double
340 * null-terminated. If no DNS names are found, a single null-terminated empty
341 * string is returned.
342 */
cert_get_name_string(struct Curl_easy * data,CERT_CONTEXT * cert_context,LPTSTR host_names,DWORD length,PCERT_ALT_NAME_INFO alt_name_info,BOOL Win8_compat)343 static DWORD cert_get_name_string(struct Curl_easy *data,
344 CERT_CONTEXT *cert_context,
345 LPTSTR host_names,
346 DWORD length,
347 PCERT_ALT_NAME_INFO alt_name_info,
348 BOOL Win8_compat)
349 {
350 DWORD actual_length = 0;
351 #if defined(CURL_WINDOWS_UWP)
352 (void)data;
353 (void)cert_context;
354 (void)host_names;
355 (void)length;
356 (void)alt_name_info;
357 (void)Win8_compat;
358 #else
359 BOOL compute_content = FALSE;
360 LPTSTR current_pos = NULL;
361 DWORD i;
362
363 #ifdef CERT_NAME_SEARCH_ALL_NAMES_FLAG
364 /* CERT_NAME_SEARCH_ALL_NAMES_FLAG is available from Windows 8 onwards. */
365 if(Win8_compat) {
366 /* CertGetNameString will provide the 8-bit character string without
367 * any decoding */
368 DWORD name_flags =
369 CERT_NAME_DISABLE_IE4_UTF8_FLAG | CERT_NAME_SEARCH_ALL_NAMES_FLAG;
370 actual_length = CertGetNameString(cert_context,
371 CERT_NAME_DNS_TYPE,
372 name_flags,
373 NULL,
374 host_names,
375 length);
376 return actual_length;
377 }
378 #else
379 (void)cert_context;
380 (void)Win8_compat;
381 #endif
382
383 compute_content = host_names != NULL && length != 0;
384
385 /* Initialize default return values. */
386 actual_length = 1;
387 if(compute_content) {
388 *host_names = '\0';
389 }
390
391 current_pos = host_names;
392
393 /* Iterate over the alternate names and populate host_names. */
394 for(i = 0; i < alt_name_info->cAltEntry; i++) {
395 const CERT_ALT_NAME_ENTRY *entry = &alt_name_info->rgAltEntry[i];
396 wchar_t *dns_w = NULL;
397 size_t current_length = 0;
398
399 if(entry->dwAltNameChoice != CERT_ALT_NAME_DNS_NAME) {
400 continue;
401 }
402 if(!entry->pwszDNSName) {
403 infof(data, "schannel: Empty DNS name.");
404 continue;
405 }
406 current_length = wcslen(entry->pwszDNSName) + 1;
407 if(!compute_content) {
408 actual_length += (DWORD)current_length;
409 continue;
410 }
411 /* Sanity check to prevent buffer overrun. */
412 if((actual_length + current_length) > length) {
413 failf(data, "schannel: Not enough memory to list all hostnames.");
414 break;
415 }
416 dns_w = entry->pwszDNSName;
417 /* pwszDNSName is in ia5 string format and hence does not contain any
418 * non-ASCII characters. */
419 while(*dns_w != '\0') {
420 *current_pos++ = (TCHAR)(*dns_w++);
421 }
422 *current_pos++ = '\0';
423 actual_length += (DWORD)current_length;
424 }
425 if(compute_content) {
426 /* Last string has double null-terminator. */
427 *current_pos = '\0';
428 }
429 #endif
430 return actual_length;
431 }
432
433 /*
434 * Returns TRUE if the hostname is a numeric IPv4/IPv6 Address,
435 * and populates the buffer with IPv4/IPv6 info.
436 */
437
get_num_host_info(struct num_ip_data * ip_blob,LPCSTR hostname)438 static bool get_num_host_info(struct num_ip_data *ip_blob,
439 LPCSTR hostname)
440 {
441 struct in_addr ia;
442 struct in6_addr ia6;
443 bool result = FALSE;
444
445 int res = Curl_inet_pton(AF_INET, hostname, &ia);
446 if(res) {
447 ip_blob->size = sizeof(struct in_addr);
448 memcpy(&ip_blob->bData.ia, &ia, sizeof(struct in_addr));
449 result = TRUE;
450 }
451 else {
452 res = Curl_inet_pton(AF_INET6, hostname, &ia6);
453 if(res) {
454 ip_blob->size = sizeof(struct in6_addr);
455 memcpy(&ip_blob->bData.ia6, &ia6, sizeof(struct in6_addr));
456 result = TRUE;
457 }
458 }
459 return result;
460 }
461
get_alt_name_info(struct Curl_easy * data,PCCERT_CONTEXT ctx,PCERT_ALT_NAME_INFO * alt_name_info,LPDWORD alt_name_info_size)462 static bool get_alt_name_info(struct Curl_easy *data,
463 PCCERT_CONTEXT ctx,
464 PCERT_ALT_NAME_INFO *alt_name_info,
465 LPDWORD alt_name_info_size)
466 {
467 bool result = FALSE;
468 #if defined(CURL_WINDOWS_UWP)
469 (void)data;
470 (void)ctx;
471 (void)alt_name_info;
472 (void)alt_name_info_size;
473 #else
474 PCERT_INFO cert_info = NULL;
475 PCERT_EXTENSION extension = NULL;
476 CRYPT_DECODE_PARA decode_para = { sizeof(CRYPT_DECODE_PARA), NULL, NULL };
477
478 if(!ctx) {
479 failf(data, "schannel: Null certificate context.");
480 return result;
481 }
482
483 cert_info = ctx->pCertInfo;
484 if(!cert_info) {
485 failf(data, "schannel: Null certificate info.");
486 return result;
487 }
488
489 extension = CertFindExtension(szOID_SUBJECT_ALT_NAME2,
490 cert_info->cExtension,
491 cert_info->rgExtension);
492 if(!extension) {
493 failf(data, "schannel: CertFindExtension() returned no extension.");
494 return result;
495 }
496
497 if(!CryptDecodeObjectEx(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
498 szOID_SUBJECT_ALT_NAME2,
499 extension->Value.pbData,
500 extension->Value.cbData,
501 CRYPT_DECODE_ALLOC_FLAG | CRYPT_DECODE_NOCOPY_FLAG,
502 &decode_para,
503 alt_name_info,
504 alt_name_info_size)) {
505 failf(data,
506 "schannel: CryptDecodeObjectEx() returned no alternate name "
507 "information.");
508 return result;
509 }
510 result = TRUE;
511 #endif
512 return result;
513 }
514
515 /* Verify the server's hostname */
Curl_verify_host(struct Curl_cfilter * cf,struct Curl_easy * data)516 CURLcode Curl_verify_host(struct Curl_cfilter *cf,
517 struct Curl_easy *data)
518 {
519 struct ssl_connect_data *connssl = cf->ctx;
520 SECURITY_STATUS sspi_status;
521 CURLcode result = CURLE_PEER_FAILED_VERIFICATION;
522 CERT_CONTEXT *pCertContextServer = NULL;
523 TCHAR *cert_hostname_buff = NULL;
524 size_t cert_hostname_buff_index = 0;
525 const char *conn_hostname = connssl->peer.hostname;
526 size_t hostlen = strlen(conn_hostname);
527 DWORD len = 0;
528 DWORD actual_len = 0;
529 PCERT_ALT_NAME_INFO alt_name_info = NULL;
530 DWORD alt_name_info_size = 0;
531 struct num_ip_data ip_blob = { 0 };
532 bool Win8_compat;
533 struct num_ip_data *p = &ip_blob;
534 DWORD i;
535
536 sspi_status =
537 Curl_pSecFn->QueryContextAttributes(&BACKEND->ctxt->ctxt_handle,
538 SECPKG_ATTR_REMOTE_CERT_CONTEXT,
539 &pCertContextServer);
540
541 if((sspi_status != SEC_E_OK) || !pCertContextServer) {
542 char buffer[STRERROR_LEN];
543 failf(data, "schannel: Failed to read remote certificate context: %s",
544 Curl_sspi_strerror(sspi_status, buffer, sizeof(buffer)));
545 goto cleanup;
546 }
547
548 Win8_compat = curlx_verify_windows_version(6, 2, 0, PLATFORM_WINNT,
549 VERSION_GREATER_THAN_EQUAL);
550 if(get_num_host_info(p, conn_hostname) || !Win8_compat) {
551 if(!get_alt_name_info(data, pCertContextServer,
552 &alt_name_info, &alt_name_info_size)) {
553 goto cleanup;
554 }
555 }
556
557 if(p->size) {
558 for(i = 0; i < alt_name_info->cAltEntry; ++i) {
559 PCERT_ALT_NAME_ENTRY entry = &alt_name_info->rgAltEntry[i];
560 if(entry->dwAltNameChoice == CERT_ALT_NAME_IP_ADDRESS) {
561 if(entry->IPAddress.cbData == p->size) {
562 if(!memcmp(entry->IPAddress.pbData, &p->bData,
563 entry->IPAddress.cbData)) {
564 result = CURLE_OK;
565 infof(data,
566 "schannel: connection hostname (%s) matched cert's IP address!",
567 conn_hostname);
568 break;
569 }
570 }
571 }
572 }
573 }
574
575 else {
576 /* Determine the size of the string needed for the cert hostname */
577 len = cert_get_name_string(data, pCertContextServer,
578 NULL, 0, alt_name_info, Win8_compat);
579 if(len == 0) {
580 failf(data,
581 "schannel: CertGetNameString() returned no "
582 "certificate name information");
583 goto cleanup;
584 }
585
586 /* CertGetNameString guarantees that the returned name will not contain
587 * embedded null bytes. This appears to be undocumented behavior.
588 */
589 cert_hostname_buff = (LPTSTR)malloc(len * sizeof(TCHAR));
590 if(!cert_hostname_buff) {
591 result = CURLE_OUT_OF_MEMORY;
592 goto cleanup;
593 }
594 actual_len = cert_get_name_string(data, pCertContextServer,
595 (LPTSTR)cert_hostname_buff, len, alt_name_info, Win8_compat);
596
597 /* Sanity check */
598 if(actual_len != len) {
599 failf(data,
600 "schannel: CertGetNameString() returned certificate "
601 "name information of unexpected size");
602 goto cleanup;
603 }
604
605 /* cert_hostname_buff contains all DNS names, where each name is
606 * null-terminated and the last DNS name is double null-terminated. Due to
607 * this encoding, use the length of the buffer to iterate over all names.
608 */
609 while(cert_hostname_buff_index < len &&
610 cert_hostname_buff[cert_hostname_buff_index] != TEXT('\0') &&
611 result == CURLE_PEER_FAILED_VERIFICATION) {
612
613 char *cert_hostname;
614
615 /* Comparing the cert name and the connection hostname encoded as UTF-8
616 * is acceptable since both values are assumed to use ASCII
617 * (or some equivalent) encoding
618 */
619 cert_hostname = curlx_convert_tchar_to_UTF8(
620 &cert_hostname_buff[cert_hostname_buff_index]);
621 if(!cert_hostname) {
622 result = CURLE_OUT_OF_MEMORY;
623 }
624 else {
625 if(Curl_cert_hostcheck(cert_hostname, strlen(cert_hostname),
626 conn_hostname, hostlen)) {
627 infof(data,
628 "schannel: connection hostname (%s) validated "
629 "against certificate name (%s)",
630 conn_hostname, cert_hostname);
631 result = CURLE_OK;
632 }
633 else {
634 size_t cert_hostname_len;
635
636 infof(data,
637 "schannel: connection hostname (%s) did not match "
638 "against certificate name (%s)",
639 conn_hostname, cert_hostname);
640
641 cert_hostname_len =
642 _tcslen(&cert_hostname_buff[cert_hostname_buff_index]);
643
644 /* Move on to next cert name */
645 cert_hostname_buff_index += cert_hostname_len + 1;
646
647 result = CURLE_PEER_FAILED_VERIFICATION;
648 }
649 curlx_unicodefree(cert_hostname);
650 }
651 }
652
653 if(result == CURLE_PEER_FAILED_VERIFICATION) {
654 failf(data,
655 "schannel: CertGetNameString() failed to match "
656 "connection hostname (%s) against server certificate names",
657 conn_hostname);
658 }
659 else if(result != CURLE_OK)
660 failf(data, "schannel: server certificate name verification failed");
661 }
662
663 cleanup:
664 Curl_safefree(cert_hostname_buff);
665
666 if(pCertContextServer)
667 CertFreeCertificateContext(pCertContextServer);
668
669 return result;
670 }
671
672 #ifdef HAS_MANUAL_VERIFY_API
673 /* Verify the server's certificate and hostname */
Curl_verify_certificate(struct Curl_cfilter * cf,struct Curl_easy * data)674 CURLcode Curl_verify_certificate(struct Curl_cfilter *cf,
675 struct Curl_easy *data)
676 {
677 struct ssl_connect_data *connssl = cf->ctx;
678 struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
679 struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
680 SECURITY_STATUS sspi_status;
681 CURLcode result = CURLE_OK;
682 CERT_CONTEXT *pCertContextServer = NULL;
683 const CERT_CHAIN_CONTEXT *pChainContext = NULL;
684 HCERTCHAINENGINE cert_chain_engine = NULL;
685 HCERTSTORE trust_store = NULL;
686 HCERTSTORE own_trust_store = NULL;
687
688 DEBUGASSERT(BACKEND);
689
690 sspi_status =
691 Curl_pSecFn->QueryContextAttributes(&BACKEND->ctxt->ctxt_handle,
692 SECPKG_ATTR_REMOTE_CERT_CONTEXT,
693 &pCertContextServer);
694
695 if((sspi_status != SEC_E_OK) || !pCertContextServer) {
696 char buffer[STRERROR_LEN];
697 failf(data, "schannel: Failed to read remote certificate context: %s",
698 Curl_sspi_strerror(sspi_status, buffer, sizeof(buffer)));
699 result = CURLE_PEER_FAILED_VERIFICATION;
700 }
701
702 if(result == CURLE_OK &&
703 (conn_config->CAfile || conn_config->ca_info_blob) &&
704 BACKEND->use_manual_cred_validation) {
705 /*
706 * Create a chain engine that uses the certificates in the CA file as
707 * trusted certificates. This is only supported on Windows 7+.
708 */
709
710 if(curlx_verify_windows_version(6, 1, 0, PLATFORM_WINNT,
711 VERSION_LESS_THAN)) {
712 failf(data, "schannel: this version of Windows is too old to support "
713 "certificate verification via CA bundle file.");
714 result = CURLE_SSL_CACERT_BADFILE;
715 }
716 else {
717 /* try cache */
718 trust_store = Curl_schannel_get_cached_cert_store(cf, data);
719
720 if(trust_store) {
721 infof(data, "schannel: reusing certificate store from cache");
722 }
723 else {
724 /* Open the certificate store */
725 trust_store = CertOpenStore(CERT_STORE_PROV_MEMORY,
726 0,
727 (HCRYPTPROV)NULL,
728 CERT_STORE_CREATE_NEW_FLAG,
729 NULL);
730 if(!trust_store) {
731 char buffer[STRERROR_LEN];
732 failf(data, "schannel: failed to create certificate store: %s",
733 Curl_winapi_strerror(GetLastError(), buffer, sizeof(buffer)));
734 result = CURLE_SSL_CACERT_BADFILE;
735 }
736 else {
737 const struct curl_blob *ca_info_blob = conn_config->ca_info_blob;
738 own_trust_store = trust_store;
739
740 if(ca_info_blob) {
741 result = add_certs_data_to_store(trust_store,
742 (const char *)ca_info_blob->data,
743 ca_info_blob->len,
744 "(memory blob)",
745 data);
746 }
747 else {
748 result = add_certs_file_to_store(trust_store,
749 conn_config->CAfile,
750 data);
751 }
752 if(result == CURLE_OK) {
753 if(Curl_schannel_set_cached_cert_store(cf, data, trust_store)) {
754 own_trust_store = NULL;
755 }
756 }
757 }
758 }
759 }
760
761 if(result == CURLE_OK) {
762 struct cert_chain_engine_config_win7 engine_config;
763 BOOL create_engine_result;
764
765 memset(&engine_config, 0, sizeof(engine_config));
766 engine_config.cbSize = sizeof(engine_config);
767 engine_config.hExclusiveRoot = trust_store;
768
769 /* CertCreateCertificateChainEngine will check the expected size of the
770 * CERT_CHAIN_ENGINE_CONFIG structure and fail if the specified size
771 * does not match the expected size. When this occurs, it indicates that
772 * CAINFO is not supported on the version of Windows in use.
773 */
774 create_engine_result =
775 CertCreateCertificateChainEngine(
776 (CERT_CHAIN_ENGINE_CONFIG *)&engine_config, &cert_chain_engine);
777 if(!create_engine_result) {
778 char buffer[STRERROR_LEN];
779 failf(data,
780 "schannel: failed to create certificate chain engine: %s",
781 Curl_winapi_strerror(GetLastError(), buffer, sizeof(buffer)));
782 result = CURLE_SSL_CACERT_BADFILE;
783 }
784 }
785 }
786
787 if(result == CURLE_OK) {
788 CERT_CHAIN_PARA ChainPara;
789
790 memset(&ChainPara, 0, sizeof(ChainPara));
791 ChainPara.cbSize = sizeof(ChainPara);
792
793 if(!CertGetCertificateChain(cert_chain_engine,
794 pCertContextServer,
795 NULL,
796 pCertContextServer->hCertStore,
797 &ChainPara,
798 (ssl_config->no_revoke ? 0 :
799 CERT_CHAIN_REVOCATION_CHECK_CHAIN),
800 NULL,
801 &pChainContext)) {
802 char buffer[STRERROR_LEN];
803 failf(data, "schannel: CertGetCertificateChain failed: %s",
804 Curl_winapi_strerror(GetLastError(), buffer, sizeof(buffer)));
805 pChainContext = NULL;
806 result = CURLE_PEER_FAILED_VERIFICATION;
807 }
808
809 if(result == CURLE_OK) {
810 CERT_SIMPLE_CHAIN *pSimpleChain = pChainContext->rgpChain[0];
811 DWORD dwTrustErrorMask = ~(DWORD)(CERT_TRUST_IS_NOT_TIME_NESTED);
812 dwTrustErrorMask &= pSimpleChain->TrustStatus.dwErrorStatus;
813
814 if(data->set.ssl.revoke_best_effort) {
815 /* Ignore errors when root certificates are missing the revocation
816 * list URL, or when the list could not be downloaded because the
817 * server is currently unreachable. */
818 dwTrustErrorMask &= ~(DWORD)(CERT_TRUST_REVOCATION_STATUS_UNKNOWN |
819 CERT_TRUST_IS_OFFLINE_REVOCATION);
820 }
821
822 if(dwTrustErrorMask) {
823 if(dwTrustErrorMask & CERT_TRUST_IS_REVOKED)
824 failf(data, "schannel: CertGetCertificateChain trust error"
825 " CERT_TRUST_IS_REVOKED");
826 else if(dwTrustErrorMask & CERT_TRUST_IS_PARTIAL_CHAIN)
827 failf(data, "schannel: CertGetCertificateChain trust error"
828 " CERT_TRUST_IS_PARTIAL_CHAIN");
829 else if(dwTrustErrorMask & CERT_TRUST_IS_UNTRUSTED_ROOT)
830 failf(data, "schannel: CertGetCertificateChain trust error"
831 " CERT_TRUST_IS_UNTRUSTED_ROOT");
832 else if(dwTrustErrorMask & CERT_TRUST_IS_NOT_TIME_VALID)
833 failf(data, "schannel: CertGetCertificateChain trust error"
834 " CERT_TRUST_IS_NOT_TIME_VALID");
835 else if(dwTrustErrorMask & CERT_TRUST_REVOCATION_STATUS_UNKNOWN)
836 failf(data, "schannel: CertGetCertificateChain trust error"
837 " CERT_TRUST_REVOCATION_STATUS_UNKNOWN");
838 else
839 failf(data, "schannel: CertGetCertificateChain error mask: 0x%08lx",
840 dwTrustErrorMask);
841 result = CURLE_PEER_FAILED_VERIFICATION;
842 }
843 }
844 }
845
846 if(result == CURLE_OK) {
847 if(conn_config->verifyhost) {
848 result = Curl_verify_host(cf, data);
849 }
850 }
851
852 if(cert_chain_engine) {
853 CertFreeCertificateChainEngine(cert_chain_engine);
854 }
855
856 if(own_trust_store) {
857 CertCloseStore(own_trust_store, 0);
858 }
859
860 if(pChainContext)
861 CertFreeCertificateChain(pChainContext);
862
863 if(pCertContextServer)
864 CertFreeCertificateContext(pCertContextServer);
865
866 return result;
867 }
868
869 #endif /* HAS_MANUAL_VERIFY_API */
870 #endif /* USE_SCHANNEL */
871
