1
0
mirror of https://github.com/moparisthebest/curl synced 2024-12-25 01:28:51 -05:00

schannel: disable manual verify if APIs not available

.. because original MinGW and old compilers do not have the Windows API
definitions needed to support manual verification.
This commit is contained in:
Jay Satiro 2018-05-16 02:02:29 -04:00
parent 1592ea9792
commit 4584cc4499
3 changed files with 37 additions and 4 deletions

View File

@ -307,10 +307,15 @@ schannel_connect_step1(struct connectdata *conn, int sockindex)
#endif #endif
#ifdef _WIN32_WCE #ifdef _WIN32_WCE
#ifdef HAS_MANUAL_VERIFY_API
/* certificate validation on CE doesn't seem to work right; we'll /* certificate validation on CE doesn't seem to work right; we'll
* do it following a more manual process. */ * do it following a more manual process. */
BACKEND->use_manual_cred_validation = true; BACKEND->use_manual_cred_validation = true;
#else #else
#error "compiler too old to support requisite manual cert verify for Win CE"
#endif
#else
#ifdef HAS_MANUAL_VERIFY_API
if(SSL_CONN_CONFIG(CAfile)) { if(SSL_CONN_CONFIG(CAfile)) {
if(Curl_verify_windows_version(6, 1, PLATFORM_WINNT, if(Curl_verify_windows_version(6, 1, PLATFORM_WINNT,
VERSION_GREATER_THAN_EQUAL)) { VERSION_GREATER_THAN_EQUAL)) {
@ -324,6 +329,12 @@ schannel_connect_step1(struct connectdata *conn, int sockindex)
} }
else else
BACKEND->use_manual_cred_validation = false; BACKEND->use_manual_cred_validation = false;
#else
if(SSL_CONN_CONFIG(CAfile)) {
failf(data, "schannel: CA cert support not built in");
return CURLE_NOT_BUILT_IN;
}
#endif
#endif #endif
BACKEND->cred = NULL; BACKEND->cred = NULL;
@ -349,9 +360,11 @@ schannel_connect_step1(struct connectdata *conn, int sockindex)
schannel_cred.dwVersion = SCHANNEL_CRED_VERSION; schannel_cred.dwVersion = SCHANNEL_CRED_VERSION;
if(conn->ssl_config.verifypeer) { if(conn->ssl_config.verifypeer) {
#ifdef HAS_MANUAL_VERIFY_API
if(BACKEND->use_manual_cred_validation) if(BACKEND->use_manual_cred_validation)
schannel_cred.dwFlags = SCH_CRED_MANUAL_CRED_VALIDATION; schannel_cred.dwFlags = SCH_CRED_MANUAL_CRED_VALIDATION;
else else
#endif
schannel_cred.dwFlags = SCH_CRED_AUTO_CRED_VALIDATION; schannel_cred.dwFlags = SCH_CRED_AUTO_CRED_VALIDATION;
/* TODO s/data->set.ssl.no_revoke/SSL_SET_OPTION(no_revoke)/g */ /* TODO s/data->set.ssl.no_revoke/SSL_SET_OPTION(no_revoke)/g */
@ -892,9 +905,11 @@ schannel_connect_step2(struct connectdata *conn, int sockindex)
} }
} }
#ifdef HAS_MANUAL_VERIFY_API
if(conn->ssl_config.verifypeer && BACKEND->use_manual_cred_validation) { if(conn->ssl_config.verifypeer && BACKEND->use_manual_cred_validation) {
return verify_certificate(conn, sockindex); return verify_certificate(conn, sockindex);
} }
#endif
return CURLE_OK; return CURLE_OK;
} }

View File

@ -38,6 +38,19 @@ CURLcode verify_certificate(struct connectdata *conn, int sockindex);
/* structs to expose only in schannel.c and schannel_verify.c */ /* structs to expose only in schannel.c and schannel_verify.c */
#ifdef EXPOSE_SCHANNEL_INTERNAL_STRUCTS #ifdef EXPOSE_SCHANNEL_INTERNAL_STRUCTS
#ifdef __MINGW32__
#include <_mingw.h>
#ifdef __MINGW64_VERSION_MAJOR
#define HAS_MANUAL_VERIFY_API
#endif
#else
#include <wincrypt.h>
#ifdef CERT_CHAIN_REVOCATION_CHECK_CHAIN
#define HAS_MANUAL_VERIFY_API
#endif
#endif
struct curl_schannel_cred { struct curl_schannel_cred {
CredHandle cred_handle; CredHandle cred_handle;
TimeStamp time_stamp; TimeStamp time_stamp;
@ -66,7 +79,9 @@ struct ssl_backend_data {
bool recv_sspi_close_notify; /* true if connection closed by close_notify */ bool recv_sspi_close_notify; /* true if connection closed by close_notify */
bool recv_connection_closed; /* true if connection closed, regardless how */ bool recv_connection_closed; /* true if connection closed, regardless how */
bool use_alpn; /* true if ALPN is used for this connection */ bool use_alpn; /* true if ALPN is used for this connection */
#ifdef HAS_MANUAL_VERIFY_API
bool use_manual_cred_validation; /* true if manual cred validation is used */ bool use_manual_cred_validation; /* true if manual cred validation is used */
#endif
}; };
#endif /* EXPOSE_SCHANNEL_INTERNAL_STRUCTS */ #endif /* EXPOSE_SCHANNEL_INTERNAL_STRUCTS */

View File

@ -29,15 +29,17 @@
#include "curl_setup.h" #include "curl_setup.h"
#ifdef USE_SCHANNEL
#define EXPOSE_SCHANNEL_INTERNAL_STRUCTS
#ifndef USE_WINDOWS_SSPI #ifndef USE_WINDOWS_SSPI
# error "Can't compile SCHANNEL support without SSPI." # error "Can't compile SCHANNEL support without SSPI."
#endif #endif
#ifdef USE_SCHANNEL
#define EXPOSE_SCHANNEL_INTERNAL_STRUCTS
#include "schannel.h" #include "schannel.h"
#ifdef HAS_MANUAL_VERIFY_API
#include "vtls.h" #include "vtls.h"
#include "sendf.h" #include "sendf.h"
#include "strerror.h" #include "strerror.h"
@ -548,4 +550,5 @@ CURLcode verify_certificate(struct connectdata *conn, int sockindex)
return result; return result;
} }
#endif /* HAS_MANUAL_VERIFY_API */
#endif /* USE_SCHANNEL */ #endif /* USE_SCHANNEL */