schannel: disable manual verify if APIs not available
.. because original MinGW and old compilers do not have the Windows API definitions needed to support manual verification.
This commit is contained in:
parent
1592ea9792
commit
4584cc4499
@ -307,10 +307,15 @@ schannel_connect_step1(struct connectdata *conn, int sockindex)
|
|||||||
#endif
|
#endif
|
||||||
|
|
||||||
#ifdef _WIN32_WCE
|
#ifdef _WIN32_WCE
|
||||||
|
#ifdef HAS_MANUAL_VERIFY_API
|
||||||
/* certificate validation on CE doesn't seem to work right; we'll
|
/* certificate validation on CE doesn't seem to work right; we'll
|
||||||
* do it following a more manual process. */
|
* do it following a more manual process. */
|
||||||
BACKEND->use_manual_cred_validation = true;
|
BACKEND->use_manual_cred_validation = true;
|
||||||
#else
|
#else
|
||||||
|
#error "compiler too old to support requisite manual cert verify for Win CE"
|
||||||
|
#endif
|
||||||
|
#else
|
||||||
|
#ifdef HAS_MANUAL_VERIFY_API
|
||||||
if(SSL_CONN_CONFIG(CAfile)) {
|
if(SSL_CONN_CONFIG(CAfile)) {
|
||||||
if(Curl_verify_windows_version(6, 1, PLATFORM_WINNT,
|
if(Curl_verify_windows_version(6, 1, PLATFORM_WINNT,
|
||||||
VERSION_GREATER_THAN_EQUAL)) {
|
VERSION_GREATER_THAN_EQUAL)) {
|
||||||
@ -324,6 +329,12 @@ schannel_connect_step1(struct connectdata *conn, int sockindex)
|
|||||||
}
|
}
|
||||||
else
|
else
|
||||||
BACKEND->use_manual_cred_validation = false;
|
BACKEND->use_manual_cred_validation = false;
|
||||||
|
#else
|
||||||
|
if(SSL_CONN_CONFIG(CAfile)) {
|
||||||
|
failf(data, "schannel: CA cert support not built in");
|
||||||
|
return CURLE_NOT_BUILT_IN;
|
||||||
|
}
|
||||||
|
#endif
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
BACKEND->cred = NULL;
|
BACKEND->cred = NULL;
|
||||||
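Review bot: The new `#else` branch that rejects a configured CAfile with CURLE_NOT_BUILT_IN carries no comment saying why it fails instead of falling back to Schannel's automatic validation against the Windows store, and the message `schannel: CA cert support not built in` gives the user no hint that the cause is a toolchain whose headers lack the chain-verification APIs (per the commit description) rather than a missing configure option. I would add above the `if(SSL_CONN_CONFIG(CAfile))` in that branch: `/* toolchain lacks the APIs for manual (CAfile) verification: fail closed rather than silently ignore the CA file and trust the system store */`, and make the message say so, e.g. `failf(data, "schannel: CA cert support not built in (toolchain lacks the cert chain APIs)");`. The fail-closed choice itself looks right. schannel_connect_step1 begins and ends outside this hunk.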
@ -349,9 +360,11 @@ schannel_connect_step1(struct connectdata *conn, int sockindex)
|
|||||||
schannel_cred.dwVersion = SCHANNEL_CRED_VERSION;
|
schannel_cred.dwVersion = SCHANNEL_CRED_VERSION;
|
||||||
|
|
||||||
if(conn->ssl_config.verifypeer) {
|
if(conn->ssl_config.verifypeer) {
|
||||||
|
#ifdef HAS_MANUAL_VERIFY_API
|
||||||
if(BACKEND->use_manual_cred_validation)
|
if(BACKEND->use_manual_cred_validation)
|
||||||
schannel_cred.dwFlags = SCH_CRED_MANUAL_CRED_VALIDATION;
|
schannel_cred.dwFlags = SCH_CRED_MANUAL_CRED_VALIDATION;
|
||||||
else
|
else
|
||||||
|
#endif
|
||||||
schannel_cred.dwFlags = SCH_CRED_AUTO_CRED_VALIDATION;
|
schannel_cred.dwFlags = SCH_CRED_AUTO_CRED_VALIDATION;
|
||||||
|
|
||||||
/* TODO s/data->set.ssl.no_revoke/SSL_SET_OPTION(no_revoke)/g */
|
/* TODO s/data->set.ssl.no_revoke/SSL_SET_OPTION(no_revoke)/g */
|
||||||
@ -892,9 +905,11 @@ schannel_connect_step2(struct connectdata *conn, int sockindex)
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#ifdef HAS_MANUAL_VERIFY_API
|
||||||
if(conn->ssl_config.verifypeer && BACKEND->use_manual_cred_validation) {
|
if(conn->ssl_config.verifypeer && BACKEND->use_manual_cred_validation) {
|
||||||
return verify_certificate(conn, sockindex);
|
return verify_certificate(conn, sockindex);
|
||||||
}
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
return CURLE_OK;
|
return CURLE_OK;
|
||||||
}
|
}
|
||||||
|
@ -38,6 +38,19 @@ CURLcode verify_certificate(struct connectdata *conn, int sockindex);
|
|||||||
|
|
||||||
/* structs to expose only in schannel.c and schannel_verify.c */
|
/* structs to expose only in schannel.c and schannel_verify.c */
|
||||||
#ifdef EXPOSE_SCHANNEL_INTERNAL_STRUCTS
|
#ifdef EXPOSE_SCHANNEL_INTERNAL_STRUCTS
|
||||||
|
|
||||||
|
#ifdef __MINGW32__
|
||||||
|
#include <_mingw.h>
|
||||||
|
#ifdef __MINGW64_VERSION_MAJOR
|
||||||
|
#define HAS_MANUAL_VERIFY_API
|
||||||
|
#endif
|
||||||
|
#else
|
||||||
|
#include <wincrypt.h>
|
||||||
|
#ifdef CERT_CHAIN_REVOCATION_CHECK_CHAIN
|
||||||
|
#define HAS_MANUAL_VERIFY_API
|
||||||
|
#endif
|
||||||
|
#endif
|
||||||
|
|
||||||
struct curl_schannel_cred {
|
struct curl_schannel_cred {
|
||||||
CredHandle cred_handle;
|
CredHandle cred_handle;
|
||||||
TimeStamp time_stamp;
|
TimeStamp time_stamp;
|
||||||
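Review bot: The block that defines HAS_MANUAL_VERIFY_API has no comment explaining what the two probes stand for, and it sits inside `#ifdef EXPOSE_SCHANNEL_INTERNAL_STRUCTS`, so a translation unit that includes schannel.h without that define never sees the macro even though the same macro decides whether `use_manual_cred_validation` exists in struct ssl_backend_data (next hunk). I would add a three-line comment before `#ifdef __MINGW32__` stating that the macro means the headers declare the CryptoAPI chain functions schannel_verify.c calls, that `__MINGW64_VERSION_MAJOR` is taken as the mingw-w64 marker (original MinGW lacks the definitions, per the commit message) while `CERT_CHAIN_REVOCATION_CHECK_CHAIN` from `<wincrypt.h>` is the probe for other toolchains, and that it is only defined when EXPOSE_SCHANNEL_INTERNAL_STRUCTS is. Making the bool member unconditional (one byte) would also decouple the struct layout from a header probe, but that is the other hunk. Whether `<wincrypt.h>` can be included here without `<windows.h>` already in scope is not visible in this hunk and worth confirming.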
@ -66,7 +79,9 @@ struct ssl_backend_data {
|
|||||||
bool recv_sspi_close_notify; /* true if connection closed by close_notify */
|
bool recv_sspi_close_notify; /* true if connection closed by close_notify */
|
||||||
bool recv_connection_closed; /* true if connection closed, regardless how */
|
bool recv_connection_closed; /* true if connection closed, regardless how */
|
||||||
bool use_alpn; /* true if ALPN is used for this connection */
|
bool use_alpn; /* true if ALPN is used for this connection */
|
||||||
|
#ifdef HAS_MANUAL_VERIFY_API
|
||||||
bool use_manual_cred_validation; /* true if manual cred validation is used */
|
bool use_manual_cred_validation; /* true if manual cred validation is used */
|
||||||
|
#endif
|
||||||
};
|
};
|
||||||
#endif /* EXPOSE_SCHANNEL_INTERNAL_STRUCTS */
|
#endif /* EXPOSE_SCHANNEL_INTERNAL_STRUCTS */
|
||||||
|
|
||||||
|
@ -29,15 +29,17 @@
|
|||||||
|
|
||||||
#include "curl_setup.h"
|
#include "curl_setup.h"
|
||||||
|
|
||||||
#ifdef USE_SCHANNEL
|
|
||||||
|
|
||||||
#define EXPOSE_SCHANNEL_INTERNAL_STRUCTS
|
|
||||||
|
|
||||||
#ifndef USE_WINDOWS_SSPI
|
#ifndef USE_WINDOWS_SSPI
|
||||||
# error "Can't compile SCHANNEL support without SSPI."
|
# error "Can't compile SCHANNEL support without SSPI."
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#ifdef USE_SCHANNEL
|
||||||
|
|
||||||
|
#define EXPOSE_SCHANNEL_INTERNAL_STRUCTS
|
||||||
#include "schannel.h"
|
#include "schannel.h"
|
||||||
|
|
||||||
|
#ifdef HAS_MANUAL_VERIFY_API
|
||||||
|
|
||||||
#include "vtls.h"
|
#include "vtls.h"
|
||||||
#include "sendf.h"
|
#include "sendf.h"
|
||||||
#include "strerror.h"
|
#include "strerror.h"
|
||||||
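Review bot: As rendered, the old/new cells show `#ifdef USE_SCHANNEL` removed from before the `#ifndef USE_WINDOWS_SSPI` check and re-added after it, which leaves `# error "Can't compile SCHANNEL support without SSPI."` unconditional on the new side; if the patch really does this, any build that compiles this file without USE_WINDOWS_SSPI (I would expect every non-Windows build to, since the file is part of the vtls sources) now stops with that error. The fix is to keep the re-added `#ifdef USE_SCHANNEL` above the SSPI check, i.e. `#ifdef USE_SCHANNEL` / `#ifndef USE_WINDOWS_SSPI ... #endif` / `#define EXPOSE_SCHANNEL_INTERNAL_STRUCTS`, so the error only fires for Schannel builds as before. The new `#ifdef HAS_MANUAL_VERIFY_API` that wraps the rest of the file would also read better with a comment, e.g. `/* everything below needs the cert chain APIs probed for in schannel.h */`.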
@ -548,4 +550,5 @@ CURLcode verify_certificate(struct connectdata *conn, int sockindex)
|
|||||||
return result;
|
return result;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#endif /* HAS_MANUAL_VERIFY_API */
|
||||||
#endif /* USE_SCHANNEL */
|
#endif /* USE_SCHANNEL */
|
||||||
|