VirtualBox

source: vbox/trunk/src/libs/curl-7.64.0/lib/vtls/schannel_verify.c@ 90406

Last change on this file since 90406 was 85671, checked in by vboxsync, 5 years ago

Export out internal curl copy to make it a lot simpler to build VBox (OSE) on Windows. bugref:9814
  • Property svn:eol-style set to native
File size: 18.4 KB
Line 
1/***************************************************************************
2 * _ _ ____ _
3 * Project ___| | | | _ \| |
4 * / __| | | | |_) | |
5 * | (__| |_| | _ <| |___
6 * \___|\___/|_| \_\_____|
7 *
8 * Copyright (C) 2012 - 2016, Marc Hoersken, <[email protected]>
9 * Copyright (C) 2012, Mark Salisbury, <[email protected]>
10 * Copyright (C) 2012 - 2019, Daniel Stenberg, <[email protected]>, et al.
11 *
12 * This software is licensed as described in the file COPYING, which
13 * you should have received as part of this distribution. The terms
14 * are also available at https://curl.haxx.se/docs/copyright.html.
15 *
16 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
17 * copies of the Software, and permit persons to whom the Software is
18 * furnished to do so, under the terms of the COPYING file.
19 *
20 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
21 * KIND, either express or implied.
22 *
23 ***************************************************************************/
24
25/*
26 * Source file for Schannel-specific certificate verification. This code should
27 * only be invoked by code in schannel.c.
28 */
29
30#include "curl_setup.h"
31
32#ifdef USE_SCHANNEL
33#ifndef USE_WINDOWS_SSPI
34# error "Can't compile SCHANNEL support without SSPI."
35#endif
36
37#define EXPOSE_SCHANNEL_INTERNAL_STRUCTS
38#include "schannel.h"
39
40#ifdef HAS_MANUAL_VERIFY_API
41
42#include "vtls.h"
43#include "sendf.h"
44#include "strerror.h"
45#include "curl_multibyte.h"
46#include "curl_printf.h"
47#include "hostcheck.h"
48#include "system_win32.h"
49
50/* The last #include file should be: */
51#include "curl_memory.h"
52#include "memdebug.h"
53
54#define BACKEND connssl->backend
55
56#define MAX_CAFILE_SIZE 1048576 /* 1 MiB */
57#define BEGIN_CERT "-----BEGIN CERTIFICATE-----"
58#define END_CERT "\n-----END CERTIFICATE-----"
59
60typedef struct {
61 DWORD cbSize;
62 HCERTSTORE hRestrictedRoot;
63 HCERTSTORE hRestrictedTrust;
64 HCERTSTORE hRestrictedOther;
65 DWORD cAdditionalStore;
66 HCERTSTORE *rghAdditionalStore;
67 DWORD dwFlags;
68 DWORD dwUrlRetrievalTimeout;
69 DWORD MaximumCachedCertificates;
70 DWORD CycleDetectionModulus;
71 HCERTSTORE hExclusiveRoot;
72 HCERTSTORE hExclusiveTrustedPeople;
73} CERT_CHAIN_ENGINE_CONFIG_WIN7, *PCERT_CHAIN_ENGINE_CONFIG_WIN7;
74
75static int is_cr_or_lf(char c)
76{
77 return c == '\r' || c == '\n';
78}
79
80static CURLcode add_certs_to_store(HCERTSTORE trust_store,
81 const char *ca_file,
82 struct connectdata *conn)
83{
84 CURLcode result;
85 struct Curl_easy *data = conn->data;
86 HANDLE ca_file_handle = INVALID_HANDLE_VALUE;
87 LARGE_INTEGER file_size;
88 char *ca_file_buffer = NULL;
89 char *current_ca_file_ptr = NULL;
90 TCHAR *ca_file_tstr = NULL;
91 size_t ca_file_bufsize = 0;
92 DWORD total_bytes_read = 0;
93 bool more_certs = 0;
94 int num_certs = 0;
95 size_t END_CERT_LEN;
96
97 ca_file_tstr = Curl_convert_UTF8_to_tchar((char *)ca_file);
98 if(!ca_file_tstr) {
99 failf(data,
100 "schannel: invalid path name for CA file '%s': %s",
101 ca_file, Curl_strerror(conn, GetLastError()));
102 result = CURLE_SSL_CACERT_BADFILE;
103 goto cleanup;
104 }
105
106 /*
107 * Read the CA file completely into memory before parsing it. This
108 * optimizes for the common case where the CA file will be relatively
109 * small ( < 1 MiB ).
110 */
111 ca_file_handle = CreateFile(ca_file_tstr,
112 GENERIC_READ,
113 0,
114 NULL,
115 OPEN_EXISTING,
116 FILE_ATTRIBUTE_NORMAL,
117 NULL);
118 if(ca_file_handle == INVALID_HANDLE_VALUE) {
119 failf(data,
120 "schannel: failed to open CA file '%s': %s",
121 ca_file, Curl_strerror(conn, GetLastError()));
122 result = CURLE_SSL_CACERT_BADFILE;
123 goto cleanup;
124 }
125
126 if(!GetFileSizeEx(ca_file_handle, &file_size)) {
127 failf(data,
128 "schannel: failed to determine size of CA file '%s': %s",
129 ca_file, Curl_strerror(conn, GetLastError()));
130 result = CURLE_SSL_CACERT_BADFILE;
131 goto cleanup;
132 }
133
134 if(file_size.QuadPart > MAX_CAFILE_SIZE) {
135 failf(data,
136 "schannel: CA file exceeds max size of %u bytes",
137 MAX_CAFILE_SIZE);
138 result = CURLE_SSL_CACERT_BADFILE;
139 goto cleanup;
140 }
141
142 ca_file_bufsize = (size_t)file_size.QuadPart;
143 ca_file_buffer = (char *)malloc(ca_file_bufsize + 1);
144 if(!ca_file_buffer) {
145 result = CURLE_OUT_OF_MEMORY;
146 goto cleanup;
147 }
148
149 result = CURLE_OK;
150 while(total_bytes_read < ca_file_bufsize) {
151 DWORD bytes_to_read = (DWORD)(ca_file_bufsize - total_bytes_read);
152 DWORD bytes_read = 0;
153
154 if(!ReadFile(ca_file_handle, ca_file_buffer + total_bytes_read,
155 bytes_to_read, &bytes_read, NULL)) {
156
157 failf(data,
158 "schannel: failed to read from CA file '%s': %s",
159 ca_file, Curl_strerror(conn, GetLastError()));
160 result = CURLE_SSL_CACERT_BADFILE;
161 goto cleanup;
162 }
163 if(bytes_read == 0) {
164 /* Premature EOF -- adjust the bufsize to the new value */
165 ca_file_bufsize = total_bytes_read;
166 }
167 else {
168 total_bytes_read += bytes_read;
169 }
170 }
171
172 /* Null terminate the buffer */
173 ca_file_buffer[ca_file_bufsize] = '\0';
174
175 if(result != CURLE_OK) {
176 goto cleanup;
177 }
178
179 END_CERT_LEN = strlen(END_CERT);
180
181 more_certs = 1;
182 current_ca_file_ptr = ca_file_buffer;
183 while(more_certs && *current_ca_file_ptr != '\0') {
184 char *begin_cert_ptr = strstr(current_ca_file_ptr, BEGIN_CERT);
185 if(!begin_cert_ptr || !is_cr_or_lf(begin_cert_ptr[strlen(BEGIN_CERT)])) {
186 more_certs = 0;
187 }
188 else {
189 char *end_cert_ptr = strstr(begin_cert_ptr, END_CERT);
190 if(!end_cert_ptr) {
191 failf(data,
192 "schannel: CA file '%s' is not correctly formatted",
193 ca_file);
194 result = CURLE_SSL_CACERT_BADFILE;
195 more_certs = 0;
196 }
197 else {
198 CERT_BLOB cert_blob;
199 CERT_CONTEXT *cert_context = NULL;
200 BOOL add_cert_result = FALSE;
201 DWORD actual_content_type = 0;
202 DWORD cert_size = (DWORD)
203 ((end_cert_ptr + END_CERT_LEN) - begin_cert_ptr);
204
205 cert_blob.pbData = (BYTE *)begin_cert_ptr;
206 cert_blob.cbData = cert_size;
207 if(!CryptQueryObject(CERT_QUERY_OBJECT_BLOB,
208 &cert_blob,
209 CERT_QUERY_CONTENT_FLAG_CERT,
210 CERT_QUERY_FORMAT_FLAG_ALL,
211 0,
212 NULL,
213 &actual_content_type,
214 NULL,
215 NULL,
216 NULL,
217 (const void **)&cert_context)) {
218
219 failf(data,
220 "schannel: failed to extract certificate from CA file "
221 "'%s': %s",
222 ca_file, Curl_strerror(conn, GetLastError()));
223 result = CURLE_SSL_CACERT_BADFILE;
224 more_certs = 0;
225 }
226 else {
227 current_ca_file_ptr = begin_cert_ptr + cert_size;
228
229 /* Sanity check that the cert_context object is the right type */
230 if(CERT_QUERY_CONTENT_CERT != actual_content_type) {
231 failf(data,
232 "schannel: unexpected content type '%d' when extracting "
233 "certificate from CA file '%s'",
234 actual_content_type, ca_file);
235 result = CURLE_SSL_CACERT_BADFILE;
236 more_certs = 0;
237 }
238 else {
239 add_cert_result =
240 CertAddCertificateContextToStore(trust_store,
241 cert_context,
242 CERT_STORE_ADD_ALWAYS,
243 NULL);
244 CertFreeCertificateContext(cert_context);
245 if(!add_cert_result) {
246 failf(data,
247 "schannel: failed to add certificate from CA file '%s' "
248 "to certificate store: %s",
249 ca_file, Curl_strerror(conn, GetLastError()));
250 result = CURLE_SSL_CACERT_BADFILE;
251 more_certs = 0;
252 }
253 else {
254 num_certs++;
255 }
256 }
257 }
258 }
259 }
260 }
261
262 if(result == CURLE_OK) {
263 if(!num_certs) {
264 infof(data,
265 "schannel: did not add any certificates from CA file '%s'\n",
266 ca_file);
267 }
268 else {
269 infof(data,
270 "schannel: added %d certificate(s) from CA file '%s'\n",
271 num_certs, ca_file);
272 }
273 }
274
275cleanup:
276 if(ca_file_handle != INVALID_HANDLE_VALUE) {
277 CloseHandle(ca_file_handle);
278 }
279 Curl_safefree(ca_file_buffer);
280 Curl_unicodefree(ca_file_tstr);
281
282 return result;
283}
284
285static CURLcode verify_host(struct Curl_easy *data,
286 CERT_CONTEXT *pCertContextServer,
287 const char * const conn_hostname)
288{
289 CURLcode result = CURLE_PEER_FAILED_VERIFICATION;
290 TCHAR *cert_hostname_buff = NULL;
291 size_t cert_hostname_buff_index = 0;
292 DWORD len = 0;
293 DWORD actual_len = 0;
294
295 /* CertGetNameString will provide the 8-bit character string without
296 * any decoding */
297 DWORD name_flags = CERT_NAME_DISABLE_IE4_UTF8_FLAG;
298
299#ifdef CERT_NAME_SEARCH_ALL_NAMES_FLAG
300 name_flags |= CERT_NAME_SEARCH_ALL_NAMES_FLAG;
301#endif
302
303 /* Determine the size of the string needed for the cert hostname */
304 len = CertGetNameString(pCertContextServer,
305 CERT_NAME_DNS_TYPE,
306 name_flags,
307 NULL,
308 NULL,
309 0);
310 if(len == 0) {
311 failf(data,
312 "schannel: CertGetNameString() returned no "
313 "certificate name information");
314 result = CURLE_PEER_FAILED_VERIFICATION;
315 goto cleanup;
316 }
317
318 /* CertGetNameString guarantees that the returned name will not contain
319 * embedded null bytes. This appears to be undocumented behavior.
320 */
321 cert_hostname_buff = (LPTSTR)malloc(len * sizeof(TCHAR));
322 if(!cert_hostname_buff) {
323 result = CURLE_OUT_OF_MEMORY;
324 goto cleanup;
325 }
326 actual_len = CertGetNameString(pCertContextServer,
327 CERT_NAME_DNS_TYPE,
328 name_flags,
329 NULL,
330 (LPTSTR) cert_hostname_buff,
331 len);
332
333 /* Sanity check */
334 if(actual_len != len) {
335 failf(data,
336 "schannel: CertGetNameString() returned certificate "
337 "name information of unexpected size");
338 result = CURLE_PEER_FAILED_VERIFICATION;
339 goto cleanup;
340 }
341
342 /* If HAVE_CERT_NAME_SEARCH_ALL_NAMES is available, the output
343 * will contain all DNS names, where each name is null-terminated
344 * and the last DNS name is double null-terminated. Due to this
345 * encoding, use the length of the buffer to iterate over all names.
346 */
347 result = CURLE_PEER_FAILED_VERIFICATION;
348 while(cert_hostname_buff_index < len &&
349 cert_hostname_buff[cert_hostname_buff_index] != TEXT('\0') &&
350 result == CURLE_PEER_FAILED_VERIFICATION) {
351
352 char *cert_hostname;
353
354 /* Comparing the cert name and the connection hostname encoded as UTF-8
355 * is acceptable since both values are assumed to use ASCII
356 * (or some equivalent) encoding
357 */
358 cert_hostname = Curl_convert_tchar_to_UTF8(
359 &cert_hostname_buff[cert_hostname_buff_index]);
360 if(!cert_hostname) {
361 result = CURLE_OUT_OF_MEMORY;
362 }
363 else {
364 int match_result;
365
366 match_result = Curl_cert_hostcheck(cert_hostname, conn_hostname);
367 if(match_result == CURL_HOST_MATCH) {
368 infof(data,
369 "schannel: connection hostname (%s) validated "
370 "against certificate name (%s)\n",
371 conn_hostname, cert_hostname);
372 result = CURLE_OK;
373 }
374 else {
375 size_t cert_hostname_len;
376
377 infof(data,
378 "schannel: connection hostname (%s) did not match "
379 "against certificate name (%s)\n",
380 conn_hostname, cert_hostname);
381
382 cert_hostname_len = _tcslen(
383 &cert_hostname_buff[cert_hostname_buff_index]);
384
385 /* Move on to next cert name */
386 cert_hostname_buff_index += cert_hostname_len + 1;
387
388 result = CURLE_PEER_FAILED_VERIFICATION;
389 }
390 Curl_unicodefree(cert_hostname);
391 }
392 }
393
394 if(result == CURLE_PEER_FAILED_VERIFICATION) {
395 failf(data,
396 "schannel: CertGetNameString() failed to match "
397 "connection hostname (%s) against server certificate names",
398 conn_hostname);
399 }
400 else if(result != CURLE_OK)
401 failf(data, "schannel: server certificate name verification failed");
402
403cleanup:
404 Curl_unicodefree(cert_hostname_buff);
405
406 return result;
407}
408
409CURLcode Curl_verify_certificate(struct connectdata *conn, int sockindex)
410{
411 SECURITY_STATUS status;
412 struct Curl_easy *data = conn->data;
413 struct ssl_connect_data *connssl = &conn->ssl[sockindex];
414 CURLcode result = CURLE_OK;
415 CERT_CONTEXT *pCertContextServer = NULL;
416 const CERT_CHAIN_CONTEXT *pChainContext = NULL;
417 HCERTCHAINENGINE cert_chain_engine = NULL;
418 HCERTSTORE trust_store = NULL;
419 const char * const conn_hostname = SSL_IS_PROXY() ?
420 conn->http_proxy.host.name :
421 conn->host.name;
422
423 status = s_pSecFn->QueryContextAttributes(&BACKEND->ctxt->ctxt_handle,
424 SECPKG_ATTR_REMOTE_CERT_CONTEXT,
425 &pCertContextServer);
426
427 if((status != SEC_E_OK) || (pCertContextServer == NULL)) {
428 failf(data, "schannel: Failed to read remote certificate context: %s",
429 Curl_sspi_strerror(conn, status));
430 result = CURLE_PEER_FAILED_VERIFICATION;
431 }
432
433 if(result == CURLE_OK && SSL_CONN_CONFIG(CAfile) &&
434 BACKEND->use_manual_cred_validation) {
435 /*
436 * Create a chain engine that uses the certificates in the CA file as
437 * trusted certificates. This is only supported on Windows 7+.
438 */
439
440 if(Curl_verify_windows_version(6, 1, PLATFORM_WINNT, VERSION_LESS_THAN)) {
441 failf(data, "schannel: this version of Windows is too old to support "
442 "certificate verification via CA bundle file.");
443 result = CURLE_SSL_CACERT_BADFILE;
444 }
445 else {
446 /* Open the certificate store */
447 trust_store = CertOpenStore(CERT_STORE_PROV_MEMORY,
448 0,
449 (HCRYPTPROV)NULL,
450 CERT_STORE_CREATE_NEW_FLAG,
451 NULL);
452 if(!trust_store) {
453 failf(data, "schannel: failed to create certificate store: %s",
454 Curl_strerror(conn, GetLastError()));
455 result = CURLE_SSL_CACERT_BADFILE;
456 }
457 else {
458 result = add_certs_to_store(trust_store, SSL_CONN_CONFIG(CAfile),
459 conn);
460 }
461 }
462
463 if(result == CURLE_OK) {
464 CERT_CHAIN_ENGINE_CONFIG_WIN7 engine_config;
465 BOOL create_engine_result;
466
467 memset(&engine_config, 0, sizeof(engine_config));
468 engine_config.cbSize = sizeof(engine_config);
469 engine_config.hExclusiveRoot = trust_store;
470
471 /* CertCreateCertificateChainEngine will check the expected size of the
472 * CERT_CHAIN_ENGINE_CONFIG structure and fail if the specified size
473 * does not match the expected size. When this occurs, it indicates that
474 * CAINFO is not supported on the version of Windows in use.
475 */
476 create_engine_result =
477 CertCreateCertificateChainEngine(
478 (CERT_CHAIN_ENGINE_CONFIG *)&engine_config, &cert_chain_engine);
479 if(!create_engine_result) {
480 failf(data,
481 "schannel: failed to create certificate chain engine: %s",
482 Curl_strerror(conn, GetLastError()));
483 result = CURLE_SSL_CACERT_BADFILE;
484 }
485 }
486 }
487
488 if(result == CURLE_OK) {
489 CERT_CHAIN_PARA ChainPara;
490
491 memset(&ChainPara, 0, sizeof(ChainPara));
492 ChainPara.cbSize = sizeof(ChainPara);
493
494 if(!CertGetCertificateChain(cert_chain_engine,
495 pCertContextServer,
496 NULL,
497 pCertContextServer->hCertStore,
498 &ChainPara,
499 (data->set.ssl.no_revoke ? 0 :
500 CERT_CHAIN_REVOCATION_CHECK_CHAIN),
501 NULL,
502 &pChainContext)) {
503 failf(data, "schannel: CertGetCertificateChain failed: %s",
504 Curl_sspi_strerror(conn, GetLastError()));
505 pChainContext = NULL;
506 result = CURLE_PEER_FAILED_VERIFICATION;
507 }
508
509 if(result == CURLE_OK) {
510 CERT_SIMPLE_CHAIN *pSimpleChain = pChainContext->rgpChain[0];
511 DWORD dwTrustErrorMask = ~(DWORD)(CERT_TRUST_IS_NOT_TIME_NESTED);
512 dwTrustErrorMask &= pSimpleChain->TrustStatus.dwErrorStatus;
513 if(dwTrustErrorMask) {
514 if(dwTrustErrorMask & CERT_TRUST_IS_REVOKED)
515 failf(data, "schannel: CertGetCertificateChain trust error"
516 " CERT_TRUST_IS_REVOKED");
517 else if(dwTrustErrorMask & CERT_TRUST_IS_PARTIAL_CHAIN)
518 failf(data, "schannel: CertGetCertificateChain trust error"
519 " CERT_TRUST_IS_PARTIAL_CHAIN");
520 else if(dwTrustErrorMask & CERT_TRUST_IS_UNTRUSTED_ROOT)
521 failf(data, "schannel: CertGetCertificateChain trust error"
522 " CERT_TRUST_IS_UNTRUSTED_ROOT");
523 else if(dwTrustErrorMask & CERT_TRUST_IS_NOT_TIME_VALID)
524 failf(data, "schannel: CertGetCertificateChain trust error"
525 " CERT_TRUST_IS_NOT_TIME_VALID");
526 else if(dwTrustErrorMask & CERT_TRUST_REVOCATION_STATUS_UNKNOWN)
527 failf(data, "schannel: CertGetCertificateChain trust error"
528 " CERT_TRUST_REVOCATION_STATUS_UNKNOWN");
529 else
530 failf(data, "schannel: CertGetCertificateChain error mask: 0x%08x",
531 dwTrustErrorMask);
532 result = CURLE_PEER_FAILED_VERIFICATION;
533 }
534 }
535 }
536
537 if(result == CURLE_OK) {
538 if(SSL_CONN_CONFIG(verifyhost)) {
539 result = verify_host(conn->data, pCertContextServer, conn_hostname);
540 }
541 }
542
543 if(cert_chain_engine) {
544 CertFreeCertificateChainEngine(cert_chain_engine);
545 }
546
547 if(trust_store) {
548 CertCloseStore(trust_store, 0);
549 }
550
551 if(pChainContext)
552 CertFreeCertificateChain(pChainContext);
553
554 if(pCertContextServer)
555 CertFreeCertificateContext(pCertContextServer);
556
557 return result;
558}
559
560#endif /* HAS_MANUAL_VERIFY_API */
561#endif /* USE_SCHANNEL */
Note: See TracBrowser for help on using the repository browser.

© 2024 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette