Commit 4584cc44 authored by Jay Satiro's avatar Jay Satiro

schannel: disable manual verify if APIs not available

.. because original MinGW and old compilers do not have the Windows API
definitions needed to support manual verification.
parent 1592ea97
+15 −0
@@ -307,10 +307,15 @@ schannel_connect_step1(struct connectdata *conn, int sockindex)
#endif

#ifdef _WIN32_WCE
#ifdef HAS_MANUAL_VERIFY_API
  /* certificate validation on CE doesn't seem to work right; we'll
   * do it following a more manual process. */
  BACKEND->use_manual_cred_validation = true;
#else
#error "compiler too old to support requisite manual cert verify for Win CE"
#endif
#else
#ifdef HAS_MANUAL_VERIFY_API
  if(SSL_CONN_CONFIG(CAfile)) {
    if(Curl_verify_windows_version(6, 1, PLATFORM_WINNT,
                                   VERSION_GREATER_THAN_EQUAL)) {
@@ -324,6 +329,12 @@ schannel_connect_step1(struct connectdata *conn, int sockindex)
  }
  else
    BACKEND->use_manual_cred_validation = false;
#else
  if(SSL_CONN_CONFIG(CAfile)) {
    failf(data, "schannel: CA cert support not built in");
    return CURLE_NOT_BUILT_IN;
  }
#endif
#endif

  BACKEND->cred = NULL;
@@ -349,9 +360,11 @@ schannel_connect_step1(struct connectdata *conn, int sockindex)
    schannel_cred.dwVersion = SCHANNEL_CRED_VERSION;

    if(conn->ssl_config.verifypeer) {
#ifdef HAS_MANUAL_VERIFY_API
      if(BACKEND->use_manual_cred_validation)
        schannel_cred.dwFlags = SCH_CRED_MANUAL_CRED_VALIDATION;
      else
#endif
        schannel_cred.dwFlags = SCH_CRED_AUTO_CRED_VALIDATION;

      /* TODO s/data->set.ssl.no_revoke/SSL_SET_OPTION(no_revoke)/g */
@@ -892,9 +905,11 @@ schannel_connect_step2(struct connectdata *conn, int sockindex)
    }
  }

#ifdef HAS_MANUAL_VERIFY_API
  if(conn->ssl_config.verifypeer && BACKEND->use_manual_cred_validation) {
    return verify_certificate(conn, sockindex);
  }
#endif

  return CURLE_OK;
}
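Review bot: The `#else` branch at the CAfile check (L36-L39) is the correct fail-closed choice — silently falling back to SCH_CRED_AUTO_CRED_VALIDATION against the system store when the caller supplied its own CA bundle would quietly widen trust — but nothing in the code says so, and the message does not tell the user why the support is missing. Consider a comment above the `if`, `/* Without the manual-verify API a custom CA bundle cannot be honoured; refuse rather than silently trusting the system store instead. */`, and a message naming the cause, e.g. `failf(data, "schannel: CA cert support not built in (toolchain lacks manual verify API)");`. The Win CE side (L18-L25) makes the same condition a compile-time #error because, per the comment at L20-L21, automatic validation is not trusted there; a one-line comment on the non-CE side noting that automatic validation remains usable on desktop Windows would make the asymmetry look deliberate rather than accidental. schannel_connect_step1 starts and ends outside the hunks shown.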
+15 −0
@@ -38,6 +38,19 @@ CURLcode verify_certificate(struct connectdata *conn, int sockindex);

/* structs to expose only in schannel.c and schannel_verify.c */
#ifdef EXPOSE_SCHANNEL_INTERNAL_STRUCTS

#ifdef __MINGW32__
#include <_mingw.h>
#ifdef __MINGW64_VERSION_MAJOR
#define HAS_MANUAL_VERIFY_API
#endif
#else
#include <wincrypt.h>
#ifdef CERT_CHAIN_REVOCATION_CHECK_CHAIN
#define HAS_MANUAL_VERIFY_API
#endif
#endif

struct curl_schannel_cred {
  CredHandle cred_handle;
  TimeStamp time_stamp;
@@ -66,7 +79,9 @@ struct ssl_backend_data {
  bool recv_sspi_close_notify; /* true if connection closed by close_notify */
  bool recv_connection_closed; /* true if connection closed, regardless how */
  bool use_alpn; /* true if ALPN is used for this connection */
#ifdef HAS_MANUAL_VERIFY_API
  bool use_manual_cred_validation; /* true if manual cred validation is used */
#endif
};
#endif /* EXPOSE_SCHANNEL_INTERNAL_STRUCTS */
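Review bot: The conditional member `use_manual_cred_validation` (L94-L96) makes sizeof(struct ssl_backend_data) depend on HAS_MANUAL_VERIFY_API, and that macro is derived by the probe at L75-L85 from whatever `<_mingw.h>` or `<wincrypt.h>` happen to expose at include time, so every translation unit that defines EXPOSE_SCHANNEL_INTERNAL_STRUCTS must reach the same answer or they will disagree on the struct layout. A comment above the probe would make that contract explicit: `/* HAS_MANUAL_VERIFY_API changes the layout of struct ssl_backend_data below; it must evaluate identically in every file that defines EXPOSE_SCHANNEL_INTERNAL_STRUCTS. */`. The mingw-w64 branch trusts toolchain identity (`__MINGW64_VERSION_MAJOR`) rather than probing for `CERT_CHAIN_REVOCATION_CHECK_CHAIN` as the other branch does; if any mingw-w64 headers lack the needed definitions, the macro probe would presumably be the safer test on that path too — worth confirming against the toolchains you build with. Separately, `<wincrypt.h>` is normally included after `<windows.h>`, and nothing visible here shows that being satisfied, so verify curl_setup.h already pulls it in.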

+7 −4
@@ -29,15 +29,17 @@

#include "curl_setup.h"

#ifdef USE_SCHANNEL

#define EXPOSE_SCHANNEL_INTERNAL_STRUCTS

#ifndef USE_WINDOWS_SSPI
#  error "Can't compile SCHANNEL support without SSPI."
#endif

#ifdef USE_SCHANNEL

#define EXPOSE_SCHANNEL_INTERNAL_STRUCTS
#include "schannel.h"

#ifdef HAS_MANUAL_VERIFY_API

#include "vtls.h"
#include "sendf.h"
#include "strerror.h"
@@ -548,4 +550,5 @@ CURLcode verify_certificate(struct connectdata *conn, int sockindex)
  return result;
}

#endif /* HAS_MANUAL_VERIFY_API */
#endif /* USE_SCHANNEL */
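Review bot: In the rendered view the `#ifndef USE_WINDOWS_SSPI` / `#error` block (L110-L112) now sits ahead of the new `#ifdef USE_SCHANNEL` at L114, and the −4 count is consistent with the old `#ifdef USE_SCHANNEL` at L106 having been removed. If that is the new-side order, the #error is no longer inside the USE_SCHANNEL guard and will fire in any build that compiles this file without SSPI, which would include every non-Windows build; the guard should open first: `#ifdef USE_SCHANNEL` / `#ifndef USE_WINDOWS_SSPI` / `#  error "Can't compile SCHANNEL support without SSPI."` followed by its `#endif`. If the forge merely interleaved old and new lines and the check is in fact inside the guard, this is a non-issue, but it is cheap to confirm by compiling a non-Windows target. The new `#ifdef HAS_MANUAL_VERIFY_API` at L119 also deserves a one-line comment saying it compiles out the whole of verify_certificate(), which is only safe because the sole visible call in schannel.c (L60-L64) is under the same guard, e.g. `/* The whole of verify_certificate() needs the newer crypto API definitions probed for in schannel.h; schannel.c only calls it under the same guard. */`.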