[GNUnet-SVN] [gnurl] 02/163: schannel: disable manual verify if APIs not
From: |
gnunet |
Subject: |
[GNUnet-SVN] [gnurl] 02/163: schannel: disable manual verify if APIs not available |
Date: |
Sun, 05 Aug 2018 12:35:28 +0200 |
This is an automated email from the git hooks/post-receive script.
ng0 pushed a commit to branch master
in repository gnurl.
commit 4584cc44996c2db82542f0e702aee4a6ce5dcb18
Author: Jay Satiro <address@hidden>
AuthorDate: Wed May 16 02:02:29 2018 -0400
schannel: disable manual verify if APIs not available
... because original MinGW and old compilers do not have the Windows API
definitions needed to support manual verification.
---
lib/vtls/schannel.c | 15 +++++++++++++++
lib/vtls/schannel.h | 15 +++++++++++++++
lib/vtls/schannel_verify.c | 11 +++++++----
3 files changed, 37 insertions(+), 4 deletions(-)
diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c
index 9a20b8eff..e00bde2ca 100644
--- a/lib/vtls/schannel.c
+++ b/lib/vtls/schannel.c
@@ -307,10 +307,15 @@ schannel_connect_step1(struct connectdata *conn, int
sockindex)
#endif
#ifdef _WIN32_WCE
+#ifdef HAS_MANUAL_VERIFY_API
/* certificate validation on CE doesn't seem to work right; we'll
* do it following a more manual process. */
BACKEND->use_manual_cred_validation = true;
#else
+#error "compiler too old to support requisite manual cert verify for Win CE"
+#endif
+#else
+#ifdef HAS_MANUAL_VERIFY_API
if(SSL_CONN_CONFIG(CAfile)) {
if(Curl_verify_windows_version(6, 1, PLATFORM_WINNT,
VERSION_GREATER_THAN_EQUAL)) {
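Review bot: The new `#error` on the Win CE path refuses to build rather than falling back to `SCH_CRED_AUTO_CRED_VALIDATION`, and the reason deserves a comment, since the only hint is the "doesn't seem to work right" remark two lines above it. Failing the build is the fail-closed choice here: silently falling back to a validation mode the code already distrusts on CE would leave peers effectively unverified on that platform. I would add `/* auto validation is unreliable on CE (see above); refusing to build beats silently accepting unverified peers */` directly above the `#error`. schannel_connect_step1 continues outside this hunk.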
@@ -324,6 +329,12 @@ schannel_connect_step1(struct connectdata *conn, int
sockindex)
}
else
BACKEND->use_manual_cred_validation = false;
+#else
+ if(SSL_CONN_CONFIG(CAfile)) {
+ failf(data, "schannel: CA cert support not built in");
+ return CURLE_NOT_BUILT_IN;
+ }
+#endif
#endif
BACKEND->cred = NULL;
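Review bot: Rejecting `CAfile` with `CURLE_NOT_BUILT_IN` when the manual-verify API is missing is the right fail-closed behaviour, but the message gives no hint why support is missing, so a user on an old toolchain will look for a configure option that does not exist. I would say `failf(data, "schannel: CA cert support not built in (toolchain lacks the manual verify API)");`. The guard only inspects `CAfile`; if this libcurl version lets the manual verifier honour any other CA-related option, that option would now be silently ignored instead of rejected — worth confirming against the rest of step1, which lies outside this hunk.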
@@ -349,9 +360,11 @@ schannel_connect_step1(struct connectdata *conn, int
sockindex)
schannel_cred.dwVersion = SCHANNEL_CRED_VERSION;
if(conn->ssl_config.verifypeer) {
+#ifdef HAS_MANUAL_VERIFY_API
if(BACKEND->use_manual_cred_validation)
schannel_cred.dwFlags = SCH_CRED_MANUAL_CRED_VALIDATION;
else
+#endif
schannel_cred.dwFlags = SCH_CRED_AUTO_CRED_VALIDATION;
/* TODO s/data->set.ssl.no_revoke/SSL_SET_OPTION(no_revoke)/g */
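Review bot: The `else` at the end of the `#ifdef HAS_MANUAL_VERIFY_API` block is left dangling across `#endif` and only pairs with the `SCH_CRED_AUTO_CRED_VALIDATION` assignment after preprocessing, which is easy to misread and breaks the moment a line is inserted between them. Assigning the auto flag unconditionally and overriding it under the `#ifdef` expresses the same decision without splitting one statement across a preprocessor boundary. The enclosing `if(conn->ssl_config.verifypeer)` block continues past the hunk.

```c
  if(conn->ssl_config.verifypeer) {
    /* default to schannel's own chain validation; the manual path overrides it */
    schannel_cred.dwFlags = SCH_CRED_AUTO_CRED_VALIDATION;
#ifdef HAS_MANUAL_VERIFY_API
    if(BACKEND->use_manual_cred_validation)
      schannel_cred.dwFlags = SCH_CRED_MANUAL_CRED_VALIDATION;
#endif
    /* … unchanged: rest of the verifypeer block … */
```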
@@ -892,9 +905,11 @@ schannel_connect_step2(struct connectdata *conn, int
sockindex)
}
}
+#ifdef HAS_MANUAL_VERIFY_API
if(conn->ssl_config.verifypeer && BACKEND->use_manual_cred_validation) {
return verify_certificate(conn, sockindex);
}
+#endif
return CURLE_OK;
}
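Review bot: When `HAS_MANUAL_VERIFY_API` is undefined, step2 now reaches `return CURLE_OK;` without any verification call, and nothing at this point says where peer verification happens instead; anyone auditing the handshake will flag it as a missing check. The guarantee comes from step1 setting `SCH_CRED_AUTO_CRED_VALIDATION` whenever `verifypeer` is set, so schannel itself validates the chain during the handshake. I would add `/* without the manual API, verifypeer was delegated to schannel via SCH_CRED_AUTO_CRED_VALIDATION in step1 */` after the `#endif` and before the return.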
diff --git a/lib/vtls/schannel.h b/lib/vtls/schannel.h
index 447690027..aa44e8e89 100644
--- a/lib/vtls/schannel.h
+++ b/lib/vtls/schannel.h
@@ -38,6 +38,19 @@ CURLcode verify_certificate(struct connectdata *conn, int
sockindex);
/* structs to expose only in schannel.c and schannel_verify.c */
#ifdef EXPOSE_SCHANNEL_INTERNAL_STRUCTS
+
+#ifdef __MINGW32__
+#include <_mingw.h>
+#ifdef __MINGW64_VERSION_MAJOR
+#define HAS_MANUAL_VERIFY_API
+#endif
+#else
+#include <wincrypt.h>
+#ifdef CERT_CHAIN_REVOCATION_CHECK_CHAIN
+#define HAS_MANUAL_VERIFY_API
+#endif
+#endif
+
struct curl_schannel_cred {
CredHandle cred_handle;
TimeStamp time_stamp;
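Review bot: Nothing in the new detection block says what `__MINGW64_VERSION_MAJOR` and `CERT_CHAIN_REVOCATION_CHECK_CHAIN` stand for, and the two branches probe different things (a toolchain identity on MinGW, a header macro elsewhere), so a maintainer cannot tell whether they are meant to be equivalent. Because the macro decides the layout of `ssl_backend_data` below, every translation unit that defines `EXPOSE_SCHANNEL_INTERNAL_STRUCTS` must reach this block the same way; placing the probe in the shared header does that, and it is worth saying so. I would open the block with `/* HAS_MANUAL_VERIFY_API: the toolchain's wincrypt headers declare what verify_certificate() needs; mingw-w64 is assumed to, original MinGW is not, other compilers are probed via CERT_CHAIN_REVOCATION_CHECK_CHAIN. Keep this in the shared header so both TUs agree. */`. The bare `#include <wincrypt.h>` presumably relies on windows.h having been pulled in earlier via curl_setup.h — not visible here.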
@@ -66,7 +79,9 @@ struct ssl_backend_data {
bool recv_sspi_close_notify; /* true if connection closed by close_notify */
bool recv_connection_closed; /* true if connection closed, regardless how */
bool use_alpn; /* true if ALPN is used for this connection */
+#ifdef HAS_MANUAL_VERIFY_API
bool use_manual_cred_validation; /* true if manual cred validation is used */
+#endif
};
#endif /* EXPOSE_SCHANNEL_INTERNAL_STRUCTS */
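Review bot: Making `use_manual_cred_validation` conditional changes the size and layout of `ssl_backend_data` with the build, which is what forces the matching `#ifdef HAS_MANUAL_VERIFY_API` guards around every read and write of it in schannel.c. Keeping the field unconditional and simply never setting it true without the API would remove those guards and make the struct layout independent of the toolchain probe, at the cost of one unused bool. I would drop the `#ifdef`/`#endif` pair and keep `bool use_manual_cred_validation; /* true if manual cred validation is used; stays false without HAS_MANUAL_VERIFY_API */`.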
diff --git a/lib/vtls/schannel_verify.c b/lib/vtls/schannel_verify.c
index db187dd6b..552b1afe9 100644
--- a/lib/vtls/schannel_verify.c
+++ b/lib/vtls/schannel_verify.c
@@ -29,15 +29,17 @@
#include "curl_setup.h"
-#ifdef USE_SCHANNEL
-
-#define EXPOSE_SCHANNEL_INTERNAL_STRUCTS
-
#ifndef USE_WINDOWS_SSPI
# error "Can't compile SCHANNEL support without SSPI."
#endif
+#ifdef USE_SCHANNEL
+
+#define EXPOSE_SCHANNEL_INTERNAL_STRUCTS
#include "schannel.h"
+
+#ifdef HAS_MANUAL_VERIFY_API
+
#include "vtls.h"
#include "sendf.h"
#include "strerror.h"
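Review bot: The `#ifndef USE_WINDOWS_SSPI` / `# error` check was moved out of the `#ifdef USE_SCHANNEL` guard, so it now fires on every build that does not enable SSPI — every non-Windows or non-schannel configuration — instead of only when schannel is selected. The follow-up 04/163 "schannel_verify: fix build for non-schannel" in the thread index appears to be the consequence. The fix is to open the guard first: `#ifdef USE_SCHANNEL` / `#ifndef USE_WINDOWS_SSPI` / `# error "Can't compile SCHANNEL support without SSPI."` / `#endif`, with `EXPOSE_SCHANNEL_INTERNAL_STRUCTS` and the includes following as they do now. The file's include list continues past the hunk.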
@@ -548,4 +550,5 @@ CURLcode verify_certificate(struct connectdata *conn, int
sockindex)
return result;
}
+#endif /* HAS_MANUAL_VERIFY_API */
#endif /* USE_SCHANNEL */