1 /***************************************************************************
2 * _ _ ____ _
3 * Project ___| | | | _ \| |
4 * / __| | | | |_) | |
5 * | (__| |_| | _ <| |___
6 * \___|\___/|_| \_\_____|
7 *
8 * Copyright (C) 2012 - 2016, Marc Hoersken, <info@marc-hoersken.de>
9 * Copyright (C) 2012, Mark Salisbury, <mark.salisbury@hp.com>
10 * Copyright (C) 2012 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
11 *
12 * This software is licensed as described in the file COPYING, which
13 * you should have received as part of this distribution. The terms
14 * are also available at https://curl.haxx.se/docs/copyright.html.
15 *
16 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
17 * copies of the Software, and permit persons to whom the Software is
18 * furnished to do so, under the terms of the COPYING file.
19 *
20 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
21 * KIND, either express or implied.
22 *
23 ***************************************************************************/
24
25 /*
26 * Source file for Schannel-specific certificate verification. This code should
27 * only be invoked by code in schannel.c.
28 */
29
30 #include "curl_setup.h"
31
32 #ifdef USE_SCHANNEL
33 #ifndef USE_WINDOWS_SSPI
34 # error "Can't compile SCHANNEL support without SSPI."
35 #endif
36
37 #define EXPOSE_SCHANNEL_INTERNAL_STRUCTS
38 #include "schannel.h"
39
40 #ifdef HAS_MANUAL_VERIFY_API
41
42 #include "vtls.h"
43 #include "sendf.h"
44 #include "strerror.h"
45 #include "curl_multibyte.h"
46 #include "curl_printf.h"
47 #include "hostcheck.h"
48 #include "version_win32.h"
49
50 /* The last #include file should be: */
51 #include "curl_memory.h"
52 #include "memdebug.h"
53
54 #define BACKEND connssl->backend
55
56 #define MAX_CAFILE_SIZE 1048576 /* 1 MiB */
57 #define BEGIN_CERT "-----BEGIN CERTIFICATE-----"
58 #define END_CERT "\n-----END CERTIFICATE-----"
59
60 struct cert_chain_engine_config_win7 {
61 DWORD cbSize;
62 HCERTSTORE hRestrictedRoot;
63 HCERTSTORE hRestrictedTrust;
64 HCERTSTORE hRestrictedOther;
65 DWORD cAdditionalStore;
66 HCERTSTORE *rghAdditionalStore;
67 DWORD dwFlags;
68 DWORD dwUrlRetrievalTimeout;
69 DWORD MaximumCachedCertificates;
70 DWORD CycleDetectionModulus;
71 HCERTSTORE hExclusiveRoot;
72 HCERTSTORE hExclusiveTrustedPeople;
73 };
74
is_cr_or_lf(char c)75 static int is_cr_or_lf(char c)
76 {
77 return c == '\r' || c == '\n';
78 }
79
add_certs_to_store(HCERTSTORE trust_store,const char * ca_file,struct connectdata * conn)80 static CURLcode add_certs_to_store(HCERTSTORE trust_store,
81 const char *ca_file,
82 struct connectdata *conn)
83 {
84 CURLcode result;
85 struct Curl_easy *data = conn->data;
86 HANDLE ca_file_handle = INVALID_HANDLE_VALUE;
87 LARGE_INTEGER file_size;
88 char *ca_file_buffer = NULL;
89 char *current_ca_file_ptr = NULL;
90 TCHAR *ca_file_tstr = NULL;
91 size_t ca_file_bufsize = 0;
92 DWORD total_bytes_read = 0;
93 bool more_certs = 0;
94 int num_certs = 0;
95 size_t END_CERT_LEN;
96
97 ca_file_tstr = curlx_convert_UTF8_to_tchar((char *)ca_file);
98 if(!ca_file_tstr) {
99 char buffer[STRERROR_LEN];
100 failf(data,
101 "schannel: invalid path name for CA file '%s': %s",
102 ca_file,
103 Curl_winapi_strerror(GetLastError(), buffer, sizeof(buffer)));
104 result = CURLE_SSL_CACERT_BADFILE;
105 goto cleanup;
106 }
107
108 /*
109 * Read the CA file completely into memory before parsing it. This
110 * optimizes for the common case where the CA file will be relatively
111 * small ( < 1 MiB ).
112 */
113 ca_file_handle = CreateFile(ca_file_tstr,
114 GENERIC_READ,
115 FILE_SHARE_READ,
116 NULL,
117 OPEN_EXISTING,
118 FILE_ATTRIBUTE_NORMAL,
119 NULL);
120 if(ca_file_handle == INVALID_HANDLE_VALUE) {
121 char buffer[STRERROR_LEN];
122 failf(data,
123 "schannel: failed to open CA file '%s': %s",
124 ca_file,
125 Curl_winapi_strerror(GetLastError(), buffer, sizeof(buffer)));
126 result = CURLE_SSL_CACERT_BADFILE;
127 goto cleanup;
128 }
129
130 if(!GetFileSizeEx(ca_file_handle, &file_size)) {
131 char buffer[STRERROR_LEN];
132 failf(data,
133 "schannel: failed to determine size of CA file '%s': %s",
134 ca_file,
135 Curl_winapi_strerror(GetLastError(), buffer, sizeof(buffer)));
136 result = CURLE_SSL_CACERT_BADFILE;
137 goto cleanup;
138 }
139
140 if(file_size.QuadPart > MAX_CAFILE_SIZE) {
141 failf(data,
142 "schannel: CA file exceeds max size of %u bytes",
143 MAX_CAFILE_SIZE);
144 result = CURLE_SSL_CACERT_BADFILE;
145 goto cleanup;
146 }
147
148 ca_file_bufsize = (size_t)file_size.QuadPart;
149 ca_file_buffer = (char *)malloc(ca_file_bufsize + 1);
150 if(!ca_file_buffer) {
151 result = CURLE_OUT_OF_MEMORY;
152 goto cleanup;
153 }
154
155 result = CURLE_OK;
156 while(total_bytes_read < ca_file_bufsize) {
157 DWORD bytes_to_read = (DWORD)(ca_file_bufsize - total_bytes_read);
158 DWORD bytes_read = 0;
159
160 if(!ReadFile(ca_file_handle, ca_file_buffer + total_bytes_read,
161 bytes_to_read, &bytes_read, NULL)) {
162 char buffer[STRERROR_LEN];
163 failf(data,
164 "schannel: failed to read from CA file '%s': %s",
165 ca_file,
166 Curl_winapi_strerror(GetLastError(), buffer, sizeof(buffer)));
167 result = CURLE_SSL_CACERT_BADFILE;
168 goto cleanup;
169 }
170 if(bytes_read == 0) {
171 /* Premature EOF -- adjust the bufsize to the new value */
172 ca_file_bufsize = total_bytes_read;
173 }
174 else {
175 total_bytes_read += bytes_read;
176 }
177 }
178
179 /* Null terminate the buffer */
180 ca_file_buffer[ca_file_bufsize] = '\0';
181
182 if(result != CURLE_OK) {
183 goto cleanup;
184 }
185
186 END_CERT_LEN = strlen(END_CERT);
187
188 more_certs = 1;
189 current_ca_file_ptr = ca_file_buffer;
190 while(more_certs && *current_ca_file_ptr != '\0') {
191 char *begin_cert_ptr = strstr(current_ca_file_ptr, BEGIN_CERT);
192 if(!begin_cert_ptr || !is_cr_or_lf(begin_cert_ptr[strlen(BEGIN_CERT)])) {
193 more_certs = 0;
194 }
195 else {
196 char *end_cert_ptr = strstr(begin_cert_ptr, END_CERT);
197 if(!end_cert_ptr) {
198 failf(data,
199 "schannel: CA file '%s' is not correctly formatted",
200 ca_file);
201 result = CURLE_SSL_CACERT_BADFILE;
202 more_certs = 0;
203 }
204 else {
205 CERT_BLOB cert_blob;
206 CERT_CONTEXT *cert_context = NULL;
207 BOOL add_cert_result = FALSE;
208 DWORD actual_content_type = 0;
209 DWORD cert_size = (DWORD)
210 ((end_cert_ptr + END_CERT_LEN) - begin_cert_ptr);
211
212 cert_blob.pbData = (BYTE *)begin_cert_ptr;
213 cert_blob.cbData = cert_size;
214 if(!CryptQueryObject(CERT_QUERY_OBJECT_BLOB,
215 &cert_blob,
216 CERT_QUERY_CONTENT_FLAG_CERT,
217 CERT_QUERY_FORMAT_FLAG_ALL,
218 0,
219 NULL,
220 &actual_content_type,
221 NULL,
222 NULL,
223 NULL,
224 (const void **)&cert_context)) {
225 char buffer[STRERROR_LEN];
226 failf(data,
227 "schannel: failed to extract certificate from CA file "
228 "'%s': %s",
229 ca_file,
230 Curl_winapi_strerror(GetLastError(), buffer, sizeof(buffer)));
231 result = CURLE_SSL_CACERT_BADFILE;
232 more_certs = 0;
233 }
234 else {
235 current_ca_file_ptr = begin_cert_ptr + cert_size;
236
237 /* Sanity check that the cert_context object is the right type */
238 if(CERT_QUERY_CONTENT_CERT != actual_content_type) {
239 failf(data,
240 "schannel: unexpected content type '%d' when extracting "
241 "certificate from CA file '%s'",
242 actual_content_type, ca_file);
243 result = CURLE_SSL_CACERT_BADFILE;
244 more_certs = 0;
245 }
246 else {
247 add_cert_result =
248 CertAddCertificateContextToStore(trust_store,
249 cert_context,
250 CERT_STORE_ADD_ALWAYS,
251 NULL);
252 CertFreeCertificateContext(cert_context);
253 if(!add_cert_result) {
254 char buffer[STRERROR_LEN];
255 failf(data,
256 "schannel: failed to add certificate from CA file '%s' "
257 "to certificate store: %s",
258 ca_file,
259 Curl_winapi_strerror(GetLastError(), buffer,
260 sizeof(buffer)));
261 result = CURLE_SSL_CACERT_BADFILE;
262 more_certs = 0;
263 }
264 else {
265 num_certs++;
266 }
267 }
268 }
269 }
270 }
271 }
272
273 if(result == CURLE_OK) {
274 if(!num_certs) {
275 infof(data,
276 "schannel: did not add any certificates from CA file '%s'\n",
277 ca_file);
278 }
279 else {
280 infof(data,
281 "schannel: added %d certificate(s) from CA file '%s'\n",
282 num_certs, ca_file);
283 }
284 }
285
286 cleanup:
287 if(ca_file_handle != INVALID_HANDLE_VALUE) {
288 CloseHandle(ca_file_handle);
289 }
290 Curl_safefree(ca_file_buffer);
291 curlx_unicodefree(ca_file_tstr);
292
293 return result;
294 }
295
296 /*
297 * Returns the number of characters necessary to populate all the host_names.
298 * If host_names is not NULL, populate it with all the host names. Each string
299 * in the host_names is null-terminated and the last string is double
300 * null-terminated. If no DNS names are found, a single null-terminated empty
301 * string is returned.
302 */
cert_get_name_string(struct Curl_easy * data,CERT_CONTEXT * cert_context,LPTSTR host_names,DWORD length)303 static DWORD cert_get_name_string(struct Curl_easy *data,
304 CERT_CONTEXT *cert_context,
305 LPTSTR host_names,
306 DWORD length)
307 {
308 DWORD actual_length = 0;
309 BOOL compute_content = FALSE;
310 CERT_INFO *cert_info = NULL;
311 CERT_EXTENSION *extension = NULL;
312 CRYPT_DECODE_PARA decode_para = {0, 0, 0};
313 CERT_ALT_NAME_INFO *alt_name_info = NULL;
314 DWORD alt_name_info_size = 0;
315 BOOL ret_val = FALSE;
316 LPTSTR current_pos = NULL;
317 DWORD i;
318
319 /* CERT_NAME_SEARCH_ALL_NAMES_FLAG is available from Windows 8 onwards. */
320 if(curlx_verify_windows_version(6, 2, PLATFORM_WINNT,
321 VERSION_GREATER_THAN_EQUAL)) {
322 #ifdef CERT_NAME_SEARCH_ALL_NAMES_FLAG
323 /* CertGetNameString will provide the 8-bit character string without
324 * any decoding */
325 DWORD name_flags =
326 CERT_NAME_DISABLE_IE4_UTF8_FLAG | CERT_NAME_SEARCH_ALL_NAMES_FLAG;
327 actual_length = CertGetNameString(cert_context,
328 CERT_NAME_DNS_TYPE,
329 name_flags,
330 NULL,
331 host_names,
332 length);
333 return actual_length;
334 #endif
335 }
336
337 compute_content = host_names != NULL && length != 0;
338
339 /* Initialize default return values. */
340 actual_length = 1;
341 if(compute_content) {
342 *host_names = '\0';
343 }
344
345 if(!cert_context) {
346 failf(data, "schannel: Null certificate context.");
347 return actual_length;
348 }
349
350 cert_info = cert_context->pCertInfo;
351 if(!cert_info) {
352 failf(data, "schannel: Null certificate info.");
353 return actual_length;
354 }
355
356 extension = CertFindExtension(szOID_SUBJECT_ALT_NAME2,
357 cert_info->cExtension,
358 cert_info->rgExtension);
359 if(!extension) {
360 failf(data, "schannel: CertFindExtension() returned no extension.");
361 return actual_length;
362 }
363
364 decode_para.cbSize = sizeof(CRYPT_DECODE_PARA);
365
366 ret_val =
367 CryptDecodeObjectEx(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
368 szOID_SUBJECT_ALT_NAME2,
369 extension->Value.pbData,
370 extension->Value.cbData,
371 CRYPT_DECODE_ALLOC_FLAG | CRYPT_DECODE_NOCOPY_FLAG,
372 &decode_para,
373 &alt_name_info,
374 &alt_name_info_size);
375 if(!ret_val) {
376 failf(data,
377 "schannel: CryptDecodeObjectEx() returned no alternate name "
378 "information.");
379 return actual_length;
380 }
381
382 current_pos = host_names;
383
384 /* Iterate over the alternate names and populate host_names. */
385 for(i = 0; i < alt_name_info->cAltEntry; i++) {
386 const CERT_ALT_NAME_ENTRY *entry = &alt_name_info->rgAltEntry[i];
387 wchar_t *dns_w = NULL;
388 size_t current_length = 0;
389
390 if(entry->dwAltNameChoice != CERT_ALT_NAME_DNS_NAME) {
391 continue;
392 }
393 if(entry->pwszDNSName == NULL) {
394 infof(data, "schannel: Empty DNS name.");
395 continue;
396 }
397 current_length = wcslen(entry->pwszDNSName) + 1;
398 if(!compute_content) {
399 actual_length += (DWORD)current_length;
400 continue;
401 }
402 /* Sanity check to prevent buffer overrun. */
403 if((actual_length + current_length) > length) {
404 failf(data, "schannel: Not enough memory to list all host names.");
405 break;
406 }
407 dns_w = entry->pwszDNSName;
408 /* pwszDNSName is in ia5 string format and hence doesn't contain any
409 * non-ascii characters. */
410 while(*dns_w != '\0') {
411 *current_pos++ = (char)(*dns_w++);
412 }
413 *current_pos++ = '\0';
414 actual_length += (DWORD)current_length;
415 }
416 if(compute_content) {
417 /* Last string has double null-terminator. */
418 *current_pos = '\0';
419 }
420 return actual_length;
421 }
422
verify_host(struct Curl_easy * data,CERT_CONTEXT * pCertContextServer,const char * const conn_hostname)423 static CURLcode verify_host(struct Curl_easy *data,
424 CERT_CONTEXT *pCertContextServer,
425 const char * const conn_hostname)
426 {
427 CURLcode result = CURLE_PEER_FAILED_VERIFICATION;
428 TCHAR *cert_hostname_buff = NULL;
429 size_t cert_hostname_buff_index = 0;
430 DWORD len = 0;
431 DWORD actual_len = 0;
432
433 /* Determine the size of the string needed for the cert hostname */
434 len = cert_get_name_string(data, pCertContextServer, NULL, 0);
435 if(len == 0) {
436 failf(data,
437 "schannel: CertGetNameString() returned no "
438 "certificate name information");
439 result = CURLE_PEER_FAILED_VERIFICATION;
440 goto cleanup;
441 }
442
443 /* CertGetNameString guarantees that the returned name will not contain
444 * embedded null bytes. This appears to be undocumented behavior.
445 */
446 cert_hostname_buff = (LPTSTR)malloc(len * sizeof(TCHAR));
447 if(!cert_hostname_buff) {
448 result = CURLE_OUT_OF_MEMORY;
449 goto cleanup;
450 }
451 actual_len = cert_get_name_string(
452 data, pCertContextServer, (LPTSTR)cert_hostname_buff, len);
453
454 /* Sanity check */
455 if(actual_len != len) {
456 failf(data,
457 "schannel: CertGetNameString() returned certificate "
458 "name information of unexpected size");
459 result = CURLE_PEER_FAILED_VERIFICATION;
460 goto cleanup;
461 }
462
463 /* If HAVE_CERT_NAME_SEARCH_ALL_NAMES is available, the output
464 * will contain all DNS names, where each name is null-terminated
465 * and the last DNS name is double null-terminated. Due to this
466 * encoding, use the length of the buffer to iterate over all names.
467 */
468 result = CURLE_PEER_FAILED_VERIFICATION;
469 while(cert_hostname_buff_index < len &&
470 cert_hostname_buff[cert_hostname_buff_index] != TEXT('\0') &&
471 result == CURLE_PEER_FAILED_VERIFICATION) {
472
473 char *cert_hostname;
474
475 /* Comparing the cert name and the connection hostname encoded as UTF-8
476 * is acceptable since both values are assumed to use ASCII
477 * (or some equivalent) encoding
478 */
479 cert_hostname = curlx_convert_tchar_to_UTF8(
480 &cert_hostname_buff[cert_hostname_buff_index]);
481 if(!cert_hostname) {
482 result = CURLE_OUT_OF_MEMORY;
483 }
484 else {
485 int match_result;
486
487 match_result = Curl_cert_hostcheck(cert_hostname, conn_hostname);
488 if(match_result == CURL_HOST_MATCH) {
489 infof(data,
490 "schannel: connection hostname (%s) validated "
491 "against certificate name (%s)\n",
492 conn_hostname, cert_hostname);
493 result = CURLE_OK;
494 }
495 else {
496 size_t cert_hostname_len;
497
498 infof(data,
499 "schannel: connection hostname (%s) did not match "
500 "against certificate name (%s)\n",
501 conn_hostname, cert_hostname);
502
503 cert_hostname_len = _tcslen(
504 &cert_hostname_buff[cert_hostname_buff_index]);
505
506 /* Move on to next cert name */
507 cert_hostname_buff_index += cert_hostname_len + 1;
508
509 result = CURLE_PEER_FAILED_VERIFICATION;
510 }
511 curlx_unicodefree(cert_hostname);
512 }
513 }
514
515 if(result == CURLE_PEER_FAILED_VERIFICATION) {
516 failf(data,
517 "schannel: CertGetNameString() failed to match "
518 "connection hostname (%s) against server certificate names",
519 conn_hostname);
520 }
521 else if(result != CURLE_OK)
522 failf(data, "schannel: server certificate name verification failed");
523
524 cleanup:
525 curlx_unicodefree(cert_hostname_buff);
526
527 return result;
528 }
529
Curl_verify_certificate(struct connectdata * conn,int sockindex)530 CURLcode Curl_verify_certificate(struct connectdata *conn, int sockindex)
531 {
532 SECURITY_STATUS sspi_status;
533 struct Curl_easy *data = conn->data;
534 struct ssl_connect_data *connssl = &conn->ssl[sockindex];
535 CURLcode result = CURLE_OK;
536 CERT_CONTEXT *pCertContextServer = NULL;
537 const CERT_CHAIN_CONTEXT *pChainContext = NULL;
538 HCERTCHAINENGINE cert_chain_engine = NULL;
539 HCERTSTORE trust_store = NULL;
540 #ifndef CURL_DISABLE_PROXY
541 const char * const conn_hostname = SSL_IS_PROXY() ?
542 conn->http_proxy.host.name :
543 conn->host.name;
544 #else
545 const char * const conn_hostname = conn->host.name;
546 #endif
547
548 sspi_status =
549 s_pSecFn->QueryContextAttributes(&BACKEND->ctxt->ctxt_handle,
550 SECPKG_ATTR_REMOTE_CERT_CONTEXT,
551 &pCertContextServer);
552
553 if((sspi_status != SEC_E_OK) || (pCertContextServer == NULL)) {
554 char buffer[STRERROR_LEN];
555 failf(data, "schannel: Failed to read remote certificate context: %s",
556 Curl_sspi_strerror(sspi_status, buffer, sizeof(buffer)));
557 result = CURLE_PEER_FAILED_VERIFICATION;
558 }
559
560 if(result == CURLE_OK && SSL_CONN_CONFIG(CAfile) &&
561 BACKEND->use_manual_cred_validation) {
562 /*
563 * Create a chain engine that uses the certificates in the CA file as
564 * trusted certificates. This is only supported on Windows 7+.
565 */
566
567 if(curlx_verify_windows_version(6, 1, PLATFORM_WINNT, VERSION_LESS_THAN)) {
568 failf(data, "schannel: this version of Windows is too old to support "
569 "certificate verification via CA bundle file.");
570 result = CURLE_SSL_CACERT_BADFILE;
571 }
572 else {
573 /* Open the certificate store */
574 trust_store = CertOpenStore(CERT_STORE_PROV_MEMORY,
575 0,
576 (HCRYPTPROV)NULL,
577 CERT_STORE_CREATE_NEW_FLAG,
578 NULL);
579 if(!trust_store) {
580 char buffer[STRERROR_LEN];
581 failf(data, "schannel: failed to create certificate store: %s",
582 Curl_winapi_strerror(GetLastError(), buffer, sizeof(buffer)));
583 result = CURLE_SSL_CACERT_BADFILE;
584 }
585 else {
586 result = add_certs_to_store(trust_store, SSL_CONN_CONFIG(CAfile),
587 conn);
588 }
589 }
590
591 if(result == CURLE_OK) {
592 struct cert_chain_engine_config_win7 engine_config;
593 BOOL create_engine_result;
594
595 memset(&engine_config, 0, sizeof(engine_config));
596 engine_config.cbSize = sizeof(engine_config);
597 engine_config.hExclusiveRoot = trust_store;
598
599 /* CertCreateCertificateChainEngine will check the expected size of the
600 * CERT_CHAIN_ENGINE_CONFIG structure and fail if the specified size
601 * does not match the expected size. When this occurs, it indicates that
602 * CAINFO is not supported on the version of Windows in use.
603 */
604 create_engine_result =
605 CertCreateCertificateChainEngine(
606 (CERT_CHAIN_ENGINE_CONFIG *)&engine_config, &cert_chain_engine);
607 if(!create_engine_result) {
608 char buffer[STRERROR_LEN];
609 failf(data,
610 "schannel: failed to create certificate chain engine: %s",
611 Curl_winapi_strerror(GetLastError(), buffer, sizeof(buffer)));
612 result = CURLE_SSL_CACERT_BADFILE;
613 }
614 }
615 }
616
617 if(result == CURLE_OK) {
618 CERT_CHAIN_PARA ChainPara;
619
620 memset(&ChainPara, 0, sizeof(ChainPara));
621 ChainPara.cbSize = sizeof(ChainPara);
622
623 if(!CertGetCertificateChain(cert_chain_engine,
624 pCertContextServer,
625 NULL,
626 pCertContextServer->hCertStore,
627 &ChainPara,
628 (data->set.ssl.no_revoke ? 0 :
629 CERT_CHAIN_REVOCATION_CHECK_CHAIN),
630 NULL,
631 &pChainContext)) {
632 char buffer[STRERROR_LEN];
633 failf(data, "schannel: CertGetCertificateChain failed: %s",
634 Curl_winapi_strerror(GetLastError(), buffer, sizeof(buffer)));
635 pChainContext = NULL;
636 result = CURLE_PEER_FAILED_VERIFICATION;
637 }
638
639 if(result == CURLE_OK) {
640 CERT_SIMPLE_CHAIN *pSimpleChain = pChainContext->rgpChain[0];
641 DWORD dwTrustErrorMask = ~(DWORD)(CERT_TRUST_IS_NOT_TIME_NESTED);
642 dwTrustErrorMask &= pSimpleChain->TrustStatus.dwErrorStatus;
643
644 if(data->set.ssl.revoke_best_effort) {
645 /* Ignore errors when root certificates are missing the revocation
646 * list URL, or when the list could not be downloaded because the
647 * server is currently unreachable. */
648 dwTrustErrorMask &= ~(DWORD)(CERT_TRUST_REVOCATION_STATUS_UNKNOWN |
649 CERT_TRUST_IS_OFFLINE_REVOCATION);
650 }
651
652 if(dwTrustErrorMask) {
653 if(dwTrustErrorMask & CERT_TRUST_IS_REVOKED)
654 failf(data, "schannel: CertGetCertificateChain trust error"
655 " CERT_TRUST_IS_REVOKED");
656 else if(dwTrustErrorMask & CERT_TRUST_IS_PARTIAL_CHAIN)
657 failf(data, "schannel: CertGetCertificateChain trust error"
658 " CERT_TRUST_IS_PARTIAL_CHAIN");
659 else if(dwTrustErrorMask & CERT_TRUST_IS_UNTRUSTED_ROOT)
660 failf(data, "schannel: CertGetCertificateChain trust error"
661 " CERT_TRUST_IS_UNTRUSTED_ROOT");
662 else if(dwTrustErrorMask & CERT_TRUST_IS_NOT_TIME_VALID)
663 failf(data, "schannel: CertGetCertificateChain trust error"
664 " CERT_TRUST_IS_NOT_TIME_VALID");
665 else if(dwTrustErrorMask & CERT_TRUST_REVOCATION_STATUS_UNKNOWN)
666 failf(data, "schannel: CertGetCertificateChain trust error"
667 " CERT_TRUST_REVOCATION_STATUS_UNKNOWN");
668 else
669 failf(data, "schannel: CertGetCertificateChain error mask: 0x%08x",
670 dwTrustErrorMask);
671 result = CURLE_PEER_FAILED_VERIFICATION;
672 }
673 }
674 }
675
676 if(result == CURLE_OK) {
677 if(SSL_CONN_CONFIG(verifyhost)) {
678 result = verify_host(conn->data, pCertContextServer, conn_hostname);
679 }
680 }
681
682 if(cert_chain_engine) {
683 CertFreeCertificateChainEngine(cert_chain_engine);
684 }
685
686 if(trust_store) {
687 CertCloseStore(trust_store, 0);
688 }
689
690 if(pChainContext)
691 CertFreeCertificateChain(pChainContext);
692
693 if(pCertContextServer)
694 CertFreeCertificateContext(pCertContextServer);
695
696 return result;
697 }
698
699 #endif /* HAS_MANUAL_VERIFY_API */
700 #endif /* USE_SCHANNEL */
701