Juan Lang : winhttp: Set callback to verify hostname with peer' s certificate.

Alexandre Julliard julliard at winehq.org
Fri Dec 4 09:11:26 CST 2009


Module: wine
Branch: master
Commit: 48a7580135b03c270c2a6328cc4ba1df7b40fc2c
URL:    http://source.winehq.org/git/wine.git/?a=commit;h=48a7580135b03c270c2a6328cc4ba1df7b40fc2c

Author: Juan Lang <juan.lang at gmail.com>
Date:   Wed Dec  2 16:56:40 2009 -0800

winhttp: Set callback to verify hostname with peer's certificate.

---

 dlls/winhttp/net.c |   41 +++++++++++++++++++++++++++++++++--------
 1 files changed, 33 insertions(+), 8 deletions(-)

diff --git a/dlls/winhttp/net.c b/dlls/winhttp/net.c
index cf83f20..a86a5a6 100644
--- a/dlls/winhttp/net.c
+++ b/dlls/winhttp/net.c
@@ -110,9 +110,12 @@ MAKE_FUNCPTR( SSL_read );
 MAKE_FUNCPTR( SSL_get_ex_new_index );
 MAKE_FUNCPTR( SSL_get_ex_data );
 MAKE_FUNCPTR( SSL_set_ex_data );
+MAKE_FUNCPTR( SSL_get_ex_data_X509_STORE_CTX_idx );
 MAKE_FUNCPTR( SSL_get_verify_result );
 MAKE_FUNCPTR( SSL_get_peer_certificate );
 MAKE_FUNCPTR( SSL_CTX_set_default_verify_paths );
+MAKE_FUNCPTR( SSL_CTX_set_verify );
+MAKE_FUNCPTR( X509_STORE_CTX_get_ex_data );
 
 MAKE_FUNCPTR( BIO_new_fp );
 MAKE_FUNCPTR( CRYPTO_num_locks );
@@ -208,6 +211,19 @@ static int sock_get_error( int err )
     return err;
 }
 
+#ifdef SONAME_LIBSSL
+static int netconn_secure_verify( int preverify_ok, X509_STORE_CTX *ctx )
+{
+    SSL *ssl;
+    WCHAR *server;
+
+    ssl = pX509_STORE_CTX_get_ex_data( ctx, pSSL_get_ex_data_X509_STORE_CTX_idx() );
+    server = pSSL_get_ex_data( ssl, hostname_idx );
+    FIXME("verify %s\n", debugstr_w(server));
+    return preverify_ok;
+}
+#endif
+
 BOOL netconn_init( netconn_t *conn, BOOL secure )
 {
 #if defined(SONAME_LIBSSL) && defined(SONAME_LIBCRYPTO)
@@ -261,9 +277,12 @@ BOOL netconn_init( netconn_t *conn, BOOL secure )
     LOAD_FUNCPTR( SSL_get_ex_new_index );
     LOAD_FUNCPTR( SSL_get_ex_data );
     LOAD_FUNCPTR( SSL_set_ex_data );
+    LOAD_FUNCPTR( SSL_get_ex_data_X509_STORE_CTX_idx );
     LOAD_FUNCPTR( SSL_get_verify_result );
     LOAD_FUNCPTR( SSL_get_peer_certificate );
     LOAD_FUNCPTR( SSL_CTX_set_default_verify_paths );
+    LOAD_FUNCPTR( SSL_CTX_set_verify );
+    LOAD_FUNCPTR( X509_STORE_CTX_get_ex_data );
 #undef LOAD_FUNCPTR
 
 #define LOAD_FUNCPTR(x) \
@@ -297,6 +316,14 @@ BOOL netconn_init( netconn_t *conn, BOOL secure )
         return FALSE;
     }
     hostname_idx = pSSL_get_ex_new_index( 0, (void *)"hostname index", NULL, NULL, NULL );
+    if (hostname_idx == -1)
+    {
+        ERR("SSL_get_ex_new_index failed: %s\n", pERR_error_string( pERR_get_error(), 0 ));
+        set_last_error( ERROR_OUTOFMEMORY );
+        LeaveCriticalSection( &init_ssl_cs );
+        return FALSE;
+    }
+    pSSL_CTX_set_verify( ctx, SSL_VERIFY_PEER, netconn_secure_verify );
 
     pCRYPTO_set_id_callback(ssl_thread_id);
     num_ssl_locks = pCRYPTO_num_locks();
@@ -429,7 +456,6 @@ BOOL netconn_connect( netconn_t *conn, const struct sockaddr *sockaddr, unsigned
 BOOL netconn_secure_connect( netconn_t *conn, WCHAR *hostname )
 {
 #ifdef SONAME_LIBSSL
-    X509 *cert;
     long res;
 
     if (!(conn->ssl_conn = pSSL_new( ctx )))
@@ -438,22 +464,21 @@ BOOL netconn_secure_connect( netconn_t *conn, WCHAR *hostname )
         set_last_error( ERROR_OUTOFMEMORY );
         goto fail;
     }
-    if (!pSSL_set_fd( conn->ssl_conn, conn->socket ))
+    if (!pSSL_set_ex_data( conn->ssl_conn, hostname_idx, hostname ))
     {
-        ERR("SSL_set_fd failed: %s\n", pERR_error_string( pERR_get_error(), 0 ));
+        ERR("SSL_set_ex_data failed: %s\n", pERR_error_string( pERR_get_error(), 0 ));
         set_last_error( ERROR_WINHTTP_SECURE_CHANNEL_ERROR );
         goto fail;
     }
-    if (pSSL_connect( conn->ssl_conn ) <= 0)
+    if (!pSSL_set_fd( conn->ssl_conn, conn->socket ))
     {
-        ERR("SSL_connect failed: %s\n", pERR_error_string( pERR_get_error(), 0 ));
+        ERR("SSL_set_fd failed: %s\n", pERR_error_string( pERR_get_error(), 0 ));
         set_last_error( ERROR_WINHTTP_SECURE_CHANNEL_ERROR );
         goto fail;
     }
-    pSSL_set_ex_data( conn->ssl_conn, hostname_idx, hostname );
-    if (!(cert = pSSL_get_peer_certificate( conn->ssl_conn )))
+    if (pSSL_connect( conn->ssl_conn ) <= 0)
     {
-        ERR("No certificate for server: %s\n", pERR_error_string( pERR_get_error(), 0 ));
+        ERR("SSL_connect failed: %s\n", pERR_error_string( pERR_get_error(), 0 ));
         set_last_error( ERROR_WINHTTP_SECURE_CHANNEL_ERROR );
         goto fail;
     }




More information about the wine-cvs mailing list