Juan Lang : winhttp: Set callback to verify hostname with peer' s certificate.
Alexandre Julliard
julliard at winehq.org
Fri Dec 4 09:11:26 CST 2009
Module: wine
Branch: master
Commit: 48a7580135b03c270c2a6328cc4ba1df7b40fc2c
URL: http://source.winehq.org/git/wine.git/?a=commit;h=48a7580135b03c270c2a6328cc4ba1df7b40fc2c
Author: Juan Lang <juan.lang at gmail.com>
Date: Wed Dec 2 16:56:40 2009 -0800
winhttp: Set callback to verify hostname with peer's certificate.
---
dlls/winhttp/net.c | 41 +++++++++++++++++++++++++++++++++--------
1 files changed, 33 insertions(+), 8 deletions(-)
diff --git a/dlls/winhttp/net.c b/dlls/winhttp/net.c
index cf83f20..a86a5a6 100644
--- a/dlls/winhttp/net.c
+++ b/dlls/winhttp/net.c
@@ -110,9 +110,12 @@ MAKE_FUNCPTR( SSL_read );
MAKE_FUNCPTR( SSL_get_ex_new_index );
MAKE_FUNCPTR( SSL_get_ex_data );
MAKE_FUNCPTR( SSL_set_ex_data );
+MAKE_FUNCPTR( SSL_get_ex_data_X509_STORE_CTX_idx );
MAKE_FUNCPTR( SSL_get_verify_result );
MAKE_FUNCPTR( SSL_get_peer_certificate );
MAKE_FUNCPTR( SSL_CTX_set_default_verify_paths );
+MAKE_FUNCPTR( SSL_CTX_set_verify );
+MAKE_FUNCPTR( X509_STORE_CTX_get_ex_data );
MAKE_FUNCPTR( BIO_new_fp );
MAKE_FUNCPTR( CRYPTO_num_locks );
@@ -208,6 +211,19 @@ static int sock_get_error( int err )
return err;
}
+#ifdef SONAME_LIBSSL
+static int netconn_secure_verify( int preverify_ok, X509_STORE_CTX *ctx )
+{
+ SSL *ssl;
+ WCHAR *server;
+
+ ssl = pX509_STORE_CTX_get_ex_data( ctx, pSSL_get_ex_data_X509_STORE_CTX_idx() );
+ server = pSSL_get_ex_data( ssl, hostname_idx );
+ FIXME("verify %s\n", debugstr_w(server));
+ return preverify_ok;
+}
+#endif
+
BOOL netconn_init( netconn_t *conn, BOOL secure )
{
#if defined(SONAME_LIBSSL) && defined(SONAME_LIBCRYPTO)
@@ -261,9 +277,12 @@ BOOL netconn_init( netconn_t *conn, BOOL secure )
LOAD_FUNCPTR( SSL_get_ex_new_index );
LOAD_FUNCPTR( SSL_get_ex_data );
LOAD_FUNCPTR( SSL_set_ex_data );
+ LOAD_FUNCPTR( SSL_get_ex_data_X509_STORE_CTX_idx );
LOAD_FUNCPTR( SSL_get_verify_result );
LOAD_FUNCPTR( SSL_get_peer_certificate );
LOAD_FUNCPTR( SSL_CTX_set_default_verify_paths );
+ LOAD_FUNCPTR( SSL_CTX_set_verify );
+ LOAD_FUNCPTR( X509_STORE_CTX_get_ex_data );
#undef LOAD_FUNCPTR
#define LOAD_FUNCPTR(x) \
@@ -297,6 +316,14 @@ BOOL netconn_init( netconn_t *conn, BOOL secure )
return FALSE;
}
hostname_idx = pSSL_get_ex_new_index( 0, (void *)"hostname index", NULL, NULL, NULL );
+ if (hostname_idx == -1)
+ {
+ ERR("SSL_get_ex_new_index failed: %s\n", pERR_error_string( pERR_get_error(), 0 ));
+ set_last_error( ERROR_OUTOFMEMORY );
+ LeaveCriticalSection( &init_ssl_cs );
+ return FALSE;
+ }
+ pSSL_CTX_set_verify( ctx, SSL_VERIFY_PEER, netconn_secure_verify );
pCRYPTO_set_id_callback(ssl_thread_id);
num_ssl_locks = pCRYPTO_num_locks();
@@ -429,7 +456,6 @@ BOOL netconn_connect( netconn_t *conn, const struct sockaddr *sockaddr, unsigned
BOOL netconn_secure_connect( netconn_t *conn, WCHAR *hostname )
{
#ifdef SONAME_LIBSSL
- X509 *cert;
long res;
if (!(conn->ssl_conn = pSSL_new( ctx )))
@@ -438,22 +464,21 @@ BOOL netconn_secure_connect( netconn_t *conn, WCHAR *hostname )
set_last_error( ERROR_OUTOFMEMORY );
goto fail;
}
- if (!pSSL_set_fd( conn->ssl_conn, conn->socket ))
+ if (!pSSL_set_ex_data( conn->ssl_conn, hostname_idx, hostname ))
{
- ERR("SSL_set_fd failed: %s\n", pERR_error_string( pERR_get_error(), 0 ));
+ ERR("SSL_set_ex_data failed: %s\n", pERR_error_string( pERR_get_error(), 0 ));
set_last_error( ERROR_WINHTTP_SECURE_CHANNEL_ERROR );
goto fail;
}
- if (pSSL_connect( conn->ssl_conn ) <= 0)
+ if (!pSSL_set_fd( conn->ssl_conn, conn->socket ))
{
- ERR("SSL_connect failed: %s\n", pERR_error_string( pERR_get_error(), 0 ));
+ ERR("SSL_set_fd failed: %s\n", pERR_error_string( pERR_get_error(), 0 ));
set_last_error( ERROR_WINHTTP_SECURE_CHANNEL_ERROR );
goto fail;
}
- pSSL_set_ex_data( conn->ssl_conn, hostname_idx, hostname );
- if (!(cert = pSSL_get_peer_certificate( conn->ssl_conn )))
+ if (pSSL_connect( conn->ssl_conn ) <= 0)
{
- ERR("No certificate for server: %s\n", pERR_error_string( pERR_get_error(), 0 ));
+ ERR("SSL_connect failed: %s\n", pERR_error_string( pERR_get_error(), 0 ));
set_last_error( ERROR_WINHTTP_SECURE_CHANNEL_ERROR );
goto fail;
}
More information about the wine-cvs
mailing list