
Commit 4d59012

[ssl] use win32 apis to verify certificates
1 parent f5e5223 commit 4d59012

1 file changed

+41
-0
lines changed


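--- a/libs/ssl/ssl.c
+++ b/libs/ssl/ssl.c
@@ -234,6 +234,46 @@ DEFINE_PRIM(_I32, ssl_send, TSSL _BYTES _I32 _I32);
 DEFINE_PRIM(_I32, ssl_recv_char, TSSL);
 DEFINE_PRIM(_I32, ssl_recv, TSSL _BYTES _I32 _I32);
 
+static int verify_callback(void* param, mbedtls_x509_crt *crt, int depth, uint32_t *flags) {
+if(depth == 0) {
+HCERTSTORE store = CertOpenStore(CERT_STORE_PROV_MEMORY, 0, 0, CERT_STORE_DEFER_CLOSE_UNTIL_LAST_FREE_FLAG, NULL);
+if(store == NULL) {
+// handle error
+}
+PCCERT_CONTEXT primary_context = {0};
+if(!CertAddEncodedCertificateToStore(store, X509_ASN_ENCODING, crt->raw.p, crt->raw.len, CERT_STORE_ADD_ALWAYS, &primary_context)) {
+return MBEDTLS_ERR_X509_FATAL_ERROR;
+}
+while(crt->next) {
+crt = crt->next;
+PCCERT_CONTEXT ctx = {0};
+if (!CertAddEncodedCertificateToStore(store, X509_ASN_ENCODING, crt->raw.p, crt->raw.len, CERT_STORE_ADD_ALWAYS, &ctx))
+{
+return MBEDTLS_ERR_X509_FATAL_ERROR;
+}
+CertFreeCertificateContext(ctx);
+}
+PCCERT_CHAIN_CONTEXT chain_context = {0};
+PCERT_CHAIN_PARA parameters = {0};
+if(!CertGetCertificateChain(NULL, primary_context, NULL, store, parameters, 0, NULL, &chain_context)) {
+return MBEDTLS_ERR_X509_FATAL_ERROR;
+}
+PCERT_CHAIN_POLICY_PARA policy_parameters = {0};
+CERT_CHAIN_POLICY_STATUS policy_status = {0};
+if(!CertVerifyCertificateChainPolicy(CERT_CHAIN_POLICY_SSL, chain_context, policy_parameters, &policy_status)) {
+return MBEDTLS_ERR_X509_FATAL_ERROR;
+}
+if(policy_status.dwError != 0) {
+// TODO: properly map errors
+*flags |= MBEDTLS_X509_BADCERT_OTHER;
+}
+CertFreeCertificateChain(chain_context);
+CertFreeCertificateContext(primary_context);
+CertCloseStore(store, 0);
+}
+return 0;
+}
+
 HL_PRIM mbedtls_ssl_config *HL_NAME(conf_new)(bool server) {
 int ret;
 mbedtls_ssl_config *conf;
@@ -245,6 +285,7 @@ HL_PRIM mbedtls_ssl_config *HL_NAME(conf_new)(bool server) {
 ssl_error(ret);
 return NULL;
 }
+mbedtls_ssl_conf_verify(conf, verify_callback, NULL);
 mbedtls_ssl_conf_rng(conf, mbedtls_ctr_drbg_random, &ctr_drbg);
 return conf;
 }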
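Review bot: The `store == NULL` branch in verify_callback (new lines 240-242) holds only a `// handle error` comment and falls through, so a failed CertOpenStore is handed to CertAddEncodedCertificateToStore, and each later `return MBEDTLS_ERR_X509_FATAL_ERROR` (244, 252, 259, 264) leaks the store, primary_context and, at 264, chain_context. `parameters` (257) and `policy_parameters` (261) are declared as the pointer typedefs `PCERT_CHAIN_PARA`/`PCERT_CHAIN_POLICY_PARA` initialised to NULL rather than as `CERT_CHAIN_PARA`/`CERT_CHAIN_POLICY_PARA` structs with `cbSize` set, which CertGetCertificateChain requires for pChainPara, and `policy_status.cbSize` is likewise left at 0. Nothing is supplied in pvExtraPolicyPara and dwFlags is 0, so the CERT_CHAIN_POLICY_SSL check here performs no server-name match and requests no revocation checking; since the callback only ORs into `*flags` and never clears them, mbedtls's own checks presumably still apply, but that reliance deserves a comment such as `// Win32 chain check supplements, not replaces, mbedtls verification (hostname/CA flags are never cleared here)`. The registration at line 288 in conf_new (second hunk) is unconditional, so if ssl.c is also built for non-Windows targets both hunks need a platform guard — not determinable from this page. The rewrite below keeps the error-mapping TODO and routes every failure through one cleanup label.
```c
static int verify_callback(void* param, mbedtls_x509_crt *crt, int depth, uint32_t *flags) {
    int ret = MBEDTLS_ERR_X509_FATAL_ERROR;
    if(depth != 0) {
        return 0;
    }
    HCERTSTORE store = CertOpenStore(CERT_STORE_PROV_MEMORY, 0, 0, CERT_STORE_DEFER_CLOSE_UNTIL_LAST_FREE_FLAG, NULL);
    if(store == NULL) {
        return MBEDTLS_ERR_X509_FATAL_ERROR;
    }
    PCCERT_CONTEXT primary_context = NULL;
    PCCERT_CHAIN_CONTEXT chain_context = NULL;
    if(!CertAddEncodedCertificateToStore(store, X509_ASN_ENCODING, crt->raw.p, crt->raw.len, CERT_STORE_ADD_ALWAYS, &primary_context)) {
        goto cleanup;
    }
    while(crt->next) {
        crt = crt->next;
        PCCERT_CONTEXT ctx = NULL;
        if(!CertAddEncodedCertificateToStore(store, X509_ASN_ENCODING, crt->raw.p, crt->raw.len, CERT_STORE_ADD_ALWAYS, &ctx)) {
            goto cleanup;
        }
        CertFreeCertificateContext(ctx);
    }
    CERT_CHAIN_PARA parameters = {0};
    parameters.cbSize = sizeof(parameters);
    if(!CertGetCertificateChain(NULL, primary_context, NULL, store, &parameters, 0, NULL, &chain_context)) {
        goto cleanup;
    }
    CERT_CHAIN_POLICY_PARA policy_parameters = {0};
    policy_parameters.cbSize = sizeof(policy_parameters);
    CERT_CHAIN_POLICY_STATUS policy_status = {0};
    policy_status.cbSize = sizeof(policy_status);
    if(!CertVerifyCertificateChainPolicy(CERT_CHAIN_POLICY_SSL, chain_context, &policy_parameters, &policy_status)) {
        goto cleanup;
    }
    if(policy_status.dwError != 0) {
        // TODO: properly map errors
        *flags |= MBEDTLS_X509_BADCERT_OTHER;
    }
    ret = 0;
cleanup:
    if(chain_context) CertFreeCertificateChain(chain_context);
    if(primary_context) CertFreeCertificateContext(primary_context);
    CertCloseStore(store, 0);
    return ret;
}
```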
