Головна сторінка Огляд Довідка
Увійти
hp
/
godot
Слідкувати 1
Зірка 1
Відгалуження 0
Файли Проблеми 0 Запити на злиття 0 Wiki
Дерево: 1504c96112
Гілки Теги
godot
/
thirdparty
/
opus
/
wincerts.c

wincerts.c 6.1 KB
Історія Запис

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172 
  1. /********************************************************************
    2. 

  2.  *                                                                  *
    3. 

  3.  * THIS FILE IS PART OF THE libopusfile SOFTWARE CODEC SOURCE CODE. *
    4. 

  4.  * USE, DISTRIBUTION AND REPRODUCTION OF THIS LIBRARY SOURCE IS     *
    5. 

  5.  * GOVERNED BY A BSD-STYLE SOURCE LICENSE INCLUDED WITH THIS SOURCE *
    6. 

  6.  * IN 'COPYING'. PLEASE READ THESE TERMS BEFORE DISTRIBUTING.       *
    7. 

  7.  *                                                                  *
    8. 

  8.  * THE libopusfile SOURCE CODE IS (C) COPYRIGHT 2013                *
    9. 

  9.  * by the Xiph.Org Foundation and contributors http://www.xiph.org/ *
    10. 

  10.  *                                                                  *
    11. 

  11.  ********************************************************************/
    12. 

  12. 

  13. /*This should really be part of OpenSSL, but there's been a patch [1] sitting
    14. 

  14.    in their bugtracker for over two years that implements this, without any
    15. 

  15.    action, so I'm giving up and re-implementing it locally.
    16. 

  16. 

  17.   [1] <http://rt.openssl.org/Ticket/Display.html?id=2158>*/
    18. 

  18. 

  19. #ifdef HAVE_CONFIG_H
    20. 

  20. #include "config.h"
    21. 

  21. #endif
    22. 

  22. 

  23. #include "internal.h"
    24. 

  24. #if defined(OP_ENABLE_HTTP)&&defined(_WIN32)
    25. 

  25. /*You must include windows.h before wincrypt.h and x509.h.*/
    26. 

  26. # define WIN32_LEAN_AND_MEAN
    27. 

  27. # define WIN32_EXTRA_LEAN
    28. 

  28. # include <windows.h>
    29. 

  29. /*You must include wincrypt.h before x509.h, too, or X509_NAME doesn't get
    30. 

  30.    defined properly.*/
    31. 

  31. # include <wincrypt.h>
    32. 

  32. # include <openssl/ssl.h>
    33. 

  33. # include <openssl/err.h>
    34. 

  34. # include <openssl/x509.h>
    35. 

  35. 

  36. static int op_capi_new(X509_LOOKUP *_lu){
    37. 

  37.   HCERTSTORE h_store;
    38. 

  38.   h_store=CertOpenStore(CERT_STORE_PROV_SYSTEM_A,0,0,
    39. 

  39.    CERT_STORE_OPEN_EXISTING_FLAG|CERT_STORE_READONLY_FLAG|
    40. 

  40.    CERT_SYSTEM_STORE_CURRENT_USER|CERT_STORE_SHARE_CONTEXT_FLAG,"ROOT");
    41. 

  41.   if(h_store!=NULL){
    42. 

  42.     _lu->method_data=(char *)h_store;
    43. 

  43.     return 1;
    44. 

  44.   }
    45. 

  45.   return 0;
    46. 

  46. }
    47. 

  47. 

  48. static void op_capi_free(X509_LOOKUP *_lu){
    49. 

  49.   HCERTSTORE h_store;
    50. 

  50.   h_store=(HCERTSTORE)_lu->method_data;
    51. 

  51. # if defined(OP_ENABLE_ASSERTIONS)
    52. 

  52.   OP_ALWAYS_TRUE(CertCloseStore(h_store,CERT_CLOSE_STORE_CHECK_FLAG));
    53. 

  53. # else
    54. 

  54.   CertCloseStore(h_store,0);
    55. 

  55. # endif
    56. 

  56. }
    57. 

  57. 

  58. static int op_capi_retrieve_by_subject(X509_LOOKUP *_lu,int _type,
    59. 

  59.  X509_NAME *_name,X509_OBJECT *_ret){
    60. 

  60.   X509_OBJECT *obj;
    61. 

  61.   CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
    62. 

  62.   obj=X509_OBJECT_retrieve_by_subject(_lu->store_ctx->objs,_type,_name);
    63. 

  63.   CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
    64. 

  64.   if(obj!=NULL){
    65. 

  65.     _ret->type=obj->type;
    66. 

  66.     memcpy(&_ret->data,&obj->data,sizeof(_ret->data));
    67. 

  67.     return 1;
    68. 

  68.   }
    69. 

  69.   return 0;
    70. 

  70. }
    71. 

  71. 

  72. static int op_capi_get_by_subject(X509_LOOKUP *_lu,int _type,X509_NAME *_name,
    73. 

  73.  X509_OBJECT *_ret){
    74. 

  74.   HCERTSTORE h_store;
    75. 

  75.   if(_name==NULL)return 0;
    76. 

  76.   if(_name->bytes==NULL||_name->bytes->length<=0||_name->modified){
    77. 

  77.     if(i2d_X509_NAME(_name,NULL)<0)return 0;
    78. 

  78.     OP_ASSERT(_name->bytes->length>0);
    79. 

  79.   }
    80. 

  80.   h_store=(HCERTSTORE)_lu->method_data;
    81. 

  81.   switch(_type){
    82. 

  82.     case X509_LU_X509:{
    83. 

  83.       CERT_NAME_BLOB  find_para;
    84. 

  84.       PCCERT_CONTEXT  cert;
    85. 

  85.       X509           *x;
    86. 

  86.       int             ret;
    87. 

  87.       /*Although X509_NAME contains a canon_enc field, that "canonical" [1]
    88. 

  88.          encoding was just made up by OpenSSL.
    89. 

  89.         It doesn't correspond to any actual standard, and since it drops the
    90. 

  90.          initial sequence header, won't be recognized by the Crypto API.
    91. 

  91.         The assumption here is that CertFindCertificateInStore() will allow any
    92. 

  92.          appropriate variations in the encoding when it does its comparison.
    93. 

  93.         This is, however, emphatically not true under Wine, which just compares
    94. 

  94.          the encodings with memcmp().
    95. 

  95.         Most of the time things work anyway, though, and there isn't really
    96. 

  96.          anything we can do to make the situation better.
    97. 

  97. 

  98.         [1] A "canonical form" is defined as the one where, if you locked 10
    99. 

  99.          mathematicians in a room and asked them to come up with a
    100. 

  100.          representation for something, it's the answer that 9 of them would
    101. 

  101.          give you back.
    102. 

  102.         I don't think OpenSSL's encoding qualifies.*/
    103. 

  103.       find_para.cbData=_name->bytes->length;
    104. 

  104.       find_para.pbData=(unsigned char *)_name->bytes->data;
    105. 

  105.       cert=CertFindCertificateInStore(h_store,X509_ASN_ENCODING,0,
    106. 

  106.        CERT_FIND_SUBJECT_NAME,&find_para,NULL);
    107. 

  107.       if(cert==NULL)return 0;
    108. 

  108.       x=d2i_X509(NULL,(const unsigned char **)&cert->pbCertEncoded,
    109. 

  109.        cert->cbCertEncoded);
    110. 

  110.       CertFreeCertificateContext(cert);
    111. 

  111.       if(x==NULL)return 0;
    112. 

  112.       ret=X509_STORE_add_cert(_lu->store_ctx,x);
    113. 

  113.       X509_free(x);
    114. 

  114.       if(ret)return op_capi_retrieve_by_subject(_lu,_type,_name,_ret);
    115. 

  115.     }break;
    116. 

  116.     case X509_LU_CRL:{
    117. 

  117.       CERT_INFO      cert_info;
    118. 

  118.       CERT_CONTEXT   find_para;
    119. 

  119.       PCCRL_CONTEXT  crl;
    120. 

  120.       X509_CRL      *x;
    121. 

  121.       int            ret;
    122. 

  122.       ret=op_capi_retrieve_by_subject(_lu,_type,_name,_ret);
    123. 

  123.       if(ret>0)return ret;
    124. 

  124.       memset(&cert_info,0,sizeof(cert_info));
    125. 

  125.       cert_info.Issuer.cbData=_name->bytes->length;
    126. 

  126.       cert_info.Issuer.pbData=(unsigned char *)_name->bytes->data;
    127. 

  127.       memset(&find_para,0,sizeof(find_para));
    128. 

  128.       find_para.pCertInfo=&cert_info;
    129. 

  129.       crl=CertFindCRLInStore(h_store,0,0,CRL_FIND_ISSUED_BY,&find_para,NULL);
    130. 

  130.       if(crl==NULL)return 0;
    131. 

  131.       x=d2i_X509_CRL(NULL,(const unsigned char **)&crl->pbCrlEncoded,
    132. 

  132.        crl->cbCrlEncoded);
    133. 

  133.       CertFreeCRLContext(crl);
    134. 

  134.       if(x==NULL)return 0;
    135. 

  135.       ret=X509_STORE_add_crl(_lu->store_ctx,x);
    136. 

  136.       X509_CRL_free(x);
    137. 

  137.       if(ret)return op_capi_retrieve_by_subject(_lu,_type,_name,_ret);
    138. 

  138.     }break;
    139. 

  139.   }
    140. 

  140.   return 0;
    141. 

  141. }
    142. 

  142. 

  143. /*This is not const because OpenSSL doesn't allow it, even though it won't
    144. 

  144.    write to it.*/
    145. 

  145. static X509_LOOKUP_METHOD X509_LOOKUP_CAPI={
    146. 

  146.   "Load Crypto API store into cache",
    147. 

  147.   op_capi_new,
    148. 

  148.   op_capi_free,
    149. 

  149.   NULL,
    150. 

  150.   NULL,
    151. 

  151.   NULL,
    152. 

  152.   op_capi_get_by_subject,
    153. 

  153.   NULL,
    154. 

  154.   NULL,
    155. 

  155.   NULL
    156. 

  156. };
    157. 

  157. 

  158. int SSL_CTX_set_default_verify_paths_win32(SSL_CTX *_ssl_ctx){
    159. 

  159.   X509_STORE  *store;
    160. 

  160.   X509_LOOKUP *lu;
    161. 

  161.   /*We intentionally do not add the normal default paths, as they are usually
    162. 

  162.      wrong, and are just asking to be used as an exploit vector.*/
    163. 

  163.   store=SSL_CTX_get_cert_store(_ssl_ctx);
    164. 

  164.   OP_ASSERT(store!=NULL);
    165. 

  165.   lu=X509_STORE_add_lookup(store,&X509_LOOKUP_CAPI);
    166. 

  166.   if(lu==NULL)return 0;
    167. 

  167.   ERR_clear_error();
    168. 

  168.   return 1;
    169. 

  169. }
    170. 

  170. 

  171. #endif
    172. 

  172.