int curl_win32_ascii_to_idn(const char *in, char **out)
{
int ret = 0;
wchar_t *in_w = Curl_convert_UTF8_to_wchar(in);
if(in_w) {
wchar_t unicode[IDN_MAX_LENGTH];
int chars = IdnToUnicode(0, in_w, wcslen(in_w)+1, unicode, IDN_MAX_LENGTH);
free(in_w);
if(chars) {
*out = Curl_convert_wchar_to_UTF8(unicode);
if(*out)
ret = 1; /* success */
}
}
return ret;
}
int curl_win32_idn_to_ascii(const char *in, char **out)
{
int ret = 0;
wchar_t *in_w = Curl_convert_UTF8_to_wchar(in);
if(in_w) {
wchar_t punycode[IDN_MAX_LENGTH];
int chars = IdnToAscii(0, in_w, -1, punycode, IDN_MAX_LENGTH);
free(in_w);
if(chars) {
*out = Curl_convert_wchar_to_UTF8(punycode);
if(*out)
ret = 1; /* success */
}
}
return ret;
}
int curl_win32_ascii_to_idn(const char *in, size_t in_len, char **out_utf8)
{
(void)in_len; /* unused */
if(in) {
WCHAR unicode[IDN_MAX_LENGTH];
if(IdnToUnicode(0, (wchar_t *)in, -1, unicode, IDN_MAX_LENGTH) == 0) {
wprintf(L"ERROR %d converting to Punycode\n", GetLastError());
return 0;
}
else {
*out_utf8 = Curl_convert_wchar_to_UTF8(unicode);
if(!*out_utf8)
return 0;
}
}
return 1;
}
int curl_win32_idn_to_ascii(const char *in, char **out)
{
wchar_t *in_w = Curl_convert_UTF8_to_wchar(in);
if(in_w) {
wchar_t punycode[IDN_MAX_LENGTH];
if(IdnToAscii(0, in_w, -1, punycode, IDN_MAX_LENGTH) == 0) {
wprintf(L"ERROR %d converting to Punycode\n", GetLastError());
free(in_w);
return 0;
}
free(in_w);
*out = Curl_convert_wchar_to_UTF8(punycode);
if(!*out)
return 0;
}
return 1;
}
static CURLcode verify_certificate(struct connectdata *conn, int sockindex)
{
SECURITY_STATUS status;
struct SessionHandle *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
CURLcode result = CURLE_OK;
CERT_CONTEXT *pCertContextServer = NULL;
const CERT_CHAIN_CONTEXT *pChainContext = NULL;
status = s_pSecFn->QueryContextAttributes(&connssl->ctxt->ctxt_handle,
SECPKG_ATTR_REMOTE_CERT_CONTEXT,
&pCertContextServer);
if((status != SEC_E_OK) || (pCertContextServer == NULL)) {
failf(data, "schannel: Failed to read remote certificate context: %s",
Curl_sspi_strerror(conn, status));
result = CURLE_PEER_FAILED_VERIFICATION;
}
if(result == CURLE_OK) {
CERT_CHAIN_PARA ChainPara;
memset(&ChainPara, 0, sizeof(ChainPara));
ChainPara.cbSize = sizeof(ChainPara);
if(!CertGetCertificateChain(NULL,
pCertContextServer,
NULL,
pCertContextServer->hCertStore,
&ChainPara,
0,
NULL,
&pChainContext)) {
failf(data, "schannel: CertGetCertificateChain failed: %s",
Curl_sspi_strerror(conn, GetLastError()));
pChainContext = NULL;
result = CURLE_PEER_FAILED_VERIFICATION;
}
if(result == CURLE_OK) {
CERT_SIMPLE_CHAIN *pSimpleChain = pChainContext->rgpChain[0];
DWORD dwTrustErrorMask = ~(CERT_TRUST_IS_NOT_TIME_NESTED|
CERT_TRUST_REVOCATION_STATUS_UNKNOWN);
dwTrustErrorMask &= pSimpleChain->TrustStatus.dwErrorStatus;
if(dwTrustErrorMask) {
if(dwTrustErrorMask & CERT_TRUST_IS_PARTIAL_CHAIN)
failf(data, "schannel: CertGetCertificateChain trust error"
" CERT_TRUST_IS_PARTIAL_CHAIN");
if(dwTrustErrorMask & CERT_TRUST_IS_UNTRUSTED_ROOT)
failf(data, "schannel: CertGetCertificateChain trust error"
" CERT_TRUST_IS_UNTRUSTED_ROOT");
if(dwTrustErrorMask & CERT_TRUST_IS_NOT_TIME_VALID)
failf(data, "schannel: CertGetCertificateChain trust error"
" CERT_TRUST_IS_NOT_TIME_VALID");
failf(data, "schannel: CertGetCertificateChain error mask: 0x%08x",
dwTrustErrorMask);
result = CURLE_PEER_FAILED_VERIFICATION;
}
}
}
if(result == CURLE_OK) {
if(data->set.ssl.verifyhost == 1) {
infof(data, "warning: ignoring unsupported value (1) ssl.verifyhost\n");
}
else if(data->set.ssl.verifyhost == 2) {
WCHAR cert_hostname[128];
WCHAR *hostname = Curl_convert_UTF8_to_wchar(conn->host.name);
DWORD len;
len = CertGetNameStringW(pCertContextServer,
CERT_NAME_DNS_TYPE,
0,
NULL,
cert_hostname,
128);
if(len > 0 && cert_hostname[0] == '*') {
/* this is a wildcard cert. try matching the last len - 1 chars */
int hostname_len = strlen(conn->host.name);
if(wcsicmp(cert_hostname + 1, hostname + hostname_len - len + 2) != 0)
result = CURLE_PEER_FAILED_VERIFICATION;
}
else if(len == 0 || wcsicmp(hostname, cert_hostname) != 0) {
result = CURLE_PEER_FAILED_VERIFICATION;
}
if(result == CURLE_PEER_FAILED_VERIFICATION) {
const char *_cert_hostname;
_cert_hostname = Curl_convert_wchar_to_UTF8(cert_hostname);
failf(data, "schannel: CertGetNameString() certificate hostname "
"(%s) did not match connection (%s)",
_cert_hostname, conn->host.name);
Curl_safefree((void *)_cert_hostname);
}
Curl_safefree(hostname);
}
}
if(pChainContext)
CertFreeCertificateChain(pChainContext);
if(pCertContextServer)
CertFreeCertificateContext(pCertContextServer);
return result;
}
