From fa7296cde16ca4a25f13d3f6c0d1dfde8a40e46c Mon Sep 17 00:00:00 2001
From: Joshua Yelon
Date: Fri, 18 Mar 2022 21:52:45 -0400
Subject: [PATCH] Certificate verification now works on windows using windows CA store

---
 luprex/core/Makefile | 2 +-
 luprex/core/cpp/driver-common.cpp | 2 ++
 luprex/core/cpp/driver-mingw.cpp | 28 ++++++++++++++++++++++++++++
 luprex/core/cpp/eng-tests.cpp | 4 ++--
 4 files changed, 33 insertions(+), 3 deletions(-)

diff --git a/luprex/core/Makefile b/luprex/core/Makefile
index 1d8ea952..e2c8d3bf 100644
--- a/luprex/core/Makefile
+++ b/luprex/core/Makefile
@@ -4,7 +4,7 @@ ifeq ($(OS),mingw)
   LIBS=-L../mingwlib -lssl -lcrypto -lws2_32 -lcrypt32 -lcryptui
   INCS=-I../mingwlib
   LUAFLAGS=-DLUA_COMPAT_ALL
-  OPT=-g -O1
+  OPT=-g -O0
   DRIVER=driver-mingw
 else ifeq ($(OS),linux)
   EXE=main
diff --git a/luprex/core/cpp/driver-common.cpp b/luprex/core/cpp/driver-common.cpp
index 5c888f41..602c816b 100644
--- a/luprex/core/cpp/driver-common.cpp
+++ b/luprex/core/cpp/driver-common.cpp
@@ -64,6 +64,8 @@ static std::string ssl_errors_string(bool lastonly = true)
   const char *file, *data, *func;
   int line, flags;
+  // ERR_print_errors_fp(stderr);
+  // exit(1);
   while (true) {
     unsigned long code = ERR_get_error_all(&file, &line, &func, &data, &flags);
diff --git a/luprex/core/cpp/driver-mingw.cpp b/luprex/core/cpp/driver-mingw.cpp
index 65a48c16..4526beed 100644
--- a/luprex/core/cpp/driver-mingw.cpp
+++ b/luprex/core/cpp/driver-mingw.cpp
@@ -184,6 +184,10 @@ static int socket_close(SOCKET socket) {
 }

 static int socket_poll(struct pollfd *pollvec, int pollcount, int mstimeout, std::string &err) {
+  if (pollcount == 0) {
+    if (mstimeout > 0) Sleep(mstimeout);
+    return 0;
+  }
   int status = WSAPoll(pollvec, pollcount, mstimeout);
   if (status < 0) {
     err = strerror_str(WSAGetLastError());
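Review bot: The only change in this hunk drops the mingw build from -O1 to -O0 (`OPT=-g -O0`), which has nothing to do with the commit's subject and reads like a debugging leftover. If it is intentional, a comment next to the line saying why the mingw build stays unoptimized would stop the next reader from reverting it; otherwise it should be dropped from this patch.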
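Review bot: The two added lines in ssl_errors_string are commented-out debug calls (`// ERR_print_errors_fp(stderr);` and `// exit(1);`) that document nothing and will drift with the surrounding code. Either drop them or keep the error dump behind a debug flag so it can be turned on without editing the file. ssl_errors_string's body continues outside the hunk.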
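Review bot: The new early return in socket_poll treats a negative mstimeout as "return immediately" when the poll set is empty (`if (mstimeout > 0) Sleep(mstimeout);`), whereas poll(2) with nfds == 0 and a negative timeout blocks indefinitely, which the non-Windows driver presumably inherits. A caller that polls with no descriptors and an infinite timeout would therefore spin on the Windows build. If that case can reach here, mapping mstimeout < 0 to `Sleep(INFINITE)` or documenting the immediate return on the function keeps the two drivers in step. socket_poll's body continues outside the hunk.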
@@ -235,6 +239,29 @@ static int console_read(char *bytes, int nbytes) {
   }
 }

+static void load_root_certs(SSL_CTX *ctx) {
+  HCERTSTORE hStore = CertOpenSystemStoreW(0, L"ROOT");
+  PCCERT_CONTEXT pContext = NULL;
+  X509 *x509;
+  X509_STORE *store = SSL_CTX_get_cert_store(ctx);
+
+  if (!hStore) {
+    fprintf(stderr, "Cannot open system certificate store.\n");
+    exit(1);
+  }
+
+  while ((pContext = CertEnumCertificatesInStore(hStore, pContext))) {
+    const unsigned char *encoded_cert = pContext->pbCertEncoded;
+    x509 = d2i_X509(NULL, &encoded_cert, pContext->cbCertEncoded);
+    if (x509) {
+      X509_STORE_add_cert(store, x509);
+      X509_free(x509);
+    }
+  }
+
+  CertCloseStore(hStore, 0);
+}
+
 static void ssl_ctx_use_dummycert(SSL_CTX *ctx);

 static SSL_CTX *new_ssl_server_context() {
@@ -250,6 +277,7 @@ static SSL_CTX *new_ssl_client_context(int verify) {
   SSL_CTX *ctx = SSL_CTX_new(TLS_method());
   SSL_CTX_set_mode(ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
   SSL_CTX_set_mode(ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
+  if (verify == SSL_VERIFY_PEER) load_root_certs(ctx);
   SSL_CTX_set_verify(ctx, verify, nullptr);
   return ctx;
 }
diff --git a/luprex/core/cpp/eng-tests.cpp b/luprex/core/cpp/eng-tests.cpp
index 62a38b94..f21186a7 100644
--- a/luprex/core/cpp/eng-tests.cpp
+++ b/luprex/core/cpp/eng-tests.cpp
@@ -35,8 +35,8 @@ class DriverWebServerTest : public DrivenEngine {
 public:
   eng::vector channels_;
   virtual void event_init(int argc, char *argv[]) {
-    SharedChannel ch = new_outgoing_channel("stanford.edu:80");
-    ch->out()->write_bytes("GET http://stanford.edu/index.html HTTP/1.1\n\n");
+    SharedChannel ch = new_outgoing_channel("cert:stanford.edu:443");
+    ch->out()->write_bytes("GET https://stanford.edu/xbanankjdsh.html HTTP/1.1\n\n");
     channels_.emplace_back(std::move(ch));
   }
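Review bot: X509_STORE_add_cert's return value is ignored in the enumeration loop of load_root_certs, and entries that fail d2i_X509 are skipped without a trace; on OpenSSL builds where adding a duplicate certificate fails, each failure leaves an entry on the thread's error queue that ssl_errors_string in driver-common.cpp will later report against an unrelated TLS call, so check the return or add `ERR_clear_error();` after the loop. The `exit(1)` when CertOpenSystemStoreW fails terminates the whole process from inside context setup; returning a failure to new_ssl_client_context would let the caller's existing error path report it instead. Nothing in this hunk sets the expected hostname on the verification parameters (SSL_set1_host or X509_VERIFY_PARAM_set1_host); if that is not done elsewhere, a certificate chaining to any root in the store would validate for any peer name, which is worth confirming before relying on the verify flag.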
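Review bot: The added line in new_ssl_client_context loads the root store only when `verify == SSL_VERIFY_PEER` holds exactly, so a caller passing combined flags such as `SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT` gets peer verification enabled against an empty trust store and every handshake fails. Testing the bit keeps that case working: `if (verify & SSL_VERIFY_PEER) load_root_certs(ctx);`. new_ssl_client_context's signature is outside the hunk.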
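Review bot: The test now makes a live TLS connection to an external host (`new_outgoing_channel("cert:stanford.edu:443")`), so it depends on outbound network access and on that host's current certificate chain validating against the local root store. A comment on event_init stating that this is a deliberate integration test of the Windows root-store path, and what response the unusual path `xbanankjdsh.html` is meant to produce (presumably a 404), would make a failure easier to triage. The DriverWebServerTest class continues outside the hunk.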