On Tue, 2009-09-08 at 16:33 -0700, Juan Lang wrote:
> Hi Frank,
>
> On Tue, Sep 8, 2009 at 4:15 PM, Frank Gruman<fgatw...@verizon.net> wrote:
> > Looking at chain.c, lines 1886-1902 I can see the switch-case statement
> > where this would have been handled. The problem I ran into while trying
> > to keep up with the code was figuring out what the verify_* methods are
> > trying to do.
> >
> > I'd really like to see this work and may have some spare cycles to help
> > out. The problem is that I don't understand everything happening in
> > these methods - can I get some pointers to what is happening or what
> > should happen in the yet to be created verify_ssl_policy() method?
>
> The short answer is, if you don't care about the validity of the
> certificates you're trying to connect to, you can hack this function
> to return TRUE rather than FALSE. This is an awful hack, however, and
> can't be accepted into the Wine tree, but if all you care about is to
> get the darn thing to work, it might be enough for you.
>
> The longer answer is the generic Wine answer: what should happen is
> whatever Windows does. To find out what Windows does, you need to
> write tests for it. Have a look at dlls/crypt32/tests/chain.c for a
> start. You'll want to mimic the existing tests, and try with
> different SSL_EXTRA_CERT_CHAIN_POLICY_PARA values.
>
> Since that's not very specific, here's a slightly more directed
> answer: the as-yet-unwritten verify_ssl_policy() should call
> verify_base_policy() first. If it succeeds, it should verify that the
> certificate matches the intended use. At a minimum, if the
> SSL_EXTRA_CERT_CHAIN_POLICY_PARA is specified, you need to verify that
> its pwszServerName matches the subject name in the certificate. Be
> careful not to introduce the embedded NULL character vulnerability
> (see e.g. CVE-2009-2417.) There are probably more checks needed,
> either in verify_base_policy or in verify_ssl_policy, e.g. checking
> the key usage extension. RFC3280 is a good guide for the kinds of
> checks that need to be done.
>
> Intimidated yet? That's why I haven't gotten around to it myself:
> it's not a quick fix, and I haven't had a lot of free time. But if
> you have the time to do it right, by all means have a go!
> --Juan
Only slightly daunted. But I will give it a go. It won't be overnight, but I think I can, I think I can, I think I can... Thanks for the pointers on where to look and start.

Regards,
Frank
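The server-name check Juan describes, and the embedded-NUL pitfall he warns about, as an added illustration that is not Wine's code and not part of this thread: the CN is taken as a byte range with the length decoded from the certificate (the way an ASN.1 decoder would hand it over), and the flawed strcmp-based form is shown beside the hardened one. The function names and the sample CN are constructed for the example.

```c
#include <stddef.h>
#include <string.h>
#include <ctype.h>

/* Case-insensitive comparison of two byte ranges of equal length n. */
static int equal_nocase(const char *a, const char *b, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Flawed check: treats the decoded CN as a C string, so everything after an
 * embedded NUL is silently ignored and the remainder is never compared
 * (the CVE-2009-2417 class of bug). Returns 1 on a (false) match. */
int naive_strcmp_match(const char *cn, const char *server)
{
    return strcmp(cn, server) == 0;
}

/* Hardened check: cn_len is the length decoded from the certificate's
 * ASN.1 string, not strlen(cn). A NUL anywhere inside that range is a hard
 * failure, and the comparison must cover the whole declared length.
 * Returns 1 if the CN matches the expected server name, 0 otherwise. */
int cn_matches_server_name(const char *cn, size_t cn_len, const char *server)
{
    size_t server_len = strlen(server);

    if (memchr(cn, '\0', cn_len) != NULL)   /* embedded NUL: reject outright */
        return 0;
    if (cn_len != server_len)               /* lengths must agree exactly */
        return 0;
    return equal_nocase(cn, server, cn_len);
}

/* Constructed sample: a CN whose declared length (30 bytes) runs past an
 * embedded NUL. strlen() would report only the first 15 bytes. */
static const char sample_cn[] = "www.example.com\0.attacker.test";
#define SAMPLE_CN_LEN (sizeof(sample_cn) - 1)
```

The hardened function only covers the exact-match case; wildcard labels and subjectAltName handling would sit on top of it.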