[eval] Fix ssl cert verification failures on clean windows environments #11838

Merged

Commits on Nov 25, 2024

  1. febae0a
  2. 5d61189
  3. Fix msvc warnings about invalid arguments

    Warning	C6387	'parameters' could be '0':  this does not adhere to the specification for the function 'CertGetCertificateChain'.
    
    Warning	C6387	'policy_parameters' could be '0':  this does not adhere to the specification for the function 'CertVerifyCertificateChainPolicy'.
    
    This also fixes an "incorrect parameter" runtime error.
    tobil4sk committed Nov 25, 2024
    9281c6a
  4. 1a293cf
  5. Perform checks for all calls of verify_callback

    We need to do this every time, because if any callback call returns a
    non zero flags then the entire verification fails, see:
    https://github.com/Mbed-TLS/mbedtls/blob/3aefa5b705846c5d4466ae8747160ae9e5054ea8/library/x509_crt.c#L3031
    
    We don't need to loop through the chain, since mbedtls already loops
    through and calls the callback on every certificate in the chain.
    tobil4sk committed Nov 25, 2024
    d8ad7da
  6. 13f2061
  7. Replace existing certificates if they exist

    This avoids duplicate certificates in the store
    tobil4sk committed Nov 25, 2024
    cb339c9
  8. Propagate CN_MISMATCH ssl cert error

    The windows api functions won't check this automatically for us without
    further modifications, so it's easiest to just respect mbedtls'
    judgement and propagate this error.
    tobil4sk committed Nov 25, 2024
    e94350e
  9. 5eeaab9
  10. 6b84ade
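
The flag-merging behaviour described in commits 5 and 8, as an added example that is not code from this pull request: a self-contained C model that links neither mbedtls nor the Windows API. The `os_trusted` field, the two callbacks and the sample chains are constructed assumptions; the real callback would ask the platform certificate store instead.

```c
#include <stddef.h>
#include <stdint.h>

/* Flag bits named after mbedtls' MBEDTLS_X509_BADCERT_* (values from x509_crt.h). */
#define BADCERT_CN_MISMATCH 0x04u
#define BADCERT_NOT_TRUSTED 0x08u

/* Constructed chain entry: flags raised before the callback runs, and whether a
 * hypothetical OS trust-store check (stand-in for the Windows API) accepts it. */
struct cert { uint32_t flags; int os_trusted; };
typedef int (*vrfy_cb)(const struct cert *crt, int depth, uint32_t *flags);

/* Model of the merge step: one callback call per certificate, remaining flags
 * are OR-ed together, and any non-zero result fails the verification. */
uint32_t merge_flags(const struct cert *chain, size_t n, vrfy_cb cb) {
    uint32_t all = 0;
    for (size_t i = n; i-- > 0;) {      /* top of chain first, leaf (depth 0) last */
        uint32_t cur = chain[i].flags;
        if (cb(&chain[i], (int)i, &cur) != 0) return UINT32_MAX;
        all |= cur;
    }
    return all;
}

/* Checks only the leaf: a flag raised higher in the chain survives. */
int cb_leaf_only(const struct cert *crt, int depth, uint32_t *flags) {
    if (depth == 0 && crt->os_trusted) *flags &= ~BADCERT_NOT_TRUSTED;
    return 0;
}

/* Checks on every call; clears only NOT_TRUSTED so CN_MISMATCH propagates. */
int cb_every_call(const struct cert *crt, int depth, uint32_t *flags) {
    (void)depth;
    if (crt->os_trusted) *flags &= ~BADCERT_NOT_TRUSTED;
    return 0;
}

/* Constructed chains: no CA bundle loaded, so the top certificate is NOT_TRUSTED. */
const struct cert good_chain[] = { {0, 1}, {BADCERT_NOT_TRUSTED, 1} };
const struct cert wrong_host[] = { {BADCERT_CN_MISMATCH, 1}, {BADCERT_NOT_TRUSTED, 1} };

int main(void) {
    int ok = merge_flags(good_chain, 2, cb_leaf_only) == BADCERT_NOT_TRUSTED
          && merge_flags(good_chain, 2, cb_every_call) == 0
          && merge_flags(wrong_host, 2, cb_every_call) == BADCERT_CN_MISMATCH;
    return ok ? 0 : 1;
}
```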