schannel: disable manual verify if APIs not available
authorJay Satiro <raysatiro@yahoo.com>
Wed, 16 May 2018 06:02:29 +0000 (02:02 -0400)
committerJay Satiro <raysatiro@yahoo.com>
Wed, 16 May 2018 06:21:05 +0000 (02:21 -0400)
.. because original MinGW and old compilers do not have the Windows API
definitions needed to support manual verification.

lib/vtls/schannel.c
lib/vtls/schannel.h
lib/vtls/schannel_verify.c

index 9a20b8eff0305f1c36d16818ed3db38d0d48306b..e00bde2ca88a117ab09f9f590f2a5fcb9d7cdb03 100644 (file)
@@ -307,10 +307,15 @@ schannel_connect_step1(struct connectdata *conn, int sockindex)
 #endif
 
 #ifdef _WIN32_WCE
+#ifdef HAS_MANUAL_VERIFY_API
   /* certificate validation on CE doesn't seem to work right; we'll
    * do it following a more manual process. */
   BACKEND->use_manual_cred_validation = true;
 #else
+#error "compiler too old to support requisite manual cert verify for Win CE"
+#endif
+#else
+#ifdef HAS_MANUAL_VERIFY_API
   if(SSL_CONN_CONFIG(CAfile)) {
     if(Curl_verify_windows_version(6, 1, PLATFORM_WINNT,
                                    VERSION_GREATER_THAN_EQUAL)) {
@@ -324,6 +329,12 @@ schannel_connect_step1(struct connectdata *conn, int sockindex)
   }
   else
     BACKEND->use_manual_cred_validation = false;
+#else
+  if(SSL_CONN_CONFIG(CAfile)) {
+    failf(data, "schannel: CA cert support not built in");
+    return CURLE_NOT_BUILT_IN;
+  }
+#endif
 #endif
 
   BACKEND->cred = NULL;
@@ -349,9 +360,11 @@ schannel_connect_step1(struct connectdata *conn, int sockindex)
     schannel_cred.dwVersion = SCHANNEL_CRED_VERSION;
 
     if(conn->ssl_config.verifypeer) {
+#ifdef HAS_MANUAL_VERIFY_API
       if(BACKEND->use_manual_cred_validation)
         schannel_cred.dwFlags = SCH_CRED_MANUAL_CRED_VALIDATION;
       else
+#endif
         schannel_cred.dwFlags = SCH_CRED_AUTO_CRED_VALIDATION;
 
       /* TODO s/data->set.ssl.no_revoke/SSL_SET_OPTION(no_revoke)/g */
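Review bot: The `else` immediately before the new `#endif` has its body outside the `#ifdef HAS_MANUAL_VERIFY_API` block, so the AUTO assignment is the else-branch in one configuration and a bare statement in the other; any later edit that inserts a line between `#endif` and that assignment silently breaks one of the two builds. Writing each preprocessor arm as a complete statement avoids this: keep the if/else pair with both assignments inside the `#ifdef`, and put a lone `schannel_cred.dwFlags = SCH_CRED_AUTO_CRED_VALIDATION;` in an `#else` arm. That costs one duplicated line and removes the dangling-else hazard. The enclosing function continues outside the hunk.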
@@ -892,9 +905,11 @@ schannel_connect_step2(struct connectdata *conn, int sockindex)
     }
   }
 
+#ifdef HAS_MANUAL_VERIFY_API
   if(conn->ssl_config.verifypeer && BACKEND->use_manual_cred_validation) {
     return verify_certificate(conn, sockindex);
   }
+#endif
 
   return CURLE_OK;
 }
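Review bot: With HAS_MANUAL_VERIFY_API undefined, this hunk leaves step2 with no certificate check of its own, which is only safe because step1 both selects SCH_CRED_AUTO_CRED_VALIDATION and rejects a CAfile; that dependency is invisible here. A comment on the new `#ifdef` would make it explicit: `/* Without the manual-verify API, step1 refused any CAfile and asked Schannel for automatic validation, so there is nothing left to verify here. */`. schannel_connect_step2 begins outside the hunk.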
index 4476900270dfc87a191cd653e7760f0515796363..aa44e8e89b424a23454b8513a04945ad629c96be 100644 (file)
@@ -38,6 +38,19 @@ CURLcode verify_certificate(struct connectdata *conn, int sockindex);
 
 /* structs to expose only in schannel.c and schannel_verify.c */
 #ifdef EXPOSE_SCHANNEL_INTERNAL_STRUCTS
+
+#ifdef __MINGW32__
+#include <_mingw.h>
+#ifdef __MINGW64_VERSION_MAJOR
+#define HAS_MANUAL_VERIFY_API
+#endif
+#else
+#include <wincrypt.h>
+#ifdef CERT_CHAIN_REVOCATION_CHECK_CHAIN
+#define HAS_MANUAL_VERIFY_API
+#endif
+#endif
+
 struct curl_schannel_cred {
   CredHandle cred_handle;
   TimeStamp time_stamp;
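Review bot: The probe at the top of this hunk decides whether manual verification is compiled in, but neither branch says what is being detected, so a reader cannot tell why `CERT_CHAIN_REVOCATION_CHECK_CHAIN` in particular, or mingw-w64's `__MINGW64_VERSION_MAJOR`, is the tell. A comment above `#ifdef __MINGW32__` should state the intent: that `CERT_CHAIN_REVOCATION_CHECK_CHAIN` is used as a marker that `<wincrypt.h>` declares the chain-building API schannel_verify.c needs, that original MinGW's headers lack it, and that mingw-w64 (identified by `__MINGW64_VERSION_MAJOR` from `_mingw.h`) has it. Because `HAS_MANUAL_VERIFY_API` also changes `struct ssl_backend_data` in this header, the comment should warn that every translation unit defining `EXPOSE_SCHANNEL_INTERNAL_STRUCTS` must see the same headers (and any version macros that gate their contents), or the objects will disagree on the struct layout.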
@@ -66,7 +79,9 @@ struct ssl_backend_data {
   bool recv_sspi_close_notify; /* true if connection closed by close_notify */
   bool recv_connection_closed; /* true if connection closed, regardless how */
   bool use_alpn; /* true if ALPN is used for this connection */
+#ifdef HAS_MANUAL_VERIFY_API
   bool use_manual_cred_validation; /* true if manual cred validation is used */
+#endif
 };
 #endif /* EXPOSE_SCHANNEL_INTERNAL_STRUCTS */
 
index db187dd6bfdb8bcaf7c05ed0ebbf4e90dbcdf737..552b1afe9fc697dcacdf5b8950810846f8cbb74c 100644 (file)
 
 #include "curl_setup.h"
 
-#ifdef USE_SCHANNEL
-
-#define EXPOSE_SCHANNEL_INTERNAL_STRUCTS
-
 #ifndef USE_WINDOWS_SSPI
 #  error "Can't compile SCHANNEL support without SSPI."
 #endif
 
+#ifdef USE_SCHANNEL
+
+#define EXPOSE_SCHANNEL_INTERNAL_STRUCTS
 #include "schannel.h"
+
+#ifdef HAS_MANUAL_VERIFY_API
+
 #include "vtls.h"
 #include "sendf.h"
 #include "strerror.h"
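Review bot: Moving `#ifdef USE_SCHANNEL` below the `#ifndef USE_WINDOWS_SSPI` check makes the `#error` fire in every build that does not define USE_WINDOWS_SSPI, including non-Windows builds where USE_SCHANNEL is off and this file previously compiled to nothing, because the check used to sit inside the USE_SCHANNEL guard. The SSPI check should stay inside the guard: put `#ifdef USE_SCHANNEL` and `#define EXPOSE_SCHANNEL_INTERNAL_STRUCTS` back above `#ifndef USE_WINDOWS_SSPI`, and keep the new `#include "schannel.h"` and `#ifdef HAS_MANUAL_VERIFY_API` after its `#endif`. This assumes schannel_verify.c is compiled into the library unconditionally, as the old layout implies; the hunk's `@@` header is not visible, so the exact context above its first line is uncertain.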
@@ -548,4 +550,5 @@ CURLcode verify_certificate(struct connectdata *conn, int sockindex)
   return result;
 }
 
+#endif /* HAS_MANUAL_VERIFY_API */
 #endif /* USE_SCHANNEL */