authorIhor Karpenko <ihor.karpenko@gmail.com>2018-08-23 14:18:17 +0300
committerDaniel Stenberg <daniel@haxx.se>2018-08-24 09:03:28 +0200
commit6b6c2b8d57a69a256f7a727784876d8cc37aa669 (patch)
tree39db8395d778abc99f63aea437432d31d7e709c6
parent8f3c3cd08a5b252002a4abfb19780850fc51040e (diff)
downloadcurl-6b6c2b8d57a69a256f7a727784876d8cc37aa669.tar.gz
schannel: client certificate store opening fix
1) Using CERT_STORE_OPEN_EXISTING_FLAG (or CERT_STORE_READONLY_FLAG) when opening the certificate store is sufficient in this scenario and less demanding in terms of the required user credentials (for example, IIS_IUSRS gets an "Access Denied" 0x05 error from the existing CertOpenStore call without any of the flags mentioned above); 2) as 'cert_store_name' is a DWORD, attempting to format its value as a string (in the "Failed to open cert store" error message) will throw a null pointer exception; 3) adding GetLastError(), in my opinion, will make the error message more useful. Bug: https://curl.haxx.se/mail/lib-2018-08/0198.html Closes #2909
-rw-r--r--lib/vtls/schannel.c13
1 files changed, 8 insertions, 5 deletions
diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c
index ebd1c1c04..8f6c301d1 100644
--- a/lib/vtls/schannel.c
+++ b/lib/vtls/schannel.c
@@ -602,12 +602,15 @@ schannel_connect_step1(struct connectdata *conn, int sockindex)
return result;
}
- cert_store = CertOpenStore(CURL_CERT_STORE_PROV_SYSTEM, 0,
- (HCRYPTPROV)NULL,
- cert_store_name, cert_store_path);
+ cert_store =
+ CertOpenStore(CURL_CERT_STORE_PROV_SYSTEM, 0,
+ (HCRYPTPROV)NULL,
+ CERT_STORE_OPEN_EXISTING_FLAG | cert_store_name,
+ cert_store_path);
if(!cert_store) {
- failf(data, "schannel: Failed to open cert store %s %s",
- cert_store_name, cert_store_path);
+ failf(data, "schannel: Failed to open cert store %x %s, "
+ "last error is %x",
+ cert_store_name, cert_store_path, GetLastError());
Curl_unicodefree(cert_path);
return CURLE_SSL_CONNECT_ERROR;
}
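Review bot: The new failf format uses `%x` for cert_store_name and GetLastError(), both of which are DWORD (unsigned long on Windows); the strictly matching specifier is `%lx`, e.g. `"schannel: Failed to open cert store 0x%lx %s, last error is 0x%lx"`, and the `0x` prefix makes it unambiguous in logs that the values are hex. Since the store appears to be opened only to look up the client certificate, ORing in `CERT_STORE_READONLY_FLAG` next to CERT_STORE_OPEN_EXISTING_FLAG — which the commit message itself names as an alternative — would document that intent and avoid requesting write access the code does not need, i.e. `CERT_STORE_OPEN_EXISTING_FLAG | CERT_STORE_READONLY_FLAG | cert_store_name,`; confirm that nothing later in the function modifies the store before adding it. schannel_connect_step1 begins before and continues after this hunk.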