[RAPPS]

add support for SSL certificate pinning

svn path=/trunk/; revision=69401

reactos/base/applications/rapps/CMakeLists.txt

@@ -16,6 +16,7 @@ list(APPEND SOURCE
     winmain.c
     rapps.h)
 
+add_definitions(-DUSE_CERT_PINNING)
 file(GLOB_RECURSE rapps_rc_deps res/*.*)
 add_rc_deps(rapps.rc ${rapps_rc_deps})
 add_executable(rapps ${SOURCE} rapps.rc)

reactos/base/applications/rapps/lang/bg-BG.rc

@@ -201,4 +201,5 @@ BEGIN
     IDS_INFORMATION "Сведения"
     IDS_UNABLE_TO_DOWNLOAD "Unable to download the package! Address not found!"
     IDS_UNABLE_TO_REMOVE "Премахването на данните за приложението от регистъра е невъзможно!"
+    IDS_CERT_DOES_NOT_MATCH "SSL certificate verification failed."    
 END

reactos/base/applications/rapps/lang/cs-CZ.rc

@@ -202,4 +202,5 @@ BEGIN
     IDS_INFORMATION "Informace"
     IDS_UNABLE_TO_DOWNLOAD "Soubor se nepodařilo stáhnout! Adresa nenalezena!"
     IDS_UNABLE_TO_REMOVE "Nepodařilo se odstranit data programu z registru!"
+    IDS_CERT_DOES_NOT_MATCH "SSL certificate verification failed."
 END

reactos/base/applications/rapps/lang/de-DE.rc

@@ -197,4 +197,5 @@ BEGIN
     IDS_INFORMATION "Informationen"
     IDS_UNABLE_TO_DOWNLOAD "Unable to download the package! Address not found!"
     IDS_UNABLE_TO_REMOVE "Konnte die Daten nicht aus der Registry löschen!"
+    IDS_CERT_DOES_NOT_MATCH "SSL certificate verification failed."
 END

reactos/base/applications/rapps/lang/en-US.rc

@@ -197,4 +197,5 @@ BEGIN
     IDS_INFORMATION "Information"
     IDS_UNABLE_TO_DOWNLOAD "Unable to download the package! Address not found!"
     IDS_UNABLE_TO_REMOVE "Unable to remove data on the program from the registry!"
+    IDS_CERT_DOES_NOT_MATCH "SSL certificate verification failed."
 END

reactos/base/applications/rapps/lang/es-ES.rc

@@ -200,4 +200,5 @@ BEGIN
     IDS_INFORMATION "Información"
     IDS_UNABLE_TO_DOWNLOAD "No se pudo descargar el paquete. No se ha encontrado la dirección de Internet."
     IDS_UNABLE_TO_REMOVE "No se pudieron borrar del Registro los datos de instalación del programa."
+    IDS_CERT_DOES_NOT_MATCH "SSL certificate verification failed."    
 END

reactos/base/applications/rapps/lang/fr-FR.rc

@@ -197,4 +197,5 @@ BEGIN
     IDS_INFORMATION "Information"
     IDS_UNABLE_TO_DOWNLOAD "Unable to download the package! Address not found!"
     IDS_UNABLE_TO_REMOVE "Impossible de supprimer les données du programme du registre !"
+    IDS_CERT_DOES_NOT_MATCH "SSL certificate verification failed."    
 END

reactos/base/applications/rapps/lang/he-IL.rc

@@ -199,4 +199,5 @@ BEGIN
     IDS_INFORMATION "מידע"
     IDS_UNABLE_TO_DOWNLOAD "Unable to download the package! Address not found!"
     IDS_UNABLE_TO_REMOVE "Unable to remove data on the program from the registry!"
+    IDS_CERT_DOES_NOT_MATCH "SSL certificate verification failed."    
 END

reactos/base/applications/rapps/lang/it-IT.rc

@@ -197,4 +197,5 @@ BEGIN
     IDS_INFORMATION "Informazioni"
     IDS_UNABLE_TO_DOWNLOAD "Unable to download the package! Address not found!"
     IDS_UNABLE_TO_REMOVE "Impossibile cancellare i dati dal registry!"
+    IDS_CERT_DOES_NOT_MATCH "SSL certificate verification failed."    
 END

reactos/base/applications/rapps/lang/ja-JP.rc

@@ -197,4 +197,5 @@ BEGIN
     IDS_INFORMATION "情報"
     IDS_UNABLE_TO_DOWNLOAD "Unable to download the package! Address not found!"
     IDS_UNABLE_TO_REMOVE "レジストリからこのプログラムに関するデータを削除できません!"
+    IDS_CERT_DOES_NOT_MATCH "SSL certificate verification failed."    
 END

reactos/base/applications/rapps/lang/no-NO.rc

@@ -197,4 +197,5 @@ BEGIN
     IDS_INFORMATION "Information"
     IDS_UNABLE_TO_DOWNLOAD "Unable to download the package! Address not found!"
     IDS_UNABLE_TO_REMOVE "Unable to remove data on the program from the registry!"
+    IDS_CERT_DOES_NOT_MATCH "SSL certificate verification failed."    
 END

reactos/base/applications/rapps/lang/pl-PL.rc

@@ -205,4 +205,5 @@ BEGIN
     IDS_INFORMATION "Informacja"
     IDS_UNABLE_TO_DOWNLOAD "Nie można pobrać pakietu! Nie znaleziono adresu!"
     IDS_UNABLE_TO_REMOVE "Nie można było usunąć wpisu z rejestru!"
+    IDS_CERT_DOES_NOT_MATCH "SSL certificate verification failed."    
 END

reactos/base/applications/rapps/lang/pt-BR.rc

@@ -199,4 +199,5 @@ BEGIN
     IDS_INFORMATION "Informações"
     IDS_UNABLE_TO_DOWNLOAD "Unable to download the package! Address not found!"
     IDS_UNABLE_TO_REMOVE "Não foi possível remover as informações do programa do registro!"
+    IDS_CERT_DOES_NOT_MATCH "SSL certificate verification failed."    
 END

reactos/base/applications/rapps/lang/ro-RO.rc

@@ -203,4 +203,5 @@ BEGIN
     IDS_INFORMATION "Informație"
     IDS_UNABLE_TO_DOWNLOAD "Pachetul nu poate fi descărcat! Adresa nu este găsită!"
     IDS_UNABLE_TO_REMOVE "Nu se pot elimina datele din registru pentru acest program!"
+    IDS_CERT_DOES_NOT_MATCH "SSL certificate verification failed."    
 END

reactos/base/applications/rapps/lang/ru-RU.rc

@@ -197,4 +197,5 @@ BEGIN
     IDS_INFORMATION "Информация"
     IDS_UNABLE_TO_DOWNLOAD "Unable to download the package! Address not found!"
     IDS_UNABLE_TO_REMOVE "Не удалось удалить данные о программе из реестра!"
+    IDS_CERT_DOES_NOT_MATCH "SSL certificate verification failed."    
 END

reactos/base/applications/rapps/lang/sk-SK.rc

@@ -202,4 +202,5 @@ BEGIN
     IDS_INFORMATION "Informácie"
     IDS_UNABLE_TO_DOWNLOAD "Unable to download the package! Address not found!"
     IDS_UNABLE_TO_REMOVE "Nie je možné odstrániť z registrov údaje o programe!"
+    IDS_CERT_DOES_NOT_MATCH "SSL certificate verification failed."    
 END

reactos/base/applications/rapps/lang/sq-AL.rc

@@ -201,4 +201,5 @@ BEGIN
     IDS_INFORMATION "Informacione"
     IDS_UNABLE_TO_DOWNLOAD "Unable to download the package! Address not found!"
     IDS_UNABLE_TO_REMOVE "E pamundur te fshihen informacionet e programit nga regjistri!"
+    IDS_CERT_DOES_NOT_MATCH "SSL certificate verification failed."    
 END

reactos/base/applications/rapps/lang/sv-SE.rc

@@ -204,4 +204,5 @@ BEGIN
     IDS_INFORMATION "Information"
     IDS_UNABLE_TO_DOWNLOAD "Unable to download the package! Address not found!"
     IDS_UNABLE_TO_REMOVE "Det gick ej att ta bort programmets data från registret!"
+    IDS_CERT_DOES_NOT_MATCH "SSL certificate verification failed."    
 END

reactos/base/applications/rapps/lang/tr-TR.rc

@@ -199,4 +199,5 @@ BEGIN
     IDS_INFORMATION "Bilgi"
     IDS_UNABLE_TO_DOWNLOAD "Paket indirilemez! Adres bulunamadı!"
     IDS_UNABLE_TO_REMOVE "İzlencenin girişi değer defterinden silinemiyor."
+    IDS_CERT_DOES_NOT_MATCH "SSL certificate verification failed."    
 END

reactos/base/applications/rapps/lang/uk-UA.rc

@@ -205,4 +205,5 @@ BEGIN
     IDS_INFORMATION "Інформація"
     IDS_UNABLE_TO_DOWNLOAD "Unable to download the package! Address not found!"
     IDS_UNABLE_TO_REMOVE "Не вдалося видалити дані про програму з реєстру!"
+    IDS_CERT_DOES_NOT_MATCH "SSL certificate verification failed."    
 END

reactos/base/applications/rapps/lang/zh-CN.rc

@@ -200,4 +200,5 @@ BEGIN
     IDS_INFORMATION "信息"
     IDS_UNABLE_TO_DOWNLOAD "无法下载该软件包 ！找不到网络的地址 ！"
     IDS_UNABLE_TO_REMOVE "无法从注册表删除该程序的数据！"
+    IDS_CERT_DOES_NOT_MATCH "SSL certificate verification failed."    
 END

reactos/base/applications/rapps/lang/zh-TW.rc

@@ -199,4 +199,5 @@ BEGIN
     IDS_INFORMATION "資訊"
     IDS_UNABLE_TO_DOWNLOAD "Unable to download the package! Address not found!"
     IDS_UNABLE_TO_REMOVE "無法從登錄檔刪除該程式的資料！"
+    IDS_CERT_DOES_NOT_MATCH "SSL certificate verification failed."    
 END

reactos/base/applications/rapps/loaddlg.c

@@ -201,6 +201,58 @@ CreateDl(HWND Dlg, BOOL *pbCancelled)
     return (IBindStatusCallback*) This;
 }
 
+#ifdef USE_CERT_PINNING
+static BOOL CertIsValid(HINTERNET hInternet, LPWSTR lpszHostName)
+{
+    HINTERNET hConnect;
+    HINTERNET hRequest;
+    DWORD certInfoLength;
+    BOOL Ret = FALSE;
+    INTERNET_CERTIFICATE_INFOW certInfo;
+
+    hConnect = InternetConnectW(hInternet, lpszHostName, INTERNET_DEFAULT_HTTPS_PORT, NULL, NULL, INTERNET_SERVICE_HTTP, INTERNET_FLAG_SECURE, 0); 
+    if (hConnect)
+    {
+        hRequest = HttpOpenRequestW(hConnect, L"HEAD", NULL, NULL, NULL, NULL, INTERNET_FLAG_SECURE, 0);
+        if (hRequest != NULL)
+        {  
+            Ret = HttpSendRequestW(hRequest, L"", 0, NULL, 0);
+            if (Ret) 
+            { 
+                certInfoLength = sizeof(INTERNET_CERTIFICATE_INFOW);
+                Ret = InternetQueryOptionW(hRequest,
+                                           INTERNET_OPTION_SECURITY_CERTIFICATE_STRUCT,
+                                           &certInfo,
+                                           &certInfoLength);
+                if (Ret)
+                {
+                    if (certInfo.lpszEncryptionAlgName) 
+                        LocalFree(certInfo.lpszEncryptionAlgName);
+                    if (certInfo.lpszIssuerInfo)
+                    {
+                        if (strcmp((LPSTR)certInfo.lpszIssuerInfo, CERT_ISSUER_INFO) != 0)
+                            Ret = FALSE;
+                        LocalFree(certInfo.lpszIssuerInfo);
+                    }
+                    if (certInfo.lpszProtocolName) 
+                        LocalFree(certInfo.lpszProtocolName);
+                    if (certInfo.lpszSignatureAlgName) 
+                        LocalFree(certInfo.lpszSignatureAlgName);
+                    if (certInfo.lpszSubjectInfo) 
+                    {
+                        if (strcmp((LPSTR)certInfo.lpszSubjectInfo, CERT_SUBJECT_INFO) != 0)
+                            Ret = FALSE;
+                        LocalFree(certInfo.lpszSubjectInfo);
+                    }
+                }
+            }
+            InternetCloseHandle(hRequest);
+        }
+    }
+    return Ret;
+}
+#endif
+
 static
 DWORD WINAPI
 ThreadFunc(LPVOID Context)
@@ -307,6 +359,8 @@ ThreadFunc(LPVOID Context)
     
     urlComponents.dwSchemeLength = urlLength*sizeof(WCHAR);
     urlComponents.lpszScheme = malloc(urlComponents.dwSchemeLength);
+    urlComponents.dwHostNameLength = urlLength*sizeof(WCHAR);
+    urlComponents.lpszHostName = malloc(urlComponents.dwHostNameLength);
     
     if(!InternetCrackUrlW(AppInfo->szUrlDownload, urlLength+1, ICU_DECODE | ICU_ESCAPE, &urlComponents))
         goto end;
@@ -317,7 +371,21 @@ ThreadFunc(LPVOID Context)
     if(urlComponents.nScheme == INTERNET_SCHEME_FTP)
         dwContentLen = FtpGetFileSize(hFile, &dwStatus);
 
+#ifdef USE_CERT_PINNING
+    if ((urlComponents.nScheme == INTERNET_SCHEME_HTTPS) && (!CertIsValid(hOpen, urlComponents.lpszHostName)))
+    {
+        WCHAR szMsgText[MAX_STR_LEN];
+
+        if (!LoadStringW(hInst, IDS_CERT_DOES_NOT_MATCH, szMsgText, sizeof(szMsgText) / sizeof(WCHAR)))
+            goto end;
+
+        MessageBoxW(hMainWnd, szMsgText, NULL, MB_OK | MB_ICONERROR);
+        goto end;
+    }
+#endif
+
     free(urlComponents.lpszScheme);
+    free(urlComponents.lpszHostName);
 
     hOut = CreateFileW(path, GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, CREATE_ALWAYS, 0, NULL);
 

reactos/base/applications/rapps/rapps.h

@@ -26,6 +26,11 @@
 
 #include "resource.h"
 
+#ifdef USE_CERT_PINNING
+  #define CERT_ISSUER_INFO "BE\r\nGlobalSign nv-sa\r\nGlobalSign Domain Validation CA - SHA256 - G2"
+  #define CERT_SUBJECT_INFO "Domain Control Validated\r\n*.reactos.org"
+#endif
+
 #define APPLICATION_DATABASE_URL L"https://svn.reactos.org/packages/rappmgr.cab"
 
 #define SPLIT_WIDTH 4

reactos/base/applications/rapps/resource.h

@@ -96,6 +96,7 @@
 #define IDS_INFORMATION          117
 #define IDS_UNABLE_TO_REMOVE     118
 #define IDS_UNABLE_TO_DOWNLOAD   119
+#define IDS_CERT_DOES_NOT_MATCH  120
 
 /* Tooltips */
 #define IDS_TOOLTIP_INSTALL      200