From 58125df4b504a0b99e30596b2277c0f8c01155e4 Mon Sep 17 00:00:00 2001 From: Christoph von Wittich Date: Mon, 28 Sep 2015 14:09:09 +0000 Subject: [PATCH] [RAPPS] add support for SSL certificate pinning svn path=/trunk/; revision=69401 --- .../base/applications/rapps/CMakeLists.txt | 1 + reactos/base/applications/rapps/lang/bg-BG.rc | 1 + reactos/base/applications/rapps/lang/cs-CZ.rc | 1 + reactos/base/applications/rapps/lang/de-DE.rc | 1 + reactos/base/applications/rapps/lang/en-US.rc | 1 + reactos/base/applications/rapps/lang/es-ES.rc | 1 + reactos/base/applications/rapps/lang/fr-FR.rc | 1 + reactos/base/applications/rapps/lang/he-IL.rc | 1 + reactos/base/applications/rapps/lang/it-IT.rc | 1 + reactos/base/applications/rapps/lang/ja-JP.rc | 1 + reactos/base/applications/rapps/lang/no-NO.rc | 1 + reactos/base/applications/rapps/lang/pl-PL.rc | 1 + reactos/base/applications/rapps/lang/pt-BR.rc | 1 + reactos/base/applications/rapps/lang/ro-RO.rc | 1 + reactos/base/applications/rapps/lang/ru-RU.rc | 1 + reactos/base/applications/rapps/lang/sk-SK.rc | 1 + reactos/base/applications/rapps/lang/sq-AL.rc | 1 + reactos/base/applications/rapps/lang/sv-SE.rc | 1 + reactos/base/applications/rapps/lang/tr-TR.rc | 1 + reactos/base/applications/rapps/lang/uk-UA.rc | 1 + reactos/base/applications/rapps/lang/zh-CN.rc | 1 + reactos/base/applications/rapps/lang/zh-TW.rc | 1 + reactos/base/applications/rapps/loaddlg.c | 68 +++++++++++++++++++ reactos/base/applications/rapps/rapps.h | 5 ++ reactos/base/applications/rapps/resource.h | 1 + 25 files changed, 96 insertions(+) diff --git a/reactos/base/applications/rapps/CMakeLists.txt b/reactos/base/applications/rapps/CMakeLists.txt index 4b00ada21ee..9eadaeb24b7 100644 --- a/reactos/base/applications/rapps/CMakeLists.txt +++ b/reactos/base/applications/rapps/CMakeLists.txt @@ -16,6 +16,7 @@ list(APPEND SOURCE winmain.c rapps.h) +add_definitions(-DUSE_CERT_PINNING) file(GLOB_RECURSE rapps_rc_deps res/*.*) add_rc_deps(rapps.rc ${rapps_rc_deps}) add_executable(rapps ${SOURCE} rapps.rc) diff --git a/reactos/base/applications/rapps/lang/bg-BG.rc b/reactos/base/applications/rapps/lang/bg-BG.rc index 7a6f50791df..89054e3bdc2 100644 --- a/reactos/base/applications/rapps/lang/bg-BG.rc +++ b/reactos/base/applications/rapps/lang/bg-BG.rc @@ -201,4 +201,5 @@ BEGIN IDS_INFORMATION "Сведения" IDS_UNABLE_TO_DOWNLOAD "Unable to download the package! Address not found!" IDS_UNABLE_TO_REMOVE "Премахването на данните за приложението от регистъра е невъзможно!" + IDS_CERT_DOES_NOT_MATCH "SSL certificate verification failed." END diff --git a/reactos/base/applications/rapps/lang/cs-CZ.rc b/reactos/base/applications/rapps/lang/cs-CZ.rc index c9861c8a4b7..5d58e158013 100644 --- a/reactos/base/applications/rapps/lang/cs-CZ.rc +++ b/reactos/base/applications/rapps/lang/cs-CZ.rc @@ -202,4 +202,5 @@ BEGIN IDS_INFORMATION "Informace" IDS_UNABLE_TO_DOWNLOAD "Soubor se nepodařilo stáhnout! Adresa nenalezena!" IDS_UNABLE_TO_REMOVE "Nepodařilo se odstranit data programu z registru!" + IDS_CERT_DOES_NOT_MATCH "SSL certificate verification failed." END diff --git a/reactos/base/applications/rapps/lang/de-DE.rc b/reactos/base/applications/rapps/lang/de-DE.rc index 936f7147c2f..dd294749663 100644 --- a/reactos/base/applications/rapps/lang/de-DE.rc +++ b/reactos/base/applications/rapps/lang/de-DE.rc @@ -197,4 +197,5 @@ BEGIN IDS_INFORMATION "Informationen" IDS_UNABLE_TO_DOWNLOAD "Unable to download the package! Address not found!" IDS_UNABLE_TO_REMOVE "Konnte die Daten nicht aus der Registry löschen!" + IDS_CERT_DOES_NOT_MATCH "SSL certificate verification failed." END diff --git a/reactos/base/applications/rapps/lang/en-US.rc b/reactos/base/applications/rapps/lang/en-US.rc index 4ccc42f5212..8964f06a9f9 100644 --- a/reactos/base/applications/rapps/lang/en-US.rc +++ b/reactos/base/applications/rapps/lang/en-US.rc @@ -197,4 +197,5 @@ BEGIN IDS_INFORMATION "Information" IDS_UNABLE_TO_DOWNLOAD "Unable to download the package! Address not found!" IDS_UNABLE_TO_REMOVE "Unable to remove data on the program from the registry!" + IDS_CERT_DOES_NOT_MATCH "SSL certificate verification failed." END diff --git a/reactos/base/applications/rapps/lang/es-ES.rc b/reactos/base/applications/rapps/lang/es-ES.rc index 7791062a79e..50f9b5126c4 100644 --- a/reactos/base/applications/rapps/lang/es-ES.rc +++ b/reactos/base/applications/rapps/lang/es-ES.rc @@ -200,4 +200,5 @@ BEGIN IDS_INFORMATION "Información" IDS_UNABLE_TO_DOWNLOAD "No se pudo descargar el paquete. No se ha encontrado la dirección de Internet." IDS_UNABLE_TO_REMOVE "No se pudieron borrar del Registro los datos de instalación del programa." + IDS_CERT_DOES_NOT_MATCH "SSL certificate verification failed." END diff --git a/reactos/base/applications/rapps/lang/fr-FR.rc b/reactos/base/applications/rapps/lang/fr-FR.rc index e1d1bccfab3..04a15ded49d 100644 --- a/reactos/base/applications/rapps/lang/fr-FR.rc +++ b/reactos/base/applications/rapps/lang/fr-FR.rc @@ -197,4 +197,5 @@ BEGIN IDS_INFORMATION "Information" IDS_UNABLE_TO_DOWNLOAD "Unable to download the package! Address not found!" IDS_UNABLE_TO_REMOVE "Impossible de supprimer les données du programme du registre !" + IDS_CERT_DOES_NOT_MATCH "SSL certificate verification failed." END diff --git a/reactos/base/applications/rapps/lang/he-IL.rc b/reactos/base/applications/rapps/lang/he-IL.rc index bc5b194816b..4800181b210 100644 --- a/reactos/base/applications/rapps/lang/he-IL.rc +++ b/reactos/base/applications/rapps/lang/he-IL.rc @@ -199,4 +199,5 @@ BEGIN IDS_INFORMATION "מידע" IDS_UNABLE_TO_DOWNLOAD "Unable to download the package! Address not found!" IDS_UNABLE_TO_REMOVE "Unable to remove data on the program from the registry!" + IDS_CERT_DOES_NOT_MATCH "SSL certificate verification failed." END diff --git a/reactos/base/applications/rapps/lang/it-IT.rc b/reactos/base/applications/rapps/lang/it-IT.rc index b1173013be6..bf4b3ff1f32 100644 --- a/reactos/base/applications/rapps/lang/it-IT.rc +++ b/reactos/base/applications/rapps/lang/it-IT.rc @@ -197,4 +197,5 @@ BEGIN IDS_INFORMATION "Informazioni" IDS_UNABLE_TO_DOWNLOAD "Unable to download the package! Address not found!" IDS_UNABLE_TO_REMOVE "Impossibile cancellare i dati dal registry!" + IDS_CERT_DOES_NOT_MATCH "SSL certificate verification failed." END diff --git a/reactos/base/applications/rapps/lang/ja-JP.rc b/reactos/base/applications/rapps/lang/ja-JP.rc index 886a1f65314..a1991016b9e 100644 --- a/reactos/base/applications/rapps/lang/ja-JP.rc +++ b/reactos/base/applications/rapps/lang/ja-JP.rc @@ -197,4 +197,5 @@ BEGIN IDS_INFORMATION "情報" IDS_UNABLE_TO_DOWNLOAD "Unable to download the package! Address not found!" IDS_UNABLE_TO_REMOVE "レジストリからこのプログラムに関するデータを削除できません!" + IDS_CERT_DOES_NOT_MATCH "SSL certificate verification failed." END diff --git a/reactos/base/applications/rapps/lang/no-NO.rc b/reactos/base/applications/rapps/lang/no-NO.rc index 91aebe93ffc..832ba2c5f9a 100644 --- a/reactos/base/applications/rapps/lang/no-NO.rc +++ b/reactos/base/applications/rapps/lang/no-NO.rc @@ -197,4 +197,5 @@ BEGIN IDS_INFORMATION "Information" IDS_UNABLE_TO_DOWNLOAD "Unable to download the package! Address not found!" IDS_UNABLE_TO_REMOVE "Unable to remove data on the program from the registry!" + IDS_CERT_DOES_NOT_MATCH "SSL certificate verification failed." END diff --git a/reactos/base/applications/rapps/lang/pl-PL.rc b/reactos/base/applications/rapps/lang/pl-PL.rc index efafbf88a6c..caac85fd7d6 100644 --- a/reactos/base/applications/rapps/lang/pl-PL.rc +++ b/reactos/base/applications/rapps/lang/pl-PL.rc @@ -205,4 +205,5 @@ BEGIN IDS_INFORMATION "Informacja" IDS_UNABLE_TO_DOWNLOAD "Nie można pobrać pakietu! Nie znaleziono adresu!" IDS_UNABLE_TO_REMOVE "Nie można było usunąć wpisu z rejestru!" + IDS_CERT_DOES_NOT_MATCH "SSL certificate verification failed." END diff --git a/reactos/base/applications/rapps/lang/pt-BR.rc b/reactos/base/applications/rapps/lang/pt-BR.rc index f30faee0511..7ecd5e92119 100644 --- a/reactos/base/applications/rapps/lang/pt-BR.rc +++ b/reactos/base/applications/rapps/lang/pt-BR.rc @@ -199,4 +199,5 @@ BEGIN IDS_INFORMATION "Informações" IDS_UNABLE_TO_DOWNLOAD "Unable to download the package! Address not found!" IDS_UNABLE_TO_REMOVE "Não foi possível remover as informações do programa do registro!" + IDS_CERT_DOES_NOT_MATCH "SSL certificate verification failed." END diff --git a/reactos/base/applications/rapps/lang/ro-RO.rc b/reactos/base/applications/rapps/lang/ro-RO.rc index 1000e418bda..b6f608264cf 100644 --- a/reactos/base/applications/rapps/lang/ro-RO.rc +++ b/reactos/base/applications/rapps/lang/ro-RO.rc @@ -203,4 +203,5 @@ BEGIN IDS_INFORMATION "Informație" IDS_UNABLE_TO_DOWNLOAD "Pachetul nu poate fi descărcat! Adresa nu este găsită!" IDS_UNABLE_TO_REMOVE "Nu se pot elimina datele din registru pentru acest program!" + IDS_CERT_DOES_NOT_MATCH "SSL certificate verification failed." END diff --git a/reactos/base/applications/rapps/lang/ru-RU.rc b/reactos/base/applications/rapps/lang/ru-RU.rc index 212164f80dd..0b61c44876e 100644 --- a/reactos/base/applications/rapps/lang/ru-RU.rc +++ b/reactos/base/applications/rapps/lang/ru-RU.rc @@ -197,4 +197,5 @@ BEGIN IDS_INFORMATION "Информация" IDS_UNABLE_TO_DOWNLOAD "Unable to download the package! Address not found!" IDS_UNABLE_TO_REMOVE "Не удалось удалить данные о программе из реестра!" + IDS_CERT_DOES_NOT_MATCH "SSL certificate verification failed." END diff --git a/reactos/base/applications/rapps/lang/sk-SK.rc b/reactos/base/applications/rapps/lang/sk-SK.rc index a7518aea010..85ffe101b04 100644 --- a/reactos/base/applications/rapps/lang/sk-SK.rc +++ b/reactos/base/applications/rapps/lang/sk-SK.rc @@ -202,4 +202,5 @@ BEGIN IDS_INFORMATION "Informácie" IDS_UNABLE_TO_DOWNLOAD "Unable to download the package! Address not found!" IDS_UNABLE_TO_REMOVE "Nie je možné odstrániť z registrov údaje o programe!" + IDS_CERT_DOES_NOT_MATCH "SSL certificate verification failed." END diff --git a/reactos/base/applications/rapps/lang/sq-AL.rc b/reactos/base/applications/rapps/lang/sq-AL.rc index ce62e755ad6..76671659a97 100644 --- a/reactos/base/applications/rapps/lang/sq-AL.rc +++ b/reactos/base/applications/rapps/lang/sq-AL.rc @@ -201,4 +201,5 @@ BEGIN IDS_INFORMATION "Informacione" IDS_UNABLE_TO_DOWNLOAD "Unable to download the package! Address not found!" IDS_UNABLE_TO_REMOVE "E pamundur te fshihen informacionet e programit nga regjistri!" + IDS_CERT_DOES_NOT_MATCH "SSL certificate verification failed." END diff --git a/reactos/base/applications/rapps/lang/sv-SE.rc b/reactos/base/applications/rapps/lang/sv-SE.rc index 996b0e301e6..dd44ba54a7b 100644 --- a/reactos/base/applications/rapps/lang/sv-SE.rc +++ b/reactos/base/applications/rapps/lang/sv-SE.rc @@ -204,4 +204,5 @@ BEGIN IDS_INFORMATION "Information" IDS_UNABLE_TO_DOWNLOAD "Unable to download the package! Address not found!" IDS_UNABLE_TO_REMOVE "Det gick ej att ta bort programmets data från registret!" + IDS_CERT_DOES_NOT_MATCH "SSL certificate verification failed." END diff --git a/reactos/base/applications/rapps/lang/tr-TR.rc b/reactos/base/applications/rapps/lang/tr-TR.rc index 6144e21da5a..b07af6c26f3 100644 --- a/reactos/base/applications/rapps/lang/tr-TR.rc +++ b/reactos/base/applications/rapps/lang/tr-TR.rc @@ -199,4 +199,5 @@ BEGIN IDS_INFORMATION "Bilgi" IDS_UNABLE_TO_DOWNLOAD "Paket indirilemez! Adres bulunamadı!" IDS_UNABLE_TO_REMOVE "İzlencenin girişi değer defterinden silinemiyor." + IDS_CERT_DOES_NOT_MATCH "SSL certificate verification failed." END diff --git a/reactos/base/applications/rapps/lang/uk-UA.rc b/reactos/base/applications/rapps/lang/uk-UA.rc index 9f394325fb7..1b8591a54f7 100644 --- a/reactos/base/applications/rapps/lang/uk-UA.rc +++ b/reactos/base/applications/rapps/lang/uk-UA.rc @@ -205,4 +205,5 @@ BEGIN IDS_INFORMATION "Інформація" IDS_UNABLE_TO_DOWNLOAD "Unable to download the package! Address not found!" IDS_UNABLE_TO_REMOVE "Не вдалося видалити дані про програму з реєстру!" + IDS_CERT_DOES_NOT_MATCH "SSL certificate verification failed." END diff --git a/reactos/base/applications/rapps/lang/zh-CN.rc b/reactos/base/applications/rapps/lang/zh-CN.rc index d8aa057372b..362e4dc6cd3 100644 --- a/reactos/base/applications/rapps/lang/zh-CN.rc +++ b/reactos/base/applications/rapps/lang/zh-CN.rc @@ -200,4 +200,5 @@ BEGIN IDS_INFORMATION "信息" IDS_UNABLE_TO_DOWNLOAD "无法下载该软件包 !找不到网络的地址 !" IDS_UNABLE_TO_REMOVE "无法从注册表删除该程序的数据!" + IDS_CERT_DOES_NOT_MATCH "SSL certificate verification failed." END diff --git a/reactos/base/applications/rapps/lang/zh-TW.rc b/reactos/base/applications/rapps/lang/zh-TW.rc index 332490a55cc..ff6b33f3ec0 100644 --- a/reactos/base/applications/rapps/lang/zh-TW.rc +++ b/reactos/base/applications/rapps/lang/zh-TW.rc @@ -199,4 +199,5 @@ BEGIN IDS_INFORMATION "資訊" IDS_UNABLE_TO_DOWNLOAD "Unable to download the package! Address not found!" IDS_UNABLE_TO_REMOVE "無法從登錄檔刪除該程式的資料!" + IDS_CERT_DOES_NOT_MATCH "SSL certificate verification failed." END diff --git a/reactos/base/applications/rapps/loaddlg.c b/reactos/base/applications/rapps/loaddlg.c index a3784cdd36a..7c4372b6628 100644 --- a/reactos/base/applications/rapps/loaddlg.c +++ b/reactos/base/applications/rapps/loaddlg.c @@ -201,6 +201,58 @@ CreateDl(HWND Dlg, BOOL *pbCancelled) return (IBindStatusCallback*) This; } +#ifdef USE_CERT_PINNING +static BOOL CertIsValid(HINTERNET hInternet, LPWSTR lpszHostName) +{ + HINTERNET hConnect; + HINTERNET hRequest; + DWORD certInfoLength; + BOOL Ret = FALSE; + INTERNET_CERTIFICATE_INFOW certInfo; + + hConnect = InternetConnectW(hInternet, lpszHostName, INTERNET_DEFAULT_HTTPS_PORT, NULL, NULL, INTERNET_SERVICE_HTTP, INTERNET_FLAG_SECURE, 0); + if (hConnect) + { + hRequest = HttpOpenRequestW(hConnect, L"HEAD", NULL, NULL, NULL, NULL, INTERNET_FLAG_SECURE, 0); + if (hRequest != NULL) + { + Ret = HttpSendRequestW(hRequest, L"", 0, NULL, 0); + if (Ret) + { + certInfoLength = sizeof(INTERNET_CERTIFICATE_INFOW); + Ret = InternetQueryOptionW(hRequest, + INTERNET_OPTION_SECURITY_CERTIFICATE_STRUCT, + &certInfo, + &certInfoLength); + if (Ret) + { + if (certInfo.lpszEncryptionAlgName) + LocalFree(certInfo.lpszEncryptionAlgName); + if (certInfo.lpszIssuerInfo) + { + if (strcmp((LPSTR)certInfo.lpszIssuerInfo, CERT_ISSUER_INFO) != 0) + Ret = FALSE; + LocalFree(certInfo.lpszIssuerInfo); + } + if (certInfo.lpszProtocolName) + LocalFree(certInfo.lpszProtocolName); + if (certInfo.lpszSignatureAlgName) + LocalFree(certInfo.lpszSignatureAlgName); + if (certInfo.lpszSubjectInfo) + { + if (strcmp((LPSTR)certInfo.lpszSubjectInfo, CERT_SUBJECT_INFO) != 0) + Ret = FALSE; + LocalFree(certInfo.lpszSubjectInfo); + } + } + } + InternetCloseHandle(hRequest); + } + } + return Ret; +} +#endif + static DWORD WINAPI ThreadFunc(LPVOID Context) @@ -307,6 +359,8 @@ ThreadFunc(LPVOID Context) urlComponents.dwSchemeLength = urlLength*sizeof(WCHAR); urlComponents.lpszScheme = malloc(urlComponents.dwSchemeLength); + urlComponents.dwHostNameLength = urlLength*sizeof(WCHAR); + urlComponents.lpszHostName = malloc(urlComponents.dwHostNameLength); if(!InternetCrackUrlW(AppInfo->szUrlDownload, urlLength+1, ICU_DECODE | ICU_ESCAPE, &urlComponents)) goto end; @@ -317,7 +371,21 @@ ThreadFunc(LPVOID Context) if(urlComponents.nScheme == INTERNET_SCHEME_FTP) dwContentLen = FtpGetFileSize(hFile, &dwStatus); +#ifdef USE_CERT_PINNING + if ((urlComponents.nScheme == INTERNET_SCHEME_HTTPS) && (!CertIsValid(hOpen, urlComponents.lpszHostName))) + { + WCHAR szMsgText[MAX_STR_LEN]; + + if (!LoadStringW(hInst, IDS_CERT_DOES_NOT_MATCH, szMsgText, sizeof(szMsgText) / sizeof(WCHAR))) + goto end; + + MessageBoxW(hMainWnd, szMsgText, NULL, MB_OK | MB_ICONERROR); + goto end; + } +#endif + free(urlComponents.lpszScheme); + free(urlComponents.lpszHostName); hOut = CreateFileW(path, GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, CREATE_ALWAYS, 0, NULL); diff --git a/reactos/base/applications/rapps/rapps.h b/reactos/base/applications/rapps/rapps.h index be7794b3a1c..69ab27c8f34 100644 --- a/reactos/base/applications/rapps/rapps.h +++ b/reactos/base/applications/rapps/rapps.h @@ -26,6 +26,11 @@ #include "resource.h" +#ifdef USE_CERT_PINNING + #define CERT_ISSUER_INFO "BE\r\nGlobalSign nv-sa\r\nGlobalSign Domain Validation CA - SHA256 - G2" + #define CERT_SUBJECT_INFO "Domain Control Validated\r\n*.reactos.org" +#endif + #define APPLICATION_DATABASE_URL L"https://svn.reactos.org/packages/rappmgr.cab" #define SPLIT_WIDTH 4 diff --git a/reactos/base/applications/rapps/resource.h b/reactos/base/applications/rapps/resource.h index 7565aa03bf1..3cfb2b8caee 100644 --- a/reactos/base/applications/rapps/resource.h +++ b/reactos/base/applications/rapps/resource.h @@ -96,6 +96,7 @@ #define IDS_INFORMATION 117 #define IDS_UNABLE_TO_REMOVE 118 #define IDS_UNABLE_TO_DOWNLOAD 119 +#define IDS_CERT_DOES_NOT_MATCH 120 /* Tooltips */ #define IDS_TOOLTIP_INSTALL 200