I have been using wine for various tools and utilities at work and home for some time now. Recently I tried to use wine to run the VMware Infrastructure Client and ran into bug 18337 (http://bugs.winehq.org/show_bug.cgi?id=18337).
I am pasting my comments on that bug here to avoid repetition (http://bugs.winehq.org/show_bug.cgi?id=18337#c4).
<paste> So - I looked through the code (current git @1.1.29) and compared to the 1.0 release (because of comment 1) and did not see that CERT_CHAIN_POLICY_SSL was ever implemented.
Looking at chain.c, line 1886-1902 I can see the switch-case statement where this would have been handled. The problem I ran into while trying to keep up with the code was figuring out what the verify_* methods are trying to do.
I'd really like to see this work and may have some spare cycles to help out. The problem is that I don't understand everything happening in these methods - can I get some pointers to what is happening or what should happen in the yet to be created verify_ssl_policy() method? </paste>
Regards, Frank
On Tue, 2009-09-08 at 19:15 -0400, Frank Gruman wrote:
I have been using wine for various tools and utilities at work and home for some time now. Recently I tried to use wine to run the VMware Infrastructure Client and ran into bug 18337 (http://bugs.winehq.org/show_bug.cgi?id=18337).
I am pasting my comments on that bug here to avoid repetition (http://bugs.winehq.org/show_bug.cgi?id=18337#c4).
<paste> So - I looked through the code (current git @1.1.29) and compared to the 1.0 release (because of comment 1) and did not see that CERT_CHAIN_POLICY_SSL was ever implemented.
Looking at chain.c, line 1886-1902 I can see the switch-case statement where this would have been handled. The problem I ran into while trying to keep up with the code was figuring out what the verify_* methods are trying to do.
I'd really like to see this work and may have some spare cycles to help out. The problem is that I don't understand everything happening in these methods - can I get some pointers to what is happening or what should happen in the yet to be created verify_ssl_policy() method?
</paste>
Regards, Frank
BAH!! Apologies for pasting the wrong content into the subject line - meant to insert a more meaningful subject.
Regards, Frank
Hi Frank,
On Tue, Sep 8, 2009 at 4:15 PM, Frank Grumanfgatwork@verizon.net wrote:
Looking at chain.c, line 1886-1902 I can see the switch-case statement where this would have been handled. The problem I ran into while trying to keep up with the code was figuring out what the verify_* methods are trying to do.
I'd really like to see this work and may have some spare cycles to help out. The problem is that I don't understand everything happening in these methods - can I get some pointers to what is happening or what should happen in the yet to be created verify_ssl_policy() method?
The short answer is, if you don't care about the validity of the certificates you're trying to connect to, you can hack this function to return TRUE rather than FALSE. This is an awful hack, however, and can't be accepted into the Wine tree, but if all you care about is to get the darn thing to work, it might be enough for you.
The longer answer is the generic Wine answer: what should happen is whatever Windows does. To find out what Windows does, you need to write tests for it. Have a look at dlls/crypt32/tests/chain.c for a start. You'll want to mimic the existing tests, and try with different SSL_EXTRA_CERT_CHAIN_POLICY_PARA values.
Since that's not very specific, here's a slightly more directed answer: the as-yet-unwritten verify_ssl_policy() should call verify_base_policy() first. If it succeeds, it should verify that the certificate matches the intended use. At a minimum, if the SSL_EXTRA_CERT_CHAIN_POLICY_PARA is specified, you need to verify that its pwszServerName matches the subject name in the certificate. Be careful not to introduce the embedded NULL character vulnerability (see e.g. CVE-2009-2417.) There are probably more checks needed, either in verify_base_policy or in verify_ssl_policy, e.g. checking the key usage extension. RFC3280 is a good guide for the kinds of checks that need to be done.
Intimidated yet? That's why I haven't gotten around to it myself: it's not a quick fix, and I haven't had a lot of free time. But if you have the time to do it right, by all means have a go! --Juan
On Tue, 2009-09-08 at 16:33 -0700, Juan Lang wrote:
Hi Frank,
On Tue, Sep 8, 2009 at 4:15 PM, Frank Grumanfgatwork@verizon.net wrote:
Looking at chain.c, line 1886-1902 I can see the switch-case statement where this would have been handled. The problem I ran into while trying to keep up with the code was figuring out what the verify_* methods are trying to do.
I'd really like to see this work and may have some spare cycles to help out. The problem is that I don't understand everything happening in these methods - can I get some pointers to what is happening or what should happen in the yet to be created verify_ssl_policy() method?
The short answer is, if you don't care about the validity of the certificates you're trying to connect to, you can hack this function to return TRUE rather than FALSE. This is an awful hack, however, and can't be accepted into the Wine tree, but if all you care about is to get the darn thing to work, it might be enough for you.
The longer answer is the generic Wine answer: what should happen is whatever Windows does. To find out what Windows does, you need to write tests for it. Have a look at dlls/crypt32/tests/chain.c for a start. You'll want to mimic the existing tests, and try with different SSL_EXTRA_CERT_CHAIN_POLICY_PARA values.
Since that's not very specific, here's a slightly more directed answer: the as-yet-unwritten verify_ssl_policy() should call verify_base_policy() first. If it succeeds, it should verify that the certificate matches the intended use. At a minimum, if the SSL_EXTRA_CERT_CHAIN_POLICY_PARA is specified, you need to verify that its pwszServerName matches the subject name in the certificate. Be careful not to introduce the embedded NULL character vulnerability (see e.g. CVE-2009-2417.) There are probably more checks needed, either in verify_base_policy or in verify_ssl_policy, e.g. checking the key usage extension. RFC3280 is a good guide for the kinds of checks that need to be done.
Intimidated yet? That's why I haven't gotten around to it myself: it's not a quick fix, and I haven't had a lot of free time. But if you have the time to do it right, by all means have a go! --Juan
Only slightly daunted. But I will give it a go. It won't be over night, but I think I can, I think I can, I think I can...
Thanks for the pointers on where to look and start.
Regards, Frank