From: Ihor Karpenko Date: Thu, 23 Aug 2018 11:18:17 +0000 (+0300) Subject: schannel: client certificate store opening fix X-Git-Tag: curl-7_61_1~27 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6b6c2b8d57a69a256f7a727784876d8cc37aa669;p=thirdparty%2Fcurl.git schannel: client certificate store opening fix 1) Using CERT_STORE_OPEN_EXISTING_FLAG ( or CERT_STORE_READONLY_FLAG ) while opening certificate store would be sufficient in this scenario and less-demanding in sense of required user credentials ( for example, IIS_IUSRS will get "Access Denied" 0x05 error for existing CertOpenStore call without any of flags mentioned above ), 2) as 'cert_store_name' is a DWORD, attempt to format its value like a string ( in "Failed to open cert store" error message ) will throw null pointer exception 3) adding GetLastError(), in my opinion, will make error message more useful. Bug: https://curl.haxx.se/mail/lib-2018-08/0198.html Closes #2909 --- diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c index ebd1c1c042..8f6c301d11 100644 --- a/lib/vtls/schannel.c +++ b/lib/vtls/schannel.c @@ -602,12 +602,15 @@ schannel_connect_step1(struct connectdata *conn, int sockindex) return result; } - cert_store = CertOpenStore(CURL_CERT_STORE_PROV_SYSTEM, 0, - (HCRYPTPROV)NULL, - cert_store_name, cert_store_path); + cert_store = + CertOpenStore(CURL_CERT_STORE_PROV_SYSTEM, 0, + (HCRYPTPROV)NULL, + CERT_STORE_OPEN_EXISTING_FLAG | cert_store_name, + cert_store_path); if(!cert_store) { - failf(data, "schannel: Failed to open cert store %s %s", - cert_store_name, cert_store_path); + failf(data, "schannel: Failed to open cert store %x %s, " + "last error is %x", + cert_store_name, cert_store_path, GetLastError()); Curl_unicodefree(cert_path); return CURLE_SSL_CONNECT_ERROR; }
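Review bot: In the new failf() call, both `cert_store_name` and `GetLastError()` are DWORD values (unsigned long on Win32) but are printed with `%x`, which expects unsigned int; use `%lx` or cast to unsigned int so the specifier matches the argument, and print them as "0x%lx" so a reader knows the logged value is hex rather than a decimal error code. On the CertOpenStore change itself: since this store is only searched for the client certificate, consider OR-ing in CERT_STORE_READONLY_FLAG alongside CERT_STORE_OPEN_EXISTING_FLAG, which the commit message names as an equivalent option; requesting read-only access is the least privilege the call needs and also avoids accidental writes to a system store, and it is worth a short code comment stating why the OPEN_EXISTING flag matters for low-privilege accounts such as the IIS_IUSRS case described. Finally, GetLastError() is evaluated as a failf() argument; that is correct here because no intervening Win32 call sits between the failed CertOpenStore and the failf(), but capturing it into a local immediately after the call would make that ordering explicit and robust to future edits.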