https://git.reactos.org/?p=reactos.git;a=commitdiff;h=c8b2c4c94d7830ffd924133dfa548e3fea7169b9

commit c8b2c4c94d7830ffd924133dfa548e3fea7169b9
Author:     Whindmar Saksit <whinds...@proton.me>
AuthorDate: Tue Jan 21 13:06:55 2025 +0100
Commit:     GitHub <nore...@github.com>
CommitDate: Tue Jan 21 13:06:55 2025 +0100

    [RAPPS] Check Let's Encrypt issuer prefix (#7650)
---
 base/applications/rapps/loaddlg.cpp | 23 ++++++++++++++++-------
 1 file changed, 16 insertions(+), 7 deletions(-)

diff --git a/base/applications/rapps/loaddlg.cpp 
b/base/applications/rapps/loaddlg.cpp
index 7e926c3399f..c0ca9d135dc 100644
--- a/base/applications/rapps/loaddlg.cpp
+++ b/base/applications/rapps/loaddlg.cpp
@@ -52,10 +52,23 @@
 #include "unattended.h"
 
 #ifdef USE_CERT_PINNING
+#define CERT_ISSUER_INFO_PREFIX "US\r\nLet's Encrypt\r\nR"
 #define CERT_ISSUER_INFO_OLD "US\r\nLet's Encrypt\r\nR3"
 #define CERT_ISSUER_INFO_NEW "US\r\nLet's Encrypt\r\nR11"
 #define CERT_SUBJECT_INFO "rapps.reactos.org"
+
+static bool
+IsTrustedPinnedCert(LPCSTR Subject, LPCSTR Issuer)
+{
+    if (strcmp(Subject, CERT_SUBJECT_INFO))
+        return false;
+#ifdef CERT_ISSUER_INFO_PREFIX
+    return Issuer == StrStrA(Issuer, CERT_ISSUER_INFO_PREFIX);
+#else
+    return !strcmp(Issuer, CERT_ISSUER_INFO_OLD) || !strcmp(Issuer, 
CERT_ISSUER_INFO_NEW);
 #endif
+}
+#endif // USE_CERT_PINNING
 
 enum DownloadType
 {
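Review bot: The new prefix test on L34 is written as a substring search, `Issuer == StrStrA(Issuer, CERT_ISSUER_INFO_PREFIX)`, which scans the whole issuer string and only then checks that the hit is at offset 0; a bounded compare states the intent directly and cannot match anywhere else: `return strncmp(Issuer, CERT_ISSUER_INFO_PREFIX, sizeof(CERT_ISSUER_INFO_PREFIX) - 1) == 0;`. Because the prefix ends at "R", the pin now accepts any Let's Encrypt intermediate whose CN starts with R (R3, R10–R14 and any future R-series) but would, as far as one can tell from this hunk, still reject an E-series (ECDSA) intermediate; a comment above the define should say so, e.g. `// Accept any Let's Encrypt "R<n>" RSA intermediate; bump this if the server moves to an "E<n>" chain.` It is also worth a one-line comment on IsTrustedPinnedCert that this is a name pin, not a key pin: any certificate for CERT_SUBJECT_INFO issued by a Let's Encrypt R intermediate passes, so the check only narrows the issuer, it does not bind the server key. Finally, the `#ifdef CERT_ISSUER_INFO_PREFIX` on L33 is always true since the macro is defined three lines earlier, leaving CERT_ISSUER_INFO_OLD/NEW as dead definitions; either drop them or keep the `#else` branch as documented fallback and say which is intended.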
@@ -917,14 +930,10 @@ CDownloadManager::ThreadFunc(LPVOID param)
                 szMsgText.LoadStringW(IDS_UNABLE_TO_QUERY_CERT);
                 bAskQuestion = true;
             }
-            else
+            else if (!IsTrustedPinnedCert(subjectName, issuerName))
             {
-                if (strcmp(subjectName, CERT_SUBJECT_INFO) ||
-                    (strcmp(issuerName, CERT_ISSUER_INFO_OLD) && 
strcmp(issuerName, CERT_ISSUER_INFO_NEW)))
-                {
-                    szMsgText.Format(IDS_MISMATCH_CERT_INFO, (char 
*)subjectName, (const char *)issuerName);
-                    bAskQuestion = true;
-                }
+                szMsgText.Format(IDS_MISMATCH_CERT_INFO, (LPCSTR)subjectName, 
(LPCSTR)issuerName);
+                bAskQuestion = true;
             }
 
             if (bAskQuestion)
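Review bot: The new call site on L49 turns a pin mismatch into `bAskQuestion = true`, so a certificate that fails IsTrustedPinnedCert is surfaced as a prompt rather than a hard failure; that is the pre-existing behaviour, but now that the check is a named helper a comment on the `else if` should make the contract explicit, e.g. `// Pin mismatch is advisory: the user is asked, not blocked (see bAskQuestion below).` ThreadFunc begins and ends outside this hunk, so whether an unattended run answers that prompt automatically cannot be seen here and should be confirmed before relying on the pin as a control.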
