Bug fix: Potential failure when opening unencrypted HTTP/WebDAV conne…

…ction Caused by Bug 2034 Source commit: b93f34c4e00ed58793e788815e55ddf0b07707f9
winscp · Aug 17, 2023 · 9ffd61b · 9ffd61b
1 parent efcbd08
commit 9ffd61b
Show file tree

Hide file tree

Showing 4 changed files with 27 additions and 22 deletions.
diff --git a/source/core/Http.cpp b/source/core/Http.cpp
@@ -73,11 +73,7 @@ void THttp::SendRequest(const char * Method, const UnicodeString & Request)
 
       if (IsTls)
       {
-        SetNeonTlsInit(NeonSession, InitSslSession);
-
-        ne_ssl_set_verify(NeonSession, NeonServerSSLCallback, this);
-
-        ne_ssl_trust_default_ca(NeonSession);
+        InitNeonTls(NeonSession, InitSslSession, NeonServerSSLCallback, this, NULL);
       }
 
       ne_request_s * NeonRequest = ne_request_create(NeonSession, Method, StrToNeon(Uri));

diff --git a/source/core/NeonIntf.cpp b/source/core/NeonIntf.cpp
@@ -110,15 +110,6 @@ void InitNeonSession(ne_session * Session, TProxyMethod ProxyMethod, const Unico
 
   ne_redirect_register(Session);
   ne_set_useragent(Session, StrToNeon(FORMAT(L"%s/%s", (AppNameString(), Configuration->Version))));
-  UnicodeString CertificateStorage = Configuration->CertificateStorageExpanded;
-  if (!CertificateStorage.IsEmpty())
-  {
-    ne_ssl_set_certificates_storage(Session, StrToNeon(CertificateStorage));
-    if (Terminal != NULL)
-    {
-      Terminal->LogEvent(FORMAT(L"Using certificate store \"%s\"", (CertificateStorage)));
-    }
-  }
 
   if (Terminal != NULL)
   {
@@ -260,11 +251,33 @@ void ne_init_ssl_session(struct ssl_st * Ssl, ne_session * Session)
 //---------------------------------------------------------------------------
 void SetNeonTlsInit(ne_session * Session, TNeonTlsInit OnNeonTlsInit)
 {
+  // As the OnNeonTlsInit always only calls SetupSsl, we can simplify this with one shared implementation
   TMethod & Method = *(TMethod*)&OnNeonTlsInit;
   ne_set_session_private(Session, SESSION_TLS_INIT_KEY, Method.Code);
   ne_set_session_private(Session, SESSION_TLS_INIT_DATA_KEY, Method.Data);
 }
 //---------------------------------------------------------------------------
+void InitNeonTls(
+  ne_session * Session, TNeonTlsInit OnNeonTlsInit, ne_ssl_verify_fn VerifyCallback, void * VerifyContext,
+  TTerminal * Terminal)
+{
+  UnicodeString CertificateStorage = Configuration->CertificateStorageExpanded;
+  if (!CertificateStorage.IsEmpty())
+  {
+    ne_ssl_set_certificates_storage(Session, StrToNeon(CertificateStorage));
+    if (Terminal != NULL)
+    {
+      Terminal->LogEvent(FORMAT(L"Using certificate store \"%s\"", (CertificateStorage)));
+    }
+  }
+
+  SetNeonTlsInit(Session, OnNeonTlsInit);
+
+  ne_ssl_set_verify(Session, VerifyCallback, VerifyContext);
+
+  ne_ssl_trust_default_ca(Session);
+}
+//---------------------------------------------------------------------------
 AnsiString NeonExportCertificate(const ne_ssl_certificate * Certificate)
 {
   char * AsciiCert = ne_ssl_cert_export(Certificate);

diff --git a/source/core/NeonIntf.h b/source/core/NeonIntf.h
@@ -38,6 +38,9 @@ UnicodeString GetNeonRedirectUrl(ne_session * Session);
 void CheckRedirectLoop(const UnicodeString & RedirectUrl, TStrings * AttemptedUrls);
 typedef void (__closure* TNeonTlsInit)(struct ssl_st * Ssl, ne_session * Session);
 void SetNeonTlsInit(ne_session * Session, TNeonTlsInit OnNeonTlsInit);
+void InitNeonTls(
+  ne_session * Session, TNeonTlsInit OnNeonTlsInit, ne_ssl_verify_fn VerifyCallback, void * VerifyContext,
+  TTerminal * Terminal);
 AnsiString NeonExportCertificate(const ne_ssl_certificate * Certificate);
 bool NeonWindowsValidateCertificate(int & Failures, const AnsiString & AsciiCert, UnicodeString & Error);
 bool NeonWindowsValidateCertificateWithMessage(TNeonCertificateData & Data, UnicodeString & Message);

diff --git a/source/core/WebDAVFileSystem.cpp b/source/core/WebDAVFileSystem.cpp
@@ -306,15 +306,8 @@ void TWebDAVFileSystem::NeonClientOpenSessionInternal(UnicodeString & CorrectedU
 //---------------------------------------------------------------------------
 void __fastcall TWebDAVFileSystem::SetSessionTls(TSessionContext * SessionContext, ne_session_s * Session, bool Aux)
 {
-  SetNeonTlsInit(Session, InitSslSession);
-
-  // When the CA certificate or server certificate has
-  // verification problems, neon will call our verify function before
-  // outright rejection of the connection.
   ne_ssl_verify_fn Callback = Aux ? NeonServerSSLCallbackAux : NeonServerSSLCallbackMain;
-  ne_ssl_set_verify(Session, Callback, SessionContext);
-
-  ne_ssl_trust_default_ca(Session);
+  InitNeonTls(Session, InitSslSession, Callback, SessionContext, FTerminal);
 }
 //---------------------------------------------------------------------------
 void __fastcall TWebDAVFileSystem::InitSession(TSessionContext * SessionContext, ne_session_s * Session)