Juan Lang : wininet: Don't make use of OpenSSL's security checks, as crypt32 also verifies certificate chain.
Alexandre Julliard
julliard at winehq.org
Thu Dec 2 16:30:50 CST 2010
Module: wine
Branch: stable
Commit: 9e7a96f5100e94034f7aa0866b9560ab397a95e7
URL: http://source.winehq.org/git/wine.git/?a=commit;h=9e7a96f5100e94034f7aa0866b9560ab397a95e7
Author: Juan Lang <juan.lang at gmail.com>
Date: Tue Sep 28 16:14:21 2010 -0700
wininet: Don't make use of OpenSSL's security checks, as crypt32 also verifies certificate chain.
(cherry picked from commit 3e51313e37b2062dee2b4a5ee06b8d981728ff99)
---
dlls/wininet/netconnection.c | 66 +++++++++++++++++++-----------------------
1 files changed, 30 insertions(+), 36 deletions(-)
diff --git a/dlls/wininet/netconnection.c b/dlls/wininet/netconnection.c
index abd7415..07786d3 100644
--- a/dlls/wininet/netconnection.c
+++ b/dlls/wininet/netconnection.c
@@ -285,55 +285,49 @@ static int netconn_secure_verify(int preverify_ok, X509_STORE_CTX *ctx)
SSL *ssl;
WCHAR *server;
BOOL ret = FALSE;
+ HCERTSTORE store = CertOpenStore(CERT_STORE_PROV_MEMORY, 0, 0,
+ CERT_STORE_CREATE_NEW_FLAG, NULL);
ssl = pX509_STORE_CTX_get_ex_data(ctx,
pSSL_get_ex_data_X509_STORE_CTX_idx());
server = pSSL_get_ex_data(ssl, hostname_idx);
- if (preverify_ok)
+ if (store)
{
- HCERTSTORE store = CertOpenStore(CERT_STORE_PROV_MEMORY, 0, 0,
- CERT_STORE_CREATE_NEW_FLAG, NULL);
+ X509 *cert;
+ int i;
+ PCCERT_CONTEXT endCert = NULL;
- if (store)
+ ret = TRUE;
+ for (i = 0; ret && i < psk_num((struct stack_st *)ctx->chain); i++)
{
- X509 *cert;
- int i;
- PCCERT_CONTEXT endCert = NULL;
+ PCCERT_CONTEXT context;
- ret = TRUE;
- for (i = 0; ret && i < psk_num((struct stack_st *)ctx->chain); i++)
+ cert = (X509 *)psk_value((struct stack_st *)ctx->chain, i);
+ if ((context = X509_to_cert_context(cert)))
{
- PCCERT_CONTEXT context;
-
- cert = (X509 *)psk_value((struct stack_st *)ctx->chain, i);
- if ((context = X509_to_cert_context(cert)))
- {
- if (i == 0)
- ret = CertAddCertificateContextToStore(store, context,
- CERT_STORE_ADD_ALWAYS, &endCert);
- else
- ret = CertAddCertificateContextToStore(store, context,
- CERT_STORE_ADD_ALWAYS, NULL);
- CertFreeCertificateContext(context);
- }
+ if (i == 0)
+ ret = CertAddCertificateContextToStore(store, context,
+ CERT_STORE_ADD_ALWAYS, &endCert);
+ else
+ ret = CertAddCertificateContextToStore(store, context,
+ CERT_STORE_ADD_ALWAYS, NULL);
+ CertFreeCertificateContext(context);
}
- if (!endCert) ret = FALSE;
- if (ret)
- {
- DWORD_PTR err = netconn_verify_cert(endCert, store, server);
+ }
+ if (!endCert) ret = FALSE;
+ if (ret)
+ {
+ DWORD_PTR err = netconn_verify_cert(endCert, store, server);
- if (err)
- {
- pSSL_set_ex_data(ssl, error_idx, (void *)err);
- ret = FALSE;
- }
+ if (err)
+ {
+ pSSL_set_ex_data(ssl, error_idx, (void *)err);
+ ret = FALSE;
}
- CertFreeCertificateContext(endCert);
- CertCloseStore(store, 0);
}
- } else
- pSSL_set_ex_data(ssl, error_idx, (void *)ERROR_INTERNET_SEC_CERT_ERRORS);
-
+ CertFreeCertificateContext(endCert);
+ CertCloseStore(store, 0);
+ }
return ret;
}
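Review bot: Several rejection paths in the new body leave `ret` FALSE without recording anything under `error_idx`: `CertOpenStore` returning NULL (the new lines at the top of the hunk), `X509_to_cert_context` or `CertAddCertificateContextToStore` failing inside the loop, and `endCert` staying NULL; the removed `else` branch used to store `ERROR_INTERNET_SEC_CERT_ERRORS` when OpenSSL's preverify failed, so if the caller reports the `error_idx` value (not visible here), these rejections now surface with no error code. Consider adding, just before `return ret;`, `if (!ret && !pSSL_get_ex_data(ssl, error_idx)) pSSL_set_ex_data(ssl, error_idx, (void *)ERROR_INTERNET_SEC_CERT_ERRORS);` — whether that code is the right one for an internal failure should be confirmed against the caller. Since `preverify_ok` is now ignored entirely, the delegation deserves a comment at the top of the function, e.g. `/* preverify_ok is deliberately ignored: the chain is rebuilt in a memory store and validated by netconn_verify_cert (crypt32), which is the only check that decides acceptance. */`. The signature and opening brace of netconn_secure_verify precede the hunk.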