Juan Lang : crypt32: Honor more SECURITY_FLAG_IGNORE flags when verifying the SSL policy.
Alexandre Julliard
julliard at winehq.org
Thu Sep 30 11:23:35 CDT 2010
Module: wine
Branch: master
Commit: d74c4f7c15d5da99d223a49810d6ad7a8b60ae86
URL: http://source.winehq.org/git/wine.git/?a=commit;h=d74c4f7c15d5da99d223a49810d6ad7a8b60ae86
Author: Juan Lang <juan.lang at gmail.com>
Date: Wed Sep 29 13:42:27 2010 -0700
crypt32: Honor more SECURITY_FLAG_IGNORE flags when verifying the SSL policy.
---
dlls/crypt32/chain.c | 17 ++++++++++++-----
dlls/crypt32/tests/chain.c | 10 ++--------
2 files changed, 14 insertions(+), 13 deletions(-)
diff --git a/dlls/crypt32/chain.c b/dlls/crypt32/chain.c
index 36ed1f3..fe6093d 100644
--- a/dlls/crypt32/chain.c
+++ b/dlls/crypt32/chain.c
@@ -3285,6 +3285,13 @@ static BOOL WINAPI verify_ssl_policy(LPCSTR szPolicyOID,
PCCERT_CHAIN_CONTEXT pChainContext, PCERT_CHAIN_POLICY_PARA pPolicyPara,
PCERT_CHAIN_POLICY_STATUS pPolicyStatus)
{
+ HTTPSPolicyCallbackData *sslPara = NULL;
+ DWORD checks = 0;
+
+ if (pPolicyPara)
+ sslPara = pPolicyPara->pvExtraPolicyPara;
+ if (sslPara && sslPara->u.cbSize >= sizeof(HTTPSPolicyCallbackData))
+ checks = sslPara->fdwChecks;
pPolicyStatus->lChainIndex = pPolicyStatus->lElementIndex = -1;
if (pChainContext->TrustStatus.dwErrorStatus &
CERT_TRUST_IS_NOT_SIGNATURE_VALID)
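Review bot: The new `sslPara = pPolicyPara->pvExtraPolicyPara;` reads the extra-parameter pointer after checking only that pPolicyPara is non-NULL, whereas the existing use further down in this function dereferences `pvExtraPolicyPara` only after `pPolicyPara->cbSize >= sizeof(CERT_CHAIN_POLICY_PARA)`. A caller passing a shorter CERT_CHAIN_POLICY_PARA (cbSize exists precisely for that) could have memory past the end of its struct treated as an HTTPSPolicyCallbackData pointer, and `checks` could then be taken from it, silently relaxing verification. The guard should mirror the later one: `if (pPolicyPara && pPolicyPara->cbSize >= sizeof(CERT_CHAIN_POLICY_PARA))`. verify_ssl_policy continues outside the hunk.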
@@ -3295,7 +3302,8 @@ static BOOL WINAPI verify_ssl_policy(LPCSTR szPolicyOID,
&pPolicyStatus->lElementIndex);
}
else if (pChainContext->TrustStatus.dwErrorStatus &
- CERT_TRUST_IS_UNTRUSTED_ROOT)
+ CERT_TRUST_IS_UNTRUSTED_ROOT &&
+ !(checks & SECURITY_FLAG_IGNORE_UNKNOWN_CA))
{
pPolicyStatus->dwError = CERT_E_UNTRUSTEDROOT;
find_element_with_error(pChainContext,
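Review bot: The new condition `pChainContext->TrustStatus.dwErrorStatus & CERT_TRUST_IS_UNTRUSTED_ROOT && !(checks & SECURITY_FLAG_IGNORE_UNKNOWN_CA)` mixes `&` and `&&` without grouping; the precedence is correct, but writing the bit test as `(pChainContext->TrustStatus.dwErrorStatus & CERT_TRUST_IS_UNTRUSTED_ROOT) && !(checks & SECURITY_FLAG_IGNORE_UNKNOWN_CA)` makes that obvious, and the same applies to the following hunk for CERT_TRUST_IS_NOT_TIME_VALID. Because these are `else if` branches, an ignored error does not clear anything, it merely lets evaluation continue to the remaining checks, so a chain that is both untrusted-root and expired with only SECURITY_FLAG_IGNORE_UNKNOWN_CA set still reports CERT_E_EXPIRED, which appears to be what the updated ignoredUnknownCAPolicyCheck in the test file expects. A one-line comment on the branch, `/* an ignored error falls through to the remaining checks */`, would spare the next reader that inference. verify_ssl_policy continues outside the hunk.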
@@ -3312,7 +3320,8 @@ static BOOL WINAPI verify_ssl_policy(LPCSTR szPolicyOID,
pPolicyStatus->lElementIndex = -1;
}
else if (pChainContext->TrustStatus.dwErrorStatus &
- CERT_TRUST_IS_NOT_TIME_VALID)
+ CERT_TRUST_IS_NOT_TIME_VALID &&
+ !(checks & SECURITY_FLAG_IGNORE_CERT_DATE_INVALID))
{
pPolicyStatus->dwError = CERT_E_EXPIRED;
find_element_with_error(pChainContext,
@@ -3327,13 +3336,11 @@ static BOOL WINAPI verify_ssl_policy(LPCSTR szPolicyOID,
if (!pPolicyStatus->dwError && pPolicyPara &&
pPolicyPara->cbSize >= sizeof(CERT_CHAIN_POLICY_PARA))
{
- HTTPSPolicyCallbackData *sslPara = pPolicyPara->pvExtraPolicyPara;
-
if (sslPara && sslPara->u.cbSize >= sizeof(HTTPSPolicyCallbackData))
{
if (sslPara->dwAuthType == AUTHTYPE_SERVER &&
sslPara->pwszServerName &&
- !(sslPara->fdwChecks & SECURITY_FLAG_IGNORE_CERT_CN_INVALID))
+ !(checks & SECURITY_FLAG_IGNORE_CERT_CN_INVALID))
{
PCCERT_CONTEXT cert;
PCERT_EXTENSION altNameExt;
diff --git a/dlls/crypt32/tests/chain.c b/dlls/crypt32/tests/chain.c
index 5d24ac7..b3fd1c4 100644
--- a/dlls/crypt32/tests/chain.c
+++ b/dlls/crypt32/tests/chain.c
@@ -3790,7 +3790,7 @@ static const ChainPolicyCheck sslPolicyCheck[] = {
static const ChainPolicyCheck ignoredUnknownCAPolicyCheck = {
{ sizeof(chain0) / sizeof(chain0[0]), chain0 },
- { 0, CERT_E_EXPIRED, 0, 0, NULL }, NULL, TODO_ERROR
+ { 0, CERT_E_EXPIRED, 0, 0, NULL }, NULL, 0
};
static const ChainPolicyCheck googlePolicyCheckWithMatchingNameExpired = {
@@ -3798,11 +3798,6 @@ static const ChainPolicyCheck googlePolicyCheckWithMatchingNameExpired = {
{ 0, CERT_E_EXPIRED, 0, 0, NULL}, NULL, 0
};
-static const ChainPolicyCheck googlePolicyCheckWithMatchingNameIgnoringExpired = {
- { sizeof(googleChain) / sizeof(googleChain[0]), googleChain },
- { 0, 0, -1, -1, NULL}, NULL, TODO_ERROR
-};
-
static const ChainPolicyCheck googlePolicyCheckWithMatchingName = {
{ sizeof(googleChain) / sizeof(googleChain[0]), googleChain },
{ 0, 0, -1, -1, NULL}, NULL, 0
@@ -4157,8 +4152,7 @@ static void check_ssl_policy(void)
*/
sslPolicyPara.fdwChecks = SECURITY_FLAG_IGNORE_CERT_DATE_INVALID;
checkChainPolicyStatus(CERT_CHAIN_POLICY_SSL, NULL,
- &googlePolicyCheckWithMatchingNameIgnoringExpired, 0, &oct2007,
- &policyPara);
+ &googlePolicyCheckWithMatchingName, 0, &oct2007, &policyPara);
sslPolicyPara.fdwChecks = 0;
/* And again, but checking the Google chain at a good date */
sslPolicyPara.pwszServerName = google_dot_com;
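Review bot: With the ignore-expired case now expected to pass, nothing visible in this hunk exercises the negative side of the new code: a CERT_CHAIN_POLICY_PARA whose cbSize is below sizeof(CERT_CHAIN_POLICY_PARA), or an HTTPSPolicyCallbackData whose u.cbSize is too small, with fdwChecks still set to SECURITY_FLAG_IGNORE_CERT_DATE_INVALID, should continue to report CERT_E_EXPIRED since the implementation only honours `checks` after its size tests. Unless that is covered elsewhere in check_ssl_policy, a companion checkChainPolicyStatus call against googlePolicyCheckWithMatchingNameExpired using a shortened cbSize would pin it. check_ssl_policy continues outside the hunk.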