Ilia Mirkin : crypt32: Also check CERT_CHAIN_POLICY_ALLOW_UNKNOWN_CA_FLAG.
Alexandre Julliard
julliard at winehq.org
Fri Feb 7 15:41:07 CST 2020
Module: wine
Branch: master
Commit: 5011815d6236c14769c28c2391ac9fd2bfd82c7e
URL: https://source.winehq.org/git/wine.git/?a=commit;h=5011815d6236c14769c28c2391ac9fd2bfd82c7e
Author: Ilia Mirkin <imirkin at alum.mit.edu>
Date: Thu Jan 23 20:01:24 2020 -0500
crypt32: Also check CERT_CHAIN_POLICY_ALLOW_UNKNOWN_CA_FLAG.
It appears that the untrusted root check should be skipped if this flag
is set even if the ExtraPolicyPara one is not set.
Wine-Bug: https://bugs.winehq.org/show_bug.cgi?id=48495
Signed-off-by: Ilia Mirkin <imirkin at alum.mit.edu>
Signed-off-by: Alexandre Julliard <julliard at winehq.org>
---
dlls/crypt32/chain.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/dlls/crypt32/chain.c b/dlls/crypt32/chain.c
index 396a563c04..935fd6e344 100644
--- a/dlls/crypt32/chain.c
+++ b/dlls/crypt32/chain.c
@@ -3455,10 +3455,13 @@ static BOOL WINAPI verify_ssl_policy(LPCSTR szPolicyOID,
PCERT_CHAIN_POLICY_STATUS pPolicyStatus)
{
HTTPSPolicyCallbackData *sslPara = NULL;
- DWORD checks = 0;
+ DWORD checks = 0, baseChecks = 0;
if (pPolicyPara)
+ {
+ baseChecks = pPolicyPara->dwFlags;
sslPara = pPolicyPara->pvExtraPolicyPara;
+ }
if (TRACE_ON(chain))
dump_ssl_extra_chain_policy_para(sslPara);
if (sslPara && sslPara->u.cbSize >= sizeof(HTTPSPolicyCallbackData))
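Review bot: the name baseChecks, declared next to checks, hides that the two variables hold flags from different namespaces: baseChecks is loaded from pPolicyPara->dwFlags and is later tested against a CERT_CHAIN_POLICY_* constant, while checks is tested against SECURITY_FLAG_* values. A name such as policyFlags, or a one-line comment at the assignment, would make it harder to test a bit from one set against the other variable by mistake. Also, the TRACE_ON(chain) block that follows still dumps only sslPara; since dwFlags can now change the verdict, tracing it there as well would help when debugging why an untrusted root was accepted.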
@@ -3474,7 +3477,8 @@ static BOOL WINAPI verify_ssl_policy(LPCSTR szPolicyOID,
}
else if (pChainContext->TrustStatus.dwErrorStatus &
CERT_TRUST_IS_UNTRUSTED_ROOT &&
- !(checks & SECURITY_FLAG_IGNORE_UNKNOWN_CA))
+ !(checks & SECURITY_FLAG_IGNORE_UNKNOWN_CA) &&
+ !(baseChecks & CERT_CHAIN_POLICY_ALLOW_UNKNOWN_CA_FLAG))
{
pPolicyStatus->dwError = CERT_E_UNTRUSTEDROOT;
find_element_with_error(pChainContext,
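Review bot: the new term !(baseChecks & CERT_CHAIN_POLICY_ALLOW_UNKNOWN_CA_FLAG) in the CERT_TRUST_IS_UNTRUSTED_ROOT branch relaxes a trust decision, yet the diffstat touches only dlls/crypt32/chain.c and the commit message says only that the behaviour "appears" to be right. A test case that calls the SSL policy with this flag set in dwFlags and a NULL pvExtraPolicyPara against a chain with an untrusted root would pin the expected result, and a short comment on the condition stating that either flag alone suppresses CERT_E_UNTRUSTEDROOT would document the intent. Only this one branch consults dwFlags, so it is worth confirming whether any other dwFlags bits are meant to be honoured by the neighbouring branches of this else-if chain.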