[PATCH 2/2] crypt32: also check CERT_CHAIN_POLICY_ALLOW_UNKNOWN_CA_FLAG
Ilia Mirkin
imirkin at alum.mit.edu
Wed Jan 22 09:45:24 CST 2020
It appears that the untrusted root check should be skipped if this flag
is set even if the ExtraPolicyPara one is not set.
Wine-Bug: https://bugs.winehq.org/show_bug.cgi?id=48495
Signed-off-by: Ilia Mirkin <imirkin at alum.mit.edu>
---
dlls/crypt32/chain.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/dlls/crypt32/chain.c b/dlls/crypt32/chain.c
index 396a563c04..935fd6e344 100644
--- a/dlls/crypt32/chain.c
+++ b/dlls/crypt32/chain.c
@@ -3455,10 +3455,13 @@ static BOOL WINAPI verify_ssl_policy(LPCSTR szPolicyOID,
PCERT_CHAIN_POLICY_STATUS pPolicyStatus)
{
HTTPSPolicyCallbackData *sslPara = NULL;
- DWORD checks = 0;
+ DWORD checks = 0, baseChecks = 0;
if (pPolicyPara)
+ {
+ baseChecks = pPolicyPara->dwFlags;
sslPara = pPolicyPara->pvExtraPolicyPara;
+ }
if (TRACE_ON(chain))
dump_ssl_extra_chain_policy_para(sslPara);
if (sslPara && sslPara->u.cbSize >= sizeof(HTTPSPolicyCallbackData))
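Review bot: The name `baseChecks` suggests it holds the same SECURITY_FLAG_* bits as `checks`, but it carries `pPolicyPara->dwFlags`, which belongs to the CERT_CHAIN_POLICY_* flag family. The two families are distinct sets of constants, so a later edit that tests one variable against the other family's constant would compile cleanly and silently skip or wrongly apply a trust check. I would name the variable after its source, e.g. `DWORD checks = 0, policyFlags = 0;` and `policyFlags = pPolicyPara->dwFlags;`. The body of verify_ssl_policy continues outside this hunk.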
@@ -3474,7 +3477,8 @@ static BOOL WINAPI verify_ssl_policy(LPCSTR szPolicyOID,
}
else if (pChainContext->TrustStatus.dwErrorStatus &
CERT_TRUST_IS_UNTRUSTED_ROOT &&
- !(checks & SECURITY_FLAG_IGNORE_UNKNOWN_CA))
+ !(checks & SECURITY_FLAG_IGNORE_UNKNOWN_CA) &&
+ !(baseChecks & CERT_CHAIN_POLICY_ALLOW_UNKNOWN_CA_FLAG))
{
pPolicyStatus->dwError = CERT_E_UNTRUSTEDROOT;
find_element_with_error(pChainContext,
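Review bot: The widened condition on this `else if` relaxes trust, since a chain ending in an untrusted root now passes the SSL policy whenever the caller sets the base flag, and nothing at the branch documents that. A comment above it would help, e.g. `/* CERT_E_UNTRUSTEDROOT is waived by either the SSL extra-policy checks or the base policy dwFlags. */`. The commit message says "It appears" and the diffstat lists only chain.c, so a test that shows an untrusted-root chain failing without the flag and passing with it would pin the intended behaviour; it may exist elsewhere in the series. Only this one `dwFlags` bit is consulted in the visible lines, and the earlier branches of the chain start outside the hunk, so it is worth confirming whether they should honour their corresponding base flags too.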
--
2.24.1