wininet: Don't perform revocation checks when verifying a certificate.

Hans Leidekker hans at codeweavers.com
Tue Dec 11 02:45:55 CST 2012


https://testbot.winehq.org/JobDetails.pl?Key=23300 is a test which shows that
revocation checks fail for the certificate on outlook.com when passed straight
to CertVerifyRevocation. The reason is that a CRL link specified in the
certificate does not resolve.

https://testbot.winehq.org/JobDetails.pl?Key=23301 is a test which makes
a secure connection to outlook.com from wininet and shows that this succeeds.

My conclusion is that native wininet doesn't perform revocation checks.

---
 dlls/wininet/netconnection.c |   34 +++-------------------------------
 1 file changed, 3 insertions(+), 31 deletions(-)

diff --git a/dlls/wininet/netconnection.c b/dlls/wininet/netconnection.c
index a792a92..e7a3274 100644
--- a/dlls/wininet/netconnection.c
+++ b/dlls/wininet/netconnection.c
@@ -222,25 +222,19 @@ static DWORD netconn_verify_cert(netconn_t *conn, PCCERT_CONTEXT cert, HCERTSTOR
     PCCERT_CHAIN_CONTEXT chain;
     char oid_server_auth[] = szOID_PKIX_KP_SERVER_AUTH;
     char *server_auth[] = { oid_server_auth };
-    DWORD err = ERROR_SUCCESS, chainFlags = 0, errors;
+    DWORD err = ERROR_SUCCESS, errors;
 
     static const DWORD supportedErrors =
         CERT_TRUST_IS_NOT_TIME_VALID |
         CERT_TRUST_IS_UNTRUSTED_ROOT |
         CERT_TRUST_IS_PARTIAL_CHAIN |
-        CERT_TRUST_IS_OFFLINE_REVOCATION |
-        CERT_TRUST_REVOCATION_STATUS_UNKNOWN |
-        CERT_TRUST_IS_REVOKED |
         CERT_TRUST_IS_NOT_VALID_FOR_USAGE;
 
     TRACE("verifying %s\n", debugstr_w(conn->server->name));
 
     chainPara.RequestedUsage.Usage.cUsageIdentifier = 1;
     chainPara.RequestedUsage.Usage.rgpszUsageIdentifier = server_auth;
-    if (!(conn->security_flags & SECURITY_FLAG_IGNORE_REVOCATION))
-        chainFlags |= CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT;
-
-    if (!(ret = CertGetCertificateChain(NULL, cert, NULL, store, &chainPara, chainFlags, NULL, &chain))) {
+    if (!(ret = CertGetCertificateChain(NULL, cert, NULL, store, &chainPara, 0, NULL, &chain))) {
         TRACE("failed\n");
         return GetLastError();
     }
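Review bot: Passing 0 instead of chainFlags to CertGetCertificateChain on the new line 49 disables revocation processing for every connection, so a certificate the CA has actually revoked (reachable CRL, CERT_TRUST_IS_REVOKED set) is now accepted and SECURITY_FLAG_IGNORE_REVOCATION becomes a no-op that callers can no longer rely on. The testbot results in the description show that a hard failure on an unreachable CRL is wrong; they do not show that a positively revoked certificate should pass, so the narrower fix is to keep CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT when SECURITY_FLAG_IGNORE_REVOCATION is clear, keep CERT_TRUST_IS_REVOKED in supportedErrors with its ERROR_INTERNET_SEC_CERT_REVOKED handling, and treat only CERT_TRUST_IS_OFFLINE_REVOCATION and CERT_TRUST_REVOCATION_STATUS_UNKNOWN as soft failures that are cleared from errors without reporting an error. The same concern applies to the third hunk, which deletes the only visible place that sets _SECURITY_FLAG_CERT_REV_FAILED, so any reader of that flag elsewhere in wininet (outside this diff, inferred) never sees it set. If revocation is intentionally dropped to match native, a comment at the call site such as `/* Native wininet does not check revocation (see tests); revoked certificates are accepted */` would stop the next reader from silently re-adding it. netconn_verify_cert begins before this hunk and continues after it.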
@@ -249,7 +243,7 @@ static DWORD netconn_verify_cert(netconn_t *conn, PCCERT_CONTEXT cert, HCERTSTOR
 
     do {
         /* This seems strange, but that's what tests show */
-        if(errors & (CERT_TRUST_IS_PARTIAL_CHAIN|CERT_TRUST_IS_OFFLINE_REVOCATION)) {
+        if(errors & CERT_TRUST_IS_PARTIAL_CHAIN) {
             WARN("ERROR_INTERNET_SEC_CERT_REV_FAILED\n");
             err = ERROR_INTERNET_SEC_CERT_REV_FAILED;
             if(conn->mask_errors)
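Review bot: The WARN and error code on lines 59-60 still name ERROR_INTERNET_SEC_CERT_REV_FAILED, but with the offline-revocation bit gone the condition on the new line 58 is purely about CERT_TRUST_IS_PARTIAL_CHAIN, which makes the existing `/* This seems strange, but that's what tests show */` comment even less self-explanatory. A comment that names the observed behaviour, e.g. `/* Tests show native maps an incomplete chain to ERROR_INTERNET_SEC_CERT_REV_FAILED rather than a chain error; mirror that */`, would tell the next reader why a partial chain is reported as a revocation failure. The enclosing netconn_verify_cert body continues outside the hunk.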
@@ -300,28 +294,6 @@ static DWORD netconn_verify_cert(netconn_t *conn, PCCERT_CONTEXT cert, HCERTSTOR
             errors &= ~CERT_TRUST_IS_PARTIAL_CHAIN;
         }
 
-        if(errors & (CERT_TRUST_IS_OFFLINE_REVOCATION | CERT_TRUST_REVOCATION_STATUS_UNKNOWN)) {
-            WARN("CERT_TRUST_IS_OFFLINE_REVOCATION | CERT_TRUST_REVOCATION_STATUS_UNKNOWN\n");
-            if(!(conn->security_flags & SECURITY_FLAG_IGNORE_REVOCATION)) {
-                err = conn->mask_errors && err ? ERROR_INTERNET_SEC_CERT_ERRORS : ERROR_INTERNET_SEC_CERT_NO_REV;
-                if(!conn->mask_errors)
-                    break;
-                conn->security_flags |= _SECURITY_FLAG_CERT_REV_FAILED;
-            }
-            errors &= ~(CERT_TRUST_IS_OFFLINE_REVOCATION | CERT_TRUST_REVOCATION_STATUS_UNKNOWN);
-        }
-
-        if(errors & CERT_TRUST_IS_REVOKED) {
-            WARN("CERT_TRUST_IS_REVOKED\n");
-            if(!(conn->security_flags & SECURITY_FLAG_IGNORE_REVOCATION)) {
-                err = conn->mask_errors && err ? ERROR_INTERNET_SEC_CERT_ERRORS : ERROR_INTERNET_SEC_CERT_REVOKED;
-                if(!conn->mask_errors)
-                    break;
-                WARN("TRUST_IS_OFFLINE_REVOCATION | CERT_TRUST_REVOCATION_STATUS_UNKNOWN, unknown error flags\n");
-            }
-            errors &= ~CERT_TRUST_IS_REVOKED;
-        }
-
         if(errors & CERT_TRUST_IS_NOT_VALID_FOR_USAGE) {
             WARN("CERT_TRUST_IS_NOT_VALID_FOR_USAGE\n");
             if(!(conn->security_flags & SECURITY_FLAG_IGNORE_WRONG_USAGE)) {
-- 
1.7.10.4





