Module: wine Branch: master Commit: ee2e9cc339784a9dfbed920cb692b811f7faad9b URL: http://source.winehq.org/git/wine.git/?a=commit;h=ee2e9cc339784a9dfbed920cb6...
Author: Juan Lang juan.lang@gmail.com Date: Wed Sep 29 08:24:07 2010 -0700
winhttp: Verify SSL policy of chains whose errors were ignored.
---
dlls/winhttp/net.c | 11 +++++++++-- 1 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/dlls/winhttp/net.c b/dlls/winhttp/net.c
index 398c0b7..4812979 100644
--- a/dlls/winhttp/net.c
+++ b/dlls/winhttp/net.c
@@ -308,12 +308,19 @@ static DWORD netconn_verify_cert( PCCERT_CONTEXT cert, HCERTSTORE store,
 else if (chain->TrustStatus.dwErrorStatus & ~supportedErrors)
 err = ERROR_WINHTTP_SECURE_INVALID_CERT;
 }
- else
+ if (!err)
 {
 CERT_CHAIN_POLICY_PARA policyPara;
 SSL_EXTRA_CERT_CHAIN_POLICY_PARA sslExtraPolicyPara;
 CERT_CHAIN_POLICY_STATUS policyStatus;
+ CERT_CHAIN_CONTEXT chainCopy;
+ /* Clear chain->TrustStatus.dwErrorStatus so
+ * CertVerifyCertificateChainPolicy will verify additional checks
+ * rather than stopping with an existing, ignored error.
+ */
+ memcpy(&chainCopy, chain, sizeof(chainCopy));
+ chainCopy.TrustStatus.dwErrorStatus = 0;
 sslExtraPolicyPara.u.cbSize = sizeof(sslExtraPolicyPara);
 sslExtraPolicyPara.dwAuthType = AUTHTYPE_SERVER;
 sslExtraPolicyPara.pwszServerName = server;
@@ -321,7 +328,7 @@ static DWORD netconn_verify_cert( PCCERT_CONTEXT cert, HCERTSTORE store,
 policyPara.dwFlags = 0;
 policyPara.pvExtraPolicyPara = &sslExtraPolicyPara;
 ret = CertVerifyCertificateChainPolicy( CERT_CHAIN_POLICY_SSL,
- chain, &policyPara,
+ &chainCopy, &policyPara,
 &policyStatus );
 /* Any error in the policy status indicates that the
 * policy couldn't be verified.
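Review bot: Setting `chainCopy.TrustStatus.dwErrorStatus = 0` in the new `if (!err)` block discards every chain error bit, not only the ones the caller asked to ignore. The visible `else if (chain->TrustStatus.dwErrorStatus & ~supportedErrors)` is the tail of a series of checks that starts outside the hunk; if those are mutually exclusive `else if` branches, a chain with two error bits set, of which only the first is ignored, reaches this block with `err == 0` and the second bit is then hidden from the SSL policy check as well. I would have the earlier branches record the bits they actually waived and clear only those, e.g. `chainCopy.TrustStatus.dwErrorStatus &= ~ignoredErrors;` (`ignoredErrors` being a new local, not an existing name), so that any remaining bit still fails the policy. The copy is shallow, so the per-chain and per-element status values it points to keep their original bits; the comment should say that only the top-level status is reset, and `chainCopy = *chain;` would read more plainly than the `memcpy`.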