Module: wine Branch: master Commit: 3e51313e37b2062dee2b4a5ee06b8d981728ff99 URL: http://source.winehq.org/git/wine.git/?a=commit;h=3e51313e37b2062dee2b4a5ee0...
Author: Juan Lang juan.lang@gmail.com Date: Tue Sep 28 16:14:21 2010 -0700
wininet: Don't make use of OpenSSL's security checks, as crypt32 also verifies certificate chain.
---
dlls/wininet/netconnection.c | 66 +++++++++++++++++++----------------------- 1 files changed, 30 insertions(+), 36 deletions(-)
diff --git a/dlls/wininet/netconnection.c b/dlls/wininet/netconnection.c
index 54ca51b..6edc9ea 100644
--- a/dlls/wininet/netconnection.c
+++ b/dlls/wininet/netconnection.c
@@ -290,55 +290,49 @@ static int netconn_secure_verify(int preverify_ok, X509_STORE_CTX *ctx)
 SSL *ssl;
 WCHAR *server;
 BOOL ret = FALSE;
+ HCERTSTORE store = CertOpenStore(CERT_STORE_PROV_MEMORY, 0, 0,
+ CERT_STORE_CREATE_NEW_FLAG, NULL);
ssl = pX509_STORE_CTX_get_ex_data(ctx, pSSL_get_ex_data_X509_STORE_CTX_idx()); server = pSSL_get_ex_data(ssl, hostname_idx); - if (preverify_ok) + if (store) { - HCERTSTORE store = CertOpenStore(CERT_STORE_PROV_MEMORY, 0, 0, - CERT_STORE_CREATE_NEW_FLAG, NULL); + X509 *cert; + int i; + PCCERT_CONTEXT endCert = NULL;
- if (store)
+ ret = TRUE;
+ for (i = 0; ret && i < psk_num((struct stack_st *)ctx->chain); i++)
 {
- X509 *cert;
- int i;
- PCCERT_CONTEXT endCert = NULL;
+ PCCERT_CONTEXT context;
- ret = TRUE;
- for (i = 0; ret && i < psk_num((struct stack_st *)ctx->chain); i++)
+ cert = (X509 *)psk_value((struct stack_st *)ctx->chain, i);
+ if ((context = X509_to_cert_context(cert)))
 {
- PCCERT_CONTEXT context;
-
- cert = (X509 *)psk_value((struct stack_st *)ctx->chain, i);
- if ((context = X509_to_cert_context(cert)))
- {
- if (i == 0)
- ret = CertAddCertificateContextToStore(store, context,
- CERT_STORE_ADD_ALWAYS, &endCert);
- else
- ret = CertAddCertificateContextToStore(store, context,
- CERT_STORE_ADD_ALWAYS, NULL);
- CertFreeCertificateContext(context);
- }
+ if (i == 0)
+ ret = CertAddCertificateContextToStore(store, context,
+ CERT_STORE_ADD_ALWAYS, &endCert);
+ else
+ ret = CertAddCertificateContextToStore(store, context,
+ CERT_STORE_ADD_ALWAYS, NULL);
+ CertFreeCertificateContext(context);
 }
- if (!endCert) ret = FALSE;
- if (ret)
- {
- DWORD_PTR err = netconn_verify_cert(endCert, store, server);
+ }
+ if (!endCert) ret = FALSE;
+ if (ret)
+ {
+ DWORD_PTR err = netconn_verify_cert(endCert, store, server);
- if (err)
- {
- pSSL_set_ex_data(ssl, error_idx, (void *)err);
- ret = FALSE;
- }
+ if (err)
+ {
+ pSSL_set_ex_data(ssl, error_idx, (void *)err);
+ ret = FALSE;
 }
- CertFreeCertificateContext(endCert);
- CertCloseStore(store, 0);
 }
- } else
- pSSL_set_ex_data(ssl, error_idx, (void *)ERROR_INTERNET_SEC_CERT_ERRORS);
-
+ CertFreeCertificateContext(endCert);
+ CertCloseStore(store, 0);
+ }
 return ret;
 }
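Review bot: With the `else` branch removed, every failure path in the new body that does not reach `netconn_verify_cert` (`CertOpenStore` returning NULL, `X509_to_cert_context` failing for the end certificate, `CertAddCertificateContextToStore` failing) returns FALSE without storing anything under `error_idx`, so the caller presumably sees a rejected handshake with no WinINet error code attached. I would add `if (!ret) pSSL_set_ex_data(ssl, error_idx, (void *)ERROR_INTERNET_SEC_CERT_ERRORS);` right after `if (!endCert) ret = FALSE;`, plus the same call in an `else` for `if (store)`. Because `preverify_ok` is now deliberately unused and crypt32 becomes the only trust decision for the connection, a comment above `if (store)` such as `/* preverify_ok is ignored on purpose: netconn_verify_cert() re-verifies the whole chain with crypt32 */` would stop a later reader from treating the unused parameter as an oversight. The function's opening lines and the code that reads `error_idx` are outside this hunk, so the effect on the caller is inferred.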