Module: wine Branch: master Commit: d74c4f7c15d5da99d223a49810d6ad7a8b60ae86 URL: http://source.winehq.org/git/wine.git/?a=commit;h=d74c4f7c15d5da99d223a49810...
Author: Juan Lang juan.lang@gmail.com Date: Wed Sep 29 13:42:27 2010 -0700
crypt32: Honor more SECURITY_FLAG_IGNORE flags when verifying the SSL policy.
---
dlls/crypt32/chain.c | 17 ++++++++++++----- dlls/crypt32/tests/chain.c | 10 ++-------- 2 files changed, 14 insertions(+), 13 deletions(-)
diff --git a/dlls/crypt32/chain.c b/dlls/crypt32/chain.c
index 36ed1f3..fe6093d 100644
--- a/dlls/crypt32/chain.c
+++ b/dlls/crypt32/chain.c
@@ -3285,6 +3285,13 @@ static BOOL WINAPI verify_ssl_policy(LPCSTR szPolicyOID,
 PCCERT_CHAIN_CONTEXT pChainContext, PCERT_CHAIN_POLICY_PARA pPolicyPara,
 PCERT_CHAIN_POLICY_STATUS pPolicyStatus)
 {
+ HTTPSPolicyCallbackData *sslPara = NULL;
+ DWORD checks = 0;
+
+ if (pPolicyPara)
+ sslPara = pPolicyPara->pvExtraPolicyPara;
+ if (sslPara && sslPara->u.cbSize >= sizeof(HTTPSPolicyCallbackData))
+ checks = sslPara->fdwChecks;
 pPolicyStatus->lChainIndex = pPolicyStatus->lElementIndex = -1;
 if (pChainContext->TrustStatus.dwErrorStatus &
 CERT_TRUST_IS_NOT_SIGNATURE_VALID)
@@ -3295,7 +3302,8 @@ static BOOL WINAPI verify_ssl_policy(LPCSTR szPolicyOID,
 &pPolicyStatus->lElementIndex);
 }
 else if (pChainContext->TrustStatus.dwErrorStatus &
- CERT_TRUST_IS_UNTRUSTED_ROOT)
+ CERT_TRUST_IS_UNTRUSTED_ROOT &&
+ !(checks & SECURITY_FLAG_IGNORE_UNKNOWN_CA))
 {
 pPolicyStatus->dwError = CERT_E_UNTRUSTEDROOT;
 find_element_with_error(pChainContext,
@@ -3312,7 +3320,8 @@ static BOOL WINAPI verify_ssl_policy(LPCSTR szPolicyOID,
 pPolicyStatus->lElementIndex = -1;
 }
 else if (pChainContext->TrustStatus.dwErrorStatus &
- CERT_TRUST_IS_NOT_TIME_VALID)
+ CERT_TRUST_IS_NOT_TIME_VALID &&
+ !(checks & SECURITY_FLAG_IGNORE_CERT_DATE_INVALID))
 {
 pPolicyStatus->dwError = CERT_E_EXPIRED;
 find_element_with_error(pChainContext,
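Review bot: The new read of `pPolicyPara->pvExtraPolicyPara` at the top of verify_ssl_policy is guarded only by `if (pPolicyPara)`, whereas the line it replaces (removed in the fourth hunk) only dereferenced that field inside the existing `pPolicyPara->cbSize >= sizeof(CERT_CHAIN_POLICY_PARA)` test. Because this function already treats CERT_CHAIN_POLICY_PARA as size-versioned via cbSize, a caller handing in a shorter structure would now have its memory read past the end before any size check runs, and the resulting fdwChecks value would relax the policy. Guard the new assignment the same way as the old one: `if (pPolicyPara && pPolicyPara->cbSize >= sizeof(CERT_CHAIN_POLICY_PARA))`. verify_ssl_policy continues beyond this hunk.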
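Review bot: The new condition `pChainContext->TrustStatus.dwErrorStatus & CERT_TRUST_IS_UNTRUSTED_ROOT && !(checks & SECURITY_FLAG_IGNORE_UNKNOWN_CA)` depends on `&` binding tighter than `&&`, which is correct but easy to misread beside the parenthesised `!(checks & …)` operand; the third hunk repeats the shape for CERT_TRUST_IS_NOT_TIME_VALID. Parenthesising the status test, `(pChainContext->TrustStatus.dwErrorStatus & CERT_TRUST_IS_UNTRUSTED_ROOT) &&`, makes the grouping explicit. Since these are branches of one else-if chain, an ignored error silently lets evaluation move on to the next branch; a one-line comment above the chain such as `/* each SECURITY_FLAG_IGNORE_* flag suppresses only its own error; the remaining checks still run */` would document that for the next reader. The chain starts and ends outside this hunk.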
@@ -3327,13 +3336,11 @@ static BOOL WINAPI verify_ssl_policy(LPCSTR szPolicyOID,
 if (!pPolicyStatus->dwError && pPolicyPara &&
 pPolicyPara->cbSize >= sizeof(CERT_CHAIN_POLICY_PARA))
 {
- HTTPSPolicyCallbackData *sslPara = pPolicyPara->pvExtraPolicyPara;
-
 if (sslPara && sslPara->u.cbSize >= sizeof(HTTPSPolicyCallbackData))
 {
 if (sslPara->dwAuthType == AUTHTYPE_SERVER &&
 sslPara->pwszServerName &&
- !(sslPara->fdwChecks & SECURITY_FLAG_IGNORE_CERT_CN_INVALID))
+ !(checks & SECURITY_FLAG_IGNORE_CERT_CN_INVALID))
 {
 PCCERT_CONTEXT cert;
 PCERT_EXTENSION altNameExt;
diff --git a/dlls/crypt32/tests/chain.c b/dlls/crypt32/tests/chain.c
index 5d24ac7..b3fd1c4 100644
--- a/dlls/crypt32/tests/chain.c
+++ b/dlls/crypt32/tests/chain.c
@@ -3790,7 +3790,7 @@ static const ChainPolicyCheck sslPolicyCheck[] = {
static const ChainPolicyCheck ignoredUnknownCAPolicyCheck = {
 { sizeof(chain0) / sizeof(chain0[0]), chain0 },
- { 0, CERT_E_EXPIRED, 0, 0, NULL }, NULL, TODO_ERROR
+ { 0, CERT_E_EXPIRED, 0, 0, NULL }, NULL, 0
 };
static const ChainPolicyCheck googlePolicyCheckWithMatchingNameExpired = {
@@ -3798,11 +3798,6 @@ static const ChainPolicyCheck googlePolicyCheckWithMatchingNameExpired = {
 { 0, CERT_E_EXPIRED, 0, 0, NULL}, NULL, 0
 };
-static const ChainPolicyCheck googlePolicyCheckWithMatchingNameIgnoringExpired = {
- { sizeof(googleChain) / sizeof(googleChain[0]), googleChain },
- { 0, 0, -1, -1, NULL}, NULL, TODO_ERROR
-};
-
 static const ChainPolicyCheck googlePolicyCheckWithMatchingName = {
 { sizeof(googleChain) / sizeof(googleChain[0]), googleChain },
 { 0, 0, -1, -1, NULL}, NULL, 0
@@ -4157,8 +4152,7 @@ static void check_ssl_policy(void)
 */
 sslPolicyPara.fdwChecks = SECURITY_FLAG_IGNORE_CERT_DATE_INVALID;
 checkChainPolicyStatus(CERT_CHAIN_POLICY_SSL, NULL,
- &googlePolicyCheckWithMatchingNameIgnoringExpired, 0, &oct2007,
- &policyPara);
+ &googlePolicyCheckWithMatchingName, 0, &oct2007, &policyPara);
 sslPolicyPara.fdwChecks = 0;
 /* And again, but checking the Google chain at a good date */
 sslPolicyPara.pwszServerName = google_dot_com;
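Review bot: The updated call exercises SECURITY_FLAG_IGNORE_CERT_DATE_INVALID only on its own, so nothing here pins how the newly honored flags combine; in verify_ssl_policy the untrusted-root and time-validity tests are consecutive else-if branches, so ignoring one hands control to the next. A chain that has both problems (chain0 appears to, since ignoredUnknownCAPolicyCheck in the earlier hunk expects CERT_E_EXPIRED once the unknown CA is ignored) checked with `sslPolicyPara.fdwChecks = SECURITY_FLAG_IGNORE_UNKNOWN_CA | SECURITY_FLAG_IGNORE_CERT_DATE_INVALID;` and an expectation of no error would confirm that both flags are applied together rather than the second error surfacing. A companion case passing a CERT_CHAIN_POLICY_PARA with an undersized cbSize would likewise pin that fdwChecks is ignored in that situation. check_ssl_policy extends beyond this hunk.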