crypt32: Also check CERT_CHAIN_POLICY_ALLOW_UNKNOWN_CA_FLAG.

It appears that the untrusted root check should be skipped if this flag is set even if the ExtraPolicyPara one is not set. Wine-Bug: https://bugs.winehq.org/show_bug.cgi?id=48495Signed-off-by: Ilia Mirkin <imirkin@alum.mit.edu> Signed-off-by: Alexandre Julliard <julliard@winehq.org>

crypt32: Also check CERT_CHAIN_POLICY_ALLOW_UNKNOWN_CA_FLAG.
5011815d · Ilia Mirkin · Alexandre Julliard · cdec2413 · 5011815d
Commit 5011815d authored Jan 23, 2020 by Ilia Mirkin Committed by Alexandre Julliard Feb 06, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 2 deletions

chain.c dlls/crypt32/chain.c +6 -2

No files found.
--- a/dlls/crypt32/chain.c
+++ b/dlls/crypt32/chain.c
@@ -3455,10 +3455,13 @@ static BOOL WINAPI verify_ssl_policy(LPCSTR szPolicyOID,
 PCERT_CHAIN_POLICY_STATUS pPolicyStatus)
 {
    HTTPSPolicyCallbackData *sslPara = NULL;
-    DWORD checks = 0;
+    DWORD checks = 0, baseChecks = 0;

    if (pPolicyPara)
+    {
+        baseChecks = pPolicyPara->dwFlags;
        sslPara = pPolicyPara->pvExtraPolicyPara;
+    }
    if (TRACE_ON(chain))
        dump_ssl_extra_chain_policy_para(sslPara);
    if (sslPara && sslPara->u.cbSize >= sizeof(HTTPSPolicyCallbackData))
@@ -3474,7 +3477,8 @@ static BOOL WINAPI verify_ssl_policy(LPCSTR szPolicyOID,
    }
    else if (pChainContext->TrustStatus.dwErrorStatus &
     CERT_TRUST_IS_UNTRUSTED_ROOT &&
-     !(checks & SECURITY_FLAG_IGNORE_UNKNOWN_CA))
+     !(checks & SECURITY_FLAG_IGNORE_UNKNOWN_CA) &&
+     !(baseChecks & CERT_CHAIN_POLICY_ALLOW_UNKNOWN_CA_FLAG))
    {
        pPolicyStatus->dwError = CERT_E_UNTRUSTEDROOT;
        find_element_with_error(pChainContext,