crypt32: Check revocation failures when verifying the SSL policy.

be3a5e36 · Juan Lang · Alexandre Julliard · da11d66b · be3a5e36
Commit be3a5e36 authored Sep 29, 2010 by Juan Lang Committed by Alexandre Julliard Sep 30, 2010
Show whitespace changes
Inline Side-by-side

Showing with 17 additions and 0 deletions

chain.c dlls/crypt32/chain.c +17 -0

No files found.
--- a/dlls/crypt32/chain.c
+++ b/dlls/crypt32/chain.c
@@ -3337,6 +3337,23 @@ static BOOL WINAPI verify_ssl_policy(LPCSTR szPolicyOID,
         CERT_TRUST_IS_NOT_VALID_FOR_USAGE, &pPolicyStatus->lChainIndex,
         &pPolicyStatus->lElementIndex);
    }
+    else if (pChainContext->TrustStatus.dwErrorStatus &
+     CERT_TRUST_IS_REVOKED && !(checks & SECURITY_FLAG_IGNORE_REVOCATION))
+    {
+        pPolicyStatus->dwError = CERT_E_REVOKED;
+        find_element_with_error(pChainContext,
+         CERT_TRUST_IS_REVOKED, &pPolicyStatus->lChainIndex,
+         &pPolicyStatus->lElementIndex);
+    }
+    else if (pChainContext->TrustStatus.dwErrorStatus &
+     CERT_TRUST_IS_OFFLINE_REVOCATION &&
+     !(checks & SECURITY_FLAG_IGNORE_REVOCATION))
+    {
+        pPolicyStatus->dwError = CERT_E_REVOCATION_FAILURE;
+        find_element_with_error(pChainContext,
+         CERT_TRUST_IS_OFFLINE_REVOCATION, &pPolicyStatus->lChainIndex,
+         &pPolicyStatus->lElementIndex);
+    }
    else
        pPolicyStatus->dwError = NO_ERROR;
    /* We only need bother checking whether the name in the end certificate