crypt32: Honor more SECURITY_FLAG_IGNORE flags when verifying the SSL policy.

d74c4f7c · Juan Lang · Alexandre Julliard · 54429016 · d74c4f7c · d74c4f7c
Commit d74c4f7c authored Sep 29, 2010 by Juan Lang Committed by Alexandre Julliard Sep 30, 2010
Hide whitespace changes
Inline Side-by-side

Showing with 14 additions and 13 deletions

chain.c dlls/crypt32/chain.c +12 -5

chain.c dlls/crypt32/tests/chain.c +2 -8

No files found.
--- a/dlls/crypt32/chain.c
+++ b/dlls/crypt32/chain.c
@@ -3285,6 +3285,13 @@ static BOOL WINAPI verify_ssl_policy(LPCSTR szPolicyOID,
 PCCERT_CHAIN_CONTEXT pChainContext, PCERT_CHAIN_POLICY_PARA pPolicyPara,
 PCERT_CHAIN_POLICY_STATUS pPolicyStatus)
 {
+    HTTPSPolicyCallbackData *sslPara = NULL;
+    DWORD checks = 0;
+
+    if (pPolicyPara)
+        sslPara = pPolicyPara->pvExtraPolicyPara;
+    if (sslPara && sslPara->u.cbSize >= sizeof(HTTPSPolicyCallbackData))
+        checks = sslPara->fdwChecks;
    pPolicyStatus->lChainIndex = pPolicyStatus->lElementIndex = -1;
    if (pChainContext->TrustStatus.dwErrorStatus &
     CERT_TRUST_IS_NOT_SIGNATURE_VALID)
@@ -3295,7 +3302,8 @@ static BOOL WINAPI verify_ssl_policy(LPCSTR szPolicyOID,
         &pPolicyStatus->lElementIndex);
    }
    else if (pChainContext->TrustStatus.dwErrorStatus &
-     CERT_TRUST_IS_UNTRUSTED_ROOT)
+     CERT_TRUST_IS_UNTRUSTED_ROOT &&
+     !(checks & SECURITY_FLAG_IGNORE_UNKNOWN_CA))
    {
        pPolicyStatus->dwError = CERT_E_UNTRUSTEDROOT;
        find_element_with_error(pChainContext,
@@ -3312,7 +3320,8 @@ static BOOL WINAPI verify_ssl_policy(LPCSTR szPolicyOID,
        pPolicyStatus->lElementIndex = -1;
    }
    else if (pChainContext->TrustStatus.dwErrorStatus &
-     CERT_TRUST_IS_NOT_TIME_VALID)
+     CERT_TRUST_IS_NOT_TIME_VALID &&
+     !(checks & SECURITY_FLAG_IGNORE_CERT_DATE_INVALID))
    {
        pPolicyStatus->dwError = CERT_E_EXPIRED;
        find_element_with_error(pChainContext,
@@ -3327,13 +3336,11 @@ static BOOL WINAPI verify_ssl_policy(LPCSTR szPolicyOID,
    if (!pPolicyStatus->dwError && pPolicyPara &&
     pPolicyPara->cbSize >= sizeof(CERT_CHAIN_POLICY_PARA))
    {
-        HTTPSPolicyCallbackData *sslPara = pPolicyPara->pvExtraPolicyPara;
-
        if (sslPara && sslPara->u.cbSize >= sizeof(HTTPSPolicyCallbackData))
        {
            if (sslPara->dwAuthType == AUTHTYPE_SERVER &&
             sslPara->pwszServerName &&
-             !(sslPara->fdwChecks & SECURITY_FLAG_IGNORE_CERT_CN_INVALID))
+             !(checks & SECURITY_FLAG_IGNORE_CERT_CN_INVALID))
            {
                PCCERT_CONTEXT cert;
                PCERT_EXTENSION altNameExt;

--- a/dlls/crypt32/tests/chain.c
+++ b/dlls/crypt32/tests/chain.c
@@ -3790,7 +3790,7 @@ static const ChainPolicyCheck sslPolicyCheck[] = {

 static const ChainPolicyCheck ignoredUnknownCAPolicyCheck = {
 { sizeof(chain0) / sizeof(chain0[0]), chain0 },
- { 0, CERT_E_EXPIRED, 0, 0, NULL }, NULL, TODO_ERROR
+ { 0, CERT_E_EXPIRED, 0, 0, NULL }, NULL, 0
 };

 static const ChainPolicyCheck googlePolicyCheckWithMatchingNameExpired = {
@@ -3798,11 +3798,6 @@ static const ChainPolicyCheck googlePolicyCheckWithMatchingNameExpired = {
 { 0, CERT_E_EXPIRED, 0, 0, NULL}, NULL, 0
 };

-static const ChainPolicyCheck googlePolicyCheckWithMatchingNameIgnoringExpired = {
- { sizeof(googleChain) / sizeof(googleChain[0]), googleChain },
- { 0, 0, -1, -1, NULL}, NULL, TODO_ERROR
-};
-
 static const ChainPolicyCheck googlePolicyCheckWithMatchingName = {
 { sizeof(googleChain) / sizeof(googleChain[0]), googleChain },
 { 0, 0, -1, -1, NULL}, NULL, 0
@@ -4157,8 +4152,7 @@ static void check_ssl_policy(void)
     */
    sslPolicyPara.fdwChecks = SECURITY_FLAG_IGNORE_CERT_DATE_INVALID;
    checkChainPolicyStatus(CERT_CHAIN_POLICY_SSL, NULL,
-     &googlePolicyCheckWithMatchingNameIgnoringExpired, 0, &oct2007,
-     &policyPara);
+     &googlePolicyCheckWithMatchingName, 0, &oct2007, &policyPara);
    sslPolicyPara.fdwChecks = 0;
    /* And again, but checking the Google chain at a good date */
    sslPolicyPara.pwszServerName = google_dot_com;