mirror of
https://github.com/reactos/wine.git
synced 2024-11-25 12:49:45 +00:00
crypt32: Honor more SECURITY_FLAG_IGNORE flags when verifying the SSL policy.
This commit is contained in:
parent
54429016eb
commit
d74c4f7c15
@ -3285,6 +3285,13 @@ static BOOL WINAPI verify_ssl_policy(LPCSTR szPolicyOID,
|
||||
PCCERT_CHAIN_CONTEXT pChainContext, PCERT_CHAIN_POLICY_PARA pPolicyPara,
|
||||
PCERT_CHAIN_POLICY_STATUS pPolicyStatus)
|
||||
{
|
||||
HTTPSPolicyCallbackData *sslPara = NULL;
|
||||
DWORD checks = 0;
|
||||
|
||||
if (pPolicyPara)
|
||||
sslPara = pPolicyPara->pvExtraPolicyPara;
|
||||
if (sslPara && sslPara->u.cbSize >= sizeof(HTTPSPolicyCallbackData))
|
||||
checks = sslPara->fdwChecks;
|
||||
pPolicyStatus->lChainIndex = pPolicyStatus->lElementIndex = -1;
|
||||
if (pChainContext->TrustStatus.dwErrorStatus &
|
||||
CERT_TRUST_IS_NOT_SIGNATURE_VALID)
|
||||
@ -3295,7 +3302,8 @@ static BOOL WINAPI verify_ssl_policy(LPCSTR szPolicyOID,
|
||||
&pPolicyStatus->lElementIndex);
|
||||
}
|
||||
else if (pChainContext->TrustStatus.dwErrorStatus &
|
||||
CERT_TRUST_IS_UNTRUSTED_ROOT)
|
||||
CERT_TRUST_IS_UNTRUSTED_ROOT &&
|
||||
!(checks & SECURITY_FLAG_IGNORE_UNKNOWN_CA))
|
||||
{
|
||||
pPolicyStatus->dwError = CERT_E_UNTRUSTEDROOT;
|
||||
find_element_with_error(pChainContext,
|
||||
@ -3312,7 +3320,8 @@ static BOOL WINAPI verify_ssl_policy(LPCSTR szPolicyOID,
|
||||
pPolicyStatus->lElementIndex = -1;
|
||||
}
|
||||
else if (pChainContext->TrustStatus.dwErrorStatus &
|
||||
CERT_TRUST_IS_NOT_TIME_VALID)
|
||||
CERT_TRUST_IS_NOT_TIME_VALID &&
|
||||
!(checks & SECURITY_FLAG_IGNORE_CERT_DATE_INVALID))
|
||||
{
|
||||
pPolicyStatus->dwError = CERT_E_EXPIRED;
|
||||
find_element_with_error(pChainContext,
|
||||
@ -3327,13 +3336,11 @@ static BOOL WINAPI verify_ssl_policy(LPCSTR szPolicyOID,
|
||||
if (!pPolicyStatus->dwError && pPolicyPara &&
|
||||
pPolicyPara->cbSize >= sizeof(CERT_CHAIN_POLICY_PARA))
|
||||
{
|
||||
HTTPSPolicyCallbackData *sslPara = pPolicyPara->pvExtraPolicyPara;
|
||||
|
||||
if (sslPara && sslPara->u.cbSize >= sizeof(HTTPSPolicyCallbackData))
|
||||
{
|
||||
if (sslPara->dwAuthType == AUTHTYPE_SERVER &&
|
||||
sslPara->pwszServerName &&
|
||||
!(sslPara->fdwChecks & SECURITY_FLAG_IGNORE_CERT_CN_INVALID))
|
||||
!(checks & SECURITY_FLAG_IGNORE_CERT_CN_INVALID))
|
||||
{
|
||||
PCCERT_CONTEXT cert;
|
||||
PCERT_EXTENSION altNameExt;
|
||||
|
@ -3790,7 +3790,7 @@ static const ChainPolicyCheck sslPolicyCheck[] = {
|
||||
|
||||
static const ChainPolicyCheck ignoredUnknownCAPolicyCheck = {
|
||||
{ sizeof(chain0) / sizeof(chain0[0]), chain0 },
|
||||
{ 0, CERT_E_EXPIRED, 0, 0, NULL }, NULL, TODO_ERROR
|
||||
{ 0, CERT_E_EXPIRED, 0, 0, NULL }, NULL, 0
|
||||
};
|
||||
|
||||
static const ChainPolicyCheck googlePolicyCheckWithMatchingNameExpired = {
|
||||
@ -3798,11 +3798,6 @@ static const ChainPolicyCheck googlePolicyCheckWithMatchingNameExpired = {
|
||||
{ 0, CERT_E_EXPIRED, 0, 0, NULL}, NULL, 0
|
||||
};
|
||||
|
||||
static const ChainPolicyCheck googlePolicyCheckWithMatchingNameIgnoringExpired = {
|
||||
{ sizeof(googleChain) / sizeof(googleChain[0]), googleChain },
|
||||
{ 0, 0, -1, -1, NULL}, NULL, TODO_ERROR
|
||||
};
|
||||
|
||||
static const ChainPolicyCheck googlePolicyCheckWithMatchingName = {
|
||||
{ sizeof(googleChain) / sizeof(googleChain[0]), googleChain },
|
||||
{ 0, 0, -1, -1, NULL}, NULL, 0
|
||||
@ -4157,8 +4152,7 @@ static void check_ssl_policy(void)
|
||||
*/
|
||||
sslPolicyPara.fdwChecks = SECURITY_FLAG_IGNORE_CERT_DATE_INVALID;
|
||||
checkChainPolicyStatus(CERT_CHAIN_POLICY_SSL, NULL,
|
||||
&googlePolicyCheckWithMatchingNameIgnoringExpired, 0, &oct2007,
|
||||
&policyPara);
|
||||
&googlePolicyCheckWithMatchingName, 0, &oct2007, &policyPara);
|
||||
sslPolicyPara.fdwChecks = 0;
|
||||
/* And again, but checking the Google chain at a good date */
|
||||
sslPolicyPara.pwszServerName = google_dot_com;
|
||||
|
Loading…
Reference in New Issue
Block a user