From 18e46df9d1097983b7f769c3d49c70207e33f9ac Mon Sep 17 00:00:00 2001 From: Zebediah Figura Date: Thu, 15 Jul 2021 11:25:20 -0500 Subject: [PATCH] cryptnet: Set dwIndex in CertDllVerifyRevocation(). Signed-off-by: Zebediah Figura Signed-off-by: Alexandre Julliard --- dlls/cryptnet/cryptnet_main.c | 114 +++++++++++++--------------------- 1 file changed, 42 insertions(+), 72 deletions(-) diff --git a/dlls/cryptnet/cryptnet_main.c b/dlls/cryptnet/cryptnet_main.c index f667c655e46..06c468bd655 100644 --- a/dlls/cryptnet/cryptnet_main.c +++ b/dlls/cryptnet/cryptnet_main.c @@ -1514,33 +1514,22 @@ BOOL WINAPI CryptRetrieveObjectByUrlW(LPCWSTR pszURL, LPCSTR pszObjectOid, return ret; } -static DWORD verify_cert_revocation_with_crl_online(PCCERT_CONTEXT cert, - PCCRL_CONTEXT crl, DWORD index, FILETIME *pTime, - PCERT_REVOCATION_STATUS pRevStatus) +static DWORD verify_cert_revocation_with_crl_online(const CERT_CONTEXT *cert, + const CRL_CONTEXT *crl, FILETIME *pTime, CERT_REVOCATION_STATUS *pRevStatus) { - DWORD error; PCRL_ENTRY entry = NULL; CertFindCertificateInCRL(cert, crl, 0, NULL, &entry); if (entry) - { - error = CRYPT_E_REVOKED; - pRevStatus->dwIndex = index; - } - else - { - /* Since the CRL was retrieved for the cert being checked, then it's - * guaranteed to be fresh, and the cert is not revoked. - */ - error = ERROR_SUCCESS; - } - return error; + return CRYPT_E_REVOKED; + + /* Since the CRL was retrieved for the cert being checked, then it's + * guaranteed to be fresh, and the cert is not revoked. */ + return ERROR_SUCCESS; } -static DWORD verify_cert_revocation_from_dist_points_ext( - const CRYPT_DATA_BLOB *value, PCCERT_CONTEXT cert, DWORD index, - FILETIME *pTime, DWORD dwFlags, const CERT_REVOCATION_PARA *pRevPara, - PCERT_REVOCATION_STATUS pRevStatus) +static DWORD verify_cert_revocation_from_dist_points_ext(const CRYPT_DATA_BLOB *value, const CERT_CONTEXT *cert, + FILETIME *pTime, DWORD dwFlags, const CERT_REVOCATION_PARA *pRevPara, CERT_REVOCATION_STATUS *pRevStatus) { DWORD error = ERROR_SUCCESS, cbUrlArray; @@ -1578,17 +1567,13 @@ static DWORD verify_cert_revocation_from_dist_points_ext( NULL, NULL, NULL, NULL); if (ret) { - error = verify_cert_revocation_with_crl_online(cert, crl, - index, pTime, pRevStatus); + error = verify_cert_revocation_with_crl_online(cert, crl, pTime, pRevStatus); if (!error && timeout) { DWORD time = GetTickCount(); if ((int)(endTime - time) <= 0) - { error = ERROR_TIMEOUT; - pRevStatus->dwIndex = index; - } else timeout = endTime - time; } @@ -1600,23 +1585,15 @@ static DWORD verify_cert_revocation_from_dist_points_ext( CryptMemFree(urlArray); } else - { error = ERROR_OUTOFMEMORY; - pRevStatus->dwIndex = index; - } } else - { error = GetLastError(); - pRevStatus->dwIndex = index; - } return error; } -static DWORD verify_cert_revocation_from_aia_ext( - const CRYPT_DATA_BLOB *value, PCCERT_CONTEXT cert, DWORD index, - FILETIME *pTime, DWORD dwFlags, PCERT_REVOCATION_PARA pRevPara, - PCERT_REVOCATION_STATUS pRevStatus) +static DWORD verify_cert_revocation_from_aia_ext(const CRYPT_DATA_BLOB *value, const CERT_CONTEXT *cert, + FILETIME *pTime, DWORD dwFlags, CERT_REVOCATION_PARA *pRevPara, CERT_REVOCATION_STATUS *pRevStatus) { BOOL ret; DWORD error, size; @@ -1650,10 +1627,9 @@ static DWORD verify_cert_revocation_from_aia_ext( } static DWORD verify_cert_revocation_with_crl_offline(PCCERT_CONTEXT cert, - PCCRL_CONTEXT crl, DWORD index, FILETIME *pTime, - PCERT_REVOCATION_STATUS pRevStatus) + const CRL_CONTEXT *crl, FILETIME *pTime, CERT_REVOCATION_STATUS *pRevStatus) { - DWORD error; + PCRL_ENTRY entry = NULL; LONG valid; valid = CompareFileTime(pTime, &crl->pCrlInfo->ThisUpdate); @@ -1663,46 +1639,38 @@ static DWORD verify_cert_revocation_with_crl_offline(PCCERT_CONTEXT cert, * way to know whether the certificate was revoked. */ TRACE("CRL not old enough\n"); - error = CRYPT_E_REVOCATION_OFFLINE; + return CRYPT_E_REVOCATION_OFFLINE; } - else - { - PCRL_ENTRY entry = NULL; - CertFindCertificateInCRL(cert, crl, 0, NULL, &entry); - if (entry) - { - error = CRYPT_E_REVOKED; - pRevStatus->dwIndex = index; - } - else - { - /* Since the CRL was not retrieved for the cert being checked, - * there's no guarantee it's fresh, so the cert *might* be okay, - * but it's safer not to guess. - */ - TRACE("certificate not found\n"); - error = CRYPT_E_REVOCATION_OFFLINE; - } - } - return error; + CertFindCertificateInCRL(cert, crl, 0, NULL, &entry); + if (entry) + return CRYPT_E_REVOKED; + + /* Since the CRL was not retrieved for the cert being checked, there's no + * guarantee it's fresh, so the cert *might* be okay, but it's safer not to + * guess. */ + TRACE("certificate not found\n"); + return CRYPT_E_REVOCATION_OFFLINE; } -static DWORD verify_cert_revocation(PCCERT_CONTEXT cert, DWORD index, - FILETIME *pTime, DWORD dwFlags, PCERT_REVOCATION_PARA pRevPara, - PCERT_REVOCATION_STATUS pRevStatus) +static DWORD verify_cert_revocation(const CERT_CONTEXT *cert, FILETIME *pTime, + DWORD dwFlags, CERT_REVOCATION_PARA *pRevPara, CERT_REVOCATION_STATUS *pRevStatus) { DWORD error = ERROR_SUCCESS; PCERT_EXTENSION ext; if ((ext = CertFindExtension(szOID_CRL_DIST_POINTS, cert->pCertInfo->cExtension, cert->pCertInfo->rgExtension))) + { error = verify_cert_revocation_from_dist_points_ext(&ext->Value, cert, - index, pTime, dwFlags, pRevPara, pRevStatus); + pTime, dwFlags, pRevPara, pRevStatus); + } else if ((ext = CertFindExtension(szOID_AUTHORITY_INFO_ACCESS, cert->pCertInfo->cExtension, cert->pCertInfo->rgExtension))) - error = verify_cert_revocation_from_aia_ext(&ext->Value, cert, - index, pTime, dwFlags, pRevPara, pRevStatus); + { + error = verify_cert_revocation_from_aia_ext(&ext->Value, cert, pTime, + dwFlags, pRevPara, pRevStatus); + } else { if (pRevPara && pRevPara->hCrlStore && pRevPara->pIssuerCert) @@ -1753,15 +1721,13 @@ static DWORD verify_cert_revocation(PCCERT_CONTEXT cert, DWORD index, } if (crl) { - error = verify_cert_revocation_with_crl_offline(cert, crl, - index, pTime, pRevStatus); + error = verify_cert_revocation_with_crl_offline(cert, crl, pTime, pRevStatus); CertFreeCRLContext(crl); } else { TRACE("no CRL found\n"); error = CRYPT_E_NO_REVOCATION_CHECK; - pRevStatus->dwIndex = index; } } else @@ -1773,7 +1739,6 @@ static DWORD verify_cert_revocation(PCCERT_CONTEXT cert, DWORD index, else if (!pRevPara->pIssuerCert) WARN("no dist points/aia extension and no issuer\n"); error = CRYPT_E_NO_REVOCATION_CHECK; - pRevStatus->dwIndex = index; } } return error; @@ -1833,9 +1798,14 @@ BOOL WINAPI CertDllVerifyRevocation(DWORD dwEncodingType, DWORD dwRevType, error = CRYPT_E_NO_REVOCATION_CHECK; else { - for (i = 0; !error && i < cContext; i++) - error = verify_cert_revocation(rgpvContext[i], i, pTime, dwFlags, - pRevPara, pRevStatus); + for (i = 0; i < cContext; i++) + { + if ((error = verify_cert_revocation(rgpvContext[i], pTime, dwFlags, pRevPara, pRevStatus))) + { + pRevStatus->dwIndex = i; + break; + } + } } if (error) {