wininet: Don't make use of OpenSSL's security checks, as crypt32 also verifies certificate chain.

2010-09-28 16:14:21 -07:00 · 2010-09-28 16:14:21 -07:00 · 3e51313e37
parent 9387810dab
commit 3e51313e37
1 changed files with 31 additions and 37 deletions
--- a/dlls/wininet/netconnection.c
+++ b/dlls/wininet/netconnection.c
@ -290,55 +290,49 @@ static int netconn_secure_verify(int preverify_ok, X509_STORE_CTX *ctx)
    SSL *ssl;
    WCHAR *server;
    BOOL ret = FALSE;
+    HCERTSTORE store = CertOpenStore(CERT_STORE_PROV_MEMORY, 0, 0,
+        CERT_STORE_CREATE_NEW_FLAG, NULL);

    ssl = pX509_STORE_CTX_get_ex_data(ctx,
        pSSL_get_ex_data_X509_STORE_CTX_idx());
    server = pSSL_get_ex_data(ssl, hostname_idx);
-    if (preverify_ok)
+    if (store)
    {
-        HCERTSTORE store = CertOpenStore(CERT_STORE_PROV_MEMORY, 0, 0,
-            CERT_STORE_CREATE_NEW_FLAG, NULL);
+        X509 *cert;
+        int i;
+        PCCERT_CONTEXT endCert = NULL;

-        if (store)
+        ret = TRUE;
+        for (i = 0; ret && i < psk_num((struct stack_st *)ctx->chain); i++)
        {
-            X509 *cert;
-            int i;
-            PCCERT_CONTEXT endCert = NULL;
+            PCCERT_CONTEXT context;

-            ret = TRUE;
-            for (i = 0; ret && i < psk_num((struct stack_st *)ctx->chain); i++)
+            cert = (X509 *)psk_value((struct stack_st *)ctx->chain, i);
+            if ((context = X509_to_cert_context(cert)))
            {
-                PCCERT_CONTEXT context;
-
-                cert = (X509 *)psk_value((struct stack_st *)ctx->chain, i);
-                if ((context = X509_to_cert_context(cert)))
-                {
-                    if (i == 0)
-                        ret = CertAddCertificateContextToStore(store, context,
-                            CERT_STORE_ADD_ALWAYS, &endCert);
-                    else
-                        ret = CertAddCertificateContextToStore(store, context,
-                            CERT_STORE_ADD_ALWAYS, NULL);
-                    CertFreeCertificateContext(context);
-                }
+                if (i == 0)
+                    ret = CertAddCertificateContextToStore(store, context,
+                        CERT_STORE_ADD_ALWAYS, &endCert);
+                else
+                    ret = CertAddCertificateContextToStore(store, context,
+                        CERT_STORE_ADD_ALWAYS, NULL);
+                CertFreeCertificateContext(context);
            }
-            if (!endCert) ret = FALSE;
-            if (ret)
-            {
-                DWORD_PTR err = netconn_verify_cert(endCert, store, server);
-
-                if (err)
-                {
-                    pSSL_set_ex_data(ssl, error_idx, (void *)err);
-                    ret = FALSE;
-                }
-            }
-            CertFreeCertificateContext(endCert);
-            CertCloseStore(store, 0);
        }
-    } else
-        pSSL_set_ex_data(ssl, error_idx, (void *)ERROR_INTERNET_SEC_CERT_ERRORS);
+        if (!endCert) ret = FALSE;
+        if (ret)
+        {
+            DWORD_PTR err = netconn_verify_cert(endCert, store, server);

+            if (err)
+            {
+                pSSL_set_ex_data(ssl, error_idx, (void *)err);
+                ret = FALSE;
+            }
+        }
+        CertFreeCertificateContext(endCert);
+        CertCloseStore(store, 0);
+    }
    return ret;
 }