ReceiveTempSMS/Sweden-Number
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

wininet: Don't perform revocation checks when verifying a certificate.

Browse Source
This commit is contained in:
Hans Leidekker 2012-12-11 09:45:55 +01:00 committed by Alexandre Julliard
parent 441780b2f1
commit 59247cf9db
1 changed files with 3 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
dlls/wininet/netconnection.c
View File

@ -222,25 +222,19 @@ static DWORD netconn_verify_cert(netconn_t *conn, PCCERT_CONTEXT cert, HCERTSTOR
PCCERT_CHAIN_CONTEXT chain; PCCERT_CHAIN_CONTEXT chain;
char oid_server_auth[] = szOID_PKIX_KP_SERVER_AUTH; char oid_server_auth[] = szOID_PKIX_KP_SERVER_AUTH;
char *server_auth[] = { oid_server_auth }; char *server_auth[] = { oid_server_auth };
DWORD err = ERROR_SUCCESS, chainFlags = 0, errors; DWORD err = ERROR_SUCCESS, errors;
static const DWORD supportedErrors = static const DWORD supportedErrors =
CERT_TRUST_IS_NOT_TIME_VALID | CERT_TRUST_IS_NOT_TIME_VALID |
CERT_TRUST_IS_UNTRUSTED_ROOT | CERT_TRUST_IS_UNTRUSTED_ROOT |
CERT_TRUST_IS_PARTIAL_CHAIN | CERT_TRUST_IS_PARTIAL_CHAIN |
CERT_TRUST_IS_OFFLINE_REVOCATION |
CERT_TRUST_REVOCATION_STATUS_UNKNOWN |
CERT_TRUST_IS_REVOKED |
CERT_TRUST_IS_NOT_VALID_FOR_USAGE; CERT_TRUST_IS_NOT_VALID_FOR_USAGE;
TRACE("verifying %s\n", debugstr_w(conn->server->name)); TRACE("verifying %s\n", debugstr_w(conn->server->name));
chainPara.RequestedUsage.Usage.cUsageIdentifier = 1; chainPara.RequestedUsage.Usage.cUsageIdentifier = 1;
chainPara.RequestedUsage.Usage.rgpszUsageIdentifier = server_auth; chainPara.RequestedUsage.Usage.rgpszUsageIdentifier = server_auth;
if (!(conn->security_flags & SECURITY_FLAG_IGNORE_REVOCATION)) if (!(ret = CertGetCertificateChain(NULL, cert, NULL, store, &chainPara, 0, NULL, &chain))) {
chainFlags |= CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT;
if (!(ret = CertGetCertificateChain(NULL, cert, NULL, store, &chainPara, chainFlags, NULL, &chain))) {
TRACE("failed\n"); TRACE("failed\n");
return GetLastError(); return GetLastError();
} }
@ -249,7 +243,7 @@ static DWORD netconn_verify_cert(netconn_t *conn, PCCERT_CONTEXT cert, HCERTSTOR
do { do {
/* This seems strange, but that's what tests show */ /* This seems strange, but that's what tests show */
if(errors & (CERT_TRUST_IS_PARTIAL_CHAIN|CERT_TRUST_IS_OFFLINE_REVOCATION)) { if(errors & CERT_TRUST_IS_PARTIAL_CHAIN) {
WARN("ERROR_INTERNET_SEC_CERT_REV_FAILED\n"); WARN("ERROR_INTERNET_SEC_CERT_REV_FAILED\n");
err = ERROR_INTERNET_SEC_CERT_REV_FAILED; err = ERROR_INTERNET_SEC_CERT_REV_FAILED;
if(conn->mask_errors) if(conn->mask_errors)
@ -300,28 +294,6 @@ static DWORD netconn_verify_cert(netconn_t *conn, PCCERT_CONTEXT cert, HCERTSTOR
errors &= ~CERT_TRUST_IS_PARTIAL_CHAIN; errors &= ~CERT_TRUST_IS_PARTIAL_CHAIN;
} }
if(errors & (CERT_TRUST_IS_OFFLINE_REVOCATION | CERT_TRUST_REVOCATION_STATUS_UNKNOWN)) {
WARN("CERT_TRUST_IS_OFFLINE_REVOCATION | CERT_TRUST_REVOCATION_STATUS_UNKNOWN\n");
if(!(conn->security_flags & SECURITY_FLAG_IGNORE_REVOCATION)) {
err = conn->mask_errors && err ? ERROR_INTERNET_SEC_CERT_ERRORS : ERROR_INTERNET_SEC_CERT_NO_REV;
if(!conn->mask_errors)
break;
conn->security_flags |= _SECURITY_FLAG_CERT_REV_FAILED;
}
errors &= ~(CERT_TRUST_IS_OFFLINE_REVOCATION | CERT_TRUST_REVOCATION_STATUS_UNKNOWN);
}
if(errors & CERT_TRUST_IS_REVOKED) {
WARN("CERT_TRUST_IS_REVOKED\n");
if(!(conn->security_flags & SECURITY_FLAG_IGNORE_REVOCATION)) {
err = conn->mask_errors && err ? ERROR_INTERNET_SEC_CERT_ERRORS : ERROR_INTERNET_SEC_CERT_REVOKED;
if(!conn->mask_errors)
break;
WARN("TRUST_IS_OFFLINE_REVOCATION | CERT_TRUST_REVOCATION_STATUS_UNKNOWN, unknown error flags\n");
}
errors &= ~CERT_TRUST_IS_REVOKED;
}
if(errors & CERT_TRUST_IS_NOT_VALID_FOR_USAGE) { if(errors & CERT_TRUST_IS_NOT_VALID_FOR_USAGE) {
WARN("CERT_TRUST_IS_NOT_VALID_FOR_USAGE\n"); WARN("CERT_TRUST_IS_NOT_VALID_FOR_USAGE\n");
if(!(conn->security_flags & SECURITY_FLAG_IGNORE_WRONG_USAGE)) { if(!(conn->security_flags & SECURITY_FLAG_IGNORE_WRONG_USAGE)) {