crypt32: Honor more SECURITY_FLAG_IGNORE flags when verifying the SSL policy.

dlls/crypt32/chain.c

@@ -3285,6 +3285,13 @@ static BOOL WINAPI verify_ssl_policy(LPCSTR szPolicyOID,
  PCCERT_CHAIN_CONTEXT pChainContext, PCERT_CHAIN_POLICY_PARA pPolicyPara,
  PCERT_CHAIN_POLICY_STATUS pPolicyStatus)
 {
+    HTTPSPolicyCallbackData *sslPara = NULL;
+    DWORD checks = 0;
+
+    if (pPolicyPara)
+        sslPara = pPolicyPara->pvExtraPolicyPara;
+    if (sslPara && sslPara->u.cbSize >= sizeof(HTTPSPolicyCallbackData))
+        checks = sslPara->fdwChecks;
     pPolicyStatus->lChainIndex = pPolicyStatus->lElementIndex = -1;
     if (pChainContext->TrustStatus.dwErrorStatus &
      CERT_TRUST_IS_NOT_SIGNATURE_VALID)
@@ -3295,7 +3302,8 @@ static BOOL WINAPI verify_ssl_policy(LPCSTR szPolicyOID,
          &pPolicyStatus->lElementIndex);
     }
     else if (pChainContext->TrustStatus.dwErrorStatus &
-     CERT_TRUST_IS_UNTRUSTED_ROOT)
+     CERT_TRUST_IS_UNTRUSTED_ROOT &&
+     !(checks & SECURITY_FLAG_IGNORE_UNKNOWN_CA))
     {
         pPolicyStatus->dwError = CERT_E_UNTRUSTEDROOT;
         find_element_with_error(pChainContext,
@@ -3312,7 +3320,8 @@ static BOOL WINAPI verify_ssl_policy(LPCSTR szPolicyOID,
         pPolicyStatus->lElementIndex = -1;
     }
     else if (pChainContext->TrustStatus.dwErrorStatus &
-     CERT_TRUST_IS_NOT_TIME_VALID)
+     CERT_TRUST_IS_NOT_TIME_VALID &&
+     !(checks & SECURITY_FLAG_IGNORE_CERT_DATE_INVALID))
     {
         pPolicyStatus->dwError = CERT_E_EXPIRED;
         find_element_with_error(pChainContext,
@@ -3327,13 +3336,11 @@ static BOOL WINAPI verify_ssl_policy(LPCSTR szPolicyOID,
     if (!pPolicyStatus->dwError && pPolicyPara &&
      pPolicyPara->cbSize >= sizeof(CERT_CHAIN_POLICY_PARA))
     {
-        HTTPSPolicyCallbackData *sslPara = pPolicyPara->pvExtraPolicyPara;
-
         if (sslPara && sslPara->u.cbSize >= sizeof(HTTPSPolicyCallbackData))
         {
             if (sslPara->dwAuthType == AUTHTYPE_SERVER &&
              sslPara->pwszServerName &&
-             !(sslPara->fdwChecks & SECURITY_FLAG_IGNORE_CERT_CN_INVALID))
+             !(checks & SECURITY_FLAG_IGNORE_CERT_CN_INVALID))
             {
                 PCCERT_CONTEXT cert;
                 PCERT_EXTENSION altNameExt;

dlls/crypt32/tests/chain.c

@@ -3790,7 +3790,7 @@ static const ChainPolicyCheck sslPolicyCheck[] = {
 
 static const ChainPolicyCheck ignoredUnknownCAPolicyCheck = {
  { sizeof(chain0) / sizeof(chain0[0]), chain0 },
- { 0, CERT_E_EXPIRED, 0, 0, NULL }, NULL, TODO_ERROR
+ { 0, CERT_E_EXPIRED, 0, 0, NULL }, NULL, 0
 };
 
 static const ChainPolicyCheck googlePolicyCheckWithMatchingNameExpired = {
@@ -3798,11 +3798,6 @@ static const ChainPolicyCheck googlePolicyCheckWithMatchingNameExpired = {
  { 0, CERT_E_EXPIRED, 0, 0, NULL}, NULL, 0
 };
 
-static const ChainPolicyCheck googlePolicyCheckWithMatchingNameIgnoringExpired = {
- { sizeof(googleChain) / sizeof(googleChain[0]), googleChain },
- { 0, 0, -1, -1, NULL}, NULL, TODO_ERROR
-};
-
 static const ChainPolicyCheck googlePolicyCheckWithMatchingName = {
  { sizeof(googleChain) / sizeof(googleChain[0]), googleChain },
  { 0, 0, -1, -1, NULL}, NULL, 0
@@ -4157,8 +4152,7 @@ static void check_ssl_policy(void)
      */
     sslPolicyPara.fdwChecks = SECURITY_FLAG_IGNORE_CERT_DATE_INVALID;
     checkChainPolicyStatus(CERT_CHAIN_POLICY_SSL, NULL,
-     &googlePolicyCheckWithMatchingNameIgnoringExpired, 0, &oct2007,
-     &policyPara);
+     &googlePolicyCheckWithMatchingName, 0, &oct2007, &policyPara);
     sslPolicyPara.fdwChecks = 0;
     /* And again, but checking the Google chain at a good date */
     sslPolicyPara.pwszServerName = google_dot_com;