Posted to commits@subversion.apache.org by hw...@apache.org on 2010/06/10 13:54:20 UTC

svn commit: r953288 - in /subversion/branches/1.6.x: ./ STATUS subversion/libsvn_subr/win32_crypto.c

Author: hwright
Date: Thu Jun 10 11:54:19 2010
New Revision: 953288

URL: http://svn.apache.org/viewvc?rev=953288&view=rev
Log:
Merge r898048 from trunk:

 * r898048
   Extend the Windows only, crypto api verification of server certificates
   to check for certificate revocation. Also simplify the code by making
   Windows do the chain verification instead of just taking an intermediate
   result.
   Justification:
     It's better to be safe, when we are talking about SSL.
   Votes:
     +1: rhuijben, steveking, cmpilato

Modified:
    subversion/branches/1.6.x/   (props changed)
    subversion/branches/1.6.x/STATUS
    subversion/branches/1.6.x/subversion/libsvn_subr/win32_crypto.c

Propchange: subversion/branches/1.6.x/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Thu Jun 10 11:54:19 2010
@@ -72,4 +72,4 @@
 /subversion/branches/tc_url_rev:874351-874483
 /subversion/branches/tree-conflicts:868291-873154
 /subversion/branches/tree-conflicts-notify:873926-874008
-/subversion/trunk:875965,875968,876004,876012,876017,876019,876022,876024,876032,876041-876042,876048,876051,876055-876056,876059,876083,876091,876097,876101,876104,876109,876123-876125,876129,876132,876138,876160,876167,876175,876180,876185,876205,876223-876225,876230,876233,876245,876252,876256,876283,876287,876312,876326-876327,876330,876366,876372,876374,876376,876383,876386,876442,876456-876457,876462-876464,876467,876469,876480,876486,876495-876497,876516-876518,876524,876526,876583,876601,876614,876628,876633,876641,876659,876687,876689,876705,876715,876726,876760,876763,876794,876804,876815-876816,876821,876825,876837,876840-876841,876843,876849,876857-876858,876862,876873,876890,876897,876905,876908,876925,876931,876934,876948-876949,876953,876987,876993,877011,877014,877016,877028-877029,877038,877119,877127,877146,877157,877191,877195,877203,877211,877230,877234,877237,877243,877249,877259,877261,877304,877319,877407,877437,877441-877442,877453,877459,877472,87754
 4,877553,877565,877568,877573,877593,877595,877597,877601,877612,877665,877667,877681,877692,877696,877701,877720,877730,877784,877793,877797,877809,877815,877819,877821,877842,877848,877853,877867,877869,877873,877901,877909,877916,877931,877942,877953,877964,877968,877970,877981-877982,878005,878013,878015,878020,878046,878053,878062,878074,878080,878089,878091,878093,878095,878127,878129,878131,878142,878173-878176,878216,878240,878242,878255,878269,878272,878279,878296-878297,878303,878321,878335,878338,878341,878343,878353,878364,878367-878368,878385,878399,878423,878426,878447,878462,878484,878491,878498,878532,878595,878646,878659,878673,878682-878683,878690-878691,878693,878723,878760-878761,878873,878875,878877,878879,878905,878910-878911,878915-878916,878924-878925,878946,878949,878955,878960,878970,878981,879001,879033,879056,879074,879076,879081-879082,879093,879105,879126,879148,879170,879198-879199,879201,879271,879293,879357,879375-879376,879403,879631,879635-
 879636,879688,879709-879711,879747,879954,879961,880082,880095,880105,880162,880226,880274-880275,880370,880450,880461,880474,880525-880526,880552,881905,884842,886164,886197,888715,888979,889081,889840,891672,892050,892085,895514,895653,896522,896915,898963,899826,899828,900797,901304,901752,902093,904301,904394,904594,905303,905326,906256,906305,906587,908980-908981,917640,918211,922516,923389,923391,926151,926167,927323,927328,931209,931211,931392,931568,932942,933299,935992,935996,937610,944635,951753
+/subversion/trunk:875965,875968,876004,876012,876017,876019,876022,876024,876032,876041-876042,876048,876051,876055-876056,876059,876083,876091,876097,876101,876104,876109,876123-876125,876129,876132,876138,876160,876167,876175,876180,876185,876205,876223-876225,876230,876233,876245,876252,876256,876283,876287,876312,876326-876327,876330,876366,876372,876374,876376,876383,876386,876442,876456-876457,876462-876464,876467,876469,876480,876486,876495-876497,876516-876518,876524,876526,876583,876601,876614,876628,876633,876641,876659,876687,876689,876705,876715,876726,876760,876763,876794,876804,876815-876816,876821,876825,876837,876840-876841,876843,876849,876857-876858,876862,876873,876890,876897,876905,876908,876925,876931,876934,876948-876949,876953,876987,876993,877011,877014,877016,877028-877029,877038,877119,877127,877146,877157,877191,877195,877203,877211,877230,877234,877237,877243,877249,877259,877261,877304,877319,877407,877437,877441-877442,877453,877459,877472,87754
 4,877553,877565,877568,877573,877593,877595,877597,877601,877612,877665,877667,877681,877692,877696,877701,877720,877730,877784,877793,877797,877809,877815,877819,877821,877842,877848,877853,877867,877869,877873,877901,877909,877916,877931,877942,877953,877964,877968,877970,877981-877982,878005,878013,878015,878020,878046,878053,878062,878074,878080,878089,878091,878093,878095,878127,878129,878131,878142,878173-878176,878216,878240,878242,878255,878269,878272,878279,878296-878297,878303,878321,878335,878338,878341,878343,878353,878364,878367-878368,878385,878399,878423,878426,878447,878462,878484,878491,878498,878532,878595,878646,878659,878673,878682-878683,878690-878691,878693,878723,878760-878761,878873,878875,878877,878879,878905,878910-878911,878915-878916,878924-878925,878946,878949,878955,878960,878970,878981,879001,879033,879056,879074,879076,879081-879082,879093,879105,879126,879148,879170,879198-879199,879201,879271,879293,879357,879375-879376,879403,879631,879635-
 879636,879688,879709-879711,879747,879954,879961,880082,880095,880105,880162,880226,880274-880275,880370,880450,880461,880474,880525-880526,880552,881905,884842,886164,886197,888715,888979,889081,889840,891672,892050,892085,895514,895653,896522,896915,898048,898963,899826,899828,900797,901304,901752,902093,904301,904394,904594,905303,905326,906256,906305,906587,908980-908981,917640,918211,922516,923389,923391,926151,926167,927323,927328,931209,931211,931392,931568,932942,933299,935992,935996,937610,944635,951753

Modified: subversion/branches/1.6.x/STATUS
URL: http://svn.apache.org/viewvc/subversion/branches/1.6.x/STATUS?rev=953288&r1=953287&r2=953288&view=diff
==============================================================================
--- subversion/branches/1.6.x/STATUS (original)
+++ subversion/branches/1.6.x/STATUS Thu Jun 10 11:54:19 2010
@@ -270,14 +270,3 @@ Approved changes:
      running apache or svnserve.
    Votes:
      +1: rhuijben, steveking, cmpilato
-
- * r898048
-   Extend the Windows only, crypto api verification of server certificates
-   to check for certificate revocation. Also simplify the code by making
-   Windows do the chain verification instead of just taking an intermediate
-   result.
-   Justification:
-     It's better to be safe, when we are talking about SSL.
-   Votes:
-     +1: rhuijben, steveking, cmpilato
-

Modified: subversion/branches/1.6.x/subversion/libsvn_subr/win32_crypto.c
URL: http://svn.apache.org/viewvc/subversion/branches/1.6.x/subversion/libsvn_subr/win32_crypto.c?rev=953288&r1=953287&r2=953288&view=diff
==============================================================================
--- subversion/branches/1.6.x/subversion/libsvn_subr/win32_crypto.c (original)
+++ subversion/branches/1.6.x/subversion/libsvn_subr/win32_crypto.c Thu Jun 10 11:54:19 2010
@@ -351,14 +351,28 @@ windows_validate_certificate(svn_boolean
       chain_para.cbSize = sizeof(chain_para);
 
       if (CertGetCertificateChain(NULL, cert_context, NULL, NULL, &chain_para,
-                                  CERT_CHAIN_CACHE_END_CERT,
+                                  CERT_CHAIN_CACHE_END_CERT |
+                                  CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT,
                                   NULL, &chain_context))
         {
-          if (chain_context->rgpChain[0]->TrustStatus.dwErrorStatus
-              == CERT_TRUST_NO_ERROR)
+          CERT_CHAIN_POLICY_PARA policy_para;
+          CERT_CHAIN_POLICY_STATUS policy_status;
+
+          policy_para.cbSize = sizeof(policy_para);
+          policy_para.dwFlags = 0;
+          policy_para.pvExtraPolicyPara = NULL;
+
+          policy_status.cbSize = sizeof(policy_status);
+
+          if (CertVerifyCertificateChainPolicy(CERT_CHAIN_POLICY_SSL,
+                                               chain_context, &policy_para,
+                                               &policy_status))
             {
-              /* Windows think the certificate is valid. */
-              *ok_p = TRUE;
+              if (policy_status.dwError == S_OK)
+                {
+                  /* Windows thinks the certificate is valid. */
+                  *ok_p = TRUE;
+                }
             }
 
           CertFreeCertificateChain(chain_context);
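Review bot: The new `CertVerifyCertificateChainPolicy(CERT_CHAIN_POLICY_SSL, ...)` call is made with `policy_para.pvExtraPolicyPara = NULL`, so it evaluates chain trust and revocation but does not check that the certificate was issued for the host being contacted. Name matching under this policy needs an `SSL_EXTRA_CERT_CHAIN_POLICY_PARA` with `dwAuthType = AUTHTYPE_SERVER` and `pwszServerName` filled in. windows_validate_certificate starts and ends outside this hunk, so the caller may already reject host-name mismatches before this code runs; if that is the case, state it next to the call, e.g. `/* Chain trust and revocation only; the host name must already have been verified by the caller. */`. It is also worth a comment that with `CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT` an unreachable revocation source is expected to leave `policy_status.dwError` non-zero, so `*ok_p` stays unset and the certificate is not silently accepted.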