From cb341f37175b4a79d3a2f3fc5709a43d11d08d07 Mon Sep 17 00:00:00 2001
From: Juan Lang
Date: Wed, 8 Oct 2008 14:18:55 -0700
Subject: [PATCH] crypt32: Fix error handling for cyclic chains.
---
 dlls/crypt32/chain.c | 11 ++++++++++-
 dlls/crypt32/tests/chain.c | 5 ++---
 2 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/dlls/crypt32/chain.c b/dlls/crypt32/chain.c
index 534d6ae3d66..d086fe6558a 100644
--- a/dlls/crypt32/chain.c
+++ b/dlls/crypt32/chain.c
@@ -251,7 +251,7 @@ static void CRYPT_CheckSimpleChainForCycles(PCERT_SIMPLE_CHAIN chain)
 if (cyclicCertIndex)
 {
 chain->rgpElement[cyclicCertIndex]->TrustStatus.dwErrorStatus
- |= CERT_TRUST_IS_CYCLIC;
+ |= CERT_TRUST_IS_CYCLIC | CERT_TRUST_INVALID_BASIC_CONSTRAINTS;
 /* Release remaining certs */
 for (i = cyclicCertIndex + 1; i < chain->cElement; i++)
 CRYPT_FreeChainElement(chain->rgpElement[i]);
@@ -766,6 +766,15 @@ static void CRYPT_CheckSimpleChain(PCertificateChainEngine engine,
 constraints.dwPathLenConstraint--;
 }
 }
+ if (CRYPT_IsSimpleChainCyclic(chain))
+ {
+ /* If the chain is cyclic, then the path length constraints
+ * are violated, because the chain is infinitely long.
+ */
+ pathLengthConstraintViolated = TRUE;
+ chain->TrustStatus.dwErrorStatus |=
+ CERT_TRUST_INVALID_BASIC_CONSTRAINTS;
+ }
 /* FIXME: check valid usages */
 CRYPT_CombineTrustStatus(&chain->TrustStatus,
 &chain->rgpElement[i]->TrustStatus);
diff --git a/dlls/crypt32/tests/chain.c b/dlls/crypt32/tests/chain.c
index 1a107029c48..eb8db2cbd52 100644
--- a/dlls/crypt32/tests/chain.c
+++ b/dlls/crypt32/tests/chain.c
@@ -1521,7 +1521,7 @@ static ChainCheck chainCheck[] = { { CERT_TRUST_HAS_NOT_SUPPORTED_NAME_CONSTRAINT | CERT_TRUST_INVALID_BASIC_CONSTRAINTS | CERT_TRUST_IS_CYCLIC, 0 }, 1, simpleStatus9 }, - TODO_ERROR | TODO_INFO }, + TODO_INFO }, { { sizeof(chain10) / sizeof(chain10[0]), chain10 }, { { 0, CERT_TRUST_HAS_PREFERRED_ISSUER }, { CERT_TRUST_IS_UNTRUSTED_ROOT, 0 }, 1, simpleStatus10 }, 0 },
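Review bot: The widened `|=` in CRYPT_CheckSimpleChainForCycles now marks the cyclic element with CERT_TRUST_INVALID_BASIC_CONSTRAINTS, but nothing at this site says why a cycle is reported as a basic-constraints failure. The reasoning is written down only in the comment added to CRYPT_CheckSimpleChain. Since callers key validation decisions off these individual trust bits, a short comment above the assignment would help, for example `/* A cyclic chain is unbounded, so it also violates the path length constraint */`. The function body starts and ends outside the hunk.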
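Review bot: The added `if (CRYPT_IsSimpleChainCyclic(chain))` block in CRYPT_CheckSimpleChain sits directly before code that indexes `chain->rgpElement[i]`, so it appears to be evaluated once per element even though its condition does not depend on `i`. If that reading is right, computing the result once before the loop, `BOOL cyclic = CRYPT_IsSimpleChainCyclic(chain);`, and testing `if (cyclic)` at this spot would keep the behaviour while making it clear the bit describes the whole chain. It is also worth a comment on whether setting `pathLengthConstraintViolated = TRUE` here is meant to affect the checks on the remaining elements. The loop header and the other uses of `pathLengthConstraintViolated` are outside the hunk, so this needs confirming against the full function.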
@@ -1743,8 +1743,7 @@ static ChainPolicyCheck basicConstraintsPolicyCheck[] = {
 { 0, TRUST_E_BASIC_CONSTRAINTS, 0, 1, NULL },
 TODO_ERROR | TODO_CHAINS | TODO_ELEMENTS },
 { { sizeof(chain9) / sizeof(chain9[0]), chain9 },
- { 0, TRUST_E_BASIC_CONSTRAINTS, 0, 1, NULL },
- TODO_ERROR | TODO_CHAINS | TODO_ELEMENTS },
+ { 0, TRUST_E_BASIC_CONSTRAINTS, 0, 1, NULL }, 0 },
 { { sizeof(chain10) / sizeof(chain10[0]), chain10 },
 { 0, 0, -1, -1, NULL }, 0 },
 { { sizeof(chain11) / sizeof(chain11[0]), chain11 },