Juan Lang : crypt32: Accept any matching dNSName in a subject alternate name.

Alexandre Julliard julliard at winehq.org
Fri Nov 13 09:37:05 CST 2009


Module: wine
Branch: master
Commit: 21ecc84620aa37fa005048a1b52a0890bb6e7fdc
URL:    http://source.winehq.org/git/wine.git/?a=commit;h=21ecc84620aa37fa005048a1b52a0890bb6e7fdc

Author: Juan Lang <juan.lang at gmail.com>
Date:   Thu Nov 12 12:26:05 2009 -0800

crypt32: Accept any matching dNSName in a subject alternate name.

---

 dlls/crypt32/chain.c       |   11 ++++++++---
 dlls/crypt32/tests/chain.c |    7 +------
 2 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/dlls/crypt32/chain.c b/dlls/crypt32/chain.c
index 805447d..eb6d757 100644
--- a/dlls/crypt32/chain.c
+++ b/dlls/crypt32/chain.c
@@ -2373,16 +2373,21 @@ static BOOL match_dns_to_subject_alt_name(PCERT_EXTENSION ext,
      &subjectName, &size))
     {
         DWORD i;
-        BOOL found = FALSE;
 
-        for (i = 0; !found && i < subjectName->cAltEntry; i++)
+        /* RFC 5280 states that multiple instances of each name type may exist,
+         * in section 4.2.1.6:
+         * "Multiple name forms, and multiple instances of each name form,
+         *  MAY be included."
+         * It doesn't specify the behavior in such cases, but common usage is
+         * to accept a certificate if any name matches.
+         */
+        for (i = 0; !matches && i < subjectName->cAltEntry; i++)
         {
             if (subjectName->rgAltEntry[i].dwAltNameChoice ==
              CERT_ALT_NAME_DNS_NAME)
             {
                 TRACE_(chain)("dNSName: %s\n", debugstr_w(
                  subjectName->rgAltEntry[i].u.pwszDNSName));
-                found = TRUE;
                 if (!strcmpiW(server_name,
                  subjectName->rgAltEntry[i].u.pwszDNSName))
                     matches = TRUE;
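Review bot: The `strcmpiW` comparison that the new loop now applies to every dNSName entry is an exact, case-insensitive match, so a wildcard entry such as `*.cs.stanford.edu` or a name with a trailing dot will never be accepted, and nothing in this loop guards against an embedded NUL in `pwszDNSName` — `strcmpiW` stops at the first NUL, so whether a SAN of the form `www.cs.stanford.edu\0.example` is rejected depends entirely on the decoder that produced `subjectName`, which is outside this hunk. That is pre-existing behaviour rather than something this change introduces, but since the loop now walks all dNSName entries and accepts on the first hit, the matching contract should be stated next to the new RFC 5280 comment, e.g. `/* Exact (case-insensitive) match only: wildcard entries are not expanded here, and the decoded name is trusted to contain no embedded NUL. */`. The `matches` flag used in the new loop condition is initialised before the hunk, and match_dns_to_subject_alt_name starts and ends outside it.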
diff --git a/dlls/crypt32/tests/chain.c b/dlls/crypt32/tests/chain.c
index 323f062..1da1993 100644
--- a/dlls/crypt32/tests/chain.c
+++ b/dlls/crypt32/tests/chain.c
@@ -3688,11 +3688,6 @@ static const ChainPolicyCheck stanfordPolicyCheckWithMatchingName = {
  { 0, 0, -1, -1, NULL}, NULL, 0
 };
 
-static const ChainPolicyCheck stanfordPolicyCheckWithMatchingNameTodo = {
- { sizeof(stanfordChain) / sizeof(stanfordChain[0]), stanfordChain },
- { 0, 0, -1, -1, NULL}, NULL, TODO_ERROR
-};
-
 static const ChainPolicyCheck stanfordPolicyCheckWithoutMatchingName = {
  { sizeof(stanfordChain) / sizeof(stanfordChain[0]), stanfordChain },
  { 0, CERT_E_CN_NO_MATCH, 0, 0, NULL}, NULL, 0
@@ -4022,7 +4017,7 @@ static void check_ssl_policy(void)
     /* With "www.cs.stanford.edu": match */
     sslPolicyPara.pwszServerName = www_dot_cs_dot_stanford_dot_edu;
     checkChainPolicyStatus(CERT_CHAIN_POLICY_SSL,
-     &stanfordPolicyCheckWithMatchingNameTodo, 0, &oct2009, &policyPara);
+     &stanfordPolicyCheckWithMatchingName, 0, &oct2009, &policyPara);
     /* With "a.cs.stanford.edu": no match */
     sslPolicyPara.pwszServerName = a_dot_cs_dot_stanford_dot_edu;
     checkChainPolicyStatus(CERT_CHAIN_POLICY_SSL,



