Juan Lang : crypt32: Accept any matching dNSName in a subject alternate name.
Alexandre Julliard
julliard at winehq.org
Fri Nov 13 09:37:05 CST 2009
Module: wine
Branch: master
Commit: 21ecc84620aa37fa005048a1b52a0890bb6e7fdc
URL: http://source.winehq.org/git/wine.git/?a=commit;h=21ecc84620aa37fa005048a1b52a0890bb6e7fdc
Author: Juan Lang <juan.lang at gmail.com>
Date: Thu Nov 12 12:26:05 2009 -0800
crypt32: Accept any matching dNSName in a subject alternate name.
---
dlls/crypt32/chain.c | 11 ++++++++---
dlls/crypt32/tests/chain.c | 7 +------
2 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/dlls/crypt32/chain.c b/dlls/crypt32/chain.c
index 805447d..eb6d757 100644
--- a/dlls/crypt32/chain.c
+++ b/dlls/crypt32/chain.c
@@ -2373,16 +2373,21 @@ static BOOL match_dns_to_subject_alt_name(PCERT_EXTENSION ext,
&subjectName, &size))
{
DWORD i;
- BOOL found = FALSE;
- for (i = 0; !found && i < subjectName->cAltEntry; i++)
+ /* RFC 5280 states that multiple instances of each name type may exist,
+ * in section 4.2.1.6:
+ * "Multiple name forms, and multiple instances of each name form,
+ * MAY be included."
+ * It doesn't specify the behavior in such cases, but common usage is
+ * to accept a certificate if any name matches.
+ */
+ for (i = 0; !matches && i < subjectName->cAltEntry; i++)
{
if (subjectName->rgAltEntry[i].dwAltNameChoice ==
CERT_ALT_NAME_DNS_NAME)
{
TRACE_(chain)("dNSName: %s\n", debugstr_w(
subjectName->rgAltEntry[i].u.pwszDNSName));
- found = TRUE;
if (!strcmpiW(server_name,
subjectName->rgAltEntry[i].u.pwszDNSName))
matches = TRUE;
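Review bot: The comparison at the end of the hunk, `strcmpiW(server_name, subjectName->rgAltEntry[i].u.pwszDNSName)`, trusts the decoded dNSName as a NUL-terminated string, so a SAN entry whose IA5String carries an embedded NUL (`www.example.com\0.attacker.test`) would compare equal to `www.example.com` unless the decoder already rejects such values; I can't see the decode path from this hunk, so please confirm that embedded NULs are refused at decode time, or compare the decoded length against the original IA5String length before this match. The same line only accepts an exact case-insensitive match, so a wildcard entry such as `*.cs.stanford.edu` will never match `www.cs.stanford.edu` if wildcard handling is not done elsewhere in this function — worth either handling here or stating in the comment above the loop. The new comment block could also say what the loop now does for the reader, e.g. `/* Any dNSName entry that matches the server name is accepted; non-dNSName entries are skipped. */`. match_dns_to_subject_alt_name begins and ends outside this hunk, so I can't tell whether `matches` is initialised to FALSE before this loop; that initialisation is now what prevents a stale value from being returned.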
diff --git a/dlls/crypt32/tests/chain.c b/dlls/crypt32/tests/chain.c
index 323f062..1da1993 100644
--- a/dlls/crypt32/tests/chain.c
+++ b/dlls/crypt32/tests/chain.c
@@ -3688,11 +3688,6 @@ static const ChainPolicyCheck stanfordPolicyCheckWithMatchingName = {
{ 0, 0, -1, -1, NULL}, NULL, 0
};
-static const ChainPolicyCheck stanfordPolicyCheckWithMatchingNameTodo = {
- { sizeof(stanfordChain) / sizeof(stanfordChain[0]), stanfordChain },
- { 0, 0, -1, -1, NULL}, NULL, TODO_ERROR
-};
-
static const ChainPolicyCheck stanfordPolicyCheckWithoutMatchingName = {
{ sizeof(stanfordChain) / sizeof(stanfordChain[0]), stanfordChain },
{ 0, CERT_E_CN_NO_MATCH, 0, 0, NULL}, NULL, 0
@@ -4022,7 +4017,7 @@ static void check_ssl_policy(void)
/* With "www.cs.stanford.edu": match */
sslPolicyPara.pwszServerName = www_dot_cs_dot_stanford_dot_edu;
checkChainPolicyStatus(CERT_CHAIN_POLICY_SSL,
- &stanfordPolicyCheckWithMatchingNameTodo, 0, &oct2009, &policyPara);
+ &stanfordPolicyCheckWithMatchingName, 0, &oct2009, &policyPara);
/* With "a.cs.stanford.edu": no match */
sslPolicyPara.pwszServerName = a_dot_cs_dot_stanford_dot_edu;
checkChainPolicyStatus(CERT_CHAIN_POLICY_SSL,