crypt32: Only accept trailing NULLs in a certificate common name.

Juan Lang juan.lang at gmail.com
Tue Jan 31 11:04:57 CST 2012


Sorry I didn't spot this earlier.  Without this, someone who registers
a certificate common name with an embedded NULL, like
"codeweavers.com\0.badguy", could fool crypt32 into accepting it for a
domain it isn't registered to, codeweavers.com in my example.
--Juan
-------------- next part --------------
From c885d651b898a300fc5a4b13d92a034499222fc8 Mon Sep 17 00:00:00 2001
From: Juan Lang <juan.lang at gmail.com>
Date: Tue, 31 Jan 2012 08:59:36 -0800
Subject: [PATCH 2/2] Only accept trailing NULLs in a certificate common name.

---
 dlls/crypt32/chain.c |   11 +++++++----
 1 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/dlls/crypt32/chain.c b/dlls/crypt32/chain.c
index 748c7ce..d112673 100644
--- a/dlls/crypt32/chain.c
+++ b/dlls/crypt32/chain.c
@@ -3163,10 +3163,6 @@ static BOOL match_domain_component(LPCWSTR allowed_component, DWORD allowed_len,
 
     *see_wildcard = FALSE;
 
-    /* permit server_len to be one byte short if allowed_component is NULL terminated */
-    if(allowed_component[allowed_len-1] == 0)
-        allowed_len--;
-
     if (server_len < allowed_len)
     {
         WARN_(chain)("domain component %s too short for %s\n",
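Review bot: with the per-component trim removed at the top of match_domain_component, the function now silently depends on its caller having stripped trailing NULs from the name, and nothing in the function says so. A short comment above the length check stating that allowed_component is compared as-is, including any 0 characters, would keep a later caller from passing an untrimmed name and would record why the old allowance was dropped: it applied to every component, so a 0 just before an interior dot was trimmed away too. The removed lines also read allowed_component[allowed_len-1] without checking that allowed_len was non-zero, so the removal closes that read as well; worth a mention in the commit message.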
@@ -3226,6 +3222,13 @@ static BOOL match_common_name(LPCWSTR server_name, const CERT_RDN_ATTR *nameAttr
 
     TRACE_(chain)("CN = %s\n", debugstr_wn(allowed_component, allowed_len));
 
+    /* Remove trailing NULLs from the allowed name; while they shouldn't appear
+     * in a certificate in the first place, they sometimes do, and they should
+     * be ignored.
+     */
+    while (allowed_len && allowed_component[allowed_len - 1] == 0)
+      allowed_len--;
+
     /* From RFC 2818 (HTTP over TLS), section 3.1:
      * "Names may contain the wildcard character * which is considered to match
      *  any single domain name component or component fragment. E.g.,
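Review bot: the new while loop in match_common_name only strips 0 characters at the end of the name, so a 0 that remains inside allowed_component is rejected only as a side effect of the later component comparison failing. An explicit scan after the trim that returns FALSE with a WARN_(chain) when any allowed_component[i] == 0 remains would make the rejection deliberate and visible in the log. The loop can also leave allowed_len at 0 for a name made up entirely of NULs, and the visible lines do not show that case being handled before the wildcard matching starts. Style: allowed_len--; is indented two spaces under the while, where the rest of the file (including the lines removed in the first hunk) uses four.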
-- 
1.7.7.3

