Juan Lang : crypt32: If a hostname in a URI or rfc822 name constraint doesn 't begin with '.', a match must be exact.
Alexandre Julliard
julliard at winehq.org
Tue Nov 17 09:28:16 CST 2009
Module: wine
Branch: master
Commit: b74ef17efc1a35a6593113d57069d880e001705e
URL: http://source.winehq.org/git/wine.git/?a=commit;h=b74ef17efc1a35a6593113d57069d880e001705e
Author: Juan Lang <juan.lang at gmail.com>
Date: Fri Nov 13 17:51:55 2009 -0800
crypt32: If a hostname in a URI or rfc822 name constraint doesn't begin with '.', a match must be exact.
---
dlls/crypt32/chain.c | 39 +++++++++++++++++++++++++++++++++++++--
1 files changed, 37 insertions(+), 2 deletions(-)
diff --git a/dlls/crypt32/chain.c b/dlls/crypt32/chain.c
index 0fd9df7..9b09e61 100644
--- a/dlls/crypt32/chain.c
+++ b/dlls/crypt32/chain.c
@@ -506,6 +506,41 @@ static BOOL CRYPT_CheckBasicConstraintsForCA(PCertificateChainEngine engine,
return validBasicConstraints;
}
+static BOOL domain_name_matches(LPCWSTR constraint, LPCWSTR name)
+{
+ BOOL match;
+
+ /* RFC 5280, section 4.2.1.10:
+ * "For URIs, the constraint applies to the host part of the name...
+ * When the constraint begins with a period, it MAY be expanded with one
+ * or more labels. That is, the constraint ".example.com" is satisfied by
+ * both host.example.com and my.host.example.com. However, the constraint
+ * ".example.com" is not satisfied by "example.com". When the constraint
+ * does not begin with a period, it specifies a host."
+ * and for email addresses,
+ * "To indicate all Internet mail addresses on a particular host, the
+ * constraint is specified as the host name. For example, the constraint
+ * "example.com" is satisfied by any mail address at the host
+ * "example.com". To specify any address within a domain, the constraint
+ * is specified with a leading period (as with URIs)."
+ */
+ if (constraint[0] == '.')
+ {
+ /* Must be strictly greater than, a name can't begin with '.' */
+ if (lstrlenW(name) > lstrlenW(constraint))
+ match = !lstrcmpiW(name + lstrlenW(name) - lstrlenW(constraint),
+ constraint);
+ else
+ {
+ /* name is too short, no match */
+ match = FALSE;
+ }
+ }
+ else
+ match = !lstrcmpiW(name, constraint);
+ return match;
+}
+
static BOOL url_matches(LPCWSTR constraint, LPCWSTR name,
DWORD *trustErrorStatus)
{
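Review bot: `domain_name_matches` makes a trust decision with `lstrcmpiW`, which as far as I know compares under the user locale rather than ordinally, so both the suffix comparison and the exact comparison can depend on locale-specific case rules. An ordinal case-insensitive compare is more predictable for host names; the file appears to use the `wine/unicode.h` helpers already (`strchrW` shows up in a later hunk), so `match = !strcmpiW(name, constraint);` and the same call in the suffix branch would fit. The suffix branch also evaluates `lstrlenW` on each string up to three times, and two locals such as `int name_len = lstrlenW(name), constraint_len = lstrlenW(constraint);` would make the offset arithmetic easier to check. Since `constraint[0]` and `name` are read without a NULL guard, a short comment above the function stating that callers must pass non-NULL strings would document the contract.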
@@ -567,7 +602,7 @@ static BOOL url_matches(LPCWSTR constraint, LPCWSTR name,
else
hostname = name;
if (hostname)
- match = !lstrcmpiW(constraint, hostname);
+ match = domain_name_matches(constraint, hostname);
}
return match;
}
@@ -589,7 +624,7 @@ static BOOL rfc822_name_matches(LPCWSTR constraint, LPCWSTR name,
else
{
if ((at = strchrW(name, '@')))
- match = url_matches(constraint, at + 1, trustErrorStatus);
+ match = domain_name_matches(constraint, at + 1);
else
match = !lstrcmpiW(constraint, name);
}
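Review bot: The host handed to `domain_name_matches` on the new line is whatever follows the first '@' located by `strchrW(name, '@')`, so an rfc822 name whose quoted local part itself contains '@' would be compared from the wrong offset. For a permitted constraint that only causes a rejection, but for an excluded constraint a failed match presumably means the name is treated as not excluded, so the split point matters. Splitting at the last '@' is the more conservative choice, `if ((at = strrchrW(name, '@')))`. The `strchrW` line is unchanged context and rfc822_name_matches begins and ends outside this hunk, so any earlier validation of the name is not visible here.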