Juan Lang : crypt32: Only apply a name constraint if the name form is present.

Module: wine Branch: master Commit: a98dad4f93daf1bb8a10fbe7e776bd4c8b7b381d URL: http://source.winehq.org/git/wine.git/?a=commit;h=a98dad4f93daf1bb8a10fbe7e7...

Author: Juan Lang juan.lang@gmail.com Date: Tue Nov 17 12:06:18 2009 -0800

crypt32: Only apply a name constraint if the name form is present.

---

dlls/crypt32/chain.c | 25 ++++++++++++++++++++----- 1 files changed, 20 insertions(+), 5 deletions(-)

diff --git a/dlls/crypt32/chain.c b/dlls/crypt32/chain.c index 704d974..8c7ad5b 100644 --- a/dlls/crypt32/chain.c +++ b/dlls/crypt32/chain.c @@ -743,12 +743,14 @@ static BOOL directory_name_matches(const CERT_NAME_BLOB *constraint, }

static BOOL alt_name_matches(const CERT_ALT_NAME_ENTRY *name, - const CERT_ALT_NAME_ENTRY *constraint, DWORD *trustErrorStatus) + const CERT_ALT_NAME_ENTRY *constraint, DWORD *trustErrorStatus, BOOL *present) { BOOL match = FALSE;

if (name->dwAltNameChoice == constraint->dwAltNameChoice) { + if (present) + *present = TRUE; switch (constraint->dwAltNameChoice) { case CERT_ALT_NAME_RFC822_NAME: @@ -778,6 +780,8 @@ static BOOL alt_name_matches(const CERT_ALT_NAME_ENTRY *name, CERT_TRUST_HAS_NOT_SUPPORTED_NAME_CONSTRAINT; } } + else if (present) + *present = FALSE; return match; }

@@ -789,19 +793,21 @@ static BOOL alt_name_matches_excluded_name(const CERT_ALT_NAME_ENTRY *name,

for (i = 0; !match && i < nameConstraints->cExcludedSubtree; i++) match = alt_name_matches(name, - &nameConstraints->rgExcludedSubtree[i].Base, trustErrorStatus); + &nameConstraints->rgExcludedSubtree[i].Base, trustErrorStatus, NULL); return match; }

static BOOL alt_name_matches_permitted_name(const CERT_ALT_NAME_ENTRY *name, - const CERT_NAME_CONSTRAINTS_INFO *nameConstraints, DWORD *trustErrorStatus) + const CERT_NAME_CONSTRAINTS_INFO *nameConstraints, DWORD *trustErrorStatus, + BOOL *present) { DWORD i; BOOL match = FALSE;

for (i = 0; !match && i < nameConstraints->cPermittedSubtree; i++) match = alt_name_matches(name, - &nameConstraints->rgPermittedSubtree[i].Base, trustErrorStatus); + &nameConstraints->rgPermittedSubtree[i].Base, trustErrorStatus, + present); return match; }

@@ -837,14 +843,23 @@ static void CRYPT_CheckNameConstraints(

for (i = 0; i < subjectName->cAltEntry; i++) { + BOOL nameFormPresent; + + /* A name constraint only applies if the name form is present. + * From RFC 5280, section 4.2.1.10: + * "Restrictions apply only when the specified name form is + * present. If no name of the type is in the certificate, + * the certificate is acceptable." + */ if (alt_name_matches_excluded_name( &subjectName->rgAltEntry[i], nameConstraints, trustErrorStatus)) *trustErrorStatus |= CERT_TRUST_HAS_EXCLUDED_NAME_CONSTRAINT; + nameFormPresent = FALSE; if (!alt_name_matches_permitted_name( &subjectName->rgAltEntry[i], nameConstraints, - trustErrorStatus)) + trustErrorStatus, &nameFormPresent) && nameFormPresent) *trustErrorStatus |= CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT; }