Module: wine Branch: master Commit: 21ecc84620aa37fa005048a1b52a0890bb6e7fdc URL: http://source.winehq.org/git/wine.git/?a=commit;h=21ecc84620aa37fa005048a1b5...
Author: Juan Lang juan.lang@gmail.com Date: Thu Nov 12 12:26:05 2009 -0800
crypt32: Accept any matching dNSName in a subject alternate name.
---
dlls/crypt32/chain.c | 11 ++++++++--- dlls/crypt32/tests/chain.c | 7 +------ 2 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/dlls/crypt32/chain.c b/dlls/crypt32/chain.c
index 805447d..eb6d757 100644
--- a/dlls/crypt32/chain.c
+++ b/dlls/crypt32/chain.c
@@ -2373,16 +2373,21 @@ static BOOL match_dns_to_subject_alt_name(PCERT_EXTENSION ext,
 &subjectName, &size))
 {
 DWORD i;
- BOOL found = FALSE;
- for (i = 0; !found && i < subjectName->cAltEntry; i++)
+ /* RFC 5280 states that multiple instances of each name type may exist,
+ * in section 4.2.1.6:
+ * "Multiple name forms, and multiple instances of each name form,
+ * MAY be included."
+ * It doesn't specify the behavior in such cases, but common usage is
+ * to accept a certificate if any name matches.
+ */
+ for (i = 0; !matches && i < subjectName->cAltEntry; i++)
 {
 if (subjectName->rgAltEntry[i].dwAltNameChoice ==
 CERT_ALT_NAME_DNS_NAME)
 {
 TRACE_(chain)("dNSName: %s\n", debugstr_w(
 subjectName->rgAltEntry[i].u.pwszDNSName));
- found = TRUE;
 if (!strcmpiW(server_name,
 subjectName->rgAltEntry[i].u.pwszDNSName))
 matches = TRUE;
diff --git a/dlls/crypt32/tests/chain.c b/dlls/crypt32/tests/chain.c
index 323f062..1da1993 100644
--- a/dlls/crypt32/tests/chain.c
+++ b/dlls/crypt32/tests/chain.c
@@ -3688,11 +3688,6 @@ static const ChainPolicyCheck stanfordPolicyCheckWithMatchingName = {
 { 0, 0, -1, -1, NULL}, NULL, 0
 };
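Review bot: The new comment in match_dns_to_subject_alt_name says the multi-name case is unspecified and rests the behaviour on "common usage", but RFC 2818 section 3.1 does specify it for HTTPS server identity, so the comment should cite that instead: `* RFC 2818, section 3.1: "a match in any one of the set is considered acceptable."`. That same section also allows a `*` wildcard in a dNSName, while the `strcmpiW` comparison kept here is an exact match, so a certificate whose only matching entry is a wildcard name would still be reported as no match; that fails closed, and wildcard handling may exist elsewhere, but it deserves a `/* FIXME: wildcard dNSNames are not matched */` next to the comparison if it does not. The function's body starts and ends outside this hunk, so what the caller does with a FALSE return is not visible here.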
-static const ChainPolicyCheck stanfordPolicyCheckWithMatchingNameTodo = {
- { sizeof(stanfordChain) / sizeof(stanfordChain[0]), stanfordChain },
- { 0, 0, -1, -1, NULL}, NULL, TODO_ERROR
-};
-
 static const ChainPolicyCheck stanfordPolicyCheckWithoutMatchingName = {
 { sizeof(stanfordChain) / sizeof(stanfordChain[0]), stanfordChain },
 { 0, CERT_E_CN_NO_MATCH, 0, 0, NULL}, NULL, 0
@@ -4022,7 +4017,7 @@ static void check_ssl_policy(void)
 /* With "www.cs.stanford.edu": match */
 sslPolicyPara.pwszServerName = www_dot_cs_dot_stanford_dot_edu;
 checkChainPolicyStatus(CERT_CHAIN_POLICY_SSL,
- &stanfordPolicyCheckWithMatchingNameTodo, 0, &oct2009, &policyPara);
+ &stanfordPolicyCheckWithMatchingName, 0, &oct2009, &policyPara);
 /* With "a.cs.stanford.edu": no match */
 sslPolicyPara.pwszServerName = a_dot_cs_dot_stanford_dot_edu;
 checkChainPolicyStatus(CERT_CHAIN_POLICY_SSL,