crypt32: Accept any matching dNSName in a subject alternate name.

21ecc846 · Juan Lang · Alexandre Julliard · 95a14def · 21ecc846 · 21ecc846
Commit 21ecc846 authored Nov 12, 2009 by Juan Lang Committed by Alexandre Julliard Nov 13, 2009
Hide whitespace changes
Inline Side-by-side

Showing with 9 additions and 9 deletions

chain.c dlls/crypt32/chain.c +8 -3

chain.c dlls/crypt32/tests/chain.c +1 -6

No files found.
--- a/dlls/crypt32/chain.c
+++ b/dlls/crypt32/chain.c
@@ -2373,16 +2373,21 @@ static BOOL match_dns_to_subject_alt_name(PCERT_EXTENSION ext,
     &subjectName, &size))
    {
        DWORD i;
-        BOOL found = FALSE;

-        for (i = 0; !found && i < subjectName->cAltEntry; i++)
+        /* RFC 5280 states that multiple instances of each name type may exist,
+         * in section 4.2.1.6:
+         * "Multiple name forms, and multiple instances of each name form,
+         *  MAY be included."
+         * It doesn't specify the behavior in such cases, but common usage is
+         * to accept a certificate if any name matches.
+         */
+        for (i = 0; !matches && i < subjectName->cAltEntry; i++)
        {
            if (subjectName->rgAltEntry[i].dwAltNameChoice ==
             CERT_ALT_NAME_DNS_NAME)
            {
                TRACE_(chain)("dNSName: %s\n", debugstr_w(
                 subjectName->rgAltEntry[i].u.pwszDNSName));
-                found = TRUE;
                if (!strcmpiW(server_name,
                 subjectName->rgAltEntry[i].u.pwszDNSName))
                    matches = TRUE;

--- a/dlls/crypt32/tests/chain.c
+++ b/dlls/crypt32/tests/chain.c
@@ -3688,11 +3688,6 @@ static const ChainPolicyCheck stanfordPolicyCheckWithMatchingName = {
 { 0, 0, -1, -1, NULL}, NULL, 0
 };

-static const ChainPolicyCheck stanfordPolicyCheckWithMatchingNameTodo = {
- { sizeof(stanfordChain) / sizeof(stanfordChain[0]), stanfordChain },
- { 0, 0, -1, -1, NULL}, NULL, TODO_ERROR
-};
-
 static const ChainPolicyCheck stanfordPolicyCheckWithoutMatchingName = {
 { sizeof(stanfordChain) / sizeof(stanfordChain[0]), stanfordChain },
 { 0, CERT_E_CN_NO_MATCH, 0, 0, NULL}, NULL, 0
@@ -4022,7 +4017,7 @@ static void check_ssl_policy(void)
    /* With "www.cs.stanford.edu": match */
    sslPolicyPara.pwszServerName = www_dot_cs_dot_stanford_dot_edu;
    checkChainPolicyStatus(CERT_CHAIN_POLICY_SSL,
-     &stanfordPolicyCheckWithMatchingNameTodo, 0, &oct2009, &policyPara);
+     &stanfordPolicyCheckWithMatchingName, 0, &oct2009, &policyPara);
    /* With "a.cs.stanford.edu": no match */
    sslPolicyPara.pwszServerName = a_dot_cs_dot_stanford_dot_edu;
    checkChainPolicyStatus(CERT_CHAIN_POLICY_SSL,