crypt32: Support IPv6 addresses in name constraint comparison.
This commit is contained in:
parent
bcb4bc6be3
commit
24399bd359
|
@ -548,9 +548,13 @@ static BOOL ip_address_matches(const CRYPT_DATA_BLOB *constraint,
|
|||
TRACE("(%d, %p), (%d, %p)\n", constraint->cbData, constraint->pbData,
|
||||
name->cbData, name->pbData);
|
||||
|
||||
if (constraint->cbData != sizeof(DWORD) * 2)
|
||||
/* RFC5280, section 4.2.1.10, iPAddress syntax: either 8 or 32 bytes, for
|
||||
* IPv4 or IPv6 addresses, respectively.
|
||||
*/
|
||||
if (constraint->cbData != sizeof(DWORD) * 2 && constraint->cbData != 32)
|
||||
*trustErrorStatus |= CERT_TRUST_INVALID_NAME_CONSTRAINTS;
|
||||
else if (name->cbData == sizeof(DWORD))
|
||||
else if (name->cbData == sizeof(DWORD) &&
|
||||
constraint->cbData == sizeof(DWORD) * 2)
|
||||
{
|
||||
DWORD subnet, mask, addr;
|
||||
|
||||
|
@ -562,6 +566,19 @@ static BOOL ip_address_matches(const CRYPT_DATA_BLOB *constraint,
|
|||
*/
|
||||
match = (subnet & mask) == (addr & mask);
|
||||
}
|
||||
else if (name->cbData == 16 && constraint->cbData == 32)
|
||||
{
|
||||
const BYTE *subnet, *mask, *addr;
|
||||
DWORD i;
|
||||
|
||||
subnet = constraint->pbData;
|
||||
mask = constraint->pbData + 16;
|
||||
addr = name->pbData;
|
||||
match = TRUE;
|
||||
for (i = 0; match && i < 16; i++)
|
||||
if ((subnet[i] & mask[i]) != (addr[i] & mask[i]))
|
||||
match = FALSE;
|
||||
}
|
||||
/* else: name is wrong size, no match */
|
||||
|
||||
return match;
|
||||
|
|
Loading…
Reference in New Issue