From c464875a6d7465fddb14239f7b35bb4ca099019e Mon Sep 17 00:00:00 2001
From: Juan Lang
Date: Tue, 17 Nov 2009 13:57:25 -0800
Subject: [PATCH] crypt32: Accept a certificate if its name matches any permitted subtree of a name constraint.
---
 dlls/crypt32/chain.c | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)
diff --git a/dlls/crypt32/chain.c b/dlls/crypt32/chain.c
index a5b414190b1..72f5e24cc21 100644
--- a/dlls/crypt32/chain.c
+++ b/dlls/crypt32/chain.c
@@ -987,18 +987,21 @@ static void compare_subject_with_constraints(const CERT_NAME_BLOB *subjectName,
 *trustErrorStatus |= CERT_TRUST_HAS_EXCLUDED_NAME_CONSTRAINT;
 }
- for (i = 0; i < nameConstraints->cPermittedSubtree; i++)
+ if (nameConstraints->cPermittedSubtree)
 {
- CERT_ALT_NAME_ENTRY *constraint =
- &nameConstraints->rgPermittedSubtree[i].Base;
+ BOOL match = FALSE;
- if (constraint->dwAltNameChoice == CERT_ALT_NAME_DIRECTORY_NAME)
+ for (i = 0; !match && i < nameConstraints->cPermittedSubtree; i++)
 {
- if (!directory_name_matches(&constraint->u.DirectoryName,
- subjectName))
- *trustErrorStatus |=
- CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT;
+ CERT_ALT_NAME_ENTRY *constraint =
+ &nameConstraints->rgPermittedSubtree[i].Base;
+
+ if (constraint->dwAltNameChoice == CERT_ALT_NAME_DIRECTORY_NAME)
+ match = directory_name_matches(&constraint->u.DirectoryName,
+ subjectName);
 }
+ if (!match)
+ *trustErrorStatus |= CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT;
 }
 }
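Review bot: In the new permitted-subtree block, `match` stays FALSE when the list holds no `CERT_ALT_NAME_DIRECTORY_NAME` entry at all (for example only DNS-name subtrees), so the final `if (!match)` sets `CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT` for every subject; the loop it replaces raised the error only when a directory-name constraint was present and failed to match. RFC 5280 section 4.2.1.10 applies a permitted subtree only to names of the same form, so this fails closed but would reject chains that should validate. Consider recording whether a directory-name subtree was seen: declare `BOOL match = FALSE, haveDirName = FALSE;`, set `haveDirName = TRUE;` in the directory-name branch, and test `if (haveDirName && !match)`. The function begins above the hunk, so whether an empty subject name is filtered out before this point cannot be confirmed from here.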