authorDr. Stephen Henson <steve@openssl.org>2013-09-08 19:26:59 +0100
committerDr. Stephen Henson <steve@openssl.org>2013-09-08 21:25:10 +0100
commit5117d50b7ecf9e7eedde15d5f5a88c473bff6773 (patch)
treeb52e747259c524c4f332b2623a26291ef9e7a956 /crypto/x509
parent593605d3ec53ad61b8abe038a89bc763d89a354e (diff)
Partial path fix.
When verifying a partial path, always check whether the EE certificate is explicitly trusted: the path could contain other untrusted certificates. (cherry picked from commit 52073b76753815ef1dcc3ab3f9dba75803f717f4)
Diffstat (limited to 'crypto/x509')
-rw-r--r--crypto/x509/x509_vfy.c19
1 files changed, 8 insertions, 11 deletions
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index d4820c0076..f5bcec352a 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -759,20 +759,17 @@ static int check_trust(X509_STORE_CTX *ctx)
*/
if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN)
{
+ X509 *mx;
if (ctx->last_untrusted < sk_X509_num(ctx->chain))
return X509_TRUST_TRUSTED;
- if (sk_X509_num(ctx->chain) == 1)
+ x = sk_X509_value(ctx->chain, 0);
+ mx = lookup_cert_match(ctx, x);
+ if (mx)
{
- X509 *mx;
- x = sk_X509_value(ctx->chain, 0);
- mx = lookup_cert_match(ctx, x);
- if (mx)
- {
- (void)sk_X509_set(ctx->chain, 0, mx);
- X509_free(x);
- ctx->last_untrusted = 0;
- return X509_TRUST_TRUSTED;
- }
+ (void)sk_X509_set(ctx->chain, 0, mx);
+ X509_free(x);
+ ctx->last_untrusted = 0;
+ return X509_TRUST_TRUSTED;
}
}