authorDr. Stephen Henson <steve@openssl.org>2013-09-08 19:26:59 +0100
committerDr. Stephen Henson <steve@openssl.org>2013-09-08 19:26:59 +0100
commit52073b76753815ef1dcc3ab3f9dba75803f717f4 (patch)
tree678eedc2468194d38aacebd90daf2bf6be589103 /crypto/x509
parenta6e7d1c0e3dbe3b1269814844594d47be9006de1 (diff)
downloadopenssl-52073b76753815ef1dcc3ab3f9dba75803f717f4.tar.gz
Partial path fix.
When verifying a partial path, always check whether the EE certificate is explicitly trusted: the path could contain other untrusted certificates.
Diffstat (limited to 'crypto/x509')
-rw-r--r--crypto/x509/x509_vfy.c19
1 files changed, 8 insertions, 11 deletions
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index fe7ca83ae7..eaab34737e 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -787,20 +787,17 @@ static int check_trust(X509_STORE_CTX *ctx)
*/
if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN)
{
+ X509 *mx;
if (ctx->last_untrusted < sk_X509_num(ctx->chain))
return X509_TRUST_TRUSTED;
- if (sk_X509_num(ctx->chain) == 1)
+ x = sk_X509_value(ctx->chain, 0);
+ mx = lookup_cert_match(ctx, x);
+ if (mx)
{
- X509 *mx;
- x = sk_X509_value(ctx->chain, 0);
- mx = lookup_cert_match(ctx, x);
- if (mx)
- {
- (void)sk_X509_set(ctx->chain, 0, mx);
- X509_free(x);
- ctx->last_untrusted = 0;
- return X509_TRUST_TRUSTED;
- }
+ (void)sk_X509_set(ctx->chain, 0, mx);
+ X509_free(x);
+ ctx->last_untrusted = 0;
+ return X509_TRUST_TRUSTED;
}
}