From 52073b76753815ef1dcc3ab3f9dba75803f717f4 Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson" <steve@openssl.org>
Date: Sun, 8 Sep 2013 19:26:59 +0100
Subject: Partial path fix.

When verifying a partial path always check to see if the EE certificate
is explicitly trusted: the path could contain other untrusted certificates.
---
 crypto/x509/x509_vfy.c | 19 ++++++++-----------
 1 file changed, 8 insertions(+), 11 deletions(-)

(limited to 'crypto/x509')

diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index fe7ca83ae7..eaab34737e 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -787,20 +787,17 @@ static int check_trust(X509_STORE_CTX *ctx)
 	 */
 	if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN)
 		{
+		X509 *mx;
 		if (ctx->last_untrusted < sk_X509_num(ctx->chain))
 			return X509_TRUST_TRUSTED;
-		if (sk_X509_num(ctx->chain) == 1)
+		x = sk_X509_value(ctx->chain, 0);
+		mx = lookup_cert_match(ctx, x);
+		if (mx)
 			{
-			X509 *mx;
-			x = sk_X509_value(ctx->chain, 0);
-			mx = lookup_cert_match(ctx, x);
-			if (mx)
-				{
-				(void)sk_X509_set(ctx->chain, 0, mx);
-				X509_free(x);
-				ctx->last_untrusted = 0;
-				return X509_TRUST_TRUSTED;
-				}
+			(void)sk_X509_set(ctx->chain, 0, mx);
+			X509_free(x);
+			ctx->last_untrusted = 0;
+			return X509_TRUST_TRUSTED;
 			}
 		}
 
-- 
cgit v1.2.3