Remove /* foo.c */ comments

[oweals/openssl.git] / crypto / x509 / x509_trs.c

diff --git a/crypto/x509/x509_trs.c b/crypto/x509/x509_trs.c
index 27ee47590dab89d09091b65e7b82d22752f13b75..58e7d54339854d6c367a858a0c669996715d26d9 100644 (file)
--- a/crypto/x509/x509_trs.c
+++ b/crypto/x509/x509_trs.c
@@ -1,4 +1,3 @@
-/* x509_trs.c */
 /*
  * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
  * 1999.
@@ -116,8 +115,7 @@ int X509_check_trust(X509 *x, int id, int flags)
 {
     X509_TRUST *pt;
     int idx;
-    if (id == -1)
-        return 1;
+
     /* We get this as a default value */
     if (id == 0) {
         int rv;
@@ -313,6 +311,21 @@ static int obj_trust(int id, X509 *x, int flags)
             if (OBJ_obj2nid(obj) == id)
                 return X509_TRUST_TRUSTED;
         }
+        /*
+         * Reject when explicit trust EKU are set and none match.
+         *
+         * Returning untrusted is enough for for full chains that end in
+         * self-signed roots, because when explicit trust is specified it
+         * suppresses the default blanket trust of self-signed objects.
+         *
+         * But for partial chains, this is not enough, because absent a similar
+         * trust-self-signed policy, non matching EKUs are indistinguishable
+         * from lack of EKU constraints.
+         *
+         * Therefore, failure to match any trusted purpose must trigger an
+         * explicit reject.
+         */
+        return X509_TRUST_REJECTED;
     }
     return X509_TRUST_UNTRUSTED;
 }