Partial path fix.

When verifying a partial path always check to see if the EE certificate
is explicitly trusted: the path could contain other untrusted certificates.

diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index fe7ca83ae7b20ccd512ef14533ecf36275295acb..eaab34737e51e812373261781f38cfcd3de01b78 100644 (file)
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -787,20 +787,17 @@ static int check_trust(X509_STORE_CTX *ctx)
         */
        if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN)
                {
+               X509 *mx;
                if (ctx->last_untrusted < sk_X509_num(ctx->chain))
                        return X509_TRUST_TRUSTED;
-               if (sk_X509_num(ctx->chain) == 1)
+               x = sk_X509_value(ctx->chain, 0);
+               mx = lookup_cert_match(ctx, x);
+               if (mx)
                        {
-                       X509 *mx;
-                       x = sk_X509_value(ctx->chain, 0);
-                       mx = lookup_cert_match(ctx, x);
-                       if (mx)
-                               {
-                               (void)sk_X509_set(ctx->chain, 0, mx);
-                               X509_free(x);
-                               ctx->last_untrusted = 0;
-                               return X509_TRUST_TRUSTED;
-                               }
+                       (void)sk_X509_set(ctx->chain, 0, mx);
+                       X509_free(x);
+                       ctx->last_untrusted = 0;
+                       return X509_TRUST_TRUSTED;
                        }
                }