From: Dr. Stephen Henson
Date: Sun, 8 Sep 2013 18:26:59 +0000 (+0100)
Subject: Partial path fix.
X-Git-Tag: master-post-reformat~1192
X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=52073b76753815ef1dcc3ab3f9dba75803f717f4;p=oweals%2Fopenssl.git

Partial path fix.

When verifying a partial path always check to see if the EE certificate is explicitly trusted: the path could contain other untrusted certificates.
---
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index fe7ca83ae7..eaab34737e 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -787,20 +787,17 @@ static int check_trust(X509_STORE_CTX *ctx)
 */
 if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN)
 {
+ X509 *mx;
 if (ctx->last_untrusted < sk_X509_num(ctx->chain))
 return X509_TRUST_TRUSTED;
- if (sk_X509_num(ctx->chain) == 1)
+ x = sk_X509_value(ctx->chain, 0);
+ mx = lookup_cert_match(ctx, x);
+ if (mx)
 {
- X509 *mx;
- x = sk_X509_value(ctx->chain, 0);
- mx = lookup_cert_match(ctx, x);
- if (mx)
- {
- (void)sk_X509_set(ctx->chain, 0, mx);
- X509_free(x);
- ctx->last_untrusted = 0;
- return X509_TRUST_TRUSTED;
- }
+ (void)sk_X509_set(ctx->chain, 0, mx);
+ X509_free(x);
+ ctx->last_untrusted = 0;
+ return X509_TRUST_TRUSTED;
 }
 }
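Review bot: With the `sk_X509_num(ctx->chain) == 1` guard gone, the `if (mx)` branch can now run on a chain that still holds untrusted certificates after index 0, yet it sets `ctx->last_untrusted = 0` and returns X509_TRUST_TRUSTED without touching those entries. Anything that later walks ctx->chain, or a caller that reads the chain back after verification, would presumably see certificates that were never validated as part of the accepted path; that code is outside this hunk, so this needs confirming. Either drop the leftovers before returning, e.g. `while (sk_X509_num(ctx->chain) > 1) X509_free(sk_X509_pop(ctx->chain));`, or add a comment above the assignment such as `/* EE cert is explicitly trusted; entries after index 0 are unverified leftovers */`. Separately, the result of `sk_X509_set()` is cast to void, so if the replace ever failed, `X509_free(x)` would release a certificate the chain still points to. check_trust begins and continues outside the hunk.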