From 47daa155a31b0a54ce09ad2ed4d55fad74096dab Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Tue, 24 Mar 2015 16:21:21 +0000 Subject: [PATCH] Fix verify algorithm. Disable loop checking when we retry verification with an alternative path. This fixes the case where an intermediate CA is explicitly trusted and part of the untrusted certificate list. By disabling loop checking for this case the untrusted CA can be replaced by the explicitly trusted case and verification will succeed. Signed-off-by: Matt Caswell (cherry picked from commit e5991ec528b1c339062440811e2641f5ea2b328b) Reviewed-by: Rich Salz --- crypto/x509/x509_vfy.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index f3e9c56b09..c0f6a5dfff 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -370,8 +370,16 @@ int X509_verify_cert(X509_STORE_CTX *ctx) && !(ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST) && !(ctx->param->flags & X509_V_FLAG_NO_ALT_CHAINS)) { while (j-- > 1) { + STACK_OF(X509) *chtmp = ctx->chain; xtmp2 = sk_X509_value(ctx->chain, j - 1); + /* + * Temporarily set chain to NULL so we don't discount + * duplicates: the same certificate could be an untrusted + * CA found in the trusted store. + */ + ctx->chain = NULL; ok = ctx->get_issuer(&xtmp, ctx, xtmp2); + ctx->chain = chtmp; if (ok < 0) goto end; /* Check if we found an alternate chain */ -- 2.25.1