From 54a0076e94dc411e3569bb069dd6d53f95787575 Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson"
Date: Wed, 19 Dec 2012 15:01:32 +0000
Subject: [PATCH] Check chain is not NULL before assuming we have a validated chain.

The modification to the OCSP helper purpose breaks normal OCSP verification. It is no longer needed now we can trust partial chains.
---
 crypto/ocsp/ocsp_vfy.c | 2 +-
 crypto/x509v3/v3_purp.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/crypto/ocsp/ocsp_vfy.c b/crypto/ocsp/ocsp_vfy.c
index 2f7f59c59a..f7cd36beb7 100644
--- a/crypto/ocsp/ocsp_vfy.c
+++ b/crypto/ocsp/ocsp_vfy.c
@@ -109,7 +109,7 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
 	 * (If the signer is a root certificate, X509_verify_cert()
 	 * would fail anyway!)
 	 */
-	if (chain == certs) goto verified_chain;
+	if (chain && chain == certs) goto verified_chain;
 
 	/* If we trust some "other" certificates, allow partial
 	 * chains (because some of them might be
diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c
index b1eeaf9cf1..0774cbf827 100644
--- a/crypto/x509v3/v3_purp.c
+++ b/crypto/x509v3/v3_purp.c
@@ -87,7 +87,7 @@ static X509_PURPOSE xstandard[] = {
 	{X509_PURPOSE_SMIME_ENCRYPT, X509_TRUST_EMAIL, 0, check_purpose_smime_encrypt, "S/MIME encryption", "smimeencrypt", NULL},
 	{X509_PURPOSE_CRL_SIGN, X509_TRUST_COMPAT, 0, check_purpose_crl_sign, "CRL signing", "crlsign", NULL},
 	{X509_PURPOSE_ANY, X509_TRUST_DEFAULT, 0, no_check, "Any Purpose", "any", NULL},
-	{X509_PURPOSE_OCSP_HELPER, X509_TRUST_OCSP_SIGN, 0, ocsp_helper, "OCSP helper", "ocsphelper", NULL},
+	{X509_PURPOSE_OCSP_HELPER, X509_TRUST_COMPAT, 0, ocsp_helper, "OCSP helper", "ocsphelper", NULL},
 	{X509_PURPOSE_TIMESTAMP_SIGN, X509_TRUST_TSA, 0, check_purpose_timestamp_sign, "Time Stamp signing", "timestampsign", NULL},
 };
-- 
2.25.1
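Review bot: The added `chain &&` guard closes a case the surrounding comment does not describe: when no chain was built, `chain` and `certs` can both be NULL and the old `chain == certs` test jumped to verified_chain with nothing verified, yet the comment above still only covers the root-certificate case. I would extend that comment so the guard is not later removed as redundant, e.g. `/* chain is NULL when no chain was built; without the NULL check a NULL certs would compare equal and skip verification */`. That chain can be NULL here is inferred from the commit title, since its assignment lies outside the hunk. Pointer equality between the built chain and the caller's `certs` is an indirect way to express "the caller's certs were accepted as the verified chain"; an explicit flag set where chain is assigned would read more clearly, though that is beyond this fix. OCSP_basic_verify starts and ends outside the hunk.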
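Review bot: The revert to `X509_TRUST_COMPAT` on the OCSP helper entry leaves no trace in the table of why `X509_TRUST_OCSP_SIGN` was tried and dropped, so the next reader of `xstandard[]` may well reinstate it. Add a comment on that entry: `/* X509_TRUST_COMPAT, not X509_TRUST_OCSP_SIGN: the latter broke normal OCSP verification and is unnecessary now partial chains are trusted (see commit message) */`. The `xstandard[]` definition starts outside the hunk; only its closing `};` is visible.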