From bdcadca24e65ac3cd59a75bf748b22c46ec98fdc Mon Sep 17 00:00:00 2001 From: Viktor Dukhovni Date: Thu, 14 Jan 2016 14:34:50 -0500 Subject: [PATCH] Fix last-resort depth 0 check when the chain has multiple certificates Reviewed-by: Rich Salz --- crypto/x509/x509_vfy.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index c395acc012..24ca9e347d 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -580,7 +580,11 @@ static int check_trust(X509_STORE_CTX *ctx, int num_untrusted) int num = sk_X509_num(ctx->chain); int trust; - if (DANETLS_HAS_TA(dane) && num_untrusted > 0) { + /* + * Check for a DANE issuer at depth 1 or greater, if it is a DANE-TA(2) + * match, we're done, otherwise we'll merely record the match depth. + */ + if (DANETLS_HAS_TA(dane) && num_untrusted > 0 && num_untrusted < num) { switch (trust = check_dane_issuer(ctx, num_untrusted)) { case X509_TRUST_TRUSTED: case X509_TRUST_REJECTED: @@ -614,12 +618,13 @@ static int check_trust(X509_STORE_CTX *ctx, int num_untrusted) return X509_TRUST_UNTRUSTED; } - if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) { + if (num_untrusted > num && ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) { /* * Last-resort call with no new trusted certificates, check the leaf * for a direct trust store match. */ - x = sk_X509_value(ctx->chain, 0); + i = 0; + x = sk_X509_value(ctx->chain, i); mx = lookup_cert_match(ctx, x); if (!mx) return X509_TRUST_UNTRUSTED; @@ -2894,7 +2899,7 @@ static int build_chain(X509_STORE_CTX *ctx) trust = check_dane_pkeys(ctx); if (trust == X509_TRUST_UNTRUSTED && sk_X509_num(ctx->chain) == ctx->num_untrusted) - trust = check_trust(ctx, 1); + trust = check_trust(ctx, ctx->num_untrusted+1); } switch (trust) { -- 2.25.1