mirror/openssl
2
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2025-01-18 13:44:20 +08:00
Code Issues Packages Projects Releases Wiki Activity

Partial path fix.

Browse Source 
When verifying a partial path always check to see if the EE certificate
is explicitly trusted: the path could contain other untrusted certificates.
(cherry picked from commit 52073b7675)
This commit is contained in:
Dr. Stephen Henson 2013-09-08 19:26:59 +01:00
parent 593605d3ec
commit 5117d50b7e
1 changed files with 8 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
crypto/x509/x509_vfy.c
View File

@ -759,20 +759,17 @@ static int check_trust(X509_STORE_CTX *ctx)
*/
if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN)
{
X509 *mx;
if (ctx->last_untrusted < sk_X509_num(ctx->chain))
return X509_TRUST_TRUSTED;
if (sk_X509_num(ctx->chain) == 1)
x = sk_X509_value(ctx->chain, 0);
mx = lookup_cert_match(ctx, x);
if (mx)
{
X509 *mx;
x = sk_X509_value(ctx->chain, 0);
mx = lookup_cert_match(ctx, x);
if (mx)
{
(void)sk_X509_set(ctx->chain, 0, mx);
X509_free(x);
ctx->last_untrusted = 0;
return X509_TRUST_TRUSTED;
}
(void)sk_X509_set(ctx->chain, 0, mx);
X509_free(x);
ctx->last_untrusted = 0;
return X509_TRUST_TRUSTED;
}
}