Skip to content

Commit

Permalink
Partial path fix.
Browse files Browse the repository at this point in the history 
When verifying a partial path always check to see if the EE certificate
is explicitly trusted: the path could contain other untrusted certificates.
  • Loading branch information
@snhenson
snhenson committed Sep 8, 2013
1 parent a6e7d1c commit 52073b7
Showing 1 changed file with 8 additions and 11 deletions.
19 changes: 8 additions & 11 deletions crypto/x509/x509_vfy.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -787,20 +787,17 @@ static int check_trust(X509_STORE_CTX *ctx)
*/
if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN)
{
X509 *mx;
if (ctx->last_untrusted < sk_X509_num(ctx->chain))
return X509_TRUST_TRUSTED;
if (sk_X509_num(ctx->chain) == 1)
x = sk_X509_value(ctx->chain, 0);
mx = lookup_cert_match(ctx, x);
if (mx)
{
X509 *mx;
x = sk_X509_value(ctx->chain, 0);
mx = lookup_cert_match(ctx, x);
if (mx)
{
(void)sk_X509_set(ctx->chain, 0, mx);
X509_free(x);
ctx->last_untrusted = 0;
return X509_TRUST_TRUSTED;
}
(void)sk_X509_set(ctx->chain, 0, mx);
X509_free(x);
ctx->last_untrusted = 0;
return X509_TRUST_TRUSTED;
}
}

Expand Down

0 comments on commit 52073b7

Please sign in to comment.