PR: 2606
[openssl.git] / crypto / x509 / x509_vfy.c
index 70011fd73316cce7e79591b97919a0b055aae962..18048da68c7fea7bd53ead71a5a4fed4be9a77d4 100644 (file)
@@ -215,6 +215,21 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
                /* If we are self signed, we break */
                if (cert_self_signed(x))
                        break;
+               /* If asked see if we can find issuer in trusted store first */
+               if (ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST)
+                       {
+                       ok = ctx->get_issuer(&xtmp, ctx, x);
+                       if (ok < 0)
+                               return ok;
+                       /* If successful for now free up cert so it
+                        * will be picked up again later.
+                        */
+                       if (ok > 0)
+                               {
+                               X509_free(xtmp);
+                               break;
+                               }
+                       }
 
                /* If we were passed a cert chain, use it first */
                if (ctx->untrusted != NULL)
@@ -424,6 +439,21 @@ static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer)
 {
        int ret;
        ret = X509_check_issued(issuer, x);
+       if (ret == X509_V_OK)
+               {
+               int i;
+               X509 *ch;
+               for (i = 0; i < sk_X509_num(ctx->chain); i++)
+                       {
+                       ch = sk_X509_value(ctx->chain, i);
+                       if (ch == issuer || !X509_cmp(ch, issuer))
+                               {
+                               ret = X509_V_ERR_PATH_LOOP;
+                               break;
+                               }
+                       }
+               }
+
        if (ret == X509_V_OK)
                return 1;
        /* If we haven't asked for issuer errors don't set ctx */
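Review bot: The loop-detection result on line 39 is stored in `ret` and then falls into the pre-existing issuer-error handling below the hunk, which — if that path still routes non-OK results through the verify callback when X509_V_FLAG_CB_ISSUER_CHECK is set (check_issued continues outside the hunk) — lets a permissive callback turn X509_V_ERR_PATH_LOOP back into success and re-enable the cycle this code is meant to stop. A loop is a structural condition rather than a policy decision, so consider short-circuiting it before the callback: `if (ret == X509_V_ERR_PATH_LOOP) { ctx->error = ret; return 0; }`. Also worth confirming is that no caller passes a certificate as its own issuer (a self-issued check); with this hunk any such call now reports a path loop because `x` itself is already on `ctx->chain`. The `ch == issuer ||` pointer test is only a short-circuit for `X509_cmp`, which is fine but could carry a one-word comment so it is not mistaken for a separate condition.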
@@ -715,6 +745,7 @@ static int check_cert(X509_STORE_CTX *ctx)
        x = sk_X509_value(ctx->chain, cnum);
        ctx->current_cert = x;
        ctx->current_issuer = NULL;
+       ctx->current_crl_score = 0;
        ctx->current_reasons = 0;
        while (ctx->current_reasons != CRLDP_ALL_REASONS)
                {
@@ -1743,7 +1774,7 @@ int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time)
        atm.length=sizeof(buff2);
        atm.data=(unsigned char *)buff2;
 
-       if (X509_time_adj(&atm,-offset*60, cmp_time) == NULL)
+       if (X509_time_adj(&atm, offset*60, cmp_time) == NULL)
                return 0;
 
        if (ctm->type == V_ASN1_UTCTIME)
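Review bot: The sign change on line 61 fixes the direction in which the parsed zone offset is applied, but nothing in the code records which direction is correct, so the next reader has no way to tell this line from the previous bug. Since `offset` is derived from the time string's zone designator earlier in X509_cmp_time (outside the hunk), a comment such as `/* offset is the +hhmm/-hhmm zone designator in minutes; apply it with its own sign so both times are compared in the same reference frame */` would pin the intent. It is worth noting in the commit description that the old sign moved the comparison instant by twice the zone offset, which widens or narrows the certificate validity window by up to a day's worth of hours for non-UTC encoded times; a regression test with a non-`Z` time string would lock this in.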
@@ -2027,6 +2058,9 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
        ctx->error_depth=0;
        ctx->current_cert=NULL;
        ctx->current_issuer=NULL;
+       ctx->current_crl=NULL;
+       ctx->current_crl_score=0;
+       ctx->current_reasons=0;
        ctx->tree = NULL;
        ctx->parent = NULL;
 
@@ -2046,7 +2080,7 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
        if (store)
                ret = X509_VERIFY_PARAM_inherit(ctx->param, store->param);
        else
-               ctx->param->flags |= X509_VP_FLAG_DEFAULT|X509_VP_FLAG_ONCE;
+               ctx->param->inh_flags |= X509_VP_FLAG_DEFAULT|X509_VP_FLAG_ONCE;
 
        if (store)
                {
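Review bot: Line 80 moves the X509_VP_FLAG_DEFAULT|X509_VP_FLAG_ONCE bits from `flags` to `inh_flags`, which is the right field, but the hunk does not say why the old line was dangerous: the X509_VP_FLAG_* inheritance bits occupy the same low bit positions as X509_V_FLAG_* verification bits, so writing them into `flags` silently enabled unrelated verification options (if I recall the layout, X509_V_FLAG_CB_ISSUER_CHECK and X509_V_FLAG_IGNORE_CRITICAL) whenever a context was initialised without a store. A short comment would stop this regressing, e.g. `/* inh_flags, not flags: VP bits control parameter inheritance and must never be OR-ed into the X509_V_FLAG_* set */`. Given the store-less path is the one that previously misbehaved, a test that initialises a context with `store == NULL` and asserts `X509_VERIFY_PARAM_get_flags(ctx->param) == 0` would be a cheap guard; X509_STORE_CTX_init continues beyond the hunk.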