Fix verify algorithm.
[openssl.git] / crypto / x509 / x509_vfy.c
index bb6e1ce9af990c8a83716e1d73efa9c53a5dd9c7..61f02b58a646700bd11841738f55f603de96dbaa 100644 (file)
@@ -365,8 +365,16 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
             && !(ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST)
             && !(ctx->param->flags & X509_V_FLAG_NO_ALT_CHAINS)) {
             while (j-- > 1) {
+                STACK_OF(X509) *chtmp = ctx->chain;
                 xtmp2 = sk_X509_value(ctx->chain, j - 1);
+                /*
+                 * Temporarily set chain to NULL so we don't discount
+                 * duplicates: the same certificate could be an untrusted
+                 * CA found in the trusted store.
+                 */
+                ctx->chain = NULL;
                 ok = ctx->get_issuer(&xtmp, ctx, xtmp2);
+                ctx->chain = chtmp;
                 if (ok < 0)
                     goto end;
                 /* Check if we found an alternate chain */