/*
* If it's not explicitly trusted then check if there is an alternative
* chain that could be used. We only do this if we haven't already
- * checked via TRUSTED_FIRST
+ * checked via TRUSTED_FIRST and the user hasn't switched off alternate
+ * chain checking
*/
retry = 0;
if (i != X509_TRUST_TRUSTED
- && !(ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST)) {
+ && !(ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST)
+ && !(ctx->param->flags & X509_V_FLAG_NO_ALT_CHAINS)) {
while (j-- > 1) {
+ STACK_OF(X509) *chtmp = ctx->chain;
xtmp2 = sk_X509_value(ctx->chain, j - 1);
+ /*
+ * Temporarily set chain to NULL so we don't discount
+ * duplicates: the same certificate could be an untrusted
+ * CA found in the trusted store.
+ */
+ ctx->chain = NULL;
ok = ctx->get_issuer(&xtmp, ctx, xtmp2);
+ ctx->chain = chtmp;
if (ok < 0)
goto end;
/* Check if we found an alternate chain */
}
if (!EVP_PKEY_missing_parameters(ktmp))
break;
- else {
- EVP_PKEY_free(ktmp);
- ktmp = NULL;
- }
+ EVP_PKEY_free(ktmp);
+ ktmp = NULL;
}
if (ktmp == NULL) {
X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,
X509_STORE_CTX *X509_STORE_CTX_new(void)
{
X509_STORE_CTX *ctx;
- ctx = (X509_STORE_CTX *)OPENSSL_malloc(sizeof(X509_STORE_CTX));
+
+ ctx = OPENSSL_malloc(sizeof(X509_STORE_CTX));
if (!ctx) {
X509err(X509_F_X509_STORE_CTX_NEW, ERR_R_MALLOC_FAILURE);
return NULL;
projects / openssl.git / blobdiff