#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include <openssl/objects.h>
-#include "vpm_int.h"
+#include "x509_lcl.h"
/* CRL score values */
/* If explicitly rejected error */
if (i == X509_TRUST_REJECTED)
goto end;
- /* If not explicitly trusted then indicate error */
- if (i != X509_TRUST_TRUSTED)
+ /* If not explicitly trusted then indicate error unless it's
+ * a single self signed certificate in which case we've indicated
+ * an error already and set bad_chain == 1
+ */
+ if (i != X509_TRUST_TRUSTED && !bad_chain)
{
if ((chain_ss == NULL) || !ctx->check_issued(ctx, x, chain_ss))
{
static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer)
{
int ret;
+ if (x == issuer)
+ return cert_self_signed(x);
ret = X509_check_issued(issuer, x);
if (ret == X509_V_OK)
{
X509_VERIFY_PARAM *vpm = ctx->param;
X509_VERIFY_PARAM_ID *id = vpm->id;
X509 *x = ctx->cert;
- if (id->host && !X509_check_host(x, id->host, id->hostlen, 0))
+ if (id->host && !X509_check_host(x, id->host, id->hostlen,
+ id->hostflags))
{
if (!check_id_error(ctx, X509_V_ERR_HOSTNAME_MISMATCH))
return 0;
xs=xi;
else
{
- if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN && n == 0)
+ if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN)
{
xs = xi;
goto check_cert;