For self signed root only indicate one error.

author Dr. Stephen Henson <steve@openssl.org>

Mon, 3 Mar 2014 23:33:51 +0000 (23:33 +0000)

committer Dr. Stephen Henson <steve@openssl.org>

Mon, 3 Mar 2014 23:36:46 +0000 (23:36 +0000)
author Dr. Stephen Henson <steve@openssl.org>
Mon, 3 Mar 2014 23:33:51 +0000 (23:33 +0000)
committer Dr. Stephen Henson <steve@openssl.org>
Mon, 3 Mar 2014 23:36:46 +0000 (23:36 +0000)
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c

index 869a4f29e8573aeba6181eaba4d95c7e15d34438..32b07a0306de76cb556baa92ac50d739d6839c60 100644 (file)
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -366,8 +366,11 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
         /* If explicitly rejected error */
         if (i == X509_TRUST_REJECTED)
                 goto end;
         /* If explicitly rejected error */
         if (i == X509_TRUST_REJECTED)
                 goto end;
-       /* If not explicitly trusted then indicate error */
-       if (i != X509_TRUST_TRUSTED)
+       /* If not explicitly trusted then indicate error unless it's
+        * a single self signed certificate in which case we've indicated
+        * an error already and set bad_chain == 1
+        */
+       if (i != X509_TRUST_TRUSTED && !bad_chain)
                 {
                 if ((chain_ss == NULL) || !ctx->check_issued(ctx, x, chain_ss))
                         {
                 {
                 if ((chain_ss == NULL) || !ctx->check_issued(ctx, x, chain_ss))
                         {
author	Dr. Stephen Henson <steve@openssl.org>
	Mon, 3 Mar 2014 23:33:51 +0000 (23:33 +0000)
committer	Dr. Stephen Henson <steve@openssl.org>
	Mon, 3 Mar 2014 23:36:46 +0000 (23:36 +0000)