Include TA in checks/callback with partial chains.
authorDr. Stephen Henson <steve@openssl.org>
Fri, 14 Feb 2014 15:07:01 +0000 (15:07 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Fri, 14 Feb 2014 15:07:01 +0000 (15:07 +0000)
When a chain is complete and ends in a trusted root checks are also
performed on the TA and the callback notified with ok==1. For
consistency do the same for chains where the TA is not self signed.

crypto/x509/x509_vfy.c

index 8129fa0..869a4f2 100644 (file)
@@ -1755,7 +1755,7 @@ static int internal_verify(X509_STORE_CTX *ctx)
                xs=xi;
        else
                {
-               if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN && n == 0)
+               if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN)
                        {
                        xs = xi;
                        goto check_cert;