Partial path fix.
authorDr. Stephen Henson <steve@openssl.org>
Sun, 8 Sep 2013 18:26:59 +0000 (19:26 +0100)
committerDr. Stephen Henson <steve@openssl.org>
Sun, 8 Sep 2013 18:26:59 +0000 (19:26 +0100)
When verifying a partial path always check to see if the EE certificate
is explicitly trusted: the path could contain other untrusted certificates.

crypto/x509/x509_vfy.c

index fe7ca83..eaab347 100644 (file)
@@ -787,20 +787,17 @@ static int check_trust(X509_STORE_CTX *ctx)
         */
        if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN)
                {
+               X509 *mx;
                if (ctx->last_untrusted < sk_X509_num(ctx->chain))
                        return X509_TRUST_TRUSTED;
-               if (sk_X509_num(ctx->chain) == 1)
+               x = sk_X509_value(ctx->chain, 0);
+               mx = lookup_cert_match(ctx, x);
+               if (mx)
                        {
-                       X509 *mx;
-                       x = sk_X509_value(ctx->chain, 0);
-                       mx = lookup_cert_match(ctx, x);
-                       if (mx)
-                               {
-                               (void)sk_X509_set(ctx->chain, 0, mx);
-                               X509_free(x);
-                               ctx->last_untrusted = 0;
-                               return X509_TRUST_TRUSTED;
-                               }
+                       (void)sk_X509_set(ctx->chain, 0, mx);
+                       X509_free(x);
+                       ctx->last_untrusted = 0;
+                       return X509_TRUST_TRUSTED;
                        }
                }