generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Fix verify algorithm.

Browse Source 
Disable loop checking when we retry verification with an alternative path.
This fixes the case where an intermediate CA is explicitly trusted and part
of the untrusted certificate list. By disabling loop checking for this case
the untrusted CA can be replaced by the explicitly trusted case and
verification will succeed.

Signed-off-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit e5991ec528b1c339062440811e2641f5ea2b328b)

Reviewed-by: Rich Salz <rsalz@openssl.org>
This commit is contained in:
Dr. Stephen Henson 2015-03-24 16:21:21 +00:00 committed by Matt Caswell
parent be856c0391
commit 47daa155a3
1 changed files with 8 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
crypto/x509/x509_vfy.c
View File

@ -370,8 +370,16 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
&& !(ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST)
&& !(ctx->param->flags & X509_V_FLAG_NO_ALT_CHAINS)) {
while (j-- > 1) {
STACK_OF(X509) *chtmp = ctx->chain;
xtmp2 = sk_X509_value(ctx->chain, j - 1);
/*
* Temporarily set chain to NULL so we don't discount
* duplicates: the same certificate could be an untrusted
* CA found in the trusted store.
*/
ctx->chain = NULL;
ok = ctx->get_issuer(&xtmp, ctx, xtmp2);
ctx->chain = chtmp;
if (ok < 0)
goto end;
/* Check if we found an alternate chain */