Fix verify algorithm.

Disable loop checking when we retry verification with an alternative path. This fixes the case where an intermediate CA is explicitly trusted and part of the untrusted certificate list. By disabling loop checking for this case the untrusted CA can be replaced by the explicitly trusted case and verification will succeed. Reviewed-by: N Matt Caswell <matt@openssl.org>

Fix verify algorithm.
Disable loop checking when we retry verification with an alternative path. This fixes the case where an intermediate CA is explicitly trusted and part of the untrusted certificate list. By disabling loop checking for this case the untrusted CA can be replaced by the explicitly trusted case and verification will succeed. Reviewed-by: N Matt Caswell <matt@openssl.org>
e5991ec5 · Dr. Stephen Henson · 2e430277 · e5991ec5
隐藏空白更改
内联并排

Showing with 8 addition and 0 deletion

crypto/x509/x509_vfy.c crypto/x509/x509_vfy.c +8 -0

未找到文件。
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -365,8 +365,16 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
            && !(ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST)
            && !(ctx->param->flags & X509_V_FLAG_NO_ALT_CHAINS)) {
            while (j-- > 1) {
+                STACK_OF(X509) *chtmp = ctx->chain;
                xtmp2 = sk_X509_value(ctx->chain, j - 1);
+                /*
+                 * Temporarily set chain to NULL so we don't discount
+                 * duplicates: the same certificate could be an untrusted
+                 * CA found in the trusted store.
+                 */
+                ctx->chain = NULL;
                ok = ctx->get_issuer(&xtmp, ctx, xtmp2);
+                ctx->chain = chtmp;
                if (ok < 0)
                    goto end;
                /* Check if we found an alternate chain */