Diffstat (limited to 'lib/libcrypto/x509/x509_verify.c')
-rw-r--r-- | lib/libcrypto/x509/x509_verify.c | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/lib/libcrypto/x509/x509_verify.c b/lib/libcrypto/x509/x509_verify.c
index dd053ad8122..9073dda31d0 100644
--- a/lib/libcrypto/x509/x509_verify.c
+++ b/lib/libcrypto/x509/x509_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_verify.c,v 1.40 2021/08/18 15:10:46 beck Exp $ */
+/* $OpenBSD: x509_verify.c,v 1.41 2021/08/18 15:32:38 beck Exp $ */
 /*
  * Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org>
  *
@@ -312,7 +312,7 @@ static int
 x509_verify_ctx_validate_legacy_chain(struct x509_verify_ctx *ctx,
  struct x509_verify_chain *chain, size_t depth)
 {
- int ret = 0;
+ int ret = 0, trust;
 
  if (ctx->xsc == NULL)
  return 1;
@@ -330,6 +330,10 @@ x509_verify_ctx_validate_legacy_chain(struct x509_verify_ctx *ctx,
  ctx->xsc->error = X509_V_OK;
  ctx->xsc->error_depth = 0;
 
+ trust = x509_vfy_check_trust(ctx->xsc);
+ if (trust == X509_TRUST_REJECTED)
+ goto err;
+
  if (!x509_verify_ctx_set_xsc_chain(ctx, chain, 0, 1))
  goto err;
 
@@ -354,6 +358,10 @@ x509_verify_ctx_validate_legacy_chain(struct x509_verify_ctx *ctx,
  if (!x509_vfy_check_policy(ctx->xsc))
  goto err;
 
+ if ((!(ctx->xsc->param->flags & X509_V_FLAG_PARTIAL_CHAIN)) &&
+ trust != X509_TRUST_TRUSTED)
+ goto err;
+
  ret = 1;
 err: |
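Review bot: In the @@ -330 hunk, `trust = x509_vfy_check_trust(ctx->xsc);` runs before `x509_verify_ctx_set_xsc_chain(ctx, chain, 0, 1)` has installed `chain` into the legacy store context, so if the trust check walks `xsc->chain` (as the legacy check_trust in x509_vfy.c appears to) it evaluates whatever chain the xsc held before this call rather than the candidate being validated. Moving the three added lines (`trust = x509_vfy_check_trust(ctx->xsc);` / `if (trust == X509_TRUST_REJECTED)` / `goto err;`) to just after the `set_xsc_chain` check would make both the rejection here and the later `trust != X509_TRUST_TRUSTED` test in the @@ -354 hunk apply to the chain actually under review, and `trust` would still be assigned on every path that reaches that later test. It is also worth confirming that an `X509_TRUST_REJECTED` result leaves `xsc->error` set to something other than the `X509_V_OK` assigned two lines above, since otherwise the `goto err` reports a rejected chain with no error code. The body of x509_verify_ctx_validate_legacy_chain starts before this hunk and continues past it.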