]> granicus.if.org Git - openssl/commitdiff
Check chain is not NULL before assuming we have a validated chain.
authorDr. Stephen Henson <steve@openssl.org>
Sat, 15 Dec 2012 02:58:00 +0000 (02:58 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Sat, 15 Dec 2012 02:58:00 +0000 (02:58 +0000)
The modification to the OCSP helper purpose breaks normal OCSP verification.
It is no longer needed now we can trust partial chains.

crypto/ocsp/ocsp_vfy.c
crypto/x509v3/v3_purp.c

index 2f7f59c59acb4c7af9f6ef5efe4b87f1eff15ef6..f7cd36beb7fd5cdb65dc0c6486a42bad3f79cdfc 100644 (file)
@@ -109,7 +109,7 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
                 * (If the signer is a root certificate, X509_verify_cert()
                 * would fail anyway!)
                 */
-               if (chain == certs) goto verified_chain;
+               if (chain && chain == certs) goto verified_chain;
 
                /* If we trust some "other" certificates, allow partial
                 * chains (because some of them might be
index 9b19b362b9b0b5e40ce70dd16c0089d1a3356117..6c40c7dfc318e4b46fc20d38581ad3656e344b5e 100644 (file)
@@ -87,7 +87,7 @@ static X509_PURPOSE xstandard[] = {
        {X509_PURPOSE_SMIME_ENCRYPT, X509_TRUST_EMAIL, 0, check_purpose_smime_encrypt, "S/MIME encryption", "smimeencrypt", NULL},
        {X509_PURPOSE_CRL_SIGN, X509_TRUST_COMPAT, 0, check_purpose_crl_sign, "CRL signing", "crlsign", NULL},
        {X509_PURPOSE_ANY, X509_TRUST_DEFAULT, 0, no_check, "Any Purpose", "any", NULL},
-       {X509_PURPOSE_OCSP_HELPER, X509_TRUST_OCSP_SIGN, 0, ocsp_helper, "OCSP helper", "ocsphelper", NULL},
+       {X509_PURPOSE_OCSP_HELPER, X509_TRUST_COMPAT, 0, ocsp_helper, "OCSP helper", "ocsphelper", NULL},
        {X509_PURPOSE_TIMESTAMP_SIGN, X509_TRUST_TSA, 0, check_purpose_timestamp_sign, "Time Stamp signing", "timestampsign", NULL},
 };