-rw-r--r--src/lib/libcrypto/x509/x509_verify.c12
1 files changed, 10 insertions, 2 deletions
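--- a/src/lib/libcrypto/x509/x509_verify.c
+++ b/src/lib/libcrypto/x509/x509_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_verify.c,v 1.40 2021/08/18 15:10:46 beck Exp $ */
+/* $OpenBSD: x509_verify.c,v 1.41 2021/08/18 15:32:38 beck Exp $ */
 /*
  * Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org>
  *
@@ -312,7 +312,7 @@ static int
 x509_verify_ctx_validate_legacy_chain(struct x509_verify_ctx *ctx,
     struct x509_verify_chain *chain, size_t depth)
 {
-	int ret = 0;
+	int ret = 0, trust;
 
 	if (ctx->xsc == NULL)
 		return 1;
@@ -330,6 +330,10 @@ x509_verify_ctx_validate_legacy_chain(struct x509_verify_ctx *ctx,
 	ctx->xsc->error = X509_V_OK;
 	ctx->xsc->error_depth = 0;
 
+	trust = x509_vfy_check_trust(ctx->xsc);
+	if (trust == X509_TRUST_REJECTED)
+		goto err;
+
 	if (!x509_verify_ctx_set_xsc_chain(ctx, chain, 0, 1))
 		goto err;
 
@@ -354,6 +358,10 @@ x509_verify_ctx_validate_legacy_chain(struct x509_verify_ctx *ctx,
 	if (!x509_vfy_check_policy(ctx->xsc))
 		goto err;
 
+	if ((!(ctx->xsc->param->flags & X509_V_FLAG_PARTIAL_CHAIN)) &&
+	    trust != X509_TRUST_TRUSTED)
+		goto err;
+
 	ret = 1;
 
 err: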
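Review bot: The untrusted-chain rejection at new lines 361-363 jumps to err without recording why, so if x509_vfy_check_trust() does not itself set an error for the not-rejected-but-not-trusted case, the caller sees a failed validation with ctx->xsc->error still at the X509_V_OK assigned on line 330, which is hard to diagnose. Unless that helper is known to set the error, I would add `ctx->xsc->error = X509_V_ERR_CERT_UNTRUSTED;` before that `goto err;` (the err label's body is outside the hunk, so I cannot see whether it fills in a default). The ordering is also undocumented: the trust result is obtained on line 333 but only acted on after x509_vfy_check_policy() on line 361, and PARTIAL_CHAIN exempts it; a comment above line 361 such as `/* Untrusted result deferred until after the other checks so their errors are reported first; a partial chain need not end in a trust anchor. */` would save the next reader the inference, and it should be corrected if the deferral has a different reason.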