From e9754726d236b74476cd0be5fa60acfef0c7024f Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Sat, 15 Dec 2012 02:58:00 +0000 Subject: Check chain is not NULL before assuming we have a validated chain. The modification to the OCSP helper purpose breaks normal OCSP verification. It is no longer needed now we can trust partial chains. --- crypto/ocsp/ocsp_vfy.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'crypto/ocsp/ocsp_vfy.c') diff --git a/crypto/ocsp/ocsp_vfy.c b/crypto/ocsp/ocsp_vfy.c index 2f7f59c59a..f7cd36beb7 100644 --- a/crypto/ocsp/ocsp_vfy.c +++ b/crypto/ocsp/ocsp_vfy.c @@ -109,7 +109,7 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, * (If the signer is a root certificate, X509_verify_cert() * would fail anyway!) */ - if (chain == certs) goto verified_chain; + if (chain && chain == certs) goto verified_chain; /* If we trust some "other" certificates, allow partial * chains (because some of them might be -- cgit v1.2.1
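Review bot: the comment above the `if (chain && chain == certs) goto verified_chain;` test in OCSP_basic_verify should say why the NULL check is there, since it still only covers the root-certificate case. With the old `chain == certs` comparison, a caller passing `certs` as NULL while `chain` was also NULL satisfied the equality and reached `verified_chain` as if a chain had been validated. Add one sentence to that comment stating that a NULL chain must never be treated as verified, and add a regression test that calls OCSP_basic_verify with `certs` set to NULL and expects it not to take the verified_chain path. The commit message also describes dropping a modification to the OCSP helper purpose, which does not appear in this one-line change to crypto/ocsp/ocsp_vfy.c; if that change lives elsewhere, the message should name where, or the two changes should be split so the NULL-check fix can be reviewed and backported on its own.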