Fix OCSP_basic_verify() cert chain construction in case the
author tb <tb@openbsd.org>
Wed, 24 Nov 2021 19:33:24 +0000 (19:33 +0000)
committer tb <tb@openbsd.org>
Wed, 24 Nov 2021 19:33:24 +0000 (19:33 +0000)
OCSP_BASICRESP bs contains no certificates.

From David von Oheimb (OpenSSL 121738d1)

ok beck

lib/libcrypto/ocsp/ocsp_vfy.c

index 0ba906e..f3b4103 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: ocsp_vfy.c,v 1.18 2021/11/24 19:29:19 tb Exp $ */
+/* $OpenBSD: ocsp_vfy.c,v 1.19 2021/11/24 19:33:24 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2000.
  */
@@ -119,8 +119,11 @@ OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, X509_STORE *st,
                                        goto end;
                                }
                        }
-               } else
+               } else if (certs != NULL) {
+                       untrusted = certs;
+               } else {
                        untrusted = bs->certs;
+               }
                init_res = X509_STORE_CTX_init(&ctx, st, signer, untrusted);
                if (!init_res) {
                        ret = -1;
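Review bot: The two new branches make `untrusted` a plain alias of the caller-supplied `certs` or of `bs->certs` with no reference taken, while the branch that precedes them (its start is above this hunk, only its `goto end` failure path is visible) appears to build a stack of its own; the ownership of `untrusted` therefore now depends on which branch ran, and the cleanup at `end`, which is outside this hunk, must free it only in the built case and never when it aliases either input. That split is easy to break on the next edit, so it deserves a comment at the new assignments: `/* Borrowed: untrusted aliases certs or bs->certs here and must not be freed at end. */`. It also means the caller's `certs` must stay valid until X509_STORE_CTX_init()'s verification completes, which holds for this synchronous call but is worth stating in the function's documentation. OCSP_basic_verify() starts and ends outside this hunk.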