From 2b1ad87fb7a4dca3f0c181fc0d3cc322c1cbe326 Mon Sep 17 00:00:00 2001
From: tb
Date: Wed, 24 Nov 2021 19:33:24 +0000
Subject: [PATCH] Fix OCSP_basic_verify() cert chain construction in case the OCSP_BASICRESP bs contains no certificates. From David von Oheimb (OpenSSL 121738d1) ok beck
---
 lib/libcrypto/ocsp/ocsp_vfy.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/lib/libcrypto/ocsp/ocsp_vfy.c b/lib/libcrypto/ocsp/ocsp_vfy.c
index 0ba906efb1c..f3b41032d8a 100644
--- a/lib/libcrypto/ocsp/ocsp_vfy.c
+++ b/lib/libcrypto/ocsp/ocsp_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ocsp_vfy.c,v 1.18 2021/11/24 19:29:19 tb Exp $ */
+/* $OpenBSD: ocsp_vfy.c,v 1.19 2021/11/24 19:33:24 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2000.
 */
@@ -119,8 +119,11 @@ OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, X509_STORE *st,
 goto end;
 }
 }
- } else
+ } else if (certs != NULL) {
+ untrusted = certs;
+ } else {
 untrusted = bs->certs;
+ }
 init_res = X509_STORE_CTX_init(&ctx, st, signer, untrusted);
 if (!init_res) {
 ret = -1;
--
2.20.1
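Review bot: The new `else if (certs != NULL)` and `else` branches leave `untrusted` pointing at a stack this function does not own (the caller's `certs` or `bs->certs`), while the branch just above, which can `goto end` on failure, presumably builds a separate stack; that ownership difference deserves a comment so the cleanup stays correct. I would add `/* untrusted aliases certs or bs->certs here: borrowed, must not be freed at end */` above `untrusted = certs;`. The `end:` cleanup and the start of the preceding branch are outside this hunk, so confirm that any free there is still conditioned on the stack having been built locally, otherwise a caller-owned stack would be freed. A regression test that verifies a response with no embedded certificates against a caller-supplied `certs` would pin the case this commit fixes.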