From: Nikos Mavrogiannopoulos Date: Sun, 7 Mar 2010 09:33:07 +0000 (+0100) Subject: Removed artificial constrained that prevented end-user certificates, X-Git-Tag: gnutls_2_9_10~57 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=fe2189bf85e8a5d494cd3ee63280aeeedd5503e5;p=thirdparty%2Fgnutls.git Removed artificial constrained that prevented end-user certificates, being added to the trusted list, treated as trusted. Suggestion and patch by Tomas Mraz. --- diff --git a/lib/x509/verify.c b/lib/x509/verify.c index b1fb97c78c..a464596ac6 100644 --- a/lib/x509/verify.c +++ b/lib/x509/verify.c @@ -440,10 +440,10 @@ _gnutls_x509_verify_certificate (const gnutls_x509_crt_t * certificate_list, * one of the certs we trust and all the certs after that i.e. if * cert chain is A signed-by B signed-by C signed-by D (signed-by * self-signed E but already removed above), and we trust B, remove - * B, C and D. We must leave the first cert on chain. */ - if (clist_size > 1 && !(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_SAME)) + * B, C and D. */ + if (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_SAME)) { - for (i = 1; i < clist_size; i++) + for (i = 0; i < clist_size; i++) { int j; @@ -460,6 +460,11 @@ _gnutls_x509_verify_certificate (const gnutls_x509_crt_t * certificate_list, } } + if (clist_size == 0) + /* The certificate is already present in the trusted certificate list. + * Nothing to verify. */ + return status; + /* Verify the last certificate in the certificate path * against the trusted CA certificate list. *