From bc07c3a1f0403ea65a5c4f52583569c82385dc07 Mon Sep 17 00:00:00 2001
From: Nicholas Wilson
Date: Wed, 13 May 2015 10:40:30 +0100
Subject: [PATCH] fix minor bug in path_cnt checks

If the top certificate occurs twice in trust_ca (for example) it would not be good for the second instance to be checked with check_path_cnt reduced twice!
---
 library/x509_crt.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/library/x509_crt.c b/library/x509_crt.c
index fe9e552d2..b94f21322 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -1771,7 +1771,7 @@ static int x509_crt_verify_top(
 void *p_vrfy )
 {
 int ret;
- int ca_flags = 0, check_path_cnt = path_cnt + 1;
+ int ca_flags = 0, check_path_cnt;
 unsigned char hash[POLARSSL_MD_MAX_SIZE];
 const md_info_t *md_info;

@@ -1802,8 +1802,10 @@ static int x509_crt_verify_top(
 if( x509_crt_check_parent( child, trust_ca, 1, path_cnt == 0 ) != 0 )
 continue;

+ check_path_cnt = path_cnt + 1;
+
 /*
- * Reduce path_len to check against if top of the chain is
+ * Reduce check_path_cnt to check against if top of the chain is
 * the same as the trusted CA
 */
 if( child->subject_raw.len == trust_ca->subject_raw.len &&
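Review bot: With the initializer dropped from the declaration in the first hunk, `check_path_cnt` stays indeterminate at function scope until the assignment that the second hunk adds inside the trust_ca loop. Nothing visible reads it earlier, but the body of x509_crt_verify_top continues outside both hunks, so any use after the loop, or on a path that skips the loop body, would be an uninitialised read. Since the value only has meaning per candidate, consider narrowing its scope to the loop body with `int check_path_cnt = path_cnt + 1;` as the first declaration in that block, if the loop's layout (not shown here) allows it.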
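Review bot: The added `check_path_cnt = path_cnt + 1;` in the second hunk carries no comment saying why it must be recomputed for every trust_ca candidate, which is the whole point of the fix; a later cleanup could hoist it back out of the loop. A line above it such as `/* Recompute per candidate: the reduction below must not carry over to the next trust_ca entry */` would pin the intent. The diffstat shows only library/x509_crt.c changed, so no regression test accompanies the fix; a case with the chain's top certificate listed twice among the trusted CAs would cover it, since a count reduced twice presumably makes the later path-length comparison (outside this hunk) more lenient than intended. The loop header and the rest of the function lie outside the hunk.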