diff options
author | Viktor Dukhovni <openssl-users@dukhovni.org> | 2016-11-25 00:38:04 -0500 |
---|---|---|
committer | Viktor Dukhovni <openssl-users@dukhovni.org> | 2016-12-02 19:34:20 -0500 |
commit | 72ea4b8de29bd29dcc44b3d3a73660fe4d1bba40 (patch) | |
tree | b44ac0cff9cdf4b23979a5849b293b2aa7f2fe00 /crypto/x509 | |
parent | 9fa506681c842bf9b27ddf4ea8579c4695be3bfa (diff) |
Restore last-resort expired untrusted intermediate issuers
Reviewed-by: Matt Caswell <matt@openssl.org>
Diffstat (limited to 'crypto/x509')
-rw-r--r-- | crypto/x509/x509_vfy.c | 15 |
1 files changed, 8 insertions, 7 deletions
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index 9fbef116be..ebc4424005 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -308,16 +308,17 @@ int X509_verify_cert(X509_STORE_CTX *ctx) static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x) { int i; + X509 *issuer, *rv = NULL; for (i = 0; i < sk_X509_num(sk); i++) { - X509 *issuer = sk_X509_value(sk, i); - - if (!ctx->check_issued(ctx, x, issuer)) - continue; - if (x509_check_cert_time(ctx, issuer, -1)) - return issuer; + issuer = sk_X509_value(sk, i); + if (ctx->check_issued(ctx, x, issuer)) { + rv = issuer; + if (x509_check_cert_time(ctx, rv, -1)) + break; + } } - return NULL; + return rv; } /* Given a possible certificate and issuer check them */ |