authorViktor Dukhovni <openssl-users@dukhovni.org>2016-11-25 00:38:04 -0500
committerViktor Dukhovni <openssl-users@dukhovni.org>2016-12-02 19:34:20 -0500
commit72ea4b8de29bd29dcc44b3d3a73660fe4d1bba40 (patch)
treeb44ac0cff9cdf4b23979a5849b293b2aa7f2fe00 /crypto/x509
parent9fa506681c842bf9b27ddf4ea8579c4695be3bfa (diff)
Restore last-resort expired untrusted intermediate issuers
Reviewed-by: Matt Caswell <matt@openssl.org>
Diffstat (limited to 'crypto/x509')
-rw-r--r--crypto/x509/x509_vfy.c15
1 files changed, 8 insertions, 7 deletions
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 9fbef116be..ebc4424005 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -308,16 +308,17 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x)
{
int i;
+ X509 *issuer, *rv = NULL;
for (i = 0; i < sk_X509_num(sk); i++) {
- X509 *issuer = sk_X509_value(sk, i);
-
- if (!ctx->check_issued(ctx, x, issuer))
- continue;
- if (x509_check_cert_time(ctx, issuer, -1))
- return issuer;
+ issuer = sk_X509_value(sk, i);
+ if (ctx->check_issued(ctx, x, issuer)) {
+ rv = issuer;
+ if (x509_check_cert_time(ctx, rv, -1))
+ break;
+ }
}
- return NULL;
+ return rv;
}
/* Given a possible certificate and issuer check them */
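Review bot: After this change find_issuer() can return an issuer that failed x509_check_cert_time(), at `return rv;`, and no comment in the hunk states that new contract. Because `rv = issuer;` runs on every match, the fallback when no candidate is currently valid is the last matching entry in sk, so the choice depends on stack order. I would document this above the function, for example `/* Return the first issuer of x in sk that is currently valid; if none is, return the last matching one, which may be expired or not yet valid. */`. The comment should also say that the result is only a chain-building candidate and that rejecting an out-of-date issuer is left to the later validity checks. Those checks are not visible in this hunk, so it is worth confirming that every caller reaches them before the chain is accepted.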