author | Viktor Dukhovni <openssl-users@dukhovni.org> | 2016-11-25 00:38:04 -0500 |
---|---|---|
committer | Viktor Dukhovni <openssl-users@dukhovni.org> | 2016-12-02 19:37:45 -0500 |
commit | c53f7355b93885d1f12237f94b363ad747f03dad (patch) | |
tree | 0db1b3c0d39f2ae81dcae11d7a1659211c495baf /crypto/x509/x509_vfy.c | |
parent | ef2bf0f57c2282d3b4fd47138052d0ab9a8f2b6a (diff) | |
Restore last-resort expired untrusted intermediate issuers
Reviewed-by: Matt Caswell <matt@openssl.org>
Diffstat (limited to 'crypto/x509/x509_vfy.c')
-rw-r--r-- | crypto/x509/x509_vfy.c | 15 |
1 files changed, 8 insertions, 7 deletions
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 9fbef116be..ebc4424005 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -308,16 +308,17 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
 static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x)
 {
 int i;
+ X509 *issuer, *rv = NULL;
 for (i = 0; i < sk_X509_num(sk); i++) {
- X509 *issuer = sk_X509_value(sk, i);
-
- if (!ctx->check_issued(ctx, x, issuer))
- continue;
- if (x509_check_cert_time(ctx, issuer, -1))
- return issuer;
+ issuer = sk_X509_value(sk, i);
+ if (ctx->check_issued(ctx, x, issuer)) {
+ rv = issuer;
+ if (x509_check_cert_time(ctx, rv, -1))
+ break;
+ }
 }
- return NULL;
+ return rv;
 }
 /* Given a possible certificate and issuer check them */ |
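Review bot: find_issuer() can now return a candidate that failed x509_check_cert_time(), and nothing at the function records that contract. Because `rv` is overwritten on every check_issued() match, the fallback is whichever matching certificate comes last in `sk`, not the first or the least-expired one. Rejecting an out-of-date intermediate therefore depends on a later validity check by the caller, which this hunk does not show. I would add a comment above the function, e.g. `/* Return the first issuer of x in sk whose validity period is current; failing that, the last matching issuer as a last resort. The caller must still check its times. */`.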