author | Viktor Dukhovni <viktor1dane@dukhovni.org> | 2015-12-15 17:35:26 +0000 |
committer | Jeremy Harris <jgh146exb@wizmail.org> | 2015-12-16 21:48:31 +0000 |
commit | f92c55222fcc678d28110ec58df998c16e98c84a (patch) | |
tree | 9f7188a21f2bca924b0a14960f56ca5ef1b8a544 /src | |
parent | aaba7d03433c179562e515bfb68ff2069ff626d8 (diff) |
DANE: When PKIX-EE matches don't clobber depth by trying PKIX-TA
Diffstat (limited to 'src')
-rw-r--r-- | src/src/dane-openssl.c | 41 |
1 files changed, 20 insertions, 21 deletions
diff --git a/src/src/dane-openssl.c b/src/src/dane-openssl.c
index ed2b2f5af..50a2e8aa5 100644
--- a/src/src/dane-openssl.c
+++ b/src/src/dane-openssl.c
@@ -936,31 +936,30 @@ else
 */
 if (leaf_rrs)
 matched = match(leaf_rrs, xn, 0);
- if (issuer_rrs)
- {
- for (n = chain_length-1; !matched && n >= 0; --n)
- {
- xn = sk_X509_value(ctx->chain, n);
- if (n > 0 || X509_check_issued(xn, xn) == X509_V_OK)
- matched = match(issuer_rrs, xn, n);
- }
- }
- if (!matched)
+ if (!matched && issuer_rrs)
+ for (n = chain_length-1; !matched && n >= 0; --n)
 {
- ctx->current_cert = cert;
- ctx->error_depth = 0;
- X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_UNTRUSTED);
- if (!cb(0, ctx))
- return 0;
- }
- else
- {
- dane->mdpth = n;
- dane->match = xn;
- X509_up_ref(xn);
+ xn = sk_X509_value(ctx->chain, n);
+ if (n > 0 || X509_check_issued(xn, xn) == X509_V_OK)
+ matched = match(issuer_rrs, xn, n);
 }
+
+ if (!matched)
+ {
+ ctx->current_cert = cert;
+ ctx->error_depth = 0;
+ X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_UNTRUSTED);
+ if (!cb(0, ctx))
+ return 0;
 }
+ else
+ {
+ dane->mdpth = n;
+ dane->match = xn;
+ X509_up_ref(xn);
+ }
+ }
 return ctx->verify(ctx);
 }
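Review bot: The issuer loop `for (n = chain_length-1; !matched && n >= 0; --n)` still lets the `--n` update run after the body sets `matched` and before the `!matched` test terminates the loop, so on a PKIX-TA/DANE-TA match `n` is one less than the depth that was passed to `match(issuer_rrs, xn, n)`, and `dane->mdpth = n` in the else branch records that off-by-one depth unless match() stores the depth itself elsewhere in the file. The commit stops the leaf-match case from being clobbered, but on that path `n` is never written inside this hunk at all, so `dane->mdpth` relies on whatever `n` was initialised to before the hunk; verify_chain begins and the declaration of `n` sits outside the hunk, so please confirm it is 0 there. Breaking out of the loop explicitly keeps `n` at the matched depth and makes the contract of `mdpth` (depth of the matching cert, `xn`) hold by construction rather than by accident.
```c
    if (!matched && issuer_rrs)
      for (n = chain_length-1; n >= 0; --n)
	{
	xn = sk_X509_value(ctx->chain, n);
	if ((n > 0 || X509_check_issued(xn, xn) == X509_V_OK)
	    && (matched = match(issuer_rrs, xn, n)))
	  break;	/* leave n at the depth of the matching cert */
	}
    /* … unchanged: !matched error path, else branch storing mdpth/match … */
```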