authorViktor Dukhovni <viktor1dane@dukhovni.org>2015-12-15 17:35:26 +0000
committerJeremy Harris <jgh146exb@wizmail.org>2015-12-16 21:48:31 +0000
commitf92c55222fcc678d28110ec58df998c16e98c84a (patch)
tree9f7188a21f2bca924b0a14960f56ca5ef1b8a544 /src
parentaaba7d03433c179562e515bfb68ff2069ff626d8 (diff)
DANE: When PKIX-EE matches don't clobber depth by trying PKIX-TA
Diffstat (limited to 'src')
-rw-r--r--src/src/dane-openssl.c41
1 files changed, 20 insertions, 21 deletions
diff --git a/src/src/dane-openssl.c b/src/src/dane-openssl.c
index ed2b2f5af..50a2e8aa5 100644
--- a/src/src/dane-openssl.c
+++ b/src/src/dane-openssl.c
@@ -936,31 +936,30 @@ else
*/
if (leaf_rrs)
matched = match(leaf_rrs, xn, 0);
- if (issuer_rrs)
- {
- for (n = chain_length-1; !matched && n >= 0; --n)
- {
- xn = sk_X509_value(ctx->chain, n);
- if (n > 0 || X509_check_issued(xn, xn) == X509_V_OK)
- matched = match(issuer_rrs, xn, n);
- }
- }
- if (!matched)
+ if (!matched && issuer_rrs)
+ for (n = chain_length-1; !matched && n >= 0; --n)
{
- ctx->current_cert = cert;
- ctx->error_depth = 0;
- X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_UNTRUSTED);
- if (!cb(0, ctx))
- return 0;
- }
- else
- {
- dane->mdpth = n;
- dane->match = xn;
- X509_up_ref(xn);
+ xn = sk_X509_value(ctx->chain, n);
+ if (n > 0 || X509_check_issued(xn, xn) == X509_V_OK)
+ matched = match(issuer_rrs, xn, n);
}
+
+ if (!matched)
+ {
+ ctx->current_cert = cert;
+ ctx->error_depth = 0;
+ X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_UNTRUSTED);
+ if (!cb(0, ctx))
+ return 0;
}
+ else
+ {
+ dane->mdpth = n;
+ dane->match = xn;
+ X509_up_ref(xn);
+ }
+ }
return ctx->verify(ctx);
}
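Review bot: The depth stored by `dane->mdpth = n;` is one less than the chain index at which match() succeeded, because the for loop's `--n` step runs after the body sets matched and before the `!matched` test ends the loop; xn is unaffected (it is only assigned inside the body), so the recorded certificate is right but the PKIX-TA match depth is off by one whenever the chain walk finds the match. The PKIX-EE path now relies on n and xn keeping the leaf values set before the hunk (the enclosing else block and the function start outside it), which is presumably what the commit title's "don't clobber depth" refers to; worth confirming that n is initialised to 0 there. A minimal fix is to leave the loop on success before the decrement, e.g. `if ((matched = match(issuer_rrs, xn, n))) break;` in place of the assignment, and dropping the now-redundant `!matched &&` from the loop condition.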