From f92c55222fcc678d28110ec58df998c16e98c84a Mon Sep 17 00:00:00 2001
From: Viktor Dukhovni
Date: Tue, 15 Dec 2015 17:35:26 +0000
Subject: [PATCH] DANE: When PKIX-EE matches don't clobber depth by trying PKIX-TA

---
 src/src/dane-openssl.c | 41 ++++++++++++++++++++---------------------
 1 file changed, 20 insertions(+), 21 deletions(-)

diff --git a/src/src/dane-openssl.c b/src/src/dane-openssl.c
index ed2b2f5af..50a2e8aa5 100644
--- a/src/src/dane-openssl.c
+++ b/src/src/dane-openssl.c
@@ -936,31 +936,30 @@ else
   */
   if (leaf_rrs)
     matched = match(leaf_rrs, xn, 0);
-  if (issuer_rrs)
-    {
-    for (n = chain_length-1; !matched && n >= 0; --n)
-      {
-      xn = sk_X509_value(ctx->chain, n);
-      if (n > 0 || X509_check_issued(xn, xn) == X509_V_OK)
-        matched = match(issuer_rrs, xn, n);
-      }
-    }
-  if (!matched)
+  if (!matched && issuer_rrs)
+    for (n = chain_length-1; !matched && n >= 0; --n)
       {
-      ctx->current_cert = cert;
-      ctx->error_depth = 0;
-      X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_UNTRUSTED);
-      if (!cb(0, ctx))
-        return 0;
-      }
-    else
-      {
-      dane->mdpth = n;
-      dane->match = xn;
-      X509_up_ref(xn);
+      xn = sk_X509_value(ctx->chain, n);
+      if (n > 0 || X509_check_issued(xn, xn) == X509_V_OK)
+        matched = match(issuer_rrs, xn, n);
       }
+
+  if (!matched)
+    {
+    ctx->current_cert = cert;
+    ctx->error_depth = 0;
+    X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_UNTRUSTED);
+    if (!cb(0, ctx))
+      return 0;
     }
+  else
+    {
+    dane->mdpth = n;
+    dane->match = xn;
+    X509_up_ref(xn);
+    }
+
   }
   return ctx->verify(ctx);
 }
-- 
2.25.1
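Review bot: The recorded depth in the else branch, `dane->mdpth = n`, still looks one below the certificate it is paired with for a PKIX-TA match: the `for` runs `--n` before `!matched` is re-evaluated, so when `match(issuer_rrs, xn, n)` succeeds at index k the loop exits with n == k-1 while `xn` is the certificate at index k. Unless `match()` records the depth itself (its body is not in this hunk), a fix is to leave the loop on a hit before the decrement, e.g. drop `!matched &&` from the loop condition and write `if ((matched = match(issuer_rrs, xn, n))) break;`. The PKIX-EE path now depends on `n` already holding 0 when the loop is skipped; that initialisation is outside the hunk and is worth a comment such as `/* n stays 0 for a leaf (PKIX-EE) match: mdpth is the chain index of xn */`. The enclosing function starts before this hunk.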