DANE: When PKIX-EE matches don't clobber depth by trying PKIX-TA

diff --git a/src/src/dane-openssl.c b/src/src/dane-openssl.c
index ed2b2f5af8e759a397112981aabf96244f24d8c7..50a2e8aa5ebef706f016a3475f5b90fdd7f669ea 100644 (file)
--- a/src/src/dane-openssl.c
+++ b/src/src/dane-openssl.c
@@ -936,31 +936,30 @@ else
    */
   if (leaf_rrs)
     matched = match(leaf_rrs, xn, 0);
-    if (issuer_rrs)
-      {
-      for (n = chain_length-1; !matched && n >= 0; --n)
-       {
-       xn = sk_X509_value(ctx->chain, n);
-       if (n > 0 || X509_check_issued(xn, xn) == X509_V_OK)
-         matched = match(issuer_rrs, xn, n);
-       }
-      }
 
-    if (!matched)
+  if (!matched && issuer_rrs)
+    for (n = chain_length-1; !matched && n >= 0; --n)
       {
-      ctx->current_cert = cert;
-      ctx->error_depth = 0;
-      X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_UNTRUSTED);
-      if (!cb(0, ctx))
-       return 0;
-      }
-    else
-      {
-      dane->mdpth = n;
-      dane->match = xn;
-      X509_up_ref(xn);
+      xn = sk_X509_value(ctx->chain, n);
+      if (n > 0 || X509_check_issued(xn, xn) == X509_V_OK)
+       matched = match(issuer_rrs, xn, n);
       }
+
+  if (!matched)
+    {
+    ctx->current_cert = cert;
+    ctx->error_depth = 0;
+    X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_UNTRUSTED);
+    if (!cb(0, ctx))
+      return 0;
     }
+  else
+    {
+    dane->mdpth = n;
+    dane->match = xn;
+    X509_up_ref(xn);
+    }
+  }
 
 return ctx->verify(ctx);
 }