| side by side (parent:
aaba7d0
)
DANE: When PKIX-EE matches don't clobber depth by trying PKIX-TA
author
Viktor Dukhovni
<viktor1dane@dukhovni.org>
Tue, 15 Dec 2015 17:35:26 +0000
(17:35 +0000)
committer
Jeremy Harris
<jgh146exb@wizmail.org>
Wed, 16 Dec 2015 21:48:31 +0000
(21:48 +0000)
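--- a/src/src/dane-openssl.c
+++ b/src/src/dane-openssl.c
@@ -936,31 +936,30 @@ else
  */
  if (leaf_rrs)
  matched = match(leaf_rrs, xn, 0);
- if (issuer_rrs)
- {
- for (n = chain_length-1; !matched && n >= 0; --n)
- {
- xn = sk_X509_value(ctx->chain, n);
- if (n > 0 || X509_check_issued(xn, xn) == X509_V_OK)
- matched = match(issuer_rrs, xn, n);
- }
- }
- if (!matched)
+ if (!matched && issuer_rrs)
+ for (n = chain_length-1; !matched && n >= 0; --n)
  {
- ctx->current_cert = cert;
- ctx->error_depth = 0;
- X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_UNTRUSTED);
- if (!cb(0, ctx))
- return 0;
- }
- else
- {
- dane->mdpth = n;
- dane->match = xn;
- X509_up_ref(xn);
+ xn = sk_X509_value(ctx->chain, n);
+ if (n > 0 || X509_check_issued(xn, xn) == X509_V_OK)
+ matched = match(issuer_rrs, xn, n);
  }
+
+ if (!matched)
+ {
+ ctx->current_cert = cert;
+ ctx->error_depth = 0;
+ X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_UNTRUSTED);
+ if (!cb(0, ctx))
+ return 0;
  }
+ else
+ {
+ dane->mdpth = n;
+ dane->match = xn;
+ X509_up_ref(xn);
+ }
+ }
  return ctx->verify(ctx);
  }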
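Review bot: In the issuer loop the `--n` step still runs after the iteration that sets `matched`, so when the `else` branch stores `dane->mdpth = n` the value is one below the chain index of the `xn` saved in `dane->match` (and -1 for a match at index 0), unless code outside the hunk compensates. Leaving the loop at the point of the match keeps depth and certificate in step, for example `if ((n > 0 || X509_check_issued(xn, xn) == X509_V_OK) && (matched = match(issuer_rrs, xn, n))) break;` with the `!matched` test dropped from the loop header. On the leaf-match path `n` now keeps whatever value it was given before the hunk, which is not visible here, so a comment on `dane->mdpth = n` stating which value `n` is expected to hold on each path would make that dependency explicit. The enclosing function starts outside the hunk.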