Restore last-resort expired untrusted intermediate issuers

Reviewed-by: N Matt Caswell <matt@openssl.org>

Restore last-resort expired untrusted intermediate issuers
Reviewed-by: N Matt Caswell <matt@openssl.org>
c53f7355 · Viktor Dukhovni · ef2bf0f5 · c53f7355
隐藏空白更改
内联并排

Showing with 8 addition and 7 deletion

crypto/x509/x509_vfy.c crypto/x509/x509_vfy.c +8 -7

未找到文件。
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -308,16 +308,17 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
 static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x)
 {
    int i;
+    X509 *issuer, *rv = NULL;

    for (i = 0; i < sk_X509_num(sk); i++) {
-        X509 *issuer = sk_X509_value(sk, i);
-
-        if (!ctx->check_issued(ctx, x, issuer))
-            continue;
-        if (x509_check_cert_time(ctx, issuer, -1))
-            return issuer;
+        issuer = sk_X509_value(sk, i);
+        if (ctx->check_issued(ctx, x, issuer)) {
+            rv = issuer;
+            if (x509_check_cert_time(ctx, rv, -1))
+                break;
+        }
    }
-    return NULL;
+    return rv;
 }

 /* Given a possible certificate and issuer check them */