aboutsummaryrefslogtreecommitdiff
path: root/crypto/x509/x509_vfy.c
diff options
context:
space:
mode:
authorJung-uk Kim <jkim@FreeBSD.org>2021-02-16 19:54:02 +0000
committerJung-uk Kim <jkim@FreeBSD.org>2021-02-16 19:54:02 +0000
commit4f55bd5321b72491d4eff396e4928e9ab0706735 (patch)
tree46adf486ba58f712ebd071b5d2dbeda04c45833b /crypto/x509/x509_vfy.c
parentc25134eb4f5842c16f8f372a1e28849794d70883 (diff)
downloadsrc-4f55bd5321b72491d4eff396e4928e9ab0706735.tar.gz
src-4f55bd5321b72491d4eff396e4928e9ab0706735.zip
Import OpenSSL 1.1.1j.vendor/openssl/1.1.1j
Diffstat (limited to 'crypto/x509/x509_vfy.c')
-rw-r--r--crypto/x509/x509_vfy.c15
1 files changed, 6 insertions, 9 deletions
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 730a0160ff0a..0c71b2e8b4ad 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -323,9 +323,10 @@ static int sk_X509_contains(STACK_OF(X509) *sk, X509 *cert)
}
/*
- * Find in given STACK_OF(X509) sk a non-expired issuer cert (if any) of given cert x.
- * The issuer must not be the same as x and must not yet be in ctx->chain, where the
- * exceptional case x is self-issued and ctx->chain has just one element is allowed.
+ * Find in given STACK_OF(X509) sk an issuer cert of given cert x.
+ * The issuer must not yet be in ctx->chain, where the exceptional case
+ * that x is self-issued and ctx->chain has just one element is allowed.
+ * Prefer the first one that is not expired, else take the last expired one.
*/
static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x)
{
@@ -334,11 +335,7 @@ static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x)
for (i = 0; i < sk_X509_num(sk); i++) {
issuer = sk_X509_value(sk, i);
- /*
- * Below check 'issuer != x' is an optimization and safety precaution:
- * Candidate issuer cert cannot be the same as the subject cert 'x'.
- */
- if (issuer != x && ctx->check_issued(ctx, x, issuer)
+ if (ctx->check_issued(ctx, x, issuer)
&& (((x->ex_flags & EXFLAG_SI) != 0 && sk_X509_num(ctx->chain) == 1)
|| !sk_X509_contains(ctx->chain, issuer))) {
rv = issuer;