mirror/openssl
2
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2024-11-27 05:21:51 +08:00
Code Issues Packages Projects Releases Wiki Activity

Cosmetic polish for last-resort depth 0 check

Browse Source 
Reviewed-by: Rich Salz <rsalz@openssl.org>
This commit is contained in:
Viktor Dukhovni 2016-01-14 15:03:15 -05:00
parent 56afc18714
commit 497ecc0d7d
1 changed files with 5 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
crypto/x509/x509_vfy.c
View File

@ -618,7 +618,7 @@ static int check_trust(X509_STORE_CTX *ctx, int num_untrusted)
return X509_TRUST_UNTRUSTED;
}
if (num_untrusted > num && ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) {
if (num_untrusted == num && ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) {
/*
* Last-resort call with no new trusted certificates, check the leaf
* for a direct trust store match.
@ -2894,12 +2894,12 @@ static int build_chain(X509_STORE_CTX *ctx)
* Last chance to make a trusted chain, either bare DANE-TA public-key
* signers, or else direct leaf PKIX trust.
*/
if (sk_X509_num(ctx->chain) <= depth) {
num = sk_X509_num(ctx->chain);
if (num <= depth) {
if (trust == X509_TRUST_UNTRUSTED && DANETLS_HAS_DANE_TA(dane))
trust = check_dane_pkeys(ctx);
if (trust == X509_TRUST_UNTRUSTED &&
sk_X509_num(ctx->chain) == ctx->num_untrusted)
trust = check_trust(ctx, ctx->num_untrusted+1);
if (trust == X509_TRUST_UNTRUSTED && num == ctx->num_untrusted)
trust = check_trust(ctx, num);
}
switch (trust) {