{
SSL_DANE *dane = ctx->dane;
int num = sk_X509_num(ctx->chain);
- X509 *curr = sk_X509_value(ctx->chain, num - 1); /* current end of chain */
STACK_OF(X509) *sk_untrusted = NULL;
unsigned int search;
int may_trusted = 0;
max_depth = ctx->param->depth + 1;
while (search != 0) {
- X509 *issuer = NULL;
+ X509 *curr, *issuer = NULL;
num = sk_X509_num(ctx->chain);
ctx->error_depth = num - 1;
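Review bot: `curr` is now declared per iteration without an initializer (`X509 *curr, *issuer = NULL;`), while the removed function-scope declaration set it from the chain tail and a later hunk still calls `X509_free(curr)`. The assignment that has to precede that free is not in the visible lines, so this is only safe if every path to the free sets `curr` earlier in the same iteration; otherwise an indeterminate pointer is passed to X509_free. I would declare it as `X509 *curr = NULL, *issuer = NULL;`, so that a missed assignment becomes a no-op free rather than undefined behaviour. The loop body continues outside this hunk.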
* trusted matching issuer. Otherwise, grow the chain.
*/
if (!self_signed) {
- curr = issuer;
- if (!sk_X509_push(ctx->chain, curr)) {
+ if (!sk_X509_push(ctx->chain, issuer)) {
X509_free(issuer);
goto memerr;
}
X509_free(curr);
ctx->num_untrusted = --num;
(void)sk_X509_set(ctx->chain, num, issuer);
- curr = issuer;
- /* no need to update self_signed */
}
}
goto int_err;
++ctx->num_untrusted;
- curr = issuer;
/* Check for DANE-TA trust of the topmost untrusted certificate. */
trust = check_dane_issuer(ctx, ctx->num_untrusted - 1);
CB_FAIL_IF(DANETLS_ENABLED(dane)
&& (!DANETLS_HAS_PKIX(dane) || dane->pdpth >= 0),
ctx, NULL, num - 1, X509_V_ERR_DANE_NO_MATCH);
- if (X509_self_signed(curr, 0))
+ if (X509_self_signed(sk_X509_value(ctx->chain, num - 1), 0))
return verify_cb_cert(ctx, NULL, num - 1,
- sk_X509_num(ctx->chain) == 1
+ num == 1
? X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
: X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN);
return verify_cb_cert(ctx, NULL, num - 1,
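Review bot: The self-signed check now indexes the chain with `num - 1` and tests `num == 1`, where the old code used `curr` and a fresh `sk_X509_num(ctx->chain)`, so both expressions depend on `num` still matching the chain length at this point. The visible lines set `num` at the top of the loop and the chain grows afterwards (`++ctx->num_untrusted`); any refresh of `num` after the loop lies outside what is shown. If `num` can be stale here, `sk_X509_value` yields NULL or a certificate below the top of the chain, and the error code handed to the verify callback is chosen from the wrong certificate. Re-reading it just before the check (`num = sk_X509_num(ctx->chain);`), or a comment stating the invariant, would make the dependency explicit. The final `return verify_cb_cert(` statement continues past the end of the hunk.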