/* If we are self signed, we break */
if (cert_self_signed(x))
break;
+ /* If asked see if we can find issuer in trusted store first */
+ if (ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST)
+ {
+ ok = ctx->get_issuer(&xtmp, ctx, x);
+ if (ok < 0)
+ return ok;
+ /* If successful for now free up cert so it
+ * will be picked up again later.
+ */
+ if (ok > 0)
+ {
+ X509_free(xtmp);
+ break;
+ }
+ }
/* If we were passed a cert chain, use it first */
if (ctx->untrusted != NULL)
{
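Review bot: The `if (ok < 0) return ok;` path in the new trusted-first block returns a negative result without recording a verification error in `ctx`, as far as this hunk shows. If `get_issuer` does not set `ctx->error` itself (not visible here), a caller that reads only the stored error after a failed verify would see a stale value. I would set an appropriate `X509_V_ERR_*` code before returning and add `/* ok < 0: the store lookup itself failed, which is different from "no trusted issuer found" */`. The success branch could also say why the certificate is dropped, e.g. `/* Trusted issuer exists: stop consuming untrusted certs; the later trusted lookup fetches it again */`. The enclosing loop and function start and end outside the hunk.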
int ret;
ret = X509_check_issued(issuer, x);
+ if (ret == X509_V_OK)
+ {
+ int i;
+ X509 *ch;
+ for (i = 0; i < sk_X509_num(ctx->chain); i++)
+ {
+ ch = sk_X509_value(ctx->chain, i);
+ if (ch == issuer || !X509_cmp(ch, issuer))
+ {
+ ret = X509_V_ERR_PATH_LOOP;
+ break;
+ }
+ }
+ }
+
if (ret == X509_V_OK)
return 1;
/* If we haven't asked for issuer errors don't set ctx */
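Review bot: The new loop that sets `X509_V_ERR_PATH_LOOP` has no comment saying what it protects against, and it is the only guard visible here against the same certificate being added to the chain twice. I would add `/* Reject an issuer that is already in ctx->chain: accepting it would make chain building cycle */` above the `if (ret == X509_V_OK)` that opens it. `!X509_cmp(ch, issuer)` treats every non-zero result as "different", so if `X509_cmp` can report a failure in this tree (not visible here), a duplicate would pass unnoticed; that is worth confirming. `ret` can now carry the loop error into the issuer-error path that follows, which lies outside the hunk.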
x = sk_X509_value(ctx->chain, cnum);
ctx->current_cert = x;
ctx->current_issuer = NULL;
+ ctx->current_crl_score = 0;
ctx->current_reasons = 0;
while (ctx->current_reasons != CRLDP_ALL_REASONS)
{
atm.length=sizeof(buff2);
atm.data=(unsigned char *)buff2;
- if (X509_time_adj(&atm,-offset*60, cmp_time) == NULL)
+ if (X509_time_adj(&atm, offset*60, cmp_time) == NULL)
return 0;
if (ctm->type == V_ASN1_UTCTIME)
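Review bot: The sign flip on `offset*60` reverses the direction in which a timestamp with a zone suffix is shifted before comparison, and nothing in the hunk states which sign convention `offset` follows. Its derivation is outside the hunk, so the new sign cannot be confirmed from here. This comparison decides certificate and CRL validity windows, so I would pin it with a regression test using one `+hhmm` and one `-hhmm` time. If `offset` holds what the `*60` suggests, a comment such as `/* offset: signed minutes from the time's zone suffix; X509_time_adj takes seconds */` would record the convention next to the call.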
ctx->error_depth=0;
ctx->current_cert=NULL;
ctx->current_issuer=NULL;
+ ctx->current_crl=NULL;
+ ctx->current_crl_score=0;
+ ctx->current_reasons=0;
ctx->tree = NULL;
ctx->parent = NULL;
if (store)
ret = X509_VERIFY_PARAM_inherit(ctx->param, store->param);
else
- ctx->param->flags |= X509_VP_FLAG_DEFAULT|X509_VP_FLAG_ONCE;
+ ctx->param->inh_flags |= X509_VP_FLAG_DEFAULT|X509_VP_FLAG_ONCE;
if (store)
{