X509_verify(cert, t->spki) <= 0)
continue;
- /* Clear PKIX-?? matches that failed to panned out to a full chain */
+ /* Clear any PKIX-?? matches that failed to extend to a full chain */
X509_free(dane->mcert);
dane->mcert = NULL;
return 0;
ctx->current_cert = cert;
ctx->error_depth = 0;
- ctx->error = X509_V_ERR_CERT_UNTRUSTED;
+ ctx->error = X509_V_ERR_DANE_NO_MATCH;
return ctx->verify_cb(0, ctx);
}
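Review bot: The new `X509_V_ERR_DANE_NO_MATCH` assignment is followed directly by `return ctx->verify_cb(0, ctx);`, so the verification result on a DANE mismatch is whatever the application callback returns, and nothing here says so. A callback that previously matched on `X509_V_ERR_CERT_UNTRUSTED` to refuse these failures, or that returns 1 for error codes it does not recognise, will now behave differently. The same applies to the `DANETLS_ENABLED(dane)` branch further down that sets the same code. I would add a comment above the assignment such as `/* No TLSA record matched: report the DANE-specific code; the callback's return value decides the outcome */`, and mention the changed code in the verify-callback documentation if the commit does not already do so elsewhere. The enclosing function starts outside this hunk.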
ctx->error = X509_V_ERR_CERT_CHAIN_TOO_LONG;
else if (DANETLS_ENABLED(dane) &&
(!DANETLS_HAS_PKIX(dane) || dane->pdpth >= 0))
- ctx->error = X509_V_ERR_CERT_UNTRUSTED;
+ ctx->error = X509_V_ERR_DANE_NO_MATCH;
else if (ss && sk_X509_num(ctx->chain) == 1)
ctx->error = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
else if (ss)
ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
else
ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT;
- if (DANETLS_ENABLED(dane))
- dane_reset(dane);
return ctx->verify_cb(0, ctx);
}
}
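Review bot: Removing `if (DANETLS_ENABLED(dane)) dane_reset(dane);` means this failure path now reaches `ctx->verify_cb(0, ctx)` and returns with the DANE match state still populated, and the hunk gives no indication of where that state is cleared instead. If the reset was moved to a caller or to the start of the next verification, that is presumably fine, but it is not visible here. Fields such as `dane->mcert` and `dane->pdpth` should not survive into a later verification that reuses the same context. A one-line comment where the call used to be would make the invariant explicit, for example `/* DANE state is left intact for the callback; it is reset in <function that now resets it> */`. The enclosing function starts outside this hunk.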