Restore last-resort expired untrusted intermediate issuers
authorViktor Dukhovni <openssl-users@dukhovni.org>
Fri, 25 Nov 2016 05:38:04 +0000 (00:38 -0500)
committerViktor Dukhovni <openssl-users@dukhovni.org>
Sat, 3 Dec 2016 00:37:45 +0000 (19:37 -0500)
Reviewed-by: Matt Caswell <matt@openssl.org>
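--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -308,16 +308,17 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
 static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x)
 {
     int i;
+    X509 *issuer, *rv = NULL;
 
     for (i = 0; i < sk_X509_num(sk); i++) {
-        X509 *issuer = sk_X509_value(sk, i);
-
-        if (!ctx->check_issued(ctx, x, issuer))
-            continue;
-        if (x509_check_cert_time(ctx, issuer, -1))
-            return issuer;
+        issuer = sk_X509_value(sk, i);
+        if (ctx->check_issued(ctx, x, issuer)) {
+            rv = issuer;
+            if (x509_check_cert_time(ctx, rv, -1))
+                break;
+        }
     }
-    return NULL;
+    return rv;
 }
 
 /* Given a possible certificate and issuer check them */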
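Review bot: The new fallback in find_issuer is undocumented: after the loop, `rv` may be an issuer that matched check_issued but failed x509_check_cert_time, and because `rv` is overwritten on every match it is the *last* such issuer in `sk`, not the first, so the function's contract is now "first time-valid issuer, else last issued-by match regardless of validity". A comment above the loop should state this so callers do not treat a non-NULL return as time-validated, e.g. `/* Prefer the first issuer that passes the time check; if none does, fall back to the last matching issuer even if expired, so the chain can still be built. Callers must still apply time checks to the chain. */`. Whether the later chain verification re-checks validity dates on the returned issuer is not visible in this hunk and should be confirmed, since otherwise an expired intermediate would be accepted silently. Minor style point: `x509_check_cert_time(ctx, rv, -1)` reads more naturally as `x509_check_cert_time(ctx, issuer, -1)` since `rv` was just assigned from `issuer`.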