search the intermediates only after searching the root certs, clarify

this in the comments. helps avoid annoying situations with the legacy callback ok jsing@
author: beck <> 2021-01-08 03:23:56 +0000
committer: beck <> 2021-01-08 03:23:56 +0000
commit: 0927cefc062ffd2f8e4d64cb7d301c41144813e0 (patch)
tree: cd781fec30c728f821a125b8b678d5e63eecbff6 /src
parent: bcb15b6a03bc19d4fe146ce1d46e5554233232e9 (diff)
download: openbsd-0927cefc062ffd2f8e4d64cb7d301c41144813e0.tar.gz
openbsd-0927cefc062ffd2f8e4d64cb7d301c41144813e0.tar.bz2
openbsd-0927cefc062ffd2f8e4d64cb7d301c41144813e0.zip
1 files changed, 15 insertions, 11 deletions
diff --git a/src/lib/libcrypto/x509/x509_verify.c b/src/lib/libcrypto/x509/x509_verify.c
index 0297fac145..b19b5373c5 100644
--- a/src/lib/libcrypto/x509/x509_verify.c
+++ b/src/lib/libcrypto/x509/x509_verify.c
@@ -1,6 +1,6 @@
-/* $OpenBSD: x509_verify.c,v 1.27 2021/01/05 16:53:10 jsing Exp $ */
+/* $OpenBSD: x509_verify.c,v 1.28 2021/01/08 03:23:56 beck Exp $ */
 /*
- * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
+ * Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
@@ -501,6 +501,7 @@ x509_verify_build_chains(struct x509_verify_ctx *ctx, X509 *cert,
                            X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
        }
+        /* Check to see if we have a trusted root issuer. */
        for (i = 0; i < sk_X509_num(ctx->roots); i++) {
                candidate = sk_X509_value(ctx->roots, i);
                if (x509_verify_potential_parent(ctx, candidate, cert)) {
@@ -508,15 +509,7 @@ x509_verify_build_chains(struct x509_verify_ctx *ctx, X509 *cert,
                            cert_md, 1, candidate, current_chain);
                }
        }
-        if (ctx->intermediates != NULL) {
+        /* Check for legacy mode roots */
-                for (i = 0; i < sk_X509_num(ctx->intermediates); i++) {
-                        candidate = sk_X509_value(ctx->intermediates, i);
-                        if (x509_verify_potential_parent(ctx, candidate, cert)) {
-                                x509_verify_consider_candidate(ctx, cert,
-                                    cert_md, 0, candidate, current_chain);
-                        }
-                }
-        }
        if (ctx->xsc != NULL) {
                if ((ret = ctx->xsc->get_issuer(&candidate, ctx->xsc, cert)) < 0) {
                        x509_verify_cert_error(ctx, cert, depth,
@@ -532,6 +525,17 @@ x509_verify_build_chains(struct x509_verify_ctx *ctx, X509 *cert,
                }
        }
+        /* Check intermediates after checking roots */
+        if (ctx->intermediates != NULL) {
+                for (i = 0; i < sk_X509_num(ctx->intermediates); i++) {
+                        candidate = sk_X509_value(ctx->intermediates, i);
+                        if (x509_verify_potential_parent(ctx, candidate, cert)) {
+                                x509_verify_consider_candidate(ctx, cert,
+                                    cert_md, 0, candidate, current_chain);
+                        }
+                }
+        }
        if (ctx->chains_count > count) {
                if (ctx->xsc != NULL) {
                        ctx->xsc->error = X509_V_OK;
author	beck <>	2021-01-08 03:23:56 +0000
committer	beck <>	2021-01-08 03:23:56 +0000
commit	0927cefc062ffd2f8e4d64cb7d301c41144813e0 (patch)
tree	cd781fec30c728f821a125b8b678d5e63eecbff6 /src
parent	bcb15b6a03bc19d4fe146ce1d46e5554233232e9 (diff)
download	openbsd-0927cefc062ffd2f8e4d64cb7d301c41144813e0.tar.gz openbsd-0927cefc062ffd2f8e4d64cb7d301c41144813e0.tar.bz2 openbsd-0927cefc062ffd2f8e4d64cb7d301c41144813e0.zip