1 files changed, 18 insertions, 5 deletions

diff --git a/src/lib/libssl/src/crypto/x509/x509_lu.c b/src/lib/libssl/src/crypto/x509/x509_lu.c
index 8d3e4f4dce..b522c88c25 100644
--- a/src/lib/libssl/src/crypto/x509/x509_lu.c
+++ b/src/lib/libssl/src/crypto/x509/x509_lu.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_lu.c,v 1.16 2014/07/11 08:44:49 jsing Exp $ */
+/* $OpenBSD: x509_lu.c,v 1.17 2014/07/11 12:52:41 miod Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -62,6 +62,7 @@
 #include <openssl/lhash.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
+#include "x509_lcl.h"
 
 X509_LOOKUP *
 X509_LOOKUP_new(X509_LOOKUP_METHOD *method)
@@ -632,6 +633,8 @@ X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
         X509_NAME *xn;
         X509_OBJECT obj, *pobj;
         int i, ok, idx, ret;
+
+        *issuer = NULL;
         xn = X509_get_issuer_name(x);
         ok = X509_STORE_get_by_subject(ctx, X509_LU_X509, xn, &obj);
         if (ok != X509_LU_X509) {
@@ -649,8 +652,10 @@ X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
         }
         /* If certificate matches all OK */
         if (ctx->check_issued(ctx, x, obj.data.x509)) {
-                *issuer = obj.data.x509;
-                return 1;
+                if (x509_check_cert_time(ctx, obj.data.x509, 1)) {
+                        *issuer = obj.data.x509;
+                        return 1;
+                }
         }
         X509_OBJECT_free_contents(&obj);
 
@@ -670,13 +675,21 @@ X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
                                 break;
                         if (ctx->check_issued(ctx, x, pobj->data.x509)) {
                                 *issuer = pobj->data.x509;
-                                X509_OBJECT_up_ref_count(pobj);
                                 ret = 1;
-                                break;
+                                /*
+                                 * If times check, exit with match,
+                                 * otherwise keep looking. Leave last
+                                 * match in issuer so we return nearest
+                                 * match if no certificate time is OK.
+                                 */
+                                if (x509_check_cert_time(ctx, *issuer, 1))
+                                        break;
                         }
                 }
         }
         CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
+        if (*issuer)
+                CRYPTO_add(&(*issuer)->references, 1, CRYPTO_LOCK_X509);
         return ret;
 }