From f7a941809fd72aa44a2d525fb2e61ee97b2b3d7c Mon Sep 17 00:00:00 2001
From: tb <>
Date: Sat, 6 Nov 2021 12:27:05 +0000
Subject: In X509_STORE_get1_issuer() do not call the verify callback from
 x509_check_cert_time(). Matches a change made in OpenSSL 70dd3c65.

ok jsing
---
 src/lib/libcrypto/x509/x509_lu.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/lib/libcrypto/x509/x509_lu.c b/src/lib/libcrypto/x509/x509_lu.c
index 1a8c079fde..c47e8f9dd1 100644
--- a/src/lib/libcrypto/x509/x509_lu.c
+++ b/src/lib/libcrypto/x509/x509_lu.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_lu.c,v 1.49 2021/11/06 07:18:18 tb Exp $ */
+/* $OpenBSD: x509_lu.c,v 1.50 2021/11/06 12:27:05 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -697,7 +697,7 @@ X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
 		return 0;
 	/* If certificate matches all OK */
 	if (ctx->check_issued(ctx, x, obj.data.x509)) {
-		if (x509_check_cert_time(ctx, obj.data.x509, 1)) {
+		if (x509_check_cert_time(ctx, obj.data.x509, -1)) {
 			*issuer = obj.data.x509;
 			return 1;
 		}
@@ -730,7 +730,7 @@ X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
 				 * match in issuer so we return nearest
 				 * match if no certificate time is OK.
 				 */
-				if (x509_check_cert_time(ctx, *issuer, 1))
+				if (x509_check_cert_time(ctx, *issuer, -1))
 					break;
 			}
 		}
-- 
cgit v1.2.3-55-g6feb