From 0927cefc062ffd2f8e4d64cb7d301c41144813e0 Mon Sep 17 00:00:00 2001
From: beck <>
Date: Fri, 8 Jan 2021 03:23:56 +0000
Subject: search the intermediates only after searching the root certs, clarify this in the comments. helps avoid annoying situations with the legacy callback ok jsing@
---
 src/lib/libcrypto/x509/x509_verify.c | 26 +++++++++++++++-----------
 1 file changed, 15 insertions(+), 11 deletions(-)
(limited to 'src/lib')
diff --git a/src/lib/libcrypto/x509/x509_verify.c b/src/lib/libcrypto/x509/x509_verify.c
index 0297fac145..b19b5373c5 100644
--- a/src/lib/libcrypto/x509/x509_verify.c
+++ b/src/lib/libcrypto/x509/x509_verify.c
@@ -1,6 +1,6 @@
-/* $OpenBSD: x509_verify.c,v 1.27 2021/01/05 16:53:10 jsing Exp $ */
+/* $OpenBSD: x509_verify.c,v 1.28 2021/01/08 03:23:56 beck Exp $ */
 /*
- * Copyright (c) 2020 Bob Beck
+ * Copyright (c) 2020-2021 Bob Beck
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
@@ -501,6 +501,7 @@ x509_verify_build_chains(struct x509_verify_ctx *ctx, X509 *cert,
 X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
 }
 
+ /* Check to see if we have a trusted root issuer. */
 for (i = 0; i < sk_X509_num(ctx->roots); i++) {
 candidate = sk_X509_value(ctx->roots, i);
 if (x509_verify_potential_parent(ctx, candidate, cert)) {
@@ -508,15 +509,7 @@ x509_verify_build_chains(struct x509_verify_ctx *ctx, X509 *cert,
 cert_md, 1, candidate, current_chain);
 }
 }
- if (ctx->intermediates != NULL) {
- for (i = 0; i < sk_X509_num(ctx->intermediates); i++) {
- candidate = sk_X509_value(ctx->intermediates, i);
- if (x509_verify_potential_parent(ctx, candidate, cert)) {
- x509_verify_consider_candidate(ctx, cert,
- cert_md, 0, candidate, current_chain);
- }
- }
- }
+ /* Check for legacy mode roots */
 if (ctx->xsc != NULL) {
 if ((ret = ctx->xsc->get_issuer(&candidate, ctx->xsc, cert)) < 0) {
 x509_verify_cert_error(ctx, cert, depth,
@@ -532,6 +525,17 @@ x509_verify_build_chains(struct x509_verify_ctx *ctx, X509 *cert,
 }
 }
 
+ /* Check intermediates after checking roots */
+ if (ctx->intermediates != NULL) {
+ for (i = 0; i < sk_X509_num(ctx->intermediates); i++) {
+ candidate = sk_X509_value(ctx->intermediates, i);
+ if (x509_verify_potential_parent(ctx, candidate, cert)) {
+ x509_verify_consider_candidate(ctx, cert,
+ cert_md, 0, candidate, current_chain);
+ }
+ }
+ }
+
 if (ctx->chains_count > count) {
 if (ctx->xsc != NULL) {
 ctx->xsc->error = X509_V_OK;
-- 
cgit v1.2.3-55-g6feb
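Review bot: The new comment `/* Check intermediates after checking roots */` states the order but not why it matters, and it understates the ordering: the intermediates loop now runs after both the trusted-root loop and the legacy `ctx->xsc->get_issuer` callback from the preceding hunk, which is the situation the commit message says the reordering exists to avoid. Suggest `/* Search the untrusted intermediates only after the trusted roots and the legacy get_issuer callback have been tried. */` so the next maintainer does not move the block back above the callback. It is also worth naming, in that comment, what the third argument to x509_verify_consider_candidate encodes, since this loop passes 0 where the roots loop passes 1 — presumably a trusted-vs-untrusted flag, but that is not visible here. x509_verify_build_chains starts and ends outside the hunk.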