From 63642776b13d11edbf0ba898b8a34563365d9411 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Mon, 3 Jul 2017 23:57:11 +0200
Subject: [PATCH] Let verify_top() handle only the parent

It felt wrong for it to call the vrfy callback on two certs.
---
 library/x509_crt.c | 24 ++++++++++--------------
 1 file changed, 10 insertions(+), 14 deletions(-)

diff --git a/library/x509_crt.c b/library/x509_crt.c
index bae12c0cb..5a41ee51c 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -2017,6 +2017,7 @@ static int x509_crt_verify_top(
     (void) self_cnt;
     ((void) ca_crl);
     (void) profile;
+    (void) child;
 
     /* Check time-validity of the parent */
     if( mbedtls_x509_time_is_past( &trust_ca->valid_to ) )
@@ -2034,13 +2035,6 @@ static int x509_crt_verify_top(
         }
     }
 
-    /* Call callback on child */
-    if( NULL != f_vrfy )
-    {
-        if( ( ret = f_vrfy( p_vrfy, child, path_cnt, flags ) ) != 0 )
-            return( ret );
-    }
-
     *flags |= ca_flags;
 
     return( 0 );
@@ -2132,14 +2126,16 @@ static int x509_crt_verify_child(
 
     if( parent_is_trusted )
     {
-        return( x509_crt_verify_top( child, parent, ca_crl, profile,
-                                     path_cnt, self_cnt, flags, f_vrfy, p_vrfy ) );
+        ret = x509_crt_verify_top( child, parent, ca_crl, profile,
+                                   path_cnt, self_cnt, &parent_flags, f_vrfy, p_vrfy );
+    }
+    else
+    {
+        /* verify the rest of the chain starting from parent */
+        ret = x509_crt_verify_child( parent, trust_ca, ca_crl,
+                                     profile, path_cnt + 1, self_cnt, &parent_flags,
+                                     f_vrfy, p_vrfy );
     }
-
-    /* verify the rest of the chain starting from parent */
-    ret = x509_crt_verify_child( parent, trust_ca, ca_crl,
-                                 profile, path_cnt + 1, self_cnt, &parent_flags,
-                                 f_vrfy, p_vrfy );
 
     if( ret != 0 )
         return( ret );
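Review bot: With the child callback removed, x509_crt_verify_top now reports only on the trusted parent, but nothing in the function says so, and the `child` parameter is kept solely to be cast to void; the header comment (outside the hunk) should state the new contract, e.g. `/* Verify the trusted parent only: time validity and the vrfy callback on it. The caller must run f_vrfy on child itself and OR *flags into its own flags. */`. The removed block was also a writer of `ret`; if the parent-side callback earlier in the function is the only remaining assignment, `ret` is still fine, but if that callback is absent or guarded, `ret` may now be unused on some paths and trip -Wunused — worth one compile to confirm. x509_crt_verify_top starts before this hunk and its other callback site is not visible here.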
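Review bot: The trusted-parent branch now hands x509_crt_verify_top `&parent_flags` instead of `flags`, so the expired / not-yet-valid bits that verify_top ORs in as `ca_flags` (previous hunk) only reach the caller if the code after `return( ret )` merges `*flags |= parent_flags` on this path as well; before this change the branch returned straight from verify_top with the caller's `flags` already updated. If that merge, or the f_vrfy call on `child` that the previous hunk removed from verify_top, sits on a path only the recursive branch used to take, a chain ending in an expired trusted CA would now verify clean — please confirm the tail of x509_crt_verify_child, which is outside the hunk. `parent_flags` must also be zero-initialised before this call, since verify_top ORs into `*flags` rather than assigning it; its declaration is likewise outside the hunk.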