Back out previous change to "verify" app, it was a kludge.

Defer RFC 3779 path validation until after the CRL checks. svn path=/openssl/trunk/apps/verify.c; revision=172
author: Rob Austein <sra@hactrn.net> 2006-08-17 14:59:23 +0000
committer: Rob Austein <sra@hactrn.net> 2006-08-17 14:59:23 +0000
commit: 7fc13d574c89c5e7af75fea61a2733b96561bd77 (patch)
tree: 42f8af18fcd91d018e6ec104c8304ebc0b16b7b9 /openssl/trunk/crypto/x509
parent: 32f586a877a4cac40b1ff6b0281408f5eb42237a (diff)
1 files changed, 6 insertions, 5 deletions
diff --git a/openssl/trunk/crypto/x509/x509_vfy.c b/openssl/trunk/crypto/x509/x509_vfy.c
index 713109b5..ecee8164 100644
--- a/openssl/trunk/crypto/x509/x509_vfy.c
+++ b/openssl/trunk/crypto/x509/x509_vfy.c
@@ -312,6 +312,12 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
 		ok=internal_verify(ctx);
 	if(!ok) goto end;
 
+	/* RFC 3779 path validation, now that CRL check has been done */
+	ok = v3_asid_validate_path(ctx);
+	if (!ok) goto end;
+	ok = v3_addr_validate_path(ctx);
+	if (!ok) goto end;
+
 	/* If we get this far evaluate policies */
 	if (!bad_chain && (ctx->param->flags & X509_V_FLAG_POLICY_CHECK))
 		ok = ctx->check_policy(ctx);
@@ -518,11 +524,6 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
 		else
 			must_be_ca = 1;
 		}
-	/* RFC 3779 path validation */
-	ok = v3_asid_validate_path(ctx);
-	if (!ok) goto end;
-	ok = v3_addr_validate_path(ctx);
-	if (!ok) goto end;
 	ok = 1;
  end:
 	return ok;
author	Rob Austein <sra@hactrn.net>	2006-08-17 14:59:23 +0000
committer	Rob Austein <sra@hactrn.net>	2006-08-17 14:59:23 +0000
commit	7fc13d574c89c5e7af75fea61a2733b96561bd77 (patch)
tree	42f8af18fcd91d018e6ec104c8304ebc0b16b7b9 /openssl/trunk/crypto/x509
parent	32f586a877a4cac40b1ff6b0281408f5eb42237a (diff)