Diffstat (limited to 'openssl')
-rw-r--r-- | openssl/trunk/apps/verify.c | 1 | ||||
-rw-r--r-- | openssl/trunk/crypto/x509/x509_vfy.c | 11 |
2 files changed, 6 insertions, 6 deletions
diff --git a/openssl/trunk/apps/verify.c b/openssl/trunk/apps/verify.c
index 57396563..9ff32cb0 100644
--- a/openssl/trunk/apps/verify.c
+++ b/openssl/trunk/apps/verify.c
@@ -355,7 +355,6 @@ static int MS_CALLBACK cb(int ok, X509_STORE_CTX *ctx)
 if (ctx->error == X509_V_ERR_CRL_HAS_EXPIRED) ok=1;
 if (ctx->error == X509_V_ERR_CRL_NOT_YET_VALID) ok=1;
 if (ctx->error == X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION) ok=1;
- if (ctx->error == X509_V_ERR_UNNESTED_RESOURCE) ok=1;
 if (ctx->error == X509_V_ERR_NO_EXPLICIT_POLICY)
 policies_print(NULL, ctx);
diff --git a/openssl/trunk/crypto/x509/x509_vfy.c b/openssl/trunk/crypto/x509/x509_vfy.c
index 713109b5..ecee8164 100644
--- a/openssl/trunk/crypto/x509/x509_vfy.c
+++ b/openssl/trunk/crypto/x509/x509_vfy.c
@@ -312,6 +312,12 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
 ok=internal_verify(ctx);
 if(!ok) goto end;
+ /* RFC 3779 path validation, now that CRL check has been done */
+ ok = v3_asid_validate_path(ctx);
+ if (!ok) goto end;
+ ok = v3_addr_validate_path(ctx);
+ if (!ok) goto end;
+
 /* If we get this far evaluate policies */
 if (!bad_chain && (ctx->param->flags & X509_V_FLAG_POLICY_CHECK))
 ok = ctx->check_policy(ctx);
@@ -518,11 +524,6 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
 else
 must_be_ca = 1;
 }
- /* RFC 3779 path validation */
- ok = v3_asid_validate_path(ctx);
- if (!ok) goto end;
- ok = v3_addr_validate_path(ctx);
- if (!ok) goto end;
 ok = 1;
 end:
 return ok;
|
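Review bot: The relocated RFC 3779 checks in X509_verify_cert() run unconditionally, while the policy check directly below them is gated on `!bad_chain`, and the new comment does not say whether that difference is intended. The comment also mentions only the CRL check, although the calls sit after `ok=internal_verify(ctx); if(!ok) goto end;`, so they are reached only once that step has returned success as well. I would extend it to something like `/* RFC 3779 path validation: runs after the CRL and signature checks, and is deliberately not gated on bad_chain so a resource mismatch always fails the chain */`, adjusted if the intent is different. Both results are tested with `if (!ok)`, which assumes the two helpers return only 0 or 1; their return contract is not visible in this diff and is worth confirming. X509_verify_cert's body starts and ends outside the hunk.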