From 7fc13d574c89c5e7af75fea61a2733b96561bd77 Mon Sep 17 00:00:00 2001 From: Rob Austein Date: Thu, 17 Aug 2006 14:59:23 +0000 Subject: Back out previous change to "verify" app, it was a kludge. Defer RFC 3779 path validation until after the CRL checks. svn path=/openssl/trunk/apps/verify.c; revision=172 --- openssl/trunk/crypto/x509/x509_vfy.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) (limited to 'openssl/trunk/crypto') diff --git a/openssl/trunk/crypto/x509/x509_vfy.c b/openssl/trunk/crypto/x509/x509_vfy.c index 713109b5..ecee8164 100644 --- a/openssl/trunk/crypto/x509/x509_vfy.c +++ b/openssl/trunk/crypto/x509/x509_vfy.c @@ -312,6 +312,12 @@ int X509_verify_cert(X509_STORE_CTX *ctx) ok=internal_verify(ctx); if(!ok) goto end; + /* RFC 3779 path validation, now that CRL check has been done */ + ok = v3_asid_validate_path(ctx); + if (!ok) goto end; + ok = v3_addr_validate_path(ctx); + if (!ok) goto end; + /* If we get this far evaluate policies */ if (!bad_chain && (ctx->param->flags & X509_V_FLAG_POLICY_CHECK)) ok = ctx->check_policy(ctx); @@ -518,11 +524,6 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) else must_be_ca = 1; } - /* RFC 3779 path validation */ - ok = v3_asid_validate_path(ctx); - if (!ok) goto end; - ok = v3_addr_validate_path(ctx); - if (!ok) goto end; ok = 1; end: return ok; -- cgit v1.2.3