may_trusted = 1;
}
- /*
- * Shallow-copy the stack of untrusted certificates (with TLS, this is
- * typically the content of the peer's certificate message) so can make
- * multiple passes over it, while free to remove elements as we go.
- */
- if ((sk_untrusted = sk_X509_dup(ctx->untrusted)) == NULL)
+ /* Initialize empty untrusted stack. */
+ if ((sk_untrusted = sk_X509_new_null()) == NULL)
goto memerr;
/*
- * If we got any "DANE-TA(2) Cert(0) Full(0)" trust anchors from DNS, add
- * them to our working copy of the untrusted certificate stack.
+ * If we got any "Cert(0) Full(0)" trust anchors from DNS, *prepend* them
+ * to our working copy of the untrusted certificate stack.
*/
if (DANETLS_ENABLED(dane) && dane->certs != NULL
&& !X509_add_certs(sk_untrusted, dane->certs, X509_ADD_FLAG_DEFAULT))
goto memerr;
+ /*
+ * Shallow-copy the stack of untrusted certificates (with TLS, this is
+ * typically the content of the peer's certificate message) so we can make
+ * multiple passes over it, while free to remove elements as we go.
+ */
+ if (!X509_add_certs(sk_untrusted, ctx->untrusted, X509_ADD_FLAG_DEFAULT))
+ goto memerr;
+
/*
* Still absurdly large, but arithmetically safe, a lower hard upper bound
* might be reasonable.
projects / thirdparty / openssl.git / commitdiff
