x509: correct argument of gnutls_verify_output_function

This is a leftover of 52e78f1e.  We need to call
gnutls_verify_output_function with the replaced CA cert instead of the
original cert.

Signed-off-by: Daiki Ueno <ueno@gnu.org>

diff --git a/lib/x509/verify.c b/lib/x509/verify.c
index bab223ceca9bc982c0cd910a4197b0cd50168698..ee9bdd57f5db136d0663e91bbec313a4a7a33bec 100644 (file)
--- a/lib/x509/verify.c
+++ b/lib/x509/verify.c
@@ -1224,12 +1224,13 @@ _gnutls_pkcs11_verify_crt_status(gnutls_x509_trust_list_t tlist,
                if (_gnutls_pkcs11_crt_is_known (url, certificate_list[i], vflags, &trusted_cert) != 0) {
 
                        status |= check_ca_sanity(trusted_cert, now, flags);
-                       gnutls_x509_crt_deinit(trusted_cert);
 
                        if (func)
-                               func(certificate_list[i],
+                               func(trusted_cert,
                                     certificate_list[i], NULL, status);
 
+                       gnutls_x509_crt_deinit(trusted_cert);
+
                        if (status != 0) {
                                return gnutls_assert_val(status);
                        }