From f975fe27469ca9bf06e4f752b39da6cbc32f3bc9 Mon Sep 17 00:00:00 2001
From: akallabeth
Date: Wed, 20 May 2020 13:45:57 +0200
Subject: [PATCH] Abort on first possible certificate validation error

Only retry certificate validation if the purpose was wrong.

(cherry picked from commit de619e9964684eced5fb3108de81440b979aace0)
---
 libfreerdp/crypto/crypto.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/libfreerdp/crypto/crypto.c b/libfreerdp/crypto/crypto.c
index 636ac1fa2..841468339 100644
--- a/libfreerdp/crypto/crypto.c
+++ b/libfreerdp/crypto/crypto.c
@@ -856,7 +856,7 @@ BOOL x509_verify_certificate(CryptoCert cert, const char* certificate_store_path
 for (i = 0; i < ARRAYSIZE(purposes); i++)
 {
- int rc = -1;
+ int err = -1, rc = -1;
 int purpose = purposes[i];
 csc = X509_STORE_CTX_new();
@@ -869,6 +869,7 @@ BOOL x509_verify_certificate(CryptoCert cert, const char* certificate_store_path
 X509_STORE_CTX_set_verify_cb(csc, verify_cb);
 rc = X509_verify_cert(csc);
+ err = X509_STORE_CTX_get_error(csc);
 skip:
 X509_STORE_CTX_free(csc);
 if (rc == 1)
@@ -876,6 +877,8 @@ BOOL x509_verify_certificate(CryptoCert cert, const char* certificate_store_path
 status = TRUE;
 break;
 }
+ else if (err != X509_V_ERR_INVALID_PURPOSE)
+ break;
 }
 X509_STORE_free(cert_ctx);
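Review bot: `err` is assigned only on the path that reaches `X509_verify_cert`, because the new line sits above the `skip:` label; any `goto skip` earlier in the loop body (outside this hunk) leaves it at the `-1` initialiser from the first hunk. The `else if` added in the last hunk then ends the loop without setting `status`, which is the fail-closed outcome, but nothing in the code says this is intended. A comment at the declaration would record it, e.g. `/* err stays -1 when setup jumps to skip, so the loop aborts instead of retrying */`.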
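Review bot: The `else if (err != X509_V_ERR_INVALID_PURPOSE)` branch carries the whole policy change of this patch, yet it has no comment and its `break` is unbraced. I would brace the `break` and put `/* Only a purpose mismatch is retried with the next entry of purposes[]; every other verification error is final. */` above it. How strict the result is still depends on the contents of `purposes[]`, which is declared outside the hunk. If that list includes a catch-all purpose, a purpose mismatch can never be the final verdict, and that is worth stating next to the array. The loop body starts outside this hunk, so the earlier `goto skip` sites are not visible here.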