If x509_verify() fails, ensure that the error is also set on the store

context. This is what is returned in SSL_get_verify_result(). Spotted and initial diff from jeremy; discussed with jsing ok beck
author: tb <> 2020-10-26 11:59:16 +0000
committer: tb <> 2020-10-26 11:59:16 +0000
commit: acc40c0c32e41953f34429d329083e63e46ac95c (patch)
tree: 899040da01b8003eb24fe512628bb9f06ad2ae0a
parent: ef3888e731f73ae5de684f0d5688b7d1d3400121 (diff)
download: openbsd-acc40c0c32e41953f34429d329083e63e46ac95c.tar.gz
openbsd-acc40c0c32e41953f34429d329083e63e46ac95c.tar.bz2
openbsd-acc40c0c32e41953f34429d329083e63e46ac95c.zip
1 files changed, 15 insertions, 10 deletions
diff --git a/src/lib/libcrypto/x509/x509_verify.c b/src/lib/libcrypto/x509/x509_verify.c
index fdde098df7..74316cb941 100644
--- a/src/lib/libcrypto/x509/x509_verify.c
+++ b/src/lib/libcrypto/x509/x509_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_verify.c,v 1.14 2020/10/26 11:56:36 tb Exp $ */
+/* $OpenBSD: x509_verify.c,v 1.15 2020/10/26 11:59:16 tb Exp $ */
 /*
 * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
 *
@@ -858,13 +858,13 @@ x509_verify(struct x509_verify_ctx *ctx, X509 *leaf, char *name)
        if (ctx->roots == NULL || ctx->max_depth == 0) {
                ctx->error = X509_V_ERR_INVALID_CALL;
-                return 0;
+                goto err;
        }
        if (ctx->xsc != NULL) {
                if (leaf != NULL || name != NULL) {
                        ctx->error = X509_V_ERR_INVALID_CALL;
-                        return 0;
+                        goto err;
                }
                leaf = ctx->xsc->cert;
@@ -877,34 +877,34 @@ x509_verify(struct x509_verify_ctx *ctx, X509 *leaf, char *name)
                 */
                if ((ctx->xsc->chain = sk_X509_new_null()) == NULL) {
                        ctx->error = X509_V_ERR_OUT_OF_MEM;
-                        return 0;
+                        goto err;
                }
                if (!X509_up_ref(leaf)) {
                        ctx->error = X509_V_ERR_OUT_OF_MEM;
-                        return 0;
+                        goto err;
                }
                if (!sk_X509_push(ctx->xsc->chain, leaf)) {
                        X509_free(leaf);
                        ctx->error = X509_V_ERR_OUT_OF_MEM;
-                        return 0;
+                        goto err;
                }
                ctx->xsc->error_depth = 0;
                ctx->xsc->current_cert = leaf;
        }
        if (!x509_verify_cert_valid(ctx, leaf, NULL))
-                return 0;
+                goto err;
        if (!x509_verify_cert_hostname(ctx, leaf, name))
-                return 0;
+                goto err;
        if ((current_chain = x509_verify_chain_new()) == NULL) {
                ctx->error = X509_V_ERR_OUT_OF_MEM;
-                return 0;
+                goto err;
        }
        if (!x509_verify_chain_append(current_chain, leaf, &ctx->error)) {
                x509_verify_chain_free(current_chain);
-                return 0;
+                goto err;
        }
        if (x509_verify_ctx_cert_is_root(ctx, leaf))
                x509_verify_ctx_add_chain(ctx, current_chain);
@@ -930,4 +930,9 @@ x509_verify(struct x509_verify_ctx *ctx, X509 *leaf, char *name)
                return ctx->xsc->verify_cb(ctx->chains_count, ctx->xsc);
        }
        return (ctx->chains_count);
+ err:
+        if (ctx->xsc != NULL)
+                ctx->xsc->error = ctx->error;
+        return 0;
 }
author	tb <>	2020-10-26 11:59:16 +0000
committer	tb <>	2020-10-26 11:59:16 +0000
commit	acc40c0c32e41953f34429d329083e63e46ac95c (patch)
tree	899040da01b8003eb24fe512628bb9f06ad2ae0a
parent	ef3888e731f73ae5de684f0d5688b7d1d3400121 (diff)
download	openbsd-acc40c0c32e41953f34429d329083e63e46ac95c.tar.gz openbsd-acc40c0c32e41953f34429d329083e63e46ac95c.tar.bz2 openbsd-acc40c0c32e41953f34429d329083e63e46ac95c.zip