diff options
| author | beck <> | 2021-08-30 08:59:33 +0000 |
|---|---|---|
| committer | beck <> | 2021-08-30 08:59:33 +0000 |
| commit | 128cd60e8913a5432c5f2cd611f876aaf30cc54a (patch) | |
| tree | 2510ed05c30c1bcf9cdac6215e2c866cea062d73 | |
| parent | 4e50a8d4146b751db152850becadcd0a15593980 (diff) | |
| download | openbsd-128cd60e8913a5432c5f2cd611f876aaf30cc54a.tar.gz openbsd-128cd60e8913a5432c5f2cd611f876aaf30cc54a.tar.bz2 openbsd-128cd60e8913a5432c5f2cd611f876aaf30cc54a.zip | |
Revert previous change that changed our default return for unable to
find leaf cert issuers. This breaks perl and ruby regress, as noticed
by tb that "we tried this before".
Jan's regress that cares about 21 vs 20 needs to change
ok tb@
| -rw-r--r-- | src/lib/libcrypto/x509/x509_verify.c | 16 |
1 files changed, 5 insertions, 11 deletions
diff --git a/src/lib/libcrypto/x509/x509_verify.c b/src/lib/libcrypto/x509/x509_verify.c index 51108bbe72..39371ef038 100644 --- a/src/lib/libcrypto/x509/x509_verify.c +++ b/src/lib/libcrypto/x509/x509_verify.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: x509_verify.c,v 1.46 2021/08/30 06:51:36 beck Exp $ */ | 1 | /* $OpenBSD: x509_verify.c,v 1.47 2021/08/30 08:59:33 beck Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org> | 3 | * Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org> |
| 4 | * | 4 | * |
| @@ -132,11 +132,8 @@ x509_verify_chain_append(struct x509_verify_chain *chain, X509 *cert, | |||
| 132 | * We've just added the issuer for the previous certificate, | 132 | * We've just added the issuer for the previous certificate, |
| 133 | * clear its error if appropriate. | 133 | * clear its error if appropriate. |
| 134 | */ | 134 | */ |
| 135 | if (idx > 1 && | 135 | if (idx > 1 && chain->cert_errors[idx - 1] == |
| 136 | (chain->cert_errors[idx - 1] == | 136 | X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) |
| 137 | X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY || | ||
| 138 | chain->cert_errors[idx - 1] == | ||
| 139 | X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE)) | ||
| 140 | chain->cert_errors[idx - 1] = X509_V_OK; | 137 | chain->cert_errors[idx - 1] = X509_V_OK; |
| 141 | 138 | ||
| 142 | return 1; | 139 | return 1; |
| @@ -409,9 +406,7 @@ x509_verify_ctx_add_chain(struct x509_verify_ctx *ctx, | |||
| 409 | 406 | ||
| 410 | /* Clear a get issuer failure for a root certificate. */ | 407 | /* Clear a get issuer failure for a root certificate. */ |
| 411 | if (chain->cert_errors[depth] == | 408 | if (chain->cert_errors[depth] == |
| 412 | X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY || | 409 | X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) |
| 413 | chain->cert_errors[depth] == | ||
| 414 | X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE) | ||
| 415 | chain->cert_errors[depth] = X509_V_OK; | 410 | chain->cert_errors[depth] = X509_V_OK; |
| 416 | 411 | ||
| 417 | if (!x509_verify_ctx_validate_legacy_chain(ctx, chain, depth)) | 412 | if (!x509_verify_ctx_validate_legacy_chain(ctx, chain, depth)) |
| @@ -601,8 +596,7 @@ x509_verify_build_chains(struct x509_verify_ctx *ctx, X509 *cert, | |||
| 601 | return; | 596 | return; |
| 602 | 597 | ||
| 603 | count = ctx->chains_count; | 598 | count = ctx->chains_count; |
| 604 | ctx->error = depth == 0 ? X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE : | 599 | ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY; |
| 605 | X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY; | ||
| 606 | ctx->error_depth = depth; | 600 | ctx->error_depth = depth; |
| 607 | if (ctx->xsc != NULL) { | 601 | if (ctx->xsc != NULL) { |
| 608 | /* | 602 | /* |