Revert previous change that forced consistency between return value and

error code, since this breaks the documented API. Under certain circumstances this will result in incorrect successful certiticate verification (where a user supplied callback always returns 1, and later code checks the error code to potentially abort post verification)
author: beck <> 2017-04-28 23:03:58 +0000
committer: beck <> 2017-04-28 23:03:58 +0000
commit: 5a18a8b528471ac0ae619a87a6421a9bc82fe614 (patch)
tree: 02bb5bafaab90ca6699776666acd5125c8b56244
parent: 0e8cbd9898a13fec69ddf5721cdf1137fe077ca5 (diff)
download: openbsd-5a18a8b528471ac0ae619a87a6421a9bc82fe614.tar.gz
openbsd-5a18a8b528471ac0ae619a87a6421a9bc82fe614.tar.bz2
openbsd-5a18a8b528471ac0ae619a87a6421a9bc82fe614.zip
1 files changed, 2 insertions, 10 deletions
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
index 8c2f5b66db..0d01301446 100644
--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.63 2017/04/28 22:46:40 beck Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.64 2017/04/28 23:03:58 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -541,15 +541,7 @@ X509_verify_cert(X509_STORE_CTX *ctx)
        /* Safety net, error returns must set ctx->error */
        if (ok <= 0 && ctx->error == X509_V_OK)
                ctx->error = X509_V_ERR_UNSPECIFIED;
+        return ok;
-        /*
-         * Safety net, if user provided verify callback indicates sucess
-         * make sure they have set error to X509_V_OK
-         */
-        if (ctx->verify_cb != null_callback && ok == 1)
-                ctx->error = X509_V_OK;
-        return(ctx->error == X509_V_OK);
 }
 /* Given a STACK_OF(X509) find the issuer of cert (if any)
author	beck <>	2017-04-28 23:03:58 +0000
committer	beck <>	2017-04-28 23:03:58 +0000
commit	5a18a8b528471ac0ae619a87a6421a9bc82fe614 (patch)
tree	02bb5bafaab90ca6699776666acd5125c8b56244
parent	0e8cbd9898a13fec69ddf5721cdf1137fe077ca5 (diff)
download	openbsd-5a18a8b528471ac0ae619a87a6421a9bc82fe614.tar.gz openbsd-5a18a8b528471ac0ae619a87a6421a9bc82fe614.tar.bz2 openbsd-5a18a8b528471ac0ae619a87a6421a9bc82fe614.zip

diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c index 8c2f5b66db..0d01301446 100644 --- a/src/lib/libcrypto/x509/x509_vfy.c +++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: x509_vfy.c,v 1.63 2017/04/28 22:46:40 beck Exp $ */	1	/* $OpenBSD: x509_vfy.c,v 1.64 2017/04/28 23:03:58 beck Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -541,15 +541,7 @@ X509_verify_cert(X509_STORE_CTX *ctx)
541	/* Safety net, error returns must set ctx->error */	541	/* Safety net, error returns must set ctx->error */
542	if (ok <= 0 && ctx->error == X509_V_OK)	542	if (ok <= 0 && ctx->error == X509_V_OK)
543	ctx->error = X509_V_ERR_UNSPECIFIED;	543	ctx->error = X509_V_ERR_UNSPECIFIED;
544		544	return ok;
545	/*
546	* Safety net, if user provided verify callback indicates sucess
547	* make sure they have set error to X509_V_OK
548	*/
549	if (ctx->verify_cb != null_callback && ok == 1)
550	ctx->error = X509_V_OK;
551
552	return(ctx->error == X509_V_OK);
553	}	545	}
554		546
555	/* Given a STACK_OF(X509) find the issuer of cert (if any)	547	/* Given a STACK_OF(X509) find the issuer of cert (if any)