Revert previous - the original code was correct since X509_verify_cert()

should not have changed the X509_STORE_CTX error value on success and it
was initialised to X509_V_OK by X509_STORE_CTX_init(). Other software also
depends on this behaviour.

Previously X509_verify_cert() was mishandling the X509_STORE_CTX error
value when validating alternate chains. This has been fixed and further
changes now explicitly ensure that the error value will be set to X509_V_OK
if X509_verify_cert() returns success.

1 files changed, 5 insertions, 5 deletions

diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c
index 53a8506622..e192942b6b 100644
--- a/src/lib/libtls/tls.c
+++ b/src/lib/libtls/tls.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.c,v 1.54 2017/01/02 22:03:56 tedu Exp $ */
+/* $OpenBSD: tls.c,v 1.55 2017/01/03 17:13:41 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -369,19 +369,19 @@ static int
 tls_ssl_cert_verify_cb(X509_STORE_CTX *x509_ctx, void *arg)
 {
         struct tls *ctx = arg;
-        int x509_err, rv;
+        int x509_err;
 
         if (ctx->config->verify_cert == 0)
                 return (1);
 
-        if ((rv = X509_verify_cert(x509_ctx)) < 0) {
+        if ((X509_verify_cert(x509_ctx)) < 0) {
                 tls_set_errorx(ctx, "X509 verify cert failed");
                 return (0);
         }
-        if (rv == 1)
-                return 1;
 
         x509_err = X509_STORE_CTX_get_error(x509_ctx);
+        if (x509_err == X509_V_OK)
+                return (1);
 
         tls_set_errorx(ctx, "certificate verification failed: %s",
             X509_verify_cert_error_string(x509_err));