authorbeck <>2021-08-30 06:51:36 +0000
committerbeck <>2021-08-30 06:51:36 +0000
commite0c2d897b0129c94326b52a6000f35dc5458eee7 (patch)
tree4c24dae3f380d35eec3fa93d5f2b791bd195edac
parentb107f33a109e9b33061c906a9df402295f24b822 (diff)
Fix Jan's regress in openssl/x509 to do what it says it does,
then fix the only thing it still has complaints about, which is that we don't return the leaf version of the error code when we can't verify the leaf (as opposed to the rest of the chain). ok jan@ tb@
-rw-r--r--src/lib/libcrypto/x509/x509_verify.c16
-rw-r--r--src/regress/usr.bin/openssl/x509/Makefile12
2 files changed, 15 insertions, 13 deletions
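--- a/src/lib/libcrypto/x509/x509_verify.c
+++ b/src/lib/libcrypto/x509/x509_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_verify.c,v 1.45 2021/08/29 17:13:15 beck Exp $ */
+/* $OpenBSD: x509_verify.c,v 1.46 2021/08/30 06:51:36 beck Exp $ */
 /*
  * Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org>
  *
@@ -132,8 +132,11 @@ x509_verify_chain_append(struct x509_verify_chain *chain, X509 *cert,
 	 * We've just added the issuer for the previous certificate,
 	 * clear its error if appropriate.
 	 */
-	if (idx > 1 && chain->cert_errors[idx - 1] ==
-	    X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
+	if (idx > 1 &&
+	    (chain->cert_errors[idx - 1] ==
+	    X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ||
+	    chain->cert_errors[idx - 1] ==
+	    X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE))
 		chain->cert_errors[idx - 1] = X509_V_OK;
 
 	return 1;
@@ -406,7 +409,9 @@ x509_verify_ctx_add_chain(struct x509_verify_ctx *ctx,
 
 	/* Clear a get issuer failure for a root certificate. */
 	if (chain->cert_errors[depth] ==
-	    X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
+	    X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ||
+	    chain->cert_errors[depth] ==
+	    X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE)
 		chain->cert_errors[depth] = X509_V_OK;
 
 	if (!x509_verify_ctx_validate_legacy_chain(ctx, chain, depth))
@@ -596,7 +601,8 @@ x509_verify_build_chains(struct x509_verify_ctx *ctx, X509 *cert,
 		return;
 
 	count = ctx->chains_count;
-	ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
+	ctx->error = depth == 0 ? X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE :
+	    X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
 	ctx->error_depth = depth;
 	if (ctx->xsc != NULL) {
 		/*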
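Review bot: The comment in x509_verify_ctx_add_chain, `/* Clear a get issuer failure for a root certificate. */`, no longer matches the condition below it, which now also clears X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE; suggest `/* Clear a get issuer / verify leaf failure for a root certificate. */`, and the "clear its error if appropriate" comment in x509_verify_chain_append would read better if it named the two codes it clears. The same two-code test is now spelled out in both x509_verify_chain_append and x509_verify_ctx_add_chain; a small `static int` predicate on the error value (say, one returning non-zero for either missing-issuer code) would keep the two sites from drifting if a third code is ever mapped this way. In x509_verify_build_chains the new ternary reads correctly, but a one-line comment stating that depth 0 is the leaf and so gets the leaf-specific code would save the next reader a trip to the commit log. All three enclosing functions start and end outside their hunks.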
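--- a/src/regress/usr.bin/openssl/x509/Makefile
+++ b/src/regress/usr.bin/openssl/x509/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.7 2021/08/29 15:52:47 tb Exp $
+# $OpenBSD: Makefile,v 1.8 2021/08/30 06:51:36 beck Exp $
 
 # Copyright (c) 2021 Jan Klemkow <j.klemkow@wemelug.de>
 #
@@ -42,10 +42,6 @@ REGRESS_TARGETS += test-alternative-chain
 REGRESS_CLEANUP = cleanup-ssl
 REGRESS_SETUP_ONCE = create-libressl-test-certs
 
-REGRESS_EXPECTED_FAILURES += test-inlabel-wildcard-cert-no-CA-client
-REGRESS_EXPECTED_FAILURES += test-unusual-wildcard-cert-no-CA-client
-REGRESS_EXPECTED_FAILURES += test-common-wildcard-cert-no-CA-client
-REGRESS_EXPECTED_FAILURES += test-common-wildcard-cert-CA-client
 
 create-libressl-test-certs: create-libressl-test-certs.pl
 	${PERL} ${.CURDIR}/$@.pl
@@ -92,14 +88,14 @@ test-common-wildcard-cert-no-CA-client:
 test-common-wildcard-cert-CA-client:
 	# common wildcard cert, CA given to client
 	# start server
-	${OPENSSL} s_server -quiet -naccept 1 -cert server-unusual-wildcard.pem \
-	    -key server-unusual-wildcard.pem & \
+	${OPENSSL} s_server -quiet -naccept 1 -cert server-common-wildcard.pem \
+	    -key server-common-wildcard.pem & \
 	timeout=$$(($$(date +%s) + 5)); \
 	while fstat -p $$! | ! grep -q 'tcp .* \*:4433$$'; \
 	do test $$(date +%s) -lt $$timeout || exit 1; done
 	# start client
 	echo Q | ${OPENSSL} s_client -CAfile caR.pem \
-	    | grep "Verify return code: 0"
+	    | grep "Verify return code: 0"
 
 test-verify-unusual-wildcard-cert:
 	# openssl verify, unusual wildcard cert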
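Review bot: In test-common-wildcard-cert-CA-client the expected outcome is encoded only as the bare number in `grep "Verify return code: 0"`, with nothing saying why it changed from 21; a comment on the client step, e.g. `# caR.pem is supplied, so the chain must verify: expect return code 0 (ok)`, would make the target self-explaining and match the style of the existing `# start server` / `# start client` comments. The same applies to the other client targets whose expected-failure entries this commit drops, if they grep for a specific code too (those recipes are outside the hunk, so I can't confirm). The pattern is unanchored, which is fine here since no other verify code begins with 0, but `grep -q` would keep the client's output out of the regress log as the server line already does.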