Add a bunch of workarond in the verifier to support partial chains and

the saving of the first error case so that the "autochain" craziness from
openssl will work with the new verifier. This should allow the new verification
code to work with a bunch of the autochain using cases in some software.
(and should allow us to stop using the legacy verifier with autochain)

ok tb@

1 files changed, 4 insertions, 1 deletions

diff --git a/src/lib/libcrypto/x509/x509_internal.h b/src/lib/libcrypto/x509/x509_internal.h
index fe40351228..7160053a8a 100644
--- a/src/lib/libcrypto/x509/x509_internal.h
+++ b/src/lib/libcrypto/x509/x509_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_internal.h,v 1.7 2021/03/12 15:53:38 tb Exp $ */
+/* $OpenBSD: x509_internal.h,v 1.8 2021/07/10 15:52:59 beck Exp $ */
 /*
  * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
  *
@@ -65,6 +65,9 @@ struct x509_verify_chain {
 struct x509_verify_ctx {
         X509_STORE_CTX *xsc;
         struct x509_verify_chain **chains;      /* Validated chains */
+        STACK_OF(X509) *saved_error_chain;
+        int saved_error;
+        int saved_error_depth;
         size_t chains_count;
         int dump_chain;                 /* Dump current chain without erroring */
         STACK_OF(X509) *roots;          /* Trusted roots for this validation */