Call the callback on success in new verifier in a compatible way

when we succeed with a chain, and ensure we do not call the callback twice when the caller doesn't expect it. A refactor of the end of the legacy verify code in x509_vfy is probably overdue, but this should be done based on a piece that works. the important bit here is this allows the perl regression tests in tree to pass. Changes the previously committed regress tests to test the success case callbacks to be known to pass. ok bluhm@ tb@
author: beck <> 2021-09-03 08:58:53 +0000
committer: beck <> 2021-09-03 08:58:53 +0000
commit: 994245ef52a1aae31fcfe4b4f477541af4815037 (patch)
tree: 9c46aa8dc9877d0ff22a6819eece4485287e26be /src/lib/libcrypto/x509/x509_vfy.c
parent: 85941777b4cebd473c07bdc6a1b63738e4b65fa3 (diff)
download: openbsd-994245ef52a1aae31fcfe4b4f477541af4815037.tar.gz
openbsd-994245ef52a1aae31fcfe4b4f477541af4815037.tar.bz2
openbsd-994245ef52a1aae31fcfe4b4f477541af4815037.zip
1 files changed, 17 insertions, 5 deletions
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
index a161b330ae..2f69017e96 100644
--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.88 2021/08/28 15:22:42 beck Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.89 2021/09/03 08:58:53 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1879,7 +1879,7 @@ x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int depth)
 }
 static int
-internal_verify(X509_STORE_CTX *ctx)
+x509_vfy_internal_verify(X509_STORE_CTX *ctx, int chain_verified)
 {
        int n = sk_X509_num(ctx->chain) - 1;
        X509 *xi = sk_X509_value(ctx->chain, n);
@@ -1915,8 +1915,8 @@ internal_verify(X509_STORE_CTX *ctx)
                 * certificate and its depth (rather than the depth of
                 * the subject).
                 */
-                if (xs != xi ||
+                if (!chain_verified && ( xs != xi ||
-                    (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE)) {
+                    (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE))) {
                        EVP_PKEY *pkey;
                        if ((pkey = X509_get_pubkey(xi)) == NULL) {
                                if (!verify_cb_cert(ctx, xi, xi != xs ? n+1 : n,
@@ -1933,7 +1933,7 @@ internal_verify(X509_STORE_CTX *ctx)
                }
 check_cert:
                /* Calls verify callback as needed */
-                if (!x509_check_cert_time(ctx, xs, n))
+                if (!chain_verified && !x509_check_cert_time(ctx, xs, n))
                        return 0;
                /*
@@ -1954,6 +1954,18 @@ check_cert:
        return 1;
 }
+static int
+internal_verify(X509_STORE_CTX *ctx)
+{
+        return x509_vfy_internal_verify(ctx, 0);
+}
+int
+x509_vfy_callback_indicate_success(X509_STORE_CTX *ctx)
+{
+        return x509_vfy_internal_verify(ctx, 1);
+}
 int
 X509_cmp_current_time(const ASN1_TIME *ctm)
 {
author	beck <>	2021-09-03 08:58:53 +0000
committer	beck <>	2021-09-03 08:58:53 +0000
commit	994245ef52a1aae31fcfe4b4f477541af4815037 (patch)
tree	9c46aa8dc9877d0ff22a6819eece4485287e26be /src/lib/libcrypto/x509/x509_vfy.c
parent	85941777b4cebd473c07bdc6a1b63738e4b65fa3 (diff)
download	openbsd-994245ef52a1aae31fcfe4b4f477541af4815037.tar.gz openbsd-994245ef52a1aae31fcfe4b4f477541af4815037.tar.bz2 openbsd-994245ef52a1aae31fcfe4b4f477541af4815037.zip