If x509_verify() fails, ensure that the error is also set on the store

context. This is what is returned in SSL_get_verify_result(). Spotted and initial diff from jeremy; discussed with jsing ok beck
author: tb <> 2020-10-26 11:59:16 +0000
committer: tb <> 2020-10-26 11:59:16 +0000
commit: 5035742c50e7ba71002226f107cc1ba6ae270c99 (patch)
tree: 899040da01b8003eb24fe512628bb9f06ad2ae0a /src/lib
parent: f61b97d9dd62e878e271aa54b64879e8942a182f (diff)
download: openbsd-5035742c50e7ba71002226f107cc1ba6ae270c99.tar.gz
openbsd-5035742c50e7ba71002226f107cc1ba6ae270c99.tar.bz2
openbsd-5035742c50e7ba71002226f107cc1ba6ae270c99.zip
1 files changed, 15 insertions, 10 deletions
diff --git a/src/lib/libcrypto/x509/x509_verify.c b/src/lib/libcrypto/x509/x509_verify.c
index fdde098df7..74316cb941 100644
--- a/src/lib/libcrypto/x509/x509_verify.c
+++ b/src/lib/libcrypto/x509/x509_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_verify.c,v 1.14 2020/10/26 11:56:36 tb Exp $ */
+/* $OpenBSD: x509_verify.c,v 1.15 2020/10/26 11:59:16 tb Exp $ */
 /*
 * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
 *
@@ -858,13 +858,13 @@ x509_verify(struct x509_verify_ctx *ctx, X509 *leaf, char *name)
        if (ctx->roots == NULL || ctx->max_depth == 0) {
                ctx->error = X509_V_ERR_INVALID_CALL;
-                return 0;
+                goto err;
        }
        if (ctx->xsc != NULL) {
                if (leaf != NULL || name != NULL) {
                        ctx->error = X509_V_ERR_INVALID_CALL;
-                        return 0;
+                        goto err;
                }
                leaf = ctx->xsc->cert;
@@ -877,34 +877,34 @@ x509_verify(struct x509_verify_ctx *ctx, X509 *leaf, char *name)
                 */
                if ((ctx->xsc->chain = sk_X509_new_null()) == NULL) {
                        ctx->error = X509_V_ERR_OUT_OF_MEM;
-                        return 0;
+                        goto err;
                }
                if (!X509_up_ref(leaf)) {
                        ctx->error = X509_V_ERR_OUT_OF_MEM;
-                        return 0;
+                        goto err;
                }
                if (!sk_X509_push(ctx->xsc->chain, leaf)) {
                        X509_free(leaf);
                        ctx->error = X509_V_ERR_OUT_OF_MEM;
-                        return 0;
+                        goto err;
                }
                ctx->xsc->error_depth = 0;
                ctx->xsc->current_cert = leaf;
        }
        if (!x509_verify_cert_valid(ctx, leaf, NULL))
-                return 0;
+                goto err;
        if (!x509_verify_cert_hostname(ctx, leaf, name))
-                return 0;
+                goto err;
        if ((current_chain = x509_verify_chain_new()) == NULL) {
                ctx->error = X509_V_ERR_OUT_OF_MEM;
-                return 0;
+                goto err;
        }
        if (!x509_verify_chain_append(current_chain, leaf, &ctx->error)) {
                x509_verify_chain_free(current_chain);
-                return 0;
+                goto err;
        }
        if (x509_verify_ctx_cert_is_root(ctx, leaf))
                x509_verify_ctx_add_chain(ctx, current_chain);
@@ -930,4 +930,9 @@ x509_verify(struct x509_verify_ctx *ctx, X509 *leaf, char *name)
                return ctx->xsc->verify_cb(ctx->chains_count, ctx->xsc);
        }
        return (ctx->chains_count);
+ err:
+        if (ctx->xsc != NULL)
+                ctx->xsc->error = ctx->error;
+        return 0;
 }
author	tb <>	2020-10-26 11:59:16 +0000
committer	tb <>	2020-10-26 11:59:16 +0000
commit	5035742c50e7ba71002226f107cc1ba6ae270c99 (patch)
tree	899040da01b8003eb24fe512628bb9f06ad2ae0a /src/lib
parent	f61b97d9dd62e878e271aa54b64879e8942a182f (diff)
download	openbsd-5035742c50e7ba71002226f107cc1ba6ae270c99.tar.gz openbsd-5035742c50e7ba71002226f107cc1ba6ae270c99.tar.bz2 openbsd-5035742c50e7ba71002226f107cc1ba6ae270c99.zip