When calling the legacy callback, ensure we catch the case where it

has decided to change a succeess to a failure and change the error code.

Fixes a regression in the openssl-ruby tests which expect to test this
functionality.

ok tb@

1 files changed, 5 insertions, 2 deletions

diff --git a/src/lib/libcrypto/x509/x509_verify.c b/src/lib/libcrypto/x509/x509_verify.c
index 2ec53f6fc8..e49fbdee48 100644
--- a/src/lib/libcrypto/x509/x509_verify.c
+++ b/src/lib/libcrypto/x509/x509_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_verify.c,v 1.48 2021/09/03 08:58:53 beck Exp $ */
+/* $OpenBSD: x509_verify.c,v 1.49 2021/09/09 15:09:43 beck Exp $ */
 /*
  * Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org>
  *
@@ -1205,8 +1205,11 @@ x509_verify(struct x509_verify_ctx *ctx, X509 *leaf, char *name)
                          * verified chain. The callback could still tell us to
                          * fail.
                          */
-                        if(!x509_vfy_callback_indicate_success(ctx->xsc))
+                        if(!x509_vfy_callback_indicate_success(ctx->xsc)) {
+                                /* The callback can change the error code */
+                                ctx->error = ctx->xsc->error;
                                 goto err;
+                        }
                 } else {
                         /*
                          * We had a failure, indicate the failure, but