diff options
| author | beck <> | 2021-08-30 06:51:36 +0000 |
|---|---|---|
| committer | beck <> | 2021-08-30 06:51:36 +0000 |
| commit | e0c2d897b0129c94326b52a6000f35dc5458eee7 (patch) | |
| tree | 4c24dae3f380d35eec3fa93d5f2b791bd195edac /src/lib | |
| parent | b107f33a109e9b33061c906a9df402295f24b822 (diff) | |
| download | openbsd-e0c2d897b0129c94326b52a6000f35dc5458eee7.tar.gz openbsd-e0c2d897b0129c94326b52a6000f35dc5458eee7.tar.bz2 openbsd-e0c2d897b0129c94326b52a6000f35dc5458eee7.zip | |
Fix Jan's regress in openssl/x509 to do what it says it does,
then fix the only thing it still has complaints about which
is that we don't return the leaf version of the error code
when we can't verify the leaf (as opposed to the rest of the chain)
ok jan@ tb@
Diffstat (limited to 'src/lib')
| -rw-r--r-- | src/lib/libcrypto/x509/x509_verify.c | 16 |
1 files changed, 11 insertions, 5 deletions
diff --git a/src/lib/libcrypto/x509/x509_verify.c b/src/lib/libcrypto/x509/x509_verify.c index 051a04c1be..51108bbe72 100644 --- a/src/lib/libcrypto/x509/x509_verify.c +++ b/src/lib/libcrypto/x509/x509_verify.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: x509_verify.c,v 1.45 2021/08/29 17:13:15 beck Exp $ */ | 1 | /* $OpenBSD: x509_verify.c,v 1.46 2021/08/30 06:51:36 beck Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org> | 3 | * Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org> |
| 4 | * | 4 | * |
| @@ -132,8 +132,11 @@ x509_verify_chain_append(struct x509_verify_chain *chain, X509 *cert, | |||
| 132 | * We've just added the issuer for the previous certificate, | 132 | * We've just added the issuer for the previous certificate, |
| 133 | * clear its error if appropriate. | 133 | * clear its error if appropriate. |
| 134 | */ | 134 | */ |
| 135 | if (idx > 1 && chain->cert_errors[idx - 1] == | 135 | if (idx > 1 && |
| 136 | X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) | 136 | (chain->cert_errors[idx - 1] == |
| 137 | X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY || | ||
| 138 | chain->cert_errors[idx - 1] == | ||
| 139 | X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE)) | ||
| 137 | chain->cert_errors[idx - 1] = X509_V_OK; | 140 | chain->cert_errors[idx - 1] = X509_V_OK; |
| 138 | 141 | ||
| 139 | return 1; | 142 | return 1; |
| @@ -406,7 +409,9 @@ x509_verify_ctx_add_chain(struct x509_verify_ctx *ctx, | |||
| 406 | 409 | ||
| 407 | /* Clear a get issuer failure for a root certificate. */ | 410 | /* Clear a get issuer failure for a root certificate. */ |
| 408 | if (chain->cert_errors[depth] == | 411 | if (chain->cert_errors[depth] == |
| 409 | X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) | 412 | X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY || |
| 413 | chain->cert_errors[depth] == | ||
| 414 | X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE) | ||
| 410 | chain->cert_errors[depth] = X509_V_OK; | 415 | chain->cert_errors[depth] = X509_V_OK; |
| 411 | 416 | ||
| 412 | if (!x509_verify_ctx_validate_legacy_chain(ctx, chain, depth)) | 417 | if (!x509_verify_ctx_validate_legacy_chain(ctx, chain, depth)) |
| @@ -596,7 +601,8 @@ x509_verify_build_chains(struct x509_verify_ctx *ctx, X509 *cert, | |||
| 596 | return; | 601 | return; |
| 597 | 602 | ||
| 598 | count = ctx->chains_count; | 603 | count = ctx->chains_count; |
| 599 | ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY; | 604 | ctx->error = depth == 0 ? X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE : |
| 605 | X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY; | ||
| 600 | ctx->error_depth = depth; | 606 | ctx->error_depth = depth; |
| 601 | if (ctx->xsc != NULL) { | 607 | if (ctx->xsc != NULL) { |
| 602 | /* | 608 | /* |