Fix shadowed verify_error in s_server by removing the unused global.

's_time -verify 1' will now actually verify the peer certificate.

ok beck@

4 files changed, 8 insertions, 10 deletions

diff --git a/src/usr.bin/openssl/s_apps.h b/src/usr.bin/openssl/s_apps.h
index 177ec87ae4..cd0a057845 100644
--- a/src/usr.bin/openssl/s_apps.h
+++ b/src/usr.bin/openssl/s_apps.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: s_apps.h,v 1.2 2015/04/14 12:56:36 jsing Exp $ */
+/* $OpenBSD: s_apps.h,v 1.3 2015/09/10 06:36:45 bcook Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -116,7 +116,6 @@
 #define PROTOCOL        "tcp"
 
 extern int verify_depth;
-extern int verify_error;
 extern int verify_return_error;
 
 int do_server(int port, int type, int *ret,
diff --git a/src/usr.bin/openssl/s_cb.c b/src/usr.bin/openssl/s_cb.c
index 3bead8236a..596884ff16 100644
--- a/src/usr.bin/openssl/s_cb.c
+++ b/src/usr.bin/openssl/s_cb.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s_cb.c,v 1.4 2015/07/20 21:52:07 doug Exp $ */
+/* $OpenBSD: s_cb.c,v 1.5 2015/09/10 06:36:45 bcook Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -129,7 +129,6 @@
 #define COOKIE_SECRET_LENGTH    16
 
 int verify_depth = 0;
-int verify_error = X509_V_OK;
 int verify_return_error = 0;
 unsigned char cookie_secret[COOKIE_SECRET_LENGTH];
 int cookie_initialized = 0;
@@ -157,10 +156,8 @@ verify_callback(int ok, X509_STORE_CTX * ctx)
                 if (verify_depth >= depth) {
                         if (!verify_return_error)
                                 ok = 1;
-                        verify_error = X509_V_OK;
                 } else {
                         ok = 0;
-                        verify_error = X509_V_ERR_CERT_CHAIN_TOO_LONG;
                 }
         }
         switch (err) {
diff --git a/src/usr.bin/openssl/s_client.c b/src/usr.bin/openssl/s_client.c
index dcda13f46c..14ba563409 100644
--- a/src/usr.bin/openssl/s_client.c
+++ b/src/usr.bin/openssl/s_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s_client.c,v 1.16 2015/08/22 16:36:05 jsing Exp $ */
+/* $OpenBSD: s_client.c,v 1.17 2015/09/10 06:36:45 bcook Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -390,7 +390,6 @@ s_client_main(int argc, char **argv)
                 goto end;
         }
         verify_depth = 0;
-        verify_error = X509_V_OK;
         c_nbio = 0;
 
         argc--;
diff --git a/src/usr.bin/openssl/s_time.c b/src/usr.bin/openssl/s_time.c
index 87a0a20382..ee4e584bd9 100644
--- a/src/usr.bin/openssl/s_time.c
+++ b/src/usr.bin/openssl/s_time.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s_time.c,v 1.9 2015/08/22 16:36:05 jsing Exp $ */
+/* $OpenBSD: s_time.c,v 1.10 2015/09/10 06:36:45 bcook Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -256,7 +256,6 @@ s_time_main(int argc, char **argv)
         s_time_meth = SSLv23_client_method();
 
         verify_depth = 0;
-        verify_error = X509_V_OK;
 
         memset(&s_time_config, 0, sizeof(s_time_config));
 
@@ -299,6 +298,8 @@ s_time_main(int argc, char **argv)
                 }
         }
 
+        SSL_CTX_set_verify(tm_ctx, s_time_config.verify, NULL);
+
         if (!set_cert_stuff(tm_ctx, s_time_config.certfile,
             s_time_config.keyfile))
                 goto end;
@@ -491,6 +492,7 @@ doConnection(SSL * scon)
         struct pollfd pfd[1];
         SSL *serverCon;
         BIO *conn;
+        long verify_error;
         int i;
 
         if ((conn = BIO_new(BIO_s_connect())) == NULL)
@@ -524,6 +526,7 @@ doConnection(SSL * scon)
         }
         if (i <= 0) {
                 BIO_printf(bio_err, "ERROR\n");
+                verify_error = SSL_get_verify_result(serverCon);
                 if (verify_error != X509_V_OK)
                         BIO_printf(bio_err, "verify error:%s\n",
                             X509_verify_cert_error_string(verify_error));