1 files changed, 22 insertions, 20 deletions
diff --git a/src/usr.bin/openssl/verify.c b/src/usr.bin/openssl/verify.c
index e4443148ce..937f350a3a 100644
--- a/src/usr.bin/openssl/verify.c
+++ b/src/usr.bin/openssl/verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: verify.c,v 1.9 2020/10/26 11:48:39 tb Exp $ */
+/* $OpenBSD: verify.c,v 1.10 2020/11/03 18:39:18 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -364,45 +364,47 @@ verify_main(int argc, char **argv)
 }
 static int
-check(X509_STORE * ctx, char *file, STACK_OF(X509) * uchain,
+check(X509_STORE *ctx, char *file, STACK_OF(X509) *uchain,
-    STACK_OF(X509) * tchain, STACK_OF(X509_CRL) * crls)
+    STACK_OF(X509) *tchain, STACK_OF(X509_CRL) *crls)
 {
        X509 *x = NULL;
+        X509_STORE_CTX *csc = NULL;
+        const char *certfile = (file == NULL) ? "stdin" : file;
+        int verify_err;
        int i = 0, ret = 0;
-        X509_STORE_CTX *csc;
        x = load_cert(bio_err, file, FORMAT_PEM, NULL, "certificate file");
        if (x == NULL)
                goto end;
-        fprintf(stdout, "%s: ", (file == NULL) ? "stdin" : file);
-        csc = X509_STORE_CTX_new();
+        fprintf(stdout, "%s: ", certfile);
-        if (csc == NULL) {
-                ERR_print_errors(bio_err);
+        if ((csc = X509_STORE_CTX_new()) == NULL)
                goto end;
-        }
        X509_STORE_set_flags(ctx, vflags);
-        if (!X509_STORE_CTX_init(csc, ctx, x, uchain)) {
+        if (!X509_STORE_CTX_init(csc, ctx, x, uchain))
-                ERR_print_errors(bio_err);
                goto end;
-        }
        if (tchain)
                X509_STORE_CTX_trusted_stack(csc, tchain);
        if (crls)
                X509_STORE_CTX_set0_crls(csc, crls);
-        i = X509_verify_cert(csc);
-        X509_STORE_CTX_free(csc);
-        ret = 0;
+        i = X509_verify_cert(csc);
+        verify_err = X509_STORE_CTX_get_error(csc);
- end:
+        if (i > 0 && verify_err == X509_V_OK) {
-        if (i > 0) {
                fprintf(stdout, "OK\n");
                ret = 1;
-        } else
+        } else {
+                fprintf(stdout, "%s: verification failed: %d (%s)\n", certfile,
+                    verify_err, X509_verify_cert_error_string(verify_err));
+        }
+ end:
+        if (i <= 0)
                ERR_print_errors(bio_err);
-        if (x != NULL)
+        X509_free(x);
-                X509_free(x);
+        X509_STORE_CTX_free(csc);
        return (ret);
 }

diff --git a/src/usr.bin/openssl/verify.c b/src/usr.bin/openssl/verify.c index e4443148ce..937f350a3a 100644 --- a/src/usr.bin/openssl/verify.c +++ b/src/usr.bin/openssl/verify.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: verify.c,v 1.9 2020/10/26 11:48:39 tb Exp $ */	1	/* $OpenBSD: verify.c,v 1.10 2020/11/03 18:39:18 tb Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -364,45 +364,47 @@ verify_main(int argc, char **argv)
364	}	364	}
365		365
366	static int	366	static int
367	check(X509_STORE * ctx, char file, STACK_OF(X509) uchain,	367	check(X509_STORE ctx, char file, STACK_OF(X509) *uchain,
368	STACK_OF(X509) * tchain, STACK_OF(X509_CRL) * crls)	368	STACK_OF(X509) tchain, STACK_OF(X509_CRL) crls)
369	{	369	{
370	X509 *x = NULL;	370	X509 *x = NULL;
		371	X509_STORE_CTX *csc = NULL;
		372	const char *certfile = (file == NULL) ? "stdin" : file;
		373	int verify_err;
371	int i = 0, ret = 0;	374	int i = 0, ret = 0;
372	X509_STORE_CTX *csc;
373		375
374	x = load_cert(bio_err, file, FORMAT_PEM, NULL, "certificate file");	376	x = load_cert(bio_err, file, FORMAT_PEM, NULL, "certificate file");
375	if (x == NULL)	377	if (x == NULL)
376	goto end;	378	goto end;
377	fprintf(stdout, "%s: ", (file == NULL) ? "stdin" : file);
378		379
379	csc = X509_STORE_CTX_new();	380	fprintf(stdout, "%s: ", certfile);
380	if (csc == NULL) {	381
381	ERR_print_errors(bio_err);	382	if ((csc = X509_STORE_CTX_new()) == NULL)
382	goto end;	383	goto end;
383	}
384	X509_STORE_set_flags(ctx, vflags);	384	X509_STORE_set_flags(ctx, vflags);
385	if (!X509_STORE_CTX_init(csc, ctx, x, uchain)) {	385	if (!X509_STORE_CTX_init(csc, ctx, x, uchain))
386	ERR_print_errors(bio_err);
387	goto end;	386	goto end;
388	}
389	if (tchain)	387	if (tchain)
390	X509_STORE_CTX_trusted_stack(csc, tchain);	388	X509_STORE_CTX_trusted_stack(csc, tchain);
391	if (crls)	389	if (crls)
392	X509_STORE_CTX_set0_crls(csc, crls);	390	X509_STORE_CTX_set0_crls(csc, crls);
393	i = X509_verify_cert(csc);
394	X509_STORE_CTX_free(csc);
395		391
396	ret = 0;	392	i = X509_verify_cert(csc);
		393	verify_err = X509_STORE_CTX_get_error(csc);
397		394
398	end:	395	if (i > 0 && verify_err == X509_V_OK) {
399	if (i > 0) {
400	fprintf(stdout, "OK\n");	396	fprintf(stdout, "OK\n");
401	ret = 1;	397	ret = 1;
402	} else	398	} else {
		399	fprintf(stdout, "%s: verification failed: %d (%s)\n", certfile,
		400	verify_err, X509_verify_cert_error_string(verify_err));
		401	}
		402
		403	end:
		404	if (i <= 0)
403	ERR_print_errors(bio_err);	405	ERR_print_errors(bio_err);
404	if (x != NULL)	406	X509_free(x);
405	X509_free(x);	407	X509_STORE_CTX_free(csc);
406		408
407	return (ret);	409	return (ret);
408	}	410	}