Diffstat (limited to 'src/lib/libcrypto')
| -rw-r--r-- | src/lib/libcrypto/x509/x509_verify.c | 16 |
1 files changed, 11 insertions, 5 deletions
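--- a/src/lib/libcrypto/x509/x509_verify.c
+++ b/src/lib/libcrypto/x509/x509_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_verify.c,v 1.45 2021/08/29 17:13:15 beck Exp $ */
+/* $OpenBSD: x509_verify.c,v 1.46 2021/08/30 06:51:36 beck Exp $ */
 /*
 * Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org>
 *
@@ -132,8 +132,11 @@ x509_verify_chain_append(struct x509_verify_chain *chain, X509 *cert,
 * We've just added the issuer for the previous certificate,
 * clear its error if appropriate.
 */
-if (idx > 1 && chain->cert_errors[idx - 1] ==
-X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
+if (idx > 1 &&
+(chain->cert_errors[idx - 1] ==
+X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ||
+chain->cert_errors[idx - 1] ==
+X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE))
 chain->cert_errors[idx - 1] = X509_V_OK;
 
 return 1;
@@ -406,7 +409,9 @@ x509_verify_ctx_add_chain(struct x509_verify_ctx *ctx,
 
 /* Clear a get issuer failure for a root certificate. */
 if (chain->cert_errors[depth] ==
-X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
+X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ||
+chain->cert_errors[depth] ==
+X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE)
 chain->cert_errors[depth] = X509_V_OK;
 
 if (!x509_verify_ctx_validate_legacy_chain(ctx, chain, depth))
@@ -596,7 +601,8 @@ x509_verify_build_chains(struct x509_verify_ctx *ctx, X509 *cert,
 return;
 
 count = ctx->chains_count;
-ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
+ctx->error = depth == 0 ? X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE :
+X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
 ctx->error_depth = depth;
 if (ctx->xsc != NULL) {
 /*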
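Review bot: In the x509_verify_chain_append hunk the new X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE clause sits behind `idx > 1`, so the only slot it can clear is `cert_errors[idx - 1]` at index 1 or higher, while the x509_verify_build_chains hunk produces that error only when `depth == 0`. If idx is the index of the certificate just appended and cert_errors is indexed by depth (both are established outside the hunk), the added clause can never match the leaf's slot; please confirm whether the guard was meant to be `idx > 0` or whether the clause is simply unreachable there. Both sites downgrade a verification error to X509_V_OK, so the reason each error is safe to clear deserves a comment, and the existing one in x509_verify_ctx_add_chain is now stale; something like `/* Clear a get issuer or leaf signature failure for a root certificate. */` would match the new condition.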
