Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/libcrypto/x509/x509_verify.c15
1 files changed, 14 insertions, 1 deletions
diff --git a/src/lib/libcrypto/x509/x509_verify.c b/src/lib/libcrypto/x509/x509_verify.c
index c76a5e103e..5f048bee4f 100644
--- a/src/lib/libcrypto/x509/x509_verify.c
+++ b/src/lib/libcrypto/x509/x509_verify.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: x509_verify.c,v 1.19 2020/11/11 18:49:34 jsing Exp $ */ 1/* $OpenBSD: x509_verify.c,v 1.20 2020/11/15 17:54:49 beck Exp $ */
2/* 2/*
3 * Copyright (c) 2020 Bob Beck <beck@openbsd.org> 3 * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
4 * 4 *
@@ -477,6 +477,19 @@ x509_verify_build_chains(struct x509_verify_ctx *ctx, X509 *cert,
477 count = ctx->chains_count; 477 count = ctx->chains_count;
478 ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY; 478 ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
479 ctx->error_depth = depth; 479 ctx->error_depth = depth;
480 if (ctx->xsc != NULL) {
481 /*
482 * Long ago experiments at Muppet labs resulted in a
483 * situation where software not only sees these errors
484 * but forced developers to expect them in certain cases.
485 * so we must mimic this awfulness for the legacy case.
486 */
487 if (cert->ex_flags & EXFLAG_SS)
488 ctx->error = (depth == 0) ?
489 X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
490 X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
491
492 }
480 493
481 for (i = 0; i < sk_X509_num(ctx->roots); i++) { 494 for (i = 0; i < sk_X509_num(ctx->roots); i++) {
482 candidate = sk_X509_value(ctx->roots, i); 495 candidate = sk_X509_value(ctx->roots, i);
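Review bot: The new legacy-error block at new lines 480-492 leaves a stray blank line (491) directly before the closing brace, and the ternary at 488-490 has no space before the `:`, which KNF writes as `X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT :`. Dropping the blank line and writing `ctx->error = (depth == 0) ? X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT : X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;` keeps the block in the file's style. Separately, the test relies on `cert->ex_flags` already carrying EXFLAG_SS, which is only meaningful once the certificate's extensions have been cached; if a cert can reach this point before that has happened (not visible in this hunk), the self-signed case would silently fall back to the generic issuer error, so a one-line comment naming that precondition above the `if (cert->ex_flags & EXFLAG_SS)` would help the next reader. x509_verify_build_chains starts and ends outside the hunk.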