2 files changed, 15 insertions, 13 deletions

diff --git a/src/lib/libcrypto/x509/x509_verify.c b/src/lib/libcrypto/x509/x509_verify.c
index 051a04c1be..51108bbe72 100644
--- a/src/lib/libcrypto/x509/x509_verify.c
+++ b/src/lib/libcrypto/x509/x509_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_verify.c,v 1.45 2021/08/29 17:13:15 beck Exp $ */
+/* $OpenBSD: x509_verify.c,v 1.46 2021/08/30 06:51:36 beck Exp $ */
 /*
  * Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org>
  *
@@ -132,8 +132,11 @@ x509_verify_chain_append(struct x509_verify_chain *chain, X509 *cert,
          * We've just added the issuer for the previous certificate,
          * clear its error if appropriate.
          */
-        if (idx > 1 && chain->cert_errors[idx - 1] ==
-            X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
+        if (idx > 1 &&
+            (chain->cert_errors[idx - 1] ==
+            X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ||
+            chain->cert_errors[idx - 1] ==
+            X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE))
                 chain->cert_errors[idx - 1] = X509_V_OK;
 
         return 1;
@@ -406,7 +409,9 @@ x509_verify_ctx_add_chain(struct x509_verify_ctx *ctx,
 
         /* Clear a get issuer failure for a root certificate. */
         if (chain->cert_errors[depth] ==
-            X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
+            X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ||
+            chain->cert_errors[depth] ==
+            X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE)
                 chain->cert_errors[depth] = X509_V_OK;
 
         if (!x509_verify_ctx_validate_legacy_chain(ctx, chain, depth))
@@ -596,7 +601,8 @@ x509_verify_build_chains(struct x509_verify_ctx *ctx, X509 *cert,
                 return;
 
         count = ctx->chains_count;
-        ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
+        ctx->error = depth == 0 ? X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE :
+            X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
         ctx->error_depth = depth;
         if (ctx->xsc != NULL) {
                 /*
diff --git a/src/regress/usr.bin/openssl/x509/Makefile b/src/regress/usr.bin/openssl/x509/Makefile
index e091b7b0d5..b022974dcb 100644
--- a/src/regress/usr.bin/openssl/x509/Makefile
+++ b/src/regress/usr.bin/openssl/x509/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.7 2021/08/29 15:52:47 tb Exp $
+# $OpenBSD: Makefile,v 1.8 2021/08/30 06:51:36 beck Exp $
 
 # Copyright (c) 2021 Jan Klemkow <j.klemkow@wemelug.de>
 #
@@ -42,10 +42,6 @@ REGRESS_TARGETS +=	test-alternative-chain
 REGRESS_CLEANUP =       cleanup-ssl
 REGRESS_SETUP_ONCE =    create-libressl-test-certs
 
-REGRESS_EXPECTED_FAILURES +=    test-inlabel-wildcard-cert-no-CA-client
-REGRESS_EXPECTED_FAILURES +=    test-unusual-wildcard-cert-no-CA-client
-REGRESS_EXPECTED_FAILURES +=    test-common-wildcard-cert-no-CA-client
-REGRESS_EXPECTED_FAILURES +=    test-common-wildcard-cert-CA-client
 
 create-libressl-test-certs: create-libressl-test-certs.pl
         ${PERL} ${.CURDIR}/$@.pl
@@ -92,14 +88,14 @@ test-common-wildcard-cert-no-CA-client:
 test-common-wildcard-cert-CA-client:
         # common wildcard cert, CA given to client
         # start server
-        ${OPENSSL} s_server -quiet -naccept 1 -cert server-unusual-wildcard.pem \
-            -key server-unusual-wildcard.pem & \
+        ${OPENSSL} s_server -quiet -naccept 1 -cert server-common-wildcard.pem \
+            -key server-common-wildcard.pem & \
             timeout=$$(($$(date +%s) + 5)); \
             while fstat -p $$! | ! grep -q 'tcp .* \*:4433$$'; \
                 do test $$(date +%s) -lt $$timeout || exit 1; done
         # start client
         echo Q | ${OPENSSL} s_client -CAfile caR.pem \
-            | grep "Verify return code: 21"
+            | grep "Verify return code: 0"
 
 test-verify-unusual-wildcard-cert:
         # openssl verify, unusual wildcard cert