From 96c75ee2b11e9696094f297147e12a22be999847 Mon Sep 17 00:00:00 2001
From: tb <>
Date: Sat, 8 Feb 2025 01:01:31 +0000
Subject: x509_verify: missing verify error on cached signature mismatch

If a signature mismatch is cached, the same error should be passed to the verify callback as if the mismatch was detected by doing the calculation, rather than falling back to the "unable to find the issuer cert locally".

ok beck
---
 src/lib/libcrypto/x509/x509_verify.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/lib/libcrypto/x509/x509_verify.c b/src/lib/libcrypto/x509/x509_verify.c
index d3534879b8..5dcec27542 100644
--- a/src/lib/libcrypto/x509/x509_verify.c
+++ b/src/lib/libcrypto/x509/x509_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_verify.c,v 1.70 2024/06/07 06:21:40 tb Exp $ */
+/* $OpenBSD: x509_verify.c,v 1.71 2025/02/08 01:01:31 tb Exp $ */
 /*
  * Copyright (c) 2020-2021 Bob Beck
  *
@@ -539,8 +539,11 @@ x509_verify_parent_signature(X509 *parent, X509 *child, int *error)
 	int ret = 0;
 
 	/* Use cached value if we have it */
-	if ((cached = x509_issuer_cache_find(parent->hash, child->hash)) >= 0)
+	if ((cached = x509_issuer_cache_find(parent->hash, child->hash)) >= 0) {
+		if (cached == 0)
+			*error = X509_V_ERR_CERT_SIGNATURE_FAILURE;
 		return cached;
+	}
 
 	/* Check signature. Did parent sign child? */
 	if ((pkey = X509_get_pubkey(parent)) == NULL) {
-- 
cgit v1.2.3-55-g6feb
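Review bot: The new early-return path now depends on the tri-state contract of x509_issuer_cache_find (negative = not cached, 0 = cached mismatch, and presumably positive = cached match), but the only comment, `/* Use cached value if we have it */`, does not say so, and nothing in the hunk shows that 0 is the only non-negative value that carries an error. I would replace that comment with `/* Use cached value if we have it: < 0 not cached, 0 cached signature mismatch (report it), otherwise cached match. */` so the `cached == 0` test is self-explaining. The uncached path that sets *error after the actual signature check is outside this hunk; it is worth confirming it uses the same X509_V_ERR_CERT_SIGNATURE_FAILURE constant so both paths hand the verify callback an identical error, which is the stated intent of the commit. x509_verify_parent_signature begins and ends outside the hunk.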