From 5652b8a711562263678662d609ce7925015bce4d Mon Sep 17 00:00:00 2001
From: tedu <>
Date: Mon, 2 Jan 2017 22:03:56 +0000
Subject: fix cert verify. a cert with an alt chain may verify but leave an
 error in the context. don't look for errors in case of success. fixes
 spurious verify errors. guilty change tracked and fix tested by sthen

---
 src/lib/libtls/tls.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)


diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c
index 6937afe3b8..53a8506622 100644
--- a/src/lib/libtls/tls.c
+++ b/src/lib/libtls/tls.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.c,v 1.53 2016/12/26 16:20:58 jsing Exp $ */
+/* $OpenBSD: tls.c,v 1.54 2017/01/02 22:03:56 tedu Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -369,19 +369,19 @@ static int
 tls_ssl_cert_verify_cb(X509_STORE_CTX *x509_ctx, void *arg)
 {
 	struct tls *ctx = arg;
-	int x509_err;
+	int x509_err, rv;
 
 	if (ctx->config->verify_cert == 0)
 		return (1);
 
-	if ((X509_verify_cert(x509_ctx)) < 0) {
+	if ((rv = X509_verify_cert(x509_ctx)) < 0) {
 		tls_set_errorx(ctx, "X509 verify cert failed");
 		return (0);
 	}
+	if (rv == 1)
+		return 1;
 
 	x509_err = X509_STORE_CTX_get_error(x509_ctx);
-	if (x509_err == X509_V_OK)
-		return (1);
 
 	tls_set_errorx(ctx, "certificate verification failed: %s",
 	    X509_verify_cert_error_string(x509_err));
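Review bot: The new early return `return 1;` drops the parentheses that every other return in this function uses (`return (1);`, `return (0);`), so for consistency with the surrounding file it should read `return (1);`. Nothing in the code says why the stored context error is now ignored when X509_verify_cert succeeds, which is the whole point of the fix, so a comment above the early return would help, e.g. `/* A verify that succeeds via an alternative chain can leave a stale error in x509_ctx; trust the return value, not the stored error. */`. The change also tightens the failure path: a zero return from X509_verify_cert is now always reported as a failure even when the stored error is X509_V_OK (the removed lines used to return success in that case), and the message would then presumably read "certificate verification failed: ok", which is fail-closed and correct but slightly odd wording. The function's body continues past the end of the hunk.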
-- 
cgit v1.2.3-55-g6feb