From 6024e76ee2a1f06ab19a72b9a40a78aa7265d0a5 Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Sat, 9 Jan 2021 03:51:42 +0000
Subject: Set chain on xsc on chain build failure.

Prior to calling the callback, ensure that the current (invalid and likely incomplete) chain is set on the xsc. Some things (like auto chain) depend on this functionality. ok beck@
---
 src/lib/libcrypto/x509/x509_verify.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'src/lib')
diff --git a/src/lib/libcrypto/x509/x509_verify.c b/src/lib/libcrypto/x509/x509_verify.c
index d343706ea1..cf0d7fb559 100644
--- a/src/lib/libcrypto/x509/x509_verify.c
+++ b/src/lib/libcrypto/x509/x509_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_verify.c,v 1.29 2021/01/09 03:01:03 beck Exp $ */
+/* $OpenBSD: x509_verify.c,v 1.30 2021/01/09 03:51:42 jsing Exp $ */
 /*
 * Copyright (c) 2020-2021 Bob Beck
 *
@@ -555,6 +555,8 @@ x509_verify_build_chains(struct x509_verify_ctx *ctx, X509 *cert,
 if (depth == 0 && ctx->error == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
 ctx->error = X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE;
+ if (!x509_verify_ctx_set_xsc_chain(ctx, current_chain, 0))
+ return;
 (void) x509_verify_cert_error(ctx, cert, depth, ctx->error, 0);
 }
-- cgit v1.2.3-55-g6feb
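Review bot: The added `return` in x509_verify_build_chains skips the `x509_verify_cert_error()` call directly below it, so when `x509_verify_ctx_set_xsc_chain()` fails the verify callback is not invoked from this path and error reporting depends entirely on what the helper records, which the hunk does not show. If the helper does not already record its own failure (presumably an allocation failure), set it explicitly before bailing out, e.g. `ctx->error = X509_V_ERR_OUT_OF_MEM;`, so the outcome is not reported as the earlier issuer-lookup error. Since the commit message says the chain placed on the xsc is invalid and likely incomplete, a comment above the new lines would help later readers: `/* Expose the partial, unverified chain to the callback (auto chain needs it); never treat it as validated. */`. The bare `0` third argument also deserves a word in that comment, as its meaning is not visible here. The function starts outside the hunk, so how callers handle this early return cannot be checked from the page.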