From 6070037b9b7f8d391060efcb8e1123ff682da427 Mon Sep 17 00:00:00 2001 From: jsing <> Date: Tue, 3 Jan 2017 17:13:41 +0000 Subject: Revert previous - the original code was correct since X509_verify_cert() should not have changed the X509_STORE_CTX error value on success and it was initialised to X509_V_OK by X509_STORE_CTX_init(). Other software also depends on this behaviour. Previously X509_verify_cert() was mishandling the X509_STORE_CTX error value when validating alternate chains. This has been fixed and further changes now explicitly ensure that the error value will be set to X509_V_OK if X509_verify_cert() returns success. --- src/lib/libtls/tls.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'src/lib') diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c index 53a8506622..e192942b6b 100644 --- a/src/lib/libtls/tls.c +++ b/src/lib/libtls/tls.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls.c,v 1.54 2017/01/02 22:03:56 tedu Exp $ */ +/* $OpenBSD: tls.c,v 1.55 2017/01/03 17:13:41 jsing Exp $ */ /* * Copyright (c) 2014 Joel Sing * @@ -369,19 +369,19 @@ static int tls_ssl_cert_verify_cb(X509_STORE_CTX *x509_ctx, void *arg) { struct tls *ctx = arg; - int x509_err, rv; + int x509_err; if (ctx->config->verify_cert == 0) return (1); - if ((rv = X509_verify_cert(x509_ctx)) < 0) { + if ((X509_verify_cert(x509_ctx)) < 0) { tls_set_errorx(ctx, "X509 verify cert failed"); return (0); } - if (rv == 1) - return 1; x509_err = X509_STORE_CTX_get_error(x509_ctx); + if (x509_err == X509_V_OK) + return (1); tls_set_errorx(ctx, "certificate verification failed: %s", X509_verify_cert_error_string(x509_err)); -- cgit v1.2.3-55-g6feb