From 76bc9d5fdc23892df18c905a250602f93843ddbc Mon Sep 17 00:00:00 2001
From: tedu <>
Date: Mon, 2 Jan 2017 22:03:56 +0000
Subject: fix cert verify. a cert with an alt chain may verify but leave an error in the context. don't look for errors in case of success. fixes spurious verify errors. guilty change tracked and fix tested by sthen

---
 src/lib/libtls/tls.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

(limited to 'src/lib')

diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c
index 6937afe3b8..53a8506622 100644
--- a/src/lib/libtls/tls.c
+++ b/src/lib/libtls/tls.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.c,v 1.53 2016/12/26 16:20:58 jsing Exp $ */
+/* $OpenBSD: tls.c,v 1.54 2017/01/02 22:03:56 tedu Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing
  *
@@ -369,19 +369,19 @@ static int
 tls_ssl_cert_verify_cb(X509_STORE_CTX *x509_ctx, void *arg)
 {
 	struct tls *ctx = arg;
-	int x509_err;
+	int x509_err, rv;
 
 	if (ctx->config->verify_cert == 0)
 		return (1);
 
-	if ((X509_verify_cert(x509_ctx)) < 0) {
+	if ((rv = X509_verify_cert(x509_ctx)) < 0) {
 		tls_set_errorx(ctx, "X509 verify cert failed");
 		return (0);
 	}
 
+	if (rv == 1)
+		return 1;
 	x509_err = X509_STORE_CTX_get_error(x509_ctx);
-	if (x509_err == X509_V_OK)
-		return (1);
 	tls_set_errorx(ctx, "certificate verification failed: %s",
 	    X509_verify_cert_error_string(x509_err));
 
-- 
cgit v1.2.3-55-g6feb
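Review bot: The new `if (rv == 1) return 1;` drops the parenthesized return form used on every other return in this function (`return (1);`, `return (0);`), so for KNF consistency it should read `return (1);`. The line also deserves a why-comment, because the reason for trusting the return value instead of X509_STORE_CTX_get_error() is exactly the bug being fixed and is otherwise invisible to the next reader: `/* X509_verify_cert() may succeed via an alternate chain yet leave a stale error in the ctx; only its return value is authoritative. */`. Treating only rv == 1 as success and letting every other non-negative value fall through to the failure path is the fail-closed direction, which is the right call for a verify callback; for an rv == 0 result the reported string is whatever error the ctx holds, which is a cosmetic concern only, since the callback still fails. The trailing return and the end of tls_ssl_cert_verify_cb are outside the hunk.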