From 8358ac074bd99c2b6335901e7f51b4a82c50dc96 Mon Sep 17 00:00:00 2001
From: beck <>
Date: Mon, 30 Aug 2021 08:59:33 +0000
Subject: Revert previous change that changed our default return for unable to find leaf cert issuers.

This breaks perl and ruby regress, as noticed by tb that "we tried this before". Jan's regress that cares about 21 vs 20 needs to change

ok tb@
---
 src/lib/libcrypto/x509/x509_verify.c | 16 +++++-----------
 1 file changed, 5 insertions(+), 11 deletions(-)

(limited to 'src/lib')

diff --git a/src/lib/libcrypto/x509/x509_verify.c b/src/lib/libcrypto/x509/x509_verify.c
index 51108bbe72..39371ef038 100644
--- a/src/lib/libcrypto/x509/x509_verify.c
+++ b/src/lib/libcrypto/x509/x509_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_verify.c,v 1.46 2021/08/30 06:51:36 beck Exp $ */
+/* $OpenBSD: x509_verify.c,v 1.47 2021/08/30 08:59:33 beck Exp $ */
 /*
  * Copyright (c) 2020-2021 Bob Beck
  *
@@ -132,11 +132,8 @@ x509_verify_chain_append(struct x509_verify_chain *chain, X509 *cert,
 	 * We've just added the issuer for the previous certificate,
 	 * clear its error if appropriate.
 	 */
-	if (idx > 1 &&
-	    (chain->cert_errors[idx - 1] ==
-	    X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ||
-	    chain->cert_errors[idx - 1] ==
-	    X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE))
+	if (idx > 1 && chain->cert_errors[idx - 1] ==
+	    X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
 		chain->cert_errors[idx - 1] = X509_V_OK;
 
 	return 1;
@@ -409,9 +406,7 @@ x509_verify_ctx_add_chain(struct x509_verify_ctx *ctx,
 
 	/* Clear a get issuer failure for a root certificate. */
 	if (chain->cert_errors[depth] ==
-	    X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ||
-	    chain->cert_errors[depth] ==
-	    X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE)
+	    X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
 		chain->cert_errors[depth] = X509_V_OK;
 
 	if (!x509_verify_ctx_validate_legacy_chain(ctx, chain, depth))
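Review bot: In the @@ -132 hunk the restored guard `idx > 1 && chain->cert_errors[idx - 1] == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY` never touches `chain->cert_errors[0]`, so when the certificate just appended is the leaf's issuer (idx == 1) the leaf's "unable to get issuer locally" error stays set, although the comment directly above says the previous certificate's error is cleared once its issuer is added. How idx is derived and whether the leaf's error is settled elsewhere is outside the hunk (x509_verify_chain_append starts before it), so this may well be intentional, but nothing records why. A one-line comment on the condition would stop the next reader from "widening" it, e.g. `/* idx == 1 would be the leaf; its error is deliberately not cleared here -- confirm. */`. The same compare-and-clear against X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY is repeated in the @@ -409 hunk of x509_verify_ctx_add_chain; if the set of errors that count as "resolved by finding an issuer" changes again, both sites have to move together, which a small static helper would make harder to miss.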
@@ -601,8 +596,7 @@ x509_verify_build_chains(struct x509_verify_ctx *ctx, X509 *cert,
 		return;
 
 	count = ctx->chains_count;
-	ctx->error = depth == 0 ? X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE :
-	    X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
+	ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
 	ctx->error_depth = depth;
 	if (ctx->xsc != NULL) {
 		/*
-- 
cgit v1.2.3-55-g6feb
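Review bot: The new assignment `ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;` reports the same error for every depth, including depth == 0, so a leaf whose issuer cannot be found is now reported as "unable to get issuer locally" rather than X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE (the 21 vs 20 distinction the commit message refers to), and nothing in the code says that this is deliberate. Since the commit message notes that the depth-dependent variant has been tried and reverted before because perl and ruby regress depend on the old value, a comment at this line is the cheapest way to keep it from being reintroduced, e.g. `/* Deliberately the same error at depth 0: callers and regress expect UNABLE_TO_GET_ISSUER_CERT_LOCALLY for a leaf too; see the revert of rev 1.46. */`. The error set here is the one the @@ -132 and @@ -409 hunks later clear when an issuer does turn up, so the three sites stay consistent only as long as they agree on this single constant. x509_verify_build_chains starts and ends outside the hunk.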