From a29656fa817ab197672f26c0a966b22f6c9d55c4 Mon Sep 17 00:00:00 2001
From: tb <>
Date: Fri, 29 Oct 2021 12:11:13 +0000
Subject: Actually error in X509_check_purpose() if x509v3_cache_extensions() indicates failure. The previous "error return" X509_V_ERR_UNSPECIFIED translates to 1, i.e., success. This changes to the intended behavior of x509_purp.c r1.3 and matches OpenSSL. This will need various adjustments in the documentation. ok jsing
---
 src/lib/libcrypto/x509/x509_purp.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'src/lib')
diff --git a/src/lib/libcrypto/x509/x509_purp.c b/src/lib/libcrypto/x509/x509_purp.c
index 94e9852fc6..8a5f6704a2 100644
--- a/src/lib/libcrypto/x509/x509_purp.c
+++ b/src/lib/libcrypto/x509/x509_purp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_purp.c,v 1.10 2021/10/23 11:53:24 tb Exp $ */
+/* $OpenBSD: x509_purp.c,v 1.11 2021/10/29 12:11:13 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2001.
 */
@@ -133,7 +133,7 @@ X509_check_purpose(X509 *x, int id, int ca)
 x509v3_cache_extensions(x);
 CRYPTO_w_unlock(CRYPTO_LOCK_X509);
 if (x->ex_flags & EXFLAG_INVALID)
- return X509_V_ERR_UNSPECIFIED;
+ return -1;
 }
 if (id == -1)
 return 1;
-- cgit v1.2.3-55-g6feb
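Review bot: The new `return -1;` in X509_check_purpose() is still nonzero, so a caller that only tests the result for truth (`if (X509_check_purpose(x, id, ca))`) would keep accepting a certificate whose extensions failed to cache. No callers are visible in this hunk, so they would need an audit to confirm each one compares with `> 0` or `== 1`. A comment on the new line would state the contract, e.g. `/* negative: extensions could not be cached; callers must not treat this as a match */`. The EXFLAG_INVALID test also sits inside a block whose opening condition is outside the hunk; if that block runs only the first time extensions are cached, a repeated call on the same certificate would skip the test. Moving `if (x->ex_flags & EXFLAG_INVALID) return -1;` below the closing brace would cover that case.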