From aa0e235cc622d59a481b0c6ac071a1ccaec2503e Mon Sep 17 00:00:00 2001
From: beck <>
Date: Thu, 9 Sep 2021 15:09:43 +0000
Subject: When calling the legacy callback, ensure we catch the case where it has decided to change a succeess to a failure and change the error code.

Fixes a regression in the openssl-ruby tests which expect to test this functionality.

ok tb@
---
 src/lib/libcrypto/x509/x509_verify.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

(limited to 'src/lib')

diff --git a/src/lib/libcrypto/x509/x509_verify.c b/src/lib/libcrypto/x509/x509_verify.c
index 2ec53f6fc8..e49fbdee48 100644
--- a/src/lib/libcrypto/x509/x509_verify.c
+++ b/src/lib/libcrypto/x509/x509_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_verify.c,v 1.48 2021/09/03 08:58:53 beck Exp $ */
+/* $OpenBSD: x509_verify.c,v 1.49 2021/09/09 15:09:43 beck Exp $ */
 /*
  * Copyright (c) 2020-2021 Bob Beck
  *
@@ -1205,8 +1205,11 @@ x509_verify(struct x509_verify_ctx *ctx, X509 *leaf, char *name)
 		 * verified chain. The callback could still tell us to
 		 * fail.
 		 */
-		if(!x509_vfy_callback_indicate_success(ctx->xsc))
+		if(!x509_vfy_callback_indicate_success(ctx->xsc)) {
+			/* The callback can change the error code */
+			ctx->error = ctx->xsc->error;
 			goto err;
+		}
 	} else {
 		/*
 		 * We had a failure, indicate the failure, but
-- 
cgit v1.2.3-55-g6feb
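Review bot: On the new `ctx->error = ctx->xsc->error;` line, a legacy callback that vetoes the chain without setting an error leaves `ctx->xsc->error` at X509_V_OK, so x509_verify now jumps to `err` reporting a failure whose error code says success; unless the `err:` path (outside this hunk) normalizes that, callers that consult the error after a 0 return see X509_V_OK. I would guard the copy, e.g. `if ((ctx->error = ctx->xsc->error) == X509_V_OK) ctx->error = X509_V_ERR_UNSPECIFIED;` (assuming this tree defines that code; otherwise whatever generic failure code the rest of the file uses). If the verify context also records an error depth next to `error`, it should presumably be taken from `ctx->xsc` at the same point so the two stay consistent — that field is not visible here, so please confirm. Minor style: the rewritten line keeps `if(` without the space KNF uses elsewhere, `if (!x509_vfy_callback_indicate_success(ctx->xsc)) {`. The enclosing x509_verify body starts and ends outside the hunk.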