From acc40c0c32e41953f34429d329083e63e46ac95c Mon Sep 17 00:00:00 2001
From: tb <>
Date: Mon, 26 Oct 2020 11:59:16 +0000
Subject: If x509_verify() fails, ensure that the error is also set on the
 store context.  This is what is returned in SSL_get_verify_result().

Spotted and initial diff from jeremy; discussed with jsing
ok beck
---
 src/lib/libcrypto/x509/x509_verify.c | 25 +++++++++++++++----------
 1 file changed, 15 insertions(+), 10 deletions(-)

(limited to 'src/lib')

diff --git a/src/lib/libcrypto/x509/x509_verify.c b/src/lib/libcrypto/x509/x509_verify.c
index fdde098df7..74316cb941 100644
--- a/src/lib/libcrypto/x509/x509_verify.c
+++ b/src/lib/libcrypto/x509/x509_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_verify.c,v 1.14 2020/10/26 11:56:36 tb Exp $ */
+/* $OpenBSD: x509_verify.c,v 1.15 2020/10/26 11:59:16 tb Exp $ */
 /*
  * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
  *
@@ -858,13 +858,13 @@ x509_verify(struct x509_verify_ctx *ctx, X509 *leaf, char *name)
 
 	if (ctx->roots == NULL || ctx->max_depth == 0) {
 		ctx->error = X509_V_ERR_INVALID_CALL;
-		return 0;
+		goto err;
 	}
 
 	if (ctx->xsc != NULL) {
 		if (leaf != NULL || name != NULL) {
 			ctx->error = X509_V_ERR_INVALID_CALL;
-			return 0;
+			goto err;
 		}
 		leaf = ctx->xsc->cert;
 
@@ -877,34 +877,34 @@ x509_verify(struct x509_verify_ctx *ctx, X509 *leaf, char *name)
 		 */
 		if ((ctx->xsc->chain = sk_X509_new_null()) == NULL) {
 			ctx->error = X509_V_ERR_OUT_OF_MEM;
-			return 0;
+			goto err;
 		}
 		if (!X509_up_ref(leaf)) {
 			ctx->error = X509_V_ERR_OUT_OF_MEM;
-			return 0;
+			goto err;
 		}
 		if (!sk_X509_push(ctx->xsc->chain, leaf)) {
 			X509_free(leaf);
 			ctx->error = X509_V_ERR_OUT_OF_MEM;
-			return 0;
+			goto err;
 		}
 		ctx->xsc->error_depth = 0;
 		ctx->xsc->current_cert = leaf;
 	}
 
 	if (!x509_verify_cert_valid(ctx, leaf, NULL))
-		return 0;
+		goto err;
 
 	if (!x509_verify_cert_hostname(ctx, leaf, name))
-		return 0;
+		goto err;
 
 	if ((current_chain = x509_verify_chain_new()) == NULL) {
 		ctx->error = X509_V_ERR_OUT_OF_MEM;
-		return 0;
+		goto err;
 	}
 	if (!x509_verify_chain_append(current_chain, leaf, &ctx->error)) {
 		x509_verify_chain_free(current_chain);
-		return 0;
+		goto err;
 	}
 	if (x509_verify_ctx_cert_is_root(ctx, leaf))
 		x509_verify_ctx_add_chain(ctx, current_chain);
@@ -930,4 +930,9 @@ x509_verify(struct x509_verify_ctx *ctx, X509 *leaf, char *name)
 		return ctx->xsc->verify_cb(ctx->chains_count, ctx->xsc);
 	}
 	return (ctx->chains_count);
+
+ err:
+	if (ctx->xsc != NULL)
+		ctx->xsc->error = ctx->error;
+	return 0;
 }
-- 
cgit v1.2.3-55-g6feb