From 0ca4c9d221f1ab6d66099fa5e1803a24c8b3331a Mon Sep 17 00:00:00 2001 From: beck <> Date: Mon, 26 Oct 2020 12:11:47 +0000 Subject: catch unset error when validation fails. --- src/regress/lib/libcrypto/x509/bettertls/verify.c | 13 ++++++++++++- src/regress/lib/libcrypto/x509/verify.c | 5 ++++- 2 files changed, 16 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/src/regress/lib/libcrypto/x509/bettertls/verify.c b/src/regress/lib/libcrypto/x509/bettertls/verify.c index df4b567d9c..e1d97d42ef 100644 --- a/src/regress/lib/libcrypto/x509/bettertls/verify.c +++ b/src/regress/lib/libcrypto/x509/bettertls/verify.c @@ -1,4 +1,4 @@ -/* $OpenBSD: verify.c,v 1.8 2020/10/10 10:19:45 tb Exp $ */ +/* $OpenBSD: verify.c,v 1.9 2020/10/26 12:11:47 beck Exp $ */ /* * Copyright (c) 2020 Joel Sing * Copyright (c) 2020 Bob Beck @@ -107,6 +107,7 @@ verify_cert(X509_STORE *store, const char *roots_file, const char *bundle_file, X509_VERIFY_PARAM *param, *paramip; X509 *leaf = NULL; unsigned long flags, flagsip; + int verify_err; *ip = *dns = 0; @@ -145,6 +146,11 @@ verify_cert(X509_STORE *store, const char *roots_file, const char *bundle_file, if (X509_verify_cert(xsc) == 1) *dns = 1; + verify_err = X509_STORE_CTX_get_error(xsc); + if (verify_err == X509_V_OK && *dns == 0) { + fprintf(stderr, "X509_V_OK on failure!\n"); + *dns = 1; + } if ((xscip = X509_STORE_CTX_new()) == NULL) errx(1, "X509_STORE_CTX"); @@ -170,6 +176,11 @@ verify_cert(X509_STORE *store, const char *roots_file, const char *bundle_file, if (X509_verify_cert(xscip) == 1) *ip = 1; + verify_err = X509_STORE_CTX_get_error(xscip); + if (verify_err == X509_V_OK && *ip == 0) { + fprintf(stderr, "X509_V_OK on failure!\n"); + *ip = 1; + } sk_X509_pop_free(roots, X509_free); sk_X509_pop_free(bundle, X509_free); diff --git a/src/regress/lib/libcrypto/x509/verify.c b/src/regress/lib/libcrypto/x509/verify.c index f3e883b8ac..added3bd9f 100644 --- a/src/regress/lib/libcrypto/x509/verify.c 
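Review bot: In the bettertls hunk at -145 the new `verify_err == X509_V_OK && *dns == 0` branch records a failed verification as a success (`*dns = 1`), and the hunk at -170 does the same for `*ip`. Only the stderr line marks the condition, so a test case whose expected result is a pass would presumably still be scored as passing; how the caller compares `*dns` and `*ip` is outside these hunks. A failed X509_verify_cert() that leaves the stored error at X509_V_OK is the state in which a caller reading only the error code would accept a rejected chain, so the regress should fail unmistakably. The other verify.c in this commit aborts for the same condition, and doing the same here would be consistent: `errx(1, "X509_V_OK on failure!");` in place of the `fprintf` and the assignment. verify_cert's body starts and ends outside both hunks.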
+++ b/src/regress/lib/libcrypto/x509/verify.c @@ -1,4 +1,4 @@ -/* $OpenBSD: verify.c,v 1.3 2020/09/18 14:58:04 tb Exp $ */ +/* $OpenBSD: verify.c,v 1.4 2020/10/26 12:11:47 beck Exp $ */ /* * Copyright (c) 2020 Joel Sing * Copyright (c) 2020 Bob Beck @@ -144,6 +144,9 @@ verify_cert(const char *roots_file, const char *bundle_file, int *chains, } verify_err = X509_STORE_CTX_get_error(xsc); + if (verify_err == 0) + errx(1, "Error unset on failure!\n"); + fprintf(stderr, "failed to verify at %d: %s\n", X509_STORE_CTX_get_error_depth(xsc), X509_verify_cert_error_string(verify_err)); -- cgit v1.2.3-55-g6feb
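Review bot: The added check in the hunk at -144 compares against a bare `0`, while the bettertls file in the same commit spells the same condition as `X509_V_OK`. Using the named constant keeps the two tests aligned and makes the intent readable: `if (verify_err == X509_V_OK)`. errx(3) already terminates its output with a newline, so the `\n` in the format string prints an extra empty line; `errx(1, "Error unset on failure!");` is enough. The hunk opens after a closing brace, so whether this code is reached only when verification failed cannot be confirmed from the visible lines.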