From 4ebbe06a79dad3a34884066e8d8c340469b2289b Mon Sep 17 00:00:00 2001 From: tb <> Date: Tue, 3 Nov 2020 18:39:18 +0000 Subject: X509_verify_cert()'s return value is not reliable if the callback returns 1. verify.c's cb() ignores a bunch of things to display as much info as possible. Thus, check the error code on the store ctx as well, similar to OpenSSL commit d9e309a6 (old licence). This makes openssl verify error on expired certs, at least with the legacy verify code. While here, fix a number of style issues, simplify and plug a leak. ok inoguchi
---
 src/usr.bin/openssl/verify.c | 42 ++++++++++++++++++++++-------------------- 1 file changed, 22 insertions(+), 20 deletions(-) (limited to 'src')
diff --git a/src/usr.bin/openssl/verify.c b/src/usr.bin/openssl/verify.c
index e4443148ce..937f350a3a 100644
--- a/src/usr.bin/openssl/verify.c
+++ b/src/usr.bin/openssl/verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: verify.c,v 1.9 2020/10/26 11:48:39 tb Exp $ */
+/* $OpenBSD: verify.c,v 1.10 2020/11/03 18:39:18 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -364,45 +364,47 @@ verify_main(int argc, char **argv)
 }
 
 static int
-check(X509_STORE * ctx, char *file, STACK_OF(X509) * uchain,
-    STACK_OF(X509) * tchain, STACK_OF(X509_CRL) * crls)
+check(X509_STORE *ctx, char *file, STACK_OF(X509) *uchain,
+    STACK_OF(X509) *tchain, STACK_OF(X509_CRL) *crls)
 {
 	X509 *x = NULL;
+	X509_STORE_CTX *csc = NULL;
+	const char *certfile = (file == NULL) ? "stdin" : file;
+	int verify_err;
 	int i = 0, ret = 0;
 
 	x = load_cert(bio_err, file, FORMAT_PEM, NULL, "certificate file");
 	if (x == NULL)
 		goto end;
-	fprintf(stdout, "%s: ", (file == NULL) ? "stdin" : file);
 
-	csc = X509_STORE_CTX_new();
-	if (csc == NULL) {
-		ERR_print_errors(bio_err);
+	fprintf(stdout, "%s: ", certfile);
+
+	if ((csc = X509_STORE_CTX_new()) == NULL)
 		goto end;
-	}
 	X509_STORE_set_flags(ctx, vflags);
-	if (!X509_STORE_CTX_init(csc, ctx, x, uchain)) {
-		ERR_print_errors(bio_err);
+	if (!X509_STORE_CTX_init(csc, ctx, x, uchain))
 		goto end;
-	}
 	if (tchain)
 		X509_STORE_CTX_trusted_stack(csc, tchain);
 	if (crls)
 		X509_STORE_CTX_set0_crls(csc, crls);
-	i = X509_verify_cert(csc);
-	X509_STORE_CTX_free(csc);
 
-	ret = 0;
+	i = X509_verify_cert(csc);
+	verify_err = X509_STORE_CTX_get_error(csc);
 
- end:
-	if (i > 0) {
+	if (i > 0 && verify_err == X509_V_OK) {
 		fprintf(stdout, "OK\n");
 		ret = 1;
-	} else
+	} else {
+		fprintf(stdout, "%s: verification failed: %d (%s)\n", certfile,
+		    verify_err, X509_verify_cert_error_string(verify_err));
+	}
+
+ end:
+	if (i <= 0)
 		ERR_print_errors(bio_err);
-	if (x != NULL)
-		X509_free(x);
+	X509_free(x);
+	X509_STORE_CTX_free(csc);
 
 	return (ret);
 }
-- 
cgit v1.2.3-55-g6feb
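Review bot: The `i > 0 && verify_err == X509_V_OK` test is the load-bearing check in the new check() and deserves a comment, because a later reader will see X509_verify_cert() return 1 and assume that alone means the chain verified; suggest `/* cb() returns 1 on errors so all of them get displayed, so a positive return from X509_verify_cert() is not enough: the store ctx error must be X509_V_OK too. */` above the if. The else branch also covers the `i <= 0` case, where verify_err may presumably still be X509_V_OK if X509_verify_cert() failed before recording an error, which would print `verification failed: 0 (ok)` ahead of the error queue; guarding the detailed message with `if (verify_err != X509_V_OK)` would avoid the misleading text. verify_err is only read after X509_verify_cert(), so the goto paths are safe, but initializing it with `int verify_err = X509_V_OK;` at the declaration keeps that true if the failure message is ever moved under `end:`.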