From 78cc044a6a433ff4aabe3a52ff5dd5f17b3ca673 Mon Sep 17 00:00:00 2001
From: beck <>
Date: Sat, 21 Jan 2017 01:07:25 +0000
Subject: Make return value of X509_verify_cert be consistent with the error
 code, with the caveat that we force V_OK when a user provided callback has us
 returning success. ok inoguchi@ jsing@

---
 src/lib/libcrypto/x509/x509_vfy.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

(limited to 'src')

diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
index c09a2c362f..d4c61d90f4 100644
--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.57 2017/01/20 00:37:40 beck Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.58 2017/01/21 01:07:25 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -546,7 +546,15 @@ X509_verify_cert(X509_STORE_CTX *ctx)
 	/* Safety net, error returns must set ctx->error */
 	if (ok <= 0 && ctx->error == X509_V_OK)
 		ctx->error = X509_V_ERR_UNSPECIFIED;
-	return ok;
+
+	/*
+	 * Safety net, if user provided verify callback indicates sucess
+	 * make sure they have set error to X509_V_OK
+	 */
+	if (ctx->verify_cb != null_callback && ok == 1)
+		ctx->error = X509_V_OK;
+
+	return(ctx->error == X509_V_OK);
 }
 
 /* Given a STACK_OF(X509) find the issuer of cert (if any)
-- 
cgit v1.2.3-55-g6feb