From a0795f9e92251b7807262e7b041deccb801b4c00 Mon Sep 17 00:00:00 2001 From: tb <> Date: Sat, 8 Feb 2025 01:01:31 +0000 Subject: x509_verify: missing verify error on cached signature mismatch If a signature mismatch is cached, the same error should be passed to the verify callback as if the mismatch was detected by doing the calculation, rather than falling back to the "unable to find the issuer cert locally". ok beck
---
 src/lib/libcrypto/x509/x509_verify.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
(limited to 'src')
diff --git a/src/lib/libcrypto/x509/x509_verify.c b/src/lib/libcrypto/x509/x509_verify.c
index d3534879b8..5dcec27542 100644
--- a/src/lib/libcrypto/x509/x509_verify.c
+++ b/src/lib/libcrypto/x509/x509_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_verify.c,v 1.70 2024/06/07 06:21:40 tb Exp $ */
+/* $OpenBSD: x509_verify.c,v 1.71 2025/02/08 01:01:31 tb Exp $ */
 /*
  * Copyright (c) 2020-2021 Bob Beck
  *
@@ -539,8 +539,11 @@ x509_verify_parent_signature(X509 *parent, X509 *child, int *error)
 	int ret = 0;
 
 	/* Use cached value if we have it */
-	if ((cached = x509_issuer_cache_find(parent->hash, child->hash)) >= 0)
+	if ((cached = x509_issuer_cache_find(parent->hash, child->hash)) >= 0) {
+		if (cached == 0)
+			*error = X509_V_ERR_CERT_SIGNATURE_FAILURE;
 		return cached;
+	}
 
 	/* Check signature. Did parent sign child? */
 	if ((pkey = X509_get_pubkey(parent)) == NULL) {
-- 
cgit v1.2.3-55-g6feb
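Review bot: The two added lines that set `*error = X509_V_ERR_CERT_SIGNATURE_FAILURE` when `cached == 0` carry no comment saying why the cached path has to mirror the computed path, which is exactly the regression this commit fixes and the thing a future refactor of the cache is most likely to drop again; I would extend the existing comment to `/* Use cached value if we have it; a cached mismatch must report the same error as a fresh signature check would. */`. Whether the uncached path further down sets that same error value, and what `*error` is left as on a cached hit (`cached == 1`), is outside the hunk and should be confirmed against the rest of the function. A regression test that verifies the same bad parent/child pair twice and checks that the verify callback sees X509_V_ERR_CERT_SIGNATURE_FAILURE on both passes would pin the behaviour. x509_verify_parent_signature begins before the hunk and continues past it.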