From ba862c0cbda35451bd95b10a85c4f0eba1c956f9 Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Sat, 7 Jan 2017 06:45:24 +0000
Subject: Revert part of r1.54 as there are at least two situations where we
 are still returning ok == 1, with ctx->error not being X509_V_OK. Hopefully
 we can restore this behaviour once these are ironed out.

Discussed with beck@
---
 src/lib/libcrypto/x509/x509_vfy.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

(limited to 'src')

diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
index f555941587..df1966e32b 100644
--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.54 2017/01/03 05:52:28 beck Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.55 2017/01/07 06:45:24 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -548,9 +548,7 @@ X509_verify_cert(X509_STORE_CTX *ctx)
 	/* Safety net, error returns must set ctx->error */
 	if (ok <= 0 && ctx->error == X509_V_OK)
 		ctx->error = X509_V_ERR_UNSPECIFIED;
-
-	/* Ensure we only return success with ctx->error of X509_V_OK */
-	return (ctx->error == X509_V_OK);
+	return ok;
 }
 
 /* Given a STACK_OF(X509) find the issuer of cert (if any)
-- 
cgit v1.2.3-55-g6feb