author | 2015-09-10 06:36:45 +0000 | |
---|---|---|
committer | 2015-09-10 06:36:45 +0000 | |
commit | 1292f75a708748f81e4d600d1b7d01d6d9674aee (patch) | |
tree | c657f35b5e797be535a9af4c8a7158c0238b4f4b | |
parent | only try and reference an ifp in if_get if we actually find one in (diff) | |
download | wireguard-openbsd-1292f75a708748f81e4d600d1b7d01d6d9674aee.tar.xz wireguard-openbsd-1292f75a708748f81e4d600d1b7d01d6d9674aee.zip |
Fix shadowed verify_error in s_server by removing the unused global.
's_time -verify 1' will now actually verify the peer certificate.
ok beck@
-rw-r--r-- | usr.bin/openssl/s_apps.h | 3 | ||||
-rw-r--r-- | usr.bin/openssl/s_cb.c | 5 | ||||
-rw-r--r-- | usr.bin/openssl/s_client.c | 3 | ||||
-rw-r--r-- | usr.bin/openssl/s_time.c | 7 |
4 files changed, 8 insertions, 10 deletions
diff --git a/usr.bin/openssl/s_apps.h b/usr.bin/openssl/s_apps.h
index 177ec87ae4a..cd0a0578454 100644
--- a/usr.bin/openssl/s_apps.h
+++ b/usr.bin/openssl/s_apps.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: s_apps.h,v 1.2 2015/04/14 12:56:36 jsing Exp $ */
+/* $OpenBSD: s_apps.h,v 1.3 2015/09/10 06:36:45 bcook Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -116,7 +116,6 @@
 #define PROTOCOL "tcp"
 extern int verify_depth;
-extern int verify_error;
 extern int verify_return_error;
 int do_server(int port, int type, int *ret,
diff --git a/usr.bin/openssl/s_cb.c b/usr.bin/openssl/s_cb.c
index 3bead8236a7..596884ff16d 100644
--- a/usr.bin/openssl/s_cb.c
+++ b/usr.bin/openssl/s_cb.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s_cb.c,v 1.4 2015/07/20 21:52:07 doug Exp $ */
+/* $OpenBSD: s_cb.c,v 1.5 2015/09/10 06:36:45 bcook Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -129,7 +129,6 @@
 #define COOKIE_SECRET_LENGTH 16
 int verify_depth = 0;
-int verify_error = X509_V_OK;
 int verify_return_error = 0;
 unsigned char cookie_secret[COOKIE_SECRET_LENGTH];
 int cookie_initialized = 0;
@@ -157,10 +156,8 @@ verify_callback(int ok, X509_STORE_CTX * ctx)
 if (verify_depth >= depth) {
 if (!verify_return_error)
 ok = 1;
- verify_error = X509_V_OK;
 } else {
 ok = 0;
- verify_error = X509_V_ERR_CERT_CHAIN_TOO_LONG;
 }
 }
 switch (err) {
diff --git a/usr.bin/openssl/s_client.c b/usr.bin/openssl/s_client.c
index dcda13f46c5..14ba5634097 100644
--- a/usr.bin/openssl/s_client.c
+++ b/usr.bin/openssl/s_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s_client.c,v 1.16 2015/08/22 16:36:05 jsing Exp $ */
+/* $OpenBSD: s_client.c,v 1.17 2015/09/10 06:36:45 bcook Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -390,7 +390,6 @@ s_client_main(int argc, char **argv)
 goto end;
 }
 verify_depth = 0;
- verify_error = X509_V_OK;
 c_nbio = 0;
 argc--;
diff --git a/usr.bin/openssl/s_time.c b/usr.bin/openssl/s_time.c
index 87a0a203825..ee4e584bd93 100644
--- a/usr.bin/openssl/s_time.c
+++ b/usr.bin/openssl/s_time.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s_time.c,v 1.9 2015/08/22 16:36:05 jsing Exp $ */
+/* $OpenBSD: s_time.c,v 1.10 2015/09/10 06:36:45 bcook Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -256,7 +256,6 @@ s_time_main(int argc, char **argv)
 s_time_meth = SSLv23_client_method();
 verify_depth = 0;
- verify_error = X509_V_OK;
 memset(&s_time_config, 0, sizeof(s_time_config));
@@ -299,6 +298,8 @@ s_time_main(int argc, char **argv)
 }
 }
+ SSL_CTX_set_verify(tm_ctx, s_time_config.verify, NULL);
+
 if (!set_cert_stuff(tm_ctx, s_time_config.certfile, s_time_config.keyfile))
 goto end;
@@ -491,6 +492,7 @@ doConnection(SSL * scon)
 struct pollfd pfd[1];
 SSL *serverCon;
 BIO *conn;
+ long verify_error;
 int i;
 if ((conn = BIO_new(BIO_s_connect())) == NULL)
@@ -524,6 +526,7 @@ doConnection(SSL * scon)
 }
 if (i <= 0) {
 BIO_printf(bio_err, "ERROR\n");
+ verify_error = SSL_get_verify_result(serverCon);
 if (verify_error != X509_V_OK)
 BIO_printf(bio_err, "verify error:%s\n", X509_verify_cert_error_string(verify_error)); |
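Review bot: The added `SSL_CTX_set_verify(tm_ctx, s_time_config.verify, NULL);` in `s_time_main` turns verification on, but nothing in the visible hunks passes the `-verify` depth to the context. With a NULL callback, the `verify_depth` global that `verify_callback` in s_cb.c compares against is never consulted on this path, so the depth argument appears to act only as an on/off switch. If the depth is meant to bound the chain, add `SSL_CTX_set_verify_depth(tm_ctx, verify_depth);` beside this call; otherwise say so in a comment. The mode value is assigned outside the hunk, and because `s_time_config` is zeroed by the earlier `memset`, a run without `-verify` presumably still leaves verification off.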
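Review bot: `SSL_get_verify_result(serverCon)` is read only inside the `if (i <= 0)` failure branch of `doConnection`, so it serves as a diagnostic and does not itself reject a connection. Whether a bad certificate stops the handshake depends on the mode given to `SSL_CTX_set_verify()` in `s_time_main`. A comment above the call would make this explicit, e.g. `/* diagnostic only; the handshake enforces verification when -verify is given */`. The function also reports `X509_V_OK` when the peer presented no certificate, so a missing "verify error" line does not prove the peer was verified. `doConnection` starts and ends outside this hunk, so it cannot be confirmed from here that `serverCon` is always set before this branch.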