authorbeck <beck@openbsd.org>2020-10-26 12:11:47 +0000
committerbeck <beck@openbsd.org>2020-10-26 12:11:47 +0000
commit28dcb2c620d18f7ed8ac7543447f0927031373eb (patch)
treecf9e1d609de8132a3609a9ad12671b672cc44daa
parentAdd a safety net to ensure that we set an error on the store context. (diff)
catch unset error when validation fails.
-rw-r--r--regress/lib/libcrypto/x509/bettertls/verify.c13
-rw-r--r--regress/lib/libcrypto/x509/verify.c5
2 files changed, 16 insertions, 2 deletions
diff --git a/regress/lib/libcrypto/x509/bettertls/verify.c b/regress/lib/libcrypto/x509/bettertls/verify.c
index df4b567d9c6..e1d97d42ef2 100644
--- a/regress/lib/libcrypto/x509/bettertls/verify.c
+++ b/regress/lib/libcrypto/x509/bettertls/verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: verify.c,v 1.8 2020/10/10 10:19:45 tb Exp $ */
+/* $OpenBSD: verify.c,v 1.9 2020/10/26 12:11:47 beck Exp $ */
/*
* Copyright (c) 2020 Joel Sing <jsing@openbsd.org>
* Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -107,6 +107,7 @@ verify_cert(X509_STORE *store, const char *roots_file, const char *bundle_file,
X509_VERIFY_PARAM *param, *paramip;
X509 *leaf = NULL;
unsigned long flags, flagsip;
+ int verify_err;
*ip = *dns = 0;
@@ -145,6 +146,11 @@ verify_cert(X509_STORE *store, const char *roots_file, const char *bundle_file,
if (X509_verify_cert(xsc) == 1)
*dns = 1;
+ verify_err = X509_STORE_CTX_get_error(xsc);
+ if (verify_err == X509_V_OK && *dns == 0) {
+ fprintf(stderr, "X509_V_OK on failure!\n");
+ *dns = 1;
+ }
if ((xscip = X509_STORE_CTX_new()) == NULL)
errx(1, "X509_STORE_CTX");
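Review bot: Setting `*dns = 1` in the added block records the unset-error case as a successful verification, so a chain that is expected to verify but fails with the store context error left at X509_V_OK would, as far as this hunk shows, be reported the same as a pass, with only a line on stderr to tell the two apart. The companion change to regress/lib/libcrypto/x509/verify.c in this commit aborts for the same condition; doing that here as well, `errx(1, "X509_V_OK on failure!");`, would stop the test from passing silently. The same applies to the `*ip = 1` block added in the hunk at -170,6 +176,11. verify_cert starts and ends outside these hunks, so how `*dns` and `*ip` are compared with the expected results is not visible and should be confirmed.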
@@ -170,6 +176,11 @@ verify_cert(X509_STORE *store, const char *roots_file, const char *bundle_file,
if (X509_verify_cert(xscip) == 1)
*ip = 1;
+ verify_err = X509_STORE_CTX_get_error(xscip);
+ if (verify_err == X509_V_OK && *ip == 0) {
+ fprintf(stderr, "X509_V_OK on failure!\n");
+ *ip = 1;
+ }
sk_X509_pop_free(roots, X509_free);
sk_X509_pop_free(bundle, X509_free);
diff --git a/regress/lib/libcrypto/x509/verify.c b/regress/lib/libcrypto/x509/verify.c
index f3e883b8acb..added3bd9fd 100644
--- a/regress/lib/libcrypto/x509/verify.c
+++ b/regress/lib/libcrypto/x509/verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: verify.c,v 1.3 2020/09/18 14:58:04 tb Exp $ */
+/* $OpenBSD: verify.c,v 1.4 2020/10/26 12:11:47 beck Exp $ */
/*
* Copyright (c) 2020 Joel Sing <jsing@openbsd.org>
* Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -144,6 +144,9 @@ verify_cert(const char *roots_file, const char *bundle_file, int *chains,
}
verify_err = X509_STORE_CTX_get_error(xsc);
+ if (verify_err == 0)
+ errx(1, "Error unset on failure!\n");
+
fprintf(stderr, "failed to verify at %d: %s\n",
X509_STORE_CTX_get_error_depth(xsc),
X509_verify_cert_error_string(verify_err));
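Review bot: The string passed to `errx()` in the added check ends in `\n`, but errx(3) already terminates its message with a newline, so the failure prints a stray blank line; `errx(1, "Error unset on failure!");` is enough. The comparison would read better as `verify_err == X509_V_OK`, matching the check added to bettertls/verify.c in this commit. A comment above the check, for example `/* a failed verify must never leave X509_V_OK in the store context */`, would record why the test aborts: a caller that inspects only the stored error would otherwise take the failure for success. verify_cert starts and ends outside the hunk.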