authorjsing <jsing@openbsd.org>2021-01-09 03:51:42 +0000
committerjsing <jsing@openbsd.org>2021-01-09 03:51:42 +0000
commit532f0381262850086f2bc3a276cb670cf1628b67 (patch)
tree7b41215eb1d0cd6b086d9ac9dbec139f29e43f6f
parentBail out early after finding an single chain if we are have been called from (diff)
Set chain on xsc on chain build failure.
Prior to calling the callback, ensure that the current (invalid and likely incomplete) chain is set on the xsc. Some things (like auto chain) depend on this functionality. ok beck@
-rw-r--r--lib/libcrypto/x509/x509_verify.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/lib/libcrypto/x509/x509_verify.c b/lib/libcrypto/x509/x509_verify.c
index d343706ea12..cf0d7fb559a 100644
--- a/lib/libcrypto/x509/x509_verify.c
+++ b/lib/libcrypto/x509/x509_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_verify.c,v 1.29 2021/01/09 03:01:03 beck Exp $ */
+/* $OpenBSD: x509_verify.c,v 1.30 2021/01/09 03:51:42 jsing Exp $ */
/*
* Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org>
*
@@ -555,6 +555,8 @@ x509_verify_build_chains(struct x509_verify_ctx *ctx, X509 *cert,
if (depth == 0 &&
ctx->error == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
ctx->error = X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE;
+ if (!x509_verify_ctx_set_xsc_chain(ctx, current_chain, 0))
+ return;
(void) x509_verify_cert_error(ctx, cert, depth,
ctx->error, 0);
}
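Review bot: The early `return` taken when `x509_verify_ctx_set_xsc_chain()` fails skips the `x509_verify_cert_error()` call below it, so the verify callback is never told about this failure. Whether the helper records an error of its own (for example on allocation failure) is not visible in this hunk and should be confirmed, so that this path stays fail-closed. The chain published on the xsc here is the one that failed to build, so a comment above the new lines would help callback authors, e.g. `/* Expose the partial, unverified chain on the xsc for the callback; it is not a validated chain. */`. The bare `0` passed as the third argument is also unexplained at the call site. The body of x509_verify_build_chains starts and ends outside the hunk.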