author | 2020-10-26 11:59:16 +0000 | |
committer | 2020-10-26 11:59:16 +0000 | |
commit | b77df7f794a7732fc6ef73dfc9caee1c0f1bb159 (patch) | |
tree | 24150c9e770bc0ea5558c954690ef2e39e37ff53 | |
parent | Make sure that x509_vfy_check_id() failure also sets ctx->error, not only (diff) | |
If x509_verify() fails, ensure that the error is also set on the store
context. This is what is returned in SSL_get_verify_result().
Spotted and initial diff from jeremy; discussed with jsing
ok beck
-rw-r--r-- | lib/libcrypto/x509/x509_verify.c | 25 |
1 files changed, 15 insertions, 10 deletions
diff --git a/lib/libcrypto/x509/x509_verify.c b/lib/libcrypto/x509/x509_verify.c
index fdde098df7a..74316cb9411 100644
--- a/lib/libcrypto/x509/x509_verify.c
+++ b/lib/libcrypto/x509/x509_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_verify.c,v 1.14 2020/10/26 11:56:36 tb Exp $ */
+/* $OpenBSD: x509_verify.c,v 1.15 2020/10/26 11:59:16 tb Exp $ */
 /*
  * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
  *
@@ -858,13 +858,13 @@ x509_verify(struct x509_verify_ctx *ctx, X509 *leaf, char *name)
 	if (ctx->roots == NULL || ctx->max_depth == 0) {
 		ctx->error = X509_V_ERR_INVALID_CALL;
-		return 0;
+		goto err;
 	}
 	if (ctx->xsc != NULL) {
 		if (leaf != NULL || name != NULL) {
 			ctx->error = X509_V_ERR_INVALID_CALL;
-			return 0;
+			goto err;
 		}
 		leaf = ctx->xsc->cert;
@@ -877,34 +877,34 @@ x509_verify(struct x509_verify_ctx *ctx, X509 *leaf, char *name)
 		 */
 		if ((ctx->xsc->chain = sk_X509_new_null()) == NULL) {
 			ctx->error = X509_V_ERR_OUT_OF_MEM;
-			return 0;
+			goto err;
 		}
 		if (!X509_up_ref(leaf)) {
 			ctx->error = X509_V_ERR_OUT_OF_MEM;
-			return 0;
+			goto err;
 		}
 		if (!sk_X509_push(ctx->xsc->chain, leaf)) {
 			X509_free(leaf);
 			ctx->error = X509_V_ERR_OUT_OF_MEM;
-			return 0;
+			goto err;
 		}
 		ctx->xsc->error_depth = 0;
 		ctx->xsc->current_cert = leaf;
 	}
 	if (!x509_verify_cert_valid(ctx, leaf, NULL))
-		return 0;
+		goto err;
 	if (!x509_verify_cert_hostname(ctx, leaf, name))
-		return 0;
+		goto err;
 	if ((current_chain = x509_verify_chain_new()) == NULL) {
 		ctx->error = X509_V_ERR_OUT_OF_MEM;
-		return 0;
+		goto err;
 	}
 	if (!x509_verify_chain_append(current_chain, leaf, &ctx->error)) {
 		x509_verify_chain_free(current_chain);
-		return 0;
+		goto err;
 	}
 	if (x509_verify_ctx_cert_is_root(ctx, leaf))
 		x509_verify_ctx_add_chain(ctx, current_chain);
@@ -930,4 +930,9 @@ x509_verify(struct x509_verify_ctx *ctx, X509 *leaf, char *name)
 		return ctx->xsc->verify_cb(ctx->chains_count, ctx->xsc);
 	}
 	return (ctx->chains_count);
+
+ err:
+	if (ctx->xsc != NULL)
+		ctx->xsc->error = ctx->error;
+	return 0;
 }
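Review bot: The new `err:` label in the last hunk copies `ctx->error` into `ctx->xsc->error` unconditionally, so any failure path that reaches it with `ctx->error` still at X509_V_OK would report a failed verification as success to SSL_get_verify_result(); the two `goto err` sites after `x509_verify_cert_valid()` and `x509_verify_cert_hostname()` rely on those callees having set `ctx->error`, which this hunk cannot show. A defensive guard before the copy, `if (ctx->error == X509_V_OK) ctx->error = X509_V_ERR_UNSPECIFIED;`, would make the fail-closed intent explicit rather than depend on every callee's contract. The label would also benefit from a one-line comment such as `/* Mirror our error into the store context so SSL_get_verify_result() sees it. */`, since the reason for the copy is only stated in the commit message. The body of x509_verify() starts before the first hunk and the same `goto err` pattern appears in the -858 and -877 hunks.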