Handle X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE in new verifier.

Yet another mostly meaningless error value... Noted by and ok tb@
author: jsing <jsing@openbsd.org> 2021-01-05 16:53:10 +0000
committer: jsing <jsing@openbsd.org> 2021-01-05 16:53:10 +0000
commit: d9d35a87bacb873c57ab43df9c5e4a1105273b79 (patch)
tree: f19b9e97595f04064454841156a3fa9a1459e799
parent: Gracefully handle root certificates being both trusted and untrusted. (diff)
download: wireguard-openbsd-d9d35a87bacb873c57ab43df9c5e4a1105273b79.tar.xz
wireguard-openbsd-d9d35a87bacb873c57ab43df9c5e4a1105273b79.zip
1 files changed, 4 insertions, 1 deletions
diff --git a/lib/libcrypto/x509/x509_verify.c b/lib/libcrypto/x509/x509_verify.c
index a5b41afb859..0297fac1451 100644
--- a/lib/libcrypto/x509/x509_verify.c
+++ b/lib/libcrypto/x509/x509_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_verify.c,v 1.26 2021/01/05 16:45:59 jsing Exp $ */
+/* $OpenBSD: x509_verify.c,v 1.27 2021/01/05 16:53:10 jsing Exp $ */
 /*
  * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
  *
@@ -540,6 +540,9 @@ x509_verify_build_chains(struct x509_verify_ctx *ctx, X509 *cert,
 			(void) ctx->xsc->verify_cb(1, ctx->xsc);
 		}
 	} else if (ctx->error_depth == depth && !ctx->dump_chain) {
+		if (depth == 0 &&
+		    ctx->error == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
+			ctx->error = X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE;
 		(void) x509_verify_cert_error(ctx, cert, depth,
 		    ctx->error, 0);
 	}
author	jsing <jsing@openbsd.org>	2021-01-05 16:53:10 +0000
committer	jsing <jsing@openbsd.org>	2021-01-05 16:53:10 +0000
commit	d9d35a87bacb873c57ab43df9c5e4a1105273b79 (patch)
tree	f19b9e97595f04064454841156a3fa9a1459e799
parent	Gracefully handle root certificates being both trusted and untrusted. (diff)
download	wireguard-openbsd-d9d35a87bacb873c57ab43df9c5e4a1105273b79.tar.xz wireguard-openbsd-d9d35a87bacb873c57ab43df9c5e4a1105273b79.zip