authorbeck <beck@openbsd.org>2017-01-21 01:07:25 +0000
committerbeck <beck@openbsd.org>2017-01-21 01:07:25 +0000
commitccaf359a5fea33e40a3b692bdf7c8b3014f2fa15 (patch)
tree7837eb463e5204ec169656941c878d886cd17cef /lib
parentamd64 can build rcrt0.o with the stack-protector (diff)
Make return value of X509_verify_cert be consistent with the error code,
with the caveat that we force V_OK when a user provided callback has us returning success. ok inoguchi@ jsing@
Diffstat (limited to 'lib')
-rw-r--r--lib/libcrypto/x509/x509_vfy.c12
1 files changed, 10 insertions, 2 deletions
diff --git a/lib/libcrypto/x509/x509_vfy.c b/lib/libcrypto/x509/x509_vfy.c
index c09a2c362fa..d4c61d90f4a 100644
--- a/lib/libcrypto/x509/x509_vfy.c
+++ b/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.57 2017/01/20 00:37:40 beck Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.58 2017/01/21 01:07:25 beck Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -546,7 +546,15 @@ X509_verify_cert(X509_STORE_CTX *ctx)
/* Safety net, error returns must set ctx->error */
if (ok <= 0 && ctx->error == X509_V_OK)
ctx->error = X509_V_ERR_UNSPECIFIED;
- return ok;
+
+ /*
+ * Safety net, if user provided verify callback indicates sucess
+ * make sure they have set error to X509_V_OK
+ */
+ if (ctx->verify_cb != null_callback && ok == 1)
+ ctx->error = X509_V_OK;
+
+ return(ctx->error == X509_V_OK);
}
/* Given a STACK_OF(X509) find the issuer of cert (if any)
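Review bot: The new test `ctx->verify_cb != null_callback && ok == 1` keys on a user callback being installed, not on that callback having actually accepted an error. Any `ctx->error` left set by a path that returned ok without consulting the callback would therefore be cleared here, while the same state fails closed under the default callback. Whether such a path exists cannot be judged from this hunk, because the body of X509_verify_cert starts above it. Forcing `X509_V_OK` also discards the code the callback overrode, so callers that log or audit tolerated failures have to capture it inside the callback. The final `return(ctx->error == X509_V_OK);` narrows the result to 0 or 1 (the `ok <= 0` test above suggests negative values were possible before), which deserves a comment such as `/* Returns 1 iff ctx->error == X509_V_OK, else 0; never negative. */`, and the added comment misspells "success" as "sucess".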