Actually error in X509_check_purpose() if x509v3_cache_extensions()
author tb <tb@openbsd.org>
Fri, 29 Oct 2021 12:11:13 +0000 (12:11 +0000)
committer tb <tb@openbsd.org>
Fri, 29 Oct 2021 12:11:13 +0000 (12:11 +0000)
indicates failure. The previous "error return" X509_V_ERR_UNSPECIFIED
translates to 1, i.e., success. This changes to the intended behavior
of x509_purp.c r1.3 and matches OpenSSL. This will need various
adjustments in the documentation.

ok jsing

lib/libcrypto/x509/x509_purp.c

index 94e9852..8a5f670 100644
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_purp.c,v 1.10 2021/10/23 11:53:24 tb Exp $ */
+/* $OpenBSD: x509_purp.c,v 1.11 2021/10/29 12:11:13 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2001.
  */
@@ -133,7 +133,7 @@ X509_check_purpose(X509 *x, int id, int ca)
                x509v3_cache_extensions(x);
                CRYPTO_w_unlock(CRYPTO_LOCK_X509);
                if (x->ex_flags & EXFLAG_INVALID)
-                       return X509_V_ERR_UNSPECIFIED;
+                       return -1;
        }
        if (id == -1)
                return 1;
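Review bot: returning -1 here is only safe if every caller of X509_check_purpose() treats the result as a tri-state (-1 error, 0 no match, 1 match) rather than as a boolean, since `if (X509_check_purpose(x, id, ca))` and `!= 0` checks will now take the error path as a match, exactly the failure mode the old `return X509_V_ERR_UNSPECIFIED;` (value 1) had; the hunk does not show the callers, so please audit them for `<= 0` / `!= 1` tests in the same change or a follow-up, and update the manpage's RETURN VALUES section as the commit message already anticipates.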