From: beck
Date: Fri, 28 Apr 2017 23:03:58 +0000 (+0000)
Subject: Revert previous change that forced consistency between return value and
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=2b413b938e13321123e929825cb9ce290f486ab6;p=openbsd

Revert previous change that forced consistency between return value and error code, since this breaks the documented API. Under certain circumstances this will result in incorrect successful certiticate verification (where a user supplied callback always returns 1, and later code checks the error code to potentially abort post verification)
---

diff --git a/lib/libcrypto/x509/x509_vfy.c b/lib/libcrypto/x509/x509_vfy.c
index 8c2f5b66db8..0d01301446b 100644
--- a/lib/libcrypto/x509/x509_vfy.c
+++ b/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.63 2017/04/28 22:46:40 beck Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.64 2017/04/28 23:03:58 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -541,15 +541,7 @@ X509_verify_cert(X509_STORE_CTX *ctx)
 /* Safety net, error returns must set ctx->error */
 if (ok <= 0 && ctx->error == X509_V_OK)
 ctx->error = X509_V_ERR_UNSPECIFIED;
-
- /*
- * Safety net, if user provided verify callback indicates sucess
- * make sure they have set error to X509_V_OK
- */
- if (ctx->verify_cb != null_callback && ok == 1)
- ctx->error = X509_V_OK;
-
- return(ctx->error == X509_V_OK);
+ return ok;
 }
 
 /* Given a STACK_OF(X509) find the issuer of cert (if any)
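Review bot: With `return ok;` the function's verdict again comes solely from the callback chain, while the surviving safety net just above only corrects ctx->error in the ok <= 0 direction, so a verify callback that returns 1 after a failure now yields a success return paired with a non-OK ctx->error. That is the documented contract this revert restores, but nothing at the return site records it, which is what invited the consistency check being reverted. A comment on the new line, `/* ok may be 1 while ctx->error != X509_V_OK when a user callback overrode a failure; callers must consult X509_STORE_CTX_get_error() as well */`, would keep the next maintainer from re-adding it. The first hunk is only the RCS id bump and needs nothing. The body of X509_verify_cert begins before this hunk.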