From: beck
Date: Mon, 30 Aug 2021 08:59:33 +0000 (+0000)
Subject: Revert previous change that changed our default return for unable to
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=50df4f34da8ea3c3f4bd05129ac1c1f426690736;p=openbsd

Revert previous change that changed our default return for unable to find leaf cert issuers. This breaks perl and ruby regress, as noticed by tb that "we tried this before". Jan's regress that cares about 21 vs 20 needs to change ok tb@
---
diff --git a/lib/libcrypto/x509/x509_verify.c b/lib/libcrypto/x509/x509_verify.c
index 51108bbe72b..39371ef0384 100644
--- a/lib/libcrypto/x509/x509_verify.c
+++ b/lib/libcrypto/x509/x509_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_verify.c,v 1.46 2021/08/30 06:51:36 beck Exp $ */
+/* $OpenBSD: x509_verify.c,v 1.47 2021/08/30 08:59:33 beck Exp $ */
 /*
  * Copyright (c) 2020-2021 Bob Beck
  *
@@ -132,11 +132,8 @@ x509_verify_chain_append(struct x509_verify_chain *chain, X509 *cert,
  * We've just added the issuer for the previous certificate,
  * clear its error if appropriate.
  */
- if (idx > 1 &&
- (chain->cert_errors[idx - 1] ==
- X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ||
- chain->cert_errors[idx - 1] ==
- X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE))
+ if (idx > 1 && chain->cert_errors[idx - 1] ==
+ X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
 chain->cert_errors[idx - 1] = X509_V_OK;
 
 return 1;
@@ -409,9 +406,7 @@ x509_verify_ctx_add_chain(struct x509_verify_ctx *ctx,
 
 /* Clear a get issuer failure for a root certificate. */
 if (chain->cert_errors[depth] ==
- X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ||
- chain->cert_errors[depth] ==
- X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE)
+ X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
 chain->cert_errors[depth] = X509_V_OK;
 
 if (!x509_verify_ctx_validate_legacy_chain(ctx, chain, depth))
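Review bot: The restored guard `if (idx > 1 && chain->cert_errors[idx - 1] == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)` never touches slot 0, so an issuer appended at idx == 1 leaves whatever error was recorded for the leaf in place, while the comment above it says the previous certificate's error is cleared. If the leaf's error is intentionally resolved elsewhere, the comment should state that, e.g. `* Slot 0 (the leaf) is deliberately left alone here.`; if not, the bound is presumably `idx > 0`. x509_verify_chain_append starts outside the hunk, so how idx is computed and how cert_errors[0] is populated cannot be seen here.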
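Review bot: The condition restored in the third hunk clears X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY at `depth` on the strength of the error code alone; nothing in the hunk checks that the certificate at `depth` is actually self-signed, although the comment describes the clearing as being for a root certificate. If the caller guarantees that the chain's top is a root by this point (the x509_verify_ctx_validate_legacy_chain call that follows may be what re-validates it), the comment should record that precondition, e.g. `/* Clear a get issuer failure for a root certificate; the cert at depth is the chain's top and is assumed self-signed here. */`; otherwise an incomplete chain would have its verification error silently downgraded to X509_V_OK. x509_verify_ctx_add_chain begins and ends outside the hunk.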
@@ -601,8 +596,7 @@ x509_verify_build_chains(struct x509_verify_ctx *ctx, X509 *cert,
 return;
 
 count = ctx->chains_count;
- ctx->error = depth == 0 ? X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE :
- X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
+ ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
 ctx->error_depth = depth;
 if (ctx->xsc != NULL) {
 /*
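Review bot: The reason the depth-0 (leaf) case is again reported as X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY rather than X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE lives only in the commit message, not next to the unconditional `ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;`. A short comment at the assignment, such as `/* Deliberately not UNABLE_TO_VERIFY_LEAF_SIGNATURE at depth 0: existing callers depend on this error code. */`, would keep the distinction from being reintroduced a third time. Whether this value is provisional and overwritten once an issuer is found cannot be seen in the hunk; x509_verify_build_chains starts and ends outside it.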