From: beck Date: Mon, 30 Aug 2021 06:51:36 +0000 (+0000) Subject: Fix Jan's regress in openssl/x509 to do what it says it does, X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=56c12a80fb55fd882113884563092aa2b3b694c5;p=openbsd Fix Jan's regress in openssl/x509 to do what it says it does, then fix the only thing it still has complaints about which is that we don't return the leaf version of the error code when we can't verify the leaf (as opposed to the rest of the chain) ok jan@ tb@ --- diff --git a/lib/libcrypto/x509/x509_verify.c b/lib/libcrypto/x509/x509_verify.c index 051a04c1be9..51108bbe72b 100644 --- a/lib/libcrypto/x509/x509_verify.c +++ b/lib/libcrypto/x509/x509_verify.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_verify.c,v 1.45 2021/08/29 17:13:15 beck Exp $ */ +/* $OpenBSD: x509_verify.c,v 1.46 2021/08/30 06:51:36 beck Exp $ */ /* * Copyright (c) 2020-2021 Bob Beck * @@ -132,8 +132,11 @@ x509_verify_chain_append(struct x509_verify_chain *chain, X509 *cert, * We've just added the issuer for the previous certificate, * clear its error if appropriate. */ - if (idx > 1 && chain->cert_errors[idx - 1] == - X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) + if (idx > 1 && + (chain->cert_errors[idx - 1] == + X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY || + chain->cert_errors[idx - 1] == + X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE)) chain->cert_errors[idx - 1] = X509_V_OK; return 1; @@ -406,7 +409,9 @@ x509_verify_ctx_add_chain(struct x509_verify_ctx *ctx, /* Clear a get issuer failure for a root certificate. */ if (chain->cert_errors[depth] == - X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) + X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY || + chain->cert_errors[depth] == + X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE) chain->cert_errors[depth] = X509_V_OK; if (!x509_verify_ctx_validate_legacy_chain(ctx, chain, depth)) @@ -596,7 +601,8 @@ x509_verify_build_chains(struct x509_verify_ctx *ctx, X509 *cert, return; count = ctx->chains_count; - ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY; + ctx->error = depth == 0 ? X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE : + X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY; ctx->error_depth = depth; if (ctx->xsc != NULL) { /* diff --git a/regress/usr.bin/openssl/x509/Makefile b/regress/usr.bin/openssl/x509/Makefile index e091b7b0d5e..b022974dcb7 100644 --- a/regress/usr.bin/openssl/x509/Makefile +++ b/regress/usr.bin/openssl/x509/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.7 2021/08/29 15:52:47 tb Exp $ +# $OpenBSD: Makefile,v 1.8 2021/08/30 06:51:36 beck Exp $ # Copyright (c) 2021 Jan Klemkow # @@ -42,10 +42,6 @@ REGRESS_TARGETS += test-alternative-chain REGRESS_CLEANUP = cleanup-ssl REGRESS_SETUP_ONCE = create-libressl-test-certs -REGRESS_EXPECTED_FAILURES += test-inlabel-wildcard-cert-no-CA-client -REGRESS_EXPECTED_FAILURES += test-unusual-wildcard-cert-no-CA-client -REGRESS_EXPECTED_FAILURES += test-common-wildcard-cert-no-CA-client -REGRESS_EXPECTED_FAILURES += test-common-wildcard-cert-CA-client create-libressl-test-certs: create-libressl-test-certs.pl ${PERL} ${.CURDIR}/$@.pl @@ -92,14 +88,14 @@ test-common-wildcard-cert-no-CA-client: test-common-wildcard-cert-CA-client: # common wildcard cert, CA given to client # start server - ${OPENSSL} s_server -quiet -naccept 1 -cert server-unusual-wildcard.pem \ - -key server-unusual-wildcard.pem & \ + ${OPENSSL} s_server -quiet -naccept 1 -cert server-common-wildcard.pem \ + -key server-common-wildcard.pem & \ timeout=$$(($$(date +%s) + 5)); \ while fstat -p $$! | ! grep -q 'tcp .* \*:4433$$'; \ do test $$(date +%s) -lt $$timeout || exit 1; done # start client echo Q | ${OPENSSL} s_client -CAfile caR.pem \ - | grep "Verify return code: 21" + | grep "Verify return code: 0" test-verify-unusual-wildcard-cert: # openssl verify, unusual wildcard cert