From: beck
Date: Thu, 9 Sep 2021 15:09:43 +0000 (+0000)
Subject: When calling the legacy callback, ensure we catch the case where it
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=6cf343156dba058ea7a1988fcc62f6bc493da6a1;p=openbsd

When calling the legacy callback, ensure we catch the case where it has decided to change a success to a failure and change the error code.

Fixes a regression in the openssl-ruby tests which expect to test this functionality.

ok tb@
---
diff --git a/lib/libcrypto/x509/x509_verify.c b/lib/libcrypto/x509/x509_verify.c index 2ec53f6fc8a..e49fbdee48a 100644 --- a/lib/libcrypto/x509/x509_verify.c +++ b/lib/libcrypto/x509/x509_verify.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_verify.c,v 1.48 2021/09/03 08:58:53 beck Exp $ */ +/* $OpenBSD: x509_verify.c,v 1.49 2021/09/09 15:09:43 beck Exp $ */ /* * Copyright (c) 2020-2021 Bob Beck * @@ -1205,8 +1205,11 @@ x509_verify(struct x509_verify_ctx *ctx, X509 *leaf, char *name) * verified chain. The callback could still tell us to * fail. */ - if(!x509_vfy_callback_indicate_success(ctx->xsc)) + if(!x509_vfy_callback_indicate_success(ctx->xsc)) { + /* The callback can change the error code */ + ctx->error = ctx->xsc->error; goto err; + } } else { /* * We had a failure, indicate the failure, but
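
Review bot: In the second hunk (x509_verify(), the block entered when x509_vfy_callback_indicate_success(ctx->xsc) returns 0), the copy `ctx->error = ctx->xsc->error;` is unconditional, so a callback that rejects the chain without setting an error may leave ctx->error holding a non-failure value while the function still takes the err path. Consider copying only when ctx->xsc->error is not X509_V_OK and otherwise setting a generic failure code such as X509_V_ERR_UNSPECIFIED, so that a rejected chain is never reported with a success code. The commit message says this fixes a regression caught by the openssl-ruby tests; a regress test in the tree that has the callback turn a success into a failure with a custom error code would catch this earlier. Minor style point on the same line: since the condition is being touched, `if(` could become `if (`.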