From 2b413b938e13321123e929825cb9ce290f486ab6 Mon Sep 17 00:00:00 2001 From: beck Date: Fri, 28 Apr 2017 23:03:58 +0000 Subject: [PATCH] Revert previous change that forced consistency between return value and error code, since this breaks the documented API. Under certain circumstances this will result in incorrect successful certiticate verification (where a user supplied callback always returns 1, and later code checks the error code to potentially abort post verification) --- lib/libcrypto/x509/x509_vfy.c | 12 ++---------- 1 file changed, 2 insertions(+), 10 deletions(-) diff --git a/lib/libcrypto/x509/x509_vfy.c b/lib/libcrypto/x509/x509_vfy.c index 8c2f5b66db8..0d01301446b 100644 --- a/lib/libcrypto/x509/x509_vfy.c +++ b/lib/libcrypto/x509/x509_vfy.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_vfy.c,v 1.63 2017/04/28 22:46:40 beck Exp $ */ +/* $OpenBSD: x509_vfy.c,v 1.64 2017/04/28 23:03:58 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -541,15 +541,7 @@ X509_verify_cert(X509_STORE_CTX *ctx) /* Safety net, error returns must set ctx->error */ if (ok <= 0 && ctx->error == X509_V_OK) ctx->error = X509_V_ERR_UNSPECIFIED; - - /* - * Safety net, if user provided verify callback indicates sucess - * make sure they have set error to X509_V_OK - */ - if (ctx->verify_cb != null_callback && ok == 1) - ctx->error = X509_V_OK; - - return(ctx->error == X509_V_OK); + return ok; } /* Given a STACK_OF(X509) find the issuer of cert (if any) -- 2.20.1