From 50df4f34da8ea3c3f4bd05129ac1c1f426690736 Mon Sep 17 00:00:00 2001
From: beck
Date: Mon, 30 Aug 2021 08:59:33 +0000
Subject: [PATCH] Revert previous change that changed our default return for unable to find leaf cert issuers. This breaks perl and ruby regress, as noticed by tb that "we tried this before". Jan's regress that cares about 21 vs 20 needs to change ok tb@

---
 lib/libcrypto/x509/x509_verify.c | 16 +++++-----------
 1 file changed, 5 insertions(+), 11 deletions(-)

diff --git a/lib/libcrypto/x509/x509_verify.c b/lib/libcrypto/x509/x509_verify.c
index 51108bbe72b..39371ef0384 100644
--- a/lib/libcrypto/x509/x509_verify.c
+++ b/lib/libcrypto/x509/x509_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_verify.c,v 1.46 2021/08/30 06:51:36 beck Exp $ */
+/* $OpenBSD: x509_verify.c,v 1.47 2021/08/30 08:59:33 beck Exp $ */
 /*
  * Copyright (c) 2020-2021 Bob Beck
  *
@@ -132,11 +132,8 @@ x509_verify_chain_append(struct x509_verify_chain *chain, X509 *cert,
	 * We've just added the issuer for the previous certificate,
	 * clear its error if appropriate.
	 */
-	if (idx > 1 &&
-	    (chain->cert_errors[idx - 1] ==
-	    X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ||
-	    chain->cert_errors[idx - 1] ==
-	    X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE))
+	if (idx > 1 && chain->cert_errors[idx - 1] ==
+	    X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
 		chain->cert_errors[idx - 1] = X509_V_OK;
 
 	return 1;
@@ -409,9 +406,7 @@ x509_verify_ctx_add_chain(struct x509_verify_ctx *ctx,
 
 	/* Clear a get issuer failure for a root certificate. */
 	if (chain->cert_errors[depth] ==
-	    X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ||
-	    chain->cert_errors[depth] ==
-	    X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE)
+	    X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
 		chain->cert_errors[depth] = X509_V_OK;
 
 	if (!x509_verify_ctx_validate_legacy_chain(ctx, chain, depth))
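Review bot: The `idx > 1` guard on the new `if` in x509_verify_chain_append deserves a comment now that it is the only error-clearing condition left: if `idx` is the 0-based slot of the cert just appended (its assignment is outside the hunk, so this is inferred), then `idx - 1 == 0` is the leaf and its UNABLE_TO_GET_ISSUER_CERT_LOCALLY entry is never cleared here when its issuer lands at slot 1. If that is intended because the leaf's error is reconciled elsewhere, say so: `/* idx - 1 == 0 is the leaf; its error is handled when the chain is added. */` Otherwise the comparison should probably be `idx > 0` and that needs a regress case. Since this hunk also stops clearing X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE, any remaining writer of that code into cert_errors elsewhere in the file would leave it stuck even after an issuer is found; within this patch the only writer shown (build_chains) now records UNABLE_TO_GET_ISSUER_CERT_LOCALLY, so it is consistent as far as visible. x509_verify_chain_append begins before this hunk.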
@@ -601,8 +596,7 @@ x509_verify_build_chains(struct x509_verify_ctx *ctx, X509 *cert,
 		return;
 
 	count = ctx->chains_count;
-	ctx->error = depth == 0 ? X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE :
-	    X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
+	ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
 	ctx->error_depth = depth;
 	if (ctx->xsc != NULL) {
 		/*
-- 
2.20.1
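Review bot: The unconditional `ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;` needs a why-comment, because the commit message says this exact choice was tried, changed, and reverted once already and nothing in the code records that. Without it the next reader will see a leaf (depth 0) with no issuer reported as a "get issuer" failure rather than a leaf-signature failure and reasonably "fix" it again. Suggested comment above the assignment: `/* Report UNABLE_TO_GET_ISSUER_CERT_LOCALLY (20) at every depth, including the leaf: callers such as the perl and ruby regress expect 20 here, not UNABLE_TO_VERIFY_LEAF_SIGNATURE (21). */` The body of x509_verify_build_chains continues past the end of this hunk.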