From 56c12a80fb55fd882113884563092aa2b3b694c5 Mon Sep 17 00:00:00 2001 From: beck Date: Mon, 30 Aug 2021 06:51:36 +0000 Subject: [PATCH] Fix Jan's regress in openssl/x509 to do what it says it does, then fix the only thing it still has complaints about which is that we don't return the leaf version of the error code when we can't verify the leaf (as opposed to the rest of the chain) ok jan@ tb@ --- lib/libcrypto/x509/x509_verify.c | 16 +++++++++++----- regress/usr.bin/openssl/x509/Makefile | 12 ++++-------- 2 files changed, 15 insertions(+), 13 deletions(-) diff --git a/lib/libcrypto/x509/x509_verify.c b/lib/libcrypto/x509/x509_verify.c index 051a04c1be9..51108bbe72b 100644 --- a/lib/libcrypto/x509/x509_verify.c +++ b/lib/libcrypto/x509/x509_verify.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_verify.c,v 1.45 2021/08/29 17:13:15 beck Exp $ */ +/* $OpenBSD: x509_verify.c,v 1.46 2021/08/30 06:51:36 beck Exp $ */ /* * Copyright (c) 2020-2021 Bob Beck * @@ -132,8 +132,11 @@ x509_verify_chain_append(struct x509_verify_chain *chain, X509 *cert, * We've just added the issuer for the previous certificate, * clear its error if appropriate. */ - if (idx > 1 && chain->cert_errors[idx - 1] == - X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) + if (idx > 1 && + (chain->cert_errors[idx - 1] == + X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY || + chain->cert_errors[idx - 1] == + X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE)) chain->cert_errors[idx - 1] = X509_V_OK; return 1; @@ -406,7 +409,9 @@ x509_verify_ctx_add_chain(struct x509_verify_ctx *ctx, /* Clear a get issuer failure for a root certificate. */ if (chain->cert_errors[depth] == - X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) + X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY || + chain->cert_errors[depth] == + X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE) chain->cert_errors[depth] = X509_V_OK; if (!x509_verify_ctx_validate_legacy_chain(ctx, chain, depth)) @@ -596,7 +601,8 @@ x509_verify_build_chains(struct x509_verify_ctx *ctx, X509 *cert, return; count = ctx->chains_count; - ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY; + ctx->error = depth == 0 ? X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE : + X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY; ctx->error_depth = depth; if (ctx->xsc != NULL) { /* diff --git a/regress/usr.bin/openssl/x509/Makefile b/regress/usr.bin/openssl/x509/Makefile index e091b7b0d5e..b022974dcb7 100644 --- a/regress/usr.bin/openssl/x509/Makefile +++ b/regress/usr.bin/openssl/x509/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.7 2021/08/29 15:52:47 tb Exp $ +# $OpenBSD: Makefile,v 1.8 2021/08/30 06:51:36 beck Exp $ # Copyright (c) 2021 Jan Klemkow # @@ -42,10 +42,6 @@ REGRESS_TARGETS += test-alternative-chain REGRESS_CLEANUP = cleanup-ssl REGRESS_SETUP_ONCE = create-libressl-test-certs -REGRESS_EXPECTED_FAILURES += test-inlabel-wildcard-cert-no-CA-client -REGRESS_EXPECTED_FAILURES += test-unusual-wildcard-cert-no-CA-client -REGRESS_EXPECTED_FAILURES += test-common-wildcard-cert-no-CA-client -REGRESS_EXPECTED_FAILURES += test-common-wildcard-cert-CA-client create-libressl-test-certs: create-libressl-test-certs.pl ${PERL} ${.CURDIR}/$@.pl @@ -92,14 +88,14 @@ test-common-wildcard-cert-no-CA-client: test-common-wildcard-cert-CA-client: # common wildcard cert, CA given to client # start server - ${OPENSSL} s_server -quiet -naccept 1 -cert server-unusual-wildcard.pem \ - -key server-unusual-wildcard.pem & \ + ${OPENSSL} s_server -quiet -naccept 1 -cert server-common-wildcard.pem \ + -key server-common-wildcard.pem & \ timeout=$$(($$(date +%s) + 5)); \ while fstat -p $$! | ! grep -q 'tcp .* \*:4433$$'; \ do test $$(date +%s) -lt $$timeout || exit 1; done # start client echo Q | ${OPENSSL} s_client -CAfile caR.pem \ - | grep "Verify return code: 21" + | grep "Verify return code: 0" test-verify-unusual-wildcard-cert: # openssl verify, unusual wildcard cert -- 2.20.1