authorBob Beck <beck@cvs.openbsd.org>2021-08-30 06:51:37 +0000
committerBob Beck <beck@cvs.openbsd.org>2021-08-30 06:51:37 +0000
commit0bdc7da30b17647b901121a51f62335f01c56f33 (patch)
treea63995a56686de7dd2f4ddfc9690e2cf3dda5d23
parent72a6016102cb9ccd5d95a9361d913aba4203a763 (diff)
Fix Jan's regress in openssl/x509 to do what it says it does,
then fix the only thing it still has complaints about, which is that we don't return the leaf version of the error code when we can't verify the leaf (as opposed to the rest of the chain). ok jan@ tb@
-rw-r--r--lib/libcrypto/x509/x509_verify.c16
-rw-r--r--regress/usr.bin/openssl/x509/Makefile12
2 files changed, 15 insertions, 13 deletions
diff --git a/lib/libcrypto/x509/x509_verify.c b/lib/libcrypto/x509/x509_verify.c
index 051a04c1be9..51108bbe72b 100644
--- a/lib/libcrypto/x509/x509_verify.c
+++ b/lib/libcrypto/x509/x509_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_verify.c,v 1.45 2021/08/29 17:13:15 beck Exp $ */
+/* $OpenBSD: x509_verify.c,v 1.46 2021/08/30 06:51:36 beck Exp $ */
/*
* Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org>
*
@@ -132,8 +132,11 @@ x509_verify_chain_append(struct x509_verify_chain *chain, X509 *cert,
* We've just added the issuer for the previous certificate,
* clear its error if appropriate.
*/
- if (idx > 1 && chain->cert_errors[idx - 1] ==
- X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
+ if (idx > 1 &&
+ (chain->cert_errors[idx - 1] ==
+ X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ||
+ chain->cert_errors[idx - 1] ==
+ X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE))
chain->cert_errors[idx - 1] = X509_V_OK;
return 1;
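Review bot: The pair of error codes that x509_verify_chain_append now clears on the new lines is repeated verbatim in the root-certificate check of x509_verify_ctx_add_chain in the next hunk, so any further "still looking for an issuer" code would have to be added in both places by hand. A small static predicate would keep the two sites in sync and make each condition read as intent rather than as two raw comparisons. The enclosing function starts before this hunk.
```c
/*
 * Errors recorded while an issuer is still being searched for; they are
 * cleared once the issuer (or a root) is added to the chain.
 */
static int
x509_verify_error_is_missing_issuer(int error)
{
	return error == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ||
	    error == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE;
}

/* … unchanged: x509_verify_chain_append up to the clearing check … */
	if (idx > 1 &&
	    x509_verify_error_is_missing_issuer(chain->cert_errors[idx - 1]))
		chain->cert_errors[idx - 1] = X509_V_OK;
```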
@@ -406,7 +409,9 @@ x509_verify_ctx_add_chain(struct x509_verify_ctx *ctx,
/* Clear a get issuer failure for a root certificate. */
if (chain->cert_errors[depth] ==
- X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
+ X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ||
+ chain->cert_errors[depth] ==
+ X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE)
chain->cert_errors[depth] = X509_V_OK;
if (!x509_verify_ctx_validate_legacy_chain(ctx, chain, depth))
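Review bot: The comment directly above the changed condition still says "Clear a get issuer failure for a root certificate." although the condition now also clears X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE, so the comment no longer describes the check below it. I would update it to `/* Clear a get issuer or unverifiable leaf failure for a root certificate. */`. The enclosing x509_verify_ctx_add_chain starts before and continues after this hunk.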
@@ -596,7 +601,8 @@ x509_verify_build_chains(struct x509_verify_ctx *ctx, X509 *cert,
return;
count = ctx->chains_count;
- ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
+ ctx->error = depth == 0 ? X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE :
+ X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
ctx->error_depth = depth;
if (ctx->xsc != NULL) {
/*
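Review bot: The new ternary that picks the error code carries no comment, so a reader cannot tell why depth 0 is singled out; the commit message explains it (the leaf gets its own flavour of the "cannot find issuer" error) but the code does not. A one-line comment above the assignment would do, e.g. `/* No issuer found: at depth 0 (the leaf) report the leaf-specific error. */`, assuming depth 0 does denote the leaf, which this hunk does not show. The enclosing x509_verify_build_chains starts before and continues after this hunk.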
diff --git a/regress/usr.bin/openssl/x509/Makefile b/regress/usr.bin/openssl/x509/Makefile
index e091b7b0d5e..b022974dcb7 100644
--- a/regress/usr.bin/openssl/x509/Makefile
+++ b/regress/usr.bin/openssl/x509/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.7 2021/08/29 15:52:47 tb Exp $
+# $OpenBSD: Makefile,v 1.8 2021/08/30 06:51:36 beck Exp $
# Copyright (c) 2021 Jan Klemkow <j.klemkow@wemelug.de>
#
@@ -42,10 +42,6 @@ REGRESS_TARGETS += test-alternative-chain
REGRESS_CLEANUP = cleanup-ssl
REGRESS_SETUP_ONCE = create-libressl-test-certs
-REGRESS_EXPECTED_FAILURES += test-inlabel-wildcard-cert-no-CA-client
-REGRESS_EXPECTED_FAILURES += test-unusual-wildcard-cert-no-CA-client
-REGRESS_EXPECTED_FAILURES += test-common-wildcard-cert-no-CA-client
-REGRESS_EXPECTED_FAILURES += test-common-wildcard-cert-CA-client
create-libressl-test-certs: create-libressl-test-certs.pl
${PERL} ${.CURDIR}/$@.pl
@@ -92,14 +88,14 @@ test-common-wildcard-cert-no-CA-client:
test-common-wildcard-cert-CA-client:
# common wildcard cert, CA given to client
# start server
- ${OPENSSL} s_server -quiet -naccept 1 -cert server-unusual-wildcard.pem \
- -key server-unusual-wildcard.pem & \
+ ${OPENSSL} s_server -quiet -naccept 1 -cert server-common-wildcard.pem \
+ -key server-common-wildcard.pem & \
timeout=$$(($$(date +%s) + 5)); \
while fstat -p $$! | ! grep -q 'tcp .* \*:4433$$'; \
do test $$(date +%s) -lt $$timeout || exit 1; done
# start client
echo Q | ${OPENSSL} s_client -CAfile caR.pem \
- | grep "Verify return code: 21"
+ | grep "Verify return code: 0"
test-verify-unusual-wildcard-cert:
# openssl verify, unusual wildcard cert