authorMiod Vallat <miod@cvs.openbsd.org>2009-01-14 22:08:54 +0000
committerMiod Vallat <miod@cvs.openbsd.org>2009-01-14 22:08:54 +0000
commit2802fba185086e41e538abae7ba6535f27087bf9 (patch)
tree1061d0303937fcffc6d76ee1bcff09e8df0c16fe
parentfc9b3b555140bd06e6e5b0639d3c3da7b3a4de1d (diff)
pk_verify_chain_standard() expects X509_verify_cert() to always set
ctx->error, but this is not the case if X509_verify_cert() returns -1. ok djm@
-rw-r--r--kerberosV/src/lib/krb5/pkinit.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/kerberosV/src/lib/krb5/pkinit.c b/kerberosV/src/lib/krb5/pkinit.c
index aa3e63bbaca..4fd75bc6f24 100644
--- a/kerberosV/src/lib/krb5/pkinit.c
+++ b/kerberosV/src/lib/krb5/pkinit.c
@@ -1037,7 +1037,9 @@ pk_verify_chain_standard(krb5_context context,
X509_STORE_CTX_init(store_ctx, cert_store, cert, chain);
X509_STORE_CTX_trusted_stack(store_ctx, id->trusted_certs);
- X509_verify_cert(store_ctx);
+ if (X509_verify_cert(store_ctx) < 0) {
+ store_ctx->error = X509_V_ERR_CERT_REJECTED; /* XXX better value? */
+ }
/* the last checked certificate is in store_ctx->current_cert */
krb5_clear_error_string(context);
switch(store_ctx->error) {
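Review bot: The new guard covers only a negative return from X509_verify_cert(), so a return of 0 that leaves store_ctx->error at X509_V_OK would still reach the switch below looking like a verified chain. The switch cases are outside this hunk, so this assumes X509_V_OK is the accept path there. Since only a return of 1 means the chain verified, the check would be safer as `if (X509_verify_cert(store_ctx) <= 0 && store_ctx->error == X509_V_OK)` followed by `store_ctx->error = X509_V_ERR_CERT_REJECTED;`, which also keeps any more specific error code the library did set. The `/* XXX better value? */` remark could then be replaced by a comment stating the invariant: any result other than 1 must leave a non-OK error, so the chain is rejected by default.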