author | Miod Vallat <miod@cvs.openbsd.org> | 2009-01-14 22:08:54 +0000 |
---|---|---|
committer | Miod Vallat <miod@cvs.openbsd.org> | 2009-01-14 22:08:54 +0000 |
commit | 2802fba185086e41e538abae7ba6535f27087bf9 (patch) | |
tree | 1061d0303937fcffc6d76ee1bcff09e8df0c16fe /kerberosV | |
parent | fc9b3b555140bd06e6e5b0639d3c3da7b3a4de1d (diff) |
pk_verify_chain_standard() expects X509_verify_cert() to always set
ctx->error, but this is not the case if X509_verify_cert() returns -1.
ok djm@
Diffstat (limited to 'kerberosV')
-rw-r--r-- | kerberosV/src/lib/krb5/pkinit.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/kerberosV/src/lib/krb5/pkinit.c b/kerberosV/src/lib/krb5/pkinit.c
index aa3e63bbaca..4fd75bc6f24 100644
--- a/kerberosV/src/lib/krb5/pkinit.c
+++ b/kerberosV/src/lib/krb5/pkinit.c
@@ -1037,7 +1037,9 @@ pk_verify_chain_standard(krb5_context context,
 X509_STORE_CTX_init(store_ctx, cert_store, cert, chain);
 X509_STORE_CTX_trusted_stack(store_ctx, id->trusted_certs);
- X509_verify_cert(store_ctx);
+ if (X509_verify_cert(store_ctx) < 0) {
+ store_ctx->error = X509_V_ERR_CERT_REJECTED; /* XXX better value? */
+ }
 /* the last checked certificate is in store_ctx->current_cert */
 krb5_clear_error_string(context);
 switch(store_ctx->error) {
 |
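Review bot: The accept/reject decision is still taken from `store_ctx->error` in the `switch` that follows rather than from the return value of `X509_verify_cert()`, so the added guard closes only the `-1` case. A return of 0 with `error` left at `X509_V_OK` would, as far as the visible lines show, still be treated as a verified chain. Keeping the result in a local and failing closed on anything other than 1 removes that dependency: `ret = X509_verify_cert(store_ctx);` followed by `if (ret <= 0 && store_ctx->error == X509_V_OK) store_ctx->error = X509_V_ERR_APPLICATION_VERIFICATION;`. That form also keeps a more specific error code when the library did set one on the `-1` path, which the unconditional assignment in the new code overwrites. The `switch` body and the rest of pk_verify_chain_standard() lie outside the hunk, so how `X509_V_OK` is handled there is inferred.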