authorbeck <beck@openbsd.org>2017-04-28 23:03:58 +0000
committerbeck <beck@openbsd.org>2017-04-28 23:03:58 +0000
commit2b413b938e13321123e929825cb9ce290f486ab6 (patch)
treee2fda1b74a43bbd5d0611467ef077a3affc688e1
parentrevert previous accidental commit (diff)
downloadwireguard-openbsd-2b413b938e13321123e929825cb9ce290f486ab6.tar.xz
wireguard-openbsd-2b413b938e13321123e929825cb9ce290f486ab6.zip
Revert previous change that forced consistency between return value and
error code, since this breaks the documented API. Under certain circumstances this will result in incorrect successful certificate verification (where a user-supplied callback always returns 1, and later code checks the error code to potentially abort post-verification).
-rw-r--r--lib/libcrypto/x509/x509_vfy.c12
1 files changed, 2 insertions, 10 deletions
diff --git a/lib/libcrypto/x509/x509_vfy.c b/lib/libcrypto/x509/x509_vfy.c
index 8c2f5b66db8..0d01301446b 100644
--- a/lib/libcrypto/x509/x509_vfy.c
+++ b/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.63 2017/04/28 22:46:40 beck Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.64 2017/04/28 23:03:58 beck Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -541,15 +541,7 @@ X509_verify_cert(X509_STORE_CTX *ctx)
/* Safety net, error returns must set ctx->error */
if (ok <= 0 && ctx->error == X509_V_OK)
ctx->error = X509_V_ERR_UNSPECIFIED;
-
- /*
- * Safety net, if user provided verify callback indicates sucess
- * make sure they have set error to X509_V_OK
- */
- if (ctx->verify_cb != null_callback && ok == 1)
- ctx->error = X509_V_OK;
-
- return(ctx->error == X509_V_OK);
+ return ok;
}
/* Given a STACK_OF(X509) find the issuer of cert (if any)
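Review bot: The restored `return ok;` leaves the return value and ctx->error deliberately independent, and nothing in the hunk records that contract, so the next reader who notices `ok == 1` alongside a non-OK ctx->error will be tempted to reinstate exactly the consistency check this commit reverts. A comment above the return would pin it down, e.g. `/* ok and ctx->error are independent by design: a verify callback may return 1 to override a failure while ctx->error keeps the last error code, and callers check X509_STORE_CTX_get_error() after a 1 return. Do not force them to agree. */`. The safety net that remains just above the return only covers the ok <= 0 direction, which is the right half to keep; whether ok can be negative here, and whether callers test `== 1` or `> 0`, is not visible in this hunk because X509_verify_cert's body begins before it. If the manual page does not already state that a successful return must be followed by an error-code check when a callback is installed, that is worth adding alongside this revert.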