authorJoel Sing <jsing@cvs.openbsd.org>2017-01-03 17:13:42 +0000
committerJoel Sing <jsing@cvs.openbsd.org>2017-01-03 17:13:42 +0000
commitd484c279d2f9c9d8b9cbef9493bb72f9be3f8cf8 (patch)
treed60ae91f711de9a64645378b93808bcc2000be87 /lib/libtls
parent0368e7c3e95080eb552e45cb58d04e6f86f7297a (diff)
Revert previous - the original code was correct since X509_verify_cert()
should not have changed the X509_STORE_CTX error value on success and it was initialised to X509_V_OK by X509_STORE_CTX_init(). Other software also depends on this behaviour. Previously X509_verify_cert() was mishandling the X509_STORE_CTX error value when validating alternate chains. This has been fixed and further changes now explicitly ensure that the error value will be set to X509_V_OK if X509_verify_cert() returns success.
Diffstat (limited to 'lib/libtls')
-rw-r--r--lib/libtls/tls.c10
1 files changed, 5 insertions, 5 deletions
diff --git a/lib/libtls/tls.c b/lib/libtls/tls.c
index 53a85066220..e192942b6bb 100644
--- a/lib/libtls/tls.c
+++ b/lib/libtls/tls.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.c,v 1.54 2017/01/02 22:03:56 tedu Exp $ */
+/* $OpenBSD: tls.c,v 1.55 2017/01/03 17:13:41 jsing Exp $ */
/*
* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
*
@@ -369,19 +369,19 @@ static int
tls_ssl_cert_verify_cb(X509_STORE_CTX *x509_ctx, void *arg)
{
struct tls *ctx = arg;
- int x509_err, rv;
+ int x509_err;
if (ctx->config->verify_cert == 0)
return (1);
- if ((rv = X509_verify_cert(x509_ctx)) < 0) {
+ if ((X509_verify_cert(x509_ctx)) < 0) {
tls_set_errorx(ctx, "X509 verify cert failed");
return (0);
}
- if (rv == 1)
- return 1;
x509_err = X509_STORE_CTX_get_error(x509_ctx);
+ if (x509_err == X509_V_OK)
+ return (1);
tls_set_errorx(ctx, "certificate verification failed: %s",
X509_verify_cert_error_string(x509_err));
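Review bot: With `rv` removed, the accept decision on the new `if (x509_err == X509_V_OK)` line rests entirely on the X509_STORE_CTX error slot, so any verification path that returned 0 without recording a non-OK error would be treated as success; the commit message documents the success direction (a successful X509_verify_cert() leaves X509_V_OK), but this check also depends on every failure path setting an error, and that invariant lives in libcrypto rather than here. A comment at the check would record the dependency for the next reader, e.g. `/* Rely on X509_verify_cert() leaving the error at X509_V_OK only on success. */`. Separately, the double parentheses in `if ((X509_verify_cert(x509_ctx)) < 0) {` are a leftover of the removed assignment and can be `if (X509_verify_cert(x509_ctx) < 0) {`. The function's trailing return and closing brace lie outside the hunk.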