authorTheo Buehler <tb@cvs.openbsd.org>2020-11-03 18:39:19 +0000
committerTheo Buehler <tb@cvs.openbsd.org>2020-11-03 18:39:19 +0000
commitf6d982a6d0df28b0d88aa80b65fa4091e35b472d (patch)
tree9948e912f49bf1c08209cbca552902e0f4056cad /usr.bin/openssl
parent99b92b2a000362ac4f45f79ce5e494370316d11c (diff)
X509_verify_cert()'s return value is not reliable if the callback
returns 1. verify.c's cb() ignores a bunch of things to display as much info as possible. Thus, check the error code on the store ctx as well, similar to OpenSSL commit d9e309a6 (old licence). This makes openssl verify error on expired certs, at least with the legacy verify code. While here, fix a number of style issues, simplify and plug a leak. ok inoguchi
Diffstat (limited to 'usr.bin/openssl')
-rw-r--r--usr.bin/openssl/verify.c42
1 files changed, 22 insertions, 20 deletions
diff --git a/usr.bin/openssl/verify.c b/usr.bin/openssl/verify.c
index e4443148ce3..937f350a3ab 100644
--- a/usr.bin/openssl/verify.c
+++ b/usr.bin/openssl/verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: verify.c,v 1.9 2020/10/26 11:48:39 tb Exp $ */
+/* $OpenBSD: verify.c,v 1.10 2020/11/03 18:39:18 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -364,45 +364,47 @@ verify_main(int argc, char **argv)
}
static int
-check(X509_STORE * ctx, char *file, STACK_OF(X509) * uchain,
- STACK_OF(X509) * tchain, STACK_OF(X509_CRL) * crls)
+check(X509_STORE *ctx, char *file, STACK_OF(X509) *uchain,
+ STACK_OF(X509) *tchain, STACK_OF(X509_CRL) *crls)
{
X509 *x = NULL;
+ X509_STORE_CTX *csc = NULL;
+ const char *certfile = (file == NULL) ? "stdin" : file;
+ int verify_err;
int i = 0, ret = 0;
- X509_STORE_CTX *csc;
x = load_cert(bio_err, file, FORMAT_PEM, NULL, "certificate file");
if (x == NULL)
goto end;
- fprintf(stdout, "%s: ", (file == NULL) ? "stdin" : file);
- csc = X509_STORE_CTX_new();
- if (csc == NULL) {
- ERR_print_errors(bio_err);
+ fprintf(stdout, "%s: ", certfile);
+
+ if ((csc = X509_STORE_CTX_new()) == NULL)
goto end;
- }
X509_STORE_set_flags(ctx, vflags);
- if (!X509_STORE_CTX_init(csc, ctx, x, uchain)) {
- ERR_print_errors(bio_err);
+ if (!X509_STORE_CTX_init(csc, ctx, x, uchain))
goto end;
- }
if (tchain)
X509_STORE_CTX_trusted_stack(csc, tchain);
if (crls)
X509_STORE_CTX_set0_crls(csc, crls);
- i = X509_verify_cert(csc);
- X509_STORE_CTX_free(csc);
- ret = 0;
+ i = X509_verify_cert(csc);
+ verify_err = X509_STORE_CTX_get_error(csc);
- end:
- if (i > 0) {
+ if (i > 0 && verify_err == X509_V_OK) {
fprintf(stdout, "OK\n");
ret = 1;
- } else
+ } else {
+ fprintf(stdout, "%s: verification failed: %d (%s)\n", certfile,
+ verify_err, X509_verify_cert_error_string(verify_err));
+ }
+
+ end:
+ if (i <= 0)
ERR_print_errors(bio_err);
- if (x != NULL)
- X509_free(x);
+ X509_free(x);
+ X509_STORE_CTX_free(csc);
return (ret);
}
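Review bot: The `fprintf(stdout, "%s: ", certfile);` line is now followed by two `goto end` paths (the `X509_STORE_CTX_new()` and `X509_STORE_CTX_init()` failures), so on those paths stdout is left with an unterminated `certfile: ` while the real diagnostics go to bio_err via `ERR_print_errors()` at `end:`; the old code had the same shape, but since the commit rewrites exactly these lines it would be cheap to close the gap by moving that one `fprintf` down to just before `i = X509_verify_cert(csc);`, which keeps the `OK` line and the cb() output attached to the file name and leaves nothing dangling when setup fails. The new `i > 0 && verify_err == X509_V_OK` test only sees the last error value stored on the store ctx, so it relies on the verifier never resetting that value to `X509_V_OK` after cb() has already accepted an earlier error; the commit message scopes this to the legacy verify code, and a short comment above that `if` saying so, e.g. `/* cb() returns 1 on errors it only reports; re-check the ctx error. */`, would save the next reader a trip to the log. Minor: `verify_err` is assigned only after `X509_verify_cert()` and is not read at `end:`, so the early `goto end`s are safe, but `int verify_err = X509_V_OK;` would make that obvious without changing behaviour.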