author | Claudio Jeker <claudio@cvs.openbsd.org> | 2022-11-29 10:33:10 +0000 |
---|---|---|
committer | Claudio Jeker <claudio@cvs.openbsd.org> | 2022-11-29 10:33:10 +0000 |
commit | edd8530649dfe26b0230f3e7729f708c3a678b16 (patch) | |
tree | 85597e4143131453f5f743712d63e3f794c5b2e4 /usr.sbin/rpki-client/validate.c | |
parent | 10c503ad994ca0db53d230fc2f4baf6c493f1fe8 (diff) |
Return an error string instead of suppressing the warning in valid_x509.
This way manifests can show a better error message when something fails.
With and OK tb@
Diffstat (limited to 'usr.sbin/rpki-client/validate.c')
-rw-r--r-- | usr.sbin/rpki-client/validate.c | 13 |
1 files changed, 7 insertions, 6 deletions
diff --git a/usr.sbin/rpki-client/validate.c b/usr.sbin/rpki-client/validate.c
index d7623808704..e69503d15ae 100644
--- a/usr.sbin/rpki-client/validate.c
+++ b/usr.sbin/rpki-client/validate.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: validate.c,v 1.47 2022/11/26 12:02:37 job Exp $ */
+/* $OpenBSD: validate.c,v 1.48 2022/11/29 10:33:09 claudio Exp $ */
 /*
 * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
 *
@@ -369,18 +369,20 @@ build_crls(const struct crl *crl, STACK_OF(X509_CRL) **crls)
 /*
 * Validate the X509 certificate. If crl is NULL don't check CRL.
 * Returns 1 for valid certificates, returns 0 if there is a verify error
+ * and sets *errstr to the error returned by X509_verify_cert_error_string().
 */
 int
 valid_x509(char *file, X509_STORE_CTX *store_ctx, X509 *x509, struct auth *a,
- struct crl *crl, int nowarn)
+ struct crl *crl, const char **errstr)
 {
 X509_VERIFY_PARAM *params;
 ASN1_OBJECT *cp_oid;
 STACK_OF(X509) *chain;
 STACK_OF(X509_CRL) *crls = NULL;
 unsigned long flags;
- int c;
+ int error;
+ *errstr = NULL;
 build_chain(a, &chain);
 build_crls(crl, &crls);
@@ -405,9 +407,8 @@ valid_x509(char *file, X509_STORE_CTX *store_ctx, X509 *x509, struct auth *a,
 X509_STORE_CTX_set0_crls(store_ctx, crls);
 if (X509_verify_cert(store_ctx) <= 0) {
- c = X509_STORE_CTX_get_error(store_ctx);
- if (!nowarn || verbose > 1)
- warnx("%s: %s", file, X509_verify_cert_error_string(c));
+ error = X509_STORE_CTX_get_error(store_ctx);
+ *errstr = X509_verify_cert_error_string(error);
 X509_STORE_CTX_cleanup(store_ctx);
 sk_X509_free(chain);
 sk_X509_CRL_free(crls);
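Review bot: The new `errstr` out-parameter is dereferenced unconditionally at `*errstr = NULL;` before any verification happens, so the function comment should state that callers must pass a non-NULL pointer, and that the string stored on failure is the static text returned by X509_verify_cert_error_string() and must not be freed or expected to outlive a later call; e.g. add ` * errstr must not be NULL; the string it receives is static and must not be freed.` after the new comment line. With the warnx() call removed, `file` is no longer referenced anywhere in the visible part of the hunk; if nothing else in valid_x509 uses it, the parameter is now dead and will warn under -Wunused-parameter. The body of valid_x509 continues outside the hunk, so both points should be confirmed against the rest of the function.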