[openssl-commits] [openssl] OpenSSL_1_1_1-stable update

[Matt Caswell]

The branch OpenSSL_1_1_1-stable has been updated
       via  9c931841e522943fc226a06947b9959be0d53551 (commit)
      from  37857e9b5258da148e5d3699b6acdf8787417eb2 (commit)


- Log -----------------------------------------------------------------
commit 9c931841e522943fc226a06947b9959be0d53551
Author: Matt Caswell <matt at openssl.org>
Date:   Thu Jan 24 12:21:39 2019 +0000

    Fix -verify_return_error in s_client
    
    The "verify_return_error" option in s_client is documented as:
    
     Return verification errors instead of continuing. This will typically
     abort the handshake with a fatal error.
    
    In practice this option was ignored unless also accompanied with the
    "-verify" option. It's unclear what the original intention was. One fix
    could have been to change the documentation to match the actual behaviour.
    However it seems unecessarily complex and unexpected that you should need
    to have both options. Instead the fix implemented here is make the option
    match the documentation so that "-verify" is not also required.
    
    Note that s_server has a similar option where "-verify" (or "-Verify") is
    still required. This makes more sense because those options additionally
    request a certificate from the client. Without a certificate there is no
    possibility of a verification failing, and so "-verify_return_error" doing
    nothing seems ok.
    
    Fixes #8079
    
    Reviewed-by: Nicola Tuveri <nic.tuv at gmail.com>
    (Merged from https://github.com/openssl/openssl/pull/8080)
    
    (cherry picked from commit 78021171dbcb05ddab1b5daffbfc62504ea709a4)

-----------------------------------------------------------------------

Summary of changes:
 apps/s_cb.c     | 4 ++--
 apps/s_client.c | 1 +
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/apps/s_cb.c b/apps/s_cb.c
index 2d4568f..2208f3d 100644
--- a/apps/s_cb.c
+++ b/apps/s_cb.c
@@ -24,7 +24,7 @@
 
 #define COOKIE_SECRET_LENGTH    16
 
-VERIFY_CB_ARGS verify_args = { 0, 0, X509_V_OK, 0 };
+VERIFY_CB_ARGS verify_args = { -1, 0, X509_V_OK, 0 };
 
 #ifndef OPENSSL_NO_SOCK
 static unsigned char cookie_secret[COOKIE_SECRET_LENGTH];
@@ -63,7 +63,7 @@ int verify_callback(int ok, X509_STORE_CTX *ctx)
     if (!ok) {
         BIO_printf(bio_err, "verify error:num=%d:%s\n", err,
                    X509_verify_cert_error_string(err));
-        if (verify_args.depth >= depth) {
+        if (verify_args.depth < 0 || verify_args.depth >= depth) {
             if (!verify_args.return_error)
                 ok = 1;
             verify_args.error = err;
diff --git a/apps/s_client.c b/apps/s_client.c
index fb2ff47..4eb865a 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -1126,6 +1126,7 @@ int s_client_main(int argc, char **argv)
                 goto opthelp;
             break;
         case OPT_VERIFY_RET_ERROR:
+            verify = SSL_VERIFY_PEER;
             verify_args.return_error = 1;
             break;
         case OPT_VERIFY_QUIET: