Revert "Fix missing ok=0 with cert verification."
This reverts commit b0576889fa4c86a8e9cb7e978e7160904fa2c5b4.
This broke x509_test.
Change-Id: Idbb60df9ca0a8ce727931f8e35e99bbd0f08c3c1
Reviewed-on: https://boringssl-review.googlesource.com/7221
Reviewed-by: David Benjamin <davidben@google.com>
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 3a0fd6c..602c8fb 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -268,7 +268,6 @@
if (xtmp != NULL) {
if (!sk_X509_push(ctx->chain, xtmp)) {
OPENSSL_PUT_ERROR(X509, ERR_R_MALLOC_FAILURE);
- ok = 0;
goto end;
}
X509_up_ref(xtmp);
@@ -364,13 +363,11 @@
}
/* we now have our chain, lets check it... */
- int trust = check_trust(ctx);
+ i = check_trust(ctx);
/* If explicitly rejected error */
- if (trust == X509_TRUST_REJECTED) {
- ok = 0;
+ if (i == X509_TRUST_REJECTED)
goto end;
- }
/*
* If it's not explicitly trusted then check if there is an alternative
* chain that could be used. We only do this if we haven't already
@@ -466,10 +463,10 @@
if (!ok)
goto end;
- int err = X509_chain_check_suiteb(&ctx->error_depth, NULL, ctx->chain,
- ctx->param->flags);
- if (err != X509_V_OK) {
- ctx->error = err;
+ i = X509_chain_check_suiteb(&ctx->error_depth, NULL, ctx->chain,
+ ctx->param->flags);
+ if (i != X509_V_OK) {
+ ctx->error = i;
ctx->current_cert = sk_X509_value(ctx->chain, ctx->error_depth);
ok = cb(0, ctx);
if (!ok)
