From: Dr. David von Oheimb
Date: Sat, 9 Jul 2022 09:09:08 +0000 (+0200)
Subject: x509_vfy.c: Revert the core of #14094 regarding chain_build() error reporting
X-Git-Tag: openssl-3.2.0-alpha1~2405
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1f00dc4f8c0ef0101368de2adf22495e5e295114;p=thirdparty%2Fopenssl.git

x509_vfy.c: Revert the core of #14094 regarding chain_build() error reporting

The problem of producing to-the-point diagnostics will be fixed in a follow-up PR.

Fixes #18691

Reviewed-by: Viktor Dukhovni
Reviewed-by: Tomas Mraz
Reviewed-by: Paul Dale
Reviewed-by: David von Oheimb
(Merged from https://github.com/openssl/openssl/pull/18758)
---

diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index df7cb7d5ea8..6a8a834b7d5 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -359,8 +359,6 @@ static int check_issued(ossl_unused X509_STORE_CTX *ctx, X509 *x, X509 *issuer)
 * SUBJECT_ISSUER_MISMATCH just means 'x' is clearly not issued by 'issuer'.
 * Every other error code likely indicates a real error.
 */
- if (err != X509_V_ERR_SUBJECT_ISSUER_MISMATCH)
- ctx->error = err;
 return 0;
 }
 
@@ -3014,7 +3012,6 @@ static int build_chain(X509_STORE_CTX *ctx)
 int alt_untrusted = 0;
 int max_depth;
 int ok = 0;
- int prev_error = ctx->error;
 int i;
 
 /* Our chain starts with a single untrusted element. */
@@ -3296,8 +3293,6 @@ static int build_chain(X509_STORE_CTX *ctx)
 switch (trust) {
 case X509_TRUST_TRUSTED:
- /* Must restore any previous error value for backward compatibility */
- ctx->error = prev_error;
 return 1;
 case X509_TRUST_REJECTED:
 /* Callback already issued */
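Review bot: The comment kept as context at the top of the first hunk (`* SUBJECT_ISSUER_MISMATCH just means 'x' is clearly not issued by 'issuer'. * Every other error code likely indicates a real error.`) now describes a distinction the code no longer acts on: with the two removed lines gone, check_issued() returns 0 for every non-zero `err` without recording it in `ctx->error`, so the specific reason X509_check_issued() rejected the candidate issuer is dropped here and the caller presumably only learns that no acceptable issuer was found. Please update the comment so it does not promise the reader that "real" errors are surfaced, e.g. `/* Every other error code likely indicates a real error, but it is currently not propagated to ctx->error (see #18691); the caller only learns that 'issuer' was not accepted for 'x'. */`. check_issued() begins before this hunk, so where `err` is computed is not visible here. The second hunk and the visible part of the third are consistent with this revert (prev_error and its restore are both gone); the third hunk's last line lies outside this chunk.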