From: Vladimir Kotal Date: Thu, 7 Mar 2024 16:00:07 +0000 (+0100) Subject: apps/req,crl: exit with 1 on verification failure X-Git-Tag: openssl-3.4.0-alpha1~796 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6af739b79ba50bd42ac8934747ab5c8b996f16b6;p=thirdparty%2Fopenssl.git apps/req,crl: exit with 1 on verification failure Fixes #23771 Reviewed-by: Richard Levitte Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/23773) --- diff --git a/CHANGES.md b/CHANGES.md index ddb2ba56a28..559a69f5187 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -28,6 +28,11 @@ OpenSSL 3.3 ### Changes between 3.2 and 3.3 [xx XXX xxxx] + * The `-verify` option to the `openssl crl` and `openssl req` will make + the program exit with 1 on failure. + + *Vladimír Kotal* + * The BIO_get_new_index() function can only be called 127 times before it reaches its upper bound of BIO_TYPE_MASK. It will now correctly return an error of -1 once it is exhausted. Users may need to reserve using this diff --git a/apps/crl.c b/apps/crl.c index 09aec81cf7e..53ece01594b 100644 --- a/apps/crl.c +++ b/apps/crl.c @@ -248,9 +248,10 @@ int crl_main(int argc, char **argv) EVP_PKEY_free(pkey); if (i < 0) goto end; - if (i == 0) + if (i == 0) { BIO_printf(bio_err, "verify failure\n"); - else + goto end; + } else BIO_printf(bio_err, "verify OK\n"); } diff --git a/apps/req.c b/apps/req.c index 00ef231e115..9b85600e104 100644 --- a/apps/req.c +++ b/apps/req.c @@ -918,9 +918,10 @@ int req_main(int argc, char **argv) if (i < 0) goto end; - if (i == 0) + if (i == 0) { BIO_printf(bio_err, "Certificate request self-signature verify failure\n"); - else /* i > 0 */ + goto end; + } else /* i > 0 */ BIO_printf(bio_out, "Certificate request self-signature verify OK\n"); } diff --git a/doc/man1/openssl-crl.pod.in b/doc/man1/openssl-crl.pod.in index 7e15f6445a6..f477cfd2362 100644 --- a/doc/man1/openssl-crl.pod.in +++ b/doc/man1/openssl-crl.pod.in 
@@ -93,7 +93,9 @@ Print out the CRL in text form. =item B<-verify> -Verify the signature in the CRL. +Verify the signature in the CRL. If the verification fails, +the program will immediately exit, i.e. further option processing +(e.g. B<-gendelta>) is skipped. =item B<-noout> diff --git a/doc/man1/openssl-req.pod.in b/doc/man1/openssl-req.pod.in index c2232006e52..d2de373e2ca 100644 --- a/doc/man1/openssl-req.pod.in +++ b/doc/man1/openssl-req.pod.in @@ -148,7 +148,9 @@ Prints out the value of the modulus of the public key contained in the request. =item B<-verify> -Verifies the self-signature on the request. +Verifies the self-signature on the request. If the verification fails, +the program will immediately exit, i.e. further option processing +(e.g. B<-text>) is skipped. =item B<-new>
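Review bot: the CHANGES.md entry reads awkwardly ("The `-verify` option to the `openssl crl` and `openssl req` will make") and does not say which failure triggers the status; since this changes a script-visible exit code, suggest wording such as "The `-verify` option of the `openssl crl` and `openssl req` commands now makes the program exit with status 1 when signature verification fails."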
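Review bot: in the apps/crl.c hunk, the new `goto end` only produces exit status 1 if `ret` still holds its initial non-zero value at this point; the hunk does not show where `ret` is initialised or whether anything earlier in crl_main sets it to 0, so please confirm that. Also, once the `i == 0` branch is braced, the `else` branch should be braced too per the OpenSSL coding style, i.e. `} else {` / `BIO_printf(bio_err, "verify OK\n");` / `}`.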
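Review bot: the apps/req.c hunk has the same two points as crl.c: the `goto end` relies on `ret` not having been set to 0 before this line (not visible in the hunk, please confirm), and the `} else /* i > 0 */` branch should get braces to match the newly braced `if (i == 0) {` branch.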
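Review bot: the openssl-crl.pod.in text says the program "will immediately exit" but not with what status, which is the actual contract this commit introduces; suggest "the program exits with a non-zero status" and, since options have already been parsed by then, "further processing (e.g. B<-gendelta>) is skipped" rather than "further option processing".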
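Review bot: same as for the CRL page, the openssl-req.pod.in hunk should state the non-zero exit status explicitly and say "further processing (e.g. B<-text>) is skipped" instead of "further option processing", so that callers checking `$?` can rely on the documented behaviour.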