chain_build(): Call verify_cb_cert() if a preliminary error has become final
authorDr. David von Oheimb <David.von.Oheimb@siemens.com>
Thu, 11 Feb 2021 20:07:14 +0000 (21:07 +0100)
committerDr. David von Oheimb <dev@ddvo.net>
Thu, 18 Feb 2021 10:22:36 +0000 (11:22 +0100)
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14157)

crypto/x509/x509_vfy.c

index d5c09d28f44ebfaefdb87acf41e2a62586ad7df9..83dddeeb3d1db0665c4959f1b58936d4957779ed 100644 (file)
@@ -352,7 +352,7 @@ static int check_issued(ossl_unused X509_STORE_CTX *ctx, X509 *x, X509 *issuer)
      */
     if (err != X509_V_ERR_SUBJECT_ISSUER_MISMATCH)
         ctx->error = err;
-    return 0; /* Better call verify_cb_cert(ctx, x, ctx->error_depth, err) ? */
+    return 0;
 }
 
 /*
@@ -3282,10 +3282,17 @@ static int build_chain(X509_STORE_CTX *ctx)
         return 0;
     case X509_TRUST_UNTRUSTED:
     default:
-        if (ctx->error != X509_V_OK)
-            /* Callback already issued in most such cases */
-            return 0;
-        num = sk_X509_num(ctx->chain);
+        switch(ctx->error) {
+        case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
+        case X509_V_ERR_CERT_NOT_YET_VALID:
+        case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
+        case X509_V_ERR_CERT_HAS_EXPIRED:
+            return 0; /* Callback already issued by x509_check_cert_time() */
+        default: /* A preliminary error has become final */
+            return verify_cb_cert(ctx, NULL, num - 1, ctx->error);
+        case X509_V_OK:
+            break;
+        }
         CB_FAIL_IF(num > depth,
                    ctx, NULL, num - 1, X509_V_ERR_CERT_CHAIN_TOO_LONG);
         CB_FAIL_IF(DANETLS_ENABLED(dane)
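Review bot: The hunk drops the only visible refresh of `num` (`num = sk_X509_num(ctx->chain);`) while the new `default:` branch and the surviving `CB_FAIL_IF(num > depth, ...)` still use `num - 1` as the depth reported to the callback and `num` as the chain length, so the error depth handed to the application now depends on `num` having been left current by the chain-building loop above; build_chain starts and ends outside the hunk, so that cannot be confirmed here and deserves either a comment at the inner `switch` or re-reading `sk_X509_num(ctx->chain)` before it. On style, `switch(ctx->error) {` is missing the space OpenSSL uses elsewhere, `switch (ctx->error) {`, and placing `default:` between the named error cases and `case X509_V_OK:` reads as if the OK case were an afterthought; ordering it `case X509_V_OK: break;` first, then the time-related cases, then `default:` last keeps the "preliminary error has become final" comment next to the fall-through the reader expects. The same comment-only cleanup in the earlier check_issued hunk needs no change.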