Make verify return errors.
authorBen Laurie <ben@openssl.org>
Thu, 13 Dec 2012 15:48:42 +0000 (15:48 +0000)
committerBen Laurie <ben@openssl.org>
Thu, 13 Dec 2012 15:48:42 +0000 (15:48 +0000)
CHANGES
Makefile.org
apps/verify.c
test/Makefile

diff --git a/CHANGES b/CHANGES
index 0daec2b..ef8b2bf 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,9 @@
 
  Changes between 1.0.1c and 1.0.1d [xx XXX xxxx]
 
+  *) Make openssl verify return errors.
+     [Chris Palmer <palmer@google.com> and Ben Laurie]
+
   *) Call OCSP Stapling callback after ciphersuite has been chosen, so
      the right response is stapled. Also change SSL_get_certificate()
      so it returns the certificate actually sent.
index 55273ea..43d16cb 100644 (file)
@@ -444,7 +444,7 @@ rehash.time: certs apps
                [ -x "apps/openssl.exe" ] && OPENSSL="apps/openssl.exe" || :; \
                OPENSSL_DEBUG_MEMORY=on; \
                export OPENSSL OPENSSL_DEBUG_MEMORY; \
-               $(PERL) tools/c_rehash certs) && \
+               $(PERL) tools/c_rehash certs/demo) && \
                touch rehash.time; \
        else :; fi
 
index 0f34b86..893670f 100644 (file)
@@ -222,11 +222,19 @@ int MAIN(int argc, char **argv)
                        goto end;
                }
 
-       if (argc < 1) check(cert_ctx, NULL, untrusted, trusted, crls, e);
+       ret = 0;
+       if (argc < 1)
+               { 
+               if (1 != check(cert_ctx, NULL, untrusted, trusted, crls, e))
+                       ret = -1;
+               }
        else
+               {
                for (i=0; i<argc; i++)
-                       check(cert_ctx,argv[i], untrusted, trusted, crls, e);
-       ret=0;
+                       if (1 != check(cert_ctx,argv[i], untrusted, trusted, crls, e))
+                               ret = -1;
+               }
+
 end:
        if (ret == 1) {
                BIO_printf(bio_err,"usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check]");
@@ -252,7 +260,7 @@ end:
        sk_X509_pop_free(trusted, X509_free);
        sk_X509_CRL_pop_free(crls, X509_CRL_free);
        apps_shutdown();
-       OPENSSL_EXIT(ret);
+       OPENSSL_EXIT(ret < 0 ? 2 : ret);
        }
 
 static int check(X509_STORE *ctx, char *file,
index 09e6848..4c9eabc 100644 (file)
@@ -246,7 +246,7 @@ test_ecdh:
 test_verify:
        @echo "The following command should have some OK's and some failures"
        @echo "There are definitly a few expired certificates"
-       ../util/shlib_wrap.sh ../apps/openssl verify -CApath ../certs ../certs/*.pem
+       ../util/shlib_wrap.sh ../apps/openssl verify -CApath ../certs/demo ../certs/demo/*.pem
 
 test_dh:
        @echo "Generate a set of DH parameters"