I was using the 'openssl verify' command on a corrupted pem file.
Although I got the correct response from the console saying it could not
load the certificate, the process terminated with exit code 0, i.e.
regardless of whether the 'openssl verify' command succeeds or not, it
always exits 0.
Debugging further into the source code of 'verify.c', I found the
following code:
int MAIN(int argc, char **argv)
{
    ENGINE *e = NULL;
    int i, ret = 1, badarg = 0;
    .....
    .....
    if (argc < 1)
        check(cert_ctx, NULL, untrusted, trusted, crls, e);
    else
        for (i = 0; i < argc; i++)
            check(cert_ctx, argv[i], untrusted, trusted, crls, e);
    ret = 0;
end:
    if (ret == 1) {
        ....
    }
    .....
}

static int check(X509_STORE *ctx, char *file,
                 STACK_OF(X509) *uchain, STACK_OF(X509) *tchain,
                 STACK_OF(X509_CRL) *crls, ENGINE *e)
{
    X509 *x = NULL;
    int i = 0, ret = 0;
    .....
    ....
    ret = 0;
end:
    if (i > 0) {
        fprintf(stdout, "OK\n");
        ret = 1;
    }
    .....
}
The 'MAIN' function does not check the return value of check(),
therefore it always returns 0.
Is this a bug?
People can use the 'openssl' command in a script and rely on the correct
return value to proceed. This problem can lead to incorrect script
execution.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org
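A script that cannot trust the exit status of 'openssl verify' has to decide from what the command prints instead. The wrapper below is an added example, not code from the post above or from the OpenSSL project: verify_status() accepts the combined stdout/stderr of an 'openssl verify' run and treats the result as a success only if it contains the exact line "<file>: OK" and no error line; verify_cert() is a hypothetical helper that runs the command and feeds its output to that check. The sample outputs are constructed approximations of what the tool prints (a load failure, a chain error where some versions still print a trailing bare "OK", and a clean result); the exact wording varies between OpenSSL versions.

```shell
#!/bin/sh
# Added example (not from the openssl-dev post or OpenSSL itself).
# Older 'openssl verify' exits 0 even when it could not load or verify the
# certificate, so $? alone is useless in a script. Decide from the output.

# verify_status OUTPUT FILE
#   returns 0 only if OUTPUT contains the exact line "FILE: OK" and no line
#   that looks like an error; returns 1 otherwise.
verify_status() {
    vs_out=$1
    vs_file=$2
    # Success line must be present, matched as a fixed string and whole line,
    # so a bare "OK" printed after an error line does not count.
    printf '%s\n' "$vs_out" | grep -qxF "$vs_file: OK" || return 1
    # Any error/load-failure line turns the result into a failure even if an
    # "OK" line was also printed.
    printf '%s\n' "$vs_out" | grep -qiE '(^|[^a-z])error|unable to load' && return 1
    return 0
}

# verify_cert CAFILE CERTFILE  (hypothetical helper; assumes 'openssl' in PATH)
#   Runs 'openssl verify', merging stderr so load failures are visible, then
#   applies verify_status. Use its return value instead of openssl's.
verify_cert() {
    vc_out=$(openssl verify -CAfile "$1" "$2" 2>&1)
    verify_status "$vc_out" "$2"
}

# Constructed sample outputs (not real tool runs) for the three cases:
SAMPLE_OK='cert.pem: OK'
SAMPLE_LOAD_FAIL='unable to load certificate file
error:0906D06C:PEM routines:PEM_read_bio:no start line'
SAMPLE_CHAIN_FAIL='cert.pem: /C=XX/CN=example
error 18 at 0 depth lookup:self signed certificate
OK'

# Usage:
#   verify_cert ca.pem cert.pem && echo "trusted" || echo "NOT trusted"
```

Because verify_status() only reads text, the decision logic can be tested without a certificate or a particular OpenSSL version; verify_cert() is the only part that needs the tool installed.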