From 6af739b79ba50bd42ac8934747ab5c8b996f16b6 Mon Sep 17 00:00:00 2001
From: Vladimir Kotal
Date: Thu, 7 Mar 2024 17:00:07 +0100
Subject: [PATCH] apps/req,crl: exit with 1 on verification failure

Fixes #23771

Reviewed-by: Richard Levitte
Reviewed-by: Dmitry Belyavskiy
(Merged from https://github.com/openssl/openssl/pull/23773)
---
 CHANGES.md | 5 +++++
 apps/crl.c | 5 +++--
 apps/req.c | 5 +++--
 doc/man1/openssl-crl.pod.in | 4 +++-
 doc/man1/openssl-req.pod.in | 4 +++-
 5 files changed, 17 insertions(+), 6 deletions(-)

diff --git a/CHANGES.md b/CHANGES.md
index ddb2ba56a2..559a69f518 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -28,6 +28,11 @@ OpenSSL 3.3
 
 ### Changes between 3.2 and 3.3 [xx XXX xxxx]
 
+ * The `-verify` option to the `openssl crl` and `openssl req` will make
+ the program exit with 1 on failure.
+
+ *VladimĂ­r Kotal*
+
 * The BIO_get_new_index() function can only be called 127 times before it
 reaches its upper bound of BIO_TYPE_MASK. It will now correctly return an
 error of -1 once it is exhausted. Users may need to reserve using this
diff --git a/apps/crl.c b/apps/crl.c
index 09aec81cf7..53ece01594 100644
--- a/apps/crl.c
+++ b/apps/crl.c
@@ -248,9 +248,10 @@ int crl_main(int argc, char **argv)
 EVP_PKEY_free(pkey);
 if (i < 0)
 goto end;
- if (i == 0)
+ if (i == 0) {
 BIO_printf(bio_err, "verify failure\n");
- else
+ goto end;
+ } else
 BIO_printf(bio_err, "verify OK\n");
 }
 
diff --git a/apps/req.c b/apps/req.c
index 00ef231e11..9b85600e10 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -918,9 +918,10 @@ int req_main(int argc, char **argv)
 
 if (i < 0)
 goto end;
- if (i == 0)
+ if (i == 0) {
 BIO_printf(bio_err, "Certificate request self-signature verify failure\n");
- else /* i > 0 */
+ goto end;
+ } else /* i > 0 */
 BIO_printf(bio_out, "Certificate request self-signature verify OK\n");
 }
 
diff --git a/doc/man1/openssl-crl.pod.in b/doc/man1/openssl-crl.pod.in
index 7e15f6445a..f477cfd236 100644
--- a/doc/man1/openssl-crl.pod.in
+++ b/doc/man1/openssl-crl.pod.in
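Review bot: The new `goto end` on verification failure in the apps/crl.c hunk produces the documented exit status 1 only because `ret` is presumably still at its initial value at that point (assuming the usual `int ret = 1;` at the top of crl_main, which is outside the hunk); nothing in the hunk sets it, so the contract silently depends on no earlier statement having assigned `ret = 0`. Setting it explicitly before the jump, `ret = 1; /* verify failure is a hard error, see openssl-crl(1) */`, would keep the intent local and robust against later refactoring; the same applies to the apps/req.c hunk. As a matter of style, the `} else` that now follows an unconditional `goto` is dead syntax and leaves the else body unbraced — closing the block with `}` and following it with a plain `BIO_printf(bio_err, "verify OK\n");` reads cleaner. Both crl_main and req_main begin and end outside these hunks.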
@@ -93,7 +93,9 @@ Print out the CRL in text form.
 
 =item B<-verify>
 
-Verify the signature in the CRL.
+Verify the signature in the CRL. If the verification fails,
+the program will immediately exit, i.e. further option processing
+(e.g. B<-gendelta>) is skipped.
 
 =item B<-noout>
 
diff --git a/doc/man1/openssl-req.pod.in b/doc/man1/openssl-req.pod.in
index c2232006e5..d2de373e2c 100644
--- a/doc/man1/openssl-req.pod.in
+++ b/doc/man1/openssl-req.pod.in
@@ -148,7 +148,9 @@ Prints out the value of the modulus of the public key contained in the request.
 
 =item B<-verify>
 
-Verifies the self-signature on the request.
+Verifies the self-signature on the request. If the verification fails,
+the program will immediately exit, i.e. further option processing
+(e.g. B<-text>) is skipped.
 
 =item B<-new>