generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Add comment explaining why we don't check a return value

Browse Source 
A call to X509_verify_cert() is used to build a chain of certs for the
server to send back to the client. It isn't *actually* used for verifying
the cert at all - just building the chain. Therefore the return value is
ignored.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
This commit is contained in:
Matt Caswell 2015-11-11 10:17:22 +00:00
parent d73ca3efa7
commit ae4d0c8d22
1 changed files with 6 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
ssl/ssl_cert.c
View File

@ -914,6 +914,12 @@ int ssl_add_cert_chain(SSL *s, CERT_PKEY *cpk, unsigned long *l)
SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, ERR_R_X509_LIB); SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, ERR_R_X509_LIB);
return (0); return (0);
} }
/*
* It is valid for the chain not to be complete (because normally we
* don't include the root cert in the chain). Therefore we deliberately
* ignore the error return from this call. We're not actually verifying
* the cert - we're just building as much of the chain as we can
*/
X509_verify_cert(&xs_ctx); X509_verify_cert(&xs_ctx);
/* Don't leave errors in the queue */ /* Don't leave errors in the queue */
ERR_clear_error(); ERR_clear_error();