[openssl-commits] [openssl] master update
Matt Caswell
matt at openssl.org
Tue Nov 17 11:22:52 UTC 2015
The branch master has been updated
via ae4d0c8d227d0cf4f9f3f7a5d07189c0a18b25fc (commit)
from d73ca3efa74bbb620a1e74deb5eec6f3d10203d5 (commit)
- Log -----------------------------------------------------------------
commit ae4d0c8d227d0cf4f9f3f7a5d07189c0a18b25fc
Author: Matt Caswell <matt at openssl.org>
Date: Wed Nov 11 10:17:22 2015 +0000
Add comment explaining why we don't check a return value
A call to X509_verify_cert() is used to build a chain of certs for the
server to send back to the client. It isn't *actually* used for verifying
the cert at all - just building the chain. Therefore the return value is
ignored.
Reviewed-by: Kurt Roeckx <kurt at openssl.org>
-----------------------------------------------------------------------
Summary of changes:
ssl/ssl_cert.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 9a373b1..6f9fcdb 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -914,6 +914,12 @@ int ssl_add_cert_chain(SSL *s, CERT_PKEY *cpk, unsigned long *l)
SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, ERR_R_X509_LIB);
return (0);
}
+ /*
+ * It is valid for the chain not to be complete (because normally we
+ * don't include the root cert in the chain). Therefore we deliberately
+ * ignore the error return from this call. We're not actually verifying
+ * the cert - we're just building as much of the chain as we can
+ */
X509_verify_cert(&xs_ctx);
/* Don't leave errors in the queue */
ERR_clear_error();
More information about the openssl-commits
mailing list