diff options
| author | Matt Caswell <matt@openssl.org> | 2015-11-11 10:17:22 +0000 |
|---|---|---|
| committer | Matt Caswell <matt@openssl.org> | 2015-11-17 11:21:17 +0000 |
| commit | ae4d0c8d227d0cf4f9f3f7a5d07189c0a18b25fc (patch) | |
| tree | 68954bdc43c6de9f4ac5df05ea1f5faecd9a79d1 | |
| parent | d73ca3efa74bbb620a1e74deb5eec6f3d10203d5 (diff) | |
| download | openssl-ae4d0c8d227d0cf4f9f3f7a5d07189c0a18b25fc.zip openssl-ae4d0c8d227d0cf4f9f3f7a5d07189c0a18b25fc.tar.gz openssl-ae4d0c8d227d0cf4f9f3f7a5d07189c0a18b25fc.tar.bz2 | |
Add comment explaining why we don't check a return value
A call to X509_verify_cert() is used to build a chain of certs for the
server to send back to the client. It isn't *actually* used for verifying
the cert at all - just building the chain. Therefore the return value is
ignored.
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
| -rw-r--r-- | ssl/ssl_cert.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c index 9a373b1..6f9fcdb 100644 --- a/ssl/ssl_cert.c +++ b/ssl/ssl_cert.c @@ -914,6 +914,12 @@ int ssl_add_cert_chain(SSL *s, CERT_PKEY *cpk, unsigned long *l) SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, ERR_R_X509_LIB); return (0); } + /* + * It is valid for the chain not to be complete (because normally we + * don't include the root cert in the chain). Therefore we deliberately + * ignore the error return from this call. We're not actually verifying + * the cert - we're just building as much of the chain as we can + */ X509_verify_cert(&xs_ctx); /* Don't leave errors in the queue */ ERR_clear_error(); |