Do not display a CT log error message if CT validation is disabled

Reviewed-by: N Emilia Käsper <emilia@openssl.org> Reviewed-by: N Rich Salz <rsalz@openssl.org>

Do not display a CT log error message if CT validation is disabled
Reviewed-by: N Emilia Käsper <emilia@openssl.org> Reviewed-by: N Rich Salz <rsalz@openssl.org>
328f36c5 · Rob Percival · Rich Salz · 60b350a3 · 328f36c5 · 328f36c5
Showing with 14 addition and 15 deletion

apps/apps.c apps/apps.c +1 -5

apps/s_client.c apps/s_client.c +12 -2

doc/ssl/SSL_CTX_set_ctlog_list_file.pod doc/ssl/SSL_CTX_set_ctlog_list_file.pod +0 -3

ssl/ssl_lib.c ssl/ssl_lib.c +1 -5

未找到文件。
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -238,11 +238,7 @@ int ctx_set_verify_locations(SSL_CTX *ctx, const char *CAfile,
 int ctx_set_ctlog_list_file(SSL_CTX *ctx, const char *path)
 {
    if (path == NULL) {
-        if (SSL_CTX_set_default_ctlog_list_file(ctx) <= 0) {
-            BIO_puts(bio_err, "Failed to load default Certificate Transparency "
-                     "log list\n");
-        }
-        return 1; /* Do not treat failure to load the default as an error */
+        return SSL_CTX_set_default_ctlog_list_file(ctx);
    }

    return SSL_CTX_set_ctlog_list_file(ctx, path);

--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -1670,8 +1670,18 @@ int s_client_main(int argc, char **argv)
    }

    if (!ctx_set_ctlog_list_file(ctx, ctlog_file)) {
-        ERR_print_errors(bio_err);
-        goto end;
+        if (ct_validation != NULL) {
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+
+        /*
+         * If CT validation is not enabled, the log list isn't needed so don't
+         * show errors or abort. We try to load it regardless because then we
+         * can show the names of the logs any SCTs came from (SCTs may be seen
+         * even with validation disabled).
+         */
+        ERR_clear_error();
    }
 #endif


--- a/doc/ssl/SSL_CTX_set_ctlog_list_file.pod
+++ b/doc/ssl/SSL_CTX_set_ctlog_list_file.pod
@@ -37,9 +37,6 @@ The expected format of the log list file is:
 These functions will not clear the existing CT log list - it will be appended
 to.

-SSL_CTX_set_default_ctlog_list_file() will not report errors if it fails for
-any reason. Use SSL_CTX_set_ctlog_list_file() if you want errors to be reported.
-
 If an error occurs whilst parsing a particular log entry in the file, that log
 entry will be skipped.


--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -4143,11 +4143,7 @@ end:

 int SSL_CTX_set_default_ctlog_list_file(SSL_CTX *ctx)
 {
-    int ret = CTLOG_STORE_load_default_file(ctx->ctlog_store);
-
-    /* Clear any errors if the default file does not exist */
-    ERR_clear_error();
-    return ret;
+    return CTLOG_STORE_load_default_file(ctx->ctlog_store);
 }

 int SSL_CTX_set_ctlog_list_file(SSL_CTX *ctx, const char *path)