Add comment explaining why we don't check a return value

A call to X509_verify_cert() is used to build a chain of certs for the server to send back to the client. It isn't *actually* used for verifying the cert at all - just building the chain. Therefore the return value is ignored. Reviewed-by: N Kurt Roeckx <kurt@openssl.org>

Add comment explaining why we don't check a return value
A call to X509_verify_cert() is used to build a chain of certs for the server to send back to the client. It isn't *actually* used for verifying the cert at all - just building the chain. Therefore the return value is ignored. Reviewed-by: N Kurt Roeckx <kurt@openssl.org>
ae4d0c8d · Matt Caswell · d73ca3ef · ae4d0c8d
隐藏空白更改
内联并排

Showing with 6 addition and 0 deletion

ssl/ssl_cert.c ssl/ssl_cert.c +6 -0

未找到文件。
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -914,6 +914,12 @@ int ssl_add_cert_chain(SSL *s, CERT_PKEY *cpk, unsigned long *l)
            SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, ERR_R_X509_LIB);
            return (0);
        }
+        /*
+         * It is valid for the chain not to be complete (because normally we
+         * don't include the root cert in the chain). Therefore we deliberately
+         * ignore the error return from this call. We're not actually verifying
+         * the cert - we're just building as much of the chain as we can
+         */
        X509_verify_cert(&xs_ctx);
        /* Don't leave errors in the queue */
        ERR_clear_error();