Commit ae4d0c8d authored by Matt Caswell

Add comment explaining why we don't check a return value



A call to X509_verify_cert() is used to build a chain of certs for the
server to send back to the client. It isn't *actually* used for verifying
the cert at all - just building the chain. Therefore the return value is
ignored.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
parent d73ca3ef
+6 −0
@@ -914,6 +914,12 @@ int ssl_add_cert_chain(SSL *s, CERT_PKEY *cpk, unsigned long *l)
            SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, ERR_R_X509_LIB);
            return (0);
        }
        /*
         * It is valid for the chain not to be complete (because normally we
         * don't include the root cert in the chain). Therefore we deliberately
         * ignore the error return from this call. We're not actually verifying
         * the cert - we're just building as much of the chain as we can
         */
        X509_verify_cert(&xs_ctx);
        /* Don't leave errors in the queue */
        ERR_clear_error();
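Review bot: The ignored return on `X509_verify_cert(&xs_ctx);` is documented only by the comment. Writing it as `(void)X509_verify_cert(&xs_ctx);` would make the intent visible to compilers and static analysers as well, so the call is not flagged again later. Separately, the `ERR_clear_error();` that follows empties the whole error queue for the thread, not just the entries this call added. If a caller of ssl_add_cert_chain() could have earlier errors queued that it still wants to read, bracketing the call with `ERR_set_mark()` and `ERR_pop_to_mark()` would discard only the chain-building errors. Minor: the last sentence of the new comment is missing its full stop.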