From 64c222331078311e71d480ecc8c4446146bd38bd Mon Sep 17 00:00:00 2001
From: Adam Langley
Date: Fri, 20 Jun 2014 12:00:00 -0700
Subject: [PATCH] Update chain building function.

Don't clear verification errors from the error queue unless SSL_BUILD_CHAIN_FLAG_CLEAR_ERROR is set. If errors occur during verification and SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR is set return 2 so applications can issue warnings.

(Imported from upstream's 2dd6976f6d02f98b30c376951ac38f780a86b3b5)
---
 ssl/ssl.h | 2 ++
 ssl/ssl_cert.c | 7 +++++--
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/ssl/ssl.h b/ssl/ssl.h
index 1592edf8..d0f058b6 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -742,6 +742,8 @@ struct ssl_session_st
 #define SSL_BUILD_CHAIN_FLAG_CHECK 0x4
 /* Ignore verification errors */
 #define SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR 0x8
+/* Clear verification errors from queue */
+#define SSL_BUILD_CHAIN_FLAG_CLEAR_ERROR 0x10
 
 /* Flags returned by SSL_check_chain */
 /* Certificate can be used with this session */
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 6b19efa1..095235ea 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -1393,8 +1393,10 @@ int ssl_build_cert_chain(CERT *c, X509_STORE *chain_store, int flags)
 i = X509_verify_cert(&xs_ctx);
 if (i <= 0 && flags & SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR)
 {
-ERR_clear_error();
+if (flags & SSL_BUILD_CHAIN_FLAG_CLEAR_ERROR)
+ERR_clear_error();
 i = 1;
+rv = 2;
 }
 if (i > 0)
 chain = X509_STORE_CTX_get1_chain(&xs_ctx);
@@ -1429,7 +1431,8 @@ int ssl_build_cert_chain(CERT *c, X509_STORE *chain_store, int flags)
 }
 }
 cpk->chain = chain;
-rv = 1;
+if (rv == 0)
+rv = 1;
 err:
 if (flags & SSL_BUILD_CHAIN_FLAG_CHECK)
 X509_STORE_free(chain_store);
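Review bot: The comment on the new `SSL_BUILD_CHAIN_FLAG_CLEAR_ERROR` define does not say that the flag is only consulted when `SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR` is also set, nor that without it the verification errors stay on the error queue even though the call succeeds with the new return value 2; both facts come straight from the ssl_cert.c hunk and the commit message but are invisible to a reader of the header. A caller who only checks for a non-zero return will otherwise be surprised to find stale entries in the queue. I would extend the comment to `/* Clear verification errors from queue; only meaningful together with SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR, without it the errors remain queued and the build returns 2 */`, and document the 0/1/2 return convention where ssl_build_cert_chain is declared, which is outside this hunk.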
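Review bot: The override `i = 1;` inside the IGNORE_ERROR block rewrites every non-positive result of X509_verify_cert, and the chain taken on the `if (i > 0)` line is not checked for NULL before the hunk ends. If X509_verify_cert signals internal failures (no certificate set, allocation failure) with a negative value rather than a verification failure — I believe it does here, but that code is not in the hunk — those are silently promoted to `rv = 2` and X509_STORE_CTX_get1_chain can then return NULL, which flows on toward the `cpk->chain = chain;` assignment in the later hunk. Consider restricting the override to genuine verification failures, `if (i == 0 && (flags & SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR))`, and treating a NULL chain as a failure, `if (i > 0 && (chain = X509_STORE_CTX_get1_chain(&xs_ctx)) == NULL) i = 0;`, so it is handled by whatever error path follows the hunk. Note also that ERR_clear_error() discards the whole thread error queue, including entries queued before this call, which the new comment in ssl.h should probably state. ssl_build_cert_chain begins and ends outside this hunk.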
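Review bot: `if (rv == 0) rv = 1;` makes the success value depend on `rv` being exactly 0 on every path that reaches this line other than the ignore-error one, and the declaration and initialisation of `rv` are outside the hunk — worth confirming it is `int rv = 0;` and that no other assignment to `rv` exists between the two hunks, otherwise a chain built without errors could be reported as 2. The encoding is subtle enough to deserve a one-line comment above the new test, e.g. `/* rv == 2: chain built but verification errors were ignored; otherwise plain success */`. The `return rv` at the end of ssl_build_cert_chain lies beyond the hunk.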