Update chain building function.

Don't clear verification errors from the error queue unless
SSL_BUILD_CHAIN_FLAG_CLEAR_ERROR is set.

If errors occur during verification and
SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR is set, return 2 so that applications can
issue warnings.

(Imported from upstream's 2dd6976f6d02f98b30c376951ac38f780a86b3b5)
Adam Langley 2014-06-20 12:00:00 -07:00
parent dff7b9e11b
commit 64c2223310
2 changed files with 7 additions and 2 deletions


@ -742,6 +742,8 @@ struct ssl_session_st
#define SSL_BUILD_CHAIN_FLAG_CHECK 0x4 #define SSL_BUILD_CHAIN_FLAG_CHECK 0x4
/* Ignore verification errors */ /* Ignore verification errors */
#define SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR 0x8 #define SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR 0x8
/* Clear verification errors from queue */
#define SSL_BUILD_CHAIN_FLAG_CLEAR_ERROR 0x10
/* Flags returned by SSL_check_chain */ /* Flags returned by SSL_check_chain */
/* Certificate can be used with this session */ /* Certificate can be used with this session */
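Review bot: The comment on the new SSL_BUILD_CHAIN_FLAG_CLEAR_ERROR does not say that the flag only takes effect together with SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR, which is how ssl_build_cert_chain tests it in the other file of this commit (the CLEAR_ERROR check sits inside the IGNORE_ERROR branch). A reader of the header alone would expect it to clear the queue on its own. Suggest `/* Clear verification errors from queue; only honoured together with SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR, otherwise ignored errors stay on the error queue for the caller */`. Since the header now has two related flags, it would also help to state here that ignoring errors makes ssl_build_cert_chain return 2 instead of 1.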


@ -1393,8 +1393,10 @@ int ssl_build_cert_chain(CERT *c, X509_STORE *chain_store, int flags)
i = X509_verify_cert(&xs_ctx); i = X509_verify_cert(&xs_ctx);
if (i <= 0 && flags & SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR) if (i <= 0 && flags & SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR)
{ {
if (flags & SSL_BUILD_CHAIN_FLAG_CLEAR_ERROR)
ERR_clear_error(); ERR_clear_error();
i = 1; i = 1;
rv = 2;
} }
if (i > 0) if (i > 0)
chain = X509_STORE_CTX_get1_chain(&xs_ctx); chain = X509_STORE_CTX_get1_chain(&xs_ctx);
@ -1429,6 +1431,7 @@ int ssl_build_cert_chain(CERT *c, X509_STORE *chain_store, int flags)
} }
} }
cpk->chain = chain; cpk->chain = chain;
if (rv == 0)
rv = 1; rv = 1;
err: err:
if (flags & SSL_BUILD_CHAIN_FLAG_CHECK) if (flags & SSL_BUILD_CHAIN_FLAG_CHECK)
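Review bot: The new return value set by `rv = 2;` in the first hunk is not documented anywhere in the patch, and it changes the meaning of existing success checks: a caller testing `rv == 1` now treats a chain that was built despite verification errors as a failure, while a caller testing `rv > 0` accepts it without knowing that verification failed. Add a comment at the function definition (its header and the initialisation of rv are outside the hunk, presumably `rv = 0` given the `if (rv == 0)` test in the second hunk) stating the contract, e.g. `/* Returns 1 on success, 2 if the chain was built but verification errors were ignored (SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR), 0 on error. Unless SSL_BUILD_CHAIN_FLAG_CLEAR_ERROR is set, the verification errors are left on the error queue for the caller to inspect. */`. That comment also makes explicit the new behaviour that, with IGNORE_ERROR but without CLEAR_ERROR, the function returns a positive value while the thread's error queue is non-empty, which callers that treat a non-empty queue as failure need to know about. ssl_build_cert_chain starts before the first hunk and continues past `err:`.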