Better test cert verification happening only once.

OpenSSL's API has a non-fatal "soft fail" mode (can we get rid of
this?), so we should set the flag even if config->verify_fail is true.

Change-Id: I5a2a3290b9bf45c682f3a629a8b6474b1090fc6e
Reviewed-on: https://boringssl-review.googlesource.com/19684
Commit-Queue: David Benjamin <davidben@google.com>
Commit-Queue: Steven Valdez <svaldez@google.com>
Reviewed-by: Steven Valdez <svaldez@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
David Benjamin 2017-08-29 12:50:01 -04:00 committed by CQ bot account: commit-bot@chromium.org
parent e3bb51cb23
commit 8997b2aa57


@ -115,6 +115,8 @@ struct TestState {
bool custom_verify_ready = false;
std::string msg_callback_text;
bool msg_callback_ok = true;
// cert_verified is true if certificate verification has been driven to
// completion. This tests that the callback is not called again after this.
bool cert_verified = false;
};
@ -716,12 +718,12 @@ static int CertVerifyCallback(X509_STORE_CTX *store_ctx, void *arg) {
return 0;
}
GetTestState(ssl)->cert_verified = true;
if (config->verify_fail) {
store_ctx->error = X509_V_ERR_APPLICATION_VERIFICATION;
return 0;
}
GetTestState(ssl)->cert_verified = true;
return 1;
}
@ -735,11 +737,11 @@ static ssl_verify_result_t CustomVerifyCallback(SSL *ssl, uint8_t *out_alert) {
return ssl_verify_retry;
}
GetTestState(ssl)->cert_verified = true;
if (config->verify_fail) {
return ssl_verify_invalid;
}
GetTestState(ssl)->cert_verified = true;
return ssl_verify_ok;
}
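Review bot: The two places where `cert_verified` is set ahead of the `config->verify_fail` branch, in CertVerifyCallback and in CustomVerifyCallback, have no comment explaining why the flag is raised on the failure path as well; that reasoning is only in the commit message. I would add a line above each assignment such as `// Set even when verify_fail is configured: OpenSSL's API allows a non-fatal verification failure, so a repeated callback must still be detected.` Without it, a later tidy-up could plausibly move the assignment back below the failure return and lose coverage of the soft-fail case without any test noticing. Both function bodies begin outside the hunks, so the code that reads the flag is not visible here and the placement relative to it should be confirmed against the full file.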