From 8997b2aa574208aef44e1d3c06afb4d554153359 Mon Sep 17 00:00:00 2001
From: David Benjamin
Date: Tue, 29 Aug 2017 12:50:01 -0400
Subject: [PATCH] Better test cert verification happening only once.

OpenSSL's API has a non-fatal "soft fail" mode (can we get rid of this?), so we should set the flag even if config->verify_fail is true.

Change-Id: I5a2a3290b9bf45c682f3a629a8b6474b1090fc6e
Reviewed-on: https://boringssl-review.googlesource.com/19684
Commit-Queue: David Benjamin
Commit-Queue: Steven Valdez
Reviewed-by: Steven Valdez
CQ-Verified: CQ bot account: commit-bot@chromium.org
---
 ssl/test/bssl_shim.cc | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/ssl/test/bssl_shim.cc b/ssl/test/bssl_shim.cc
index 71798326..8daa1056 100644
--- a/ssl/test/bssl_shim.cc
+++ b/ssl/test/bssl_shim.cc
@@ -115,6 +115,8 @@ struct TestState {
 bool custom_verify_ready = false;
 std::string msg_callback_text;
 bool msg_callback_ok = true;
+ // cert_verified is true if certificate verification has been driven to
+ // completion. This tests that the callback is not called again after this.
 bool cert_verified = false;
 };
@@ -716,12 +718,12 @@ static int CertVerifyCallback(X509_STORE_CTX *store_ctx, void *arg) {
 return 0;
 }
+ GetTestState(ssl)->cert_verified = true;
 if (config->verify_fail) {
 store_ctx->error = X509_V_ERR_APPLICATION_VERIFICATION;
 return 0;
 }
- GetTestState(ssl)->cert_verified = true;
 return 1;
 }
@@ -735,11 +737,11 @@ static ssl_verify_result_t CustomVerifyCallback(SSL *ssl, uint8_t *out_alert) {
 return ssl_verify_retry;
 }
+ GetTestState(ssl)->cert_verified = true;
 if (config->verify_fail) {
 return ssl_verify_invalid;
 }
- GetTestState(ssl)->cert_verified = true;
 return ssl_verify_ok;
 }
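Review bot: The reason `GetTestState(ssl)->cert_verified = true;` must sit above the `config->verify_fail` branch in CertVerifyCallback is recorded only in the commit message. A later cleanup could move it back beside `return 1;`, and the shim would then presumably stop covering the once-only property on the failure path. A one-line comment at the assignment would keep that intent with the code, for example `// Set even on failure: verification is complete, and a soft-fail caller may continue the handshake.` The same applies to the identical assignment in CustomVerifyCallback. Both function bodies start outside their hunks, so the code that reads the flag is not visible here.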