Don't have the default value of |verify_result| be X509_V_OK.

It seems much safer for the default value of |verify_result| to be an
error value.

Change-Id: I372ec19c41d77516ed12d0169969994f7d23ed70
Reviewed-on: https://boringssl-review.googlesource.com/9063
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Adam Langley 2016-07-18 10:17:16 -07:00 committed by CQ bot account: commit-bot@chromium.org
parent 0d1b0961f9
commit 9498e74a92
4 changed files with 10 additions and 9 deletions


@ -1041,8 +1041,6 @@ static int ssl3_get_server_certificate(SSL *ssl) {
X509_free(ssl->s3->new_session->peer); X509_free(ssl->s3->new_session->peer);
ssl->s3->new_session->peer = X509_up_ref(leaf); ssl->s3->new_session->peer = X509_up_ref(leaf);
ssl->s3->new_session->verify_result = ssl->verify_result;
return 1; return 1;
err: err:
@ -1097,12 +1095,13 @@ static int ssl3_verify_server_cert(SSL *ssl) {
int al = ssl_verify_alarm_type(ssl->verify_result); int al = ssl_verify_alarm_type(ssl->verify_result);
ssl3_send_alert(ssl, SSL3_AL_FATAL, al); ssl3_send_alert(ssl, SSL3_AL_FATAL, al);
OPENSSL_PUT_ERROR(SSL, SSL_R_CERTIFICATE_VERIFY_FAILED); OPENSSL_PUT_ERROR(SSL, SSL_R_CERTIFICATE_VERIFY_FAILED);
} else { return ret;
ret = 1;
ERR_clear_error(); /* but we keep ssl->verify_result */
} }
return ret; /* Otherwise the error is non-fatal, but we keep verify_result. */
ERR_clear_error();
ssl->s3->new_session->verify_result = ssl->verify_result;
return 1;
} }
static int ssl3_get_server_key_exchange(SSL *ssl) { static int ssl3_get_server_key_exchange(SSL *ssl) {
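Review bot: The comment on the final path of ssl3_verify_server_cert, `/* Otherwise the error is non-fatal, but we keep verify_result. */`, reads as if that path is reached only after a failure, but it also appears to be the path taken when verification succeeds. Because the copy into `new_session->verify_result` now lives here, the comment should say that the session records whatever result verification produced, for example `/* Verification passed, or failed in a mode where failure is not fatal. Record the result in the session so a resumed connection reports the same value. */`. The condition guarding the fatal branch is outside the hunk, so which modes reach this path should be confirmed against it.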


@ -433,7 +433,7 @@ SSL *SSL_new(SSL_CTX *ctx) {
ssl->alpn_client_proto_list_len = ssl->ctx->alpn_client_proto_list_len; ssl->alpn_client_proto_list_len = ssl->ctx->alpn_client_proto_list_len;
} }
ssl->verify_result = X509_V_OK; ssl->verify_result = X509_V_ERR_INVALID_CALL;
ssl->method = ctx->method; ssl->method = ctx->method;
if (!ssl->method->ssl_new(ssl)) { if (!ssl->method->ssl_new(ssl)) {
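Review bot: The new default in SSL_new, `ssl->verify_result = X509_V_ERR_INVALID_CALL;`, carries no comment saying why an error value is used, so the rationale exists only in the commit message. A one-line comment such as `/* Fail closed: report an error until a verification has actually run. */` would keep a later cleanup from resetting it to X509_V_OK. The change also alters what a caller reads from this field on a connection where no certificate verification ran, which probably deserves a sentence in the documentation of the accessor; that header is not among the files shown. SSL_new's body continues outside the hunk.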


@ -167,7 +167,7 @@ SSL_SESSION *SSL_SESSION_new(void) {
} }
memset(session, 0, sizeof(SSL_SESSION)); memset(session, 0, sizeof(SSL_SESSION));
session->verify_result = 1; /* avoid 0 (= X509_V_OK) just in case */ session->verify_result = X509_V_ERR_INVALID_CALL;
session->references = 1; session->references = 1;
session->timeout = SSL_DEFAULT_SESSION_TIMEOUT; session->timeout = SSL_DEFAULT_SESSION_TIMEOUT;
session->time = (unsigned long)time(NULL); session->time = (unsigned long)time(NULL);
@ -457,7 +457,7 @@ int ssl_get_new_session(SSL *ssl, int is_server) {
/* The session is marked not resumable until it is completely filled in. */ /* The session is marked not resumable until it is completely filled in. */
session->not_resumable = 1; session->not_resumable = 1;
session->verify_result = X509_V_OK; session->verify_result = X509_V_ERR_INVALID_CALL;
SSL_SESSION_free(ssl->s3->new_session); SSL_SESSION_free(ssl->s3->new_session);
ssl->s3->new_session = session; ssl->s3->new_session = session;
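Review bot: In SSL_SESSION_new the preceding `memset` leaves `verify_result` at 0, which the removed comment identified as X509_V_OK, so the assignment after it is what keeps a fresh session from looking verified, and the new line drops that explanation. I would keep a comment there, e.g. `/* memset left this at 0 (X509_V_OK); fail closed until a real result is stored. */`. The second assignment, in ssl_get_new_session, looks redundant if `session` there is obtained from SSL_SESSION_new, which the hunk does not show; if so it could be removed, or given a comment saying it is deliberate. Both functions continue outside their hunks.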


@ -3400,6 +3400,7 @@ func addStateMachineCoverageTests(config stateMachineTestConfig) {
flags: []string{ flags: []string{
"-verify-peer", "-verify-peer",
}, },
resumeSession: vers.version != VersionTLS13,
}) })
tests = append(tests, testCase{ tests = append(tests, testCase{
testType: clientTest, testType: clientTest,
@ -3424,6 +3425,7 @@ func addStateMachineCoverageTests(config stateMachineTestConfig) {
"-verify-fail", "-verify-fail",
"-expect-verify-result", "-expect-verify-result",
}, },
resumeSession: vers.version != VersionTLS13,
}) })
} }
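Review bot: The added `resumeSession: vers.version != VersionTLS13,` gives no reason for skipping the resumed handshake at TLS 1.3, at either of the two sites in addStateMachineCoverageTests where it is added. If the reason is that the runner cannot yet resume at that version, a comment such as `// TODO: also resume at TLS 1.3 once the runner supports it.` at both sites would stop the exclusion from outliving its cause. As written, the stored verify result is checked across resumption only for the earlier versions. None of the cases visible here asserts the new error default on a connection where verification never runs, so that may be worth a separate test.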