Set verify_result, even on failure.

If code tries to inspect the verify result in the case of a failure then it seems reasonable that the error code should be in there.

Change-Id: Ic32ac9d340c2c10a405a7b6580f22a06427f041d
Reviewed-on: https://boringssl-review.googlesource.com/10641
Commit-Queue: Adam Langley <agl@google.com>
Reviewed-by: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c index f18a62c..e770279 100644 --- a/ssl/ssl_cert.c +++ b/ssl/ssl_cert.c
@@ -335,6 +335,8 @@ verify_ret = X509_verify_cert(&ctx); } + *out_verify_result = ctx.error; + /* If |SSL_VERIFY_NONE|, the error is non-fatal, but we keep the result. */ if (verify_ret <= 0 && ssl->verify_mode != SSL_VERIFY_NONE) { ssl3_send_alert(ssl, SSL3_AL_FATAL, ssl_verify_alarm_type(ctx.error)); @@ -343,7 +345,6 @@ } ERR_clear_error(); - *out_verify_result = ctx.error; ret = 1; err:
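Review bot: In the first hunk (@@ -335,6 +335,8 @@), `*out_verify_result = ctx.error;` now runs before the `verify_ret <= 0` check, so on the fatal path the caller receives whatever `ctx.error` holds, and nothing in these lines guarantees it is something other than `X509_V_OK` when `verify_ret <= 0`. If any verification path can report failure without setting `ctx.error`, a caller that looks only at the verify result would read success after a rejected chain. Suggest stating in the function's comment that the return value stays authoritative and that the out-parameter is now written on failure too, or substituting a generic error when `verify_ret <= 0` and `ctx.error` is still `X509_V_OK`.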
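Review bot: In the second hunk (@@ -343,7 +345,6 @@), dropping the assignment after `ERR_clear_error();` means the out-parameter is written only from the new assignment onward, so any path that reaches `err:` before `X509_verify_cert` has run still returns with `*out_verify_result` untouched. Since the commit message wants the error code available on failure, consider initialising the out-parameter at the top of the function or documenting which failure paths set it. A test that reads the verify result after a failed verification, both with and without `SSL_VERIFY_NONE`, would pin the new behaviour down.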