Push some duplicated code into ssl_verify_cert_chain.
No sense in having it in both the 1.2 and 1.3 code.
Change-Id: Ib3854714afed24253af7f4bcee26d25e95a10211
Reviewed-on: https://boringssl-review.googlesource.com/9071
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index e81e83d..81e6365 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -319,14 +319,26 @@
X509_STORE_CTX_set_verify_cb(&ctx, ssl->verify_callback);
}
+ int verify_ret;
if (ssl->ctx->app_verify_callback != NULL) {
- ret = ssl->ctx->app_verify_callback(&ctx, ssl->ctx->app_verify_arg);
+ verify_ret = ssl->ctx->app_verify_callback(&ctx, ssl->ctx->app_verify_arg);
} else {
- ret = X509_verify_cert(&ctx);
+ verify_ret = X509_verify_cert(&ctx);
}
ssl->verify_result = ctx.error;
+ /* If |SSL_VERIFY_NONE|, the error is non-fatal, but we keep the result. */
+ if (verify_ret <= 0 && ssl->verify_mode != SSL_VERIFY_NONE) {
+ ssl3_send_alert(ssl, SSL3_AL_FATAL,
+ ssl_verify_alarm_type(ssl->verify_result));
+ OPENSSL_PUT_ERROR(SSL, SSL_R_CERTIFICATE_VERIFY_FAILED);
+ goto err;
+ }
+
+ ERR_clear_error();
+ ret = 1;
+
err:
X509_STORE_CTX_cleanup(&ctx);
return ret;
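Review bot: The new failure check `if (verify_ret <= 0 && ssl->verify_mode != SSL_VERIFY_NONE)` decides on `verify_ret`, but the stored `ssl->verify_result` and the alert type both come from `ctx.error`, so the two can disagree. If an `app_verify_callback` returns <= 0 without setting an error on the store context (the hunk does not show whether callbacks are required to), the alert is chosen from `X509_V_OK`. Under `SSL_VERIFY_NONE` the handshake then continues with a kept result that reads as success to any code that inspects it later. Consider normalising right after the assignment, e.g. `if (verify_ret <= 0 && ssl->verify_result == X509_V_OK) { ssl->verify_result = X509_V_ERR_APPLICATION_VERIFICATION; }`. The function starts before and closes after this hunk, so the `goto err` path also relies on `ret` being initialised to 0 above, which is not visible here.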