Remove some dead code from SSL_CTX_use_certificate_chain_file
SSL_CTX_use_certificate_chain_file has some extra logic where, if
SSL_CTX_use_certificate succeeds but leaves an error in the error queue,
it fails anyway.
The comment claims it's because, on cert/key mismatch, it succeeds and
leaves an error. When the function was added in upstream's
b3ca645f479b1f0bcfa1d1a65c955e8b7ff33de6, this appears to have been
true.
However, years later upstream's 6049399bafac74bd809ffac2108e8d5d284cd720
added an ERR_clear_error and made SSL_CTX_use_certificate behave more
consistently. Now the behavior is that installing a certificate silently
clears any pre-existing mismatched keys, so this case no longer exists.
The recently-added tests also demonstrate this behavior.
Change-Id: I4c7de44046f10bc653f8f1fd86aff0d6956b2b1a
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/79009
Auto-Submit: David Benjamin <davidben@google.com>
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
diff --git a/ssl/ssl_file.cc b/ssl/ssl_file.cc
index 0b55a9d..1fe01ab 100644
--- a/ssl/ssl_file.cc
+++ b/ssl/ssl_file.cc
@@ -384,8 +384,6 @@
int ret = 0;
X509 *x = NULL;
- ERR_clear_error(); // clear error stack for SSL_CTX_use_certificate()
-
in = BIO_new(BIO_s_file());
if (in == NULL) {
OPENSSL_PUT_ERROR(SSL, ERR_R_BUF_LIB);
@@ -405,11 +403,6 @@
}
ret = SSL_CTX_use_certificate(ctx, x);
-
- if (ERR_peek_error() != 0) {
- ret = 0; // Key/certificate mismatch doesn't imply ret==0 ...
- }
-
if (ret) {
// If we could set up our certificate, now proceed to the CA
// certificates.
