Set verify_result, even on failure.

If code tries to inspect the verify result in the case of a failure then
it seems reasonable that the error code should be in there.

Change-Id: Ic32ac9d340c2c10a405a7b6580f22a06427f041d
Reviewed-on: https://boringssl-review.googlesource.com/10641
Commit-Queue: Adam Langley <agl@google.com>
Reviewed-by: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index f18a62c..e770279 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -335,6 +335,8 @@
     verify_ret = X509_verify_cert(&ctx);
   }
 
+  *out_verify_result = ctx.error;
+
   /* If |SSL_VERIFY_NONE|, the error is non-fatal, but we keep the result. */
   if (verify_ret <= 0 && ssl->verify_mode != SSL_VERIFY_NONE) {
     ssl3_send_alert(ssl, SSL3_AL_FATAL, ssl_verify_alarm_type(ctx.error));
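Review bot: The added `*out_verify_result = ctx.error;` stores whatever `ctx.error` holds even when `verify_ret <= 0`, and nothing in these lines guarantees that `ctx.error` is non-OK in that case. A caller that inspects the result after a failure, which is the use the commit message describes, could then read a success code for a verification that failed. Consider storing a generic failure code when `verify_ret <= 0` and `ctx.error` is still `X509_V_OK`. The comment below ("we keep the result") now describes the assignment above it; moving it onto the new line would also document that the out-parameter is written on the fatal path.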
@@ -343,7 +345,6 @@
   }
 
   ERR_clear_error();
-  *out_verify_result = ctx.error;
   ret = 1;
 
 err:
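Review bot: `err:` can still be reached with `*out_verify_result` unwritten if any `goto err` sits above the new assignment, because after this removal the only store is the one added in the first hunk. If such paths exist earlier in the function, initialise the out-parameter at function entry, or document that it is only meaningful once verification has run. The change touches only ssl/ssl_cert.c; a test that reads the verify result after a rejected certificate would pin the behaviour the commit title promises.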