Gitiles
Code Review Sign In
gerrit.openfyde.cn / boringssl.googlesource.com / boringssl / 8997b2aa574208aef44e1d3c06afb4d554153359^! / .
commit8997b2aa574208aef44e1d3c06afb4d554153359[log] [tgz]
authorDavid Benjamin <davidben@google.com>Tue Aug 29 12:50:01 2017 -0400
committerCQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>Tue Aug 29 16:56:52 2017 +0000
tree2137aa572efe32f7a70c54d39543b48aafb96972
parente3bb51cb2360fca5b87d559fc263b2763bd14739 [diff]
Better test cert verification happening only once.

OpenSSL's API has a non-fatal "soft fail" mode (can we get rid of
this?), so we should set the flag even if config->verify_fail is true.

Change-Id: I5a2a3290b9bf45c682f3a629a8b6474b1090fc6e
Reviewed-on: https://boringssl-review.googlesource.com/19684
Commit-Queue: David Benjamin <davidben@google.com>
Commit-Queue: Steven Valdez <svaldez@google.com>
Reviewed-by: Steven Valdez <svaldez@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>

diff --git a/ssl/test/bssl_shim.cc b/ssl/test/bssl_shim.cc
index 7179832..8daa105 100644
--- a/ssl/test/bssl_shim.cc
+++ b/ssl/test/bssl_shim.cc

@@ -115,6 +115,8 @@
   bool custom_verify_ready = false;
   std::string msg_callback_text;
   bool msg_callback_ok = true;
+  // cert_verified is true if certificate verification has been driven to
+  // completion. This tests that the callback is not called again after this.
   bool cert_verified = false;
 };
 
@@ -716,12 +718,12 @@
     return 0;
   }
 
+  GetTestState(ssl)->cert_verified = true;
   if (config->verify_fail) {
     store_ctx->error = X509_V_ERR_APPLICATION_VERIFICATION;
     return 0;
   }
 
-  GetTestState(ssl)->cert_verified = true;
   return 1;
 }
 
@@ -735,11 +737,11 @@
     return ssl_verify_retry;
   }
 
+  GetTestState(ssl)->cert_verified = true;
   if (config->verify_fail) {
     return ssl_verify_invalid;
   }
 
-  GetTestState(ssl)->cert_verified = true;
   return ssl_verify_ok;
 }