Deprecate and no-op SSL_set_verify_result.
As documented by OpenSSL, it does not interact with session resumption
correctly:
https://www.openssl.org/docs/manmaster/ssl/SSL_set_verify_result.html
Sadly, netty-tcnative calls it, but we should be able to get them to
take it out because it doesn't do anything. Two of the three calls are
immediately after SSL_new. In OpenSSL and BoringSSL as of the previous
commit, this does nothing.
The final call is in verify_callback (see SSL_set_verify). This callback
is called in X509_verify_cert by way of X509_STORE_CTX_set_verify_cb.
As soon as X509_verify_cert returns, ssl->verify_result is clobbered
anyway, so it doesn't do anything.
Within OpenSSL, it's used in testdane.c. As far as I can tell, it does
not actually do a handshake and just uses this function to fake having
done one. (Regardless, we don't need to build against that.)
This is done in preparation for removing ssl->verify_result in favor of
session->verify_result.
Change-Id: I7e32d7f26c44f70136c72e58be05a3a43e62582b
Reviewed-on: https://boringssl-review.googlesource.com/10485
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 224cae8..da66263 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -141,6 +141,7 @@
#include <openssl/ssl.h>
#include <assert.h>
+#include <stdlib.h>
#include <string.h>
#include <openssl/bytestring.h>
@@ -2310,7 +2311,9 @@
}
void SSL_set_verify_result(SSL *ssl, long result) {
- ssl->verify_result = result;
+ if (result != X509_V_OK) {
+ abort();
+ }
}
long SSL_get_verify_result(const SSL *ssl) { return ssl->verify_result; }