Push some duplicated code into ssl_verify_cert_chain.

No sense in having it in both the 1.2 and 1.3 code.

Change-Id: Ib3854714afed24253af7f4bcee26d25e95a10211
Reviewed-on: https://boringssl-review.googlesource.com/9071
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/ssl/handshake_client.c b/ssl/handshake_client.c
index 7135a8f..850b2bc 100644
--- a/ssl/handshake_client.c
+++ b/ssl/handshake_client.c
@@ -1092,16 +1092,10 @@
 }
 
 static int ssl3_verify_server_cert(SSL *ssl) {
-  int ret = ssl_verify_cert_chain(ssl, ssl->s3->new_session->cert_chain);
-  if (ssl->verify_mode != SSL_VERIFY_NONE && ret <= 0) {
-    int al = ssl_verify_alarm_type(ssl->verify_result);
-    ssl3_send_alert(ssl, SSL3_AL_FATAL, al);
-    OPENSSL_PUT_ERROR(SSL, SSL_R_CERTIFICATE_VERIFY_FAILED);
-    return ret;
+  if (!ssl_verify_cert_chain(ssl, ssl->s3->new_session->cert_chain)) {
+    return -1;
   }
 
-  /* Otherwise the error is non-fatal, but we keep verify_result. */
-  ERR_clear_error();
   ssl->s3->new_session->verify_result = ssl->verify_result;
   return 1;
 }
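Review bot: The new guard `if (!ssl_verify_cert_chain(...))` in ssl3_verify_server_cert fails closed only on a return of exactly 0, whereas the removed code rejected `ret <= 0`. The body of ssl_verify_cert_chain is not in this hunk, so this is safe only if the callee now maps every failure, including any negative result from the underlying chain verification, to 0; otherwise a negative return would fall through and the handshake would proceed as if the chain had verified. Either state that 0/1 contract in a comment on ssl_verify_cert_chain or keep the comparison defensive, e.g. `if (ssl_verify_cert_chain(ssl, ssl->s3->new_session->cert_chain) <= 0) {`. The removed comment was also the only visible place saying a failure can be non-fatal, so I would keep one above the `verify_result` assignment, such as `/* Under SSL_VERIFY_NONE a failed verification is non-fatal; verify_result may still record an error. */`, assuming the callee now performs the `verify_mode` check.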