Add comment explaining why we don't check a return value A call to X509_verify_cert() is used to build a chain of certs for the server to send back to the client. It isn't *actually* used for verifying the cert at all - just building the chain. Therefore the return value is ignored. Reviewed-by: Kurt Roeckx <kurt@openssl.org>

commit: ae4d0c8d227d0cf4f9f3f7a5d07189c0a18b25fc [log] [tgz]
author: Matt Caswell <matt@openssl.org> Wed Nov 11 10:17:22 2015 +0000
committer: Matt Caswell <matt@openssl.org> Tue Nov 17 11:21:17 2015 +0000
tree: 68954bdc43c6de9f4ac5df05ea1f5faecd9a79d1
parent: d73ca3efa74bbb620a1e74deb5eec6f3d10203d5 [diff] [blame]
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 9a373b1..6f9fcdb 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c

@@ -914,6 +914,12 @@
             SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, ERR_R_X509_LIB);
             return (0);
         }
+        /*
+         * It is valid for the chain not to be complete (because normally we
+         * don't include the root cert in the chain). Therefore we deliberately
+         * ignore the error return from this call. We're not actually verifying
+         * the cert - we're just building as much of the chain as we can
+         */
         X509_verify_cert(&xs_ctx);
         /* Don't leave errors in the queue */
         ERR_clear_error();
commit	ae4d0c8d227d0cf4f9f3f7a5d07189c0a18b25fc	[log] [tgz]
author	Matt Caswell <matt@openssl.org>	Wed Nov 11 10:17:22 2015 +0000
committer	Matt Caswell <matt@openssl.org>	Tue Nov 17 11:21:17 2015 +0000
tree	68954bdc43c6de9f4ac5df05ea1f5faecd9a79d1
parent	d73ca3efa74bbb620a1e74deb5eec6f3d10203d5 [diff] [blame]