httpd-dev mailing list archives

From Kaspar Brand <httpd-dev.2...@velox.ch>
Subject Re: svn commit: r1650047 - in /httpd/httpd/trunk: CHANGES docs/manual/mod/mod_ssl.xml modules/ssl/ssl_engine_kernel.c modules/ssl/ssl_engine_vars.c modules/ssl/ssl_private.h modules/ssl/ssl_util_ssl.c modules/ssl/ssl_util_ssl.h
Date Wed, 07 Jan 2015 14:01:23 GMT
On 07.01.2015 14:03, Ruediger Pluem wrote:
>> +/* return an array of (RFC 6125 coined) DNS-IDs and CN-IDs in a certificate */
>> +BOOL SSL_X509_getIDs(apr_pool_t *p, X509 *x509, apr_array_header_t **ids)
>> +{
>> +    X509_NAME *subj;
>> +    int i = -1;
>> +
>> +    /* First, the DNS-IDs (dNSName entries in the subjectAltName extension) */
>> +    if (!x509 ||
>> +        (SSL_X509_getSAN(p, x509, GEN_DNS, -1, ids) == FALSE && !*ids))
{
>> +        *ids = NULL;
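
Review bot: The test `SSL_X509_getSAN(p, x509, GEN_DNS, -1, ids) == FALSE && !*ids` depends on a contract that is not documented here: after a FALSE return, `*ids` is read to tell "no array was allocated" apart from "an array exists but is empty", which is only safe if SSL_X509_getSAN writes `*ids` on every return path, including its early argument-check returns. A short comment above the `if` should say that a FALSE return with a non-NULL array is accepted on purpose, since this function goes on to collect the CN-IDs after the DNS-IDs, and `*ids` should be set to NULL before the call (or guaranteed by the callee) so the test never reads a stale caller value. Note also that `ids` itself is dereferenced in both the condition and `*ids = NULL` without a NULL check.
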
> 
> Why check for FALSE and !*ids? Shouldn't the empty array cause a return of FALSE?

Not necessarily. Early returns in SSL_X509_getSAN (when argument
checking etc. is taking place) may return a NULL pointer for the array,
and since we want to add the CN-ID elements further down here in
SSL_X509_getIDs, we have to make sure that we really have an array to
push to.

Kaspar
