httpd-dev mailing list archives

From Plüm, Rüdiger, Vodafone Group <ruediger.pl...@vodafone.com>
Subject Re: svn commit: r1650047 - in /httpd/httpd/trunk: CHANGES docs/manual/mod/mod_ssl.xml modules/ssl/ssl_engine_kernel.c modules/ssl/ssl_engine_vars.c modules/ssl/ssl_private.h modules/ssl/ssl_util_ssl.c modules/ssl/ssl_util_ssl.h
Date Wed, 07 Jan 2015 14:17:48 GMT


> -----Original Message-----
> From: Kaspar Brand [mailto:httpd-dev.2014@velox.ch]
> Sent: Wednesday, 7 January 2015 15:01
> To: dev@httpd.apache.org
> Subject: Re: svn commit: r1650047 - in /httpd/httpd/trunk: CHANGES
> docs/manual/mod/mod_ssl.xml modules/ssl/ssl_engine_kernel.c
> modules/ssl/ssl_engine_vars.c modules/ssl/ssl_private.h
> modules/ssl/ssl_util_ssl.c modules/ssl/ssl_util_ssl.h
> 
> On 07.01.2015 14:03, Ruediger Pluem wrote:
> >> +/* return an array of (RFC 6125 coined) DNS-IDs and CN-IDs in a
> certificate */
> >> +BOOL SSL_X509_getIDs(apr_pool_t *p, X509 *x509, apr_array_header_t
> **ids)
> >> +{
> >> +    X509_NAME *subj;
> >> +    int i = -1;
> >> +
> >> +    /* First, the DNS-IDs (dNSName entries in the subjectAltName
> extension) */
> >> +    if (!x509 ||
> >> +        (SSL_X509_getSAN(p, x509, GEN_DNS, -1, ids) == FALSE &&
> !*ids)) {
> >> +        *ids = NULL;
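Review bot: In the condition `SSL_X509_getSAN(p, x509, GEN_DNS, -1, ids) == FALSE && !*ids`, the second operand reads `*ids` right after a failed call, so the test is only sound if SSL_X509_getSAN stores to `*ids` on every return path, early argument-check exits included; `ids` itself is also dereferenced here without a NULL check. Suggest stating that contract in the function comment (what FALSE with a non-NULL array means versus FALSE with a NULL one), or collapsing to a single test if FALSE always implies `*ids == NULL`, so the reason for checking both is visible at the call site.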
> >
> > Why checking for FALSE and !*ids? Shouldn't the empty array cause a
> return of FALSE?
> 
> Not necessarily. Early returns in SSL_X509_getSAN (when argument
> checking etc. is taking place) may return a NULL pointer for the array,

But don't they always return FALSE in this case as well? If yes, a check for FALSE should be
sufficient, or, if we only want to ensure that the array is available, for !*ids. My point is
more: why do we need to do both checks? Wouldn't one be sufficient either?

Regards

Rüdiger