ret->references = 1;
ret->key = &ret->pkeys[cert->key - cert->pkeys];
-#ifndef OPENSSL_NO_RSA
- if (cert->rsa_tmp != NULL) {
- RSA_up_ref(cert->rsa_tmp);
- ret->rsa_tmp = cert->rsa_tmp;
- }
- ret->rsa_tmp_cb = cert->rsa_tmp_cb;
-#endif
-
#ifndef OPENSSL_NO_DH
if (cert->dh_tmp != NULL) {
ret->dh_tmp = DHparams_dup(cert->dh_tmp);
ret->dh_tmp_auto = cert->dh_tmp_auto;
#endif
-#ifndef OPENSSL_NO_EC
- if (cert->ecdh_tmp) {
- ret->ecdh_tmp = EC_KEY_dup(cert->ecdh_tmp);
- if (ret->ecdh_tmp == NULL) {
- SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_EC_LIB);
- goto err;
- }
- }
- ret->ecdh_tmp_cb = cert->ecdh_tmp_cb;
- ret->ecdh_tmp_auto = cert->ecdh_tmp_auto;
-#endif
-
for (i = 0; i < SSL_PKEY_NUM; i++) {
CERT_PKEY *cpk = cert->pkeys + i;
CERT_PKEY *rpk = ret->pkeys + i;
}
#endif
-#ifndef OPENSSL_NO_RSA
- RSA_free(c->rsa_tmp);
-#endif
#ifndef OPENSSL_NO_DH
DH_free(c->dh_tmp);
#endif
-#ifndef OPENSSL_NO_EC
- EC_KEY_free(c->ecdh_tmp);
-#endif
ssl_cert_clear_certs(c);
OPENSSL_free(c->conf_sigalgs);
SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, ERR_R_X509_LIB);
return (0);
}
+ /*
+ * It is valid for the chain not to be complete (because normally we
+ * don't include the root cert in the chain). Therefore we deliberately
+ * ignore the error return from this call. We're not actually verifying
+ * the cert - we're just building as much of the chain as we can
+ */
X509_verify_cert(&xs_ctx);
/* Don't leave errors in the queue */
ERR_clear_error();
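Review bot: The added comment justifies ignoring an incomplete chain, but the bare `X509_verify_cert(&xs_ctx);` below it discards every outcome, not only that one. If the call can also fail for internal reasons (for example an allocation failure, which this hunk does not show), the chain built from `xs_ctx` would presumably be shorter than it could be, and the following `ERR_clear_error()` removes the only trace of why. I would write the call as `(void)X509_verify_cert(&xs_ctx);` so the deliberate discard is visible to readers and static analysers. I would also add a line to the comment such as `* Internal failures are ignored as well; the only effect is a shorter chain, never a trust decision.` The enclosing function starts and ends outside this hunk, so how the resulting chain is consumed cannot be confirmed from here.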