return 0;
for (i = idx; i < SSL_PKEY_NUM; i++)
{
- CERT_PKEY *cpk = c->key + i;
+ CERT_PKEY *cpk = c->pkeys + i;
if (cpk->x509 && cpk->privatekey)
{
c->key = cpk;
* 0: match
* 1: no match
*/
-static int tlsa_cmp(const X509 *cert, const unsigned char *tlsa_record, unsigned int reclen)
+static int tlsa_cmp(const X509 *cert, const unsigned char *tlsa_record,
+ int reclen)
{
const EVP_MD *md;
unsigned char digest[EVP_MAX_MD_SIZE];
STACK_OF(X509) *chain = NULL, *untrusted = NULL;
X509 *x;
int i, rv = 0;
+ unsigned long error;
if (!cpk->x509)
{
{
x = sk_X509_value(cpk->chain, i);
if (!X509_STORE_add_cert(chain_store, x))
- goto err;
+ {
+ error = ERR_peek_last_error();
+ if (ERR_GET_LIB(error) != ERR_LIB_X509 ||
+ ERR_GET_REASON(error) != X509_R_CERT_ALREADY_IN_HASH_TABLE)
+ goto err;
+ ERR_clear_error();
+ }
}
/* Add EE cert too: it might be self signed */
if (!X509_STORE_add_cert(chain_store, cpk->x509))
- goto err;
+ {
+ error = ERR_peek_last_error();
+ if (ERR_GET_LIB(error) != ERR_LIB_X509 ||
+ ERR_GET_REASON(error) != X509_R_CERT_ALREADY_IN_HASH_TABLE)
+ goto err;
+ ERR_clear_error();
+ }
}
else
{
i = X509_verify_cert(&xs_ctx);
if (i <= 0 && flags & SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR)
{
- ERR_clear_error();
+ if (flags & SSL_BUILD_CHAIN_FLAG_CLEAR_ERROR)
+ ERR_clear_error();
i = 1;
+ rv = 2;
}
if (i > 0)
chain = X509_STORE_CTX_get1_chain(&xs_ctx);
}
}
cpk->chain = chain;
- rv = 1;
+ if (rv == 0)
+ rv = 1;
err:
if (flags & SSL_BUILD_CHAIN_FLAG_CHECK)
X509_STORE_free(chain_store);