diff options
| author | beck <> | 2024-03-25 00:05:49 +0000 | 
|---|---|---|
| committer | beck <> | 2024-03-25 00:05:49 +0000 | 
| commit | e9b001f0ec0e1d250cdf229432ac3949a3580968 (patch) | |
| tree | e85f499e6080f22102d08a49b6f7ce777768d4c3 /src/lib/libssl/tls13_lib.c | |
| parent | ba4c518e207b14a673a38e3d710160e9011bc408 (diff) | |
| download | openbsd-e9b001f0ec0e1d250cdf229432ac3949a3580968.tar.gz openbsd-e9b001f0ec0e1d250cdf229432ac3949a3580968.tar.bz2 openbsd-e9b001f0ec0e1d250cdf229432ac3949a3580968.zip | |
Remove unnecessary stat() calls from by_dir
When searching for a CA or CRL file in by_dir, this stat()
was used to short circuit attempting to open the file with
X509_load_cert_file(). This was a deliberate TOCTOU introduced
to avoid setting an error on the error stack, when what you
really want to say is "we couldn't find a CA" and continue
merrily on your way.
As it so happens you really do not care why the load_file failed
in any of these cases, it all boils down to "I can't find the CA
or CRL". Instead we just omit the stat call, and clear the error
stack if the load_file fails. The fact that you don't have a CA or
CRL is caught later in the callers and is what you want, mimicing
the non by_dir behaviour instead of possibly some bizzaro file
system error.
Based on a similar change in Boring.
ok tb@
Diffstat (limited to 'src/lib/libssl/tls13_lib.c')
0 files changed, 0 insertions, 0 deletions
