On 07.01.2015 14:03, Ruediger Pluem wrote:
>> +/* return an array of (RFC 6125 coined) DNS-IDs and CN-IDs in a certificate
>> */
>> +BOOL SSL_X509_getIDs(apr_pool_t *p, X509 *x509, apr_array_header_t **ids)
>> +{
>> + X509_NAME *subj;
>> + int i = -1;
>> +
>> + /* First, the DNS-IDs (dNSName entries in the subjectAltName extension)
>> */
>> + if (!x509 ||
>> + (SSL_X509_getSAN(p, x509, GEN_DNS, -1, ids) == FALSE && !*ids)) {
>> + *ids = NULL;
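Review bot: the `== FALSE && !*ids` test in this condition reads `*ids` after `SSL_X509_getSAN()` returns, so it is only correct if that function stores NULL into `*ids` on every early-return path (argument checking etc.); on any FALSE path that leaves `*ids` untouched, the test sees whatever the caller passed in and the `*ids = NULL;` in the body is skipped. Suggest either initialising `*ids = NULL;` before the call or adding a comment stating that contract, so the dependency is explicit rather than implied. As written, the `*ids = NULL;` assignment is only effective for the `!x509` case, since the other branch is reached only when `*ids` is already NULL.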
>
> Why check for FALSE and !*ids? Shouldn't the empty array cause a return of
> FALSE?
Not necessarily. Early returns in SSL_X509_getSAN (when argument
checking etc. is taking place) may return a NULL pointer for the array,
and since we want to add the CN-ID elements further down here in
SSL_X509_getIDs, we have to make sure that we really have an array to
push to.
Kaspar