On 07.01.2015 14:03, Ruediger Pluem wrote:
>> +/* return an array of (RFC 6125 coined) DNS-IDs and CN-IDs in a certificate
>> */
>> +BOOL SSL_X509_getIDs(apr_pool_t *p, X509 *x509, apr_array_header_t **ids)
>> +{
>> + X509_NAME *subj;
>> + int i = -1;
>> +
>> + /* First, the DNS-IDs (dNSName entries in the subjectAltName extension)
>> */
>> + if (!x509 ||
>> + (SSL_X509_getSAN(p, x509, GEN_DNS, -1, ids) == FALSE && !*ids)) {
>> + *ids = NULL;
>
> Why checking for FALSE and !*ids? Shouldn't the empty array cause a return of
> FALSE?
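Review bot: the condition `SSL_X509_getSAN(p, x509, GEN_DNS, -1, ids) == FALSE && !*ids` relies on `*ids` holding a defined value whenever the callee returns FALSE, yet nothing in this hunk assigns `*ids` before the call, so if `SSL_X509_getSAN` bails out on argument checking without touching the out-parameter, the `!*ids` test reads whatever the caller happened to pass in. Suggest an explicit `*ids = NULL;` ahead of the `if`, plus a one-line comment stating that a FALSE return with a live array means "no dNSName entries, carry on to the CN-ID" while FALSE with no array is a hard failure; the intent is not visible from the expression alone, which is exactly why it drew a reviewer question. While here, the `!x509` branch also writes through `ids` without checking that `ids` itself is non-NULL.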
Not necessarily. Early returns in SSL_X509_getSAN (when argument checking etc. is taking place) may return a NULL pointer for the array, and since we want to add the CN-ID elements further down here in SSL_X509_getIDs, we have to make sure that we really have an array to push to.

Kaspar