> -----Original Message-----
> From: Kaspar Brand [mailto:[email protected]]
> Sent: Wednesday, 7 January 2015 15:01
> To: [email protected]
> Subject: Re: svn commit: r1650047 - in /httpd/httpd/trunk: CHANGES
> docs/manual/mod/mod_ssl.xml modules/ssl/ssl_engine_kernel.c
> modules/ssl/ssl_engine_vars.c modules/ssl/ssl_private.h
> modules/ssl/ssl_util_ssl.c modules/ssl/ssl_util_ssl.h
>
> On 07.01.2015 14:03, Ruediger Pluem wrote:
> >> +/* return an array of (RFC 6125 coined) DNS-IDs and CN-IDs in a > certificate */ > >> +BOOL SSL_X509_getIDs(apr_pool_t *p, X509 *x509, apr_array_header_t > **ids) > >> +{ > >> + X509_NAME *subj; > >> + int i = -1; > >> + > >> + /* First, the DNS-IDs (dNSName entries in the subjectAltName > extension) */ > >> + if (!x509 || > >> + (SSL_X509_getSAN(p, x509, GEN_DNS, -1, ids) == FALSE && > !*ids)) { > >> + *ids = NULL;
> >
> > Why checking for FALSE and !*ids? Shouldn't the empty array cause a return of FALSE?
>
> Not necessarily. Early returns in SSL_X509_getSAN (when argument
> checking etc. is taking place) may return a NULL pointer for the array,

But don't they always return FALSE in this case as well? If yes, a check for FALSE should be sufficient, or if we only want to ensure that the array is available for !*ids. My point is more: Why do we need to do both checks? Wouldn't one be sufficient either?

Regards

Rüdiger
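
Review bot: in the `if` condition of SSL_X509_getIDs, `!*ids` is evaluated right after SSL_X509_getSAN returns FALSE, so the test is only meaningful if SSL_X509_getSAN assigns `*ids` on every return path; nothing in the quoted hunk initializes it before the call. Setting `*ids = NULL` ahead of the call would remove that dependency on the callee. A one-line comment stating which case FALSE with a non-NULL `*ids` represents would also make clear why both tests are present, which is the question raised in this thread.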
