On 07.01.2015 15:17, Plüm, Rüdiger, Vodafone Group wrote: >>> Why checking for FALSE and !*ids? Shouldn't the empty array cause a >> return of FALSE? >> >> Not necessarily. Early returns in SSL_X509_getSAN (when argument >> checking etc. is taking place) may return a NULL pointer for the array, > > But don't they always return FALSE in this case as well? If yes a check for > FALSE should be sufficient, > or if we only want to ensure that the array is available for !*ids. My point > is more: Why do we need to do both checks. Wouldn't be one sufficient either?
Ah, my first answer was missing an essential part, I think. Only checking for SSL_X509_getSAN(p, x509, GEN_DNS, -1, ids) == FALSE would mean that we would stop when we get back an empty array from SSL_X509_getSAN. For SSL_X509_getIDs, however, we want to continue and push the CN-IDs to the array (i.e., in the case of a certificate without a subjectAltName extension, which was relatively common until a few years ago). That's the reason for the additional "&& !*ids" - to make sure that we continue when getting back an empty array from SSL_X509_getSAN. Kaspar
