On Mon, Oct 20, 2025 at 03:12:34PM +0100, Daniel P. Berrangé wrote:
> The loop that checks the CA certificate chain can fail to report
> an error message if one of the certs in the chain has an issuer
> that is not present in the chain. In this case, the outer loop
> 'while (checking_issuer)' will terminate after failing to find
> the issuer, and no error message will be reported.
>
> Signed-off-by: Daniel P. Berrangé <[email protected]>
> ---
>  crypto/tlscredsx509.c                 | 33 ++++++++++++++++++---------
>  tests/unit/test-crypto-tlscredsx509.c | 12 ++++++++++
>  2 files changed, 34 insertions(+), 11 deletions(-)
>
> diff --git a/tests/unit/test-crypto-tlscredsx509.c > b/tests/unit/test-crypto-tlscredsx509.c > index 85f51aee1b..5f78fe7d6f 100644 > --- a/tests/unit/test-crypto-tlscredsx509.c > @@ -652,6 +661,9 @@ int main(int argc, char **argv) > TLS_TEST_REG(certchainwithexpiredcert, false, > WORKDIR "cacertchain-with-invalid-ctx.pem", > clientcertlevel2breq.filename, false); > + TLS_TEST_REG(chainincomlpete, true, chainincomplete > + WORKDIR "cacertchain-incomplete-ctx.pem", > + servercertlevel3areq.filename, true); With the typo fixed, Reviewed-by: Eric Blake <[email protected]> -- Eric Blake, Principal Software Engineer Red Hat, Inc. Virtualization: qemu.org | libguestfs.org
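Review bot: The test name in the added TLS_TEST_REG line is misspelled as "chainincomlpete"; it should read chainincomplete so that the registered name matches the "cacertchain-incomplete-ctx.pem" fixture it loads. Because the commit message describes a chain whose issuer is absent and a failure that previously produced no error message, a one-line comment above this registration saying that the chain deliberately omits an issuer, and what outcome the case expects, would make the intent clear next to the neighbouring certchainwithexpiredcert case.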
