From 690a9a27a515ea56f613a9ae2baa9b237daf4f91 Mon Sep 17 00:00:00 2001 From: Laurent Bercot Date: Fri, 1 May 2026 18:29:50 +0000 Subject: Ignore more bearssl errors under --no-verify-cert --- src/sbearssl/sbearssl_x509_small_vtable.c | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) (limited to 'src/sbearssl') diff --git a/src/sbearssl/sbearssl_x509_small_vtable.c b/src/sbearssl/sbearssl_x509_small_vtable.c index 951290a..7ec47f5 100644 --- a/src/sbearssl/sbearssl_x509_small_vtable.c +++ b/src/sbearssl/sbearssl_x509_small_vtable.c @@ -1,5 +1,7 @@ /* ISC license. */ +#include + #include #include @@ -39,11 +41,25 @@ static void end_cert (br_x509_class const **c) ctx->i++ ; } +static inline int isin (unsigned int key, unsigned int const *table, unsigned int n) +{ + for (unsigned int i = 0 ; i < n ; i++) + if (key == table[i]) return 1 ; + return 0 ; +} + static unsigned int end_chain (br_x509_class const **c) { + static unsigned int const ignored_errors[] = + { + BR_ERR_X509_EXPIRED, + BR_ERR_X509_DN_MISMATCH, + BR_ERR_X509_BAD_SERVER_NAME, + BR_ERR_X509_NOT_TRUSTED, + } ; sbearssl_x509_small_context *ctx = INSTANCE(c) ; unsigned int r = ctx->minimal.vtable->end_chain(&ctx->minimal.vtable) ; - if (ctx->flags & 1 && r == BR_ERR_X509_NOT_TRUSTED) r = 0 ; + if (ctx->flags & 1 && isin(r, ignored_errors, sizeof(ignored_errors)/sizeof(unsigned int))) r = 0 ; if (!r) { uint8_t mask = 1 ; -- cgit v1.3.1