Comment and indentation

diff --git a/crypto/x509/x509_trs.c b/crypto/x509/x509_trs.c
index 0de252c65d5cc138e6e4d34bcd577353d683c61a..7a41bc2d825fa9f5c1bc50f9cd5edbeb16e941a5 100644 (file)
--- a/crypto/x509/x509_trs.c
+++ b/crypto/x509/x509_trs.c
@@ -99,10 +99,10 @@ static int tr_cmp(const X509_TRUST * const *a,
 
 int (*X509_TRUST_set_default(int (*trust)(int , X509 *, int)))(int, X509 *, int)
 {
-int (*oldtrust)(int , X509 *, int);
-oldtrust = default_trust;
-default_trust = trust;
-return oldtrust;
+       int (*oldtrust)(int , X509 *, int);
+       oldtrust = default_trust;
+       default_trust = trust;
+       return oldtrust;
 }
 
 

diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 73eecd6ee4087c5f56ca97ff4b55dc1073a957f0..5d88efd4a0dd48b89e0730ce63e173a957ef2038 100644 (file)
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -488,6 +488,13 @@ static int internal_verify(X509_STORE_CTX *ctx)
                                if (!ok) goto end;
                                }
                        if (X509_verify(xs,pkey) <= 0)
+                               /* XXX  For the final trusted self-signed cert,
+                                * this is a waste of time.  That check should
+                                * optional so that e.g. 'openssl x509' can be
+                                * used to detect invalid self-signatures, but
+                                * we don't verify again and again in SSL
+                                * handshakes and the like once the cert has
+                                * been declared trusted. */
                                {
                                ctx->error=X509_V_ERR_CERT_SIGNATURE_FAILURE;
                                ctx->current_cert=xs;