openssl: avoid overwriting 'result' after error
authorDaniel Stenberg <daniel@haxx.se>
Fri, 17 Oct 2025 12:27:58 +0000 (14:27 +0200)
committerDaniel Stenberg <daniel@haxx.se>
Fri, 17 Oct 2025 13:48:47 +0000 (15:48 +0200)
Follow-up to eefd03c572996e5de4dec4fe295ad6f

Pointed out by ZeroPath https://zeropath.com/
Closes #19099

lib/vtls/openssl.c

index d51022b664740438d7edb90843be0e4bef389a43..43fa417a3554854c5ed62daffa4613fe635d67fb 100644 (file)
@@ -5106,12 +5106,6 @@ static CURLcode ossl_apple_verify(struct Curl_cfilter *cf,
 {
   struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
   struct ossl_certs_ctx chain;
-  long ocsp_len = 0;
-#ifdef HAVE_BORINGSSL_LIKE
-  const uint8_t *ocsp_data = NULL;
-#else
-  unsigned char *ocsp_data = NULL;
-#endif
   CURLcode result;
 
   memset(&chain, 0, sizeof(chain));
@@ -5123,13 +5117,20 @@ static CURLcode ossl_apple_verify(struct Curl_cfilter *cf,
     failf(data, "SSL: could not get peer certificate");
     result = CURLE_PEER_FAILED_VERIFICATION;
   }
+  else {
+#ifdef HAVE_BORINGSSL_LIKE
+    const uint8_t *ocsp_data = NULL;
+#else
+    unsigned char *ocsp_data = NULL;
+#endif
+    long ocsp_len = 0;
+    if(conn_config->verifystatus && !octx->reused_session)
+      ocsp_len = (long)SSL_get_tlsext_status_ocsp_resp(octx->ssl, &ocsp_data);
 
-  if(conn_config->verifystatus && !octx->reused_session)
-    ocsp_len = (long)SSL_get_tlsext_status_ocsp_resp(octx->ssl, &ocsp_data);
-
-  result = Curl_vtls_apple_verify(cf, data, peer, chain.num_certs,
-                                  ossl_chain_get_der, &chain,
-                                  ocsp_data, ocsp_len);
+    result = Curl_vtls_apple_verify(cf, data, peer, chain.num_certs,
+                                    ossl_chain_get_der, &chain,
+                                    ocsp_data, ocsp_len);
+  }
   *pverified = !result;
   return result;
 }
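Review bot: The length returned by `SSL_get_tlsext_status_ocsp_resp()` in the new `else` block is passed to `Curl_vtls_apple_verify()` without a sign check. OpenSSL documents a return of -1 when the peer sent no OCSP response, so with `verifystatus` set and no stapled response `ocsp_len` is -1 while `ocsp_data` stays NULL. How the callee handles a negative length (or a wrapped one, if its parameter is unsigned) is not visible in this hunk, so I would normalise it at the call site with `if(ocsp_len < 0) ocsp_len = 0;` and add a short comment that a missing staple is reported as length zero. The `if` that this `else` pairs with begins outside the hunk, so the peer-certificate check itself could not be reviewed here.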