From: Daniel Stenberg
Date: Fri, 17 Oct 2025 12:27:58 +0000 (+0200)
Subject: openssl: avoid overwriting 'result' after error
X-Git-Tag: rc-8_17_0-3~145
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fbff1d5b9071283024253ddf48e81547f6474394;p=thirdparty%2Fcurl.git

openssl: avoid overwriting 'result' after error

Follow-up to eefd03c572996e5de4dec4fe295ad6f

Pointed out by ZeroPath https://zeropath.com/

Closes #19099
---
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index d51022b664..43fa417a35 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -5106,12 +5106,6 @@ static CURLcode ossl_apple_verify(struct Curl_cfilter *cf,
 {
 struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
 struct ossl_certs_ctx chain;
- long ocsp_len = 0;
-#ifdef HAVE_BORINGSSL_LIKE
- const uint8_t *ocsp_data = NULL;
-#else
- unsigned char *ocsp_data = NULL;
-#endif
 CURLcode result;
 memset(&chain, 0, sizeof(chain));
@@ -5123,13 +5117,20 @@ static CURLcode ossl_apple_verify(struct Curl_cfilter *cf,
 failf(data, "SSL: could not get peer certificate");
 result = CURLE_PEER_FAILED_VERIFICATION;
 }
+ else {
+#ifdef HAVE_BORINGSSL_LIKE
+ const uint8_t *ocsp_data = NULL;
+#else
+ unsigned char *ocsp_data = NULL;
+#endif
+ long ocsp_len = 0;
+ if(conn_config->verifystatus && !octx->reused_session)
+ ocsp_len = (long)SSL_get_tlsext_status_ocsp_resp(octx->ssl, &ocsp_data);
- if(conn_config->verifystatus && !octx->reused_session)
- ocsp_len = (long)SSL_get_tlsext_status_ocsp_resp(octx->ssl, &ocsp_data);
-
- result = Curl_vtls_apple_verify(cf, data, peer, chain.num_certs,
- ossl_chain_get_der, &chain,
- ocsp_data, ocsp_len);
+ result = Curl_vtls_apple_verify(cf, data, peer, chain.num_certs,
+ ossl_chain_get_der, &chain,
+ ocsp_data, ocsp_len);
+ }
 *pverified = !result;
 return result;
 }
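Review bot: In the new `else` branch of the second hunk, `ocsp_len` is forwarded to Curl_vtls_apple_verify() exactly as SSL_get_tlsext_status_ocsp_resp() returned it, but with OpenSSL that call returns -1 (leaving ocsp_data NULL) when the server stapled no response, so a verifystatus connection can hand a length of -1 to the Apple verifier. Unless Curl_vtls_apple_verify() — whose body is not in this diff — is documented to treat a negative length as "no response", normalise it right after the call with `if(ocsp_len < 0) ocsp_len = 0;` so that any later conversion to size_t cannot turn it into SIZE_MAX. The `(long)` cast also silently narrows BoringSSL's size_t return, so a one-line comment stating both return conventions (`/* OpenSSL: long, -1 = none; BoringSSL: size_t, 0 = none */`) would help the next reader. The function's parameter list (`data`, `peer`, `octx`, `pverified`) begins before the first hunk, so the types of those arguments cannot be checked here.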