Commit f0b4bc12 authored by Steve Holme's avatar Steve Holme

openssl: Use 'CURLcode result'

More standardisation of CURLcode usage and coding style.
parent 14b4707d
+20 −14
@@ -2432,7 +2432,7 @@ static CURLcode servercert(struct connectdata *conn,
                           struct ssl_connect_data *connssl,
                           bool strict)
{
  CURLcode retcode = CURLE_OK;
  CURLcode result = CURLE_OK;
  int rc;
  long lerr;
  ASN1_TIME *certdate;
@@ -2452,6 +2452,7 @@ static CURLcode servercert(struct connectdata *conn,
      failf(data, "SSL: couldn't get peer certificate!");
    return CURLE_PEER_FAILED_VERIFICATION;
  }

  infof(data, "Server certificate:\n");

  rc = x509_name_oneline(X509_get_subject_name(connssl->server_cert),
@@ -2467,11 +2468,11 @@ static CURLcode servercert(struct connectdata *conn,
  infof(data, "\t expire date: %s\n", buffer);

  if(data->set.ssl.verifyhost) {
    retcode = verifyhost(conn, connssl->server_cert);
    if(retcode) {
    result = verifyhost(conn, connssl->server_cert);
    if(result) {
      X509_free(connssl->server_cert);
      connssl->server_cert = NULL;
      return retcode;
      return result;
    }
  }

@@ -2480,7 +2481,7 @@ static CURLcode servercert(struct connectdata *conn,
  if(rc) {
    if(strict)
      failf(data, "SSL: couldn't get X509-issuer name!");
    retcode = CURLE_SSL_CONNECT_ERROR;
    result = CURLE_SSL_CONNECT_ERROR;
  }
  else {
    infof(data, "\t issuer: %s\n", buffer);
@@ -2499,6 +2500,7 @@ static CURLcode servercert(struct connectdata *conn,
        connssl->server_cert = NULL;
        return CURLE_SSL_ISSUER_ERROR;
      }

      issuer = PEM_read_X509(fp, NULL, ZERO_NULL, NULL);
      if(!issuer) {
        if(strict)
@@ -2509,7 +2511,9 @@ static CURLcode servercert(struct connectdata *conn,
        fclose(fp);
        return CURLE_SSL_ISSUER_ERROR;
      }

      fclose(fp);

      if(X509_check_issued(issuer,connssl->server_cert) != X509_V_OK) {
        if(strict)
          failf(data, "SSL: Certificate issuer check failed (%s)",
@@ -2519,6 +2523,7 @@ static CURLcode servercert(struct connectdata *conn,
        connssl->server_cert = NULL;
        return CURLE_SSL_ISSUER_ERROR;
      }

      infof(data, "\t SSL certificate issuer check ok (%s)\n",
            data->set.str[STRING_SSL_ISSUERCERT]);
      X509_free(issuer);
@@ -2526,6 +2531,7 @@ static CURLcode servercert(struct connectdata *conn,

    lerr = data->set.ssl.certverifyresult =
      SSL_get_verify_result(connssl->handle);

    if(data->set.ssl.certverifyresult != X509_V_OK) {
      if(data->set.ssl.verifypeer) {
        /* We probably never reach this, because SSL_connect() will fail
@@ -2533,7 +2539,7 @@ static CURLcode servercert(struct connectdata *conn,
        if(strict)
          failf(data, "SSL certificate verify result: %s (%ld)",
                X509_verify_cert_error_string(lerr), lerr);
        retcode = CURLE_PEER_FAILED_VERIFICATION;
        result = CURLE_PEER_FAILED_VERIFICATION;
      }
      else
        infof(data, "\t SSL certificate verify result: %s (%ld),"
@@ -2545,9 +2551,9 @@ static CURLcode servercert(struct connectdata *conn,
  }

  ptr = data->set.str[STRING_SSL_PINNEDPUBLICKEY];
  if(retcode == CURLE_OK && ptr) {
    retcode = pkp_pin_peer_pubkey(connssl->server_cert, ptr);
    if(retcode != CURLE_OK)
  if(!result && ptr) {
    result = pkp_pin_peer_pubkey(connssl->server_cert, ptr);
    if(result)
      failf(data, "SSL: public key does not match pinned public key!");
  }

@@ -2555,7 +2561,7 @@ static CURLcode servercert(struct connectdata *conn,
  connssl->server_cert = NULL;
  connssl->connecting_state = ssl_connect_done;

  return retcode;
  return result;
}

static CURLcode ossl_connect_step3(struct connectdata *conn, int sockindex)
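Review bot: The pinned-public-key test near the end of servercert(), now `if(!result && ptr)`, has no comment stating when it runs, and it is the one place where the accumulated `result` gates a later security check. From the visible hunks, a bad `SSL_get_verify_result()` sets `result` only when `verifypeer` is enabled, so with peer verification off the pin comparison still runs, whereas a failed issuer-name lookup sets `result` and causes the pin comparison to be skipped. I would add a comment above the test such as `/* Pin check runs only if no earlier check failed; it still applies when verifypeer is off */`. Only fragments of the function body appear in these hunks, so the paths between them should be confirmed against the full file before the wording is finalised.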