authorBob Beck <beck@cvs.openbsd.org>2018-04-08 16:57:58 +0000
committerBob Beck <beck@cvs.openbsd.org>2018-04-08 16:57:58 +0000
commit2b750e0ccabd61cce69761242e86e2711aec95b6 (patch)
treeebfe49e821fc440485c5387f6c2757f7e5ffa637 /lib/libcrypto/x509
parent0c3acfa4d02d309be8d0d323bf706c8a17a481e2 (diff)
Fail early if an X509_VERIFY_PARAM is poisoned - don't allow
this to be "overridden" by the user supplied callback. ok jsing@
Diffstat (limited to 'lib/libcrypto/x509')
-rw-r--r--lib/libcrypto/x509/x509_vfy.c18
1 files changed, 10 insertions, 8 deletions
diff --git a/lib/libcrypto/x509/x509_vfy.c b/lib/libcrypto/x509/x509_vfy.c
index 8392f509e79..9b4c06310ae 100644
--- a/lib/libcrypto/x509/x509_vfy.c
+++ b/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.69 2018/04/06 07:08:20 beck Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.70 2018/04/08 16:57:57 beck Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -185,9 +185,6 @@ check_hosts(X509 *x, X509_VERIFY_PARAM_ID *id)
size_t i, n;
char *name;
- if (id->poisoned)
- return 0;
-
n = sk_OPENSSL_STRING_num(id->hosts);
free(id->peername);
id->peername = NULL;
@@ -208,10 +205,6 @@ check_id(X509_STORE_CTX *ctx)
X509_VERIFY_PARAM_ID *id = vpm->id;
X509 *x = ctx->cert;
- if (id->poisoned)
- if (!check_id_error(ctx, X509_V_ERR_INVALID_CALL))
- return 0;
-
if (id->hosts && check_hosts(x, id) <= 0) {
if (!check_id_error(ctx, X509_V_ERR_HOSTNAME_MISMATCH))
return 0;
@@ -253,6 +246,15 @@ X509_verify_cert(X509_STORE_CTX *ctx)
ctx->error = X509_V_ERR_INVALID_CALL;
return -1;
}
+ if (ctx->param->id->poisoned) {
+ /*
+ * This X509_STORE_CTX had failures setting
+ * up verify parameters. We can not use it.
+ */
+ X509error(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+ ctx->error = X509_V_ERR_INVALID_CALL;
+ return -1;
+ }
if (ctx->error != X509_V_ERR_INVALID_CALL) {
/*
* This X509_STORE_CTX has not been properly initialized.
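Review bot: The added `ctx->param->id->poisoned` test in X509_verify_cert dereferences `ctx->param` and `ctx->param->id` before the following `ctx->error != X509_V_ERR_INVALID_CALL` check, which is the one that rejects a context that was never properly initialized. If a caller can reach this point with a context whose initialization failed or was skipped (the init code is outside this hunk, so this is inferred), `param` or `id` may be NULL and the new check would crash instead of failing closed. Either move the poisoned block below the initialization check, or make the guard NULL-safe: `if (ctx->param == NULL || ctx->param->id == NULL || ctx->param->id->poisoned) {`. Since the poisoned checks were also removed from check_hosts and check_id in this commit, this entry check is now the only visible gate, so it is worth a comment saying that any other caller of those helpers must perform it as well. The function body continues outside the hunk.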