authorBob Beck <beck@cvs.openbsd.org>2017-02-25 23:48:09 +0000
committerBob Beck <beck@cvs.openbsd.org>2017-02-25 23:48:09 +0000
commit429be78e3fa5e8e915377a0bcb3eafade5675efb (patch)
tree56ea37c7bb6e02ede8bb11950ca36c2d89efcb42 /usr.sbin/ocspcheck
parentb21368f6a37a7c395542b63f00da383f05b652a4 (diff)
pledge stdio before parsing the http response
ok tb@
Diffstat (limited to 'usr.sbin/ocspcheck')
-rw-r--r--usr.sbin/ocspcheck/ocspcheck.c20
1 files changed, 11 insertions, 9 deletions
diff --git a/usr.sbin/ocspcheck/ocspcheck.c b/usr.sbin/ocspcheck/ocspcheck.c
index 65342fa13c2..5124d588b31 100644
--- a/usr.sbin/ocspcheck/ocspcheck.c
+++ b/usr.sbin/ocspcheck/ocspcheck.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ocspcheck.c,v 1.16 2017/02/20 23:55:22 beck Exp $ */
+/* $OpenBSD: ocspcheck.c,v 1.17 2017/02/25 23:48:08 beck Exp $ */
/*
* Copyright (c) 2017 Bob Beck <beck@openbsd.org>
*
@@ -589,6 +589,16 @@ main(int argc, char **argv)
request->data, request->size);
if (hget == NULL)
errx(1, "http_get");
+
+ /*
+ * Pledge minimally before fiddling with libcrypto init
+ * routines and parsing untrusted input from someone's OCSP
+ * server.
+ */
+
+ if (pledge("stdio", NULL) == -1)
+ err(1, "pledge");
+
httph = http_head_parse(hget->http, hget->xfer, &httphsz);
dspew("Server at %s returns:\n", host);
for (i = 0; i < httphsz; i++)
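Review bot: The response bytes are still fetched by the `http_get` call above the new `pledge("stdio", NULL)`, so any handling of server-controlled data inside that call runs under whatever wider promises were in force before this point. The hunk does not show what those promises are or how much parsing `http_get` does, so this is something to confirm rather than a confirmed gap. The comment could state the boundary explicitly, for example `* Everything needing file or network access must already be done; only http_get() above touches server data with wider promises.` It would also read better without the blank line between the comment and the `if (pledge(...))` it describes. `main` begins and ends outside this hunk.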
@@ -598,14 +608,6 @@ main(int argc, char **argv)
errx(1, "No body in reply from %s", host);
/*
- * Pledge minimally before fiddling with libcrypto init routines
- * and untrusted input from someone's OCSP server.
- */
-
- if (pledge("stdio", NULL) == -1)
- err(1, "pledge");
-
- /*
* Validate the OCSP response we got back
*/
OPENSSL_add_all_algorithms_noconf();