From cbd1d6a8808038e6f357e956a343f70ecaf110f4 Mon Sep 17 00:00:00 2001
From: beck <>
Date: Fri, 6 Apr 2018 07:08:20 +0000
Subject: poison for X509_VERIFY_PARAM's

Tighten up checks for various X509_VERIFY_PARAM functions, and
allow for the verify param to be poisoned (preculding future
successful cert validation) if the setting of host, ip, or email
for certificate validation fails. (since many callers do not
check the return code in the wild and blunder along anyway)

Inspired by some discussions with Adam Langley.

ok jsing@
---
 src/lib/libcrypto/x509/vpm_int.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'src/lib/libcrypto/x509/vpm_int.h')

diff --git a/src/lib/libcrypto/x509/vpm_int.h b/src/lib/libcrypto/x509/vpm_int.h
index 6c8061c847..7fc9fef761 100644
--- a/src/lib/libcrypto/x509/vpm_int.h
+++ b/src/lib/libcrypto/x509/vpm_int.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: vpm_int.h,v 1.3 2016/12/21 15:49:29 jsing Exp $ */
+/* $OpenBSD: vpm_int.h,v 1.4 2018/04/06 07:08:20 beck Exp $ */
 /*
  * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
  * 2013.
@@ -69,6 +69,7 @@ struct X509_VERIFY_PARAM_ID_st {
 	size_t emaillen;
 	unsigned char *ip;          /* If not NULL IP address to match */
 	size_t iplen;               /* Length of IP address */
+	int poisoned;
 };
 
 __END_HIDDEN_DECLS
-- 
cgit v1.2.3-55-g6feb