author | Dr. Stephen Henson <steve@openssl.org> | 2015-09-02 22:01:18 +0100 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2015-09-06 00:17:37 +0100 |
commit | a8d8e06b0ac06c421fd11cc1772126dcb98f79ae (patch) | |
tree | 14775147addd9c7785f12bc00db95c1a4a96d566 /crypto/x509v3/pcy_tree.c | |
parent | f728254a840bf7fdd2252fe09e11a0e99c7df1d4 (diff) |
Avoid direct X509 structure access
Reviewed-by: Tim Hudson <tjh@openssl.org>
Diffstat (limited to 'crypto/x509v3/pcy_tree.c')
-rw-r--r-- | crypto/x509v3/pcy_tree.c | 14 |
1 files changed, 9 insertions, 5 deletions
diff --git a/crypto/x509v3/pcy_tree.c b/crypto/x509v3/pcy_tree.c
index c6be015193..bbc9ada143 100644
--- a/crypto/x509v3/pcy_tree.c
+++ b/crypto/x509v3/pcy_tree.c
@@ -184,7 +184,9 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
 * explicit_policy value at this point.
 */
 for (i = n - 2; i >= 0; i--) {
+ uint32_t ex_flags;
 x = sk_X509_value(certs, i);
+ ex_flags = X509_get_extension_flags(x);
 X509_check_purpose(x, -1, -1);
 cache = policy_cache_set(x);
 /* If cache NULL something bad happened: return immediately */
@@ -193,7 +195,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
 /*
 * If inconsistent extensions keep a note of it but continue
 */
- if (x->ex_flags & EXFLAG_INVALID_POLICY)
+ if (ex_flags & EXFLAG_INVALID_POLICY)
 ret = -1;
 /*
 * Otherwise if we have no data (hence no CertificatePolicies) and
@@ -202,7 +204,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
 else if ((ret == 1) && !cache->data)
 ret = 2;
 if (explicit_policy > 0) {
- if (!(x->ex_flags & EXFLAG_SI))
+ if (!(ex_flags & EXFLAG_SI))
 explicit_policy--;
 if ((cache->explicit_skip != -1)
 && (cache->explicit_skip < explicit_policy))
@@ -235,8 +237,10 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
 goto bad_tree;
 for (i = n - 2; i >= 0; i--) {
+ uint32_t ex_flags;
 level++;
 x = sk_X509_value(certs, i);
+ ex_flags = X509_get_extension_flags(x);
 cache = policy_cache_set(x);
 X509_up_ref(x);
 level->cert = x;
@@ -250,10 +254,10 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
 * Any matching allowed if certificate is self issued and not the
 * last in the chain.
 */
- if (!(x->ex_flags & EXFLAG_SI) || (i == 0))
+ if (!(ex_flags & EXFLAG_SI) || (i == 0))
 level->flags |= X509_V_FLAG_INHIBIT_ANY;
 } else {
- if (!(x->ex_flags & EXFLAG_SI))
+ if (!(ex_flags & EXFLAG_SI))
 any_skip--;
 if ((cache->any_skip >= 0)
 && (cache->any_skip < any_skip))
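Review bot: In the first loop of tree_init, `ex_flags` is captured before `X509_check_purpose(x, -1, -1)` and `policy_cache_set(x)` run, whereas the removed `x->ex_flags` reads happened after both calls. If either call updates the certificate's flags (whether building the policy cache can set `EXFLAG_INVALID_POLICY` is not visible here), the snapshot can be stale and an inconsistent policy extension would not set `ret = -1` the first time a certificate is processed. Reading the flags once the cache is built, i.e. moving `ex_flags = X509_get_extension_flags(x);` below `cache = policy_cache_set(x);` and its NULL check, keeps the old ordering. The second loop (hunk at -235) takes its snapshot before `policy_cache_set(x)` as well, though only `EXFLAG_SI` is tested there. tree_init begins and ends outside these hunks.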
@@ -263,7 +267,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
 if (map_skip == 0)
 level->flags |= X509_V_FLAG_INHIBIT_MAP;
 else {
- if (!(x->ex_flags & EXFLAG_SI))
+ if (!(ex_flags & EXFLAG_SI))
 map_skip--;
 if ((cache->map_skip >= 0)
 && (cache->map_skip < map_skip)) |