author | Viktor Dukhovni <openssl-users@dukhovni.org> | 2016-01-29 16:38:21 -0500 |
---|---|---|
committer | Viktor Dukhovni <openssl-users@dukhovni.org> | 2016-01-29 17:00:40 -0500 |
commit | bc8c34d74ad26dca410f919b928db534b846d65f (patch) | |
tree | 9c2ceb3157ef6f88db36a5d302a81b7a37f7c638 /crypto/x509v3/pcy_tree.c | |
parent | ced2c2c598e195175950a67756d426052d38c228 (diff) |
Fix invalid policy detection
As a side-effect of opaque x509, ex_flags were looked up too early,
before additional policy cache updates.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Diffstat (limited to 'crypto/x509v3/pcy_tree.c')
-rw-r--r-- | crypto/x509v3/pcy_tree.c | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/crypto/x509v3/pcy_tree.c b/crypto/x509v3/pcy_tree.c index 850d488460..cac2d51dc3 100644 --- a/crypto/x509v3/pcy_tree.c +++ b/crypto/x509v3/pcy_tree.c @@ -185,14 +185,18 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, for (i = n - 2; i >= 0; i--) { uint32_t ex_flags; x = sk_X509_value(certs, i); - ex_flags = X509_get_extension_flags(x); + + /* + * Note, this modifies x->ex_flags. If cache NULL something bad + * happened: return immediately + */ cache = policy_cache_set(x); - /* If cache NULL something bad happened: return immediately */ if (cache == NULL) return 0; /* * If inconsistent extensions keep a note of it but continue */ + ex_flags = X509_get_extension_flags(x); if (ex_flags & EXFLAG_INVALID_POLICY) ret = -1; /* |
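Review bot: the reordering itself is right, but `uint32_t ex_flags;` is now declared at the top of the loop body and only assigned several lines later, after the `cache == NULL` early return; since it is used once, move the read next to its use, e.g. `uint32_t ex_flags = X509_get_extension_flags(x);` placed just before the `EXFLAG_INVALID_POLICY` test, so the dependency on `policy_cache_set(x)` having run first is visible in the code rather than only in the comment. The merged comment block also fuses two unrelated statements ("Note, this modifies x->ex_flags" and "If cache NULL something bad happened: return immediately"); keep the first as a standalone note above `policy_cache_set(x)` and restore the second next to the `if (cache == NULL)` check it describes. Because this diffstat is limited to pcy_tree.c, it is not visible whether a regression test accompanies the fix; a chain containing a certificate with inconsistent policy extensions, which must make `tree_init` return -1, would pin down the ordering that `policy_cache_set()` sets the flag before it is read.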