author | Matt Caswell <matt@openssl.org> | 2020-03-20 11:55:19 +0000 |
committer | Matt Caswell <matt@openssl.org> | 2020-03-30 14:54:37 +0100 |
commit | 9f0f53b7db502ad338baa45edfd163d0ca7aabc5 (patch) | |
tree | 22e334c36b500d7731c5990a92a9324dbaef2a95 /ssl/ssl_cert.c | |
parent | 33328581b83e8e9f573f08f0e2e0d6b32d095857 (diff) |
Explicitly cache X509v3 extensions in libssl
Caching the X509v3 extensions requires an explicit libctx. We do that
where required in libssl.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11409)
Diffstat (limited to 'ssl/ssl_cert.c')
-rw-r--r-- | ssl/ssl_cert.c | 13 |
1 files changed, 11 insertions, 2 deletions
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 56e3642fbd..f753bbee38 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -253,11 +253,20 @@ void ssl_cert_free(CERT *c)
 int ssl_cert_set0_chain(SSL *s, SSL_CTX *ctx, STACK_OF(X509) *chain)
 {
 int i, r;
- CERT_PKEY *cpk = s ? s->cert->key : ctx->cert->key;
+ CERT_PKEY *cpk = s != NULL ? s->cert->key : ctx->cert->key;
+ SSL_CTX *realctx = s != NULL ? s->ctx : ctx;
+
 if (!cpk)
 return 0;
 for (i = 0; i < sk_X509_num(chain); i++) {
- r = ssl_security_cert(s, ctx, sk_X509_value(chain, i), 0, 0);
+ X509 *x = sk_X509_value(chain, i);
+
+ if (!X509v3_cache_extensions(x, realctx->libctx, realctx->propq)) {
+ SSLerr(0, ERR_LIB_X509);
+ return 0;
+ }
+
+ r = ssl_security_cert(s, ctx, x, 0, 0);
 if (r != 1) {
 SSLerr(SSL_F_SSL_CERT_SET0_CHAIN, r);
 return 0;
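Review bot: The new error report `SSLerr(0, ERR_LIB_X509);` in the X509v3_cache_extensions failure branch passes a library code where SSLerr takes a reason code, whereas the existing call two lines below, `SSLerr(SSL_F_SSL_CERT_SET0_CHAIN, r);`, passes a proper reason. The reason-code macro for "the X509 library failed" is `ERR_R_X509_LIB`, which I believe is numerically identical to ERR_LIB_X509 in this tree, so this is a readability fix rather than a behavioural one: `SSLerr(0, ERR_R_X509_LIB);` (the 0 function code may be deliberate if function codes are being phased out; otherwise `SSL_F_SSL_CERT_SET0_CHAIN` keeps it consistent with the neighbouring call). Rejecting the whole chain when a member's extensions cannot be cached is the right fail-closed choice; a one-line comment before the new call explaining that the caching must happen before ssl_security_cert, and must use the owning context's libctx/propq, would help the next reader since the ordering is not obvious from the code. The body of ssl_cert_set0_chain continues past the end of the hunk.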