Explicitly cache X509v3 extensions in libssl

Caching the X509v3 extensions requires an explicit libctx. We do that where required in libssl. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11409)
author: Matt Caswell <matt@openssl.org> 2020-03-20 11:55:19 +0000
committer: Matt Caswell <matt@openssl.org> 2020-03-30 14:54:37 +0100
commit: 9f0f53b7db502ad338baa45edfd163d0ca7aabc5 (patch)
tree: 22e334c36b500d7731c5990a92a9324dbaef2a95 /ssl/ssl_cert.c
parent: 33328581b83e8e9f573f08f0e2e0d6b32d095857 (diff)
1 files changed, 11 insertions, 2 deletions
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 56e3642fbd..f753bbee38 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -253,11 +253,20 @@ void ssl_cert_free(CERT *c)
 int ssl_cert_set0_chain(SSL *s, SSL_CTX *ctx, STACK_OF(X509) *chain)
 {
     int i, r;
-    CERT_PKEY *cpk = s ? s->cert->key : ctx->cert->key;
+    CERT_PKEY *cpk = s != NULL ? s->cert->key : ctx->cert->key;
+    SSL_CTX *realctx = s != NULL ? s->ctx : ctx;
+
     if (!cpk)
         return 0;
     for (i = 0; i < sk_X509_num(chain); i++) {
-        r = ssl_security_cert(s, ctx, sk_X509_value(chain, i), 0, 0);
+        X509 *x = sk_X509_value(chain, i);
+
+        if (!X509v3_cache_extensions(x, realctx->libctx, realctx->propq)) {
+            SSLerr(0, ERR_LIB_X509);
+            return 0;
+        }
+
+        r = ssl_security_cert(s, ctx, x, 0, 0);
         if (r != 1) {
             SSLerr(SSL_F_SSL_CERT_SET0_CHAIN, r);
             return 0;
author	Matt Caswell <matt@openssl.org>	2020-03-20 11:55:19 +0000
committer	Matt Caswell <matt@openssl.org>	2020-03-30 14:54:37 +0100
commit	9f0f53b7db502ad338baa45edfd163d0ca7aabc5 (patch)
tree	22e334c36b500d7731c5990a92a9324dbaef2a95 /ssl/ssl_cert.c
parent	33328581b83e8e9f573f08f0e2e0d6b32d095857 (diff)