Fix invalid policy detection

As a side-effect of opaque x509, ex_flags were looked up too early,
before additional policy cache updates.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Viktor Dukhovni 2016-01-29 16:38:21 -05:00
parent ced2c2c598
commit bc8c34d74a


@ -185,14 +185,18 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
for (i = n - 2; i >= 0; i--) {
uint32_t ex_flags;
x = sk_X509_value(certs, i);
ex_flags = X509_get_extension_flags(x);
/*
* Note, this modifies x->ex_flags. If cache NULL something bad
* happened: return immediately
*/
cache = policy_cache_set(x);
/* If cache NULL something bad happened: return immediately */
if (cache == NULL)
return 0;
/*
* If inconsistent extensions keep a note of it but continue
*/
ex_flags = X509_get_extension_flags(x);
if (ex_flags & EXFLAG_INVALID_POLICY)
ret = -1;
/*