From bc8c34d74ad26dca410f919b928db534b846d65f Mon Sep 17 00:00:00 2001
From: Viktor Dukhovni
Date: Fri, 29 Jan 2016 16:38:21 -0500
Subject: [PATCH] Fix invalid policy detection

As a side-effect of opaque x509, ex_flags were looked up too early,
before additional policy cache updates.

Reviewed-by: Dr. Stephen Henson
---
 crypto/x509v3/pcy_tree.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/crypto/x509v3/pcy_tree.c b/crypto/x509v3/pcy_tree.c
index 850d488460..cac2d51dc3 100644
--- a/crypto/x509v3/pcy_tree.c
+++ b/crypto/x509v3/pcy_tree.c
@@ -185,14 +185,18 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
     for (i = n - 2; i >= 0; i--) {
         uint32_t ex_flags;
         x = sk_X509_value(certs, i);
-        ex_flags = X509_get_extension_flags(x);
+
+        /*
+         * Note, this modifies x->ex_flags. If cache NULL something bad
+         * happened: return immediately
+         */
         cache = policy_cache_set(x);
-        /* If cache NULL something bad happened: return immediately */
         if (cache == NULL)
             return 0;
         /*
          * If inconsistent extensions keep a note of it but continue
          */
+        ex_flags = X509_get_extension_flags(x);
         if (ex_flags & EXFLAG_INVALID_POLICY)
             ret = -1;
         /*
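Review bot: The ordering the fix depends on is documented only at the `policy_cache_set(x)` call, not at the moved `ex_flags = X509_get_extension_flags(x);` line, so a later reorder of these two statements would silently reintroduce the bug where EXFLAG_INVALID_POLICY is never observed and a certificate with inconsistent policy extensions no longer yields `ret = -1`. I would anchor the invariant on the read itself, e.g. `/* Must follow policy_cache_set(): it may set EXFLAG_INVALID_POLICY in x->ex_flags */` directly above the new `ex_flags = X509_get_extension_flags(x);`, and reword the comment above the cache call so it explains the side effect rather than merging it with the NULL-return remark. That `policy_cache_set()` is what updates the invalid-policy bit is inferred from the new comment and the commit message rather than from code visible in this hunk. The `tree_init` loop body continues past the end of the hunk, so later uses of `ex_flags` are not reviewed here.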