[openssl-commits] [openssl] master update
Viktor Dukhovni
viktor at openssl.org
Fri Jan 29 22:00:57 UTC 2016
The branch master has been updated
via bc8c34d74ad26dca410f919b928db534b846d65f (commit)
from ced2c2c598e195175950a67756d426052d38c228 (commit)
- Log -----------------------------------------------------------------
commit bc8c34d74ad26dca410f919b928db534b846d65f
Author: Viktor Dukhovni <openssl-users at dukhovni.org>
Date: Fri Jan 29 16:38:21 2016 -0500
Fix invalid policy detection
As a side-effect of opaque x509, ex_flags were looked up too early,
before additional policy cache updates.
Reviewed-by: Dr. Stephen Henson <steve at openssl.org>
-----------------------------------------------------------------------
Summary of changes:
crypto/x509v3/pcy_tree.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/crypto/x509v3/pcy_tree.c b/crypto/x509v3/pcy_tree.c
index 850d488..cac2d51 100644
--- a/crypto/x509v3/pcy_tree.c
+++ b/crypto/x509v3/pcy_tree.c
@@ -185,14 +185,18 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
for (i = n - 2; i >= 0; i--) {
uint32_t ex_flags;
x = sk_X509_value(certs, i);
- ex_flags = X509_get_extension_flags(x);
+
+ /*
+ * Note, this modifies x->ex_flags. If cache NULL something bad
+ * happened: return immediately
+ */
cache = policy_cache_set(x);
- /* If cache NULL something bad happened: return immediately */
if (cache == NULL)
return 0;
/*
* If inconsistent extensions keep a note of it but continue
*/
+ ex_flags = X509_get_extension_flags(x);
if (ex_flags & EXFLAG_INVALID_POLICY)
ret = -1;
/*
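Review bot: In the loop body of tree_init(), `uint32_t ex_flags;` is still declared at the top of the iteration and is now unset until after `policy_cache_set(x)`, so the ordering this fix depends on is protected only by the new comment. If `ex_flags` is not needed further down the loop, consider dropping the local and testing `X509_get_extension_flags(x) & EXFLAG_INVALID_POLICY` directly after the `cache == NULL` check, so a later cleanup cannot hoist the read back above the cache update. The merged comment also moves the "If cache NULL ... return immediately" remark away from the `if (cache == NULL)` test it describes; keeping the side-effect note above the call and the NULL note next to the test would read more clearly. The summary lists only pcy_tree.c as changed, so a regression test with a chain whose policy extensions are inconsistent, checking that `EXFLAG_INVALID_POLICY` is detected, would be worth adding alongside this fix.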