Commit bc8c34d7 authored by Viktor Dukhovni

Fix invalid policy detection

As a side-effect of opaque x509, ex_flags were looked up too early,
before additional policy cache updates.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Parent ced2c2c5
...@@ -185,14 +185,18 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, ...@@ -185,14 +185,18 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
for (i = n - 2; i >= 0; i--) { for (i = n - 2; i >= 0; i--) {
uint32_t ex_flags; uint32_t ex_flags;
x = sk_X509_value(certs, i); x = sk_X509_value(certs, i);
ex_flags = X509_get_extension_flags(x);
/*
* Note, this modifies x->ex_flags. If cache NULL something bad
* happened: return immediately
*/
cache = policy_cache_set(x); cache = policy_cache_set(x);
/* If cache NULL something bad happened: return immediately */
if (cache == NULL) if (cache == NULL)
return 0; return 0;
/* /*
* If inconsistent extensions keep a note of it but continue * If inconsistent extensions keep a note of it but continue
*/ */
ex_flags = X509_get_extension_flags(x);
if (ex_flags & EXFLAG_INVALID_POLICY) if (ex_flags & EXFLAG_INVALID_POLICY)
ret = -1; ret = -1;
/* /*
......
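Review bot: the hunk is correct in moving `ex_flags = X509_get_extension_flags(x);` below `policy_cache_set(x)`, since the accompanying comment states that the cache call modifies `x->ex_flags` and the old ordering read the flags before `EXFLAG_INVALID_POLICY` could have been set; two follow-ups would make the dependency harder to regress. First, the comment "Note, this modifies x->ex_flags" would be clearer if it named the flag that matters here, e.g. "policy_cache_set() may set EXFLAG_INVALID_POLICY in x->ex_flags, so read the flags only after it returns", so that a later reader does not hoist the lookup back up for tidiness. Second, the loop starts at `i = n - 2`, so the certificate at index `n - 1` is handled outside this hunk; worth confirming that path also reads the extension flags after its own `policy_cache_set()` call rather than before it. Minor: the `uint32_t ex_flags;` declaration could now sit next to its single use after the cache check, which keeps the read-after-update ordering visually obvious.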