authorViktor Dukhovni <openssl-users@dukhovni.org>2016-01-29 16:38:21 -0500
committerViktor Dukhovni <openssl-users@dukhovni.org>2016-01-29 17:00:40 -0500
commitbc8c34d74ad26dca410f919b928db534b846d65f (patch)
tree9c2ceb3157ef6f88db36a5d302a81b7a37f7c638 /crypto/x509v3
parentced2c2c598e195175950a67756d426052d38c228 (diff)
downloadopenssl-bc8c34d74ad26dca410f919b928db534b846d65f.tar.gz
Fix invalid policy detection
As a side-effect of opaque x509, ex_flags were looked up too early, before additional policy cache updates. Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Diffstat (limited to 'crypto/x509v3')
-rw-r--r--crypto/x509v3/pcy_tree.c8
1 files changed, 6 insertions, 2 deletions
diff --git a/crypto/x509v3/pcy_tree.c b/crypto/x509v3/pcy_tree.c
index 850d488460..cac2d51dc3 100644
--- a/crypto/x509v3/pcy_tree.c
+++ b/crypto/x509v3/pcy_tree.c
@@ -185,14 +185,18 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
for (i = n - 2; i >= 0; i--) {
uint32_t ex_flags;
x = sk_X509_value(certs, i);
- ex_flags = X509_get_extension_flags(x);
+
+ /*
+ * Note, this modifies x->ex_flags. If cache NULL something bad
+ * happened: return immediately
+ */
cache = policy_cache_set(x);
- /* If cache NULL something bad happened: return immediately */
if (cache == NULL)
return 0;
/*
* If inconsistent extensions keep a note of it but continue
*/
+ ex_flags = X509_get_extension_flags(x);
if (ex_flags & EXFLAG_INVALID_POLICY)
ret = -1;
/*
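Review bot: The ordering constraint this hunk fixes is only implied by the comment at the top of the loop body ("this modifies x->ex_flags"), while the read it protects sits six lines lower, under a comment about inconsistent extensions; a later cleanup could hoist the `X509_get_extension_flags(x)` call back above `policy_cache_set(x)` without any comment objecting. I would put the rationale on the read itself: `/* Read ex_flags only after policy_cache_set(): it may set EXFLAG_INVALID_POLICY */` directly above `ex_flags = X509_get_extension_flags(x);`, and keep the "If inconsistent extensions keep a note of it but continue" comment next to the `if` it describes. Whether X509_get_extension_flags() does any lazy computation of its own before returning is not visible here, so the comment should only claim what this hunk shows: the cache set must happen first. The enclosing tree_init() and the rest of this loop body start and end outside the hunk, so the handling of the leaf certificate and of the `ret = -1` result is not reviewed here.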