Initial support for Encrypted Data type generation.
[oweals/openssl.git] / crypto / x509v3 / pcy_tree.c
index 62eea0c4ab1e43f613158ce918183554ecb5005a..4fda1d419af6da9488b7a952eedd60920265e8c1 100644 (file)
@@ -197,7 +197,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
                        /* Any matching allowed if certificate is self
                         * issued and not the last in the chain.
                         */
-                       if (!(x->ex_flags && EXFLAG_SS) || (i == 0))
+                       if (!(x->ex_flags & EXFLAG_SS) || (i == 0))
                                level->flags |= X509_V_FLAG_INHIBIT_ANY;
                        }
                else
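Review bot: The comment above `if (!(x->ex_flags & EXFLAG_SS) || (i == 0))` describes when any-policy matching is allowed, while the condition tests the opposite case, in which `X509_V_FLAG_INHIBIT_ANY` is set, so a reader has to reconcile the two by hand; I would reword it to `/* Inhibit anyPolicy unless the certificate is self issued and is not the last in the chain. */`. The comment says "self issued" but the bit tested is `EXFLAG_SS`; confirm that this flag carries the self-issued meaning in this tree. Because the old `&&` form only tested whether `ex_flags` was non-zero, this line changes which chains get inhibit-any applied, and a regression test using a chain with a self-issued intermediate would pin the intended result. tree_init's body starts and ends outside the hunk.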
@@ -345,7 +345,7 @@ static int tree_prune(X509_POLICY_TREE *tree, X509_POLICY_LEVEL *curr)
                        {
                        node->parent->nchild--;
                        OPENSSL_free(node);
-                       sk_X509_POLICY_NODE_delete(curr->nodes, i);
+                       (void)sk_X509_POLICY_NODE_delete(curr->nodes, i);
                        }
                }
 
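Review bot: The `(void)` cast on `sk_X509_POLICY_NODE_delete(curr->nodes, i)` discards the removed pointer after `OPENSSL_free(node)` has already released it, so for one statement `curr->nodes` still holds a pointer to freed memory. Freeing what the stack hands back avoids both the cast and that window: `node->parent->nchild--;` followed by `OPENSSL_free(sk_X509_POLICY_NODE_delete(curr->nodes, i));`. The same applies to the identical change in the hunk at line 358. The loop that supplies `i` is outside both hunks, so whether deleting during the iteration is safe cannot be checked from here.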
@@ -358,7 +358,7 @@ static int tree_prune(X509_POLICY_TREE *tree, X509_POLICY_LEVEL *curr)
                                {
                                node->parent->nchild--;
                                OPENSSL_free(node);
-                               sk_X509_POLICY_NODE_delete(curr->nodes, i);
+                               (void)sk_X509_POLICY_NODE_delete(curr->nodes, i);
                                }
                        }
                if (curr->anyPolicy && !curr->anyPolicy->nchild)
@@ -628,9 +628,20 @@ int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
                /* Tree OK: continue */
 
                case 1:
+               if (!tree)
+                       /*
+                        * tree_init() returns success and a null tree
+                        * if it's just looking at a trust anchor.
+                        * I'm not sure that returning success here is
+                        * correct, but I'm sure that reporting this
+                        * as an internal error which our caller
+                        * interprets as a malloc failure is wrong.
+                        */
+                       return 1;
                break;
                }
 
+       if (!tree) goto error;
        ret = tree_evaluate(tree);
 
        if (ret <= 0)
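Review bot: The early `return 1;` under `case 1:` reports a successful policy check without any evaluation, and the comment itself leaves open whether that is correct, so the code should state what the caller sees in `*ptree` and `*pexplicit_policy` on this path (their initialisation is outside the hunk; confirm both are set before the switch). The nine-line comment sits between an unbraced `if (!tree)` and its statement, which makes it easy to misread what is guarded; I would move the comment above the test and write `if (!tree) { return 1; }`. The second guard, `if (!tree) goto error;`, has no comment: the hunk does not show which tree_init() result still reaches it with a null tree, and if the `error` label yields the internal-error return, that is the same outcome the comment above calls wrong for callers. X509_policy_check continues outside the hunk.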