/* pcy_tree.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 2004.
*/
/* ====================================================================
ret = 2;
if (explicit_policy > 0)
{
- explicit_policy--;
- if (!(x->ex_flags & EXFLAG_SS)
- && (cache->explicit_skip != -1)
+ if (!(x->ex_flags & EXFLAG_SI))
+ explicit_policy--;
+ if ((cache->explicit_skip != -1)
&& (cache->explicit_skip < explicit_policy))
explicit_policy = cache->explicit_skip;
}
tree->auth_policies = NULL;
tree->user_policies = NULL;
- if (!tree)
+ if (!tree->levels)
{
OPENSSL_free(tree);
return 0;
/* Any matching allowed if certificate is self
* issued and not the last in the chain.
*/
- if (!(x->ex_flags && EXFLAG_SS) || (i == 0))
+ if (!(x->ex_flags & EXFLAG_SI) || (i == 0))
level->flags |= X509_V_FLAG_INHIBIT_ANY;
}
else
{
- any_skip--;
- if ((cache->any_skip > 0)
+ if (!(x->ex_flags & EXFLAG_SI))
+ any_skip--;
+ if ((cache->any_skip >= 0)
&& (cache->any_skip < any_skip))
any_skip = cache->any_skip;
}
else
{
map_skip--;
- if ((cache->map_skip > 0)
+ if ((cache->map_skip >= 0)
&& (cache->map_skip < map_skip))
map_skip = cache->map_skip;
}
if (data == NULL)
return 0;
- data->qualifier_set = curr->anyPolicy->data->qualifier_set;
+ /* Curr may not have anyPolicy */
+ data->qualifier_set = cache->anyPolicy->qualifier_set;
data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
if (!level_add_node(curr, data, node, tree))
{
{
node->parent->nchild--;
OPENSSL_free(node);
- sk_X509_POLICY_NODE_delete(curr->nodes, i);
+ (void)sk_X509_POLICY_NODE_delete(curr->nodes, i);
}
}
{
node->parent->nchild--;
OPENSSL_free(node);
- sk_X509_POLICY_NODE_delete(curr->nodes, i);
+ (void)sk_X509_POLICY_NODE_delete(curr->nodes, i);
}
}
if (curr->anyPolicy && !curr->anyPolicy->nchild)
/* Tree OK: continue */
case 1:
+ if (!tree)
+ /*
+ * tree_init() returns success and a null tree
+ * if it's just looking at a trust anchor.
+ * I'm not sure that returning success here is
+ * correct, but I'm sure that reporting this
+ * as an internal error which our caller
+ * interprets as a malloc failure is wrong.
+ */
+ return 1;
break;
}
+ if (!tree) goto error;
ret = tree_evaluate(tree);
if (ret <= 0)