projects / oweals / openssl.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 0c56a64)
Explicitly cache the X509v3_extensions in one more place in libssl
authorMatt Caswell <matt@openssl.org>
Wed, 1 Apr 2020 15:10:08 +0000 (16:10 +0100)
committerMatt Caswell <matt@openssl.org>
Wed, 8 Apr 2020 23:00:20 +0000 (00:00 +0100)
Make sure we cache the extensions for a cert using the right libctx.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11457)

ssl/ssl_rsa.c patch | blob | history

diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c
index ac9d01a76666c9e80b1992477b5b12a419a46df8..09b965fc190b489e15bd0349a569aa23b3203ed1 100644 (file)
--- a/ssl/ssl_rsa.c
+++ b/ssl/ssl_rsa.c
@@ -1055,9 +1055,15 @@ static int ssl_set_cert_and_key(SSL *ssl, SSL_CTX *ctx, X509 *x509, EVP_PKEY *pr
     int j;
     int rv;
     CERT *c = ssl != NULL ? ssl->cert : ctx->cert;
+    SSL_CTX *actualctx = ssl == NULL ? ctx : ssl->ctx;
     STACK_OF(X509) *dup_chain = NULL;
     EVP_PKEY *pubkey = NULL;
 
+    if (!X509v3_cache_extensions(x509, actualctx->libctx, actualctx->propq)) {
+        SSLerr(0, ERR_R_X509_LIB);
+        goto out;
+    }
+
     /* Do all security checks before anything else */
     rv = ssl_security_cert(ssl, ctx, x509, 0, 1);
     if (rv != 1) {
Unnamed repository; edit this file 'description' to name the repository.