Avoid direct X509 structure access

[openssl.git] / crypto / x509v3 / pcy_tree.c

diff --git a/crypto/x509v3/pcy_tree.c b/crypto/x509v3/pcy_tree.c
index 6b0167b2e38430d6cc3b966568bb3d40a1dbcd30..bbc9ada1437610aa5a276ddf0e06939443b19fe6 100644 (file)
--- a/crypto/x509v3/pcy_tree.c
+++ b/crypto/x509v3/pcy_tree.c
@@ -57,7 +57,7 @@
  *
  */
 
-#include "cryptlib.h"
+#include "internal/cryptlib.h"
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
@@ -184,7 +184,9 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
      * explicit_policy value at this point.
      */
     for (i = n - 2; i >= 0; i--) {
+        uint32_t ex_flags;
         x = sk_X509_value(certs, i);
+        ex_flags = X509_get_extension_flags(x);
         X509_check_purpose(x, -1, -1);
         cache = policy_cache_set(x);
         /* If cache NULL something bad happened: return immediately */
@@ -193,7 +195,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
         /*
          * If inconsistent extensions keep a note of it but continue
          */
-        if (x->ex_flags & EXFLAG_INVALID_POLICY)
+        if (ex_flags & EXFLAG_INVALID_POLICY)
             ret = -1;
         /*
          * Otherwise if we have no data (hence no CertificatePolicies) and
@@ -202,7 +204,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
         else if ((ret == 1) && !cache->data)
             ret = 2;
         if (explicit_policy > 0) {
-            if (!(x->ex_flags & EXFLAG_SI))
+            if (!(ex_flags & EXFLAG_SI))
                 explicit_policy--;
             if ((cache->explicit_skip != -1)
                 && (cache->explicit_skip < explicit_policy))
@@ -217,25 +219,14 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
     }
 
     /* If we get this far initialize the tree */
-
-    tree = OPENSSL_malloc(sizeof(*tree));
-
+    tree = OPENSSL_zalloc(sizeof(*tree));
     if (!tree)
         return 0;
-
-    tree->flags = 0;
-    tree->levels = OPENSSL_malloc(sizeof(*tree->levels) * n);
-    tree->nlevel = 0;
-    tree->extra_data = NULL;
-    tree->auth_policies = NULL;
-    tree->user_policies = NULL;
-
+    tree->levels = OPENSSL_zalloc(sizeof(*tree->levels) * n);
     if (!tree->levels) {
         OPENSSL_free(tree);
         return 0;
     }
-
-    memset(tree->levels, 0, sizeof(*tree->levels) * n);
     tree->nlevel = n;
     level = tree->levels;
 
@@ -246,10 +237,12 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
         goto bad_tree;
 
     for (i = n - 2; i >= 0; i--) {
+        uint32_t ex_flags;
         level++;
         x = sk_X509_value(certs, i);
+        ex_flags = X509_get_extension_flags(x);
         cache = policy_cache_set(x);
-        CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
+        X509_up_ref(x);
         level->cert = x;
 
         if (!cache->anyPolicy)
@@ -261,10 +254,10 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
              * Any matching allowed if certificate is self issued and not the
              * last in the chain.
              */
-            if (!(x->ex_flags & EXFLAG_SI) || (i == 0))
+            if (!(ex_flags & EXFLAG_SI) || (i == 0))
                 level->flags |= X509_V_FLAG_INHIBIT_ANY;
         } else {
-            if (!(x->ex_flags & EXFLAG_SI))
+            if (!(ex_flags & EXFLAG_SI))
                 any_skip--;
             if ((cache->any_skip >= 0)
                 && (cache->any_skip < any_skip))
@@ -274,7 +267,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
         if (map_skip == 0)
             level->flags |= X509_V_FLAG_INHIBIT_MAP;
         else {
-            if (!(x->ex_flags & EXFLAG_SI))
+            if (!(ex_flags & EXFLAG_SI))
                 map_skip--;
             if ((cache->map_skip >= 0)
                 && (cache->map_skip < map_skip))
@@ -532,7 +525,7 @@ static int tree_calculate_authority_set(X509_POLICY_TREE *tree,
          * If no anyPolicy node on this this level it can't appear on lower
          * levels so end search.
          */
-        if (!(anyptr = curr->anyPolicy))
+        if ((anyptr = curr->anyPolicy) == NULL)
             break;
         curr++;
         for (j = 0; j < sk_X509_POLICY_NODE_num(curr->nodes); j++) {