From: Dr. Stephen Henson
Date: Wed, 30 Jul 2008 15:41:42 +0000 (+0000)
Subject: Policy validation fixes.
X-Git-Tag: OpenSSL_0_9_8k^2~291
X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=592a207b94dadbd03f352e8f74133efc0a141e3d;hp=6bcbac0abb35992732b77912f1cdc07cf9b7adec
Policy validation fixes. Inhibit any policy count should ignore self issued certificates. Require explicit policy is the number certificate before an explict policy is required.
---
diff --git a/crypto/x509v3/pcy_tree.c b/crypto/x509v3/pcy_tree.c
index 846d3eae04..c8bfa3773c 100644
--- a/crypto/x509v3/pcy_tree.c
+++ b/crypto/x509v3/pcy_tree.c
@@ -134,7 +134,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
 if (!(x->ex_flags & EXFLAG_SI)
 && (cache->explicit_skip != -1)
 && (cache->explicit_skip < explicit_policy))
- explicit_policy = cache->explicit_skip;
+ explicit_policy = cache->explicit_skip + 1;
 }
 }
@@ -202,7 +202,8 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
 }
 else
 {
- any_skip--;
+ if (!(x->ex_flags & EXFLAG_SI))
+ any_skip--;
 if ((cache->any_skip >= 0)
 && (cache->any_skip < any_skip))
 any_skip = cache->any_skip;
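Review bot: The guard above the changed assignment in the -134 hunk still tests `cache->explicit_skip != -1`, while the inhibit-anyPolicy path in the -202 hunk tests `cache->any_skip >= 0`. With the new `+ 1`, any negative value other than -1 that reached this point would pass the `<` comparison and set `explicit_policy` to zero or below. Whether the cache can ever hold such a value depends on code outside this diff, so this is a defensive suggestion: use `&& (cache->explicit_skip >= 0)` to match the other counter. The `+ 1` also deserves a one-line comment, for example `/* explicit_skip counts certificates that may still follow before a policy is required */`, because the conversion is not obvious from the code. tree_init begins and ends outside the hunk.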
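Review bot: The self-issued exemption is applied differently for the two counters, and nothing in the -202 hunk records whether that is intended. Here `EXFLAG_SI` gates only the `any_skip--` decrement and the certificate's own `cache->any_skip` is still adopted unchanged, whereas the -134 hunk uses the same flag to gate adoption of `cache->explicit_skip` and only that path adds 1. If both asymmetries are deliberate, a comment at the new `if` would help the next reader, for example `/* self-issued certificates do not consume the inhibit-anyPolicy count; their own extension still applies */`. No test is visible in the part of the commit shown here, so a chain with a self-issued intermediate carrying each constraint would be worth adding as a regression case. The enclosing else block and tree_init continue outside the hunk.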