In X509_check_issued() do the same dance around x509v3_cache_extensions()

as in all other palces. Check the EXFLAG_SET flag first and if not set
grab the CRYPTO_LOCK_X509 before calling x509v3_cache_extensions().
OK tb@ beck@

1 files changed, 11 insertions, 3 deletions

diff --git a/src/lib/libcrypto/x509/x509_purp.c b/src/lib/libcrypto/x509/x509_purp.c
index 3f0081fe40..86ee27407e 100644
--- a/src/lib/libcrypto/x509/x509_purp.c
+++ b/src/lib/libcrypto/x509/x509_purp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_purp.c,v 1.6 2021/09/02 12:41:44 job Exp $ */
+/* $OpenBSD: x509_purp.c,v 1.7 2021/09/13 15:26:53 claudio Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2001.
  */
@@ -871,10 +871,18 @@ X509_check_issued(X509 *issuer, X509 *subject)
         if (X509_NAME_cmp(X509_get_subject_name(issuer),
             X509_get_issuer_name(subject)))
                 return X509_V_ERR_SUBJECT_ISSUER_MISMATCH;
-        x509v3_cache_extensions(issuer);
+        if (!(issuer->ex_flags & EXFLAG_SET)) {
+                CRYPTO_w_lock(CRYPTO_LOCK_X509);
+                x509v3_cache_extensions(issuer);
+                CRYPTO_w_unlock(CRYPTO_LOCK_X509);
+        }
         if (issuer->ex_flags & EXFLAG_INVALID)
                 return X509_V_ERR_UNSPECIFIED;
-        x509v3_cache_extensions(subject);
+        if (!(subject->ex_flags & EXFLAG_SET)) {
+                CRYPTO_w_lock(CRYPTO_LOCK_X509);
+                x509v3_cache_extensions(subject);
+                CRYPTO_w_unlock(CRYPTO_LOCK_X509);
+        }
         if (subject->ex_flags & EXFLAG_INVALID)
                 return X509_V_ERR_UNSPECIFIED;