Extension checking fixes.
authorDr. Stephen Henson <steve@openssl.org>
Tue, 15 Apr 2014 17:48:54 +0000 (18:48 +0100)
committerDr. Stephen Henson <steve@openssl.org>
Tue, 15 Apr 2014 17:53:14 +0000 (18:53 +0100)
When looking for an extension we need to set the last found
position to -1 to properly search all extensions.

PR#3309.
(cherry picked from commit 300b9f0b704048f60776881f1d378c74d9c32fbd)

crypto/x509v3/v3_purp.c

index ad688657e01e6485f1f29a1bc46ba6cfaa31ed5c..f59bfc1844cf8e116d3848bf7d4be3c9abea5cfe 100644 (file)
@@ -389,8 +389,8 @@ static void x509v3_cache_extensions(X509 *x)
        /* Handle proxy certificates */
        if((pci=X509_get_ext_d2i(x, NID_proxyCertInfo, NULL, NULL))) {
                if (x->ex_flags & EXFLAG_CA
-                   || X509_get_ext_by_NID(x, NID_subject_alt_name, 0) >= 0
-                   || X509_get_ext_by_NID(x, NID_issuer_alt_name, 0) >= 0) {
+                   || X509_get_ext_by_NID(x, NID_subject_alt_name, -1) >= 0
+                   || X509_get_ext_by_NID(x, NID_issuer_alt_name, -1) >= 0) {
                        x->ex_flags |= EXFLAG_INVALID;
                }
                if (pci->pcPathLengthConstraint) {
@@ -670,7 +670,7 @@ static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x,
                return 0;
 
        /* Extended Key Usage MUST be critical */
-       i_ext = X509_get_ext_by_NID((X509 *) x, NID_ext_key_usage, 0);
+       i_ext = X509_get_ext_by_NID((X509 *) x, NID_ext_key_usage, -1);
        if (i_ext >= 0)
                {
                X509_EXTENSION *ext = X509_get_ext((X509 *) x, i_ext);