Fix two bugs which affect delta CRL handling:
authorDr. Stephen Henson <steve@openssl.org>
Thu, 6 Dec 2012 18:24:47 +0000 (18:24 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Thu, 6 Dec 2012 18:24:47 +0000 (18:24 +0000)
Use -1 to check all extensions in CRLs.
Always set flag for freshest CRL.

crypto/x509/x509_vfy.c
crypto/x509v3/v3_purp.c

index ba10811f80bf46b842fc4710a8f9be0e85f696ac..99cf5be3fc7381c1fb86049d4d808c9224eedfd0 100644 (file)
@@ -888,7 +888,7 @@ static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid)
        {
        ASN1_OCTET_STRING *exta, *extb;
        int i;
-       i = X509_CRL_get_ext_by_NID(a, nid, 0);
+       i = X509_CRL_get_ext_by_NID(a, nid, -1);
        if (i >= 0)
                {
                /* Can't have multiple occurrences */
@@ -899,7 +899,7 @@ static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid)
        else
                exta = NULL;
 
-       i = X509_CRL_get_ext_by_NID(b, nid, 0);
+       i = X509_CRL_get_ext_by_NID(b, nid, -1);
 
        if (i >= 0)
                {
index ae41a7148171c70c1efde76820fc0c465c17acb5..2cc75eecaae62f6ce8abfba46b1c9b3975477a4e 100644 (file)
@@ -474,11 +474,11 @@ static void x509v3_cache_extensions(X509 *x)
        for (i = 0; i < X509_get_ext_count(x); i++)
                {
                ex = X509_get_ext(x, i);
-               if (!X509_EXTENSION_get_critical(ex))
-                       continue;
                if (OBJ_obj2nid(X509_EXTENSION_get_object(ex))
                                        == NID_freshest_crl)
                        x->ex_flags |= EXFLAG_FRESHEST;
+               if (!X509_EXTENSION_get_critical(ex))
+                       continue;
                if (!X509_supported_extension(ex))
                        {
                        x->ex_flags |= EXFLAG_CRITICAL;