Fix two bugs which affect delta CRL handling:

Use -1 to check all extensions in CRLs.
Always set flag for freshest CRL.

diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 8ba03d5d43d41032e22ca083c72d18e2b691c4ab..d96d500f5c02623e33517c989151ff262d04c4da 100644 (file)
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -968,7 +968,7 @@ static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid)
        {
        ASN1_OCTET_STRING *exta, *extb;
        int i;
-       i = X509_CRL_get_ext_by_NID(a, nid, 0);
+       i = X509_CRL_get_ext_by_NID(a, nid, -1);
        if (i >= 0)
                {
                /* Can't have multiple occurrences */
@@ -979,7 +979,7 @@ static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid)
        else
                exta = NULL;
 
-       i = X509_CRL_get_ext_by_NID(b, nid, 0);
+       i = X509_CRL_get_ext_by_NID(b, nid, -1);
 
        if (i >= 0)
                {

diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c
index 4b986dfc5d6163158e6d5d8a42bb3e011d1e48e1..6c40c7dfc318e4b46fc20d38581ad3656e344b5e 100644 (file)
--- a/crypto/x509v3/v3_purp.c
+++ b/crypto/x509v3/v3_purp.c
@@ -483,11 +483,11 @@ static void x509v3_cache_extensions(X509 *x)
        for (i = 0; i < X509_get_ext_count(x); i++)
                {
                ex = X509_get_ext(x, i);
-               if (!X509_EXTENSION_get_critical(ex))
-                       continue;
                if (OBJ_obj2nid(X509_EXTENSION_get_object(ex))
                                        == NID_freshest_crl)
                        x->ex_flags |= EXFLAG_FRESHEST;
+               if (!X509_EXTENSION_get_critical(ex))
+                       continue;
                if (!X509_supported_extension(ex))
                        {
                        x->ex_flags |= EXFLAG_CRITICAL;