From: Rich Salz <rsalz@openssl.org>
Date: Sat, 22 Oct 2016 07:53:47 +0000 (-0400)
Subject: Correctly find all critical CRL extensions
X-Git-Tag: OpenSSL_1_0_2k~59
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=3ade92e785bb3777c92332f88e23f6ce906ee260;p=openssl

Correctly find all critical CRL extensions

Unhandled critical CRL extensions were not detected if they appeared
after the handled ones.  (GitHub issue 1757).  Thanks to John Chuah
for reporting this.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1769)
---

diff --git a/crypto/asn1/x_crl.c b/crypto/asn1/x_crl.c
index 027950330d..c78ded89ef 100644
--- a/crypto/asn1/x_crl.c
+++ b/crypto/asn1/x_crl.c
@@ -254,6 +254,7 @@ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
 
         for (idx = 0; idx < sk_X509_EXTENSION_num(exts); idx++) {
             int nid;
+
             ext = sk_X509_EXTENSION_value(exts, idx);
             nid = OBJ_obj2nid(ext->object);
             if (nid == NID_freshest_crl)
@@ -263,7 +264,7 @@ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
                 if ((nid == NID_issuing_distribution_point)
                     || (nid == NID_authority_key_identifier)
                     || (nid == NID_delta_crl))
-                    break;;
+                    continue;
                 crl->flags |= EXFLAG_CRITICAL;
                 break;
             }