4 files changed, 26 insertions, 17 deletions
diff --git a/src/lib/libcrypto/x509/by_dir.c b/src/lib/libcrypto/x509/by_dir.c
index 27ca5150c1..c6602dae4f 100644
--- a/src/lib/libcrypto/x509/by_dir.c
+++ b/src/lib/libcrypto/x509/by_dir.c
@@ -218,7 +218,7 @@ static int add_cert_dir(BY_DIR *ctx, const char *dir, int type)
        s=dir;
        p=s;
-        for (;;p++)
+        do
                {
                if ((*p == LIST_SEPARATOR_CHAR) || (*p == '\0'))
                        {
@@ -264,9 +264,7 @@ static int add_cert_dir(BY_DIR *ctx, const char *dir, int type)
                                return 0;
                                }
                        }
-                if (*p == '\0')
+                } while (*p++ != '\0');
-                        break;
-                }
        return 1;
        }
diff --git a/src/lib/libcrypto/x509/x509_cmp.c b/src/lib/libcrypto/x509/x509_cmp.c
index 7c2aaee2e9..352aa37434 100644
--- a/src/lib/libcrypto/x509/x509_cmp.c
+++ b/src/lib/libcrypto/x509/x509_cmp.c
@@ -86,10 +86,9 @@ unsigned long X509_issuer_and_serial_hash(X509 *a)
        EVP_MD_CTX_init(&ctx);
        f=X509_NAME_oneline(a->cert_info->issuer,NULL,0);
-        ret=strlen(f);
        if (!EVP_DigestInit_ex(&ctx, EVP_md5(), NULL))
                goto err;
-        if (!EVP_DigestUpdate(&ctx,(unsigned char *)f,ret))
+        if (!EVP_DigestUpdate(&ctx,(unsigned char *)f,strlen(f)))
                goto err;
        OPENSSL_free(f);
        if(!EVP_DigestUpdate(&ctx,(unsigned char *)a->cert_info->serialNumber->data,
@@ -249,14 +248,14 @@ unsigned long X509_NAME_hash_old(X509_NAME *x)
        i2d_X509_NAME(x,NULL);
        EVP_MD_CTX_init(&md_ctx);
        EVP_MD_CTX_set_flags(&md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
-        EVP_DigestInit_ex(&md_ctx, EVP_md5(), NULL);
+        if (EVP_DigestInit_ex(&md_ctx, EVP_md5(), NULL)
-        EVP_DigestUpdate(&md_ctx, x->bytes->data, x->bytes->length);
+            && EVP_DigestUpdate(&md_ctx, x->bytes->data, x->bytes->length)
-        EVP_DigestFinal_ex(&md_ctx,md,NULL);
+            && EVP_DigestFinal_ex(&md_ctx,md,NULL))
+                ret=(((unsigned long)md[0]     )|((unsigned long)md[1]<<8L)|
+                     ((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L)
+                     )&0xffffffffL;
        EVP_MD_CTX_cleanup(&md_ctx);
-        ret=(   ((unsigned long)md[0]     )|((unsigned long)md[1]<<8L)|
-                ((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L)
-                )&0xffffffffL;
        return(ret);
        }
 #endif
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
index b0779db023..920066aeba 100644
--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -694,6 +694,7 @@ static int check_cert(X509_STORE_CTX *ctx)
        X509_CRL *crl = NULL, *dcrl = NULL;
        X509 *x;
        int ok, cnum;
+        unsigned int last_reasons;
        cnum = ctx->error_depth;
        x = sk_X509_value(ctx->chain, cnum);
        ctx->current_cert = x;
@@ -702,6 +703,7 @@ static int check_cert(X509_STORE_CTX *ctx)
        ctx->current_reasons = 0;
        while (ctx->current_reasons != CRLDP_ALL_REASONS)
                {
+                last_reasons = ctx->current_reasons;
                /* Try to retrieve relevant CRL */
                if (ctx->get_crl)
                        ok = ctx->get_crl(ctx, &crl, x);
@@ -745,6 +747,15 @@ static int check_cert(X509_STORE_CTX *ctx)
                X509_CRL_free(dcrl);
                crl = NULL;
                dcrl = NULL;
+                /* If reasons not updated we wont get anywhere by
+                 * another iteration, so exit loop.
+                 */
+                if (last_reasons == ctx->current_reasons)
+                        {
+                        ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;
+                        ok = ctx->verify_cb(0, ctx);
+                        goto err;
+                        }
                }
        err:
        X509_CRL_free(crl);
@@ -872,7 +883,7 @@ static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid)
        {
        ASN1_OCTET_STRING *exta, *extb;
        int i;
-        i = X509_CRL_get_ext_by_NID(a, nid, 0);
+        i = X509_CRL_get_ext_by_NID(a, nid, -1);
        if (i >= 0)
                {
                /* Can't have multiple occurrences */
@@ -883,7 +894,7 @@ static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid)
        else
                exta = NULL;
-        i = X509_CRL_get_ext_by_NID(b, nid, 0);
+        i = X509_CRL_get_ext_by_NID(b, nid, -1);
        if (i >= 0)
                {
@@ -1451,10 +1462,9 @@ static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
         * a certificate was revoked. This has since been changed since 
         * critical extension can change the meaning of CRL entries.
         */
-        if (crl->flags & EXFLAG_CRITICAL)
+        if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
+                && (crl->flags & EXFLAG_CRITICAL))
                {
-                if (ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
-                        return 1;
                ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION;
                ok = ctx->verify_cb(0, ctx);
                if(!ok)
diff --git a/src/lib/libcrypto/x509/x_all.c b/src/lib/libcrypto/x509/x_all.c
index b94aeeb873..e06602d65a 100644
--- a/src/lib/libcrypto/x509/x_all.c
+++ b/src/lib/libcrypto/x509/x_all.c
@@ -97,6 +97,7 @@ int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md)
 int X509_sign_ctx(X509 *x, EVP_MD_CTX *ctx)
        {
+        x->cert_info->enc.modified = 1;
        return ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_CINF),
                x->cert_info->signature,
                x->sig_alg, x->signature, x->cert_info, ctx);
@@ -123,6 +124,7 @@ int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md)
 int X509_CRL_sign_ctx(X509_CRL *x, EVP_MD_CTX *ctx)
        {
+        x->crl->enc.modified = 1;
        return ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_CRL_INFO),
                x->crl->sig_alg, x->sig_alg, x->signature, x->crl, ctx);
        }