From c35453897494d2b488961f7a446b4df8e24c6f31 Mon Sep 17 00:00:00 2001
From: Arne Schwabe <arne@rfc2549.org>
Date: Sun, 15 Jun 2014 22:21:10 +0200
Subject: Update OpenSSL to 1.0.1h

---
 main/openssl/crypto/asn1/a_strnid.c   |  2 +-
 main/openssl/crypto/bio/bio.h         |  3 +++
 main/openssl/crypto/bio/bss_dgram.c   |  9 ++++++-
 main/openssl/crypto/bn/bn_mont.c      | 46 ++++++++++++++++++++---------------
 main/openssl/crypto/cms/cms_env.c     |  2 ++
 main/openssl/crypto/cms/cms_sd.c      |  4 +--
 main/openssl/crypto/cms/cms_smime.c   |  5 ++--
 main/openssl/crypto/dso/dso_dlfcn.c   |  2 +-
 main/openssl/crypto/ec/ec_ameth.c     |  1 +
 main/openssl/crypto/ec/ec_asn1.c      |  7 ++++--
 main/openssl/crypto/ec/ec_lcl.h       |  2 +-
 main/openssl/crypto/evp/bio_b64.c     |  1 +
 main/openssl/crypto/evp/encode.c      |  1 +
 main/openssl/crypto/evp/p_lib.c       |  2 +-
 main/openssl/crypto/opensslv.h        |  6 ++---
 main/openssl/crypto/pkcs12/p12_crt.c  |  8 ++++++
 main/openssl/crypto/pkcs12/p12_kiss.c |  2 +-
 main/openssl/crypto/pkcs7/pk7_doit.c  |  6 +++++
 main/openssl/crypto/pkcs7/pkcs7.h     |  1 +
 main/openssl/crypto/pkcs7/pkcs7err.c  |  3 ++-
 main/openssl/crypto/rsa/rsa_ameth.c   |  2 +-
 main/openssl/crypto/srp/srp_vfy.c     |  3 +++
 main/openssl/crypto/x509v3/v3_purp.c  |  6 ++---
 23 files changed, 84 insertions(+), 40 deletions(-)

(limited to 'main/openssl/crypto')

diff --git a/main/openssl/crypto/asn1/a_strnid.c b/main/openssl/crypto/asn1/a_strnid.c
index 2fc48c15..2afd5a41 100644
--- a/main/openssl/crypto/asn1/a_strnid.c
+++ b/main/openssl/crypto/asn1/a_strnid.c
@@ -74,7 +74,7 @@ static int sk_table_cmp(const ASN1_STRING_TABLE * const *a,
  * certain software (e.g. Netscape) has problems with them.
  */
 
-static unsigned long global_mask = 0xFFFFFFFFL;
+static unsigned long global_mask = B_ASN1_UTF8STRING;
 
 void ASN1_STRING_set_default_mask(unsigned long mask)
 {
diff --git a/main/openssl/crypto/bio/bio.h b/main/openssl/crypto/bio/bio.h
index 05699ab2..d05fa22a 100644
--- a/main/openssl/crypto/bio/bio.h
+++ b/main/openssl/crypto/bio/bio.h
@@ -266,6 +266,9 @@ void BIO_clear_flags(BIO *b, int flags);
 #define BIO_RR_CONNECT			0x02
 /* Returned from the accept BIO when an accept would have blocked */
 #define BIO_RR_ACCEPT			0x03
+/* Returned from the SSL bio when the channel id retrieval code cannot find the
+ * private key. */
+#define BIO_RR_SSL_CHANNEL_ID_LOOKUP	0x04
 
 /* These are passed by the BIO callback */
 #define BIO_CB_FREE	0x01
diff --git a/main/openssl/crypto/bio/bss_dgram.c b/main/openssl/crypto/bio/bss_dgram.c
index 54c012c4..d9967e72 100644
--- a/main/openssl/crypto/bio/bss_dgram.c
+++ b/main/openssl/crypto/bio/bss_dgram.c
@@ -1333,7 +1333,7 @@ static long dgram_sctp_ctrl(BIO *b, int cmd, long num, void *ptr)
 	bio_dgram_sctp_data *data = NULL;
 	socklen_t sockopt_len = 0;
 	struct sctp_authkeyid authkeyid;
-	struct sctp_authkey *authkey;
+	struct sctp_authkey *authkey = NULL;
 
 	data = (bio_dgram_sctp_data *)b->ptr;
 
@@ -1388,6 +1388,11 @@ static long dgram_sctp_ctrl(BIO *b, int cmd, long num, void *ptr)
 		/* Add new key */
 		sockopt_len = sizeof(struct sctp_authkey) + 64 * sizeof(uint8_t);
 		authkey = OPENSSL_malloc(sockopt_len);
+		if (authkey == NULL)
+			{
+			ret = -1;
+			break;
+			}
 		memset(authkey, 0x00, sockopt_len);
 		authkey->sca_keynumber = authkeyid.scact_keynumber + 1;
 #ifndef __FreeBSD__
@@ -1399,6 +1404,8 @@ static long dgram_sctp_ctrl(BIO *b, int cmd, long num, void *ptr)
 		memcpy(&authkey->sca_key[0], ptr, 64 * sizeof(uint8_t));
 
 		ret = setsockopt(b->num, IPPROTO_SCTP, SCTP_AUTH_KEY, authkey, sockopt_len);
+		OPENSSL_free(authkey);
+		authkey = NULL;
 		if (ret < 0) break;
 
 		/* Reset active key */
diff --git a/main/openssl/crypto/bn/bn_mont.c b/main/openssl/crypto/bn/bn_mont.c
index 427b5cf4..ee8532c7 100644
--- a/main/openssl/crypto/bn/bn_mont.c
+++ b/main/openssl/crypto/bn/bn_mont.c
@@ -478,32 +478,38 @@ BN_MONT_CTX *BN_MONT_CTX_copy(BN_MONT_CTX *to, BN_MONT_CTX *from)
 BN_MONT_CTX *BN_MONT_CTX_set_locked(BN_MONT_CTX **pmont, int lock,
 					const BIGNUM *mod, BN_CTX *ctx)
 	{
-	int got_write_lock = 0;
 	BN_MONT_CTX *ret;
 
 	CRYPTO_r_lock(lock);
-	if (!*pmont)
+	ret = *pmont;
+	CRYPTO_r_unlock(lock);
+	if (ret)
+		return ret;
+
+	/* We don't want to serialise globally while doing our lazy-init math in
+	 * BN_MONT_CTX_set. That punishes threads that are doing independent
+	 * things. Instead, punish the case where more than one thread tries to
+	 * lazy-init the same 'pmont', by having each do the lazy-init math work
+	 * independently and only use the one from the thread that wins the race
+	 * (the losers throw away the work they've done). */
+	ret = BN_MONT_CTX_new();
+	if (!ret)
+		return NULL;
+	if (!BN_MONT_CTX_set(ret, mod, ctx))
 		{
-		CRYPTO_r_unlock(lock);
-		CRYPTO_w_lock(lock);
-		got_write_lock = 1;
+		BN_MONT_CTX_free(ret);
+		return NULL;
+		}
 
-		if (!*pmont)
-			{
-			ret = BN_MONT_CTX_new();
-			if (ret && !BN_MONT_CTX_set(ret, mod, ctx))
-				BN_MONT_CTX_free(ret);
-			else
-				*pmont = ret;
-			}
+	/* The locked compare-and-set, after the local work is done. */
+	CRYPTO_w_lock(lock);
+	if (*pmont)
+		{
+		BN_MONT_CTX_free(ret);
+		ret = *pmont;
 		}
-	
-	ret = *pmont;
-	
-	if (got_write_lock)
-		CRYPTO_w_unlock(lock);
 	else
-		CRYPTO_r_unlock(lock);
-		
+		*pmont = ret;
+	CRYPTO_w_unlock(lock);
 	return ret;
 	}
diff --git a/main/openssl/crypto/cms/cms_env.c b/main/openssl/crypto/cms/cms_env.c
index be20b1c0..add00bf9 100644
--- a/main/openssl/crypto/cms/cms_env.c
+++ b/main/openssl/crypto/cms/cms_env.c
@@ -185,6 +185,8 @@ CMS_RecipientInfo *CMS_add1_recipient_cert(CMS_ContentInfo *cms,
 	if (flags & CMS_USE_KEYID)
 		{
 		ktri->version = 2;
+		if (env->version < 2)
+			env->version = 2;
 		type = CMS_RECIPINFO_KEYIDENTIFIER;
 		}
 	else
diff --git a/main/openssl/crypto/cms/cms_sd.c b/main/openssl/crypto/cms/cms_sd.c
index 77fbd135..51dd33a1 100644
--- a/main/openssl/crypto/cms/cms_sd.c
+++ b/main/openssl/crypto/cms/cms_sd.c
@@ -158,8 +158,8 @@ static void cms_sd_set_version(CMS_SignedData *sd)
 			if (sd->version < 3)
 				sd->version = 3;
 			}
-		else
-			sd->version = 1;
+		else if (si->version < 1)
+			si->version = 1;
 		}
 
 	if (sd->version < 1)
diff --git a/main/openssl/crypto/cms/cms_smime.c b/main/openssl/crypto/cms/cms_smime.c
index 8c56e3a8..1af9f3a6 100644
--- a/main/openssl/crypto/cms/cms_smime.c
+++ b/main/openssl/crypto/cms/cms_smime.c
@@ -611,7 +611,7 @@ int CMS_decrypt_set1_pkey(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert)
 	STACK_OF(CMS_RecipientInfo) *ris;
 	CMS_RecipientInfo *ri;
 	int i, r;
-	int debug = 0;
+	int debug = 0, ri_match = 0;
 	ris = CMS_get0_RecipientInfos(cms);
 	if (ris)
 		debug = cms->d.envelopedData->encryptedContentInfo->debug;
@@ -620,6 +620,7 @@ int CMS_decrypt_set1_pkey(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert)
 		ri = sk_CMS_RecipientInfo_value(ris, i);
 		if (CMS_RecipientInfo_type(ri) != CMS_RECIPINFO_TRANS)
 				continue;
+		ri_match = 1;
 		/* If we have a cert try matching RecipientInfo
 		 * otherwise try them all.
 		 */
@@ -655,7 +656,7 @@ int CMS_decrypt_set1_pkey(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert)
 			}
 		}
 	/* If no cert and not debugging always return success */
-	if (!cert && !debug)
+	if (ri_match && !cert && !debug)
 		{
 		ERR_clear_error();
 		return 1;
diff --git a/main/openssl/crypto/dso/dso_dlfcn.c b/main/openssl/crypto/dso/dso_dlfcn.c
index 5f225480..4a56aace 100644
--- a/main/openssl/crypto/dso/dso_dlfcn.c
+++ b/main/openssl/crypto/dso/dso_dlfcn.c
@@ -464,7 +464,7 @@ static int dlfcn_pathbyaddr(void *addr,char *path,int sz)
 		return len;
 		}
 
-	ERR_add_error_data(4, "dlfcn_pathbyaddr(): ", dlerror());
+	ERR_add_error_data(2, "dlfcn_pathbyaddr(): ", dlerror());
 #endif
 	return -1;
 	}
diff --git a/main/openssl/crypto/ec/ec_ameth.c b/main/openssl/crypto/ec/ec_ameth.c
index 0ce45240..f715a238 100644
--- a/main/openssl/crypto/ec/ec_ameth.c
+++ b/main/openssl/crypto/ec/ec_ameth.c
@@ -352,6 +352,7 @@ static int eckey_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey)
 		EC_KEY_set_enc_flags(ec_key, old_flags);
 		OPENSSL_free(ep);
 		ECerr(EC_F_ECKEY_PRIV_ENCODE, ERR_R_EC_LIB);
+		return 0;
 	}
 	/* restore old encoding flags */
 	EC_KEY_set_enc_flags(ec_key, old_flags);
diff --git a/main/openssl/crypto/ec/ec_asn1.c b/main/openssl/crypto/ec/ec_asn1.c
index 145807b6..e94f34e1 100644
--- a/main/openssl/crypto/ec/ec_asn1.c
+++ b/main/openssl/crypto/ec/ec_asn1.c
@@ -1435,8 +1435,11 @@ int i2o_ECPublicKey(EC_KEY *a, unsigned char **out)
 				*out, buf_len, NULL))
 		{
 		ECerr(EC_F_I2O_ECPUBLICKEY, ERR_R_EC_LIB);
-		OPENSSL_free(*out);
-		*out = NULL;
+		if (new_buffer)
+			{
+			OPENSSL_free(*out);
+			*out = NULL;
+			}
 		return 0;
 		}
 	if (!new_buffer)
diff --git a/main/openssl/crypto/ec/ec_lcl.h b/main/openssl/crypto/ec/ec_lcl.h
index 6f714c75..dae91483 100644
--- a/main/openssl/crypto/ec/ec_lcl.h
+++ b/main/openssl/crypto/ec/ec_lcl.h
@@ -405,7 +405,7 @@ int ec_GF2m_simple_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
 int ec_GF2m_precompute_mult(EC_GROUP *group, BN_CTX *ctx);
 int ec_GF2m_have_precompute_mult(const EC_GROUP *group);
 
-#ifndef OPENSSL_EC_NISTP_64_GCC_128
+#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
 /* method functions in ecp_nistp224.c */
 int ec_GFp_nistp224_group_init(EC_GROUP *group);
 int ec_GFp_nistp224_group_set_curve(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, const BIGNUM *n, BN_CTX *);
diff --git a/main/openssl/crypto/evp/bio_b64.c b/main/openssl/crypto/evp/bio_b64.c
index ac6d441a..16863fe2 100644
--- a/main/openssl/crypto/evp/bio_b64.c
+++ b/main/openssl/crypto/evp/bio_b64.c
@@ -226,6 +226,7 @@ static int b64_read(BIO *b, char *out, int outl)
 		else if (ctx->start)
 			{
 			q=p=(unsigned char *)ctx->tmp;
+			num = 0;
 			for (j=0; j<i; j++)
 				{
 				if (*(q++) != '\n') continue;
diff --git a/main/openssl/crypto/evp/encode.c b/main/openssl/crypto/evp/encode.c
index 28546a84..4654bdc6 100644
--- a/main/openssl/crypto/evp/encode.c
+++ b/main/openssl/crypto/evp/encode.c
@@ -324,6 +324,7 @@ int EVP_DecodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl,
 				v=EVP_DecodeBlock(out,d,n);
 				n=0;
 				if (v < 0) { rv=0; goto end; }
+				if (eof > v) { rv=-1; goto end; }
 				ret+=(v-eof);
 				}
 			else
diff --git a/main/openssl/crypto/evp/p_lib.c b/main/openssl/crypto/evp/p_lib.c
index bd1977d7..8ee53c1d 100644
--- a/main/openssl/crypto/evp/p_lib.c
+++ b/main/openssl/crypto/evp/p_lib.c
@@ -202,7 +202,7 @@ EVP_PKEY *EVP_PKEY_new(void)
 
 EVP_PKEY *EVP_PKEY_dup(EVP_PKEY *pkey)
 	{
-	CRYPTO_add(&pkey->references, 1, CRYPTO_LOCK_EVP_PKEY);
+	CRYPTO_add(&pkey->references,1,CRYPTO_LOCK_EVP_PKEY);
 	return pkey;
 	}
 
diff --git a/main/openssl/crypto/opensslv.h b/main/openssl/crypto/opensslv.h
index ebe71807..c3b6acec 100644
--- a/main/openssl/crypto/opensslv.h
+++ b/main/openssl/crypto/opensslv.h
@@ -25,11 +25,11 @@
  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
  *  major minor fix final patch/beta)
  */
-#define OPENSSL_VERSION_NUMBER	0x1000107fL
+#define OPENSSL_VERSION_NUMBER	0x1000108fL
 #ifdef OPENSSL_FIPS
-#define OPENSSL_VERSION_TEXT	"OpenSSL 1.0.1g-fips 7 Apr 2014"
+#define OPENSSL_VERSION_TEXT	"OpenSSL 1.0.1h-fips 5 Jun 2014"
 #else
-#define OPENSSL_VERSION_TEXT	"OpenSSL 1.0.1g 7 Apr 2014"
+#define OPENSSL_VERSION_TEXT	"OpenSSL 1.0.1h 5 Jun 2014"
 #endif
 #define OPENSSL_VERSION_PTEXT	" part of " OPENSSL_VERSION_TEXT
 
diff --git a/main/openssl/crypto/pkcs12/p12_crt.c b/main/openssl/crypto/pkcs12/p12_crt.c
index a34915d0..35e8a4a8 100644
--- a/main/openssl/crypto/pkcs12/p12_crt.c
+++ b/main/openssl/crypto/pkcs12/p12_crt.c
@@ -96,7 +96,11 @@ PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert,
 			nid_cert = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
 		else
 #endif
+#ifdef OPENSSL_NO_RC2
+		nid_cert = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
+#else
 		nid_cert = NID_pbe_WithSHA1And40BitRC2_CBC;
+#endif
 		}
 	if (!nid_key)
 		nid_key = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
@@ -286,7 +290,11 @@ int PKCS12_add_safe(STACK_OF(PKCS7) **psafes, STACK_OF(PKCS12_SAFEBAG) *bags,
 		free_safes = 0;
 
 	if (nid_safe == 0)
+#ifdef OPENSSL_NO_RC2
+		nid_safe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
+#else
 		nid_safe = NID_pbe_WithSHA1And40BitRC2_CBC;
+#endif
 
 	if (nid_safe == -1)
 		p7 = PKCS12_pack_p7data(bags);
diff --git a/main/openssl/crypto/pkcs12/p12_kiss.c b/main/openssl/crypto/pkcs12/p12_kiss.c
index 206b1b0b..c9b7ab61 100644
--- a/main/openssl/crypto/pkcs12/p12_kiss.c
+++ b/main/openssl/crypto/pkcs12/p12_kiss.c
@@ -269,7 +269,7 @@ static int parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen,
 			int len, r;
 			unsigned char *data;
 			len = ASN1_STRING_to_UTF8(&data, fname);
-			if(len > 0) {
+			if(len >= 0) {
 				r = X509_alias_set1(x509, data, len);
 				OPENSSL_free(data);
 				if (!r)
diff --git a/main/openssl/crypto/pkcs7/pk7_doit.c b/main/openssl/crypto/pkcs7/pk7_doit.c
index 77fda3b8..d91aa116 100644
--- a/main/openssl/crypto/pkcs7/pk7_doit.c
+++ b/main/openssl/crypto/pkcs7/pk7_doit.c
@@ -440,6 +440,11 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
 		{
 	case NID_pkcs7_signed:
 		data_body=PKCS7_get_octet_string(p7->d.sign->contents);
+		if (!PKCS7_is_detached(p7) && data_body == NULL)
+			{
+			PKCS7err(PKCS7_F_PKCS7_DATADECODE,PKCS7_R_INVALID_SIGNED_DATA_TYPE);
+			goto err;
+			}
 		md_sk=p7->d.sign->md_algs;
 		break;
 	case NID_pkcs7_signedAndEnveloped:
@@ -928,6 +933,7 @@ int PKCS7_SIGNER_INFO_sign(PKCS7_SIGNER_INFO *si)
 	if (EVP_DigestSignUpdate(&mctx,abuf,alen) <= 0)
 		goto err;
 	OPENSSL_free(abuf);
+	abuf = NULL;
 	if (EVP_DigestSignFinal(&mctx, NULL, &siglen) <= 0)
 		goto err;
 	abuf = OPENSSL_malloc(siglen);
diff --git a/main/openssl/crypto/pkcs7/pkcs7.h b/main/openssl/crypto/pkcs7/pkcs7.h
index e4d44319..04f60379 100644
--- a/main/openssl/crypto/pkcs7/pkcs7.h
+++ b/main/openssl/crypto/pkcs7/pkcs7.h
@@ -453,6 +453,7 @@ void ERR_load_PKCS7_strings(void);
 #define PKCS7_R_ERROR_SETTING_CIPHER			 121
 #define PKCS7_R_INVALID_MIME_TYPE			 131
 #define PKCS7_R_INVALID_NULL_POINTER			 143
+#define PKCS7_R_INVALID_SIGNED_DATA_TYPE		 155
 #define PKCS7_R_MIME_NO_CONTENT_TYPE			 132
 #define PKCS7_R_MIME_PARSE_ERROR			 133
 #define PKCS7_R_MIME_SIG_PARSE_ERROR			 134
diff --git a/main/openssl/crypto/pkcs7/pkcs7err.c b/main/openssl/crypto/pkcs7/pkcs7err.c
index d0af32a2..f3db08e0 100644
--- a/main/openssl/crypto/pkcs7/pkcs7err.c
+++ b/main/openssl/crypto/pkcs7/pkcs7err.c
@@ -1,6 +1,6 @@
 /* crypto/pkcs7/pkcs7err.c */
 /* ====================================================================
- * Copyright (c) 1999-2007 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2014 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -130,6 +130,7 @@ static ERR_STRING_DATA PKCS7_str_reasons[]=
 {ERR_REASON(PKCS7_R_ERROR_SETTING_CIPHER),"error setting cipher"},
 {ERR_REASON(PKCS7_R_INVALID_MIME_TYPE)   ,"invalid mime type"},
 {ERR_REASON(PKCS7_R_INVALID_NULL_POINTER),"invalid null pointer"},
+{ERR_REASON(PKCS7_R_INVALID_SIGNED_DATA_TYPE),"invalid signed data type"},
 {ERR_REASON(PKCS7_R_MIME_NO_CONTENT_TYPE),"mime no content type"},
 {ERR_REASON(PKCS7_R_MIME_PARSE_ERROR)    ,"mime parse error"},
 {ERR_REASON(PKCS7_R_MIME_SIG_PARSE_ERROR),"mime sig parse error"},
diff --git a/main/openssl/crypto/rsa/rsa_ameth.c b/main/openssl/crypto/rsa/rsa_ameth.c
index 5a2062f9..4c8ecd92 100644
--- a/main/openssl/crypto/rsa/rsa_ameth.c
+++ b/main/openssl/crypto/rsa/rsa_ameth.c
@@ -358,7 +358,7 @@ static int rsa_pss_param_print(BIO *bp, RSA_PSS_PARAMS *pss,
 		if (i2a_ASN1_INTEGER(bp, pss->saltLength) <= 0)
 			goto err;
 		}
-	else if (BIO_puts(bp, "0x14 (default)") <= 0)
+	else if (BIO_puts(bp, "14 (default)") <= 0)
 		goto err;
 	BIO_puts(bp, "\n");
 
diff --git a/main/openssl/crypto/srp/srp_vfy.c b/main/openssl/crypto/srp/srp_vfy.c
index 4a3d13ed..fdca19ff 100644
--- a/main/openssl/crypto/srp/srp_vfy.c
+++ b/main/openssl/crypto/srp/srp_vfy.c
@@ -93,6 +93,9 @@ static int t_fromb64(unsigned char *a, const char *src)
 		else a[i] = loc - b64table;
 		++i;
 		}
+	/* if nothing valid to process we have a zero length response */
+	if (i == 0)
+		return 0;
 	size = i;
 	i = size - 1;
 	j = size;
diff --git a/main/openssl/crypto/x509v3/v3_purp.c b/main/openssl/crypto/x509v3/v3_purp.c
index ad688657..f59bfc18 100644
--- a/main/openssl/crypto/x509v3/v3_purp.c
+++ b/main/openssl/crypto/x509v3/v3_purp.c
@@ -389,8 +389,8 @@ static void x509v3_cache_extensions(X509 *x)
 	/* Handle proxy certificates */
 	if((pci=X509_get_ext_d2i(x, NID_proxyCertInfo, NULL, NULL))) {
 		if (x->ex_flags & EXFLAG_CA
-		    || X509_get_ext_by_NID(x, NID_subject_alt_name, 0) >= 0
-		    || X509_get_ext_by_NID(x, NID_issuer_alt_name, 0) >= 0) {
+		    || X509_get_ext_by_NID(x, NID_subject_alt_name, -1) >= 0
+		    || X509_get_ext_by_NID(x, NID_issuer_alt_name, -1) >= 0) {
 			x->ex_flags |= EXFLAG_INVALID;
 		}
 		if (pci->pcPathLengthConstraint) {
@@ -670,7 +670,7 @@ static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x,
 		return 0;
 
 	/* Extended Key Usage MUST be critical */
-	i_ext = X509_get_ext_by_NID((X509 *) x, NID_ext_key_usage, 0);
+	i_ext = X509_get_ext_by_NID((X509 *) x, NID_ext_key_usage, -1);
 	if (i_ext >= 0)
 		{
 		X509_EXTENSION *ext = X509_get_ext((X509 *) x, i_ext);
-- 
cgit v1.2.3