authorNikos Mavrogiannopoulos <nmav@redhat.com>2014-09-16 10:58:06 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2014-09-16 11:20:06 +0200
commit63e39ceeffaa89d92dc1b6a871f795d21b0ae73b (patch)
treef5a93ab2bb7219308a79bb106e2bfaeeda8c3d53
parent2ff7411111834bf497eb9ec45bb45670506e0b93 (diff)
downloadgnutls-63e39ceeffaa89d92dc1b6a871f795d21b0ae73b.tar.gz
hostname and key purpose checks were moved above CRL checks
-rw-r--r--lib/x509/verify-high.c54
1 files changed, 28 insertions, 26 deletions
diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
index d296a5115c..86b49a2975 100644
--- a/lib/x509/verify-high.c
+++ b/lib/x509/verify-high.c
@@ -936,6 +936,34 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
}
}
+ /* End-certificate, key purpose and hostname checks. */
+ if (purpose) do {
+ gnutls_datum_t ext_data = {NULL, 0};
+
+ ret = gnutls_x509_crt_get_extension_by_oid2(cert_list[0], "2.5.29.37", 0, &ext_data, NULL);
+ if (ret < 0) {
+ /* it's not a fatal error if the extended key usage extension isn't there */
+ gnutls_assert();
+ break;
+ }
+
+ ret = check_key_purpose(cert_list[0], &ext_data, voutput, purpose);
+ gnutls_free(ext_data.data);
+
+ if (ret < 0) {
+ gnutls_assert();
+ }
+ } while(0);
+
+ if (hostname) {
+ ret =
+ gnutls_x509_crt_check_hostname2(cert_list[0], hostname, flags);
+ if (ret == 0)
+ *voutput |= GNUTLS_CERT_UNEXPECTED_OWNER|GNUTLS_CERT_INVALID;
+ }
+
+ /* CRL checks follow */
+
if (*voutput != 0 || (flags & GNUTLS_VERIFY_DISABLE_CRL_CHECKS))
return 0;
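Review bot: The `/* CRL checks follow */` comment understates what the relocation changes: the `if (*voutput != 0 || (flags & GNUTLS_VERIFY_DISABLE_CRL_CHECKS)) return 0;` directly below the moved block now returns before the CRL section whenever the purpose or hostname check has already set GNUTLS_CERT_INVALID, so a certificate that is both revoked and issued to an unexpected owner is reported with GNUTLS_CERT_UNEXPECTED_OWNER|GNUTLS_CERT_INVALID and, as far as these lines show, without any revocation flag. If that is the intent (no CRL processing for a chain already rejected) it is worth stating, e.g. `/* CRL checks follow; they are skipped when the purpose or hostname checks above have already invalidated the chain. */`. The `ret < 0` branch after check_key_purpose only calls gnutls_assert(), so the block presumably relies on check_key_purpose updating *voutput itself; a one-line comment saying so would spare the next reader from checking. The enclosing gnutls_x509_trust_list_verify_crt2 begins before this hunk and continues past it.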
@@ -974,32 +1002,6 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
}
}
- /* check the purpose if given */
- if (purpose) do {
- gnutls_datum_t ext_data = {NULL, 0};
-
- ret = gnutls_x509_crt_get_extension_by_oid2(cert_list[0], "2.5.29.37", 0, &ext_data, NULL);
- if (ret < 0) {
- /* it's not a fatal error if the extended key usage extension isn't there */
- gnutls_assert();
- break;
- }
-
- ret = check_key_purpose(cert_list[0], &ext_data, voutput, purpose);
- gnutls_free(ext_data.data);
-
- if (ret < 0) {
- gnutls_assert();
- }
- } while(0);
-
- if (hostname) {
- ret =
- gnutls_x509_crt_check_hostname2(cert_list[0], hostname, flags);
- if (ret == 0)
- *voutput |= GNUTLS_CERT_UNEXPECTED_OWNER|GNUTLS_CERT_INVALID;
- }
-
return 0;
}