diff options
author | Dr. Stephen Henson <steve@openssl.org> | 2014-01-09 22:47:22 +0000 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2014-01-09 22:52:49 +0000 |
commit | 8f4077ca69076cebaca51b7b666db1ed49e46b9e (patch) | |
tree | b4b7fd637a2ec6c481f6e03b6ebeba76a719f138 /crypto/x509 | |
parent | 0ecfd920e592c4299b8154e675b164ded8c55cbb (diff) | |
download | openssl-8f4077ca69076cebaca51b7b666db1ed49e46b9e.tar.gz |
Fix bug in X509_V_FLAG_IGNORE_CRITICAL CRL handling.
Diffstat (limited to 'crypto/x509')
-rw-r--r-- | crypto/x509/x509_vfy.c | 5 |
1 files changed, 2 insertions, 3 deletions
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index ab9bf8d184..b7e3f6e996 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -1614,10 +1614,9 @@ static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x) * a certificate was revoked. This has since been changed since * critical extension can change the meaning of CRL entries. */ - if (crl->flags & EXFLAG_CRITICAL) + if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) + && (crl->flags & EXFLAG_CRITICAL)) { - if (ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) - return 1; ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION; ok = ctx->verify_cb(0, ctx); if(!ok) |