Fix bug in X509_V_FLAG_IGNORE_CRITICAL CRL handling.

author: Dr. Stephen Henson <steve@openssl.org> 2014-01-09 22:47:22 +0000
committer: Dr. Stephen Henson <steve@openssl.org> 2014-01-09 22:52:49 +0000
commit: 8f4077ca69076cebaca51b7b666db1ed49e46b9e (patch)
tree: b4b7fd637a2ec6c481f6e03b6ebeba76a719f138 /crypto/x509
parent: 0ecfd920e592c4299b8154e675b164ded8c55cbb (diff)
download: openssl-8f4077ca69076cebaca51b7b666db1ed49e46b9e.tar.gz
1 files changed, 2 insertions, 3 deletions
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index ab9bf8d184..b7e3f6e996 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -1614,10 +1614,9 @@ static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
 	 * a certificate was revoked. This has since been changed since 
 	 * critical extension can change the meaning of CRL entries.
 	 */
-	if (crl->flags & EXFLAG_CRITICAL)
+	if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
+		&& (crl->flags & EXFLAG_CRITICAL))
 		{
-		if (ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
-			return 1;
 		ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION;
 		ok = ctx->verify_cb(0, ctx);
 		if(!ok)
author	Dr. Stephen Henson <steve@openssl.org>	2014-01-09 22:47:22 +0000
committer	Dr. Stephen Henson <steve@openssl.org>	2014-01-09 22:52:49 +0000
commit	8f4077ca69076cebaca51b7b666db1ed49e46b9e (patch)
tree	b4b7fd637a2ec6c481f6e03b6ebeba76a719f138 /crypto/x509
parent	0ecfd920e592c4299b8154e675b164ded8c55cbb (diff)
download	openssl-8f4077ca69076cebaca51b7b666db1ed49e46b9e.tar.gz