Fix bug in X509_V_FLAG_IGNORE_CRITICAL CRL handling.
authorDr. Stephen Henson <steve@openssl.org>
Thu, 9 Jan 2014 22:47:22 +0000 (22:47 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Thu, 9 Jan 2014 22:53:50 +0000 (22:53 +0000)
(cherry picked from commit 8f4077ca69076cebaca51b7b666db1ed49e46b9e)

crypto/x509/x509_vfy.c

index 677d9579d58444dad21eb876d7647b1319097864..bcbf9ea55039672b6ab8d493469a52523d43cbca 100644 (file)
@@ -1586,10 +1586,9 @@ static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
         * a certificate was revoked. This has since been changed since 
         * critical extension can change the meaning of CRL entries.
         */
-       if (crl->flags & EXFLAG_CRITICAL)
+       if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
+               && (crl->flags & EXFLAG_CRITICAL))
                {
-               if (ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
-                       return 1;
                ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION;
                ok = ctx->verify_cb(0, ctx);
                if(!ok)
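Review bot: The comment immediately above the rewritten condition explains why a critical CRL extension is an error but says nothing about X509_V_FLAG_IGNORE_CRITICAL, so a reader of the new code cannot tell from the comment that the flag now only suppresses this one error rather than short-circuiting the whole check as the removed `return 1` did. I would extend the comment with `* If X509_V_FLAG_IGNORE_CRITICAL is set the unhandled-extension error is not raised, but the remaining CRL processing in this function still runs.` so callers who set the flag understand exactly what verification they are giving up. The enclosing cert_crl() begins before and continues past this hunk, so whatever follows the critical-extension check (presumably the revocation lookup) is not visible here and the claim that it now runs in the ignore case is inferred from the removed early return.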