From: Dr. Stephen Henson Date: Thu, 9 Jan 2014 22:47:22 +0000 (+0000) Subject: Fix bug in X509_V_FLAG_IGNORE_CRITICAL CRL handling. X-Git-Tag: OpenSSL_1_0_0m~95 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=6c6f6c44e55a744d63c11ed6b0a696e9325bed7f;p=oweals%2Fopenssl.git Fix bug in X509_V_FLAG_IGNORE_CRITICAL CRL handling. (cherry picked from commit 8f4077ca69076cebaca51b7b666db1ed49e46b9e) --- diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index 5195ffef26..920066aeba 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -1462,10 +1462,9 @@ static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x) * a certificate was revoked. This has since been changed since * critical extension can change the meaning of CRL entries. */ - if (crl->flags & EXFLAG_CRITICAL) + if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) + && (crl->flags & EXFLAG_CRITICAL)) { - if (ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) - return 1; ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION; ok = ctx->verify_cb(0, ctx); if(!ok)