Reject certificates with unhandled critical extensions.
[openssl.git] / crypto / x509 / x509_vfy.c
index 892b7849fd3ca2d943c9aa048c422903939bf8f0..3c69bb9e0ec392bd17b93b4044ca04005ee5f7a7 100644 (file)
@@ -384,6 +384,15 @@ static int check_chain_purpose(X509_STORE_CTX *ctx)
        for (i = 0; i < ctx->last_untrusted; i++)
                {
                x = sk_X509_value(ctx->chain, i);
+               if (!(ctx->flags & X509_V_FLAG_IGNORE_CRITICAL)
+                       && (x->ex_flags & EXFLAG_CRITICAL))
+                       {
+                       ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION;
+                       ctx->error_depth = i;
+                       ctx->current_cert = x;
+                       ok=cb(0,ctx);
+                       if (!ok) goto end;
+                       }
                if (!X509_check_purpose(x, ctx->purpose, i))
                        {
                        if (i)
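Review bot: The new critical-extension check runs only for the untrusted part of the chain, because the enclosing loop is bounded by ctx->last_untrusted; any trusted certificate beyond that index with an unhandled critical extension is never examined here, which may be intended for trust anchors but should be stated. The check also silently depends on x->ex_flags having already been populated (presumably by the extension-caching step), so a certificate whose extensions were never cached would pass the EXFLAG_CRITICAL test with nothing flagged. A comment above the added `if` would make both assumptions visible: `/* Unhandled critical extensions are fatal unless X509_V_FLAG_IGNORE_CRITICAL is set; relies on ex_flags already being cached, and only covers untrusted certs (loop bound last_untrusted). */`. Placing the check before X509_check_purpose is a good choice since the more specific error is reported first, but note that a callback returning non-zero overrides it and verification continues. check_chain_purpose begins and ends outside the hunk, including the `end` label the added `goto` targets.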
@@ -721,8 +730,6 @@ static int internal_verify(X509_STORE_CTX *ctx)
                        if (!ok) goto end;
                        }
 
-               /* CRL CHECK */
-
                /* The last error (if any) is still in the error value */
                ctx->current_cert=xs;
                ok=(*cb)(1,ctx);