Fix bug in X509_V_FLAG_IGNORE_CRITICAL CRL handling.

author Dr. Stephen Henson <steve@openssl.org>

Thu, 9 Jan 2014 22:47:22 +0000 (22:47 +0000)

committer Dr. Stephen Henson <steve@openssl.org>

Thu, 9 Jan 2014 22:52:49 +0000 (22:52 +0000)
author Dr. Stephen Henson <steve@openssl.org>
Thu, 9 Jan 2014 22:47:22 +0000 (22:47 +0000)
committer Dr. Stephen Henson <steve@openssl.org>
Thu, 9 Jan 2014 22:52:49 +0000 (22:52 +0000)
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c

index ab9bf8d18420f92b0a33f021b23a560a996352b9..b7e3f6e996f6c575afef04f9316b43116fb2bae4 100644 (file)
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -1614,10 +1614,9 @@ static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
          * a certificate was revoked. This has since been changed since 
          * critical extension can change the meaning of CRL entries.
          */
          * a certificate was revoked. This has since been changed since 
          * critical extension can change the meaning of CRL entries.
          */
-       if (crl->flags & EXFLAG_CRITICAL)
+       if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
+               && (crl->flags & EXFLAG_CRITICAL))
                 {
                 {
-               if (ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
-                       return 1;
                 ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION;
                 ok = ctx->verify_cb(0, ctx);
                 if(!ok)
                 ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION;
                 ok = ctx->verify_cb(0, ctx);
                 if(!ok)
author	Dr. Stephen Henson <steve@openssl.org>
	Thu, 9 Jan 2014 22:47:22 +0000 (22:47 +0000)
committer	Dr. Stephen Henson <steve@openssl.org>
	Thu, 9 Jan 2014 22:52:49 +0000 (22:52 +0000)