From: Martin Willi
Date: Fri, 17 Dec 2010 10:40:01 +0000 (+0100)
Subject: Fail on critical extensions in openssl CRLs
X-Git-Tag: 4.5.1~175
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e24a02a28fbde4efcba79da0bcf7068ad4127dae;p=thirdparty%2Fstrongswan.git
Fail on critical extensions in openssl CRLs
---
diff --git a/src/libstrongswan/plugins/openssl/openssl_crl.c b/src/libstrongswan/plugins/openssl/openssl_crl.c
index b9d97a9018..793899d33c 100644
--- a/src/libstrongswan/plugins/openssl/openssl_crl.c
+++ b/src/libstrongswan/plugins/openssl/openssl_crl.c
@@ -458,7 +458,12 @@ static bool parse_extensions(private_openssl_crl_t *this)
 ok = parse_crlNumber_ext(this, ext);
 break;
 default:
- ok = TRUE;
+ ok = X509_EXTENSION_get_critical(ext) != 0;
+ if (!ok)
+ {
+ DBG1(DBG_LIB, "found unsupported critical X.509 "
+ "CRL extension");
+ }
 break;
 }
 if (!ok)
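Review bot: The criticality test added in the `default:` branch looks inverted: `ok = X509_EXTENSION_get_critical(ext) != 0;` sets `ok` to true exactly when the unrecognised extension is marked critical. As written, a CRL carrying an unsupported critical extension is accepted, while a CRL carrying any unsupported non-critical extension is rejected and logged as "found unsupported critical X.509 CRL extension". That is the opposite of what the commit title states, and it means revocation data the parser cannot fully interpret would still be relied on. The assignment should read `ok = X509_EXTENSION_get_critical(ext) == 0;`, ideally with a test CRL for each case (unknown critical, unknown non-critical). parse_extensions begins and ends outside the hunk, so how `ok` is consumed after the `switch` is only partly visible here.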