From e0377f161e260f469c7bca512739a3c80f0a32b8 Mon Sep 17 00:00:00 2001
From: miod <>
Date: Fri, 11 Jul 2014 13:54:41 +0000
Subject: Tolerate critical AKID in CRLs; OpenSSL PR #3014 via OpenSSL trunk, and also update the comments to reflect what the code now does.
---
 src/lib/libssl/src/crypto/asn1/x_crl.c | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)
(limited to 'src/lib/libssl/src')
diff --git a/src/lib/libssl/src/crypto/asn1/x_crl.c b/src/lib/libssl/src/crypto/asn1/x_crl.c
index ad77ef7737..bdec50dc80 100644
--- a/src/lib/libssl/src/crypto/asn1/x_crl.c
+++ b/src/lib/libssl/src/crypto/asn1/x_crl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x_crl.c,v 1.17 2014/07/11 08:44:47 jsing Exp $ */
+/* $OpenBSD: x_crl.c,v 1.18 2014/07/11 13:54:41 miod Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -238,8 +238,8 @@ crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg)
 crl->flags |= EXFLAG_INVALID;
 /* See if we have any unhandled critical CRL extensions and
- * indicate this in a flag. We only currently handle IDP so
- * anything else critical sets the flag.
+ * indicate this in a flag. We only currently handle IDP,
+ * AKID and deltas, so anything else critical sets the flag.
 *
 * This code accesses the X509_CRL structure directly:
 * applications shouldn't do this.
@@ -254,10 +254,11 @@ crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg)
 if (nid == NID_freshest_crl)
 crl->flags |= EXFLAG_FRESHEST;
 if (ext->critical > 0) {
- /* We handle IDP and deltas */
- if ((nid == NID_issuing_distribution_point) ||
- (nid == NID_delta_crl))
- break;;
+ /* We handle IDP, AKID and deltas */
+ if (nid == NID_issuing_distribution_point ||
+ nid == NID_authority_key_identifier ||
+ nid == NID_delta_crl)
+ break;
 crl->flags |= EXFLAG_CRITICAL;
 break;
 }
--
cgit v1.2.3-55-g6feb
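Review bot: In the last hunk, the `break;` taken for a handled critical extension (IDP, and now AKID and delta) appears to end the whole extension scan rather than skip to the next extension, so nothing after the first critical extension is examined. The enclosing loop starts outside the hunk, so this is inferred from the two `break` statements sitting in the same block. If it holds, a CRL whose critical AKID precedes an unhandled critical extension would never get `EXFLAG_CRITICAL`, which contradicts the comment updated in the previous hunk ("anything else critical sets the flag"). Using `continue;` for the handled case, and keeping `break;` only after `crl->flags |= EXFLAG_CRITICAL;`, would make the check fail closed. The same early exit would also skip a later `NID_freshest_crl` entry, leaving `EXFLAG_FRESHEST` unset.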