From f1558bb4243d83781793ed758367bd71d0983a35 Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson" <steve@openssl.org>
Date: Sun, 21 Oct 2001 02:09:15 +0000
Subject: Reject certificates with unhandled critical extensions.

---
 crypto/x509/x509_vfy.h | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'crypto/x509/x509_vfy.h')

diff --git a/crypto/x509/x509_vfy.h b/crypto/x509/x509_vfy.h
index 689062fa30..f0be21f452 100644
--- a/crypto/x509/x509_vfy.h
+++ b/crypto/x509/x509_vfy.h
@@ -303,6 +303,7 @@ struct x509_store_ctx_st      /* X509_STORE_CTX */
 #define		X509_V_ERR_KEYUSAGE_NO_CERTSIGN			32
 
 #define		X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER		33
+#define		X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION		34
 
 /* The application is not happy */
 #define		X509_V_ERR_APPLICATION_VERIFICATION		50
@@ -313,6 +314,7 @@ struct x509_store_ctx_st      /* X509_STORE_CTX */
 #define	X509_V_FLAG_USE_CHECK_TIME		0x2	/* Use check time instead of current time */
 #define	X509_V_FLAG_CRL_CHECK			0x4	/* Lookup CRLs */
 #define	X509_V_FLAG_CRL_CHECK_ALL		0x8	/* Lookup CRLs for whole chain */
+#define	X509_V_FLAG_IGNORE_CRITICAL		0x10	/* Ignore unhandled critical extensions */
 
 int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type,
 	     X509_NAME *name);
-- 
cgit v1.2.3