Skip to content

Retain flag after custom critical extensions check#3030

Merged
samuel40791765 merged 1 commit intoaws:mainfrom
samuel40791765:fix-custom-ext
Feb 26, 2026
Merged

Retain flag after custom critical extensions check#3030
samuel40791765 merged 1 commit intoaws:mainfrom
samuel40791765:fix-custom-ext

Conversation

@samuel40791765
Copy link
Copy Markdown
Contributor

@samuel40791765 samuel40791765 commented Feb 23, 2026

Description of changes:

check_custom_critical_extensions previously cleared the EXFLAG_CRITICAL bit from a certificate's cached ex_flags after successfully validating custom critical extensions. The original intent was to record that the certificate's critical extensions had been handled, preserving that outcome for the certificate going forward.
However, custom critical extension validation is a property of the verification context, not the certificate itself. This change removes the flag clearing so that the custom extension check is evaluated during each verification rather than permanently mutated on the cert. This ensures that re-verifying the same X509 object without a custom callback correctly reports X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION.

Call-outs:

N/A

Testing:

Tweak and add minor test that checks the behavior.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.

@samuel40791765 samuel40791765 requested a review from a team as a code owner February 23, 2026 23:46
@codecov-commenter
Copy link
Copy Markdown

codecov-commenter commented Feb 24, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 78.36%. Comparing base (c74fef5) to head (a1119e7).
⚠️ Report is 30 commits behind head on main.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #3030      +/-   ##
==========================================
+ Coverage   78.30%   78.36%   +0.05%     
==========================================
  Files         689      689              
  Lines      120966   121011      +45     
  Branches    16989    16991       +2     
==========================================
+ Hits        94722    94827     +105     
+ Misses      25349    25288      -61     
- Partials      895      896       +1

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@samuel40791765
Copy link
Copy Markdown
Contributor Author

samuel40791765 commented Feb 24, 2026

Synced up s2n-tls team that this won't break them or their consumers.

@samuel40791765 samuel40791765 enabled auto-merge (squash) February 24, 2026 18:54
@samuel40791765 samuel40791765 merged commit bf03332 into aws:main Feb 26, 2026
650 of 659 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@skmcgrail skmcgrail skmcgrail approved these changes

@justsmth justsmth justsmth approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@samuel40791765 @codecov-commenter @skmcgrail @justsmth