mirror of https://github.com/openbsd/src.git synced 2026-04-15 17:54:36 +00:00

Stop Delta CRL processing if a CRL number is missing

A malformed Delta CRL could cause a crash. Funnily enough the deserializer
recognizes this and marks such a CRL as invalid, but nothing ever checks
the EXFLAG_INVALID for CRLs. For certificates this would usually result in
verification failure due to x509v3_cache_extensions() failing.

This is only reachable if the X509_V_FLAG_USE_DELTAS is used, which only
a handful of ports do, plus openssl(1) does if you use the undocumented
-use_deltas flag.

Reported by Igor Morgenstern to OpenSSL who then sat on this since Jan 8
and assigned CVE-2026-28388.

ok jsing
This commit is contained in:
tb
2026-04-07 12:48:37 +00:00
parent 333bb2fb25
commit 842a6bbe14


@@ -1,4 +1,4 @@
/* $OpenBSD: x509_vfy.c,v 1.148 2025/05/10 05:54:39 tb Exp $ */
/* $OpenBSD: x509_vfy.c,v 1.149 2026/04/07 12:48:37 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -1148,11 +1148,15 @@ crl_extension_match(X509_CRL *a, X509_CRL *b, int nid)
static int
check_delta_base(X509_CRL *delta, X509_CRL *base)
{
/* Delta CRL must be a delta */
if (!delta->base_crl_number)
/*
* Delta CRL must be a delta and have a CRL number.
* XXX - This means EXFLAG_INVALID was set by crl_cb(),
* which we should check somewhere and bail out.
*/
if (delta->base_crl_number == NULL || delta->crl_number == NULL)
return 0;
/* Base must have a CRL number */
if (!base->crl_number)
if (base->crl_number == NULL)
return 0;
/* Issuer names must match */
if (X509_NAME_cmp(X509_CRL_get_issuer(base),