openbsd/src
1
0
Fork 0
mirror of https://github.com/openbsd/src.git synced 2026-04-15 17:54:36 +00:00
Code Issues Projects Releases Wiki Activity

Add a few to-do items to the crl_cb()

Browse Source 
Prompted by the "fix" fighting symptoms of misdesign in Delta CRL processing
rather than addressing the root cause. Probably the best fix is to remove
support for Indirect CRLs and Delta CRLs outright.

ok jsing
This commit is contained in:
tb
2026-04-07 12:52:19 +00:00
parent 842a6bbe14
commit 9ad5b7ec74
1 changed files with 6 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
lib/libcrypto/asn1/x_crl.c
View File

@@ -1,4 +1,4 @@
/* $OpenBSD: x_crl.c,v 1.51 2025/08/19 21:54:11 tb Exp $ */
/* $OpenBSD: x_crl.c,v 1.52 2026/04/07 12:52:19 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -282,6 +282,11 @@ crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg)
break;
case ASN1_OP_D2I_POST:
/*
* XXX - This sets EXFLAG_INVALID but there's no code checking
* it. The verifier treats CRLs with EXFLAG_INVALID as valid.
* Also fix all the missing and incomplete error checks here.
*/
X509_CRL_digest(crl, X509_CRL_HASH_EVP, crl->hash, NULL);
crl->idp = X509_CRL_get_ext_d2i(crl,
NID_issuing_distribution_point, NULL, NULL);