From 9ad5b7ec744e57a40a33cd8080a894fc6e159a75 Mon Sep 17 00:00:00 2001
From: tb
Date: Tue, 7 Apr 2026 12:52:19 +0000
Subject: [PATCH] Add a few to-do items to the crl_cb()

Prompted by the "fix" fighting symptoms of misdesign in Delta CRL processing rather than addressing the root cause. Probably the best fix is to remove support for Indirect CRLs and Delta CRLs outright.

ok jsing
---
 lib/libcrypto/asn1/x_crl.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/lib/libcrypto/asn1/x_crl.c b/lib/libcrypto/asn1/x_crl.c
index 59f867bc128..d95b044a89b 100644
--- a/lib/libcrypto/asn1/x_crl.c
+++ b/lib/libcrypto/asn1/x_crl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x_crl.c,v 1.51 2025/08/19 21:54:11 tb Exp $ */
+/* $OpenBSD: x_crl.c,v 1.52 2026/04/07 12:52:19 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -282,6 +282,11 @@ crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg)
 break;
 
 case ASN1_OP_D2I_POST:
+ /*
+ * XXX - This sets EXFLAG_INVALID but there's no code checking
+ * it. The verifier treats CRLs with EXFLAG_INVALID as valid.
+ * Also fix all the missing and incomplete error checks here.
+ */
 X509_CRL_digest(crl, X509_CRL_HASH_EVP, crl->hash, NULL);
 crl->idp = X509_CRL_get_ext_d2i(crl, NID_issuing_distribution_point, NULL, NULL);
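Review bot: The `X509_CRL_digest()` call directly under the new comment still discards its return value, so a digest failure leaves `crl->hash` unpopulated while decoding continues as if the hash were computed — one of the very "missing error checks" the comment defers rather than fixes. Checking it is a one-line change, `if (!X509_CRL_digest(crl, X509_CRL_HASH_EVP, crl->hash, NULL)) return 0;`, which presumably matches the callback's other failure returns; crl_cb's body continues outside the hunk, including the code that sets EXFLAG_INVALID that the comment's "This" refers to. If the to-do is kept as is, it would read less ambiguously as `XXX - the code below sets EXFLAG_INVALID but nothing checks it; the verifier treats such CRLs as valid.`, since "This" placed at the top of the case label has no visible antecedent.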