Add a few to-do items to the crl_cb()

Prompted by the "fix" fighting symptoms of misdesign in Delta CRL processing
rather than addressing the root cause. Probably the best fix is to remove
support for Indirect CRLs and Delta CRLs outright.

ok jsing

1 files changed, 6 insertions, 1 deletions

diff --git a/src/lib/libcrypto/asn1/x_crl.c b/src/lib/libcrypto/asn1/x_crl.c
index 59f867bc12..d95b044a89 100644
--- a/src/lib/libcrypto/asn1/x_crl.c
+++ b/src/lib/libcrypto/asn1/x_crl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x_crl.c,v 1.51 2025/08/19 21:54:11 tb Exp $ */
+/* $OpenBSD: x_crl.c,v 1.52 2026/04/07 12:52:19 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -282,6 +282,11 @@ crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg)
                 break;
 
         case ASN1_OP_D2I_POST:
+                /*
+                 * XXX - This sets EXFLAG_INVALID but there's no code checking
+                 * it. The verifier treats CRLs with EXFLAG_INVALID as valid.
+                 * Also fix all the missing and incomplete error checks here.
+                 */
                 X509_CRL_digest(crl, X509_CRL_HASH_EVP, crl->hash, NULL);
                 crl->idp = X509_CRL_get_ext_d2i(crl,
                     NID_issuing_distribution_point, NULL, NULL);