author: schwarze <> 2021-11-13 18:24:45 +0000
committer: schwarze <> 2021-11-13 18:24:45 +0000
commit: d1c771771e633b52f5fb1935364b74f017dd074c
tree: af2b33645fa80d440b575ecb9471393968b5dc08 /src/lib/libssl/d1_srtp.c
parent: 3cb18f834001c26f2b63b0c01567a7babf1c6ec6

Fix a bug in check_crl_time() that could result in incomplete verification, accepting CRLs that ought to be rejected, if an unusual combination of verification flags was specified.

If time verification was explicitly requested with X509_V_FLAG_USE_CHECK_TIME, it was skipped on CRLs if X509_V_FLAG_NO_CHECK_TIME was also set, even though the former is documented to override the latter both in the OpenSSL and in the LibreSSL X509_VERIFY_PARAM_set_flags(3) manual page.

The same bug in x509_check_cert_time() was already fixed by beck@ in rev. 1.57 on 2017/01/20.

This syncs the beginning of the function check_crl_time() with the OpenSSL 1.1.1 branch, which is still under a free license.

OK beck@

This teaches that having too many flags and options is bad because they breed bugs, and even more so if they are poorly designed to override each other in surprising ways.

Diffstat (limited to 'src/lib/libssl/d1_srtp.c')
0 files changed, 0 insertions, 0 deletions
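
The flag precedence described in the commit message, as an added C model that is not the LibreSSL or OpenSSL source. The struct, the function names and the flag bit values are hypothetical stand-ins, and only a nextUpdate comparison is modelled.

```c
#include <stdio.h>
#include <time.h>

/* Stand-in bits for this model; real code uses the X509_V_FLAG_* macros. */
#define USE_CHECK_TIME 0x1UL
#define NO_CHECK_TIME  0x2UL

struct params {              /* hypothetical, simplified verify parameters */
	unsigned long flags;
	time_t check_time;   /* caller-supplied time for USE_CHECK_TIME */
};

/* Ordering the message describes as the bug: NO_CHECK_TIME wins. */
static int
crl_time_ok_buggy(const struct params *p, time_t next_update, time_t now)
{
	time_t t = now;

	if (p->flags & NO_CHECK_TIME)
		return 1;    /* time check skipped even if explicitly requested */
	if (p->flags & USE_CHECK_TIME)
		t = p->check_time;
	return t <= next_update;
}

/* Documented ordering: USE_CHECK_TIME overrides NO_CHECK_TIME. */
static int
crl_time_ok_fixed(const struct params *p, time_t next_update, time_t now)
{
	time_t t = now;

	if (p->flags & USE_CHECK_TIME)
		t = p->check_time;
	else if (p->flags & NO_CHECK_TIME)
		return 1;
	return t <= next_update;
}

int
main(void)
{
	/* Constructed sample: nextUpdate = 1000, requested check time = 2000. */
	struct params both = { USE_CHECK_TIME | NO_CHECK_TIME, 2000 };

	printf("expired CRL accepted? buggy=%d fixed=%d\n",
	    crl_time_ok_buggy(&both, 1000, 500),
	    crl_time_ok_fixed(&both, 1000, 500));
	return 0;
}
```

With both flags set, the first ordering accepts a CRL that is expired at the requested check time, while the second rejects it; with only one flag set, the two orderings agree.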