Add a comment on abuse of EXFLAG_INVALID

We added things we probably shouldn't have, and so did BoringSSL and OpenSSL. Terrible API is terrible. discussed with jsing
author: tb <> 2024-04-09 15:00:44 +0000
committer: tb <> 2024-04-09 15:00:44 +0000
commit: bbf690f8fa85727944755535bb3512d598ade359 (patch)
tree: ed3bd5aa4d2988fb4a8dbd6af2702a94d176086b /src
parent: bc8830ea3ee7194a6d4d4915db8a2b7ccc9aef27 (diff)
download: openbsd-bbf690f8fa85727944755535bb3512d598ade359.tar.gz
openbsd-bbf690f8fa85727944755535bb3512d598ade359.tar.bz2
openbsd-bbf690f8fa85727944755535bb3512d598ade359.zip
1 files changed, 8 insertions, 1 deletions
diff --git a/src/lib/libcrypto/x509/x509_purp.c b/src/lib/libcrypto/x509/x509_purp.c
index 8f4e5934e1..baa33d5764 100644
--- a/src/lib/libcrypto/x509/x509_purp.c
+++ b/src/lib/libcrypto/x509/x509_purp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_purp.c,v 1.40 2024/04/08 23:46:21 beck Exp $ */
+/* $OpenBSD: x509_purp.c,v 1.41 2024/04/09 15:00:44 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2001.
 */
@@ -398,6 +398,13 @@ x509v3_cache_extensions_internal(X509 *x)
        if (x->ex_flags & EXFLAG_SET)
                return;
+        /*
+         * XXX - this should really only set EXFLAG_INVALID if extensions are
+         * invalid. However, the X509_digest() failure matches OpenSSL/BoringSSL
+         * behavior and the version checks are at least vaguely related to
+         * extensions.
+         */
        if (!X509_digest(x, X509_CERT_HASH_EVP, x->hash, NULL))
                x->ex_flags |= EXFLAG_INVALID;
author	tb <>	2024-04-09 15:00:44 +0000
committer	tb <>	2024-04-09 15:00:44 +0000
commit	bbf690f8fa85727944755535bb3512d598ade359 (patch)
tree	ed3bd5aa4d2988fb4a8dbd6af2702a94d176086b /src
parent	bc8830ea3ee7194a6d4d4915db8a2b7ccc9aef27 (diff)
download	openbsd-bbf690f8fa85727944755535bb3512d598ade359.tar.gz openbsd-bbf690f8fa85727944755535bb3512d598ade359.tar.bz2 openbsd-bbf690f8fa85727944755535bb3512d598ade359.zip