commit 3e28180d3a337a524c07c9301a967aaa739a10ec
author David Benjamin <davidben@google.com> Sun Nov 12 13:48:29 2023 -0500
committer Boringssl LUCI CQ <boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com> Fri Nov 17 18:47:30 2023 +0000
tree f8334dcff9a0752b433479bcbd1cc012fcb10f03
parent f86149982323e57050f853c278ce8aa955b681dc

Remove EXFLAG_FRESHEST

Update-Note: Though exported, this was an internal flag to the delta CRL
implementation. Remove it.

Bug: 601
Change-Id: Ic7f99da94391aea861fd7ea9ad79a3fb66cc649e
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/63930
Reviewed-by: Bob Beck <bbe@google.com>
Auto-Submit: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>

crypto/x509/x_crl.c

diff --git a/crypto/x509/x_crl.c b/crypto/x509/x_crl.c
index 81aa489..227867b 100644
--- a/crypto/x509/x_crl.c
+++ b/crypto/x509/x_crl.c
@@ -190,8 +190,6 @@
 static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
                   void *exarg) {
   X509_CRL *crl = (X509_CRL *)*pval;
-  STACK_OF(X509_EXTENSION) *exts;
-  X509_EXTENSION *ext;
   size_t idx;
   int i;
 
@@ -266,20 +264,14 @@
       // this in a flag. We only currently handle IDP so anything else
       // critical sets the flag. This code accesses the X509_CRL structure
       // directly: applications shouldn't do this.
-
-      exts = crl->crl->extensions;
-
+      const STACK_OF(X509_EXTENSION) *exts = crl->crl->extensions;
       for (idx = 0; idx < sk_X509_EXTENSION_num(exts); idx++) {
-        int nid;
-        ext = sk_X509_EXTENSION_value(exts, idx);
-        nid = OBJ_obj2nid(X509_EXTENSION_get_object(ext));
-        if (nid == NID_freshest_crl) {
-          crl->flags |= EXFLAG_FRESHEST;
-        }
+        const X509_EXTENSION *ext = sk_X509_EXTENSION_value(exts, idx);
+        int nid = OBJ_obj2nid(X509_EXTENSION_get_object(ext));
         if (X509_EXTENSION_get_critical(ext)) {
           // We handle IDP and deltas
-          if ((nid == NID_issuing_distribution_point) ||
-              (nid == NID_authority_key_identifier) || (nid == NID_delta_crl)) {
+          if (nid == NID_issuing_distribution_point ||
+              nid == NID_authority_key_identifier || nid == NID_delta_crl) {
             continue;
           }
           crl->flags |= EXFLAG_CRITICAL;

crypto/x509v3/v3_purp.c

diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c
index 1f5a88c..2952d2a 100644
--- a/crypto/x509v3/v3_purp.c
+++ b/crypto/x509v3/v3_purp.c
@@ -554,9 +554,6 @@
 
   for (j = 0; j < X509_get_ext_count(x); j++) {
     const X509_EXTENSION *ex = X509_get_ext(x, j);
-    if (OBJ_obj2nid(X509_EXTENSION_get_object(ex)) == NID_freshest_crl) {
-      x->ex_flags |= EXFLAG_FRESHEST;
-    }
     if (!X509_EXTENSION_get_critical(ex)) {
       continue;
     }

include/openssl/x509v3.h

diff --git a/include/openssl/x509v3.h b/include/openssl/x509v3.h
index 2a2e02c..7db61c5 100644
--- a/include/openssl/x509v3.h
+++ b/include/openssl/x509v3.h
@@ -342,7 +342,6 @@
 #define EXFLAG_SET 0x100
 #define EXFLAG_CRITICAL 0x200
 
-#define EXFLAG_FRESHEST 0x1000
 // Self signed
 #define EXFLAG_SS 0x2000