Remove the delta CRL special case on expiry
We never set CRL_SCORE_TIME_DELTA.
Bug: 601
Change-Id: Ic7497492565bda9f3e9d7091f5e16b81e111cfa1
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/63937
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Bob Beck <bbe@google.com>
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 9210dcc..c750db2 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -77,42 +77,30 @@
// CRL score values
// No unhandled critical extensions
-
#define CRL_SCORE_NOCRITICAL 0x100
// certificate is within CRL scope
-
#define CRL_SCORE_SCOPE 0x080
// CRL times valid
-
#define CRL_SCORE_TIME 0x040
// Issuer name matches certificate
-
#define CRL_SCORE_ISSUER_NAME 0x020
// If this score or above CRL is probably valid
-
#define CRL_SCORE_VALID \
(CRL_SCORE_NOCRITICAL | CRL_SCORE_TIME | CRL_SCORE_SCOPE)
// CRL issuer is certificate issuer
-
#define CRL_SCORE_ISSUER_CERT 0x018
// CRL issuer is on certificate path
-
#define CRL_SCORE_SAME_PATH 0x008
// CRL issuer matches CRL AKID
-
#define CRL_SCORE_AKID 0x004
-// Have a delta CRL with valid times
-
-#define CRL_SCORE_TIME_DELTA 0x002
-
static int null_callback(int ok, X509_STORE_CTX *e);
static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer);
static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x);
@@ -910,8 +898,7 @@
return 0;
}
}
- // Ignore expiry of base CRL is delta is valid
- if ((i < 0) && !(ctx->current_crl_score & CRL_SCORE_TIME_DELTA)) {
+ if (i < 0) {
if (!notify) {
return 0;
}
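Review bot: With the delta special case gone, the `if (i < 0)` branch now rejects an expired base CRL unconditionally, and nothing in the hunk records that intent once the old comment is deleted; a one-line comment above it, `// A CRL past its validity window is always an error; there is no delta-CRL tolerance.`, would keep the reasoning visible to the next reader. In practice the behaviour does not change, since the commit message states CRL_SCORE_TIME_DELTA was never set and the removed condition was therefore dead. What `i` is derived from and which error is reported on the notify path are established outside the hunk; the enclosing function starts before and continues past it.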