Remove the redundant idp_reasons field This is part of onlySomeReasons handling, which was removed with extended CRL support. Demonstrating that the code to be removed is a no-op takes a few steps, so I'm splitting this into a couple CLs for ease of review. First, every CRL either has the IDP_REASONS set, or idp_reasons is CRLDP_ALL_REASONS. The only thing that reads idp_reasons is crl_crldp_check, which is run after get_crl_score skips all IDP_REASONS certificates. Thus, the field can be assumed to be CRLDP_ALL_REASONS. Bug: 601 Change-Id: I4d41b5665d35db10dd9752e47553ae90f46f1e44 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/63934 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Bob Beck <bbe@google.com> Auto-Submit: David Benjamin <davidben@google.com>
diff --git a/crypto/x509/internal.h b/crypto/x509/internal.h index 72d0f9b..e56f243 100644 --- a/crypto/x509/internal.h +++ b/crypto/x509/internal.h
@@ -218,7 +218,6 @@ ISSUING_DIST_POINT *idp; // Convenient breakdown of IDP int idp_flags; - int idp_reasons; unsigned char crl_hash[SHA256_DIGEST_LENGTH]; STACK_OF(GENERAL_NAMES) *issuers; } /* X509_CRL */;
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index 1abbc00..c83de7d 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c
@@ -1257,7 +1257,7 @@ return 0; } } - *preasons = crl->idp_reasons; + *preasons = CRLDP_ALL_REASONS; for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++) { DIST_POINT *dp = sk_DIST_POINT_value(x->crldp, i); if (crldp_check_crlissuer(dp, crl, crl_score)) {
diff --git a/crypto/x509/x_crl.c b/crypto/x509/x_crl.c index e7b5eda..c999523 100644 --- a/crypto/x509/x_crl.c +++ b/crypto/x509/x_crl.c
@@ -190,7 +190,6 @@ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg) { X509_CRL *crl = (X509_CRL *)*pval; - size_t idx; int i; switch (operation) { @@ -199,7 +198,6 @@ crl->akid = NULL; crl->flags = 0; crl->idp_flags = 0; - crl->idp_reasons = CRLDP_ALL_REASONS; crl->issuers = NULL; break; @@ -248,7 +246,7 @@ // critical sets the flag. This code accesses the X509_CRL structure // directly: applications shouldn't do this. const STACK_OF(X509_EXTENSION) *exts = crl->crl->extensions; - for (idx = 0; idx < sk_X509_EXTENSION_num(exts); idx++) { + for (size_t idx = 0; idx < sk_X509_EXTENSION_num(exts); idx++) { const X509_EXTENSION *ext = sk_X509_EXTENSION_value(exts, idx); int nid = OBJ_obj2nid(X509_EXTENSION_get_object(ext)); if (X509_EXTENSION_get_critical(ext)) { @@ -306,13 +304,6 @@ if (idp->onlysomereasons) { crl->idp_flags |= IDP_REASONS; - if (idp->onlysomereasons->length > 0) { - crl->idp_reasons = idp->onlysomereasons->data[0]; - } - if (idp->onlysomereasons->length > 1) { - crl->idp_reasons |= (idp->onlysomereasons->data[1] << 8); - } - crl->idp_reasons &= CRLDP_ALL_REASONS; } return DIST_POINT_set_dpname(idp->distpoint, X509_CRL_get_issuer(crl));