Add a comment on abuse of EXFLAG_INVALID

author tb <tb@openbsd.org>

Tue, 9 Apr 2024 15:00:44 +0000 (15:00 +0000)

committer tb <tb@openbsd.org>

Tue, 9 Apr 2024 15:00:44 +0000 (15:00 +0000)
author tb <tb@openbsd.org>
Tue, 9 Apr 2024 15:00:44 +0000 (15:00 +0000)
committer tb <tb@openbsd.org>
Tue, 9 Apr 2024 15:00:44 +0000 (15:00 +0000)
diff --git a/lib/libcrypto/x509/x509_purp.c b/lib/libcrypto/x509/x509_purp.c

index 8f4e593..baa33d5 100644 (file)
--- a/lib/libcrypto/x509/x509_purp.c
+++ b/lib/libcrypto/x509/x509_purp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_purp.c,v 1.40 2024/04/08 23:46:21 beck Exp $ */
+/* $OpenBSD: x509_purp.c,v 1.41 2024/04/09 15:00:44 tb Exp $ */
  /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
   * project 2001.
   */
@@ -398,6 +398,13 @@ x509v3_cache_extensions_internal(X509 *x)
         if (x->ex_flags & EXFLAG_SET)
                 return;
  
+       /*
+        * XXX - this should really only set EXFLAG_INVALID if extensions are
+        * invalid. However, the X509_digest() failure matches OpenSSL/BoringSSL
+        * behavior and the version checks are at least vaguely related to
+        * extensions.
+        */
+
         if (!X509_digest(x, X509_CERT_HASH_EVP, x->hash, NULL))
                 x->ex_flags |= EXFLAG_INVALID;