From b0fd99856f5b87514c3514e4971843ef500af31d Mon Sep 17 00:00:00 2001
From: tb
Date: Tue, 9 Apr 2024 15:00:44 +0000
Subject: [PATCH] Add a comment on abuse of EXFLAG_INVALID

We added things we probably shouldn't have, and so did BoringSSL and OpenSSL. Terrible API is terrible. discussed with jsing
---
 lib/libcrypto/x509/x509_purp.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/lib/libcrypto/x509/x509_purp.c b/lib/libcrypto/x509/x509_purp.c
index 8f4e5934e1f..baa33d5764b 100644
--- a/lib/libcrypto/x509/x509_purp.c
+++ b/lib/libcrypto/x509/x509_purp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_purp.c,v 1.40 2024/04/08 23:46:21 beck Exp $ */
+/* $OpenBSD: x509_purp.c,v 1.41 2024/04/09 15:00:44 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2001. */
@@ -398,6 +398,13 @@ x509v3_cache_extensions_internal(X509 *x)
 if (x->ex_flags & EXFLAG_SET) return;
+ /*
+ * XXX - this should really only set EXFLAG_INVALID if extensions are
+ * invalid. However, the X509_digest() failure matches OpenSSL/BoringSSL
+ * behavior and the version checks are at least vaguely related to
+ * extensions.
+ */
+
 if (!X509_digest(x, X509_CERT_HASH_EVP, x->hash, NULL)) x->ex_flags |= EXFLAG_INVALID;
-- 
2.20.1
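Review bot: The new comment in the second hunk records why EXFLAG_INVALID is overloaded, but it does not say what the X509_digest() failure leaves behind. The `if` right after it only sets the flag and does not return, so caching carries on with an x->hash that presumably holds no valid digest. I would add one sentence to the comment, for example `* If X509_digest() fails, x->hash must not be used; EXFLAG_INVALID is the only indication, so callers have to treat it as fatal.` That also makes it explicit that this overload fails closed and should stay that way if the flag is ever split. The version checks the comment refers to and the rest of x509v3_cache_extensions_internal() lie outside the hunk, so whether later code reads x->hash without checking the flag cannot be confirmed from here.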