sync with OpenBSD -current

This commit is contained in:
purplerain 2024-03-20 03:03:31 +00:00
parent c8468dd63a
commit caadbe0d20
Signed by: purplerain
GPG Key ID: F42C07F07E2E35B7
15 changed files with 44 additions and 96 deletions


@ -1,4 +1,4 @@
# $OpenBSD: Makefile,v 1.174 2024/03/02 13:39:28 tb Exp $ # $OpenBSD: Makefile,v 1.175 2024/03/19 19:27:33 tb Exp $
LIB= crypto LIB= crypto
LIBREBUILD=y LIBREBUILD=y
@ -69,7 +69,6 @@ SRCS+= malloc-wrapper.c
SRCS+= mem_clr.c SRCS+= mem_clr.c
SRCS+= mem_dbg.c SRCS+= mem_dbg.c
SRCS+= o_fips.c SRCS+= o_fips.c
SRCS+= o_init.c
SRCS+= o_str.c SRCS+= o_str.c
# aes/ # aes/


@ -1,4 +1,4 @@
/* $OpenBSD: crypto_init.c,v 1.18 2024/01/25 12:22:31 tb Exp $ */ /* $OpenBSD: crypto_init.c,v 1.19 2024/03/19 19:27:33 tb Exp $ */
/* /*
* Copyright (c) 2018 Bob Beck <beck@openbsd.org> * Copyright (c) 2018 Bob Beck <beck@openbsd.org>
* *
@ -37,6 +37,11 @@ static pthread_once_t crypto_init_once = PTHREAD_ONCE_INIT;
static pthread_t crypto_init_thread; static pthread_t crypto_init_thread;
static int crypto_init_cleaned_up; static int crypto_init_cleaned_up;
void
OPENSSL_init(void)
{
}
static void static void
OPENSSL_init_crypto_internal(void) OPENSSL_init_crypto_internal(void)
{ {
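Review bot: The OPENSSL_init() definition added at the top of the hunk has an empty body and no comment, so a reader of crypto_init.c cannot tell whether it is an unfinished stub or a deliberate no-op. Since the same empty definition is moved here from the deleted o_init.c elsewhere in this commit, a one-line comment would settle that, e.g. `/* Historical no-op, presumably kept for callers that still invoke it; actual initialization appears to go through OPENSSL_init_crypto_internal() below. */`. The body of OPENSSL_init_crypto_internal() that opens on the hunk's last line continues outside the hunk.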


@ -1,4 +1,4 @@
.\" $OpenBSD: EVP_DigestInit.3,v 1.32 2024/03/05 17:21:40 tb Exp $ .\" $OpenBSD: EVP_DigestInit.3,v 1.33 2024/03/19 17:34:05 tb Exp $
.\" full merge up to: OpenSSL 7f572e95 Dec 2 13:57:04 2015 +0000 .\" full merge up to: OpenSSL 7f572e95 Dec 2 13:57:04 2015 +0000
.\" selective merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100 .\" selective merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
.\" .\"
@ -70,7 +70,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
.\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" OF THE POSSIBILITY OF SUCH DAMAGE.
.\" .\"
.Dd $Mdocdate: March 5 2024 $ .Dd $Mdocdate: March 19 2024 $
.Dt EVP_DIGESTINIT 3 .Dt EVP_DIGESTINIT 3
.Os .Os
.Sh NAME .Sh NAME
@ -547,7 +547,7 @@ main(int argc, char *argv[])
.Xr OCSP_request_sign 3 , .Xr OCSP_request_sign 3 ,
.Xr PKCS5_PBKDF2_HMAC 3 , .Xr PKCS5_PBKDF2_HMAC 3 ,
.Xr PKCS7_sign_add_signer 3 , .Xr PKCS7_sign_add_signer 3 ,
.Xr X509_ALGOR_set_md 3 , .Xr X509_ALGOR_set0 3 ,
.Xr X509_digest 3 , .Xr X509_digest 3 ,
.Xr X509_sign 3 .Xr X509_sign 3
.Sh HISTORY .Sh HISTORY


@ -1,4 +1,4 @@
.\" $OpenBSD: OPENSSL_malloc.3,v 1.11 2023/11/16 20:27:43 schwarze Exp $ .\" $OpenBSD: OPENSSL_malloc.3,v 1.12 2024/03/19 17:48:57 tb Exp $
.\" .\"
.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org> .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
.\" .\"
@ -14,16 +14,14 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" .\"
.Dd $Mdocdate: November 16 2023 $ .Dd $Mdocdate: March 19 2024 $
.Dt OPENSSL_MALLOC 3 .Dt OPENSSL_MALLOC 3
.Os .Os
.Sh NAME .Sh NAME
.Nm OPENSSL_malloc , .Nm OPENSSL_malloc ,
.Nm OPENSSL_realloc ,
.Nm OPENSSL_free , .Nm OPENSSL_free ,
.Nm OPENSSL_strdup , .Nm OPENSSL_strdup ,
.Nm CRYPTO_malloc , .Nm CRYPTO_malloc ,
.Nm CRYPTO_realloc ,
.Nm CRYPTO_free , .Nm CRYPTO_free ,
.Nm CRYPTO_strdup .Nm CRYPTO_strdup
.Nd legacy OpenSSL memory allocation wrappers .Nd legacy OpenSSL memory allocation wrappers
@ -33,11 +31,6 @@
.Fo OPENSSL_malloc .Fo OPENSSL_malloc
.Fa "size_t num" .Fa "size_t num"
.Fc .Fc
.Ft void *
.Fo OPENSSL_realloc
.Fa "void *addr"
.Fa "size_t num"
.Fc
.Ft void .Ft void
.Fo OPENSSL_free .Fo OPENSSL_free
.Fa "void *addr" .Fa "void *addr"
@ -52,13 +45,6 @@
.Fa "const char *file" .Fa "const char *file"
.Fa "int line" .Fa "int line"
.Fc .Fc
.Ft void *
.Fo CRYPTO_realloc
.Fa "void *p"
.Fa "size_t num"
.Fa "const char *file"
.Fa "int line"
.Fc
.Ft void .Ft void
.Fo CRYPTO_free .Fo CRYPTO_free
.Fa "void *str" .Fa "void *str"
@ -78,7 +64,6 @@ They are provided purely for compatibility with legacy application code.
All 8 of these functions are wrappers around the corresponding All 8 of these functions are wrappers around the corresponding
standard standard
.Xr malloc 3 , .Xr malloc 3 ,
.Xr realloc 3 ,
.Xr free 3 , .Xr free 3 ,
and and
.Xr strdup 3 .Xr strdup 3
@ -93,15 +78,13 @@ standard functions.
.Sh SEE ALSO .Sh SEE ALSO
.Xr crypto 3 .Xr crypto 3
.Sh HISTORY .Sh HISTORY
.Fn CRYPTO_malloc , .Fn CRYPTO_malloc
.Fn CRYPTO_realloc ,
and and
.Fn CRYPTO_free .Fn CRYPTO_free
first appeared in SSLeay 0.6.4 and have been available since first appeared in SSLeay 0.6.4 and have been available since
.Ox 2.4 . .Ox 2.4 .
.Pp .Pp
.Fn OPENSSL_malloc , .Fn OPENSSL_malloc
.Fn OPENSSL_realloc ,
and and
.Fn OPENSSL_free .Fn OPENSSL_free
first appeared in OpenSSL 0.9.6 and have been available since first appeared in OpenSSL 0.9.6 and have been available since


@ -1,4 +1,4 @@
.\" $OpenBSD: X509_ALGOR_dup.3,v 1.22 2023/10/13 05:49:34 tb Exp $ .\" $OpenBSD: X509_ALGOR_dup.3,v 1.23 2024/03/19 17:34:05 tb Exp $
.\" OpenSSL 4692340e Jun 7 15:49:08 2016 -0400 .\" OpenSSL 4692340e Jun 7 15:49:08 2016 -0400
.\" .\"
.\" This file is a derived work. .\" This file is a derived work.
@ -66,7 +66,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
.\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" OF THE POSSIBILITY OF SUCH DAMAGE.
.\" .\"
.Dd $Mdocdate: October 13 2023 $ .Dd $Mdocdate: March 19 2024 $
.Dt X509_ALGOR_DUP 3 .Dt X509_ALGOR_DUP 3
.Os .Os
.Sh NAME .Sh NAME
@ -75,7 +75,6 @@
.Nm X509_ALGOR_dup , .Nm X509_ALGOR_dup ,
.Nm X509_ALGOR_set0 , .Nm X509_ALGOR_set0 ,
.Nm X509_ALGOR_get0 , .Nm X509_ALGOR_get0 ,
.Nm X509_ALGOR_set_md ,
.Nm X509_ALGOR_cmp .Nm X509_ALGOR_cmp
.Nd create, change, and inspect algorithm identifiers .Nd create, change, and inspect algorithm identifiers
.Sh SYNOPSIS .Sh SYNOPSIS
@ -102,11 +101,6 @@
.Fa "const void **ppval" .Fa "const void **ppval"
.Fa "const X509_ALGOR *alg" .Fa "const X509_ALGOR *alg"
.Fc .Fc
.Ft void
.Fo X509_ALGOR_set_md
.Fa "X509_ALGOR *alg"
.Fa "const EVP_MD *md"
.Fc
.Ft int .Ft int
.Fo X509_ALGOR_cmp .Fo X509_ALGOR_cmp
.Fa "const X509_ALGOR *a" .Fa "const X509_ALGOR *a"
@ -240,22 +234,6 @@ then
.Pf * Fa ppval Ns 's .Pf * Fa ppval Ns 's
value is undefined. value is undefined.
.Pp .Pp
.Fn X509_ALGOR_set_md
sets
.Fa alg
to appropriate values for the message digest
.Fa md .
If the
.Dv EVP_MD_FLAG_DIGALGID_ABSENT
flag is not set on
.Fa md ,
.Fn X509_ALGOR_set_md
can leave
.Fa alg
in a corrupted state due to memory allocation failure.
This problem can be avoided by preallocating with an error-checked call to
.Fn X509_ALGOR_set0 alg NULL 0 NULL .
.Pp
.Fn X509_ALGOR_cmp .Fn X509_ALGOR_cmp
compares compares
.Fa a .Fa a
@ -317,10 +295,3 @@ first appeared in OpenSSL 0.9.8h and have been available since
first appeared in OpenSSL 0.9.8zd, 1.0.0p, and 1.0.1k first appeared in OpenSSL 0.9.8zd, 1.0.0p, and 1.0.1k
and has been available since and has been available since
.Ox 4.9 . .Ox 4.9 .
.Pp
.Fn X509_ALGOR_set_md
first appeared in OpenSSL 1.0.1 and has been available since
.Ox 5.3 .
.Sh BUGS
.Fn X509_ALGOR_set_md
can fail but cannot communicate failure to the caller.


@ -1,4 +1,4 @@
.\" $OpenBSD: evp.3,v 1.29 2024/03/06 02:34:14 tb Exp $ .\" $OpenBSD: evp.3,v 1.30 2024/03/19 17:34:05 tb Exp $
.\" full merge up to: OpenSSL man7/evp 24a535ea Sep 22 13:14:20 2020 +0100 .\" full merge up to: OpenSSL man7/evp 24a535ea Sep 22 13:14:20 2020 +0100
.\" .\"
.\" This file was written by Ulf Moeller <ulf@openssl.org>, .\" This file was written by Ulf Moeller <ulf@openssl.org>,
@ -51,7 +51,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
.\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" OF THE POSSIBILITY OF SUCH DAMAGE.
.\" .\"
.Dd $Mdocdate: March 6 2024 $ .Dd $Mdocdate: March 19 2024 $
.Dt EVP 3 .Dt EVP 3
.Os .Os
.Sh NAME .Sh NAME
@ -232,7 +232,7 @@ family of functions provides base64 encoding and decoding.
.Xr PKCS7_sign 3 , .Xr PKCS7_sign 3 ,
.Xr RSA_pkey_ctx_ctrl 3 , .Xr RSA_pkey_ctx_ctrl 3 ,
.Xr SSL_CTX_set_tlsext_ticket_key_cb 3 , .Xr SSL_CTX_set_tlsext_ticket_key_cb 3 ,
.Xr X509_ALGOR_set_md 3 , .Xr X509_ALGOR_set0 3 ,
.Xr X509_check_private_key 3 , .Xr X509_check_private_key 3 ,
.Xr X509_digest 3 , .Xr X509_digest 3 ,
.Xr X509_get_pubkey 3 , .Xr X509_get_pubkey 3 ,


@ -1,10 +0,0 @@
/* $OpenBSD: o_init.c,v 1.8 2014/06/12 15:49:27 deraadt Exp $ */
/* Ted Unangst places this file in the public domain. */
#include <openssl/crypto.h>
void
OPENSSL_init(void)
{
}


@ -1,4 +1,4 @@
/* $OpenBSD: if_sec.c,v 1.10 2024/01/24 00:17:01 dlg Exp $ */ /* $OpenBSD: if_sec.c,v 1.11 2024/03/19 03:49:11 dlg Exp $ */
/* /*
* Copyright (c) 2022 The University of Queensland * Copyright (c) 2022 The University of Queensland
@ -327,7 +327,7 @@ sec_output(struct ifnet *ifp, struct mbuf *m, struct sockaddr *dst,
error = if_enqueue(ifp, m); error = if_enqueue(ifp, m);
if (error != 0) if (error != 0)
counters_inc(ifp->if_counters, ifc_oerrors); counters_inc(ifp->if_counters, ifc_oqdrops);
return (error); return (error);
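Review bot: The failure branch after if_enqueue() now increments ifc_oqdrops instead of ifc_oerrors, but nothing in the hunk says why every non-zero return from if_enqueue() is an output-queue drop rather than an output error, so the distinction is easy to undo in a later edit. A short comment on the `if (error != 0)` line would pin it, e.g. `/* if_enqueue() only fails by dropping the packet at the queue */`, assuming that is indeed the contract — worth confirming against if_enqueue() itself. The enclosing sec_output() begins before the hunk.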


@ -1,4 +1,4 @@
/* $OpenBSD: cert.c,v 1.127 2024/02/16 14:48:47 tb Exp $ */ /* $OpenBSD: cert.c,v 1.128 2024/03/19 05:04:13 tb Exp $ */
/* /*
* Copyright (c) 2022 Theo Buehler <tb@openbsd.org> * Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
* Copyright (c) 2021 Job Snijders <job@openbsd.org> * Copyright (c) 2021 Job Snijders <job@openbsd.org>
@ -1198,7 +1198,7 @@ auth_find(struct auth_tree *auths, const char *aki)
} }
struct auth * struct auth *
auth_insert(struct auth_tree *auths, struct cert *cert, struct auth *parent) auth_insert(struct auth_tree *auths, struct cert *cert, struct auth *issuer)
{ {
struct auth *na; struct auth *na;
@ -1206,7 +1206,7 @@ auth_insert(struct auth_tree *auths, struct cert *cert, struct auth *parent)
if (na == NULL) if (na == NULL)
err(1, NULL); err(1, NULL);
na->parent = parent; na->issuer = issuer;
na->cert = cert; na->cert = cert;
na->any_inherits = x509_any_inherits(cert->x509); na->any_inherits = x509_any_inherits(cert->x509);


@ -1,4 +1,4 @@
/* $OpenBSD: extern.h,v 1.211 2024/03/17 01:44:59 tb Exp $ */ /* $OpenBSD: extern.h,v 1.212 2024/03/19 05:04:13 tb Exp $ */
/* /*
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv> * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
* *
@ -26,7 +26,7 @@
enum cert_as_type { enum cert_as_type {
CERT_AS_ID, /* single identifier */ CERT_AS_ID, /* single identifier */
CERT_AS_INHERIT, /* inherit from parent */ CERT_AS_INHERIT, /* inherit from issuer */
CERT_AS_RANGE, /* range of identifiers */ CERT_AS_RANGE, /* range of identifiers */
}; };
@ -376,7 +376,7 @@ struct gbr {
* A single ASPA record * A single ASPA record
*/ */
struct aspa { struct aspa {
int valid; /* contained in parent auth */ int valid; /* contained in issuer auth */
int talid; /* TAL the ASPA is chained up to */ int talid; /* TAL the ASPA is chained up to */
char *aia; /* AIA */ char *aia; /* AIA */
char *aki; /* AKI */ char *aki; /* AKI */
@ -491,7 +491,7 @@ RB_HEAD(crl_tree, crl);
struct auth { struct auth {
RB_ENTRY(auth) entry; RB_ENTRY(auth) entry;
struct cert *cert; /* owner information */ struct cert *cert; /* owner information */
struct auth *parent; /* pointer to parent or NULL for TA cert */ struct auth *issuer; /* pointer to issuer or NULL for TA cert */
int any_inherits; int any_inherits;
}; };
/* /*


@ -1,4 +1,4 @@
/* $OpenBSD: filemode.c,v 1.38 2024/02/22 12:49:42 job Exp $ */ /* $OpenBSD: filemode.c,v 1.39 2024/03/19 05:04:13 tb Exp $ */
/* /*
* Copyright (c) 2019 Claudio Jeker <claudio@openbsd.org> * Copyright (c) 2019 Claudio Jeker <claudio@openbsd.org>
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv> * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
@ -268,13 +268,13 @@ print_signature_path(const char *crl, const char *aia, const struct auth *a)
if (aia != NULL) if (aia != NULL)
printf(" %s\n", aia); printf(" %s\n", aia);
for (; a != NULL; a = a->parent) { for (; a != NULL; a = a->issuer) {
if (a->cert->crl != NULL) if (a->cert->crl != NULL)
printf(" %s\n", a->cert->crl); printf(" %s\n", a->cert->crl);
if (a->parent != NULL && a->parent->cert != NULL && if (a->issuer != NULL && a->issuer->cert != NULL &&
a->parent->cert->mft != NULL) a->issuer->cert->mft != NULL)
printf(" %s\n", printf(" %s\n",
a->parent->cert->mft); a->issuer->cert->mft);
if (a->cert->aia != NULL) if (a->cert->aia != NULL)
printf(" %s\n", a->cert->aia); printf(" %s\n", a->cert->aia);
} }


@ -1,4 +1,4 @@
/* $OpenBSD: ip.c,v 1.32 2023/12/27 07:15:55 tb Exp $ */ /* $OpenBSD: ip.c,v 1.33 2024/03/19 05:04:13 tb Exp $ */
/* /*
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv> * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
* *
@ -72,7 +72,7 @@ ip_addr_afi_parse(const char *fn, const ASN1_OCTET_STRING *p, enum afi *afi)
* specified in the "ips" array. * specified in the "ips" array.
* This means that the IP prefix must be strictly within the ranges or * This means that the IP prefix must be strictly within the ranges or
* singletons given in the array. * singletons given in the array.
* Return 0 if we're inheriting from the parent, >0 if we're covered, * Return 0 if we're inheriting from the issuer, >0 if we're covered,
* or <0 if we're not covered. * or <0 if we're not covered.
*/ */
int int


@ -1,4 +1,4 @@
/* $OpenBSD: parser.c,v 1.130 2024/03/01 08:10:09 tb Exp $ */ /* $OpenBSD: parser.c,v 1.131 2024/03/19 05:04:13 tb Exp $ */
/* /*
* Copyright (c) 2019 Claudio Jeker <claudio@openbsd.org> * Copyright (c) 2019 Claudio Jeker <claudio@openbsd.org>
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv> * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
@ -670,7 +670,7 @@ proc_parser_tak(char *file, const unsigned char *der, size_t len,
} }
/* TAK EE must be signed by self-signed CA */ /* TAK EE must be signed by self-signed CA */
if (a->parent != NULL) if (a->issuer != NULL)
goto out; goto out;
tak->talid = a->cert->talid; tak->talid = a->cert->talid;


@ -1,4 +1,4 @@
/* $OpenBSD: validate.c,v 1.72 2024/02/22 12:49:42 job Exp $ */ /* $OpenBSD: validate.c,v 1.73 2024/03/19 05:04:13 tb Exp $ */
/* /*
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv> * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
* *
@ -50,7 +50,7 @@ valid_as(struct auth *a, uint32_t min, uint32_t max)
return 0; return 0;
/* If it inherits, walk up the chain. */ /* If it inherits, walk up the chain. */
return valid_as(a->parent, min, max); return valid_as(a->issuer, min, max);
} }
/* /*
@ -76,13 +76,13 @@ valid_ip(struct auth *a, enum afi afi,
return 0; return 0;
/* If it inherits, walk up the chain. */ /* If it inherits, walk up the chain. */
return valid_ip(a->parent, afi, min, max); return valid_ip(a->issuer, afi, min, max);
} }
/* /*
* Make sure the AKI is the same as the AKI listed on the Manifest, * Make sure the AKI is the same as the AKI listed on the Manifest,
* and that the SKI doesn't already exist. * and that the SKI doesn't already exist.
* Return the parent by its AKI, or NULL on failure. * Return the issuer by its AKI, or NULL on failure.
*/ */
struct auth * struct auth *
valid_ski_aki(const char *fn, struct auth_tree *auths, valid_ski_aki(const char *fn, struct auth_tree *auths,
@ -357,7 +357,7 @@ build_chain(const struct auth *a, STACK_OF(X509) **intermediates,
err(1, "sk_X509_new_null"); err(1, "sk_X509_new_null");
if ((*root = sk_X509_new_null()) == NULL) if ((*root = sk_X509_new_null()) == NULL)
err(1, "sk_X509_new_null"); err(1, "sk_X509_new_null");
for (; a != NULL; a = a->parent) { for (; a != NULL; a = a->issuer) {
assert(a->cert->x509 != NULL); assert(a->cert->x509 != NULL);
if (!a->any_inherits) { if (!a->any_inherits) {
if (!sk_X509_push(*root, a->cert->x509)) if (!sk_X509_push(*root, a->cert->x509))


@ -1,4 +1,4 @@
/* $OpenBSD: x509.c,v 1.81 2024/02/22 12:49:42 job Exp $ */ /* $OpenBSD: x509.c,v 1.82 2024/03/19 05:04:13 tb Exp $ */
/* /*
* Copyright (c) 2022 Theo Buehler <tb@openbsd.org> * Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
* Copyright (c) 2021 Claudio Jeker <claudio@openbsd.org> * Copyright (c) 2021 Claudio Jeker <claudio@openbsd.org>
@ -1046,7 +1046,7 @@ x509_find_expires(time_t notafter, struct auth *a, struct crl_tree *crlt)
expires = notafter; expires = notafter;
for (; a != NULL; a = a->parent) { for (; a != NULL; a = a->issuer) {
if (expires > a->cert->notafter) if (expires > a->cert->notafter)
expires = a->cert->notafter; expires = a->cert->notafter;
crl = crl_get(crlt, a); crl = crl_get(crlt, a);