CVSROOT: /cvs
Module name: src
Changes by: [email protected] 2026/06/26 00:03:32
Modified files:
lib/libcrypto/x509: x509_vfy.c
Log message:
x509_vfy: sync get_crl_sk() with BoringSSL and OpenSSL
Among CRLs with the same score prefer the one with the most recent
lastUpdate (RFC 5280 thisUpdate). This pulls in OpenSSL commits
626aa248, e032117d, 8b7c51a0 from 2016, so before the license change.
This uses the annoying ASN1_TIME_diff() API, but there is no better
way, really. Every other ASN1_TIME API will be just as awkward.
This fixes the currently failing x509_crl test cases.
ok kenjiro