We should not use CRLs if now isn't between thisUpdate and nextUpdate. This also ensures that thisUpdate <= nextUpdate. While the verifier will catch all this, doing this early will often remove one of the two possible choices of a CRL to use for a MFT since these are typically short-lived. While there, let's simplify the exit of crl_parse().
I was pondering whether we should mark such CRLs stale and add them to the statistics as we do for MFTs, but I think it's not super interesting. Index: crl.c =================================================================== RCS file: /cvs/src/usr.sbin/rpki-client/crl.c,v retrieving revision 1.13 diff -u -p -r1.13 crl.c --- crl.c 8 Feb 2022 14:53:03 -0000 1.13 +++ crl.c 9 Feb 2022 06:23:30 -0000 @@ -34,7 +34,7 @@ crl_parse(const char *fn, const unsigned struct crl *crl; const ASN1_TIME *at; struct tm issued_tm, expires_tm; - int rc = 0; + time_t now; /* just fail for empty buffers, the warning was printed elsewhere */ if (der == NULL) @@ -66,7 +66,6 @@ crl_parse(const char *fn, const unsigned if ((crl->issued = mktime(&issued_tm)) == -1) errx(1, "%s: mktime failed", fn); - /* extract expire time for later use */ at = X509_CRL_get0_nextUpdate(crl->x509_crl); if (at == NULL) { warnx("%s: X509_CRL_get0_nextUpdate failed", fn); @@ -80,13 +79,25 @@ crl_parse(const char *fn, const unsigned if ((crl->expires = mktime(&expires_tm)) == -1) errx(1, "%s: mktime failed", fn); - rc = 1; - out: - if (rc == 0) { - crl_free(crl); - crl = NULL; + now = time(NULL); + if (now < crl->issued) { + if (verbose > 1) + warnx("%s: crl not yet valid %s", fn, + time2str(crl->issued)); + goto out; + } + if (now > crl->expires) { + if (verbose > 1) + warnx("%s: crl expired on %s", fn, + time2str(crl->expires)); + goto out; } + return crl; + + out: + crl_free(crl); + return NULL; } static inline int Index: extern.h =================================================================== RCS file: /cvs/src/usr.sbin/rpki-client/extern.h,v retrieving revision 1.118 diff -u -p -r1.118 extern.h --- extern.h 8 Feb 2022 14:53:03 -0000 1.118 +++ extern.h 9 Feb 2022 06:21:49 -0000 @@ -502,6 +502,7 @@ void entity_free(struct entity *); void entity_read_req(struct ibuf *, struct entity *); void entityq_flush(struct entityq *, struct repo *); void proc_parser(int) __attribute__((noreturn)); +char *time2str(time_t); /* Rsync-specific. */ Index: parser.c =================================================================== RCS file: /cvs/src/usr.sbin/rpki-client/parser.c,v retrieving revision 1.63 diff -u -p -r1.63 parser.c --- parser.c 8 Feb 2022 14:53:03 -0000 1.63 +++ parser.c 9 Feb 2022 06:19:40 -0000 @@ -94,7 +94,7 @@ repo_add(unsigned int id, char *path, ch errx(1, "repository already added: id %d, %s", id, path); } -static char * +char * time2str(time_t t) { static char buf[64];