Ensure current_crl always points to the crl we are considering

Ensure current_crl always points to the crl we are considering

As mentioned by Viktor Dukhovni, the desired behaviour is:

The current_crl is NULL when the running callback invocation is about errors
unrelated to validation failures via a particular CRL a user may want to
report the issuer of.

The current_crl is (whenever possible) not NULL when reporting errors
specifically related to that CRL.

The problem with this happens when we call check_crl with something that
is not what current_crl is set to. We can potentially enter the time check
code, and we then need to call the callback with the certificate that
failed the time check which is not current_crl.

Correct this by removing the dance in the time check code, and always
setting current_crl whenver we call check_crl.

This means that when we are considering a delta crl, we report the
correct crl to the callback, instead of possibly handing them NULL
(if they get called after a failing time check clobbers it), or the
non-delta crl (because we are looking at a delta while having
current_crl set to crl - which was why we had the dance in the time code
to begin with.  We don't need to change current_crl in the time check
code if we always have current_crl set to the thing we are evaluting.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Tue Feb  3 08:50:52 2026
(Merged from https://github.com/openssl/openssl/pull/29679)