From: Nick Porter Date: Fri, 30 May 2025 15:17:43 +0000 (+0100) Subject: Extract and store CRL number X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=308c5ee349f1a67ed3cba9714eb0e0d5a445d38e;p=thirdparty%2Ffreeradius-server.git Extract and store CRL number Needed to verify that delta CRLs are for the correct base
---
diff --git a/src/modules/rlm_crl/rlm_crl.c b/src/modules/rlm_crl/rlm_crl.c
index 0d64cef73ea..5d81060eeeb 100644
--- a/src/modules/rlm_crl/rlm_crl.c
+++ b/src/modules/rlm_crl/rlm_crl.c
@@ -74,6 +74,7 @@ typedef struct {
 typedef struct {
 X509_CRL *crl; //!< The CRL.
 char const *cdp_url; //!< The URL of the CRL.
+ ASN1_INTEGER *crl_num; //!< The CRL number.
 fr_timer_t *ev; //!< When to expire the CRL
 fr_rb_node_t node; //!< The node in the tree
 rlm_crl_t const *inst; //!< The instance of the CRL module.
@@ -215,6 +216,7 @@ static crl_ret_t crl_check_serial(fr_rb_tree_t *crls, request_t *request, char c
 static int _crl_entry_free(crl_entry_t *crl_entry)
 {
 X509_CRL_free(crl_entry->crl);
+ if (crl_entry->crl_num) ASN1_INTEGER_free(crl_entry->crl_num);
 return 0;
 }
 
@@ -229,6 +231,7 @@ static crl_entry_t *crl_entry_create(rlm_crl_t const *inst, fr_timer_list_t *tl,
 time_t next_update;
 fr_time_t now = fr_time();
 fr_time_delta_t expiry_time;
+ int i;
 
 MEM(crl = talloc_zero(inst->mutable->crls, crl_entry_t));
 crl->cdp_url = talloc_bstrdup(crl, url);
@@ -241,6 +244,8 @@ static crl_entry_t *crl_entry_create(rlm_crl_t const *inst, fr_timer_list_t *tl,
 }
 talloc_set_destructor(crl, _crl_entry_free);
 
+ crl->crl_num = X509_CRL_get_ext_d2i(crl->crl, NID_crl_number, &i, NULL);
+
 if (fr_tls_utils_asn1time_to_epoch(&next_update, X509_CRL_get0_nextUpdate(crl->crl)) < 0) {
 fr_tls_strerror_printf("Failed to parse nextUpdate from CRL");
 goto error;
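Review bot: The NULL guard on the new line in _crl_entry_free is redundant: ASN1_INTEGER_free(), like the other OpenSSL *_free() routines, is a no-op when passed NULL, and the X509_CRL_free() call just above already relies on that convention. `ASN1_INTEGER_free(crl_entry->crl_num);` keeps the two frees consistent. A short comment on the struct field in the first hunk, such as `//!< The CRL number, NULL when the CRL carries no cRLNumber extension.`, would tell readers why the field can legitimately be unset.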
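Review bot: The result of X509_CRL_get_ext_d2i() on the new line in crl_entry_create is stored without looking at the criticality output written to i, so a CRL whose cRLNumber extension is present but malformed, or appears more than once, ends up with crl_num == NULL exactly like a CRL that has no such extension. Since the commit message says the number is needed to check that a delta CRL matches its base, those two cases should be distinguished: OpenSSL sets *crit to -1 only when the extension is absent, so a NULL result with any other value is a decode failure or a duplicate and should fail the load the same way the nextUpdate parse below does. Renaming `i` (declared in the previous hunk) to `crit` would make the flag's meaning obvious. crl_entry_create() starts and ends outside this hunk; I assume the `error:` label releases crl through the destructor set just above, which would then also free crl_num.
```c
	crl->crl_num = X509_CRL_get_ext_d2i(crl->crl, NID_crl_number, &i, NULL);
	if (!crl->crl_num && i != -1) {
		fr_tls_strerror_printf("Failed to parse CRL number extension");
		goto error;
	}
	/* … unchanged: nextUpdate parsing and expiry scheduling … */
```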