authorSebastian Benoit <benno@cvs.openbsd.org>2019-11-29 17:53:00 +0000
committerSebastian Benoit <benno@cvs.openbsd.org>2019-11-29 17:53:00 +0000
commitd50b796751661e8674e8ded958a55011b3514568 (patch)
tree939b3381ba3848db56471fd555272d1a0f96f696 /usr.sbin
parent2b80dabc696eaa345942c19df4c81c8a6644c040 (diff)
bring back CRL checks, noted by claudio@
Diffstat (limited to 'usr.sbin')
-rw-r--r--usr.sbin/rpki-client/main.c11
1 files changed, 7 insertions, 4 deletions
diff --git a/usr.sbin/rpki-client/main.c b/usr.sbin/rpki-client/main.c
index 4b6fb98f5c7..e72053c5bb6 100644
--- a/usr.sbin/rpki-client/main.c
+++ b/usr.sbin/rpki-client/main.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: main.c,v 1.43 2019/11/29 16:25:59 deraadt Exp $ */
+/* $OpenBSD: main.c,v 1.44 2019/11/29 17:52:59 benno Exp $ */
/*
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
*
@@ -841,7 +841,8 @@ proc_parser_roa(struct entity *entp,
if ((param = X509_STORE_CTX_get0_param(ctx)) == NULL)
cryptoerrx("X509_STORE_CTX_get0_param");
fl = X509_VERIFY_PARAM_get_flags(param);
- nfl = X509_V_FLAG_IGNORE_CRITICAL;
+ nfl = X509_V_FLAG_IGNORE_CRITICAL | X509_V_FLAG_CRL_CHECK |
+ X509_V_FLAG_CRL_CHECK_ALL
if (!X509_VERIFY_PARAM_set_flags(param, fl | nfl))
cryptoerrx("X509_VERIFY_PARAM_set_flags");
X509_STORE_CTX_set0_crls(ctx, crls);
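Review bot: The added continuation line `X509_V_FLAG_CRL_CHECK_ALL` in proc_parser_roa has no terminating semicolon, so the assignment runs into the following `if (!X509_VERIFY_PARAM_set_flags(param, fl | nfl))` and the file will not compile as shown; it should read `X509_V_FLAG_CRL_CHECK_ALL;` as in the proc_parser_mft and proc_parser_cert hunks. The same flag expression is now written out three times, and this slip shows how the copies can drift apart. A single file-level constant, for example `#define VERIFY_FLAGS (X509_V_FLAG_IGNORE_CRITICAL | X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL)` (the name is only a suggestion), used as `nfl = VERIFY_FLAGS;` in all three parsers, would keep revocation checking uniform. proc_parser_roa starts and ends outside this hunk.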
@@ -911,7 +912,8 @@ proc_parser_mft(struct entity *entp, int force, X509_STORE *store,
if ((param = X509_STORE_CTX_get0_param(ctx)) == NULL)
cryptoerrx("X509_STORE_CTX_get0_param");
fl = X509_VERIFY_PARAM_get_flags(param);
- nfl = X509_V_FLAG_IGNORE_CRITICAL;
+ nfl = X509_V_FLAG_IGNORE_CRITICAL | X509_V_FLAG_CRL_CHECK |
+ X509_V_FLAG_CRL_CHECK_ALL;
if (!X509_VERIFY_PARAM_set_flags(param, fl | nfl))
cryptoerrx("X509_VERIFY_PARAM_set_flags");
X509_STORE_CTX_set0_crls(ctx, crls);
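Review bot: Nothing at the `nfl` assignment records that revocation checking is a required part of validation, and the commit title suggests these flags were lost once before without anyone noticing at the time. With `X509_V_FLAG_CRL_CHECK_ALL` set, verification needs a usable CRL for the certificates in the chain, not only the leaf, and fails with X509_V_ERR_UNABLE_TO_GET_CRL when the stack handed to `X509_STORE_CTX_set0_crls` lacks one. A comment above the assignment such as `/* Revocation is enforced for the whole chain: crls must hold a CRL for each issuer, otherwise verification fails closed. */` would make that contract explicit here and at the identical sites in proc_parser_roa and proc_parser_cert. How `crls` is populated is outside the hunk, so it is worth confirming that it is complete for every legitimate object before relying on the stricter flags.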
@@ -981,7 +983,8 @@ proc_parser_cert(const struct entity *entp,
if ((param = X509_STORE_CTX_get0_param(ctx)) == NULL)
cryptoerrx("X509_STORE_CTX_get0_param");
fl = X509_VERIFY_PARAM_get_flags(param);
- nfl = X509_V_FLAG_IGNORE_CRITICAL;
+ nfl = X509_V_FLAG_IGNORE_CRITICAL | X509_V_FLAG_CRL_CHECK |
+ X509_V_FLAG_CRL_CHECK_ALL;
if (!X509_VERIFY_PARAM_set_flags(param, fl | nfl))
cryptoerrx("X509_VERIFY_PARAM_set_flags");
X509_STORE_CTX_set0_crls(ctx, crls);