
Fix CRL distribution point scope check logic in crl_crldp_check #3105

Merged
samuel40791765 merged 1 commit into aws:main from samuel40791765:fix-crl-main
Mar 19, 2026

@samuel40791765

Commit authored by @nebeid.

Description of changes:

A logic error in crl_crldp_check() (crypto/x509/x509_vfy.c) prevents CRL distribution point matching from ever running for normal certificates. When a CRL has an Issuing Distribution Point (IDP) extension, the CRL is incorrectly considered out of scope and a revoked certificate escapes detection.

Three bugs in one condition:

  1. && should be || — the comment says skip DPs with reasons OR CRLissuer, but the code only triggers when BOTH are present.
  2. return 1 should be continue — when the condition matches, the code declares the CRL in scope instead of skipping the DP.
  3. idp_check_dp is in the wrong branch — it only runs for DPs with reasons+CRLissuer, never for normal clean DPs.

Fix

Took upstream commit 5386d90.

Testing

Two test scenarios added in crypto/x509/x509_test.cc:

Scenario 1: Cert with a single clean CRLDP + CRL with matching IDP

Leaf has a clean CRLDP (distpoint URI only, no reasons, no CRLissuer). CRL has a matching IDP and revokes the leaf's serial.

  • Before fix: idp_check_dp is never called for clean DPs → CRL is out-of-scope.
  • After fix: idp_check_dp matches the distpoints → CRL in scope → CERT_REVOKED.

Scenario 2: Cert with two DPs + two CRLs

Leaf has two distribution points:

  • DP1: distpoint matching CRL-B IDP + reasons + CRLissuer (should be skipped)
  • DP2: clean distpoint (matches the revoking CRL-A)

CRL-A (matching IDP) revokes the leaf. CRL-B (other IDP) has no revocations.

  • Before fix:
    • DP1 has reasons+CRLissuer so the && condition is true. idp_check_dp matches DP1 against CRL-B → return 1 → CRL-B is in scope → no revocations → cert appears valid.
    • DP2 never gets checked against CRL-A; it's skipped both by the && check and by the fallback because it has an IDP.
  • After fix:
    • DP1 is skipped (|| catches reasons).
    • DP2 matches CRL-A via idp_check_dp → CERT_REVOKED.

PoC output without fix:

Scenario 1: Cert with clean CRLDP (distpoint only) + CRL with matching IDP
 Result: 44 (Different CRL scope)
 FAIL: Expected CERT_REVOKED (23), got 44

Scenario 2: Cert with two DPs (reasons+CRLissuer DP and clean DP) + two CRLs
 Result: 0 (ok)
 FAIL: Expected CERT_REVOKED (23), got 0

PoC output with fix:

Scenario 1: Cert with clean CRLDP (distpoint only) + CRL with matching IDP
 Result: 23 (certificate revoked)
 PASS: Revoked cert correctly detected

Scenario 2: Cert with two DPs (reasons+CRLissuer DP and clean DP) + two CRLs
 Result: 23 (certificate revoked)
 PASS: Revoked cert correctly detected

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.
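
The three bugs and both test scenarios from the description above, as a simplified C model (an added example, not the AWS-LC source or the PR's test code). The struct layout, function names and URIs are hypothetical; the result codes 0, 23 and 44 are the ones shown in the PoC output.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Simplified model: DP name = one URI, strcmp() = idp_check_dp(), idp NULL = no IDP. */
struct dist_point { const char *uri; bool has_reasons, has_crl_issuer; };
struct crl { const char *idp; bool revokes_leaf; };
typedef bool (*scope_fn)(const struct dist_point *, size_t, const char *);
enum { RESULT_OK = 0, RESULT_REVOKED = 23, RESULT_DIFFERENT_SCOPE = 44 };

/* Before the fix: the name match is reached only for reasons AND CRLissuer DPs. */
static bool in_scope_before(const struct dist_point *dps, size_t n, const char *idp) {
    for (size_t i = 0; i < n; i++)
        if (dps[i].has_reasons && dps[i].has_crl_issuer && idp && strcmp(dps[i].uri, idp) == 0)
            return true; /* declares the CRL in scope instead of skipping the DP */
    return idp == NULL;  /* fallback: a CRL carrying an IDP is out of scope */
}

static bool in_scope_after(const struct dist_point *dps, size_t n, const char *idp) {
    for (size_t i = 0; i < n; i++) {
        if (dps[i].has_reasons || dps[i].has_crl_issuer) continue; /* fix: skip this DP */
        if (idp && strcmp(dps[i].uri, idp) == 0) return true;      /* clean DP matches IDP */
    }
    return idp == NULL;
}

/* Revoked if an in-scope CRL lists the leaf; scope error if no CRL is in scope. */
static int check_leaf(scope_fn in_scope, const struct dist_point *dps, size_t ndp,
                      const struct crl *crls, size_t ncrl) {
    int result = RESULT_DIFFERENT_SCOPE;
    for (size_t j = 0; j < ncrl; j++) {
        if (!in_scope(dps, ndp, crls[j].idp)) continue;
        if (crls[j].revokes_leaf) return RESULT_REVOKED;
        result = RESULT_OK;
    }
    return result;
}

/* Constructed data for the PR's scenarios: DP1 flagged, DP2 clean; CRL-A revokes. */
static const struct dist_point DPS[] = {{"http://crl.test/b", true, true},
                                        {"http://crl.test/a", false, false}};
static const struct crl CRLS[] = {{"http://crl.test/a", true}, {"http://crl.test/b", false}};
static int scenario1(scope_fn f) { return check_leaf(f, &DPS[1], 1, CRLS, 1); }
static int scenario2(scope_fn f) { return check_leaf(f, DPS, 2, CRLS, 2); }

int main(void) {
    printf("before fix: %d %d\n", scenario1(in_scope_before), scenario2(in_scope_before));
    printf("after fix:  %d %d\n", scenario1(in_scope_after), scenario2(in_scope_after));
    return 0;
}
```

The model treats any in-scope CRL that lists the leaf as decisive, which is a simplification of real CRL selection during path validation.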

@codecov-commenter

codecov-commenter commented Mar 19, 2026

Codecov Report

❌ Patch coverage is 70.16129% with 37 lines in your changes missing coverage. Please review.
✅ Project coverage is 78.20%. Comparing base (a9e26fe) to head (ed5e786).
⚠️ Report is 5 commits behind head on main.

Files with missing lines Patch % Lines
crypto/x509/x509_test.cc 69.42% 22 Missing and 15 partials ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #3105      +/-   ##
==========================================
+ Coverage   78.18%   78.20%   +0.01%     
==========================================
  Files         689      689              
  Lines      121825   121949     +124     
  Branches    16994    17013      +19     
==========================================
+ Hits        95247    95366     +119     
+ Misses      25694    25683      -11     
- Partials      884      900      +16     


@samuel40791765 samuel40791765 merged commit 4738958 into aws:main Mar 19, 2026
459 of 466 checks passed
@samuel40791765 samuel40791765 deleted the fix-crl-main branch March 19, 2026 19:27