Fix CRL distribution point scope check logic in crl_crldp_check#3109

Merged
samuel40791765 merged 1 commit into aws:fips-2025-09-12 from samuel40791765:fix-crl-fips-4
Mar 19, 2026
@samuel40791765
Contributor

Commit authored by @nebeid.

Description of changes:

A logic error in crl_crldp_check() (crypto/x509/x509_vfy.c) prevents CRL distribution point matching from ever running for normal certificates. When a CRL has an Issuing Distribution Point (IDP) extension, the CRL is incorrectly considered out of scope and a revoked certificate escapes detection.

Three bugs in one condition:

  1. && should be || — the comment says skip DPs with reasons OR CRLissuer, but the code only triggers when BOTH are present.
  2. return 1 should be continue — when the condition matches, the code declares the CRL in scope instead of skipping the DP.
  3. idp_check_dp is in the wrong branch — it only runs for DPs with reasons+CRLissuer, never for normal clean DPs.

Fix

Took upstream commit 5386d90.

Testing

Two test scenarios added in crypto/x509/x509_test.cc:

Scenario 1: Cert with a single clean CRLDP + CRL with matching IDP

Leaf has a clean CRLDP (distpoint URI only, no reasons, no CRLissuer). CRL has a matching IDP and revokes the leaf's serial.

  • Before fix: idp_check_dp is never called for clean DPs → CRL is out-of-scope.
  • After fix: idp_check_dp matches the distpoints → CRL in scope → CERT_REVOKED.

Scenario 2: Cert with two DPs + two CRLs

Leaf has two distribution points:

  • DP1: distpoint matching CRL-B IDP + reasons + CRLissuer (should be skipped)
  • DP2: clean distpoint (matches the revoking CRL-A)

CRL-A (matching IDP) revokes the leaf. CRL-B (other IDP) has no revocations.

  • Before fix:
    • DP1 has reasons+CRLissuer so the && condition is true. idp_check_dp matches DP1 against CRL-B → return 1 → CRL-B is in scope → no revocations → cert appears valid.
    • DP2 never gets checked against CRL-A; it's skipped both by the && check and by the fallback because it has an IDP.
  • After fix:
    • DP1 is skipped (|| catches reasons).
    • DP2 matches CRL-A via idp_check_dp → CERT_REVOKED.

PoC output without fix:

Scenario 1: Cert with clean CRLDP (distpoint only) + CRL with matching IDP
 Result: 44 (Different CRL scope)
 FAIL: Expected CERT_REVOKED (23), got 44

Scenario 2: Cert with two DPs (reasons+CRLissuer DP and clean DP) + two CRLs
 Result: 0 (ok)
 FAIL: Expected CERT_REVOKED (23), got 0

PoC output with fix:

Scenario 1: Cert with clean CRLDP (distpoint only) + CRL with matching IDP
 Result: 23 (certificate revoked)
 PASS: Revoked cert correctly detected

Scenario 2: Cert with two DPs (reasons+CRLissuer DP and clean DP) + two CRLs
 Result: 23 (certificate revoked)
 PASS: Revoked cert correctly detected

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.

@samuel40791765 samuel40791765 merged commit 27054b1 into aws:fips-2025-09-12 Mar 19, 2026
124 of 154 checks passed
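
The two scenarios from the description above, reduced to a small model of the scope decision, as an added example (not code from this pull request or from the library). The struct types, `idp_matches`, the function names and the URIs are hypothetical, and the fallback is simplified to "the CRL carries no IDP distribution point".

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for a certificate DP and a CRL (hypothetical types). */
struct dp  { const char *uri; int has_reasons; int has_crlissuer; };
struct crl { const char *idp_uri; };  /* NULL: CRL has no IDP distpoint */

/* Hypothetical stand-in for the distpoint comparison: exact URI match. */
static int idp_matches(const struct dp *dp, const struct crl *crl) {
    return crl->idp_uri != NULL && strcmp(dp->uri, crl->idp_uri) == 0;
}

/* Behaviour described for the code before the fix: the match only runs for
 * DPs carrying BOTH reasons and CRLissuer, and a match declares "in scope". */
int in_scope_before(const struct dp *dps, size_t n, const struct crl *crl) {
    for (size_t i = 0; i < n; i++) {
        if (dps[i].has_reasons && dps[i].has_crlissuer &&
            idp_matches(&dps[i], crl))
            return 1;
    }
    return crl->idp_uri == NULL;  /* fallback never helps a CRL with an IDP */
}

/* Behaviour described for the fix: skip any DP with reasons OR CRLissuer,
 * then run the match on the remaining clean DPs. */
int in_scope_after(const struct dp *dps, size_t n, const struct crl *crl) {
    for (size_t i = 0; i < n; i++) {
        if (dps[i].has_reasons || dps[i].has_crlissuer)
            continue;
        if (idp_matches(&dps[i], crl))
            return 1;
    }
    return crl->idp_uri == NULL;
}

/* Constructed sample data mirroring the two test scenarios. */
const struct crl CRL_A = { "http://crl.example/a" };  /* revokes the leaf */
const struct crl CRL_B = { "http://crl.example/b" };  /* no revocations   */
const struct dp S1[] = { { "http://crl.example/a", 0, 0 } };
const struct dp S2[] = { { "http://crl.example/b", 1, 1 },
                         { "http://crl.example/a", 0, 0 } };

int main(void) {
    printf("S1 CRL-A: before=%d after=%d\n",
           in_scope_before(S1, 1, &CRL_A), in_scope_after(S1, 1, &CRL_A));
    printf("S2 CRL-A: before=%d after=%d\n",
           in_scope_before(S2, 2, &CRL_A), in_scope_after(S2, 2, &CRL_A));
    printf("S2 CRL-B: before=%d after=%d\n",
           in_scope_before(S2, 2, &CRL_B), in_scope_after(S2, 2, &CRL_B));
    return 0;
}
```

In the model, the revoking CRL-A is only ever consulted once the clean DP is allowed to reach the match, which is why both scenarios move to CERT_REVOKED after the fix.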
@codecov-commenter

Codecov Report

❌ Patch coverage is 70.16129% with 37 lines in your changes missing coverage. Please review.
✅ Project coverage is 78.75%. Comparing base (3417d9e) to head (73bfa63).
⚠️ Report is 2 commits behind head on fips-2025-09-12.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| crypto/x509/x509_test.cc | 69.42% | 22 Missing and 15 partials ⚠️ |

Additional details and impacted files
@@                 Coverage Diff                 @@
##           fips-2025-09-12    #3109      +/-   ##
===================================================
+ Coverage            78.73%   78.75%   +0.01%     
===================================================
  Files                  667      667              
  Lines               113124   113248     +124     
  Branches             16057    16075      +18     
===================================================
+ Hits                 89072    89183     +111     
  Misses               23277    23277              
- Partials               775      788      +13     
