If not checking all certificates don't attempt to find a CRL
authorDr. Stephen Henson <steve@openssl.org>
Fri, 23 Oct 2009 12:06:35 +0000 (12:06 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Fri, 23 Oct 2009 12:06:35 +0000 (12:06 +0000)
for the leaf certificate of a CRL path.

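--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -679,7 +679,12 @@ static int check_revocation(X509_STORE_CTX *ctx)
        if (ctx->param->flags & X509_V_FLAG_CRL_CHECK_ALL)
                last = sk_X509_num(ctx->chain) - 1;
        else
+               {
+               /* If checking CRL paths this isn't the EE certificate */
+               if (ctx->parent)
+                       return 1;
                last = 0;
+               }
        for(i = 0; i <= last; i++)
                {
                ctx->error_depth = i;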
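Review bot: The early `return 1` in the new else branch reports success without consulting any CRL, and the one-line comment above it does not say that revocation checking is skipped for the whole chain. Judging from the commit message, `ctx->parent` is non-NULL only while a CRL issuer path is being verified, so without X509_V_FLAG_CRL_CHECK_ALL a revoked CRL-signing certificate would still pass this function. If that is the intended policy, the comment should say so. A possible wording is `/* ctx->parent set: this is a CRL issuer path, so chain[0] is not the EE certificate; in leaf-only mode no revocation check is done for this path (set X509_V_FLAG_CRL_CHECK_ALL to check it) */`. The body of check_revocation starts and ends outside this hunk, so how the return value is used by the caller is not visible here.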