PR: 1899

Submitted by: Ger Hobbelt <ger@hobbelt.com>
Approved by: steve@openssl.org

Check for <= 0 when verifying CRL issuers.

diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index f662124d76332d9da3494f4febde8a3983db8734..9ff66cff1323c6bd2a6ff66f604e6c15a57b3ac4 100644 (file)
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -1124,7 +1124,7 @@ static int check_crl_path(X509_STORE_CTX *ctx, X509 *x)
        /* Verify CRL issuer */
        ret = X509_verify_cert(&crl_ctx);
 
-       if (!ret)
+       if (ret <= 0)
                goto err;
 
        /* Check chain is acceptable */