If not checking all certificates don't attempt to find a CRL
[oweals/openssl.git] / crypto / x509 / x509_vfy.c
index c680980f8a2c15198be74667bb93b0e0218be46e..f5f632a45dd45dd62dd2136f5add5cb76de05b03 100644 (file)
@@ -679,7 +679,12 @@ static int check_revocation(X509_STORE_CTX *ctx)
        if (ctx->param->flags & X509_V_FLAG_CRL_CHECK_ALL)
                last = sk_X509_num(ctx->chain) - 1;
        else
+               {
+               /* If checking CRL paths this isn't the EE certificate */
+               if (ctx->parent)
+                       return 1;
                last = 0;
+               }
        for(i = 0; i <= last; i++)
                {
                ctx->error_depth = i;
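Review bot: The comment on the new early return in the `else` branch says what `ctx->parent` implies but not what follows from it: without X509_V_FLAG_CRL_CHECK_ALL, no certificate in a CRL issuer's path is revocation-checked at all. That is a policy decision callers should be able to read at the point where it is made, so I would expand the comment to something like `/* Nested CRL-path context: chain[0] is the CRL issuer, not the EE. Without CRL_CHECK_ALL nothing in this chain is revocation-checked. */`. It would also help to state the same thing wherever the CRL_CHECK and CRL_CHECK_ALL flags are documented, so deployments that need CRL signer certificates checked know to set CRL_CHECK_ALL. The body of check_revocation continues past the end of this hunk.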
@@ -1387,7 +1392,7 @@ static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
 
                        if (!(ctx->current_crl_score & CRL_SCORE_SAME_PATH))
                                {
-                               if (!check_crl_path(ctx, ctx->current_issuer))
+                               if (check_crl_path(ctx, ctx->current_issuer) <= 0)
                                        {
                                        ctx->error = X509_V_ERR_CRL_PATH_VALIDATION_ERROR;
                                        ok = ctx->verify_cb(0, ctx);
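Review bot: The `<= 0` test on `check_crl_path()` carries no comment explaining that a negative return must fail closed, and since the earlier `!` form accepted any non-zero value, a later cleanup could easily revert it. check_crl_path itself is not visible here; presumably it returns a negative value on an internal error or a refused nested validation, which should be confirmed. I would add `/* 0 = path invalid, < 0 = error: both must reject the CRL */` above the call. Both outcomes are reported as X509_V_ERR_CRL_PATH_VALIDATION_ERROR, so a verify callback that overrides this error cannot tell a bad path from an internal failure. The enclosing check_crl body starts and ends outside this hunk.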