From 60565bcb5c26f38b9f1c0261c0608751979571d4 Mon Sep 17 00:00:00 2001
From: Damien Miller
Date: Tue, 12 Feb 2013 10:56:42 +1100
Subject: - djm@cvs.openbsd.org 2013/01/25 10:22:19 [krl.c] redo last commit without the vi-vomit that snuck in: skip serial lookup when cert's serial number is zero (now with 100% better comment)
---
 krl.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
(limited to 'krl.c')
diff --git a/krl.c b/krl.c
index 6d86c2097..e4e1788f4 100644
--- a/krl.c
+++ b/krl.c
@@ -14,7 +14,7 @@
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
-/* $OpenBSD: krl.c,v 1.7 2013/01/25 05:00:27 krw Exp $ */
+/* $OpenBSD: krl.c,v 1.8 2013/01/25 10:22:19 djm Exp $ */
 #include "includes.h"
@@ -1148,8 +1148,11 @@ is_key_revoked(struct ssh_krl *krl, const Key *key)
 return -1;
 }
- /* Legacy cert formats lack serial numbers */
- if (key_cert_is_legacy(key))
+ /*
+ * Legacy cert formats lack serial numbers. Zero serials numbers
+ * are ignored (it's the default when the CA doesn't specify one).
+ */
+ if (key_cert_is_legacy(key) || key->cert->serial == 0)
 return 0;
 bzero(&rs, sizeof(rs));
--
cgit v1.2.3
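Review bot: The new comment above `if (key_cert_is_legacy(key) || key->cert->serial == 0)` in is_key_revoked() says zero serials are ignored, but not what that means for revocation. Because this branch returns 0 before the serial lookup that starts at `bzero(&rs, sizeof(rs))`, a KRL entry for serial 0, or a range that includes 0, can never match a certificate. Any certificate issued without an explicit serial can therefore only be caught by whatever checks run earlier in the function; the `return -1` visible just above suggests there is one, but the body starts and ends outside the hunk. I would state that in the comment and fix the "serials numbers" typo, for example `* Zero serial numbers are ignored (the default when the CA doesn't specify one), so such certs cannot be revoked by serial.` It is also worth confirming that the KRL generation side warns on or rejects a request to revoke serial 0, since it would otherwise be silently ineffective.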