- djm@cvs.openbsd.org 2013/01/25 10:22:19

[krl.c]
     redo last commit without the vi-vomit that snuck in:
     skip serial lookup when cert's serial number is zero
     (now with 100% better comment)

ChangeLog

@@ -10,6 +10,11 @@
      [krl.c]
      Revert last. Breaks due to likely typo. Let djm@ fix later.
      ok djm@ via dlg@
+   - djm@cvs.openbsd.org 2013/01/25 10:22:19
+     [krl.c]
+     redo last commit without the vi-vomit that snuck in:
+     skip serial lookup when cert's serial number is zero
+     (now with 100% better comment)
 
 20130211
  - (djm) [configure.ac openbsd-compat/openssl-compat.h] Repair build on old

krl.c

@@ -14,7 +14,7 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $OpenBSD: krl.c,v 1.7 2013/01/25 05:00:27 krw Exp $ */
+/* $OpenBSD: krl.c,v 1.8 2013/01/25 10:22:19 djm Exp $ */
 
 #include "includes.h"
 
@@ -1148,8 +1148,11 @@ is_key_revoked(struct ssh_krl *krl, const Key *key)
 		return -1;
 	}
 
-	/* Legacy cert formats lack serial numbers */
-	if (key_cert_is_legacy(key))
+	/*
+	 * Legacy cert formats lack serial numbers. Zero serials numbers
+	 * are ignored (it's the default when the CA doesn't specify one).
+	 */
+	if (key_cert_is_legacy(key) || key->cert->serial == 0)
 		return 0;
 
 	bzero(&rs, sizeof(rs));