Check for issuer only if we actually got a CRL
authorMartin Willi <martin@revosec.ch>
Thu, 23 Dec 2010 10:44:36 +0000 (11:44 +0100)
committerMartin Willi <martin@revosec.ch>
Wed, 5 Jan 2011 15:46:06 +0000 (16:46 +0100)
src/libstrongswan/plugins/revocation/revocation_validator.c

index be6d3a9..0aeea41 100644 (file)
@@ -457,15 +457,15 @@ static cert_validation_t find_crl(x509_t *subject, identification_t *issuer,
                {
                        *uri_found = TRUE;
                        current = fetch_crl(uri);
-                       if (!current->has_issuer(current, issuer))
-                       {
-                               DBG1(DBG_CFG, "issuer of fetched CRL '%Y' does not match CRL "
-                                        "issuer '%Y'", current->get_issuer(current), issuer);
-                               current->destroy(current);
-                               continue;
-                       }
                        if (current)
                        {
+                               if (!current->has_issuer(current, issuer))
+                               {
+                                       DBG1(DBG_CFG, "issuer of fetched CRL '%Y' does not match CRL "
+                                                "issuer '%Y'", current->get_issuer(current), issuer);
+                                       current->destroy(current);
+                                       continue;
+                               }
                                *best = get_better_crl(current, *best, subject,
                                                                           &valid, auth, TRUE);
                                if (*best && valid != VALIDATION_STALE)