From 73ddd325396d423c6808996d55281bc0400267a1 Mon Sep 17 00:00:00 2001
From: toddouska
Date: Thu, 24 May 2012 12:45:10 -0700
Subject: [PATCH] add crl checkall processing
---
 examples/client/client.c | 2 +-
 src/internal.c | 18 +++++++++++++-----
 2 files changed, 14 insertions(+), 6 deletions(-)
diff --git a/examples/client/client.c b/examples/client/client.c
index 7e5abcdb9..9d72f904d 100644
--- a/examples/client/client.c
+++ b/examples/client/client.c
@@ -208,7 +208,7 @@ void client_test(void* args)
 ssl = CyaSSL_new(ctx);
 CyaSSL_set_fd(ssl, sockfd);
 #ifdef HAVE_CRL
- CyaSSL_EnableCRL(ssl, 0);
+ CyaSSL_EnableCRL(ssl, CYASSL_CRL_CHECKALL);
 CyaSSL_LoadCRL(ssl, crlPemDir, SSL_FILETYPE_PEM, 0);
 CyaSSL_SetCRL_Cb(ssl, CRL_CallBack);
 #endif
diff --git a/src/internal.c b/src/internal.c
index 858415059..db896fc88 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -1628,11 +1628,9 @@ static int DoCertificate(CYASSL* ssl, byte* input, word32* inOutIdx)
 ssl->ctx->cm);
 if (ret == 0 && dCert.isCA == 0) {
 CYASSL_MSG("Chain cert is not a CA, not adding as one");
- (void)ret;
 }
 else if (ret == 0 && ssl->options.verifyNone) {
 CYASSL_MSG("Chain cert not verified by option, not adding as CA");
- (void)ret;
 }
 else if (ret == 0 && !AlreadySigner(ssl->ctx->cm, dCert.subjectHash)) {
 buffer add;
@@ -1651,13 +1649,22 @@ static int DoCertificate(CYASSL* ssl, byte* input, word32* inOutIdx)
 }
 else if (ret != 0) {
 CYASSL_MSG("Failed to verify CA from chain");
- (void)ret;
 }
 else {
 CYASSL_MSG("Verified CA from chain and already had it");
- (void)ret;
 }
+#ifdef HAVE_CRL
+ if (ret == 0 && ssl->ctx->cm->crlEnabled && ssl->ctx->cm->crlCheckAll) {
+ CYASSL_MSG("Doing Non Leaf CRL check");
+ ret = CheckCertCRL(ssl->ctx->cm->crl, &dCert);
+
+ if (ret != 0) {
+ CYASSL_MSG("\tCRL check not ok");
+ }
+ }
+#endif /* HAVE_CRL */
+
 if (ret != 0 && anyError == 0)
 anyError = ret; /* save error from last time */
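Review bot: The non-leaf CRL check added in the `@@ -1651` hunk runs only after the preceding if/else chain has completed, and the `else if (ret == 0 && !AlreadySigner(ssl->ctx->cm, dCert.subjectHash))` branch opened in the earlier hunk (its body, starting at `buffer add;`, lies between the two hunks and is not visible here) appears to install the chain certificate in the shared cert manager as a signer. If that is what the hidden body does, an intermediate the CRL lists as revoked is cached in `ssl->ctx->cm` before `CheckCertCRL` fails, and the failure is only folded into `anyError`, so later handshakes on the same ctx could treat the revoked CA as already trusted. Because the new block's own guard is `ret == 0`, it can be relocated to sit directly after the verify call whose tail `ssl->ctx->cm);` opens the first internal.c hunk, so a non-zero `ret` from the CRL check skips the add-as-signer branch and falls into `else if (ret != 0)` instead; that is a move of the existing block rather than new code. Either way the block should state its non-fatal semantics, e.g. `/* CRL failure on a chain cert is not fatal here; it is saved in anyError below */`, since the consumer of `anyError` is outside the hunk. DoCertificate starts and ends outside the hunk.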
@@ -1705,7 +1712,8 @@ static int DoCertificate(CYASSL* ssl, byte* input, word32* inOutIdx)
 #endif
 #ifdef HAVE_CRL
- if (ssl->ctx->cm->crlEnabled) {
+ if (fatal == 0 && ssl->ctx->cm->crlEnabled) {
+ CYASSL_MSG("Doing Leaf CRL check");
 ret = CheckCertCRL(ssl->ctx->cm->crl, &dCert);
 if (ret != 0) {