Fix CRL time comparison.

Thanks to David Benjamin <davidben@google.com> for reporting this bug.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit e032117db251968bd09badc7d4718c2497302e55)

diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 5873ad4c63d57460996577ee1e54af437156d997..ade5985db5e320b8574fb36d4b4fd9ca0ca7ac6d 100644 (file)
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -1130,7 +1130,11 @@ static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl,
             if (ASN1_TIME_diff(&day, &sec, X509_CRL_get_lastUpdate(best_crl),
                                X509_CRL_get_lastUpdate(crl)) == 0)
                 continue;
-            if (day < 0 || sec <= 0)
+            /*
+             * ASN1_TIME_diff never returns inconsistent signs for |day|
+             * and |sec|.
+             */
+            if (day <= 0 && sec <= 0)
                 continue;
         }
         best_crl = crl;