gnutls_x509_crl_verify: check next update field for presence
authorNikos Mavrogiannopoulos <nmav@redhat.com>
Thu, 7 Sep 2017 07:10:20 +0000 (09:10 +0200)
committerNikos Mavrogiannopoulos <nmav@redhat.com>
Fri, 8 Sep 2017 06:55:55 +0000 (08:55 +0200)
If not present do not attempt to utilize its value.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
lib/x509/verify.c

index 66e49d60d8275a6b4de6588fe90df5a4bb81cf2c..26b1ab3f44db8e210d274d1df1455eb75dce2858 100644 (file)
@@ -1562,6 +1562,7 @@ gnutls_x509_crl_verify(gnutls_x509_crl_t crl,
        gnutls_x509_crt_t issuer = NULL;
        int result, sigalg;
        time_t now = gnutls_time(0);
+       time_t nextu;
        unsigned int usage;
 
        if (verify)
@@ -1677,7 +1678,8 @@ gnutls_x509_crl_verify(gnutls_x509_crl_t crl,
        if (gnutls_x509_crl_get_this_update(crl) > now && verify)
                *verify |= GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE;
 
-       if (gnutls_x509_crl_get_next_update(crl) < now && verify)
+       nextu = gnutls_x509_crl_get_next_update(crl);
+       if (nextu != -1 && nextu < now && verify)
                *verify |= GNUTLS_CERT_REVOCATION_DATA_SUPERSEDED;
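Review bot: The new guard `if (nextu != -1 && nextu < now && verify)` treats every `-1` from gnutls_x509_crl_get_next_update() as "field absent", but that value is also the function's documented error return, so a CRL whose nextUpdate cannot be decoded is handled the same as one that omits it. In both cases GNUTLS_CERT_REVOCATION_DATA_SUPERSEDED is never set, so this check alone puts no expiry on such a CRL. A comment above the test should state that, e.g. `/* nextUpdate is optional; (time_t)-1 means absent or unreadable, so staleness cannot be judged here */`, and the comparison reads more clearly as `nextu != (time_t)-1`. The thisUpdate test a few lines above has no matching sentinel check, which appears harmless only as long as time_t is signed. The body of gnutls_x509_crl_verify starts and ends outside this hunk, so any handling of a missing nextUpdate elsewhere in the function is not visible here.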