X509_cmp_time: only return 1, 0, -1.

The behaviour of X509_cmp_time used to be undocumented. The new behaviour, documented in master, is to return only 0, 1, or -1. Make the code in the other branches to adhere to this behaviour too, to reduce confusion. There is nothing to be gained from returning other values. Fixes GH#4954 Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4955) (cherry picked from commit 48345917747a34feea3da2936994a265c7f2ca11)
author: Emilia Kasper <emilia@openssl.org> 2017-12-18 18:41:05 +0100
committer: Richard Levitte <levitte@openssl.org> 2018-04-19 09:42:09 +0200
commit: 67567b221bd06aca1719c926fadc5ce1a0452e9a (patch)
tree: cde9579eb712b5d66f63242cb7f8953f693fd30c /crypto
parent: 82d8cec06ae8af5dbe68c8e4be38ad32ce9fa594 (diff)
1 files changed, 5 insertions, 4 deletions
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index b1472018ba..ff238331e6 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -2046,10 +2046,11 @@ int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time)
             return 1;
     }
     i = strcmp(buff1, buff2);
-    if (i == 0)                 /* wait a second then return younger :-) */
-        return -1;
-    else
-        return i;
+    /*
+     * X509_cmp_time comparison is <=.
+     * The return value 0 is reserved for errors.
+     */
+    return i > 0 ? 1 : -1;
 }
 
 ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj)
author	Emilia Kasper <emilia@openssl.org>	2017-12-18 18:41:05 +0100
committer	Richard Levitte <levitte@openssl.org>	2018-04-19 09:42:09 +0200
commit	67567b221bd06aca1719c926fadc5ce1a0452e9a (patch)
tree	cde9579eb712b5d66f63242cb7f8953f693fd30c /crypto
parent	82d8cec06ae8af5dbe68c8e4be38ad32ce9fa594 (diff)