-rw-r--r--NEWS9
-rw-r--r--lib/gnutls_cert.c1
-rw-r--r--lib/includes/gnutls/gnutls.h.in19
-rw-r--r--lib/x509/verify.c15
-rw-r--r--src/certtool.c16
5 files changed, 50 insertions, 10 deletions
diff --git a/NEWS b/NEWS
index b45c934cb4..c74bcb7976 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,15 @@ GnuTLS NEWS -- History of user-visible changes. -*- outline -*-
Copyright (C) 2000-2012 Free Software Foundation, Inc.
See the end for copying conditions.
+* Version 3.0.26 (unreleased)
+
+** libgnutls: gnutls_x509_crl_verify() includes the time checks.
+
+** API and ABI modifications:
+GNUTLS_CERT_REVOCATION_DATA_TOO_OLD: Added
+GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE: Added
+
+
* Version 3.0.25 (released 2012-10-12)
** libgnutls: Fixed the receipt of session tickets during session resumption.
diff --git a/lib/gnutls_cert.c b/lib/gnutls_cert.c
index 357569f0e4..3284683b0d 100644
--- a/lib/gnutls_cert.c
+++ b/lib/gnutls_cert.c
@@ -826,4 +826,3 @@ gnutls_sign_callback_get (gnutls_session_t session, void **userdata)
return session->internals.sign_func;
}
-
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index 355621a370..24f5e8ad9e 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -437,6 +437,8 @@ extern "C"
* should not be trusted.
* @GNUTLS_CERT_NOT_ACTIVATED: The certificate is not yet activated.
* @GNUTLS_CERT_EXPIRED: The certificate has expired.
+ * @GNUTLS_CERT_REVOCATION_DATA_TOO_OLD: The OCSP revocation data are too old.
+ * @GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE: The revocation data have a future issue date.
*
* Enumeration of certificate status codes. Note that the status
* bits have different meanings in OpenPGP keys and X.509
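Review bot: The new doc line for GNUTLS_CERT_REVOCATION_DATA_TOO_OLD describes "OCSP revocation data", but the only code in this commit that sets the bit is the CRL path in lib/x509/verify.c, so the description should cover both sources. Suggest ` * @GNUTLS_CERT_REVOCATION_DATA_TOO_OLD: The revocation data (CRL or OCSP response) are too old.` so readers of the public header do not conclude the bit is OCSP-only. The enumeration's doc block continues past the hunk.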
@@ -444,13 +446,16 @@ extern "C"
*/
typedef enum
{
- GNUTLS_CERT_INVALID = 2,
- GNUTLS_CERT_REVOKED = 32,
- GNUTLS_CERT_SIGNER_NOT_FOUND = 64,
- GNUTLS_CERT_SIGNER_NOT_CA = 128,
- GNUTLS_CERT_INSECURE_ALGORITHM = 256,
- GNUTLS_CERT_NOT_ACTIVATED = 512,
- GNUTLS_CERT_EXPIRED = 1024
+ GNUTLS_CERT_INVALID = 1<<1,
+ GNUTLS_CERT_REVOKED = 1<<5,
+ GNUTLS_CERT_SIGNER_NOT_FOUND = 1<<6,
+ GNUTLS_CERT_SIGNER_NOT_CA = 1<<7,
+ GNUTLS_CERT_INSECURE_ALGORITHM = 1<<8,
+ GNUTLS_CERT_NOT_ACTIVATED = 1<<9,
+ GNUTLS_CERT_EXPIRED = 1<<10,
+ GNUTLS_CERT_SIGNATURE_FAILURE = 1<<11,
+ GNUTLS_CERT_REVOCATION_DATA_TOO_OLD = 1<<12,
+ GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE = 1<<15,
} gnutls_certificate_status_t;
/**
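Review bot: GNUTLS_CERT_SIGNATURE_FAILURE = 1<<11 is introduced here without a matching `@GNUTLS_CERT_SIGNATURE_FAILURE:` line in the doc block above and without an entry in the NEWS "API and ABI modifications" list, while the two REVOCATION_DATA values get both. Either add ` * @GNUTLS_CERT_SIGNATURE_FAILURE: The signature verification failed.` (nothing in this diff sets the bit, so confirm the intended meaning before documenting it) plus a NEWS line, or leave it out of this commit. The jump from 1<<12 to 1<<15 also deserves a one-line comment if bits 13 and 14 are intentionally reserved, since the old decimal values made the bit layout explicit and the new form invites someone to fill the gap.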
diff --git a/lib/x509/verify.c b/lib/x509/verify.c
index bcca386810..318aec5933 100644
--- a/lib/x509/verify.c
+++ b/lib/x509/verify.c
@@ -943,7 +943,8 @@ gnutls_x509_crl_check_issuer (gnutls_x509_crl_t crl,
*
* This function will try to verify the given crl and return its status.
* See gnutls_x509_crt_list_verify() for a detailed description of
- * return values.
+ * return values. Note that since GnuTLS 3.1.4 this function includes
+ * the time checks.
*
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
* negative error value.
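Review bot: The added docstring says the time checks exist "since GnuTLS 3.1.4", but the NEWS entry in this same commit records the change under "Version 3.0.26 (unreleased)"; one of the two is wrong for the branch this lands on. Pick the version the release notes will carry, e.g. ` * return values. Note that since GnuTLS 3.0.26 this function includes`, or state the behaviour without a version number. The doc block continues past the hunk.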
@@ -1039,6 +1040,7 @@ _gnutls_verify_crl2 (gnutls_x509_crl_t crl,
gnutls_datum_t crl_signature = { NULL, 0 };
gnutls_x509_crt_t issuer;
int result, hash_algo;
+ time_t now = gnutls_time(0);
if (output)
*output = 0;
@@ -1127,12 +1129,21 @@ _gnutls_verify_crl2 (gnutls_x509_crl_t crl,
!(flags & GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5)))
{
if (output)
- *output |= GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID;
+ *output |= GNUTLS_CERT_INSECURE_ALGORITHM;
result = 0;
}
}
+
+ if (gnutls_x509_crl_get_this_update (crl) > now)
+ *output |= GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE;
+
+ if (gnutls_x509_crl_get_next_update (crl) < now)
+ *output |= GNUTLS_CERT_REVOCATION_DATA_TOO_OLD;
+
cleanup:
+ if (*output) *output |= GNUTLS_CERT_INVALID;
+
_gnutls_free_datum (&crl_signed_data);
_gnutls_free_datum (&crl_signature);
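Review bot: The three new `*output |= …` statements (the two time checks and the `if (*output)` line at cleanup) dereference `output` unconditionally, while the rest of _gnutls_verify_crl2 treats it as optional (`if (output) *output = 0;` at the top and the `if (output)` guard above the insecure-algorithm assignment), so a caller passing NULL now crashes — and the cleanup label is reached from every earlier `goto cleanup`. Guard all three: `if (output && gnutls_x509_crl_get_this_update (crl) > now)`, `if (output && gnutls_x509_crl_get_next_update (crl) < now)`, `if (output && *output) *output |= GNUTLS_CERT_INVALID;`. Separately, nextUpdate is optional in a CRL and gnutls_x509_crl_get_next_update() is documented to return (time_t)-1 when it cannot be read, which compares less than `now` and would flag every CRL without a nextUpdate as TOO_OLD; test for -1 before the comparison. The time checks also leave `result` untouched, unlike the insecure-algorithm path that sets `result = 0`, so if any caller relies on the return value rather than `*output` it will not see the failure — confirm the intended contract. The function begins before the hunk and returns after it.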
diff --git a/src/certtool.c b/src/certtool.c
index c438642209..ad5a3e9cb3 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -2223,6 +2223,22 @@ print_verification_res (FILE* outfile, unsigned int output)
comma = 1;
}
+ if (output & GNUTLS_CERT_REVOCATION_DATA_TOO_OLD)
+ {
+ if (comma)
+ fprintf (outfile, ", ");
+ fprintf (outfile, "Newer CRL is available");
+ comma = 1;
+ }
+
+ if (output & GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE)
+ {
+ if (comma)
+ fprintf (outfile, ", ");
+ fprintf (outfile, "CRL has future date");
+ comma = 1;
+ }
+
if (output & GNUTLS_CERT_REVOKED)
{
if (comma)
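Review bot: The string printed for GNUTLS_CERT_REVOCATION_DATA_TOO_OLD, `"Newer CRL is available"`, claims something the flag does not establish — the bit only records that the revocation data's nextUpdate time has passed, not that a replacement has been published — and both new messages name a CRL although the header documents the bits as revocation data generally. Wording such as `fprintf (outfile, "Revocation data is too old");` and `fprintf (outfile, "Revocation data has a future issue date");` stays truthful whatever the source and matches the enum names. The repeated `if (comma) fprintf (outfile, ", ");` pattern is pre-existing style in print_verification_res, which begins before the hunk.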