From 93486c97a9ba588e1b6eaec9918b7f4bf425d442 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos <nmav@redhat.com>
Date: Thu, 1 Dec 2016 08:40:13 +0100
Subject: gnutls_x509_crl_verify: always return zero on success

Also document that in previous versions a positive number could
be returned on success. Reported by Adrien Beraud.
---
 lib/x509/verify.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/lib/x509/verify.c b/lib/x509/verify.c
index ecd2369b1c..e645c58bb1 100644
--- a/lib/x509/verify.c
+++ b/lib/x509/verify.c
@@ -1377,7 +1377,10 @@ find_crl_issuer(gnutls_x509_crl_t crl,
  * function is success (i.e, failure to trust a CRL a certificate does not imply 
  * a negative return value).
  *
- * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
+ * Before GnuTLS 3.5.7 this function would return zero or a positive
+ * number on success.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS (0), otherwise a
  *   negative error value.
  **/
 int
@@ -1483,6 +1486,8 @@ gnutls_x509_crl_verify(gnutls_x509_crl_t crl,
 			if (verify)
 				*verify |= GNUTLS_CERT_INVALID;
 			goto cleanup;
+		} else if (result >= 0) {
+			result = 0; /* everything ok */
 		}
 	}
 
-- 
cgit v1.2.1