Fix SuiteB chain checking logic.

author Dr. Stephen Henson <steve@openssl.org>

Thu, 20 Nov 2014 14:06:50 +0000 (14:06 +0000)

committer Dr. Stephen Henson <steve@openssl.org>

Thu, 20 Nov 2014 22:13:05 +0000 (22:13 +0000)
author Dr. Stephen Henson <steve@openssl.org>
Thu, 20 Nov 2014 14:06:50 +0000 (14:06 +0000)
committer Dr. Stephen Henson <steve@openssl.org>
Thu, 20 Nov 2014 22:13:05 +0000 (22:13 +0000)
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c

index 8b2b16bc87883937b87760d590742fa40791078a..e0f28d254ba2be11a0b5fae220ff70bee7c2cb31 100644 (file)
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -4294,13 +4294,10 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
                 if (check_flags)
                         check_flags |= CERT_PKEY_SUITEB;
                 ok = X509_chain_check_suiteb(NULL, x, chain, suiteb_flags);
-               if (ok != X509_V_OK)
-                       {
-                       if (check_flags)
-                               rv |= CERT_PKEY_SUITEB;
-                       else
-                               goto end;
-                       }
+               if (ok == X509_V_OK)
+                       rv |= CERT_PKEY_SUITEB;
+               else if (!check_flags)
+                       goto end;
                 }
  
         /* Check all signature algorithms are consistent with
author	Dr. Stephen Henson <steve@openssl.org>
	Thu, 20 Nov 2014 14:06:50 +0000 (14:06 +0000)
committer	Dr. Stephen Henson <steve@openssl.org>
	Thu, 20 Nov 2014 22:13:05 +0000 (22:13 +0000)