Fix client verify mode to check SSL_VERIFY_PEER

The original check for != SSL_VERIFY_NONE can give surprising results when flags SSL_VERIFY_PEER is not set, but other flags are. Note that SSL_VERIFY_NONE (0) is not a flag bit, it is rather the absense of all other flag bits. Signed-off-by: Rob Percival <robpercival@google.com> Reviewed-by: Emilia Käsper <emilia@openssl.org>
author: Viktor Dukhovni <openssl-users@dukhovni.org> 2016-04-02 16:47:48 -0400
committer: Viktor Dukhovni <openssl-users@dukhovni.org> 2016-04-07 14:41:34 -0400
commit: c636c1c470fd2b4b0cb546e6ee85971375e42ec1 (patch)
tree: 68c9a306d606ae2bae3a77ee677999209ccdd7b4 /ssl
parent: 6afef8b1fb679df7d6a8606d713192c9907b1890 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index 4806e6782b..19ea227e6a 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -1334,7 +1334,7 @@ MSG_PROCESS_RETURN tls_process_server_certificate(SSL *s, PACKET *pkt)
     }
 
     i = ssl_verify_cert_chain(s, sk);
-    if (s->verify_mode != SSL_VERIFY_NONE && i <= 0) {
+    if ((s->verify_mode & SSL_VERIFY_PEER) && i <= 0) {
         al = ssl_verify_alarm_type(s->verify_result);
         SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE,
                SSL_R_CERTIFICATE_VERIFY_FAILED);
author	Viktor Dukhovni <openssl-users@dukhovni.org>	2016-04-02 16:47:48 -0400
committer	Viktor Dukhovni <openssl-users@dukhovni.org>	2016-04-07 14:41:34 -0400
commit	c636c1c470fd2b4b0cb546e6ee85971375e42ec1 (patch)
tree	68c9a306d606ae2bae3a77ee677999209ccdd7b4 /ssl
parent	6afef8b1fb679df7d6a8606d713192c9907b1890 (diff)