diff options
author | Viktor Dukhovni <openssl-users@dukhovni.org> | 2016-04-02 16:47:48 -0400 |
---|---|---|
committer | Viktor Dukhovni <openssl-users@dukhovni.org> | 2016-04-07 14:41:34 -0400 |
commit | c636c1c470fd2b4b0cb546e6ee85971375e42ec1 (patch) | |
tree | 68c9a306d606ae2bae3a77ee677999209ccdd7b4 /ssl | |
parent | 6afef8b1fb679df7d6a8606d713192c9907b1890 (diff) |
Fix client verify mode to check SSL_VERIFY_PEER
The original check for != SSL_VERIFY_NONE can give surprising results
when flags SSL_VERIFY_PEER is not set, but other flags are. Note
that SSL_VERIFY_NONE (0) is not a flag bit, it is rather the absense
of all other flag bits.
Signed-off-by: Rob Percival <robpercival@google.com>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Diffstat (limited to 'ssl')
-rw-r--r-- | ssl/statem/statem_clnt.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index 4806e6782b..19ea227e6a 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -1334,7 +1334,7 @@ MSG_PROCESS_RETURN tls_process_server_certificate(SSL *s, PACKET *pkt) } i = ssl_verify_cert_chain(s, sk); - if (s->verify_mode != SSL_VERIFY_NONE && i <= 0) { + if ((s->verify_mode & SSL_VERIFY_PEER) && i <= 0) { al = ssl_verify_alarm_type(s->verify_result); SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, SSL_R_CERTIFICATE_VERIFY_FAILED); |