Fix SuiteB chain checking logic. Reviewed-by: Matt Caswell <matt@openssl.org>
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 8b2b16b..e0f28d2 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c
@@ -4294,13 +4294,10 @@ if (check_flags) check_flags |= CERT_PKEY_SUITEB; ok = X509_chain_check_suiteb(NULL, x, chain, suiteb_flags); - if (ok != X509_V_OK) - { - if (check_flags) - rv |= CERT_PKEY_SUITEB; - else - goto end; - } + if (ok == X509_V_OK) + rv |= CERT_PKEY_SUITEB; + else if (!check_flags) + goto end; } /* Check all signature algorithms are consistent with