fix cert verify. a cert with an alt chain may verify but leave an error

in the context. don't look for errors in case of success.
fixes spurious verify errors.
guilty change tracked and fix tested by sthen

1 files changed, 5 insertions, 5 deletions

diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c
index 6937afe3b8..53a8506622 100644
--- a/src/lib/libtls/tls.c
+++ b/src/lib/libtls/tls.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.c,v 1.53 2016/12/26 16:20:58 jsing Exp $ */
+/* $OpenBSD: tls.c,v 1.54 2017/01/02 22:03:56 tedu Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -369,19 +369,19 @@ static int
 tls_ssl_cert_verify_cb(X509_STORE_CTX *x509_ctx, void *arg)
 {
         struct tls *ctx = arg;
-        int x509_err;
+        int x509_err, rv;
 
         if (ctx->config->verify_cert == 0)
                 return (1);
 
-        if ((X509_verify_cert(x509_ctx)) < 0) {
+        if ((rv = X509_verify_cert(x509_ctx)) < 0) {
                 tls_set_errorx(ctx, "X509 verify cert failed");
                 return (0);
         }
+        if (rv == 1)
+                return 1;
 
         x509_err = X509_STORE_CTX_get_error(x509_ctx);
-        if (x509_err == X509_V_OK)
-                return (1);
 
         tls_set_errorx(ctx, "certificate verification failed: %s",
             X509_verify_cert_error_string(x509_err));