From 14f13a25c8ec9fb31f3a6b4971c73c48d39f5b45 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Thu, 23 Jun 2016 23:13:50 +0200
Subject: gnutls_pkcs11_crt_is_known: always assume GNUTLS_PKCS11_OBJ_FLAG_COMPARE unless GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED is given

---
 lib/pkcs11.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/lib/pkcs11.c b/lib/pkcs11.c
index 50d0621ce9..4210bdc877 100644
--- a/lib/pkcs11.c
+++ b/lib/pkcs11.c
@@ -3993,10 +3993,10 @@ int gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
 priv.issuer_dn.data = cert->raw_issuer_dn.data;
 priv.issuer_dn.size = cert->raw_issuer_dn.size;
 
- /* when looking for a trusted certificate, we always fully compare
- * with the given */
- if (flags & GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED && !(flags & GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY))
+ /* assume PKCS11_OBJ_FLAG_COMPARE everywhere but DISTRUST info */
+ if (!(flags & GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED) && !(flags & GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY)) {
 flags |= GNUTLS_PKCS11_OBJ_FLAG_COMPARE;
+ }
 
 priv.flags = flags;
-- 
cgit v1.2.1
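Review bot: The replacement comment above the `if` records that distrust lookups are exempt from the full comparison but not why, and nothing in the hunk tells a caller that the match semantics changed: before, only a GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED query forced GNUTLS_PKCS11_OBJ_FLAG_COMPARE, while now every query without GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED does, so callers passing neither retrieve flag get a stricter (whole-certificate) match than they used to; that belongs in the API documentation of gnutls_pkcs11_crt_is_known, which starts and ends outside this hunk. I would expand the comment to `/* Only a distrust query is satisfied by the lookup criteria in priv alone; every other query must match the given certificate itself, so force a full comparison unless the caller asked for a key-only comparison. */` — the first clause is my reading of the intent and should be confirmed against the distrust matching code. As a point of style, the two negated tests read more directly as a single mask check: `if (!(flags & (GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED | GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY))) {`, which is equivalent and says "neither flag set" in one expression.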