Prepare for next version.

[oweals/openssl.git] / crypto / x509 / x509_vfy.c

diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 57113672328165652e4cb6ffb1b2dbdb8c38d95f..336c40ddd7e7d6a76a9759038667f04741b41392 100644 (file)
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -79,7 +79,7 @@ static int check_revocation(X509_STORE_CTX *ctx);
 static int check_cert(X509_STORE_CTX *ctx);
 static int check_policy(X509_STORE_CTX *ctx);
 static int internal_verify(X509_STORE_CTX *ctx);
-const char *X509_version="X.509" OPENSSL_VERSION_PTEXT;
+const char X509_version[]="X.509" OPENSSL_VERSION_PTEXT;
 
 
 static int null_callback(int ok, X509_STORE_CTX *e)
@@ -164,7 +164,7 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
                                        goto end;
                                        }
                                CRYPTO_add(&xtmp->references,1,CRYPTO_LOCK_X509);
-                               sk_X509_delete_ptr(sktmp,xtmp);
+                               (void)sk_X509_delete_ptr(sktmp,xtmp);
                                ctx->last_untrusted++;
                                x=xtmp;
                                num++;
@@ -214,7 +214,7 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
                                 */
                                X509_free(x);
                                x = xtmp;
-                               sk_X509_set(ctx->chain, i - 1, x);
+                               (void)sk_X509_set(ctx->chain, i - 1, x);
                                ctx->last_untrusted=0;
                                }
                        }
@@ -312,6 +312,14 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
                ok=internal_verify(ctx);
        if(!ok) goto end;
 
+#ifndef OPENSSL_NO_RFC3779
+       /* RFC 3779 path validation, now that CRL check has been done */
+       ok = v3_asid_validate_path(ctx);
+       if (!ok) goto end;
+       ok = v3_addr_validate_path(ctx);
+       if (!ok) goto end;
+#endif
+
        /* If we get this far evaluate policies */
        if (!bad_chain && (ctx->param->flags & X509_V_FLAG_POLICY_CHECK))
                ok = ctx->check_policy(ctx);
@@ -386,7 +394,7 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
 #ifdef OPENSSL_NO_CHAIN_VERIFY
        return 1;
 #else
-       int i, ok=0, must_be_ca;
+       int i, ok=0, must_be_ca, plen = 0;
        X509 *x;
        int (*cb)(int xok,X509_STORE_CTX *xctx);
        int proxy_path_length = 0;
@@ -487,9 +495,10 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
                                if (!ok) goto end;
                                }
                        }
-               /* Check pathlen */
-               if ((i > 1) && (x->ex_pathlen != -1)
-                          && (i > (x->ex_pathlen + proxy_path_length + 1)))
+               /* Check pathlen if not self issued */
+               if ((i > 1) && !(x->ex_flags & EXFLAG_SI)
+                          && (x->ex_pathlen != -1)
+                          && (plen > (x->ex_pathlen + proxy_path_length + 1)))
                        {
                        ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED;
                        ctx->error_depth = i;
@@ -497,6 +506,9 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
                        ok=cb(0,ctx);
                        if (!ok) goto end;
                        }
+               /* Increment path length if not self issued */
+               if (!(x->ex_flags & EXFLAG_SI))
+                       plen++;
                /* If this certificate is a proxy certificate, the next
                   certificate must be another proxy certificate or a EE
                   certificate.  If not, the next certificate must be a
@@ -1081,7 +1093,7 @@ int X509_cmp_time(ASN1_TIME *ctm, time_t *cmp_time)
                offset=0;
        else
                {
-               if ((*str != '+') && (str[5] != '-'))
+               if ((*str != '+') && (*str != '-'))
                        return 0;
                offset=((str[1]-'0')*10+(str[2]-'0'))*60;
                offset+=(str[3]-'0')*10+(str[4]-'0');
@@ -1460,9 +1472,16 @@ void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
 void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx)
        {
        if (ctx->cleanup) ctx->cleanup(ctx);
-       X509_VERIFY_PARAM_free(ctx->param);
-       if (ctx->tree)
+       if (ctx->param != NULL)
+               {
+               X509_VERIFY_PARAM_free(ctx->param);
+               ctx->param=NULL;
+               }
+       if (ctx->tree != NULL)
+               {
                X509_policy_tree_free(ctx->tree);
+               ctx->tree=NULL;
+               }
        if (ctx->chain != NULL)
                {
                sk_X509_pop_free(ctx->chain,X509_free);