Update from HEAD.

diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 9a62ebcf679e5349532294b8cbbfdc974d2c99c8..336c40ddd7e7d6a76a9759038667f04741b41392 100644 (file)
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -394,7 +394,7 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
 #ifdef OPENSSL_NO_CHAIN_VERIFY
        return 1;
 #else
-       int i, ok=0, must_be_ca;
+       int i, ok=0, must_be_ca, plen = 0;
        X509 *x;
        int (*cb)(int xok,X509_STORE_CTX *xctx);
        int proxy_path_length = 0;
@@ -495,9 +495,10 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
                                if (!ok) goto end;
                                }
                        }
-               /* Check pathlen */
-               if ((i > 1) && (x->ex_pathlen != -1)
-                          && (i > (x->ex_pathlen + proxy_path_length + 1)))
+               /* Check pathlen if not self issued */
+               if ((i > 1) && !(x->ex_flags & EXFLAG_SI)
+                          && (x->ex_pathlen != -1)
+                          && (plen > (x->ex_pathlen + proxy_path_length + 1)))
                        {
                        ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED;
                        ctx->error_depth = i;
@@ -505,6 +506,9 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
                        ok=cb(0,ctx);
                        if (!ok) goto end;
                        }
+               /* Increment path length if not self issued */
+               if (!(x->ex_flags & EXFLAG_SI))
+                       plen++;
                /* If this certificate is a proxy certificate, the next
                   certificate must be another proxy certificate or a EE
                   certificate.  If not, the next certificate must be a

diff --git a/crypto/x509v3/pcy_data.c b/crypto/x509v3/pcy_data.c
index 614d2b493550790436833e950b880b98ca27450b..4711b1ee927b9d824ded08083e0b7be7a4e327f8 100644 (file)
--- a/crypto/x509v3/pcy_data.c
+++ b/crypto/x509v3/pcy_data.c
@@ -87,6 +87,12 @@ X509_POLICY_DATA *policy_data_new(POLICYINFO *policy, ASN1_OBJECT *id, int crit)
        X509_POLICY_DATA *ret;
        if (!policy && !id)
                return NULL;
+       if (id)
+               {
+               id = OBJ_dup(id);
+               if (!id)
+                       return NULL;
+               }
        ret = OPENSSL_malloc(sizeof(X509_POLICY_DATA));
        if (!ret)
                return NULL;
@@ -94,6 +100,8 @@ X509_POLICY_DATA *policy_data_new(POLICYINFO *policy, ASN1_OBJECT *id, int crit)
        if (!ret->expected_policy_set)
                {
                OPENSSL_free(ret);
+               if (id)
+                       ASN1_OBJECT_free(id);
                return NULL;
                }
 

diff --git a/crypto/x509v3/pcy_tree.c b/crypto/x509v3/pcy_tree.c
index 4fda1d419af6da9488b7a952eedd60920265e8c1..aed0155c2afc2f8fea1120275a98add0032cf7a7 100644 (file)
--- a/crypto/x509v3/pcy_tree.c
+++ b/crypto/x509v3/pcy_tree.c
@@ -131,7 +131,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
                if (explicit_policy > 0)
                        {
                        explicit_policy--;
-                       if (!(x->ex_flags & EXFLAG_SS)
+                       if (!(x->ex_flags & EXFLAG_SI)
                                && (cache->explicit_skip != -1)
                                && (cache->explicit_skip < explicit_policy))
                                explicit_policy = cache->explicit_skip;
@@ -197,7 +197,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
                        /* Any matching allowed if certificate is self
                         * issued and not the last in the chain.
                         */
-                       if (!(x->ex_flags & EXFLAG_SS) || (i == 0))
+                       if (!(x->ex_flags & EXFLAG_SI) || (i == 0))
                                level->flags |= X509_V_FLAG_INHIBIT_ANY;
                        }
                else
@@ -310,7 +310,8 @@ static int tree_link_any(X509_POLICY_LEVEL *curr,
 
                if (data == NULL)
                        return 0;
-               data->qualifier_set = curr->anyPolicy->data->qualifier_set;
+               /* Curr may not have anyPolicy */
+               data->qualifier_set = cache->anyPolicy->qualifier_set;
                data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
                if (!level_add_node(curr, data, node, tree))
                        {

diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c
index b2f5cdfa05f3cbfb8c54808d8aa91c1017ca7c25..1ef54ae9a1e09f98fe1d37a0af482dcde04d2472 100644 (file)
--- a/crypto/x509v3/v3_purp.c
+++ b/crypto/x509v3/v3_purp.c
@@ -291,6 +291,7 @@ int X509_supported_extension(X509_EXTENSION *ex)
                NID_sbgp_ipAddrBlock,   /* 290 */
                NID_sbgp_autonomousSysNum, /* 291 */
 #endif
+               NID_policy_constraints, /* 401 */
                NID_proxyCertInfo       /* 661 */
        };
 
@@ -325,7 +326,7 @@ static void x509v3_cache_extensions(X509 *x)
 #endif
        /* Does subject name match issuer ? */
        if(!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x)))
-                        x->ex_flags |= EXFLAG_SS;
+                        x->ex_flags |= EXFLAG_SI;
        /* V1 should mean no extensions ... */
        if(!X509_get_version(x)) x->ex_flags |= EXFLAG_V1;
        /* Handle basic constraints */

diff --git a/crypto/x509v3/x509v3.h b/crypto/x509v3/x509v3.h
index db2b0482c152e57fcc1749ca097ab053f82bdb1a..a208d4b5950d7069c5f318755a801b548d44e3f6 100644 (file)
--- a/crypto/x509v3/x509v3.h
+++ b/crypto/x509v3/x509v3.h
@@ -363,6 +363,8 @@ DECLARE_ASN1_FUNCTIONS(PROXY_CERT_INFO_EXTENSION)
 #define EXFLAG_NSCERT          0x8
 
 #define EXFLAG_CA              0x10
+/* Really self issued not necessarily self signed */
+#define EXFLAG_SI              0x20
 #define EXFLAG_SS              0x20
 #define EXFLAG_V1              0x40
 #define EXFLAG_INVALID         0x80