From: Viktor Dukhovni Date: Mon, 8 Oct 2018 16:05:14 +0000 (-0400) Subject: Apply self-imposed path length also to root CAs X-Git-Tag: openssl-3.0.0-alpha1~3035 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=dc5831da59e9bfad61ba425d886a0b06ac160cd6;p=oweals%2Fopenssl.git Apply self-imposed path length also to root CAs Also, some readers of the code find starting the count at 1 for EE cert confusing (since RFC5280 counts only non-self-issued intermediate CAs, but we also counted the leaf). Therefore, never count the EE cert, and adjust the path length comparison accordinly. This may be more clear to the reader. Reviewed-by: Matt Caswell --- diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index 2ecdb48f14..61e81922b4 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -517,15 +517,14 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) /* check_purpose() makes the callback as needed */ if (purpose > 0 && !check_purpose(ctx, x, purpose, i, must_be_ca)) return 0; - /* Check pathlen if not self issued */ - if ((i > 1) && !(x->ex_flags & EXFLAG_SI) - && (x->ex_pathlen != -1) - && (plen > (x->ex_pathlen + proxy_path_length + 1))) { + /* Check pathlen */ + if ((i > 1) && (x->ex_pathlen != -1) + && (plen > (x->ex_pathlen + proxy_path_length))) { if (!verify_cb_cert(ctx, x, i, X509_V_ERR_PATH_LENGTH_EXCEEDED)) return 0; } /* Increment path length if not a self issued intermediate CA */ - if (i == 0 || (x->ex_flags & EXFLAG_SI) == 0) + if (i > 0 && (x->ex_flags & EXFLAG_SI) == 0) plen++; /* * If this certificate is a proxy certificate, the next certificate