Commit dc5831da authored by Viktor Dukhovni

Apply self-imposed path length also to root CAs



Also, some readers of the code find starting the count at 1 for EE
cert confusing (since RFC5280 counts only non-self-issued intermediate
CAs, but we also counted the leaf).  Therefore, never count the EE
cert, and adjust the path length comparison accordingly.  This may
be more clear to the reader.

Reviewed-by: Matt Caswell <matt@openssl.org>
parent ed422a2d
+4 −5
@@ -517,15 +517,14 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
        /* check_purpose() makes the callback as needed */
        /* check_purpose() makes the callback as needed */
        if (purpose > 0 && !check_purpose(ctx, x, purpose, i, must_be_ca))
        if (purpose > 0 && !check_purpose(ctx, x, purpose, i, must_be_ca))
            return 0;
            return 0;
        /* Check pathlen if not self issued */
        /* Check pathlen */
        if ((i > 1) && !(x->ex_flags & EXFLAG_SI)
        if ((i > 1) && (x->ex_pathlen != -1)
            && (x->ex_pathlen != -1)
            && (plen > (x->ex_pathlen + proxy_path_length))) {
            && (plen > (x->ex_pathlen + proxy_path_length + 1))) {
            if (!verify_cb_cert(ctx, x, i, X509_V_ERR_PATH_LENGTH_EXCEEDED))
            if (!verify_cb_cert(ctx, x, i, X509_V_ERR_PATH_LENGTH_EXCEEDED))
                return 0;
                return 0;
        }
        }
        /* Increment path length if not a self issued intermediate CA */
        /* Increment path length if not a self issued intermediate CA */
        if (i == 0 || (x->ex_flags & EXFLAG_SI) == 0)
        if (i > 0 && (x->ex_flags & EXFLAG_SI) == 0)
            plen++;
            plen++;
        /*
        /*
         * If this certificate is a proxy certificate, the next certificate
         * If this certificate is a proxy certificate, the next certificate
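Review bot: the rewritten condition `if ((i > 1) && (x->ex_pathlen != -1)` drops the `!(x->ex_flags & EXFLAG_SI)` guard, so a pathLenConstraint carried by a self-issued certificate (the self-signed root included) is now compared against the chain below it, while self-issued certificates still do not add to `plen` because the increment keeps its `EXFLAG_SI` test; this matches RFC 5280 section 6.1.4, where only non-self-issued certificates consume max_path_length but any certificate's pathLenConstraint may lower it. The comment `/* Check pathlen */` should say that, for example `/* Check pathlen, also for self-issued certs; plen counts the non-self-issued CAs below x */`, since the dropped words "if not self issued" were the only hint that this case was previously exempt. Two further points: with the EE no longer counted (`if (i > 0 && (x->ex_flags & EXFLAG_SI) == 0)`), `plen` is 0 when index 1 is reached, so the `i > 1` guard is now only a shortcut and cannot mask a violation, which deserves a short comment; and the removal of `+ 1` from the comparison is exactly balanced by no longer counting the leaf, so existing chains keep the same verdicts, but a regression test for the new behaviour (a root with pathlen 0 over one non-self-issued intermediate must now fail with `X509_V_ERR_PATH_LENGTH_EXCEEDED`, and a self-issued key-rollover certificate must still not consume path length) would pin both halves of the change.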