Commit f7c95287 authored by Richard Levitte

Fix proxy certificate pathlength verification



While travelling up the certificate chain, the internal
proxy_path_length must be updated with the pCPathLengthConstraint
value, or verification will not work properly.  This corresponds to
RFC 3820, 4.1.4 (a).

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 30aeb312)
parent 26576cf9
+21 −7
@@ -633,7 +633,19 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
         * the next certificate must be a CA certificate.
         */
        if (x->ex_flags & EXFLAG_PROXY) {
            if (x->ex_pcpathlen != -1 && i > x->ex_pcpathlen) {
            /*
             * RFC3820, 4.1.3 (b)(1) stipulates that if pCPathLengthConstraint
             * is less than max_path_length, the former should be copied to
             * the latter, and 4.1.4 (a) stipulates that max_path_length
             * should be verified to be larger than zero and decrement it.
             *
             * Because we're checking the certs in the reverse order, we start
             * with verifying that proxy_path_length isn't larger than pcPLC,
             * and copy the latter to the former if it is, and finally,
             * increment proxy_path_length.
             */
            if (x->ex_pcpathlen != -1) {
                if (proxy_path_length > x->ex_pcpathlen) {
                    ctx->error = X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED;
                    ctx->error_depth = i;
                    ctx->current_cert = x;
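Review bot: the new comment above `if (x->ex_pcpathlen != -1)` never states what proxy_path_length holds when a certificate is reached, and the comparison `proxy_path_length > x->ex_pcpathlen` is hard to read as the reverse-order form of RFC 3820 4.1.4 (a) without that. Suggest adding one sentence with the invariant, spelling out pCPathLengthConstraint instead of the undefined "pcPLC", and rewording "should be verified to be larger than zero and decrement it" so that the check and the decrement are both clearly attributed to 4.1.4 (a).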
@@ -641,6 +653,8 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
                    if (!ok)
                        goto end;
                }
                proxy_path_length = x->ex_pcpathlen;
            }
            proxy_path_length++;
            must_be_ca = 0;
        } else
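Review bot: `proxy_path_length = x->ex_pcpathlen;` runs for every proxy certificate whose ex_pcpathlen is not -1, while the comment in the previous hunk says the value is copied only when proxy_path_length is larger than the constraint. When proxy_path_length is smaller than ex_pcpathlen the assignment raises the counter, so a certificate further up the chain with a tighter pCPathLengthConstraint would hit X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED even though fewer proxy certificates sit below it than its constraint allows. Either make the comment say the copy is unconditional and why that is intended, or restrict the assignment to the exceeded case; a test chain with a permissive constraint below a tighter one would pin the behaviour down.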