Set X509_V_ERR_INVALID_EXTENSION error for invalid basic constraints

If we encounter certificate with basic constraints CA:false, pathlen present and X509_V_FLAG_X509_STRICT is set we set X509_V_ERR_INVALID_EXTENSION error. Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11463) (cherry picked from commit fa86e2ee3533bb7fa9f3c62c38920cf960e9fec0)
author: Tomas Mraz <tmraz@fedoraproject.org> 2020-04-02 17:31:21 +0200
committer: Tomas Mraz <tmraz@fedoraproject.org> 2020-04-06 10:28:48 +0200
commit: 29e94f285f7f05b1aec6fa275e320bc5fa37ab1e (patch)
tree: 9e6f455bba33a22a6520754bf3d36cd62e5d915a /crypto/x509/x509_vfy.c
parent: 00a0da2f021e6a0bc9519a6a9e5be66d45e6fc91 (diff)
1 files changed, 6 insertions, 0 deletions
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index f28f2d2610..41625e75ad 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -508,6 +508,12 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
                 ret = 1;
             break;
         }
+        if ((x->ex_flags & EXFLAG_CA) == 0
+            && x->ex_pathlen != -1
+            && (ctx->param->flags & X509_V_FLAG_X509_STRICT)) {
+            ctx->error = X509_V_ERR_INVALID_EXTENSION;
+            ret = 0;
+        }
         if (ret == 0 && !verify_cb_cert(ctx, x, i, X509_V_OK))
             return 0;
         /* check_purpose() makes the callback as needed */
author	Tomas Mraz <tmraz@fedoraproject.org>	2020-04-02 17:31:21 +0200
committer	Tomas Mraz <tmraz@fedoraproject.org>	2020-04-06 10:28:48 +0200
commit	29e94f285f7f05b1aec6fa275e320bc5fa37ab1e (patch)
tree	9e6f455bba33a22a6520754bf3d36cd62e5d915a /crypto/x509/x509_vfy.c
parent	00a0da2f021e6a0bc9519a6a9e5be66d45e6fc91 (diff)