diff options
Diffstat (limited to 'crypto')
| -rw-r--r-- | crypto/x509/x509_vfy.c | 9 |
1 files changed, 4 insertions, 5 deletions
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index 1a1a65d9cf..da778d47b1 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -694,10 +694,9 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) goto end; } } - /* Check pathlen if not self issued */ - if ((i > 1) && !(x->ex_flags & EXFLAG_SI) - && (x->ex_pathlen != -1) - && (plen > (x->ex_pathlen + proxy_path_length + 1))) { + /* Check pathlen */ + if ((i > 1) && (x->ex_pathlen != -1) + && (plen > (x->ex_pathlen + proxy_path_length))) { ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED; ctx->error_depth = i; ctx->current_cert = x; @@ -706,7 +705,7 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) goto end; } /* Increment path length if not a self issued intermediate CA */ - if (i == 0 || (x->ex_flags & EXFLAG_SI) == 0) + if (i > 0 && (x->ex_flags & EXFLAG_SI) == 0) plen++; /* * If this certificate is a proxy certificate, the next certificate |