From 35cf781c20b65e51c6d0d3e9a199e74534b60b4a Mon Sep 17 00:00:00 2001 From: Viktor Dukhovni Date: Mon, 8 Oct 2018 12:05:14 -0400 Subject: Apply self-imposed path length also to root CAs Also, some readers of the code find starting the count at 1 for EE cert confusing (since RFC5280 counts only non-self-issued intermediate CAs, but we also counted the leaf). Therefore, never count the EE cert, and adjust the path length comparison accordinly. This may be more clear to the reader. Reviewed-by: Matt Caswell (cherry picked from commit dc5831da59e9bfad61ba425d886a0b06ac160cd6) --- crypto/x509/x509_vfy.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) (limited to 'crypto') diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index 1a1a65d9cf..da778d47b1 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -694,10 +694,9 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) goto end; } } - /* Check pathlen if not self issued */ - if ((i > 1) && !(x->ex_flags & EXFLAG_SI) - && (x->ex_pathlen != -1) - && (plen > (x->ex_pathlen + proxy_path_length + 1))) { + /* Check pathlen */ + if ((i > 1) && (x->ex_pathlen != -1) + && (plen > (x->ex_pathlen + proxy_path_length))) { ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED; ctx->error_depth = i; ctx->current_cert = x; @@ -706,7 +705,7 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) goto end; } /* Increment path length if not a self issued intermediate CA */ - if (i == 0 || (x->ex_flags & EXFLAG_SI) == 0) + if (i > 0 && (x->ex_flags & EXFLAG_SI) == 0) plen++; /* * If this certificate is a proxy certificate, the next certificate -- cgit v1.2.3