authorJung-uk Kim <jkim@FreeBSD.org>2018-11-20 21:35:20 +0000
committerJung-uk Kim <jkim@FreeBSD.org>2018-11-20 21:35:20 +0000
commitcb4e98802be771d5e12e87adece3c351ad69aa38 (patch)
tree431af2e98111dd209d126a5433e987b2f2a26c08 /crypto/openssl/crypto/x509/x509_vfy.c
parent500d06c3a6ca4713ef18e67cef861326fe9601ad (diff)
MFC: r340703
Merge OpenSSL 1.1.1a.
Notes
Notes: svn path=/stable/12/; revision=340705
Diffstat (limited to 'crypto/openssl/crypto/x509/x509_vfy.c')
-rw-r--r--crypto/openssl/crypto/x509/x509_vfy.c11
1 files changed, 5 insertions, 6 deletions
diff --git a/crypto/openssl/crypto/x509/x509_vfy.c b/crypto/openssl/crypto/x509/x509_vfy.c
index 3a60d412daf8..61e81922b4da 100644
--- a/crypto/openssl/crypto/x509/x509_vfy.c
+++ b/crypto/openssl/crypto/x509/x509_vfy.c
@@ -517,15 +517,14 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
/* check_purpose() makes the callback as needed */
if (purpose > 0 && !check_purpose(ctx, x, purpose, i, must_be_ca))
return 0;
- /* Check pathlen if not self issued */
- if ((i > 1) && !(x->ex_flags & EXFLAG_SI)
- && (x->ex_pathlen != -1)
- && (plen > (x->ex_pathlen + proxy_path_length + 1))) {
+ /* Check pathlen */
+ if ((i > 1) && (x->ex_pathlen != -1)
+ && (plen > (x->ex_pathlen + proxy_path_length))) {
if (!verify_cb_cert(ctx, x, i, X509_V_ERR_PATH_LENGTH_EXCEEDED))
return 0;
}
- /* Increment path length if not self issued */
- if (!(x->ex_flags & EXFLAG_SI))
+ /* Increment path length if not a self issued intermediate CA */
+ if (i > 0 && (x->ex_flags & EXFLAG_SI) == 0)
plen++;
/*
* If this certificate is a proxy certificate, the next certificate
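Review bot: The new comment above the increment, `/* Increment path length if not a self issued intermediate CA */`, does not match the condition beneath it: a leaf at `i == 0` is also "not a self issued intermediate CA", yet `i > 0` deliberately keeps it out of `plen`. Dropping the `+ 1` from the pathlen comparison is only correct because `plen` now excludes the leaf, so I would state that invariant at both sites, e.g. `/* plen counts the non-self-issued intermediate CAs below x; the leaf (i == 0) is never counted */` above the increment and `/* pathlen bounds the non-self-issued intermediates that may follow x (RFC 5280, 4.2.1.9) */` above the check. This check and counter are the only enforcement of the path length constraint visible here, so an off-by-one in either direction changes which chains verify. check_chain_extensions starts and ends outside the hunk, so how `plen` and `proxy_path_length` are initialised cannot be confirmed from these lines.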