The branch OpenSSL_1_1_1-stable has been updated via 29e94f285f7f05b1aec6fa275e320bc5fa37ab1e (commit) from 00a0da2f021e6a0bc9519a6a9e5be66d45e6fc91 (commit)
- Log ----------------------------------------------------------------- commit 29e94f285f7f05b1aec6fa275e320bc5fa37ab1e Author: Tomas Mraz <tm...@fedoraproject.org> Date: Thu Apr 2 17:31:21 2020 +0200 Set X509_V_ERR_INVALID_EXTENSION error for invalid basic constraints If we encounter certificate with basic constraints CA:false, pathlen present and X509_V_FLAG_X509_STRICT is set we set X509_V_ERR_INVALID_EXTENSION error. Reviewed-by: Bernd Edlinger <bernd.edlin...@hotmail.de> Reviewed-by: Viktor Dukhovni <vik...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11463) (cherry picked from commit fa86e2ee3533bb7fa9f3c62c38920cf960e9fec0) ----------------------------------------------------------------------- Summary of changes: crypto/x509/x509_vfy.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index f28f2d2610..41625e75ad 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -508,6 +508,12 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) ret = 1; break; } + if ((x->ex_flags & EXFLAG_CA) == 0 + && x->ex_pathlen != -1 + && (ctx->param->flags & X509_V_FLAG_X509_STRICT)) { + ctx->error = X509_V_ERR_INVALID_EXTENSION; + ret = 0; + } if (ret == 0 && !verify_cb_cert(ctx, x, i, X509_V_OK)) return 0; /* check_purpose() makes the callback as needed */
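Review bot: the new block overwrites ctx->error and forces ret = 0 unconditionally, but it sits after the switch whose cases (visible in the context: `ret = 1; break; }`) can already have left ret == 0 with a more specific error, so a certificate that fails an earlier check would now report X509_V_ERR_INVALID_EXTENSION instead of the original reason. Consider guarding the block with `ret != 0 &&` (or equivalently `if (ret == 1 && (x->ex_flags & EXFLAG_CA) == 0 ...`) so the first error wins, which also keeps the later `if (ret == 0 && !verify_cb_cert(ctx, x, i, X509_V_OK))` call reporting the error that was actually hit first. Separately, the summary shows only crypto/x509/x509_vfy.c changing: the strict-mode rejection of CA:FALSE with a pathLenConstraint deserves a line in the X509_V_FLAG_X509_STRICT documentation and a test certificate so the behaviour is pinned.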