check_chain_extensions(): Change exclusion condition w.r.t. RFC 6818 section 2

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12478)
Dr. David von Oheimb 2020-09-07 22:38:46 +02:00
parent d72c8b457b
commit e41a2c4c60


@ -526,8 +526,11 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
* because RFC 5280 does not apply to them according RFC 6818 section 2.
*/
if ((ctx->param->flags & X509_V_FLAG_X509_STRICT) != 0
&& !(i == 0 && (x->ex_flags & EXFLAG_CA) == 0
&& (x->ex_flags & EXFLAG_SI) != 0)) {
&& num > 1) { /*
* this should imply
* !(i == 0 && (x->ex_flags & EXFLAG_CA) == 0
* && (x->ex_flags & EXFLAG_SI) != 0)
*/
/* Check Basic Constraints according to RFC 5280 section 4.2.1.9 */
if (x->ex_pathlen != -1) {
if ((x->ex_flags & EXFLAG_CA) == 0)
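Review bot: The comment after `&& num > 1` states an implication ("this should imply ...") that nothing in the visible code enforces, and the new condition is not equivalent to the one it replaces. Assuming `num` is the number of certificates in the chain (its definition is outside the hunk), a one-certificate chain now skips every X509_V_FLAG_X509_STRICT check even when that certificate has EXFLAG_CA set, while a non-CA leaf at `i == 0` with EXFLAG_SI set in a longer chain is now checked where it was exempt before. If both effects are intended, state the rule directly instead of the hedged implication, e.g. `/* strict checks apply only to chains of more than one cert; a single-cert chain is exempt regardless of EXFLAG_CA */`. The preceding comment, whose start is outside the hunk, appears to still describe the exemption in terms of the certificate's own flags and should be updated to match. The body of check_chain_extensions() begins and ends outside this hunk, so how `num` and `i` are set should be confirmed there.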