aboutsummaryrefslogtreecommitdiffstats
path: root/crypto/x509
diff options
context:
space:
mode:
authorJung-uk Kim <jkim@FreeBSD.org>2018-11-20 18:59:41 +0000
committerJung-uk Kim <jkim@FreeBSD.org>2018-11-20 18:59:41 +0000
commit8c3f9abd70b3f447a4795c1b00b386b044fb322d (patch)
tree884976f2693f42bade35b92edc3c1f7f8c53825b /crypto/x509
parenta43ce912fc025d11e1395506111f75fc194d7ba5 (diff)
downloadsrc-8c3f9abd70b3f447a4795c1b00b386b044fb322d.tar.gz
src-8c3f9abd70b3f447a4795c1b00b386b044fb322d.zip
Import OpenSSL 1.1.1a.vendor/openssl/1.1.1a
Notes
Notes: svn path=/vendor-crypto/openssl/dist/; revision=340690 svn path=/vendor-crypto/openssl/1.1.1a/; revision=340691; tag=vendor/openssl/1.1.1a
Diffstat (limited to 'crypto/x509')
-rw-r--r--crypto/x509/by_dir.c2
-rw-r--r--crypto/x509/by_file.c2
-rw-r--r--crypto/x509/x509_vfy.c11
3 files changed, 7 insertions, 8 deletions
diff --git a/crypto/x509/by_dir.c b/crypto/x509/by_dir.c
index 11ac52ce3c55..b3760dbadf3a 100644
--- a/crypto/x509/by_dir.c
+++ b/crypto/x509/by_dir.c
@@ -73,7 +73,7 @@ static int dir_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, long argl,
switch (cmd) {
case X509_L_ADD_DIR:
if (argl == X509_FILETYPE_DEFAULT) {
- const char *dir = getenv(X509_get_default_cert_dir_env());
+ const char *dir = ossl_safe_getenv(X509_get_default_cert_dir_env());
if (dir)
ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM);
diff --git a/crypto/x509/by_file.c b/crypto/x509/by_file.c
index 78d7fbdf4488..244512c9352b 100644
--- a/crypto/x509/by_file.c
+++ b/crypto/x509/by_file.c
@@ -46,7 +46,7 @@ static int by_file_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp,
switch (cmd) {
case X509_L_FILE_LOAD:
if (argl == X509_FILETYPE_DEFAULT) {
- file = getenv(X509_get_default_cert_file_env());
+ file = ossl_safe_getenv(X509_get_default_cert_file_env());
if (file)
ok = (X509_load_cert_crl_file(ctx, file,
X509_FILETYPE_PEM) != 0);
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 3a60d412daf8..61e81922b4da 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -517,15 +517,14 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
/* check_purpose() makes the callback as needed */
if (purpose > 0 && !check_purpose(ctx, x, purpose, i, must_be_ca))
return 0;
- /* Check pathlen if not self issued */
- if ((i > 1) && !(x->ex_flags & EXFLAG_SI)
- && (x->ex_pathlen != -1)
- && (plen > (x->ex_pathlen + proxy_path_length + 1))) {
+ /* Check pathlen */
+ if ((i > 1) && (x->ex_pathlen != -1)
+ && (plen > (x->ex_pathlen + proxy_path_length))) {
if (!verify_cb_cert(ctx, x, i, X509_V_ERR_PATH_LENGTH_EXCEEDED))
return 0;
}
- /* Increment path length if not self issued */
- if (!(x->ex_flags & EXFLAG_SI))
+ /* Increment path length if not a self issued intermediate CA */
+ if (i > 0 && (x->ex_flags & EXFLAG_SI) == 0)
plen++;
/*
* If this certificate is a proxy certificate, the next certificate