Bug in OpenSSL-0.9.5a:
The ex_pathlen in the X509 is only initialized if there are basic
constraints in the x509v3_cache_extensions(). This causes problems in
x509_vfy.c when checking pathlen and the certificate does not have
basic constraints.
Possible fix:
*** ,x509_vfy.c Mon Mar 13 17:54:41 2000
--- x509_vfy.c Mon Aug 21 14:43:32 2000
***************
*** 349,354 ****
--- 349,355 ----
}
/* Check pathlen */
if((i > 1) && (x->ex_pathlen != -1)
+ && (x->ex_flags & EXFLAG_BCONS)
&& (i > (x->ex_pathlen + 1))) {
ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED;
ctx->error_depth = i;
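Review bot: in the condition under `/* Check pathlen */`, the new `(x->ex_flags & EXFLAG_BCONS)` term sits after `(x->ex_pathlen != -1)`, so for a certificate without basic constraints the uninitialized ex_pathlen is still read before the flag is consulted. The `&&` chain then discards that result, so the outcome is correct, but moving the EXFLAG_BCONS test ahead of both ex_pathlen comparisons would avoid the read entirely. This also guards only this one reader of the field. Setting ex_pathlen to -1 in x509v3_cache_extensions() before the basic constraints are examined would give every user a defined value, and the existing `!= -1` test would then skip the check for such certificates on its own. A short comment stating that ex_pathlen is only meaningful when EXFLAG_BCONS is set would help whichever form is taken.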
Thanks.
--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]