From 63d3a7e33db8574cae29a17a000c79f8b66a3444 Mon Sep 17 00:00:00 2001
From: jsing
Date: Wed, 1 Apr 2026 14:38:26 +0000
Subject: [PATCH] Restore the previous behaviour with maximum verification depth.

The maximum depth is not expected to include the leaf certificate - restore the decrement prior to checking, which means the previous behaviour is retained for the callback depth and the maximum depth.

Reduce the maximum depth by one in order to avoid the overwrite that could previously occur.

Thanks to anton@ for flagging the rust-openssl failure in regress.

ok tb@
---
 lib/libcrypto/x509/x509_verify.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/lib/libcrypto/x509/x509_verify.c b/lib/libcrypto/x509/x509_verify.c
index a530275ac9b..fc3fbc14da6 100644
--- a/lib/libcrypto/x509/x509_verify.c
+++ b/lib/libcrypto/x509/x509_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_verify.c,v 1.74 2026/03/31 13:58:05 jsing Exp $ */
+/* $OpenBSD: x509_verify.c,v 1.75 2026/04/01 14:38:26 jsing Exp $ */
 /*
  * Copyright (c) 2020-2021 Bob Beck
  *
@@ -666,13 +666,13 @@ x509_verify_build_chains(struct x509_verify_ctx *ctx, X509 *cert,
 		return;
 	depth = sk_X509_num(current_chain->certs);
+	if (depth > 0)
+		depth--;
 	if (depth >= ctx->max_depth) {
 		(void)x509_verify_cert_error(ctx, cert, depth,
 		    X509_V_ERR_CERT_CHAIN_TOO_LONG, 0);
 		return;
 	}
-	if (depth > 0)
-		depth--;
 	count = ctx->chains_count;
@@ -978,8 +978,8 @@ x509_verify_ctx_new_from_xsc(X509_STORE_CTX *xsc)
 	    (ctx->intermediates = X509_chain_up_ref(xsc->untrusted)) == NULL)
 		goto err;
-	max_depth = X509_VERIFY_MAX_CHAIN_CERTS;
-	if (xsc->param->depth > 0 && xsc->param->depth < X509_VERIFY_MAX_CHAIN_CERTS)
+	max_depth = X509_VERIFY_MAX_CHAIN_CERTS - 1;
+	if (xsc->param->depth > 0 && xsc->param->depth < max_depth)
 		max_depth = xsc->param->depth;
 	if (!x509_verify_ctx_set_max_depth(ctx, max_depth))
 		goto err;
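Review bot: The check `depth >= ctx->max_depth` in x509_verify_build_chains now runs on a leaf-excluded count, so it only rejects a current_chain that already holds more than `max_depth` certificates; presumably `cert` is appended afterwards, which makes the reachable chain length one greater than `max_depth`, and staying within X509_VERIFY_MAX_CHAIN_CERTS therefore depends on x509_verify_ctx_set_max_depth refusing `max >= X509_VERIFY_MAX_CHAIN_CERTS` in a later hunk. That coupling is invisible at the check site and deserves a comment above it, e.g. `/* depth excludes the leaf; max_depth < X509_VERIFY_MAX_CHAIN_CERTS keeps the full chain within bounds. */`. The `if (depth > 0)` guard also means an empty current_chain is compared at depth 0 rather than treated specially; if that case cannot reach this point, saying so in the same comment saves the next reader the question. The function starts and continues outside the hunk.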
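Review bot: `X509_VERIFY_MAX_CHAIN_CERTS - 1` is now spelled out in x509_verify_ctx_new_from_xsc and again in x509_verify_ctx_new in the following hunk, while x509_verify_ctx_set_max_depth encodes the same bound a third way as `max >= X509_VERIFY_MAX_CHAIN_CERTS`; a single named constant (for example a `X509_VERIFY_MAX_DEPTH` macro defined as that expression) used in all three places would keep the off-by-one from drifting the next time the limit is touched. The clamp `xsc->param->depth < max_depth` silently lowers a requested depth at or above the cap instead of reporting it; that is pre-existing behaviour, but a one-line comment such as `/* A requested depth beyond the cap is clamped, not rejected. */` would make the intent explicit. The function starts and ends outside the hunk.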
@@ -1008,7 +1008,7 @@ x509_verify_ctx_new(STACK_OF(X509) *roots)
 		goto err;
 	}
-	ctx->max_depth = X509_VERIFY_MAX_CHAIN_CERTS;
+	ctx->max_depth = X509_VERIFY_MAX_CHAIN_CERTS - 1;
 	ctx->max_chains = X509_VERIFY_MAX_CHAINS;
 	ctx->max_sigs = X509_VERIFY_MAX_SIGCHECKS;
@@ -1035,7 +1035,7 @@ x509_verify_ctx_free(struct x509_verify_ctx *ctx)
 int
 x509_verify_ctx_set_max_depth(struct x509_verify_ctx *ctx, size_t max)
 {
-	if (max < 1 || max > X509_VERIFY_MAX_CHAIN_CERTS)
+	if (max < 1 || max >= X509_VERIFY_MAX_CHAIN_CERTS)
 		return 0;
 	ctx->max_depth = max;
 	return 1;
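Review bot: x509_verify_ctx_set_max_depth now refuses `max == X509_VERIFY_MAX_CHAIN_CERTS`, a value it accepted before this commit, and the function carries no comment saying what `max` counts or why the upper bound became exclusive. A short header comment would pin the contract, e.g. `/* max is the permitted depth excluding the leaf; it must stay below X509_VERIFY_MAX_CHAIN_CERTS so the complete chain fits. */`, and would explain the `- 1` the two constructors now apply. Any caller outside this file that still passes the old upper bound will now get 0 back, so those call sites are worth a check.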