Fix bug checking pathlen on first intermediate

Remove check on the pathLenConstraint value when looking for a parent to the EE cert, as the constraint is on the number of intermediate certs below the parent, and that number is always 0 at that point, so the constraint is always satisfied. The check was actually off-by-one, which caused valid chains to be rejected under the following conditions: - the parent certificate is not a trusted root, and - it has pathLenConstraint == 0 (max_pathlen == 1 in our representation) fixes #280
2025-07-08 15:30:38 +00:00 · 2015-12-03 09:53:20 +01:00 · 2015-12-03 09:53:20 +01:00 · 7929229a32
parent d7d0b0118c
commit 7929229a32
2 changed files with 7 additions and 9 deletions
--- a/7
+++ b/7
@ -1,5 +1,12 @@
 PolarSSL ChangeLog

+= Version 1.2.19 released 2015-12-xx
+
+Bugfix
+   * Fix bug in certificate validation that caused valid chains to be rejected
+     when the first intermediate certificate has pathLenConstraint=0. Found by
+     Nicholas Wilson. Introduced in mbed TLS 1.3.15. #280
+
 = Version 1.2.18 released 2015-11-04

 Security
--- a/library/x509parse.c
+++ b/library/x509parse.c
@ -3679,15 +3679,6 @@ int x509parse_verify( x509_cert *crt,
            continue;
        }

-        /* +2 because the current step is not yet accounted for
-         * and because max_pathlen is one higher than it should be */
-        if( parent->max_pathlen > 0 &&
-            parent->max_pathlen < 2 + pathlen )
-        {
-            parent = parent->next;
-            continue;
-        }
-
        break;
    }