Import OpenSSL 1.0.2q

2018-12-07 11:08:57 -08:00
parent 4b1c388f4d
commit 4155d3c2bd
75 changed files with 3071 additions and 1937 deletions
--- a/crypto/x509/by_dir.c
+++ b/crypto/x509/by_dir.c
@@ -128,7 +128,7 @@ static int dir_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, long argl,
    switch (cmd) {
    case X509_L_ADD_DIR:
        if (argl == X509_FILETYPE_DEFAULT) {
-            dir = (char *)getenv(X509_get_default_cert_dir_env());
+            dir = (char *)ossl_safe_getenv(X509_get_default_cert_dir_env());
            if (dir)
                ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM);
            else
--- a/crypto/x509/by_file.c
+++ b/crypto/x509/by_file.c
@@ -97,7 +97,8 @@ static int by_file_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp,
    switch (cmd) {
    case X509_L_FILE_LOAD:
        if (argl == X509_FILETYPE_DEFAULT) {
-            file = getenv(X509_get_default_cert_file_env());
+            file = ossl_safe_getenv(X509_get_default_cert_file_env());
+
            if (file)
                ok = (X509_load_cert_crl_file(ctx, file,
                                              X509_FILETYPE_PEM) != 0);
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -621,7 +621,7 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
         * A hack to keep people who don't want to modify their software
         * happy
         */
-        if (getenv("OPENSSL_ALLOW_PROXY_CERTS"))
+        if (ossl_safe_getenv("OPENSSL_ALLOW_PROXY_CERTS"))
            allow_proxy_certs = 1;
        purpose = ctx->param->purpose;
    }
@@ -694,10 +694,9 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
                    goto end;
            }
        }
-        /* Check pathlen if not self issued */
-        if ((i > 1) && !(x->ex_flags & EXFLAG_SI)
-            && (x->ex_pathlen != -1)
-            && (plen > (x->ex_pathlen + proxy_path_length + 1))) {
+        /* Check pathlen */
+        if ((i > 1) && (x->ex_pathlen != -1)
+            && (plen > (x->ex_pathlen + proxy_path_length))) {
            ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED;
            ctx->error_depth = i;
            ctx->current_cert = x;
@@ -705,8 +704,8 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
            if (!ok)
                goto end;
        }
-        /* Increment path length if not self issued */
-        if (!(x->ex_flags & EXFLAG_SI))
+        /* Increment path length if not a self issued intermediate CA */
+        if (i > 0 && (x->ex_flags & EXFLAG_SI) == 0)
            plen++;
        /*
         * If this certificate is a proxy certificate, the next certificate