X-Git-Url: http://git.ipfire.org/?p=thirdparty%2Fopenssl.git;a=blobdiff_plain;f=crypto%2Fx509%2Fx509_vfy.c;fp=crypto%2Fx509%2Fx509_vfy.c;h=510b4f1109caa96c8be0040d00a8233c1b501622;hp=b338b635316e584f7aff18c4c176e2c94f7bcf85;hb=fa86e2ee3533bb7fa9f3c62c38920cf960e9fec0;hpb=428cf5ff83a48d0b51c97476586b2cbd053b6302
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index b338b63531..510b4f1109 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -509,6 +509,12 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
 ret = 1;
 break;
 }
+ if ((x->ex_flags & EXFLAG_CA) == 0
+ && x->ex_pathlen != -1
+ && (ctx->param->flags & X509_V_FLAG_X509_STRICT)) {
+ ctx->error = X509_V_ERR_INVALID_EXTENSION;
+ ret = 0;
+ }
 if (ret == 0 && !verify_cb_cert(ctx, x, i, X509_V_OK))
 return 0;
 /* check_purpose() makes the callback as needed */
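Review bot: The new strict-mode block assigns `ctx->error = X509_V_ERR_INVALID_EXTENSION` unconditionally, so if the switch that closes just above it (its body is outside this hunk) has already set `ret = 0` with its own error code, that earlier code is overwritten and the verify callback hears only about the extension problem. An application callback that chooses to tolerate X509_V_ERR_INVALID_EXTENSION would then presumably also let the earlier failure for the same certificate pass unseen. Reporting the pending failure through `verify_cb_cert()` before this block runs keeps one callback per distinct error; guarding the block with `ret != 0 &&` is the smaller change but skips the pathlen check once an earlier error is pending. A short comment would also help the next reader, e.g. `/* RFC 5280 4.2.1.9: pathLenConstraint is only meaningful when cA is asserted; ex_pathlen == -1 appears to mean "absent" */`.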