diff -up openssl-1.1.1g/crypto/x509/x509_vfy.c.bypass-strict-flag openssl-1.1.1g/crypto/x509/x509_vfy.c
--- openssl-1.1.1g/crypto/x509/x509_vfy.c.bypass-strict-flag 2021-03-25 15:04:24.786522525 +0100
+++ openssl-1.1.1g/crypto/x509/x509_vfy.c 2021-03-25 15:14:01.392910477 +0100
@@ -509,15 +509,19 @@ static int check_chain_extensions(X509_S
ret = 1;
break;
}
- if ((ctx->param->flags & X509_V_FLAG_X509_STRICT) && num > 1) {
+ if (ret > 0
+ && (ctx->param->flags & X509_V_FLAG_X509_STRICT) && num > 1) {
/* Check for presence of explicit elliptic curve parameters */
ret = check_curve(x);
- if (ret < 0)
+ if (ret < 0) {
ctx->error = X509_V_ERR_UNSPECIFIED;
- else if (ret == 0)
+ ret = 0;
+ } else if (ret == 0) {
ctx->error = X509_V_ERR_EC_KEY_EXPLICIT_PARAMS;
+ }
}
- if ((x->ex_flags & EXFLAG_CA) == 0
+ if (ret > 0
+ && (x->ex_flags & EXFLAG_CA) == 0
&& x->ex_pathlen != -1
&& (ctx->param->flags & X509_V_FLAG_X509_STRICT)) {
ctx->error = X509_V_ERR_INVALID_EXTENSION;
diff -up openssl-1.1.1g/test/verify_extra_test.c.bypass-strict-flag openssl-1.1.1g/test/verify_extra_test.c
--- openssl-1.1.1g/test/verify_extra_test.c.bypass-strict-flag 2020-04-21 14:22:39.000000000 +0200
+++ openssl-1.1.1g/test/verify_extra_test.c 2021-03-25 15:04:24.793522594 +0100
@@ -125,10 +125,22 @@ static int test_alt_chains_cert_forgery(
i = X509_verify_cert(sctx);
- if (i == 0 && X509_STORE_CTX_get_error(sctx) == X509_V_ERR_INVALID_CA) {
+ if (i != 0 || X509_STORE_CTX_get_error(sctx) != X509_V_ERR_INVALID_CA)
+ goto err;
+
+ /* repeat with X509_V_FLAG_X509_STRICT */
+ X509_STORE_CTX_cleanup(sctx);
+ X509_STORE_set_flags(store, X509_V_FLAG_X509_STRICT);
+
+ if (!X509_STORE_CTX_init(sctx, store, x, untrusted))
+ goto err;
+
+ i = X509_verify_cert(sctx);
+
+ if (i == 0 && X509_STORE_CTX_get_error(sctx) == X509_V_ERR_INVALID_CA)
/* This is the result we were expecting: Test passed */
ret = 1;
- }
+
err:
X509_STORE_CTX_free(sctx);
X509_free(x);