update to openssl-0.9.8i; tested by several, especially krw@

2 files changed, 17 insertions, 7 deletions

diff --git a/src/lib/libcrypto/x509/x509_att.c b/src/lib/libcrypto/x509/x509_att.c
index 511b49d589..98460e8921 100644
--- a/src/lib/libcrypto/x509/x509_att.c
+++ b/src/lib/libcrypto/x509/x509_att.c
@@ -245,7 +245,7 @@ X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_OBJ(X509_ATTRIBUTE **attr,
                 goto err;
         if (!X509_ATTRIBUTE_set1_data(ret,atrtype,data,len))
                 goto err;
-        
+
         if ((attr != NULL) && (*attr == NULL)) *attr=ret;
         return(ret);
 err:
@@ -302,8 +302,15 @@ int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype, const void *dat
                 atype = attrtype;
         }
         if(!(attr->value.set = sk_ASN1_TYPE_new_null())) goto err;
+        attr->single = 0;
+        /* This is a bit naughty because the attribute should really have
+         * at least one value but some types use and zero length SET and
+         * require this.
+         */
+        if (attrtype == 0)
+                return 1;
         if(!(ttmp = ASN1_TYPE_new())) goto err;
-        if (len == -1)
+        if ((len == -1) && !(attrtype & MBSTRING_FLAG))
                 {
                 if (!ASN1_TYPE_set1(ttmp, attrtype, data))
                         goto err;
@@ -311,7 +318,6 @@ int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype, const void *dat
         else
                 ASN1_TYPE_set(ttmp, atype, stmp);
         if(!sk_ASN1_TYPE_push(attr->value.set, ttmp)) goto err;
-        attr->single = 0;
         return 1;
         err:
         X509err(X509_F_X509_ATTRIBUTE_SET1_DATA, ERR_R_MALLOC_FAILURE);
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
index 9a62ebcf67..336c40ddd7 100644
--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -394,7 +394,7 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
 #ifdef OPENSSL_NO_CHAIN_VERIFY
         return 1;
 #else
-        int i, ok=0, must_be_ca;
+        int i, ok=0, must_be_ca, plen = 0;
         X509 *x;
         int (*cb)(int xok,X509_STORE_CTX *xctx);
         int proxy_path_length = 0;
@@ -495,9 +495,10 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
                                 if (!ok) goto end;
                                 }
                         }
-                /* Check pathlen */
-                if ((i > 1) && (x->ex_pathlen != -1)
-                           && (i > (x->ex_pathlen + proxy_path_length + 1)))
+                /* Check pathlen if not self issued */
+                if ((i > 1) && !(x->ex_flags & EXFLAG_SI)
+                           && (x->ex_pathlen != -1)
+                           && (plen > (x->ex_pathlen + proxy_path_length + 1)))
                         {
                         ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED;
                         ctx->error_depth = i;
@@ -505,6 +506,9 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
                         ok=cb(0,ctx);
                         if (!ok) goto end;
                         }
+                /* Increment path length if not self issued */
+                if (!(x->ex_flags & EXFLAG_SI))
+                        plen++;
                 /* If this certificate is a proxy certificate, the next
                    certificate must be another proxy certificate or a EE
                    certificate.  If not, the next certificate must be a