Restore the previous behaviour with maximum verification depth.

The maximum depth is not expected to include the leaf certificate - restore the decrement prior to checking, which means the previous behaviour is retained for the callback depth and the maximum depth. Reduce the maximum depth by one in order to avoid the overwrite that could previously occur. Thanks to anton@ for flagging the rust-openssl failure in regress. ok tb@
author: jsing <> 2026-04-01 14:38:26 +0000
committer: jsing <> 2026-04-01 14:38:26 +0000
commit: 67ef63bdfc3a504381a2ca266dcaf63bae2c5bf5 (patch)
tree: ba628ea167739db71df8200e20d6387005e97ebc /src
parent: 78103634af9a3c6964b84982770f7a76f56e8c2c (diff)
download: openbsd-67ef63bdfc3a504381a2ca266dcaf63bae2c5bf5.tar.gz
openbsd-67ef63bdfc3a504381a2ca266dcaf63bae2c5bf5.tar.bz2
openbsd-67ef63bdfc3a504381a2ca266dcaf63bae2c5bf5.zip
1 files changed, 7 insertions, 7 deletions
diff --git a/src/lib/libcrypto/x509/x509_verify.c b/src/lib/libcrypto/x509/x509_verify.c
index a530275ac9..fc3fbc14da 100644
--- a/src/lib/libcrypto/x509/x509_verify.c
+++ b/src/lib/libcrypto/x509/x509_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_verify.c,v 1.74 2026/03/31 13:58:05 jsing Exp $ */
+/* $OpenBSD: x509_verify.c,v 1.75 2026/04/01 14:38:26 jsing Exp $ */
 /*
 * Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org>
 *
@@ -666,13 +666,13 @@ x509_verify_build_chains(struct x509_verify_ctx *ctx, X509 *cert,
                return;
        depth = sk_X509_num(current_chain->certs);
+        if (depth > 0)
+                depth--;
        if (depth >= ctx->max_depth) {
                (void)x509_verify_cert_error(ctx, cert, depth,
                    X509_V_ERR_CERT_CHAIN_TOO_LONG, 0);
                return;
        }
-        if (depth > 0)
-                depth--;
        count = ctx->chains_count;
@@ -978,8 +978,8 @@ x509_verify_ctx_new_from_xsc(X509_STORE_CTX *xsc)
            (ctx->intermediates = X509_chain_up_ref(xsc->untrusted)) == NULL)
                goto err;
-        max_depth = X509_VERIFY_MAX_CHAIN_CERTS;
+        max_depth = X509_VERIFY_MAX_CHAIN_CERTS - 1;
-        if (xsc->param->depth > 0 && xsc->param->depth < X509_VERIFY_MAX_CHAIN_CERTS)
+        if (xsc->param->depth > 0 && xsc->param->depth < max_depth)
                max_depth = xsc->param->depth;
        if (!x509_verify_ctx_set_max_depth(ctx, max_depth))
                goto err;
@@ -1008,7 +1008,7 @@ x509_verify_ctx_new(STACK_OF(X509) *roots)
                        goto err;
        }
-        ctx->max_depth = X509_VERIFY_MAX_CHAIN_CERTS;
+        ctx->max_depth = X509_VERIFY_MAX_CHAIN_CERTS - 1;
        ctx->max_chains = X509_VERIFY_MAX_CHAINS;
        ctx->max_sigs = X509_VERIFY_MAX_SIGCHECKS;
@@ -1035,7 +1035,7 @@ x509_verify_ctx_free(struct x509_verify_ctx *ctx)
 int
 x509_verify_ctx_set_max_depth(struct x509_verify_ctx *ctx, size_t max)
 {
-        if (max < 1 || max > X509_VERIFY_MAX_CHAIN_CERTS)
+        if (max < 1 || max >= X509_VERIFY_MAX_CHAIN_CERTS)
                return 0;
        ctx->max_depth = max;
        return 1;
author	jsing <>	2026-04-01 14:38:26 +0000
committer	jsing <>	2026-04-01 14:38:26 +0000
commit	67ef63bdfc3a504381a2ca266dcaf63bae2c5bf5 (patch)
tree	ba628ea167739db71df8200e20d6387005e97ebc /src
parent	78103634af9a3c6964b84982770f7a76f56e8c2c (diff)
download	openbsd-67ef63bdfc3a504381a2ca266dcaf63bae2c5bf5.tar.gz openbsd-67ef63bdfc3a504381a2ca266dcaf63bae2c5bf5.tar.bz2 openbsd-67ef63bdfc3a504381a2ca266dcaf63bae2c5bf5.zip