Merge pull request #3732 from miyazakh/setverifydepth

issue callback when exceeding depth limit rather than error out
2025-07-29 18:27:29 +02:00 · 2021-02-09 09:51:45 +10:00
parent f14f1f37d2 f13186827a
commit 3217c7afae
1 changed files with 10 additions and 7 deletions
--- a/src/internal.c
+++ b/src/internal.c
@ -10834,12 +10834,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
            while (listSz) {
                word32 certSz;

-            #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
-                if (args->totalCerts > ssl->verifyDepth) {
-                    ssl->peerVerifyRet = X509_V_ERR_CERT_CHAIN_TOO_LONG;
-                    ERROR_OUT(MAX_CHAIN_ERROR, exit_ppc);
-                }
-            #else
+            #if !defined(OPENSSL_EXTRA) && !defined(OPENSS_EXTRA_X509_SMALL)
                if (args->totalCerts >= ssl->verifyDepth ||
                        args->totalCerts >= MAX_CHAIN_DEPTH) {
                    ERROR_OUT(MAX_CHAIN_ERROR, exit_ppc);
@ -11078,7 +11073,15 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
                        (void)doCrlLookup;
                    }
            #endif /* HAVE_OCSP || HAVE_CRL */
-
+#ifdef OPENSSL_EXTRA
+                    if (ret == 0 && 
+                        /* extend the limit "+1" until reaching 
+                         * an ultimately trusted issuer.*/
+                        args->count > (ssl->verifyDepth + 1)) {
+                        ssl->peerVerifyRet = X509_V_ERR_CERT_CHAIN_TOO_LONG;
+                        ret = MAX_CHAIN_ERROR;
+                    }
+#endif
                    /* Do verify callback */
                    ret = DoVerifyCallback(ssl->ctx->cm, ssl, ret, args);
                    if (ssl->options.verifyNone &&