Merge pull request #4049 from miyazakh/set_verifyDepth_3

Set verify depth limit
2025-08-03 04:34:41 +02:00 · 2021-06-22 10:23:43 -06:00
parent b70e028200 23fc810b3c
commit 4b3bd3e384
2 changed files with 8 additions and 3 deletions
--- a/src/internal.c
+++ b/src/internal.c
@@ -12425,7 +12425,12 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
            }

        #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
-            if (args->untrustedDepth > ssl->options.verifyDepth) {
+           /* limit compliant with OpenSSL verify Depth + 1
+            * OpenSSL tries to expand the chain one longer than limit until
+            * reaching an ultimately trusted issuer. Becoming failure if
+            * we hit the limit, with X509_V_ERR_CERT_CHAIN_TOO_LONG
+            */
+            if (args->untrustedDepth > (ssl->options.verifyDepth + 1)) {
                ssl->peerVerifyRet = X509_V_ERR_CERT_CHAIN_TOO_LONG;
                ret = MAX_CHAIN_ERROR;
            }
--- a/tests/api.c
+++ b/tests/api.c
@@ -5101,8 +5101,8 @@ static void test_wolfSSL_CTX_verifyDepth_ServerClient(void)
        client_args.argc = -1;
        test_client_verifyDepth(&client_args);
        join_thread(serverThread);
-        AssertIntEQ(client_args.return_code, TEST_FAIL);
-        AssertIntEQ(server_args.return_code, TEST_FAIL);
+        AssertIntEQ(client_args.return_code, TEST_SUCCESS);
+        AssertIntEQ(server_args.return_code, TEST_SUCCESS);
    }
    
    FreeTcpReady(&ready);