check_chain_extensions(): Change exclusion condition w.r.t. RFC 6818 section 2
authorDr. David von Oheimb <David.von.Oheimb@siemens.com>
Mon, 7 Sep 2020 20:38:46 +0000 (22:38 +0200)
committerDr. David von Oheimb <David.von.Oheimb@siemens.com>
Fri, 11 Sep 2020 05:43:34 +0000 (07:43 +0200)
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12478)

crypto/x509/x509_vfy.c

index 29a7f3ff526ad177e21196fb5d77c52b3a45171f..83dae9a79bb1dddbe4b434c4d3d9e3c83f8cae70 100644 (file)
@@ -526,8 +526,11 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
          * because RFC 5280 does not apply to them according RFC 6818 section 2.
          */
         if ((ctx->param->flags & X509_V_FLAG_X509_STRICT) != 0
-            && !(i == 0 && (x->ex_flags & EXFLAG_CA) == 0
-                 && (x->ex_flags & EXFLAG_SI) != 0)) {
+            && num > 1) { /*
+                           * this should imply
+                           * !(i == 0 && (x->ex_flags & EXFLAG_CA) == 0
+                           *          && (x->ex_flags & EXFLAG_SI) != 0)
+                           */
             /* Check Basic Constraints according to RFC 5280 section 4.2.1.9 */
             if (x->ex_pathlen != -1) {
                 if ((x->ex_flags & EXFLAG_CA) == 0)
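Review bot: The new `num > 1` guard is broader than the exemption the comment above it cites: it skips the strict RFC 5280 extension checks for every one-certificate chain, not only for a self-signed end-entity certificate, so a lone CA certificate (and, if partial-chain verification can produce a single non-self-signed cert, that cert too) is no longer checked under X509_V_FLAG_X509_STRICT. The replaced condition only exempted `i == 0 && !EXFLAG_CA && EXFLAG_SI`, and the trailing comment only claims the new condition "should imply" the old one, which is the wrong direction — the old condition implies `num == 1`, not vice versa. If the wider exemption is intended, state it explicitly where the comment now sits, e.g. `/* A one-cert chain is a self-signed cert (or a trust anchor), to which RFC 5280 does not apply per RFC 6818 section 2; only longer chains get the strict checks. */`; if not, keep the CA/self-issued test, e.g. `&& !(num == 1 && (x->ex_flags & EXFLAG_CA) == 0 && (x->ex_flags & EXFLAG_SI) != 0)`. Either way the comment reads better placed above the `if` than after the opening brace. The enclosing loop and check_chain_extensions() itself start before and continue past this hunk.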