From 7439cb7c54e5f5754acc41209c578d4e6531352b Mon Sep 17 00:00:00 2001
From: Love Hornquist Astrand <lha@h5l.org>
Date: Mon, 21 Oct 2013 08:43:24 -0700
Subject: [PATCH] check the EE if its a proxy certificate and fail up front

---
 lib/hx509/cert.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/lib/hx509/cert.c b/lib/hx509/cert.c
index fdc1304e9..ba7f112d5 100644
--- a/lib/hx509/cert.c
+++ b/lib/hx509/cert.c
@@ -2002,6 +2002,16 @@ hx509_verify_path(hx509_context context,
 
     memset(&proxy_issuer, 0, sizeof(proxy_issuer));
 
+    if ((ctx->flags & HX509_VERIFY_CTX_F_ALLOW_PROXY_CERTIFICATE) == 0 &&
+	is_proxy_cert(context, cert->data, NULL) == 0)
+    {
+	ret = HX509_PROXY_CERT_INVALID;
+	hx509_set_error_string(context, 0, ret,
+			       "Proxy certificate is not allowed as an EE "
+			       "certificae if proxy certificate is disabled");
+	return ret;
+    }
+
     ret = init_name_constraints(&nc);
     if (ret)
 	return ret;