Fix an error exit in X509v3_addr_validate_path()

If the topmost cert is invalid, this should result in a validation failure.
Do the same dance as elsewhere permitting the verify callback to intercept
the error but ensuring that we throw an error.

ok jsing

diff --git a/lib/libcrypto/x509/x509_addr.c b/lib/libcrypto/x509/x509_addr.c
index 5e4223c..a3b28ac 100644 (file)
--- a/lib/libcrypto/x509/x509_addr.c
+++ b/lib/libcrypto/x509/x509_addr.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: x509_addr.c,v 1.90 2023/09/27 11:29:22 tb Exp $ */
+/*     $OpenBSD: x509_addr.c,v 1.91 2023/10/29 13:22:37 tb Exp $ */
 /*
  * Contributed to the OpenSSL Project by the American Registry for
  * Internet Numbers ("ARIN").
@@ -1886,8 +1886,11 @@ addr_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509) *chain,
        if (ext == NULL) {
                depth = 0;
                cert = sk_X509_value(chain, depth);
-               if ((X509_get_extension_flags(cert) & EXFLAG_INVALID) != 0)
-                       goto done;
+               if ((X509_get_extension_flags(cert) & EXFLAG_INVALID) != 0) {
+                       if ((ret = verify_error(ctx, cert,
+                           X509_V_ERR_INVALID_EXTENSION, depth)) == 0)
+                               goto done;
+               }
                if ((ext = cert->rfc3779_addr) == NULL)
                        goto done;
        } else if (!X509v3_addr_is_canonical(ext)) {