From: tb Date: Sun, 29 Oct 2023 13:22:37 +0000 (+0000) Subject: Fix an error exit in X509v3_addr_validate_path() X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=c8ef2279606ab66d81c3e2ad056a0ea13ec53bd3;p=openbsd Fix an error exit in X509v3_addr_validate_path() If the topmost cert is invalid, this should result in a validation failure. Do the same dance as elsewhere permitting the verify callback to intercept the error but ensuring that we throw an error. ok jsing --- diff --git a/lib/libcrypto/x509/x509_addr.c b/lib/libcrypto/x509/x509_addr.c index 5e4223ce2b2..a3b28ac07a7 100644 --- a/lib/libcrypto/x509/x509_addr.c +++ b/lib/libcrypto/x509/x509_addr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_addr.c,v 1.90 2023/09/27 11:29:22 tb Exp $ */ +/* $OpenBSD: x509_addr.c,v 1.91 2023/10/29 13:22:37 tb Exp $ */ /* * Contributed to the OpenSSL Project by the American Registry for * Internet Numbers ("ARIN"). @@ -1886,8 +1886,11 @@ addr_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509) *chain, if (ext == NULL) { depth = 0; cert = sk_X509_value(chain, depth); - if ((X509_get_extension_flags(cert) & EXFLAG_INVALID) != 0) - goto done; + if ((X509_get_extension_flags(cert) & EXFLAG_INVALID) != 0) { + if ((ret = verify_error(ctx, cert, + X509_V_ERR_INVALID_EXTENSION, depth)) == 0) + goto done; + } if ((ext = cert->rfc3779_addr) == NULL) goto done; } else if (!X509v3_addr_is_canonical(ext)) {