From c8ef2279606ab66d81c3e2ad056a0ea13ec53bd3 Mon Sep 17 00:00:00 2001 From: tb Date: Sun, 29 Oct 2023 13:22:37 +0000 Subject: [PATCH] Fix an error exit in X509v3_addr_validate_path() If the topmost cert is invalid, this should result in a validation failure. Do the same dance as elsewhere permitting the verify callback to intercept the error but ensuring that we throw an error. ok jsing --- lib/libcrypto/x509/x509_addr.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/lib/libcrypto/x509/x509_addr.c b/lib/libcrypto/x509/x509_addr.c index 5e4223ce2b2..a3b28ac07a7 100644 --- a/lib/libcrypto/x509/x509_addr.c +++ b/lib/libcrypto/x509/x509_addr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_addr.c,v 1.90 2023/09/27 11:29:22 tb Exp $ */ +/* $OpenBSD: x509_addr.c,v 1.91 2023/10/29 13:22:37 tb Exp $ */ /* * Contributed to the OpenSSL Project by the American Registry for * Internet Numbers ("ARIN"). @@ -1886,8 +1886,11 @@ addr_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509) *chain, if (ext == NULL) { depth = 0; cert = sk_X509_value(chain, depth); - if ((X509_get_extension_flags(cert) & EXFLAG_INVALID) != 0) - goto done; + if ((X509_get_extension_flags(cert) & EXFLAG_INVALID) != 0) { + if ((ret = verify_error(ctx, cert, + X509_V_ERR_INVALID_EXTENSION, depth)) == 0) + goto done; + } if ((ext = cert->rfc3779_addr) == NULL) goto done; } else if (!X509v3_addr_is_canonical(ext)) { -- 2.20.1