Fix an error exit in X509v3_addr_validate_path()

If the topmost cert is invalid, this should result in a validation failure.
Do the same dance as elsewhere permitting the verify callback to intercept
the error but ensuring that we throw an error.

ok jsing

1 files changed, 6 insertions, 3 deletions

diff --git a/src/lib/libcrypto/x509/x509_addr.c b/src/lib/libcrypto/x509/x509_addr.c
index 5e4223ce2b..a3b28ac07a 100644
--- a/src/lib/libcrypto/x509/x509_addr.c
+++ b/src/lib/libcrypto/x509/x509_addr.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: x509_addr.c,v 1.90 2023/09/27 11:29:22 tb Exp $ */
+/*      $OpenBSD: x509_addr.c,v 1.91 2023/10/29 13:22:37 tb Exp $ */
 /*
  * Contributed to the OpenSSL Project by the American Registry for
  * Internet Numbers ("ARIN").
@@ -1886,8 +1886,11 @@ addr_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509) *chain,
         if (ext == NULL) {
                 depth = 0;
                 cert = sk_X509_value(chain, depth);
-                if ((X509_get_extension_flags(cert) & EXFLAG_INVALID) != 0)
-                        goto done;
+                if ((X509_get_extension_flags(cert) & EXFLAG_INVALID) != 0) {
+                        if ((ret = verify_error(ctx, cert,
+                            X509_V_ERR_INVALID_EXTENSION, depth)) == 0)
+                                goto done;
+                }
                 if ((ext = cert->rfc3779_addr) == NULL)
                         goto done;
         } else if (!X509v3_addr_is_canonical(ext)) {