From 1614f91f69f2f60af24bd0a632e800ba8567a146 Mon Sep 17 00:00:00 2001
From: tb <>
Date: Sun, 29 Oct 2023 13:22:37 +0000
Subject: Fix an error exit in X509v3_addr_validate_path()

If the topmost cert is invalid, this should result in a validation failure. Do the same dance as elsewhere permitting the verify callback to intercept the error but ensuring that we throw an error.

ok jsing
---
 src/lib/libcrypto/x509/x509_addr.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/lib/libcrypto/x509/x509_addr.c b/src/lib/libcrypto/x509/x509_addr.c
index 5e4223ce2b..a3b28ac07a 100644
--- a/src/lib/libcrypto/x509/x509_addr.c
+++ b/src/lib/libcrypto/x509/x509_addr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_addr.c,v 1.90 2023/09/27 11:29:22 tb Exp $ */
+/* $OpenBSD: x509_addr.c,v 1.91 2023/10/29 13:22:37 tb Exp $ */
 /*
 * Contributed to the OpenSSL Project by the American Registry for
 * Internet Numbers ("ARIN").
@@ -1886,8 +1886,11 @@ addr_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509) *chain,
 if (ext == NULL) {
 depth = 0;
 cert = sk_X509_value(chain, depth);
- if ((X509_get_extension_flags(cert) & EXFLAG_INVALID) != 0)
- goto done;
+ if ((X509_get_extension_flags(cert) & EXFLAG_INVALID) != 0) {
+ if ((ret = verify_error(ctx, cert,
+ X509_V_ERR_INVALID_EXTENSION, depth)) == 0)
+ goto done;
+ }
 if ((ext = cert->rfc3779_addr) == NULL)
 goto done;
 } else if (!X509v3_addr_is_canonical(ext)) {
--
cgit v1.2.3-55-g6feb
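Review bot: The override path inside the new `EXFLAG_INVALID` block deserves a comment, because when `verify_error()` returns non-zero the function keeps `ret` at the callback's verdict and falls through to the `cert->rfc3779_addr` lookup two lines below, which then decides between `goto done` and continuing to validate a certificate already flagged invalid. A one-line comment such as `/* Callback accepted the invalid extension: carry on with whatever address data the cert holds. */` placed above `if ((ext = cert->rfc3779_addr) == NULL)` would make that intent explicit to the next reader. The initial value of `ret` and the `done:` label are outside the hunk, so whether an accepted override followed by a NULL `rfc3779_addr` reports success rests on code not shown here; addr_validate_path_internal starts and ends outside the hunk.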