Ensure that EXFLAG_INVALID_POLICY is checked even in leaf certs
authorMatt Caswell <matt@openssl.org>
Tue, 7 Mar 2023 16:52:55 +0000 (16:52 +0000)
committerTomas Mraz <tomas@openssl.org>
Tue, 28 Mar 2023 12:01:58 +0000 (14:01 +0200)
commit1dd43e0709fece299b15208f36cc7c76209ba0bb
tree9660ab674cf72d9b837744aed8c94e7ca273bc43
parentd2f0d05807fc70c68dcc22bcc6979147782d4adf
Ensure that EXFLAG_INVALID_POLICY is checked even in leaf certs

Even though we check the leaf cert to confirm it is valid, we
later ignored the invalid flag and did not notice that the leaf
cert was bad.

Fixes: CVE-2023-0465
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20587)
crypto/x509/x509_vfy.c