Ensure that EXFLAG_INVALID_POLICY is checked even in leaf certs
authorMatt Caswell <matt@openssl.org>
Tue, 7 Mar 2023 16:52:55 +0000 (16:52 +0000)
committerTomas Mraz <tomas@openssl.org>
Tue, 28 Mar 2023 12:09:38 +0000 (14:09 +0200)
commitb013765abfa80036dc779dd0e50602c57bb3bf95
tree82c349de4c3059d06a9fb0c92069dbec65d9c269
parentf675d164e5d9648c3537a0f5efe1cc2fd232b4a9
Ensure that EXFLAG_INVALID_POLICY is checked even in leaf certs

Even though we check the leaf cert to confirm it is valid, we
later ignored the invalid flag and did not notice that the leaf
cert was bad.

Fixes: CVE-2023-0465
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20588)
crypto/x509/x509_vfy.c