OpenSSL 3.2.0: dane_tlsa_add(): tlsa_free() problem?
Viktor Dukhovni
openssl-users at dukhovni.org
Sat Nov 25 19:43:57 UTC 2023
On Sat, Nov 25, 2023 at 01:47:13PM -0500, Viktor Dukhovni wrote:
> + /*
> + * The Full(0) certificate decodes to a seemingly valid X.509
> + * object with a plausible key, so the TLSA record is well
> + * formed. However, we don't actually need the certifiate for
> + * usages PKIX-EE(1) or DANE-EE(3), because at least the EE
> + * certificate is always presented by the peer. We discard the
> + * certificate, and just use the TLSA data as an opaque blob
> + * for matching the raw presented DER octets.
> + *
> + * DO NOT FREE `t` here, it will be added to the TLSA record
> + * list below!
> + */
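Review bot: typo in the new comment, "certifiate" should read "certificate" in the line "However, we don't actually need the certifiate for"; worth fixing in the same commit since the comment is the only thing explaining why `t` must not be freed at that point.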
I've opened PRs against the "openssl-3.2" and "master" branches:
https://github.com/openssl/openssl/pull/22820
https://github.com/openssl/openssl/pull/22821
--
Viktor.
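As an added illustration (not code from this thread, from OpenSSL, or from the patch under discussion), the following Python model shows the matching rule the quoted comment describes: for PKIX-EE(1) and DANE-EE(3) records with selector Full(0), the TLSA data is kept as an opaque blob and compared against the raw DER octets the peer presents, without the certificate ever being decoded. The class and function names and the sample "DER" byte strings are my own constructions (the byte strings are not real certificates); the usage, selector and matching-type values are the ones defined in RFC 6698.

```python
import hashlib

# Field values from RFC 6698 section 2.1 (real protocol constants).
PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3   # certificate usage
SEL_FULL, SEL_SPKI = 0, 1                          # selector
MT_FULL, MT_SHA256, MT_SHA512 = 0, 1, 2            # matching type

_DIGEST_LEN = {MT_SHA256: 32, MT_SHA512: 64}


def parse_tlsa_rdata(presentation: str):
    """Parse TLSA presentation form ('usage selector mtype hex...') into
    (usage, selector, mtype, data). The hex field may be broken up by
    whitespace as in zone files. Digest lengths are checked so a malformed
    record is rejected before it is added to a matching list."""
    parts = presentation.split(None, 3)
    if len(parts) != 4:
        raise ValueError("TLSA rdata needs four fields")
    usage, selector, mtype = (int(p) for p in parts[:3])
    if not (0 <= usage <= 3 and 0 <= selector <= 1 and 0 <= mtype <= 2):
        raise ValueError("unsupported TLSA usage/selector/matching type")
    data = bytes.fromhex("".join(parts[3].split()))
    if mtype in _DIGEST_LEN and len(data) != _DIGEST_LEN[mtype]:
        raise ValueError("TLSA digest length does not match matching type")
    if mtype == MT_FULL and not data:
        raise ValueError("TLSA Full(0) record carries no data")
    return usage, selector, mtype, data


def tlsa_rdata_for(der: bytes, usage: int, mtype: int) -> str:
    """Build the presentation-form record a zone operator would publish for
    a full certificate (selector 0) with the given matching type."""
    if mtype == MT_FULL:
        blob = der
    elif mtype == MT_SHA256:
        blob = hashlib.sha256(der).digest()
    elif mtype == MT_SHA512:
        blob = hashlib.sha512(der).digest()
    else:
        raise ValueError("unknown matching type")
    return f"{usage} {SEL_FULL} {mtype} {blob.hex()}"


class EeTlsaSet:
    """Holds PKIX-EE(1)/DANE-EE(3) records with selector Full(0). The record
    data is stored as an opaque blob; the certificate it encodes is never
    decoded or kept, because the peer always presents its EE certificate."""

    def __init__(self):
        self.records = []

    def add(self, presentation: str) -> None:
        usage, selector, mtype, data = parse_tlsa_rdata(presentation)
        if usage not in (PKIX_EE, DANE_EE) or selector != SEL_FULL:
            raise ValueError("this set only holds EE usages with selector Full(0)")
        self.records.append((usage, mtype, data))

    def match(self, presented_der: bytes):
        """Return the index of the first record matching the raw DER octets
        of the peer's end-entity certificate, or None if nothing matches."""
        for i, (_usage, mtype, data) in enumerate(self.records):
            if mtype == MT_FULL:
                ok = data == presented_der
            elif mtype == MT_SHA256:
                ok = hashlib.sha256(presented_der).digest() == data
            else:  # MT_SHA512, the only other value parse_tlsa_rdata admits
                ok = hashlib.sha512(presented_der).digest() == data
            if ok:
                return i
        return None


def match_ee_cert(presentations, presented_der: bytes):
    """Load a list of presentation-form records and report which one (by
    index) matches the presented certificate, or None."""
    tlsa = EeTlsaSet()
    for p in presentations:
        tlsa.add(p)
    return tlsa.match(presented_der)


# Constructed stand-ins for a certificate's DER encoding. They are not real
# X.509 certificates, which is the point: the matcher never has to parse them.
SAMPLE_EE_DER = b"\x30\x82\x00\x20" + b"constructed stand-in EE cert DER"
OTHER_EE_DER = b"\x30\x82\x00\x1e" + b"a different presented cert DER"


if __name__ == "__main__":
    published = [
        tlsa_rdata_for(SAMPLE_EE_DER, DANE_EE, MT_SHA256),
        tlsa_rdata_for(SAMPLE_EE_DER, PKIX_EE, MT_FULL),
    ]
    print("sample cert matches record:", match_ee_cert(published, SAMPLE_EE_DER))
    print("other cert matches record:", match_ee_cert(published, OTHER_EE_DER))
```

The set deliberately stores only the tuple produced by parse_tlsa_rdata: once a record is added, the blob lives in the list and nothing else owns it, which is the ownership rule the quoted comment is warning about in the C code.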