[openssl/openssl] f636e7: Fix freshly introduced double-free.

openssl-machine noreply at github.com
Wed Nov 29 09:34:15 UTC 2023 

  Branch: refs/heads/master
  Home:   https://github.com/openssl/openssl
  Commit: f636e7e6bd8e06c6d84e42729b4131b4f5df488f
      https://github.com/openssl/openssl/commit/f636e7e6bd8e06c6d84e42729b4131b4f5df488f
  Author: Viktor Dukhovni <openssl-users at dukhovni.org>
  Date:   2023-11-29 (Wed, 29 Nov 2023)

  Changed paths:
    M ssl/ssl_lib.c
    M test/danetest.in

  Log Message:
  -----------
  Fix freshly introduced double-free.

We don't need the decoded X.509 Full(0) certificate for the EE usages 1 and 3,
because the leaf certificate is always part of the presented chain, so the
certificate is only validated as well-formed, and then discarded, but the
TLSA record is of course still used after the validation step.

Added DANE test cases for: 3 0 0, 3 1 0, 1 0 0, and 1 1 0

Reported by Claus Assmann.

Reviewed-by: Hugo Landau <hlandau at openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger at hotmail.de>
Reviewed-by: Richard Levitte <levitte at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22821)


  Commit: c8fe4b5948486e792016208f7c8ccea9c380f354
      https://github.com/openssl/openssl/commit/c8fe4b5948486e792016208f7c8ccea9c380f354
  Author: Viktor Dukhovni <openssl-users at dukhovni.org>
  Date:   2023-11-29 (Wed, 29 Nov 2023)

  Changed paths:
    M test/danetest.in

  Log Message:
  -----------
  Add last missing TLSA usage/selector/mtype test case

There were no PKIX-TA(0) SPKI(1) Full(0) (i.e. "0 1 0") test cases in
"danetest.in".

There is now at least a success case, which will exercise freeing the public
key after it is sanity checked, since with PKIX-TA(0) there's nothing we can do
with just the raw public key, a full chain to a local trust anchor is in any
case required.

The failure (to match) code path is already well oiled, but failure to decode
while adding malfored TLSA records could still use some additional tests...

Reviewed-by: Hugo Landau <hlandau at openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger at hotmail.de>
Reviewed-by: Richard Levitte <levitte at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22821)


Compare: https://github.com/openssl/openssl/compare/870f26e66ad6...c8fe4b594848

More information about the openssl-commits mailing list