[openssl/openssl] dcfed0: Fix freshly introduced double-free.

openssl-machine noreply at github.com
Wed Nov 29 09:42:08 UTC 2023


  Branch: refs/heads/openssl-3.1
  Home:   https://github.com/openssl/openssl
  Commit: dcfed001a969f7c6df2d6a53896f5c60a653212b
      https://github.com/openssl/openssl/commit/dcfed001a969f7c6df2d6a53896f5c60a653212b
  Author: Viktor Dukhovni <openssl-users at dukhovni.org>
  Date:   2023-11-29 (Wed, 29 Nov 2023)

  Changed paths:
    M ssl/ssl_lib.c
    M test/danetest.in

  Log Message:
  -----------
  Fix freshly introduced double-free.

We don't need the decoded X.509 Full(0) certificate for the EE usages 1 and 3,
because the leaf certificate is always part of the presented chain, so the
certificate is only validated as well-formed, and then discarded, but the
TLSA record is of course still used after the validation step.

Added DANE test cases for: 3 0 0, 3 1 0, 1 0 0, and 1 1 0

Reported by Claus Assmann.

Reviewed-by: Hugo Landau <hlandau at openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger at hotmail.de>
Reviewed-by: Richard Levitte <levitte at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22821)

(cherry picked from commit f636e7e6bd8e06c6d84e42729b4131b4f5df488f)


  Commit: f6b93319bea061075c095f9002f4db030770f507
      https://github.com/openssl/openssl/commit/f6b93319bea061075c095f9002f4db030770f507
  Author: Viktor Dukhovni <openssl-users at dukhovni.org>
  Date:   2023-11-29 (Wed, 29 Nov 2023)

  Changed paths:
    M test/danetest.in

  Log Message:
  -----------
  Add last missing TLSA usage/selector/mtype test case

There were no PKIX-TA(0) SPKI(1) Full(0) (i.e. "0 1 0") test cases in
"danetest.in".

There is now at least a success case, which will exercise freeing the public
key after it is sanity checked, since with PKIX-TA(0) there's nothing we can do
with just the raw public key, a full chain to a local trust anchor is in any
case required.

The failure (to match) code path is already well oiled, but failure to decode
while adding malfored TLSA records could still use some additional tests...

Reviewed-by: Hugo Landau <hlandau at openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger at hotmail.de>
Reviewed-by: Richard Levitte <levitte at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22821)

(cherry picked from commit c8fe4b5948486e792016208f7c8ccea9c380f354)


Compare: https://github.com/openssl/openssl/compare/3b61584ac74b...f6b93319bea0


More information about the openssl-commits mailing list