[openssl/openssl] 9b7e14: Fix freshly introduced double-free.

openssl-machine noreply at github.com
Wed Nov 29 09:42:09 UTC 2023


  Branch: refs/heads/openssl-3.0
  Home:   https://github.com/openssl/openssl
  Commit: 9b7e14c91d404fb616b6cd7be28df5bbf5c196eb
      https://github.com/openssl/openssl/commit/9b7e14c91d404fb616b6cd7be28df5bbf5c196eb
  Author: Viktor Dukhovni <openssl-users at dukhovni.org>
  Date:   2023-11-29 (Wed, 29 Nov 2023)

  Changed paths:
    M ssl/ssl_lib.c
    M test/danetest.in

  Log Message:
  -----------
  Fix freshly introduced double-free.

We don't need the decoded X.509 Full(0) certificate for the EE usages 1 and 3,
because the leaf certificate is always part of the presented chain, so the
certificate is only validated as well-formed, and then discarded, but the
TLSA record is of course still used after the validation step.

Added DANE test cases for: 3 0 0, 3 1 0, 1 0 0, and 1 1 0

Reported by Claus Assmann.

Reviewed-by: Hugo Landau <hlandau at openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger at hotmail.de>
Reviewed-by: Richard Levitte <levitte at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22821)

(cherry picked from commit f636e7e6bd8e06c6d84e42729b4131b4f5df488f)


  Commit: e3b9cc49de3ae020cd660dcd74512455558ec3b1
      https://github.com/openssl/openssl/commit/e3b9cc49de3ae020cd660dcd74512455558ec3b1
  Author: Viktor Dukhovni <openssl-users at dukhovni.org>
  Date:   2023-11-29 (Wed, 29 Nov 2023)

  Changed paths:
    M test/danetest.in

  Log Message:
  -----------
  Add last missing TLSA usage/selector/mtype test case

There were no PKIX-TA(0) SPKI(1) Full(0) (i.e. "0 1 0") test cases in
"danetest.in".

There is now at least a success case, which will exercise freeing the public
key after it is sanity checked, since with PKIX-TA(0) there's nothing we can do
with just the raw public key, a full chain to a local trust anchor is in any
case required.

The failure (to match) code path is already well oiled, but failure to decode
while adding malfored TLSA records could still use some additional tests...

Reviewed-by: Hugo Landau <hlandau at openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger at hotmail.de>
Reviewed-by: Richard Levitte <levitte at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22821)

(cherry picked from commit c8fe4b5948486e792016208f7c8ccea9c380f354)


Compare: https://github.com/openssl/openssl/compare/c10e911cba74...e3b9cc49de3a


More information about the openssl-commits mailing list