author: tedu <tedu@openbsd.org> 2014-04-18 15:03:20 +0000
committer: tedu <tedu@openbsd.org> 2014-04-18 15:03:20 +0000
commit: a25f52752d2d86a204d2b0f6d4346d6ee88bd76c
tree: 253a330af54a3d13fa63d80e568229e58d5378c1 /lib/libssl/src
parent: reaching into altq unconditionally (and w/o ifdef ALTQ) is bad, mmkay?
Some dude named Tavis Ormandy reported a bug which has gone unfixed.
http://marc.info/?l=openssl-users&m=138014120223264&w=2
Arguably a doc bug, but we argue not. If you parse a new cert into memory occupied by a previously verified cert, the new cert will inherit that state, bypassing future verification checks. To avoid this, we will always start fresh with a new object.

grudging ok from guenther, after i threatened to make him read the code yet again. "that ok was way more painful and tiring than it should have been"
Diffstat (limited to 'lib/libssl/src')
-rw-r--r-- lib/libssl/src/crypto/asn1/tasn_dec.c 5
1 files changed, 5 insertions, 0 deletions
diff --git a/lib/libssl/src/crypto/asn1/tasn_dec.c b/lib/libssl/src/crypto/asn1/tasn_dec.c
index f19c4571696..1ce40039b1b 100644
--- a/lib/libssl/src/crypto/asn1/tasn_dec.c
+++ b/lib/libssl/src/crypto/asn1/tasn_dec.c
@@ -171,6 +171,11 @@ ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
if (!pval)
return 0;
+ /* always start fresh */
+ if (*pval) {
+ ASN1_item_ex_free(pval, it);
+ *pval = NULL;
+ }
if (aux && aux->asn1_cb)
asn1_cb = aux->asn1_cb;
else
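Review bot: The new `if (*pval)` block frees the caller's object before any input has been parsed, so a caller that passes an existing object loses it even when decoding fails afterwards, and any other pointer the caller still holds to the old `*pval` is left dangling. That is a change to the contract for every caller that passes a non-NULL `*pval`, and the comment `/* always start fresh */` does not record it. I would expand the comment to state that object reuse is no longer supported and why (a reused object can carry state from the previous decode, per the commit message), and note that callers must not keep aliases to the object they pass in. Since the commit message itself calls this arguably a doc bug, the d2i documentation should be updated in the same change.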