http://marc.info/?l=openssl-users&m=138014120223264&w=2
Arguably a doc bug, but we argue not. If you parse a new cert into memory
occupied by a previously verified cert, the new cert will inherit that
state, bypassing future verification checks. To avoid this, we will always
start fresh with a new object.
grudging ok from guenther, after i threatened to make him read the code yet
again. "that ok was way more painful and tiring than it should have been"
if (!pval)
return 0;
+ /* always start fresh */
+ if (*pval) {
+ ASN1_item_ex_free(pval, it);
+ *pval = NULL;
+ }
if (aux && aux->asn1_cb)
asn1_cb = aux->asn1_cb;
else
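Review bot: the free in the added if (*pval) block runs on entry, before any input has been parsed, so a caller that passes an existing object loses it even when the decode later fails, and any other pointer the caller still holds to that object is left dangling. Since the commit message itself calls this arguably a doc bug, please document the new contract alongside the change: an object passed in through *pval is always released and replaced, never reused, and callers must not keep a second reference to it across the call.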
if (!pval)
return 0;
+ /* always start fresh */
+ if (*pval) {
+ ASN1_item_ex_free(pval, it);
+ *pval = NULL;
+ }
if (aux && aux->asn1_cb)
asn1_cb = aux->asn1_cb;
else
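Review bot: ASN1_item_ex_free(pval, it) releases the old object using the template supplied for the new decode, which is only correct if whatever was already in *pval was built with that same it. Please state that assumption in the comment, and expand /* always start fresh */ to say why (state from the previously parsed object would otherwise carry over into the new one), so the block is not later removed as a pointless free. These are the same five lines as the previous hunk, so any wording change should be applied to both copies.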