Some dude named Tavis Ormandy reported a bug which has gone unfixed.

http://marc.info/?l=openssl-users&m=138014120223264&w=2 Arguably a doc bug, but we argue not. If you parse a new cert into memory occupied by a previously verified cert, the new cert will inherit that state, bypassing future verification checks. To avoid this, we will always start fresh with a new object. grudging ok from guenther, after i threatened to make him read the code yet again. "that ok was way more painful and tiring then it should have been"
libressl · Apr 18, 2014 · 91744d3 · 91744d3
1 parent 0979258
commit 91744d3
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 0 deletions.
diff --git a/src/lib/libcrypto/asn1/tasn_dec.c b/src/lib/libcrypto/asn1/tasn_dec.c
@@ -171,6 +171,11 @@ ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
 
 	if (!pval)
 		return 0;
+	/* always start fresh */
+	if (*pval) {
+		ASN1_item_ex_free(pval, it);
+		*pval = NULL;
+	}
 	if (aux && aux->asn1_cb)
 		asn1_cb = aux->asn1_cb;
 	else

diff --git a/src/lib/libssl/src/crypto/asn1/tasn_dec.c b/src/lib/libssl/src/crypto/asn1/tasn_dec.c
@@ -171,6 +171,11 @@ ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
 
 	if (!pval)
 		return 0;
+	/* always start fresh */
+	if (*pval) {
+		ASN1_item_ex_free(pval, it);
+		*pval = NULL;
+	}
 	if (aux && aux->asn1_cb)
 		asn1_cb = aux->asn1_cb;
 	else