authorViktor Dukhovni <openssl-users@dukhovni.org>2023-11-25 13:26:20 -0500
committerTomas Mraz <tomas@openssl.org>2023-11-29 10:31:42 +0100
commitf636e7e6bd8e06c6d84e42729b4131b4f5df488f (patch)
tree376f2e876b9310c8a33a75ac1d955683cea45dc7 /ssl
parent870f26e66ad6c52af6ec6100fb9f5d5ce67c6586 (diff)
Fix freshly introduced double-free.
We don't need the decoded X.509 Full(0) certificate for the EE usages 1 and 3, because the leaf certificate is always part of the presented chain, so the certificate is only validated as well-formed, and then discarded, but the TLSA record is of course still used after the validation step. Added DANE test cases for: 3 0 0, 3 1 0, 1 0 0, and 1 1 0 Reported by Claus Assmann. Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22821)
Diffstat (limited to 'ssl')
-rw-r--r--ssl/ssl_lib.c13
1 files changed, 12 insertions, 1 deletions
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index b9858be937..0150589fea 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -340,8 +340,19 @@ static int dane_tlsa_add(SSL_DANE *dane,
}
if ((DANETLS_USAGE_BIT(usage) & DANETLS_TA_MASK) == 0) {
+ /*
+ * The Full(0) certificate decodes to a seemingly valid X.509
+ * object with a plausible key, so the TLSA record is well
+ * formed. However, we don't actually need the certifiate for
+ * usages PKIX-EE(1) or DANE-EE(3), because at least the EE
+ * certificate is always presented by the peer. We discard the
+ * certificate, and just use the TLSA data as an opaque blob
+ * for matching the raw presented DER octets.
+ *
+ * DO NOT FREE `t` here, it will be added to the TLSA record
+ * list below!
+ */
X509_free(cert);
- tlsa_free(t);
break;
}
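Review bot: The comment added in the EE-usage branch misspells "certificate" on its fourth line; it should read `* formed. However, we don't actually need the certificate for`. The DO NOT FREE warning is the only thing documenting ownership of t at this point, and the code that adds t to the TLSA record list lies outside this hunk (dane_tlsa_add starts and ends outside it), so the hand-off cannot be checked from here; naming the insertion site in the comment would make it easier to audit. The DANE test cases mentioned in the commit message are not part of this 'ssl'-limited view; running them under a memory-error detector such as AddressSanitizer would catch a reintroduced free on this path.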