Commit 0ace7b7bcf for openssl.org
commit 0ace7b7bcf5b1f1492a9d4f053d9e8807dd0f566
Author: Neil Horman <nhorman@openssl.org>
Date: Wed Feb 11 13:38:56 2026 -0500
Fix a legitimate leak in v2i_issuer_sign_tool
Valgrind found a legitimate leak that, somehow asan missed.
v2i_issuer_sign_tool, when creating a new issuer sign tool,
automatically creates the member utf8 asn1 string objects for us.
However, based on configuration, this function will also create its own
utf8 asn1 strings, which overwrite those initial allocations, creating a
leak.
We don't need to create those strings at all in this function, just make
sure the ISSUER_SIGN_TOOL_new function did it for us, by checking them
all for NULL
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
MergeDate: Tue Feb 24 15:11:16 2026
(Merged from https://github.com/openssl/openssl/pull/30003)
diff --git a/crypto/x509/v3_ist.c b/crypto/x509/v3_ist.c
index fb7aaacbb3..345142464f 100644
--- a/crypto/x509/v3_ist.c
+++ b/crypto/x509/v3_ist.c
@@ -48,7 +48,6 @@ static ISSUER_SIGN_TOOL *v2i_issuer_sign_tool(X509V3_EXT_METHOD *method, X509V3_
continue;
}
if (strcmp(cnf->name, "signTool") == 0) {
- ist->signTool = ASN1_UTF8STRING_new();
if (ist->signTool == NULL
|| cnf->value == NULL
|| !ASN1_STRING_set(ist->signTool, cnf->value, (int)strlen(cnf->value))) {
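Review bot: With the local allocation removed, the `ist->signTool == NULL` test in the signTool branch relies on an invariant that only the commit message states: ISSUER_SIGN_TOOL_new has already allocated every member string. A one-line comment above the check would keep a later edit from re-adding the allocation and the leak with it, for example `/* signTool is allocated by ISSUER_SIGN_TOOL_new(); do not allocate it again here */`. The same comment fits the cATool, signToolCert and cAToolCert branches in the following hunks. The NULL test shares its error branch with a missing `cnf->value`, and that branch's body lies outside the hunk, so whether the reported error tells the two cases apart cannot be checked from here.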
@@ -56,7 +55,6 @@ static ISSUER_SIGN_TOOL *v2i_issuer_sign_tool(X509V3_EXT_METHOD *method, X509V3_
goto err;
}
} else if (strcmp(cnf->name, "cATool") == 0) {
- ist->cATool = ASN1_UTF8STRING_new();
if (ist->cATool == NULL
|| cnf->value == NULL
|| !ASN1_STRING_set(ist->cATool, cnf->value, (int)strlen(cnf->value))) {
@@ -64,7 +62,6 @@ static ISSUER_SIGN_TOOL *v2i_issuer_sign_tool(X509V3_EXT_METHOD *method, X509V3_
goto err;
}
} else if (strcmp(cnf->name, "signToolCert") == 0) {
- ist->signToolCert = ASN1_UTF8STRING_new();
if (ist->signToolCert == NULL
|| cnf->value == NULL
|| !ASN1_STRING_set(ist->signToolCert, cnf->value, (int)strlen(cnf->value))) {
@@ -72,7 +69,6 @@ static ISSUER_SIGN_TOOL *v2i_issuer_sign_tool(X509V3_EXT_METHOD *method, X509V3_
goto err;
}
} else if (strcmp(cnf->name, "cAToolCert") == 0) {
- ist->cAToolCert = ASN1_UTF8STRING_new();
if (ist->cAToolCert == NULL
|| cnf->value == NULL
|| !ASN1_STRING_set(ist->cAToolCert, cnf->value, (int)strlen(cnf->value))) {
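Review bot: The cAToolCert branch is the fourth copy of the same three-part condition, which is why the leak had to be removed in four places; a small static helper would give the check a single home. The helper is also the natural place to bound the `(int)strlen(cnf->value)` narrowing, which as written would misreport the length of a value longer than INT_MAX (unlikely for a config value, but unchecked in the visible lines). The sketch below uses a constructed helper name and leaves each branch's error reporting untouched. v2i_issuer_sign_tool starts and ends outside these hunks, so the helper's placement and the error path are assumptions to confirm against the full file.

```c
/* Store a config value in a member string that ISSUER_SIGN_TOOL_new() already allocated. */
static int ist_set_member(ASN1_UTF8STRING *dst, const char *value)
{
    size_t len;

    if (dst == NULL || value == NULL)
        return 0;
    len = strlen(value);
    if (len > INT_MAX)
        return 0;
    return ASN1_STRING_set(dst, value, (int)len);
}

/* … unchanged: signTool, cATool and signToolCert branches, rewritten the same way … */
        } else if (strcmp(cnf->name, "cAToolCert") == 0) {
            if (!ist_set_member(ist->cAToolCert, cnf->value)) {
                /* … unchanged: error reporting and goto err … */
```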