From 1b69f1667f3673a6f846a8e2776d150f6b68d54b Mon Sep 17 00:00:00 2001 From: Nalin Dahyabhai Date: Mon, 1 Nov 2010 17:00:32 -0400 Subject: [PATCH 095/150] - give the id context and req context pointers to each other so that they can both hang on to the peer cert and clean up for each other, whichever we clean up first --- src/plugins/preauth/pkinit/pkinit_crypto_nss.c | 30 ++++++++++++++++++++++- 1 files changed, 28 insertions(+), 2 deletions(-) diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c index 1e9abd9..54cfdf0 100644 --- a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c +++ b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c @@ -226,7 +226,8 @@ struct _pkinit_req_crypto_context { SECKEYPrivateKey *client_dh_privkey; /* used by clients */ SECKEYPublicKey *client_dh_pubkey; /* used by clients */ struct domain_parameters client_dh_params; /* used by KDCs */ - CERTCertificate *peer_cert; /* the other party */ + CERTCertificate *peer_cert; /* the other party, shared */ + struct _pkinit_identity_crypto_context *peer_cert_holder; }; struct _pkinit_identity_crypto_context { @@ -236,7 +237,8 @@ struct _pkinit_identity_crypto_context { PK11SlotInfo **id_userdbs; PK11GenericObject **id_objects; CERTCertList *id_certs, *ca_certs; - CERTCertificate *id_cert; + CERTCertificate *id_cert, *peer_cert; /* the other party, shared */ + struct _pkinit_req_crypto_context *peer_cert_holder; struct { krb5_context context; krb5_prompter_fct prompter; @@ -648,7 +650,19 @@ pkinit_init_identity_crypto(pkinit_identity_crypto_context *id_cryptoctx) void pkinit_fini_identity_crypto(pkinit_identity_crypto_context id_cryptoctx) { + struct _pkinit_req_crypto_context *peer_holder; int i; + if (id_cryptoctx->peer_cert != NULL) { + CERT_DestroyCertificate(id_cryptoctx->peer_cert); + } + if (id_cryptoctx->peer_cert_holder != NULL) { + peer_holder = id_cryptoctx->peer_cert_holder; + if (peer_holder->peer_cert != NULL) { + CERT_DestroyCertificate(peer_holder->peer_cert); + peer_holder->peer_cert_holder = NULL; + peer_holder->peer_cert = NULL; + } + } if (id_cryptoctx->id_cert != NULL) { CERT_DestroyCertificate(id_cryptoctx->id_cert); } @@ -766,6 +780,7 @@ pkinit_init_req_crypto(pkinit_req_crypto_context *req_cryptoctx) void pkinit_fini_req_crypto(pkinit_req_crypto_context req_cryptoctx) { + struct _pkinit_identity_crypto_context *peer_holder; if (req_cryptoctx->client_dh_privkey != NULL) { SECKEY_DestroyPrivateKey(req_cryptoctx->client_dh_privkey); } @@ -775,6 +790,14 @@ pkinit_fini_req_crypto(pkinit_req_crypto_context req_cryptoctx) if (req_cryptoctx->peer_cert != NULL) { CERT_DestroyCertificate(req_cryptoctx->peer_cert); } + if (req_cryptoctx->peer_cert_holder != NULL) { + peer_holder = req_cryptoctx->peer_cert_holder; + if (peer_holder->peer_cert != NULL) { + CERT_DestroyCertificate(peer_holder->peer_cert); + peer_holder->peer_cert_holder = NULL; + peer_holder->peer_cert = NULL; + } + } PORT_FreeArena(req_cryptoctx->pool, PR_TRUE); } @@ -4140,6 +4163,9 @@ crypto_signeddata_common_verify(krb5_context context, } cert = NSS_CMSSignerInfo_GetSigningCertificate(signer, certdb); req_cryptoctx->peer_cert = CERT_DupCertificate(cert); + req_cryptoctx->peer_cert_holder = id_cryptoctx; + id_cryptoctx->peer_cert_holder = req_cryptoctx; + id_cryptoctx->peer_cert = CERT_DupCertificate(cert); *is_signed = 1; return 0; } -- 1.7.6.4