Ylianst · mgr-inz-rafal · May 22, 2026 · May 22, 2026 · May 22, 2026 · May 22, 2026
diff --git a/meshcore/agentcore.c b/meshcore/agentcore.c
@@ -3552,7 +3552,6 @@ void MeshServer_OnResponse(ILibWebClient_StateObject WebStateObject, int Interru
 	if (agent->controlChannelRequest != NULL)
 	{
 		ILibLifeTime_Remove(ILibGetBaseTimer(agent->chain), agent->controlChannelRequest);
-		ILibMemory_Free(agent->controlChannelRequest);
 		agent->controlChannelRequest = NULL;
 	}
 
@@ -4026,6 +4025,7 @@ void MeshServer_ConnectEx(MeshAgentHostContainer *agent)
 		{
 			printf("agentcore: DNS Lock[%s]: Unauthorized to connect to: %s\n", agent->DNS_LOCK, host);
 			free(host); free(path);
+			ILibDestructParserResults(rs);
 			ILibLifeTime_Add(ILibGetBaseTimer(agent->chain), agent, 5, MeshServer_ConnectEx_Lockout_Retry, NULL);
 			return;
 		}
@@ -4103,6 +4103,7 @@ void MeshServer_ConnectEx(MeshAgentHostContainer *agent)
 		{
 			printf("agentcore: ServerID Lock: ServerID MISMATCH for: %s\n", host);
 			free(host); free(path);
+			ILibDestructParserResults(rs);
 			ILibLifeTime_Add(ILibGetBaseTimer(agent->chain), agent, 5, MeshServer_ConnectEx_Lockout_Retry, NULL);
 			return;
 		}
@@ -4265,20 +4266,11 @@ void MeshServer_Agent_SelfTest(MeshAgentHostContainer *agent)
 	duk_pop(agent->meshCoreCtx);
 }
 
-void MeshServer_Connect(MeshAgentHostContainer *agent)
+#ifdef WIN32
+static void MeshServer_CheckAuthenticode(MeshAgentHostContainer *agent)
 {
-	unsigned int timeout;
+	if (agent->authenticodeChecked != 0) return;
 
-	// If this is called while we are in any connection state, just leave now.
-	if (agent->serverConnectionState != 0) return;
-
-	if (ILibSimpleDataStore_Get(agent->masterDb, "selfTest", NULL, 0) != 0)
-	{
-		MeshServer_Agent_SelfTest(agent);
-		return;
-	}
-
-#ifdef WIN32
 	duk_idx_t top = duk_get_top(agent->meshCoreCtx);
 	if (duk_peval_string(agent->meshCoreCtx, "require('win-authenticode-opus')(process.execPath);") == 0)							// [obj]
 	{
@@ -4302,6 +4294,26 @@ void MeshServer_Connect(MeshAgentHostContainer *agent)
 		}
 	}
 	duk_set_top(agent->meshCoreCtx, top);																							// ...
+	duk_gc(agent->meshCoreCtx, 0);
+	agent->authenticodeChecked = 1;
+}
+#endif
+
+void MeshServer_Connect(MeshAgentHostContainer *agent)
+{
+	unsigned int timeout;
+
+	// If this is called while we are in any connection state, just leave now.
+	if (agent->serverConnectionState != 0) return;
+
+	if (ILibSimpleDataStore_Get(agent->masterDb, "selfTest", NULL, 0) != 0)
+	{
+		MeshServer_Agent_SelfTest(agent);
+		return;
+	}
+
+#ifdef WIN32
+	MeshServer_CheckAuthenticode(agent);
 #endif
 
 	util_random(sizeof(int), (char*)&timeout);
@@ -4527,6 +4539,7 @@ MeshAgentHostContainer* MeshAgent_Create(MeshCommand_AuthInfo_CapabilitiesMask c
 			retVal->shCore = NULL;
 		}
 	}
+	retVal->authenticodeChecked = 0;
 #endif
 
 	retVal->agentID = (AgentIdentifiers)MESH_AGENTID;

diff --git a/meshcore/agentcore.h b/meshcore/agentcore.h
@@ -187,6 +187,7 @@ typedef struct MeshAgentHostContainer
 	DpiAwarenessFunc dpiAwareness;
 	char DNS_LOCK[255];
 	char ID_LOCK[255];
+	int authenticodeChecked;
 #endif
 
 	int showModuleNames;

diff --git a/modules/win-authenticode-opus.js b/modules/win-authenticode-opus.js
@@ -33,14 +33,16 @@ function read(path)
     crypt.CreateMethod('CryptQueryObject');
     crypt.CreateMethod('CryptMsgGetParam');
     crypt.CreateMethod('CryptDecodeObject');
+    crypt.CreateMethod('CertCloseStore');
+    crypt.CreateMethod('CryptMsgClose');
 
     var dwEncoding = GM.CreateVariable(4);
     var dwContentType = GM.CreateVariable(4);
     var dwFormatType = GM.CreateVariable(4);
     var hStore = GM.CreatePointer();
     var hMsg = GM.CreatePointer();
     var dwSignerInfo = GM.CreateVariable(4);
-    var n, result;
+    var n, result = null;
 
     if (crypt.CryptQueryObject(CERT_QUERY_OBJECT_FILE, GM.CreateVariable(path, { wide: true }),
                     CERT_QUERY_CONTENT_FLAG_PKCS7_SIGNED_EMBED,
@@ -87,15 +89,19 @@ function read(path)
                         var opus = GM.CreateVariable(dwData.toBuffer().readUInt32LE());
                         if (crypt.CryptDecodeObject(ENCODING, GM.CreateVariable(SPC_SP_OPUS_INFO_OBJID), pb, cb, 0, opus, dwData).Val != 0)
                         {
-
-                            return ({ description: opus.Deref().Val != 0 ? opus.Deref().Wide2UTF8 : null, url: opus.Deref(GM.PointerSize, GM.PointerSize).Deref().Val != 0 ? opus.Deref(GM.PointerSize, GM.PointerSize).Deref().Deref(GM.PointerSize, GM.PointerSize).Deref().Wide2UTF8.trim() : null });
+                            result = { description: opus.Deref().Val != 0 ? opus.Deref().Wide2UTF8 : null, url: opus.Deref(GM.PointerSize, GM.PointerSize).Deref().Val != 0 ? opus.Deref(GM.PointerSize, GM.PointerSize).Deref().Deref(GM.PointerSize, GM.PointerSize).Deref().Wide2UTF8.trim() : null };
                         }
                     }
+                    break;
                 }
             }
         }
     }
-    return (null);
+
+    if (hMsg.Deref().Val != 0) { crypt.CryptMsgClose(hMsg.Deref()); }
+    if (hStore.Deref().Val != 0) { crypt.CertCloseStore(hStore.Deref(), 0); }
+
+    return (result);
 }
 function locked(uri)
 {