Skip to content

Commit b6e91c8

Browse files
CDRIVER-3228 fix memory leaks in SChannel cert loading (#2009) (#2014)
* Store and free client cert context * Free on successful load of client cert ** Do not return before `fail` label. * Free `hKey` * Free pem file and cert when loading CA file * Release provider context on error * NUL terminate pem file contents ** To ensure `strstr` does not read past memory on failure to find. * Remove unused printf * Add `read_file_and_null_terminate` helper * Rename `encrypted_*` to `encoded_*` ** Encrypted keys are not supported with SChannel. ** "encoded" is consistent with naming in WinCrypt API. * check if `pem_public` is NULL ** Avoids NULL deref if PEM file does not have public cert * Remove call to `CryptQueryObject` for public cert ** The flag `CERT_QUERY_CONTENT_FLAG_ALL` is likely incorrect (only certificate is expected) * Remove call to `CryptQueryObject` for CRL ** Return was wrongly stored in a `CERT_CONTEXT` (needed `CRL_CONTEXT`). ** Use `CertCreateCRLContext` for consistency with other PEM-reading functions. * Remove unused params --------- Co-authored-by: Ezra Chung <[email protected]>
1 parent d44bbb9 commit b6e91c8

File tree

5 files changed

+413
-166
lines changed

5 files changed

+413
-166
lines changed

src/libmongoc/src/mongoc/mongoc-secure-channel-private.h

Lines changed: 7 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -33,10 +33,14 @@
3333
BSON_BEGIN_DECLS
3434

3535
bool
36-
mongoc_secure_channel_setup_ca (mongoc_stream_tls_secure_channel_t *secure_channel, mongoc_ssl_opt_t *opt);
36+
mongoc_secure_channel_setup_ca (mongoc_ssl_opt_t *opt);
3737

3838
bool
39-
mongoc_secure_channel_setup_crl (mongoc_stream_tls_secure_channel_t *secure_channel, mongoc_ssl_opt_t *opt);
39+
mongoc_secure_channel_setup_crl (mongoc_ssl_opt_t *opt);
40+
41+
// mongoc_secure_channel_load_crl is used in tests.
42+
PCCRL_CONTEXT
43+
mongoc_secure_channel_load_crl (const char *crl_file);
4044

4145
ssize_t
4246
mongoc_secure_channel_read (mongoc_stream_tls_t *tls, void *data, size_t data_length);
@@ -45,7 +49,7 @@ ssize_t
4549
mongoc_secure_channel_write (mongoc_stream_tls_t *tls, const void *data, size_t data_length);
4650

4751
PCCERT_CONTEXT
48-
mongoc_secure_channel_setup_certificate (mongoc_stream_tls_secure_channel_t *secure_channel, mongoc_ssl_opt_t *opt);
52+
mongoc_secure_channel_setup_certificate (mongoc_ssl_opt_t *opt);
4953

5054

5155
/* it may require 16k + some overhead to hold one decryptable block of data - do

0 commit comments

Comments
 (0)