CDRIVER-3228 fix memory leaks in SChannel cert loading (#2009) (#2014)

* Store and free client cert context
* Free on successful load of client cert
** Do not return before `fail` label.
* Free `hKey`
* Free pem file and cert when loading CA file
* Release provider context on error
* NUL terminate pem file contents
** To ensure `strstr` does not read past memory on failure to find.
* Remove unused printf
* Add `read_file_and_null_terminate` helper
* Rename `encrypted_*` to `encoded_*`
** Encrypted keys are not supported with SChannel.
** "encoded" is consistent with naming in WinCrypt API.
* check if `pem_public` is NULL
** Avoids NULL deref if PEM file does not have public cert
* Remove call to `CryptQueryObject` for public cert
** The flag `CERT_QUERY_CONTENT_FLAG_ALL`  is likely incorrect (only certificate is expected)
* Remove call to `CryptQueryObject` for CRL
** Return was wrongly stored in a `CERT_CONTEXT` (needed `CRL_CONTEXT`).
** Use `CertCreateCRLContext` for consistency with other PEM-reading functions.
* Remove unused params

---------

Co-authored-by: Ezra Chung <[email protected]>

Author: kevinAlbs

src/libmongoc/src/mongoc/mongoc-secure-channel-private.h

@@ -33,10 +33,14 @@
 BSON_BEGIN_DECLS
 
 bool
-mongoc_secure_channel_setup_ca (mongoc_stream_tls_secure_channel_t *secure_channel, mongoc_ssl_opt_t *opt);
+mongoc_secure_channel_setup_ca (mongoc_ssl_opt_t *opt);
 
 bool
-mongoc_secure_channel_setup_crl (mongoc_stream_tls_secure_channel_t *secure_channel, mongoc_ssl_opt_t *opt);
+mongoc_secure_channel_setup_crl (mongoc_ssl_opt_t *opt);
+
+// mongoc_secure_channel_load_crl is used in tests.
+PCCRL_CONTEXT
+mongoc_secure_channel_load_crl (const char *crl_file);
 
 ssize_t
 mongoc_secure_channel_read (mongoc_stream_tls_t *tls, void *data, size_t data_length);
@@ -45,7 +49,7 @@ ssize_t
 mongoc_secure_channel_write (mongoc_stream_tls_t *tls, const void *data, size_t data_length);
 
 PCCERT_CONTEXT
-mongoc_secure_channel_setup_certificate (mongoc_stream_tls_secure_channel_t *secure_channel, mongoc_ssl_opt_t *opt);
+mongoc_secure_channel_setup_certificate (mongoc_ssl_opt_t *opt);
 
 
 /* it may require 16k + some overhead to hold one decryptable block of data - do