authorrelyea%netscape.com <devnull@localhost>2002-04-12 19:05:21 +0000
committerrelyea%netscape.com <devnull@localhost>2002-04-12 19:05:21 +0000
commit06cfb9fce3ac974ddd6f90f8649c94643dd62b62 (patch)
treee2afae5a09e338f058b83ed7aaa90811ee68ba02 /security/nss/lib
parent58f42841249c15477fbc8a99d256299dba10da7a (diff)
Bug 133584: Fix reference leaks which prevent shutdown in NSS and in the tests.
Debug builds can verify correct operation by setting NSS_STRICT_SHUTDOWN, which will cause an assert if shutdown is called but not all the modules are freed (which means a slot, key, or cert reference has been leaked).
Diffstat (limited to 'security/nss/lib')
-rw-r--r--security/nss/lib/certdb/certdb.c6
-rw-r--r--security/nss/lib/certdb/stanpcertdb.c10
-rw-r--r--security/nss/lib/dev/devobject.c7
-rw-r--r--security/nss/lib/nss/nssinit.c2
-rw-r--r--security/nss/lib/pk11wrap/pk11cert.c9
-rw-r--r--security/nss/lib/pk11wrap/pk11pars.c17
-rw-r--r--security/nss/lib/pk11wrap/pk11skey.c11
-rw-r--r--security/nss/lib/pk11wrap/pk11slot.c8
-rw-r--r--security/nss/lib/pk11wrap/pk11util.c25
-rw-r--r--security/nss/lib/pk11wrap/secmodi.h2
-rw-r--r--security/nss/lib/pkcs12/p12d.c44
-rw-r--r--security/nss/lib/pkcs12/p12e.c21
-rw-r--r--security/nss/lib/smime/cmscinfo.c5
-rw-r--r--security/nss/lib/smime/cmsencdata.c9
-rw-r--r--security/nss/lib/smime/cmssigdata.c3
-rw-r--r--security/nss/lib/softoken/pkcs11.c6
16 files changed, 140 insertions, 45 deletions
diff --git a/security/nss/lib/certdb/certdb.c b/security/nss/lib/certdb/certdb.c
index 8f61d8978..c4dca2d99 100644
--- a/security/nss/lib/certdb/certdb.c
+++ b/security/nss/lib/certdb/certdb.c
@@ -2043,6 +2043,7 @@ CERT_ImportCerts(CERTCertDBHandle *certdb, SECCertUsage usage,
}
if ( keepCerts ) {
+ PK11SlotInfo *intSlot = PK11_GetInternalKeySlot();
for ( i = 0; i < fcerts; i++ ) {
SECKEY_UpdateCertPQG(certs[i]);
if(CERT_IsCACert(certs[i], NULL) && (fcerts > 1)) {
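Review bot: `intSlot` is used without a NULL check: the result of `PK11_GetInternalKeySlot()` goes straight into `PK11_ImportCert` in the next hunk and into the added `PK11_FreeSlot(intSlot)` after the loop. The pk11slot.c change in this same commit does test the internal slot for NULL before using it, so the two sites should agree. PK11_FreeSlot is not shown on this page; if it dereferences its argument, a failed lookup becomes a crash rather than a skipped import. Wrapping the loop as `if (intSlot) { ... PK11_FreeSlot(intSlot); }` keeps the existing "don't care if it fails" behaviour. CERT_ImportCerts starts and ends outside these hunks.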
@@ -2051,10 +2052,10 @@ CERT_ImportCerts(CERTCertDBHandle *certdb, SECCertUsage usage,
* otherwise if there are more than one cert, we don't
* know which cert it belongs to.
*/
- rv = PK11_ImportCert(PK11_GetInternalKeySlot(),certs[i],
+ rv = PK11_ImportCert(intSlot,certs[i],
CK_INVALID_HANDLE,NULL,PR_TRUE);
} else {
- rv = PK11_ImportCert(PK11_GetInternalKeySlot(),certs[i],
+ rv = PK11_ImportCert(intSlot,certs[i],
CK_INVALID_HANDLE,nickname,PR_TRUE);
}
if (rv == SECSuccess) {
@@ -2062,6 +2063,7 @@ CERT_ImportCerts(CERTCertDBHandle *certdb, SECCertUsage usage,
}
/* don't care if it fails - keep going */
}
+ PK11_FreeSlot(intSlot);
}
}
diff --git a/security/nss/lib/certdb/stanpcertdb.c b/security/nss/lib/certdb/stanpcertdb.c
index e2252f4b6..7b1dd0f82 100644
--- a/security/nss/lib/certdb/stanpcertdb.c
+++ b/security/nss/lib/certdb/stanpcertdb.c
@@ -825,6 +825,9 @@ loser:
if (stanProfile) {
nssSMIMEProfile_Destroy(stanProfile);
}
+ if (slot) {
+ PK11_FreeSlot(slot);
+ }
return(rv);
}
@@ -835,11 +838,12 @@ CERT_FindSMimeProfile(CERTCertificate *cert)
PK11SlotInfo *slot = NULL;
NSSCertificate *c;
NSSCryptoContext *cc;
+ SECItem *rvItem = NULL;
+
c = STAN_GetNSSCertificate(cert);
if (!c) return NULL;
cc = c->object.cryptoContext;
if (cc != NULL) {
- SECItem *rvItem = NULL;
nssSMIMEProfile *stanProfile;
stanProfile = nssCryptoContext_FindSMIMEProfileForCertificate(cc, c);
if (stanProfile) {
@@ -852,8 +856,10 @@ CERT_FindSMimeProfile(CERTCertificate *cert)
}
return rvItem;
}
- return
+ rvItem =
PK11_FindSMimeProfile(&slot, cert->emailAddr, &cert->derSubject, NULL);
+ PK11_FreeSlot(slot);
+ return rvItem;
}
/*
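Review bot: The added `PK11_FreeSlot(slot)` before `return rvItem` is unconditional, while `slot` starts as NULL and is only filled in by `PK11_FindSMimeProfile(&slot, ...)`. If that lookup finds no profile and leaves `slot` untouched (its body is not on this page), the free is handed a NULL pointer. The `loser:` path changed earlier in this file guards the same call with `if (slot)`. Suggest `if (slot) { PK11_FreeSlot(slot); }` here as well.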
diff --git a/security/nss/lib/dev/devobject.c b/security/nss/lib/dev/devobject.c
index 5da9799a5..7818cac93 100644
--- a/security/nss/lib/dev/devobject.c
+++ b/security/nss/lib/dev/devobject.c
@@ -578,7 +578,12 @@ retrieve_cert(NSSToken *t, nssSession *session, CK_OBJECT_HANDLE h, void *arg)
} else {
nssrv = PR_SUCCESS; /* cached entries already handled */
}
- NSSCertificate_Destroy(cert);
+#ifdef NSS_3_4_CODE
+ CERT_DestroyCertificate(STAN_GetCERTCertificate(cert));
+#else
+ NSSCertificate_Destroy(cert);
+#endif
+
return nssrv;
}
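Review bot: The new `NSS_3_4_CODE` branch has no comment explaining why the reference must be dropped through `CERT_DestroyCertificate(STAN_GetCERTCertificate(cert))` rather than `NSSCertificate_Destroy(cert)`, and the reason cannot be recovered from this hunk. It also depends on `STAN_GetCERTCertificate` returning non-NULL here; if it can fail, the reference this commit is trying to release would presumably stay held. Suggest a comment such as `/* NSS 3.4: cert is released via its CERTCertificate wrapper; see bug 133584 */` and a fallback to `NSSCertificate_Destroy(cert)` when the wrapper lookup returns NULL. retrieve_cert begins outside the hunk.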
diff --git a/security/nss/lib/nss/nssinit.c b/security/nss/lib/nss/nssinit.c
index 1389867fe..7e4a2d4a0 100644
--- a/security/nss/lib/nss/nssinit.c
+++ b/security/nss/lib/nss/nssinit.c
@@ -458,8 +458,8 @@ void
NSS_Shutdown(void)
{
SECOID_Shutdown();
- SECMOD_Shutdown();
STAN_Shutdown();
+ SECMOD_Shutdown();
nss_IsInitted = PR_FALSE;
}
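Review bot: Moving `STAN_Shutdown()` ahead of `SECMOD_Shutdown()` creates an ordering constraint that nothing in the code records, so a later cleanup could silently reorder the calls again. Going by the commit message, module teardown needs the slot, key and cert references held elsewhere to be released first. A comment above the two calls would pin that down, e.g. `/* STAN_Shutdown must run before SECMOD_Shutdown: it drops references that keep modules alive (bug 133584) */`. The reason is inferred from the description rather than visible in the hunk, so the author should confirm the wording.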
diff --git a/security/nss/lib/pk11wrap/pk11cert.c b/security/nss/lib/pk11wrap/pk11cert.c
index ccb24821b..39bbf804f 100644
--- a/security/nss/lib/pk11wrap/pk11cert.c
+++ b/security/nss/lib/pk11wrap/pk11cert.c
@@ -3592,7 +3592,6 @@ PK11_ListPublicKeysInSlot(PK11SlotInfo *slot, char *nickname)
int tsize = 0;
int objCount = 0;
CK_OBJECT_HANDLE *key_ids;
- SECStatus status;
SECKEYPublicKeyList *keys;
int i,len;
@@ -3638,7 +3637,6 @@ PK11_ListPrivKeysInSlot(PK11SlotInfo *slot, char *nickname, void *wincx)
int tsize = 0;
int objCount = 0;
CK_OBJECT_HANDLE *key_ids;
- SECStatus status;
SECKEYPrivateKeyList *keys;
int i,len;
@@ -3967,6 +3965,7 @@ PK11_SaveSMimeProfile(PK11SlotInfo *slot, char *emailAddr, SECItem *derSubj,
CK_OBJECT_HANDLE smimeh = CK_INVALID_HANDLE;
CK_ATTRIBUTE *attrs = theTemplate;
CK_SESSION_HANDLE rwsession;
+ PK11SlotInfo *free_slot = NULL;
CK_RV crv;
#ifdef DEBUG
int tsize = sizeof(theTemplate)/sizeof(theTemplate[0]);
@@ -3987,7 +3986,7 @@ PK11_SaveSMimeProfile(PK11SlotInfo *slot, char *emailAddr, SECItem *derSubj,
PORT_Assert (realSize <= tsize);
if (slot == NULL) {
- slot = PK11_GetInternalKeySlot();
+ free_slot = slot = PK11_GetInternalKeySlot();
/* we need to free the key slot in the end!!! */
}
@@ -4004,6 +4003,10 @@ PK11_SaveSMimeProfile(PK11SlotInfo *slot, char *emailAddr, SECItem *derSubj,
}
PK11_RestoreROSession(slot,rwsession);
+
+ if (free_slot) {
+ PK11_FreeSlot(free_slot);
+ }
return SECSuccess;
}
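Review bot: `free_slot` is released only on the path that reaches `PK11_RestoreROSession` and `return SECSuccess`. The body between the `PK11_GetInternalKeySlot()` assignment and this hunk is not shown, and any `return` in that stretch (for example on a failed session open) would still leak the internal key slot reference. It is worth checking every exit after `free_slot = slot = ...` and routing them through one cleanup point that does `if (free_slot) PK11_FreeSlot(free_slot);`. The nearby comment `/* we need to free the key slot in the end!!! */` describes work that is now done and could be reworded to say that `free_slot` owns the reference.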
diff --git a/security/nss/lib/pk11wrap/pk11pars.c b/security/nss/lib/pk11wrap/pk11pars.c
index 903a1622b..b1602f1c8 100644
--- a/security/nss/lib/pk11wrap/pk11pars.c
+++ b/security/nss/lib/pk11wrap/pk11pars.c
@@ -145,6 +145,8 @@ SECMOD_CreateModule(char *library, char *moduleName, char *parameters, char *nss
pk11_argSetNewCipherFlags(&mod->ssl[0],ciphers);
if (ciphers) PORT_Free(ciphers);
+ secmod_PrivateModuleCount++;
+
return mod;
}
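Review bot: `secmod_PrivateModuleCount++` is a plain read-modify-write on a global `int`, and so is the matching `secmod_PrivateModuleCount--` in SECMOD_SlotDestroyModule (pk11util.c); neither hunk shows a lock held around them. If modules can be created or destroyed from more than one thread, the counter can drift, and the `NSS_STRICT_SHUTDOWN` assert would then fire spuriously or miss a real leak. Either update it under the existing module lock or use NSPR's atomic helpers (`PR_AtomicIncrement` / `PR_AtomicDecrement` on a `PRInt32`). A comment at the definition saying it is a debug-only leak counter would also help.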
@@ -262,15 +264,16 @@ SECMOD_DeletePermDB(SECMODModule *module)
}
SECStatus
-SECMOD_FreeModuleSpecList(SECMODModule *parent, char **moduleSpecList)
+SECMOD_FreeModuleSpecList(SECMODModule *module, char **moduleSpecList)
{
- char ** index;
-
- for(index = moduleSpecList; *index; index++) {
- PORT_Free(*index);
+ SECMODModuleDBFunc func = (SECMODModuleDBFunc) module->moduleDBFunc;
+ char **retString;
+ if (func) {
+ retString = (*func)(SECMOD_MODULE_DB_FUNCTION_RELEASE,
+ module->libraryParams,moduleSpecList);
+ if (retString != NULL) return SECSuccess;
}
- PORT_Free(moduleSpecList);
- return SECSuccess;
+ return SECFailure;
}
/*
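Review bot: After this rewrite SECMOD_FreeModuleSpecList frees nothing when `module->moduleDBFunc` is NULL: it returns `SECFailure` and `moduleSpecList` stays allocated, where the old loop always released it. `module` is also dereferenced in the initialiser with no NULL check, although the parameter was previously unused, so an existing caller that passed NULL would now crash. Suggest `if (module == NULL || moduleSpecList == NULL) return SECFailure;` at the top, plus a comment documenting that the list must be released by the same module DB function that produced it. Callers that ignore the return value will not notice the failure path, so they are worth auditing.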
diff --git a/security/nss/lib/pk11wrap/pk11skey.c b/security/nss/lib/pk11wrap/pk11skey.c
index efc8a9504..f5be7d61b 100644
--- a/security/nss/lib/pk11wrap/pk11skey.c
+++ b/security/nss/lib/pk11wrap/pk11skey.c
@@ -1566,7 +1566,6 @@ pk11_PairwiseConsistencyCheck(SECKEYPublicKey *pubKey,
PK11_ExitSlotMonitor(slot);
PORT_SetError( PK11_MapError(crv) );
PORT_Free( ciphertext );
- PK11_FreeSlot(slot);
return SECFailure;
}
@@ -1589,7 +1588,6 @@ pk11_PairwiseConsistencyCheck(SECKEYPublicKey *pubKey,
if( crv != CKR_OK ) {
PORT_SetError( PK11_MapError(crv) );
- PK11_FreeSlot(slot);
return SECFailure;
}
@@ -1600,7 +1598,6 @@ pk11_PairwiseConsistencyCheck(SECKEYPublicKey *pubKey,
PAIRWISE_MESSAGE_LENGTH ) != 0 ) ) {
/* Set error to Bad PUBLIC Key. */
PORT_SetError( SEC_ERROR_BAD_KEY );
- PK11_FreeSlot(slot);
return SECFailure;
}
}
@@ -3205,12 +3202,14 @@ PK11_PubEncryptRaw(SECKEYPublicKey *key, unsigned char *enc,
if (crv != CKR_OK) {
if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
pk11_CloseSession(slot,session,owner);
+ PK11_FreeSlot(slot);
PORT_SetError( PK11_MapError(crv) );
return SECFailure;
}
crv = PK11_GETTAB(slot)->C_Encrypt(session,data,dataLen,enc,&out);
if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
pk11_CloseSession(slot,session,owner);
+ PK11_FreeSlot(slot);
if (crv != CKR_OK) {
PORT_SetError( PK11_MapError(crv) );
return SECFailure;
@@ -4461,7 +4460,7 @@ PK11_ExportEncryptedPrivateKeyInfo(PK11SlotInfo *slot, SECOidTag algTag,
SECItem *pwitem, CERTCertificate *cert, int iteration, void *wincx)
{
SECKEYEncryptedPrivateKeyInfo *epki = NULL;
- SECKEYPrivateKey *pk;
+ SECKEYPrivateKey *pk = NULL;
PRArenaPool *arena = NULL;
SECAlgorithmID *algid;
CK_MECHANISM_TYPE mechanism;
@@ -4578,6 +4577,10 @@ loser:
PK11_FreeSymKey(key);
}
+ if (pk != NULL) {
+ SECKEY_DestroyPrivateKey(pk);
+ }
+
if(rv == SECFailure) {
if(arena != NULL) {
PORT_FreeArena(arena, PR_TRUE);
diff --git a/security/nss/lib/pk11wrap/pk11slot.c b/security/nss/lib/pk11wrap/pk11slot.c
index cd2d29bd4..edbbd9e4e 100644
--- a/security/nss/lib/pk11wrap/pk11slot.c
+++ b/security/nss/lib/pk11wrap/pk11slot.c
@@ -4356,12 +4356,18 @@ PK11_MapPBEMechanismToCryptoMechanism(CK_MECHANISM_PTR pPBEMechanism,
if (pk11_isAllZero(pPBEparams->pInitVector,iv_len)) {
SECItem param;
PK11SymKey *symKey;
+ PK11SlotInfo *intSlot = PK11_GetInternalSlot();
+
+ if (intSlot == NULL) {
+ return CKR_DEVICE_ERROR;
+ }
param.data = pPBEMechanism->pParameter;
param.len = pPBEMechanism->ulParameterLen;
- symKey = PK11_RawPBEKeyGen(PK11_GetInternalSlot(),
+ symKey = PK11_RawPBEKeyGen(intSlot,
pPBEMechanism->mechanism, &param, pbe_pwd, faulty3DES, NULL);
+ PK11_FreeSlot(intSlot);
if (symKey== NULL) {
return CKR_DEVICE_ERROR; /* sigh */
}
diff --git a/security/nss/lib/pk11wrap/pk11util.c b/security/nss/lib/pk11wrap/pk11util.c
index 67b439125..f7d2405de 100644
--- a/security/nss/lib/pk11wrap/pk11util.c
+++ b/security/nss/lib/pk11wrap/pk11util.c
@@ -49,6 +49,8 @@ static SECMODModule *internalModule = NULL;
static SECMODModule *defaultDBModule = NULL;
static SECMODListLock *moduleLock = NULL;
+int secmod_PrivateModuleCount = 0;
+
extern PK11DefaultArrayEntry PK11_DefaultArray[];
extern int num_pk11_default_mechanisms;
@@ -73,6 +75,13 @@ void SECMOD_Shutdown() {
SECMOD_DestroyModule(internalModule);
internalModule = NULL;
}
+
+ /* free the default database module */
+ if (defaultDBModule) {
+ SECMOD_DestroyModule(defaultDBModule);
+ defaultDBModule = NULL;
+ }
+
/* destroy the list */
if (modules) {
SECMOD_DestroyModuleList(modules);
@@ -91,6 +100,12 @@ void SECMOD_Shutdown() {
/* make all the slots and the lists go away */
PK11_DestroySlotLists();
+
+#ifdef DEBUG
+ if (PR_GetEnv("NSS_STRICT_SHUTDOWN")) {
+ PORT_Assert(secmod_PrivateModuleCount == 0);
+ }
+#endif
}
@@ -334,7 +349,7 @@ SECMOD_DeleteInternalModule(char *name) {
SECMOD_DestroyModule(oldModule);
SECMOD_DeletePermDB(mlp->module);
SECMOD_DestroyModuleListElement(mlp);
- internalModule = SECMOD_ReferenceModule(newModule);
+ internalModule = newModule; /* adopt the module */
SECMOD_AddModule(internalModule);
}
return rv;
@@ -590,6 +605,13 @@ SECMOD_DestroyModule(SECMODModule *module) {
if (!willfree) {
return;
}
+
+ if (module->parent != NULL) {
+ SECMODModule *parent = module->parent;
+ /* paranoia, don't loop forever if the modules are looped */
+ module->parent = NULL;
+ SECMOD_DestroyModule(parent);
+ }
/* slots can't really disappear until our module starts freeing them,
* so this check is safe */
@@ -632,6 +654,7 @@ SECMOD_SlotDestroyModule(SECMODModule *module, PRBool fromSlot) {
}
PK11_USE_THREADS(PZ_DestroyLock((PZLock *)module->refLock);)
PORT_FreeArena(module->arena,PR_FALSE);
+ secmod_PrivateModuleCount--;
}
/* destroy a list element
diff --git a/security/nss/lib/pk11wrap/secmodi.h b/security/nss/lib/pk11wrap/secmodi.h
index 9e78addb4..050f7de4f 100644
--- a/security/nss/lib/pk11wrap/secmodi.h
+++ b/security/nss/lib/pk11wrap/secmodi.h
@@ -57,6 +57,8 @@ SEC_BEGIN_PROTOS
extern SECStatus SECMOD_DeletePermDB(SECMODModule *module);
extern SECStatus SECMOD_AddPermDB(SECMODModule *module);
+extern int secmod_PrivateModuleCount;
+
extern void SECMOD_Init(void);
/* list managment */
diff --git a/security/nss/lib/pkcs12/p12d.c b/security/nss/lib/pkcs12/p12d.c
index 051428575..62af42b9e 100644
--- a/security/nss/lib/pkcs12/p12d.c
+++ b/security/nss/lib/pkcs12/p12d.c
@@ -1093,7 +1093,7 @@ p12u_DigestRead(void *arg, unsigned char *buf, unsigned long len)
return -1;
}
- if (!p12cxt->buffer || ((p12cxt->filesize-p12cxt->currentpos)<len) ) {
+ if (!p12cxt->buffer || ((p12cxt->filesize-p12cxt->currentpos)<(long)len) ) {
/* trying to read past the end of the buffer */
toread = p12cxt->filesize-p12cxt->currentpos;
}
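Review bot: The `(long)len` cast weakens the bounds check for large lengths. `len` is an `unsigned long`, and a value above `LONG_MAX` typically becomes negative after the cast, so `(filesize - currentpos) < (long)len` is false and the clamp of `toread` to the remaining bytes is skipped. The same cast in p12u_DigestWrite (`currentpos + (long)len > filesize`) can additionally overflow the signed addition. Rejecting oversized requests before either comparison, e.g. `if (len > (unsigned long)LONG_MAX) return -1;`, keeps the warning fix without weakening the check. The field types are inferred from the cast, and both function bodies continue outside the hunks.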
@@ -1111,7 +1111,7 @@ p12u_DigestWrite(void *arg, unsigned char *buf, unsigned long len)
return -1;
}
- if (p12cxt->currentpos+len > p12cxt->filesize) {
+ if (p12cxt->currentpos+(long)len > p12cxt->filesize) {
p12cxt->filesize = p12cxt->currentpos + len;
}
else {
@@ -1191,7 +1191,8 @@ SEC_PKCS12DecoderStart(SECItem *pwitem, PK11SlotInfo *slot, void *wincx,
p12dcx->arena = arena;
p12dcx->pwitem = pwitem;
- p12dcx->slot = (slot ? slot : PK11_GetInternalKeySlot());
+ p12dcx->slot = (slot ? PK11_ReferenceSlot(slot)
+ : PK11_GetInternalKeySlot());
p12dcx->wincx = wincx;
#ifdef IS_LITTLE_ENDIAN
p12dcx->swapUnicodeBytes = PR_TRUE;
@@ -1279,14 +1280,15 @@ static SECStatus
sec_pkcs12_decoder_verify_mac(SEC_PKCS12DecoderContext *p12dcx)
{
SECStatus rv = SECFailure;
+ SECStatus lrv;
SECItem hmacRes;
unsigned char buf[IN_BUF_LEN];
unsigned int bufLen;
int iteration;
PK11Context *pk11cx = NULL;
+ PK11SymKey *symKey = NULL;
+ SECItem *params = NULL;
SECItem ignore = {0};
- PK11SymKey *symKey;
- SECItem *params;
SECOidTag algtag;
CK_MECHANISM_TYPE integrityMech;
@@ -1318,15 +1320,18 @@ sec_pkcs12_decoder_verify_mac(SEC_PKCS12DecoderContext *p12dcx)
symKey = PK11_KeyGen(NULL, integrityMech, params, 20, NULL);
PK11_DestroyPBEParams(params);
+ params = NULL;
if (!symKey) goto loser;
/* init hmac */
pk11cx = PK11_CreateContextBySymKey(sec_pkcs12_algtag_to_mech(algtag),
CKA_SIGN, symKey, &ignore);
if(!pk11cx) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return SECFailure;
+ goto loser;
+ }
+ lrv = PK11_DigestBegin(pk11cx);
+ if (lrv == SECFailure ) {
+ goto loser;
}
- rv = PK11_DigestBegin(pk11cx);
/* try to open the data for readback */
if(p12dcx->dOpen && ((*p12dcx->dOpen)(p12dcx->dArg, PR_TRUE)
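Review bot: The `!pk11cx` branch used to call `PORT_SetError(SEC_ERROR_NO_MEMORY)` and now only does `goto loser`, as do the new `lrv == SECFailure` checks, so the function can return `SECFailure` with whatever error code was set last. That is fine only if `PK11_CreateContextBySymKey`, `PK11_DigestBegin`, `PK11_DigestOp` and `PK11_DigestFinal` always set an error themselves, which this page does not show. Either keep an explicit `PORT_SetError(...)` on these paths or add a comment such as `/* error code already set by the PK11 call */` so the omission reads as deliberate. The function continues outside this hunk.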
@@ -1346,14 +1351,20 @@ sec_pkcs12_decoder_verify_mac(SEC_PKCS12DecoderContext *p12dcx)
goto loser;
}
- rv = PK11_DigestOp(pk11cx, buf, bytesRead);
+ lrv = PK11_DigestOp(pk11cx, buf, bytesRead);
+ if (lrv == SECFailure) {
+ goto loser;
+ }
if(bytesRead < IN_BUF_LEN) {
break;
}
}
/* finish the hmac context */
- rv = PK11_DigestFinal(pk11cx, buf, &bufLen, IN_BUF_LEN);
+ lrv = PK11_DigestFinal(pk11cx, buf, &bufLen, IN_BUF_LEN);
+ if (lrv == SECFailure ) {
+ goto loser;
+ }
hmacRes.data = buf;
hmacRes.len = bufLen;
@@ -1375,6 +1386,12 @@ loser:
if(pk11cx) {
PK11_DestroyContext(pk11cx, PR_TRUE);
}
+ if (params) {
+ PK11_DestroyPBEParams(params);
+ }
+ if (symKey) {
+ PK11_FreeSymKey(symKey);
+ }
return rv;
}
@@ -1460,6 +1477,11 @@ SEC_PKCS12DecoderFinish(SEC_PKCS12DecoderContext *p12dcx)
p12dcx->hmacDcx = NULL;
}
+ if(p12dcx->slot) {
+ PK11_FreeSlot(p12dcx->slot);
+ p12dcx->slot = NULL;
+ }
+
if(p12dcx->arena) {
PORT_FreeArena(p12dcx->arena, PR_TRUE);
}
@@ -3312,7 +3334,7 @@ sec_PKCS12ConvertOldSafeToNew(PRArenaPool *arena, PK11SlotInfo *slot,
}
p12dcx->arena = arena;
- p12dcx->slot = slot;
+ p12dcx->slot = PK11_ReferenceSlot(slot);
p12dcx->wincx = wincx;
p12dcx->error = PR_FALSE;
p12dcx->swapUnicodeBytes = swapUnicode;
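Review bot: `PK11_ReferenceSlot(slot)` is called here on a parameter with no NULL check, whereas SEC_PKCS12DecoderStart in this same file guards it with `slot ? PK11_ReferenceSlot(slot) : PK11_GetInternalKeySlot()`. The same pattern appears in p12e.c, where `slot = PK11_ReferenceSlot(p12ctxt->slot);` is followed by an `if(!slot)` fallback. That fallback only helps if PK11_ReferenceSlot returns NULL for a NULL argument instead of dereferencing it, and its body is not on this page. Suggest `p12dcx->slot = slot ? PK11_ReferenceSlot(slot) : NULL;` here and `slot = p12ctxt->slot ? PK11_ReferenceSlot(p12ctxt->slot) : NULL;` in SEC_PKCS12CreatePasswordPrivSafe. Both functions extend beyond their hunks.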
diff --git a/security/nss/lib/pkcs12/p12e.c b/security/nss/lib/pkcs12/p12e.c
index 9f9a92cea..e3ddd08ce 100644
--- a/security/nss/lib/pkcs12/p12e.c
+++ b/security/nss/lib/pkcs12/p12e.c
@@ -352,7 +352,7 @@ SEC_PKCS12CreatePasswordPrivSafe(SEC_PKCS12ExportContext *p12ctxt,
{
SEC_PKCS12SafeInfo *safeInfo = NULL;
void *mark = NULL;
- PK11SlotInfo *slot;
+ PK11SlotInfo *slot = NULL;
SECAlgorithmID *algId;
SECItem uniPwitem = {siBuffer, NULL, 0};
@@ -393,7 +393,7 @@ SEC_PKCS12CreatePasswordPrivSafe(SEC_PKCS12ExportContext *p12ctxt,
}
/* generate the encryption key */
- slot = p12ctxt->slot;
+ slot = PK11_ReferenceSlot(p12ctxt->slot);
if(!slot) {
slot = PK11_GetInternalKeySlot();
if(!slot) {
@@ -419,9 +419,16 @@ SEC_PKCS12CreatePasswordPrivSafe(SEC_PKCS12ExportContext *p12ctxt,
SECITEM_ZfreeItem(&uniPwitem, PR_FALSE);
}
PORT_ArenaUnmark(p12ctxt->arena, mark);
+
+ if (slot) {
+ PK11_FreeSlot(slot);
+ }
return safeInfo;
loser:
+ if (slot) {
+ PK11_FreeSlot(slot);
+ }
if(safeInfo->cinfo) {
SEC_PKCS7DestroyContentInfo(safeInfo->cinfo);
}
@@ -1285,7 +1292,7 @@ SEC_PKCS12AddKeyForCert(SEC_PKCS12ExportContext *p12ctxt, SEC_PKCS12SafeInfo *sa
/* extract the key encrypted */
SECKEYEncryptedPrivateKeyInfo *epki = NULL;
- PK11SlotInfo *slot = p12ctxt->slot;
+ PK11SlotInfo *slot = NULL;
if(!sec_pkcs12_convert_item_to_unicode(p12ctxt->arena, &uniPwitem,
pwitem, PR_TRUE, PR_TRUE, PR_TRUE)) {
@@ -1296,14 +1303,14 @@ SEC_PKCS12AddKeyForCert(SEC_PKCS12ExportContext *p12ctxt, SEC_PKCS12SafeInfo *sa
/* we want to make sure to take the key out of the key slot */
if(PK11_IsInternal(p12ctxt->slot)) {
slot = PK11_GetInternalKeySlot();
+ } else {
+ slot = PK11_ReferenceSlot(p12ctxt->slot);
}
epki = PK11_ExportEncryptedPrivateKeyInfo(slot, algorithm,
&uniPwitem, cert, 1,
p12ctxt->wincx);
- if(PK11_IsInternal(p12ctxt->slot)) {
- PK11_FreeSlot(slot);
- }
+ PK11_FreeSlot(slot);
keyItem = PORT_ArenaZAlloc(p12ctxt->arena,
sizeof(SECKEYEncryptedPrivateKeyInfo));
@@ -1719,6 +1726,8 @@ sec_pkcs12_encoder_start_context(SEC_PKCS12ExportContext *p12exp)
p12enc->hmacCx = PK11_CreateContextBySymKey(
sec_pkcs12_algtag_to_mech(p12exp->integrityInfo.pwdInfo.algorithm),
CKA_SIGN, symKey, &ignore);
+
+ PK11_FreeSymKey(symKey);
if(!p12enc->hmacCx) {
PORT_SetError(SEC_ERROR_NO_MEMORY);
goto loser;
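Review bot: `PK11_FreeSymKey(symKey)` directly after `PK11_CreateContextBySymKey(...)` is only safe if the context takes its own reference to the key, which nothing in this hunk shows. A short comment such as `/* the context holds its own reference to symKey; drop ours */` would stop a later reader from treating this as a use-after-free or from moving the free. It is also worth confirming, above the hunk, that `symKey` was checked for NULL before this point.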
diff --git a/security/nss/lib/smime/cmscinfo.c b/security/nss/lib/smime/cmscinfo.c
index 9e4a2dc5e..85756a536 100644
--- a/security/nss/lib/smime/cmscinfo.c
+++ b/security/nss/lib/smime/cmscinfo.c
@@ -78,6 +78,11 @@ NSS_CMSContentInfo_Destroy(NSSCMSContentInfo *cinfo)
}
if (cinfo->bulkkey)
PK11_FreeSymKey(cinfo->bulkkey);
+
+ if (cinfo->ciphcx) {
+ NSS_CMSCipherContext_Destroy(cinfo->ciphcx);
+ cinfo->ciphcx = NULL;
+ }
/* we live in a pool, so no need to worry about storage */
}
diff --git a/security/nss/lib/smime/cmsencdata.c b/security/nss/lib/smime/cmsencdata.c
index 61aae96d8..fdfa0a2b9 100644
--- a/security/nss/lib/smime/cmsencdata.c
+++ b/security/nss/lib/smime/cmsencdata.c
@@ -202,8 +202,10 @@ NSS_CMSEncryptedData_Encode_BeforeData(NSSCMSEncryptedData *encd)
SECStatus
NSS_CMSEncryptedData_Encode_AfterData(NSSCMSEncryptedData *encd)
{
- if (encd->contentInfo.ciphcx)
+ if (encd->contentInfo.ciphcx) {
NSS_CMSCipherContext_Destroy(encd->contentInfo.ciphcx);
+ encd->contentInfo.ciphcx = NULL;
+ }
/* nothing to do after data */
return SECSuccess;
@@ -265,7 +267,10 @@ loser:
SECStatus
NSS_CMSEncryptedData_Decode_AfterData(NSSCMSEncryptedData *encd)
{
- NSS_CMSCipherContext_Destroy(encd->contentInfo.ciphcx);
+ if (encd->contentInfo.ciphcx) {
+ NSS_CMSCipherContext_Destroy(encd->contentInfo.ciphcx);
+ encd->contentInfo.ciphcx = NULL;
+ }
return SECSuccess;
}
diff --git a/security/nss/lib/smime/cmssigdata.c b/security/nss/lib/smime/cmssigdata.c
index fab7189f2..03a37cda1 100644
--- a/security/nss/lib/smime/cmssigdata.c
+++ b/security/nss/lib/smime/cmssigdata.c
@@ -540,7 +540,7 @@ NSS_CMSSignedData_VerifyCertsOnly(NSSCMSSignedData *sigd,
count = NSS_CMSArray_Count((void**)sigd->rawCerts);
for (i=0; i < count; i++) {
if (sigd->certs && sigd->certs[i]) {
- cert = sigd->certs[i];
+ cert = CERT_DupCertificate(sigd->certs[i]);
} else {
cert = CERT_FindCertByDERCert(certdb, sigd->rawCerts[i]);
if (!cert) {
@@ -550,6 +550,7 @@ NSS_CMSSignedData_VerifyCertsOnly(NSSCMSSignedData *sigd,
}
rv |= CERT_VerifyCert(certdb, cert, PR_TRUE, usage, PR_Now(),
NULL, NULL);
+ CERT_DestroyCertificate(cert);
}
return rv;
diff --git a/security/nss/lib/softoken/pkcs11.c b/security/nss/lib/softoken/pkcs11.c
index 885e1c9f4..42a58b460 100644
--- a/security/nss/lib/softoken/pkcs11.c
+++ b/security/nss/lib/softoken/pkcs11.c
@@ -1705,7 +1705,7 @@ pk11_mkPrivKey(PK11Object *object,CK_KEY_TYPE key_type)
if (arena == NULL) return NULL;
privKey = (NSSLOWKEYPrivateKey *)
- PORT_ArenaAlloc(arena,sizeof(NSSLOWKEYPrivateKey));
+ PORT_ArenaZAlloc(arena,sizeof(NSSLOWKEYPrivateKey));
if (privKey == NULL) {
PORT_FreeArena(arena,PR_FALSE);
return NULL;
@@ -1893,7 +1893,7 @@ pk11_mkSecretKeyRep(PK11Object *object)
if (arena == NULL) { crv = CKR_HOST_MEMORY; goto loser; }
privKey = (NSSLOWKEYPrivateKey *)
- PORT_ArenaAlloc(arena,sizeof(NSSLOWKEYPrivateKey));
+ PORT_ArenaZAlloc(arena,sizeof(NSSLOWKEYPrivateKey));
if (privKey == NULL) { crv = CKR_HOST_MEMORY; goto loser; }
privKey->arena = arena;
@@ -2302,7 +2302,7 @@ CK_RV nsc_CommonInitialize(CK_VOID_PTR pReserved, PRBool isFIPS)
int i;
if (nsc_init) {
- return crv;
+ return CKR_CRYPTOKI_ALREADY_INITIALIZED;
}
rv = RNG_RNGInit(); /* initialize random number generator */