author | relyea%netscape.com <devnull@localhost> | 2002-04-12 19:05:21 +0000 |
---|---|---|
committer | relyea%netscape.com <devnull@localhost> | 2002-04-12 19:05:21 +0000 |
commit | 06cfb9fce3ac974ddd6f90f8649c94643dd62b62 (patch) | |
tree | e2afae5a09e338f058b83ed7aaa90811ee68ba02 /security/nss/lib | |
parent | 58f42841249c15477fbc8a99d256299dba10da7a (diff) | |
Bug 133584: Fix reference leaks which prevent shutdown in NSS and in the tests.
Debug builds can verify correct operation by setting NSS_STRICT_SHUTDOWN, which
will cause an assert if shutdown is called but not all the modules are freed (which
means a slot, key, or cert reference has been leaked).
Diffstat (limited to 'security/nss/lib')
-rw-r--r-- | security/nss/lib/certdb/certdb.c | 6 | ||||
-rw-r--r-- | security/nss/lib/certdb/stanpcertdb.c | 10 | ||||
-rw-r--r-- | security/nss/lib/dev/devobject.c | 7 | ||||
-rw-r--r-- | security/nss/lib/nss/nssinit.c | 2 | ||||
-rw-r--r-- | security/nss/lib/pk11wrap/pk11cert.c | 9 | ||||
-rw-r--r-- | security/nss/lib/pk11wrap/pk11pars.c | 17 | ||||
-rw-r--r-- | security/nss/lib/pk11wrap/pk11skey.c | 11 | ||||
-rw-r--r-- | security/nss/lib/pk11wrap/pk11slot.c | 8 | ||||
-rw-r--r-- | security/nss/lib/pk11wrap/pk11util.c | 25 | ||||
-rw-r--r-- | security/nss/lib/pk11wrap/secmodi.h | 2 | ||||
-rw-r--r-- | security/nss/lib/pkcs12/p12d.c | 44 | ||||
-rw-r--r-- | security/nss/lib/pkcs12/p12e.c | 21 | ||||
-rw-r--r-- | security/nss/lib/smime/cmscinfo.c | 5 | ||||
-rw-r--r-- | security/nss/lib/smime/cmsencdata.c | 9 | ||||
-rw-r--r-- | security/nss/lib/smime/cmssigdata.c | 3 | ||||
-rw-r--r-- | security/nss/lib/softoken/pkcs11.c | 6 |
16 files changed, 140 insertions, 45 deletions
diff --git a/security/nss/lib/certdb/certdb.c b/security/nss/lib/certdb/certdb.c index 8f61d8978..c4dca2d99 100644 --- a/security/nss/lib/certdb/certdb.c +++ b/security/nss/lib/certdb/certdb.c @@ -2043,6 +2043,7 @@ CERT_ImportCerts(CERTCertDBHandle *certdb, SECCertUsage usage, } if ( keepCerts ) { + PK11SlotInfo *intSlot = PK11_GetInternalKeySlot(); for ( i = 0; i < fcerts; i++ ) { SECKEY_UpdateCertPQG(certs[i]); if(CERT_IsCACert(certs[i], NULL) && (fcerts > 1)) { @@ -2051,10 +2052,10 @@ CERT_ImportCerts(CERTCertDBHandle *certdb, SECCertUsage usage, * otherwise if there are more than one cert, we don't * know which cert it belongs to. */ - rv = PK11_ImportCert(PK11_GetInternalKeySlot(),certs[i], + rv = PK11_ImportCert(intSlot,certs[i], CK_INVALID_HANDLE,NULL,PR_TRUE); } else { - rv = PK11_ImportCert(PK11_GetInternalKeySlot(),certs[i], + rv = PK11_ImportCert(intSlot,certs[i], CK_INVALID_HANDLE,nickname,PR_TRUE); } if (rv == SECSuccess) { @@ -2062,6 +2063,7 @@ CERT_ImportCerts(CERTCertDBHandle *certdb, SECCertUsage usage, } /* don't care if it fails - keep going */ } + PK11_FreeSlot(intSlot); } } diff --git a/security/nss/lib/certdb/stanpcertdb.c b/security/nss/lib/certdb/stanpcertdb.c index e2252f4b6..7b1dd0f82 100644 --- a/security/nss/lib/certdb/stanpcertdb.c +++ b/security/nss/lib/certdb/stanpcertdb.c @@ -825,6 +825,9 @@ loser: if (stanProfile) { nssSMIMEProfile_Destroy(stanProfile); } + if (slot) { + PK11_FreeSlot(slot); + } return(rv); } @@ -835,11 +838,12 @@ CERT_FindSMimeProfile(CERTCertificate *cert) PK11SlotInfo *slot = NULL; NSSCertificate *c; NSSCryptoContext *cc; + SECItem *rvItem = NULL; + c = STAN_GetNSSCertificate(cert); if (!c) return NULL; cc = c->object.cryptoContext; if (cc != NULL) { - SECItem *rvItem = NULL; nssSMIMEProfile *stanProfile; stanProfile = nssCryptoContext_FindSMIMEProfileForCertificate(cc, c); if (stanProfile) { 
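Review bot: In the certdb.c hunk for CERT_ImportCerts, `intSlot` is handed to PK11_ImportCert and then to PK11_FreeSlot without a NULL check, while the pk11slot.c hunk of this same commit treats a NULL internal slot as a real outcome and returns early. If PK11_GetInternalKeySlot can fail here (its body is not on this page), wrap the import loop in `if (intSlot != NULL) { ... }` and release with `if (intSlot) { PK11_FreeSlot(intSlot); }`. SEC_PKCS12AddKeyForCert in p12e.c has the same shape: its new unconditional `PK11_FreeSlot(slot);` follows a PK11_GetInternalKeySlot call with no check. CERT_ImportCerts begins and ends outside the hunk.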
@@ -852,8 +856,10 @@ CERT_FindSMimeProfile(CERTCertificate *cert) } return rvItem; } - return + rvItem = PK11_FindSMimeProfile(&slot, cert->emailAddr, &cert->derSubject, NULL); + PK11_FreeSlot(slot); + return rvItem; } /* diff --git a/security/nss/lib/dev/devobject.c b/security/nss/lib/dev/devobject.c index 5da9799a5..7818cac93 100644 --- a/security/nss/lib/dev/devobject.c +++ b/security/nss/lib/dev/devobject.c @@ -578,7 +578,12 @@ retrieve_cert(NSSToken *t, nssSession *session, CK_OBJECT_HANDLE h, void *arg) } else { nssrv = PR_SUCCESS; /* cached entries already handled */ } - NSSCertificate_Destroy(cert); +#ifdef NSS_3_4_CODE + CERT_DestroyCertificate(STAN_GetCERTCertificate(cert)); +#else + NSSCertificate_Destroy(cert); +#endif + return nssrv; } diff --git a/security/nss/lib/nss/nssinit.c b/security/nss/lib/nss/nssinit.c index 1389867fe..7e4a2d4a0 100644 --- a/security/nss/lib/nss/nssinit.c +++ b/security/nss/lib/nss/nssinit.c @@ -458,8 +458,8 @@ void NSS_Shutdown(void) { SECOID_Shutdown(); - SECMOD_Shutdown(); STAN_Shutdown(); + SECMOD_Shutdown(); nss_IsInitted = PR_FALSE; } diff --git a/security/nss/lib/pk11wrap/pk11cert.c b/security/nss/lib/pk11wrap/pk11cert.c index ccb24821b..39bbf804f 100644 --- a/security/nss/lib/pk11wrap/pk11cert.c +++ b/security/nss/lib/pk11wrap/pk11cert.c @@ -3592,7 +3592,6 @@ PK11_ListPublicKeysInSlot(PK11SlotInfo *slot, char *nickname) int tsize = 0; int objCount = 0; CK_OBJECT_HANDLE *key_ids; - SECStatus status; SECKEYPublicKeyList *keys; int i,len; @@ -3638,7 +3637,6 @@ PK11_ListPrivKeysInSlot(PK11SlotInfo *slot, char *nickname, void *wincx) int tsize = 0; int objCount = 0; CK_OBJECT_HANDLE *key_ids; - SECStatus status; SECKEYPrivateKeyList *keys; int i,len; 
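Review bot: In CERT_FindSMimeProfile the new `PK11_FreeSlot(slot);` runs unconditionally, but `slot` starts as NULL and is only filled in by PK11_FindSMimeProfile, so a lookup that finds no profile may reach the free with a NULL pointer. The loser path added earlier in this file already guards the same call, and this one should match it: `if (slot) { PK11_FreeSlot(slot); }`. Whether PK11_FreeSlot tolerates NULL is not visible on this page, so the guarded form is the safe one.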
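Review bot: In NSS_Shutdown the relative order of `STAN_Shutdown();` and `SECMOD_Shutdown();` is now load-bearing, but nothing in the function says so. Presumably the Stan layer still holds token and slot references that must be dropped before the modules are destroyed. A one-line comment such as `/* STAN_Shutdown must run first: it releases references that SECMOD_Shutdown expects to be gone */` would keep a later cleanup from swapping the calls back.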
@@ -3967,6 +3965,7 @@ PK11_SaveSMimeProfile(PK11SlotInfo *slot, char *emailAddr, SECItem *derSubj, CK_OBJECT_HANDLE smimeh = CK_INVALID_HANDLE; CK_ATTRIBUTE *attrs = theTemplate; CK_SESSION_HANDLE rwsession; + PK11SlotInfo *free_slot = NULL; CK_RV crv; #ifdef DEBUG int tsize = sizeof(theTemplate)/sizeof(theTemplate[0]); @@ -3987,7 +3986,7 @@ PK11_SaveSMimeProfile(PK11SlotInfo *slot, char *emailAddr, SECItem *derSubj, PORT_Assert (realSize <= tsize); if (slot == NULL) { - slot = PK11_GetInternalKeySlot(); + free_slot = slot = PK11_GetInternalKeySlot(); /* we need to free the key slot in the end!!! */ } @@ -4004,6 +4003,10 @@ PK11_SaveSMimeProfile(PK11SlotInfo *slot, char *emailAddr, SECItem *derSubj, } PK11_RestoreROSession(slot,rwsession); + + if (free_slot) { + PK11_FreeSlot(free_slot); + } return SECSuccess; } diff --git a/security/nss/lib/pk11wrap/pk11pars.c b/security/nss/lib/pk11wrap/pk11pars.c index 903a1622b..b1602f1c8 100644 --- a/security/nss/lib/pk11wrap/pk11pars.c +++ b/security/nss/lib/pk11wrap/pk11pars.c @@ -145,6 +145,8 @@ SECMOD_CreateModule(char *library, char *moduleName, char *parameters, char *nss pk11_argSetNewCipherFlags(&mod->ssl[0],ciphers); if (ciphers) PORT_Free(ciphers); + secmod_PrivateModuleCount++; + return mod; } @@ -262,15 +264,16 @@ SECMOD_DeletePermDB(SECMODModule *module) } SECStatus -SECMOD_FreeModuleSpecList(SECMODModule *parent, char **moduleSpecList) +SECMOD_FreeModuleSpecList(SECMODModule *module, char **moduleSpecList) { - char ** index; - - for(index = moduleSpecList; *index; index++) { - PORT_Free(*index); + SECMODModuleDBFunc func = (SECMODModuleDBFunc) module->moduleDBFunc; + char **retString; + if (func) { + retString = (*func)(SECMOD_MODULE_DB_FUNCTION_RELEASE, + module->libraryParams,moduleSpecList); + if (retString != NULL) return SECSuccess; } - PORT_Free(moduleSpecList); - return SECSuccess; + return SECFailure; } /* 
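Review bot: In PK11_SaveSMimeProfile the reference kept in `free_slot` is released only on the final `return SECSuccess;` path. The lines between the `free_slot = slot = PK11_GetInternalKeySlot();` assignment and `PK11_RestoreROSession` are outside these hunks; any early return there (a failed read-write session, for instance) would still leak the slot, so each such exit needs the same `if (free_slot) { PK11_FreeSlot(free_slot); }` or a shared cleanup label. The leftover `/* we need to free the key slot in the end!!! */` comment can be dropped now that the free exists.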
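Review bot: `secmod_PrivateModuleCount++` in SECMOD_CreateModule, and the matching `secmod_PrivateModuleCount--` in SECMOD_SlotDestroyModule (pk11util.c), update a plain global `int` with no lock visible in either hunk. If modules can be created or destroyed from more than one thread, the count can drift and the NSS_STRICT_SHUTDOWN assert will fire, or stay silent, for the wrong reason. Declaring the counter as `PRInt32` and using `PR_AtomicIncrement(&secmod_PrivateModuleCount);` and `PR_AtomicDecrement(&secmod_PrivateModuleCount);` would make the leak check trustworthy.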
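Review bot: SECMOD_FreeModuleSpecList now reads `module->moduleDBFunc` before any check and no longer frees anything itself, so a NULL `module` is dereferenced, and a module without a DB function or a release call that returns NULL leaves `moduleSpecList` allocated and yields SECFailure. Callers written against the old version, which always freed the list and always returned SECSuccess, may ignore that result; they are not on this page. Consider `if (module == NULL || moduleSpecList == NULL) return SECFailure;` at the top, plus a header comment stating that the list is owned by the module DB function and must be released through it.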
diff --git a/security/nss/lib/pk11wrap/pk11skey.c b/security/nss/lib/pk11wrap/pk11skey.c index efc8a9504..f5be7d61b 100644 --- a/security/nss/lib/pk11wrap/pk11skey.c +++ b/security/nss/lib/pk11wrap/pk11skey.c @@ -1566,7 +1566,6 @@ pk11_PairwiseConsistencyCheck(SECKEYPublicKey *pubKey, PK11_ExitSlotMonitor(slot); PORT_SetError( PK11_MapError(crv) ); PORT_Free( ciphertext ); - PK11_FreeSlot(slot); return SECFailure; } @@ -1589,7 +1588,6 @@ pk11_PairwiseConsistencyCheck(SECKEYPublicKey *pubKey, if( crv != CKR_OK ) { PORT_SetError( PK11_MapError(crv) ); - PK11_FreeSlot(slot); return SECFailure; } @@ -1600,7 +1598,6 @@ pk11_PairwiseConsistencyCheck(SECKEYPublicKey *pubKey, PAIRWISE_MESSAGE_LENGTH ) != 0 ) ) { /* Set error to Bad PUBLIC Key. */ PORT_SetError( SEC_ERROR_BAD_KEY ); - PK11_FreeSlot(slot); return SECFailure; } } @@ -3205,12 +3202,14 @@ PK11_PubEncryptRaw(SECKEYPublicKey *key, unsigned char *enc, if (crv != CKR_OK) { if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot); pk11_CloseSession(slot,session,owner); + PK11_FreeSlot(slot); PORT_SetError( PK11_MapError(crv) ); return SECFailure; } crv = PK11_GETTAB(slot)->C_Encrypt(session,data,dataLen,enc,&out); if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot); pk11_CloseSession(slot,session,owner); + PK11_FreeSlot(slot); if (crv != CKR_OK) { PORT_SetError( PK11_MapError(crv) ); return SECFailure; @@ -4461,7 +4460,7 @@ PK11_ExportEncryptedPrivateKeyInfo(PK11SlotInfo *slot, SECOidTag algTag, SECItem *pwitem, CERTCertificate *cert, int iteration, void *wincx) { SECKEYEncryptedPrivateKeyInfo *epki = NULL; - SECKEYPrivateKey *pk; + SECKEYPrivateKey *pk = NULL; PRArenaPool *arena = NULL; SECAlgorithmID *algid; CK_MECHANISM_TYPE mechanism; @@ -4578,6 +4577,10 @@ loser: PK11_FreeSymKey(key); } + if (pk != NULL) { + SECKEY_DestroyPrivateKey(pk); + } + if(rv == SECFailure) { if(arena != NULL) { PORT_FreeArena(arena, PR_TRUE); 
diff --git a/security/nss/lib/pk11wrap/pk11slot.c b/security/nss/lib/pk11wrap/pk11slot.c index cd2d29bd4..edbbd9e4e 100644 --- a/security/nss/lib/pk11wrap/pk11slot.c +++ b/security/nss/lib/pk11wrap/pk11slot.c @@ -4356,12 +4356,18 @@ PK11_MapPBEMechanismToCryptoMechanism(CK_MECHANISM_PTR pPBEMechanism, if (pk11_isAllZero(pPBEparams->pInitVector,iv_len)) { SECItem param; PK11SymKey *symKey; + PK11SlotInfo *intSlot = PK11_GetInternalSlot(); + + if (intSlot == NULL) { + return CKR_DEVICE_ERROR; + } param.data = pPBEMechanism->pParameter; param.len = pPBEMechanism->ulParameterLen; - symKey = PK11_RawPBEKeyGen(PK11_GetInternalSlot(), + symKey = PK11_RawPBEKeyGen(intSlot, pPBEMechanism->mechanism, ¶m, pbe_pwd, faulty3DES, NULL); + PK11_FreeSlot(intSlot); if (symKey== NULL) { return CKR_DEVICE_ERROR; /* sigh */ } diff --git a/security/nss/lib/pk11wrap/pk11util.c b/security/nss/lib/pk11wrap/pk11util.c index 67b439125..f7d2405de 100644 --- a/security/nss/lib/pk11wrap/pk11util.c +++ b/security/nss/lib/pk11wrap/pk11util.c @@ -49,6 +49,8 @@ static SECMODModule *internalModule = NULL; static SECMODModule *defaultDBModule = NULL; static SECMODListLock *moduleLock = NULL; +int secmod_PrivateModuleCount = 0; + extern PK11DefaultArrayEntry PK11_DefaultArray[]; extern int num_pk11_default_mechanisms; @@ -73,6 +75,13 @@ void SECMOD_Shutdown() { SECMOD_DestroyModule(internalModule); internalModule = NULL; } + + /* free the default database module */ + if (defaultDBModule) { + SECMOD_DestroyModule(defaultDBModule); + defaultDBModule = NULL; + } + /* destroy the list */ if (modules) { SECMOD_DestroyModuleList(modules); @@ -91,6 +100,12 @@ void SECMOD_Shutdown() { /* make all the slots and the lists go away */ PK11_DestroySlotLists(); + +#ifdef DEBUG + if (PR_GetEnv("NSS_STRICT_SHUTDOWN")) { + PORT_Assert(secmod_PrivateModuleCount == 0); + } +#endif } 
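Review bot: The NSS_STRICT_SHUTDOWN block added at the end of SECMOD_Shutdown carries no comment, and the only description of the variable is in the commit message. Add one above the `#ifdef DEBUG`, e.g. `/* NSS_STRICT_SHUTDOWN: assert that every module created has been destroyed; a non-zero count means a slot, key or cert reference leaked */`. It is worth stating there that release builds skip the check, so leaked references, and whatever key objects they may keep alive after shutdown, go unreported outside debug runs.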
@@ -334,7 +349,7 @@ SECMOD_DeleteInternalModule(char *name) { SECMOD_DestroyModule(oldModule); SECMOD_DeletePermDB(mlp->module); SECMOD_DestroyModuleListElement(mlp); - internalModule = SECMOD_ReferenceModule(newModule); + internalModule = newModule; /* adopt the module */ SECMOD_AddModule(internalModule); } return rv; @@ -590,6 +605,13 @@ SECMOD_DestroyModule(SECMODModule *module) { if (!willfree) { return; } + + if (module->parent != NULL) { + SECMODModule *parent = module->parent; + /* paranoia, don't loop forever if the modules are looped */ + module->parent = NULL; + SECMOD_DestroyModule(parent); + } /* slots can't really disappear until our module starts freeing them, * so this check is safe */ @@ -632,6 +654,7 @@ SECMOD_SlotDestroyModule(SECMODModule *module, PRBool fromSlot) { } PK11_USE_THREADS(PZ_DestroyLock((PZLock *)module->refLock);) PORT_FreeArena(module->arena,PR_FALSE); + secmod_PrivateModuleCount--; } /* destroy a list element diff --git a/security/nss/lib/pk11wrap/secmodi.h b/security/nss/lib/pk11wrap/secmodi.h index 9e78addb4..050f7de4f 100644 --- a/security/nss/lib/pk11wrap/secmodi.h +++ b/security/nss/lib/pk11wrap/secmodi.h @@ -57,6 +57,8 @@ SEC_BEGIN_PROTOS extern SECStatus SECMOD_DeletePermDB(SECMODModule *module); extern SECStatus SECMOD_AddPermDB(SECMODModule *module); +extern int secmod_PrivateModuleCount; + extern void SECMOD_Init(void); /* list managment */ diff --git a/security/nss/lib/pkcs12/p12d.c b/security/nss/lib/pkcs12/p12d.c index 051428575..62af42b9e 100644 --- a/security/nss/lib/pkcs12/p12d.c +++ b/security/nss/lib/pkcs12/p12d.c @@ -1093,7 +1093,7 @@ p12u_DigestRead(void *arg, unsigned char *buf, unsigned long len) return -1; } - if (!p12cxt->buffer || ((p12cxt->filesize-p12cxt->currentpos)<len) ) { + if (!p12cxt->buffer || ((p12cxt->filesize-p12cxt->currentpos)<(long)len) ) { /* trying to read past the end of the buffer */ toread = p12cxt->filesize-p12cxt->currentpos; } 
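Review bot: The parent release added to SECMOD_DestroyModule is only balanced if every assignment to `module->parent` took a counted reference, and none of those assignments appears in this diff. If any site stores the parent pointer without SECMOD_ReferenceModule, this call drops a reference the child never owned and the parent can be freed while still in use. State the invariant where the field is released, e.g. `/* module->parent is a counted reference taken when the child was loaded; drop it now */`, and confirm the assignment sites match. The function continues past the end of the hunk.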
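Review bot: In p12u_DigestRead the added `(long)len` cast silences the signed/unsigned comparison, but a `len` above LONG_MAX converts to a negative value, the test against the remaining byte count is then false, and `toread` is not clamped to what is left in the buffer. The same cast in p12u_DigestWrite (`p12cxt->currentpos+(long)len > p12cxt->filesize`) can additionally overflow the signed addition. Rejecting oversized requests before either comparison closes both cases: `if (len > (unsigned long)LONG_MAX) { return -1; }`. The copy that consumes `toread` is outside the hunk.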
@@ -1111,7 +1111,7 @@ p12u_DigestWrite(void *arg, unsigned char *buf, unsigned long len) return -1; } - if (p12cxt->currentpos+len > p12cxt->filesize) { + if (p12cxt->currentpos+(long)len > p12cxt->filesize) { p12cxt->filesize = p12cxt->currentpos + len; } else { @@ -1191,7 +1191,8 @@ SEC_PKCS12DecoderStart(SECItem *pwitem, PK11SlotInfo *slot, void *wincx, p12dcx->arena = arena; p12dcx->pwitem = pwitem; - p12dcx->slot = (slot ? slot : PK11_GetInternalKeySlot()); + p12dcx->slot = (slot ? PK11_ReferenceSlot(slot) + : PK11_GetInternalKeySlot()); p12dcx->wincx = wincx; #ifdef IS_LITTLE_ENDIAN p12dcx->swapUnicodeBytes = PR_TRUE; @@ -1279,14 +1280,15 @@ static SECStatus sec_pkcs12_decoder_verify_mac(SEC_PKCS12DecoderContext *p12dcx) { SECStatus rv = SECFailure; + SECStatus lrv; SECItem hmacRes; unsigned char buf[IN_BUF_LEN]; unsigned int bufLen; int iteration; PK11Context *pk11cx = NULL; + PK11SymKey *symKey = NULL; + SECItem *params = NULL; SECItem ignore = {0}; - PK11SymKey *symKey; - SECItem *params; SECOidTag algtag; CK_MECHANISM_TYPE integrityMech; @@ -1318,15 +1320,18 @@ sec_pkcs12_decoder_verify_mac(SEC_PKCS12DecoderContext *p12dcx) symKey = PK11_KeyGen(NULL, integrityMech, params, 20, NULL); PK11_DestroyPBEParams(params); + params = NULL; if (!symKey) goto loser; /* init hmac */ pk11cx = PK11_CreateContextBySymKey(sec_pkcs12_algtag_to_mech(algtag), CKA_SIGN, symKey, &ignore); if(!pk11cx) { - PORT_SetError(SEC_ERROR_NO_MEMORY); - return SECFailure; + goto loser; + } + lrv = PK11_DigestBegin(pk11cx); + if (lrv == SECFailure ) { + goto loser; } - rv = PK11_DigestBegin(pk11cx); /* try to open the data for readback */ if(p12dcx->dOpen && ((*p12dcx->dOpen)(p12dcx->dArg, PR_TRUE) 
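Review bot: SEC_PKCS12DecoderStart now always owns a slot reference once `p12dcx->slot` is assigned, but the only release this commit adds is in SEC_PKCS12DecoderFinish. The function's failure path is outside the hunk; if it only frees the arena and returns NULL, the caller never receives a context to pass to Finish and the reference leaks on every failed start. That path should call `PK11_FreeSlot(p12dcx->slot);` before the arena is released.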
@@ -1346,14 +1351,20 @@ sec_pkcs12_decoder_verify_mac(SEC_PKCS12DecoderContext *p12dcx) goto loser; } - rv = PK11_DigestOp(pk11cx, buf, bytesRead); + lrv = PK11_DigestOp(pk11cx, buf, bytesRead); + if (lrv == SECFailure) { + goto loser; + } if(bytesRead < IN_BUF_LEN) { break; } } /* finish the hmac context */ - rv = PK11_DigestFinal(pk11cx, buf, &bufLen, IN_BUF_LEN); + lrv = PK11_DigestFinal(pk11cx, buf, &bufLen, IN_BUF_LEN); + if (lrv == SECFailure ) { + goto loser; + } hmacRes.data = buf; hmacRes.len = bufLen; @@ -1375,6 +1386,12 @@ loser: if(pk11cx) { PK11_DestroyContext(pk11cx, PR_TRUE); } + if (params) { + PK11_DestroyPBEParams(params); + } + if (symKey) { + PK11_FreeSymKey(symKey); + } return rv; } @@ -1460,6 +1477,11 @@ SEC_PKCS12DecoderFinish(SEC_PKCS12DecoderContext *p12dcx) p12dcx->hmacDcx = NULL; } + if(p12dcx->slot) { + PK11_FreeSlot(p12dcx->slot); + p12dcx->slot = NULL; + } + if(p12dcx->arena) { PORT_FreeArena(p12dcx->arena, PR_TRUE); } @@ -3312,7 +3334,7 @@ sec_PKCS12ConvertOldSafeToNew(PRArenaPool *arena, PK11SlotInfo *slot, } p12dcx->arena = arena; - p12dcx->slot = slot; + p12dcx->slot = PK11_ReferenceSlot(slot); p12dcx->wincx = wincx; p12dcx->error = PR_FALSE; p12dcx->swapUnicodeBytes = swapUnicode; diff --git a/security/nss/lib/pkcs12/p12e.c b/security/nss/lib/pkcs12/p12e.c index 9f9a92cea..e3ddd08ce 100644 --- a/security/nss/lib/pkcs12/p12e.c +++ b/security/nss/lib/pkcs12/p12e.c @@ -352,7 +352,7 @@ SEC_PKCS12CreatePasswordPrivSafe(SEC_PKCS12ExportContext *p12ctxt, { SEC_PKCS12SafeInfo *safeInfo = NULL; void *mark = NULL; - PK11SlotInfo *slot; + PK11SlotInfo *slot = NULL; SECAlgorithmID *algId; SECItem uniPwitem = {siBuffer, NULL, 0}; @@ -393,7 +393,7 @@ SEC_PKCS12CreatePasswordPrivSafe(SEC_PKCS12ExportContext *p12ctxt, } /* generate the encryption key */ - slot = p12ctxt->slot; + slot = PK11_ReferenceSlot(p12ctxt->slot); if(!slot) { slot = PK11_GetInternalKeySlot(); if(!slot) { 
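Review bot: In SEC_PKCS12CreatePasswordPrivSafe, `slot = PK11_ReferenceSlot(p12ctxt->slot);` is followed by `if(!slot)`, so a NULL `p12ctxt->slot` is an expected input, yet it is now passed to PK11_ReferenceSlot first. Unless that function accepts NULL (not shown on this page), this dereferences a NULL pointer before the internal-slot fallback can run; SEC_PKCS12DecoderStart in p12d.c handles the same case with a conditional. Use `slot = p12ctxt->slot ? PK11_ReferenceSlot(p12ctxt->slot) : NULL;` here. `p12dcx->slot = PK11_ReferenceSlot(slot);` in sec_PKCS12ConvertOldSafeToNew has the same exposure if its callers may pass a NULL slot.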
@@ -419,9 +419,16 @@ SEC_PKCS12CreatePasswordPrivSafe(SEC_PKCS12ExportContext *p12ctxt, SECITEM_ZfreeItem(&uniPwitem, PR_FALSE); } PORT_ArenaUnmark(p12ctxt->arena, mark); + + if (slot) { + PK11_FreeSlot(slot); + } return safeInfo; loser: + if (slot) { + PK11_FreeSlot(slot); + } if(safeInfo->cinfo) { SEC_PKCS7DestroyContentInfo(safeInfo->cinfo); } @@ -1285,7 +1292,7 @@ SEC_PKCS12AddKeyForCert(SEC_PKCS12ExportContext *p12ctxt, SEC_PKCS12SafeInfo *sa /* extract the key encrypted */ SECKEYEncryptedPrivateKeyInfo *epki = NULL; - PK11SlotInfo *slot = p12ctxt->slot; + PK11SlotInfo *slot = NULL; if(!sec_pkcs12_convert_item_to_unicode(p12ctxt->arena, &uniPwitem, pwitem, PR_TRUE, PR_TRUE, PR_TRUE)) { @@ -1296,14 +1303,14 @@ SEC_PKCS12AddKeyForCert(SEC_PKCS12ExportContext *p12ctxt, SEC_PKCS12SafeInfo *sa /* we want to make sure to take the key out of the key slot */ if(PK11_IsInternal(p12ctxt->slot)) { slot = PK11_GetInternalKeySlot(); + } else { + slot = PK11_ReferenceSlot(p12ctxt->slot); } epki = PK11_ExportEncryptedPrivateKeyInfo(slot, algorithm, &uniPwitem, cert, 1, p12ctxt->wincx); - if(PK11_IsInternal(p12ctxt->slot)) { - PK11_FreeSlot(slot); - } + PK11_FreeSlot(slot); keyItem = PORT_ArenaZAlloc(p12ctxt->arena, sizeof(SECKEYEncryptedPrivateKeyInfo)); @@ -1719,6 +1726,8 @@ sec_pkcs12_encoder_start_context(SEC_PKCS12ExportContext *p12exp) p12enc->hmacCx = PK11_CreateContextBySymKey( sec_pkcs12_algtag_to_mech(p12exp->integrityInfo.pwdInfo.algorithm), CKA_SIGN, symKey, &ignore); + + PK11_FreeSymKey(symKey); if(!p12enc->hmacCx) { PORT_SetError(SEC_ERROR_NO_MEMORY); goto loser; diff --git a/security/nss/lib/smime/cmscinfo.c b/security/nss/lib/smime/cmscinfo.c index 9e4a2dc5e..85756a536 100644 --- a/security/nss/lib/smime/cmscinfo.c +++ b/security/nss/lib/smime/cmscinfo.c 
@@ -78,6 +78,11 @@ NSS_CMSContentInfo_Destroy(NSSCMSContentInfo *cinfo) } if (cinfo->bulkkey) PK11_FreeSymKey(cinfo->bulkkey); + + if (cinfo->ciphcx) { + NSS_CMSCipherContext_Destroy(cinfo->ciphcx); + cinfo->ciphcx = NULL; + } /* we live in a pool, so no need to worry about storage */ } diff --git a/security/nss/lib/smime/cmsencdata.c b/security/nss/lib/smime/cmsencdata.c index 61aae96d8..fdfa0a2b9 100644 --- a/security/nss/lib/smime/cmsencdata.c +++ b/security/nss/lib/smime/cmsencdata.c @@ -202,8 +202,10 @@ NSS_CMSEncryptedData_Encode_BeforeData(NSSCMSEncryptedData *encd) SECStatus NSS_CMSEncryptedData_Encode_AfterData(NSSCMSEncryptedData *encd) { - if (encd->contentInfo.ciphcx) + if (encd->contentInfo.ciphcx) { NSS_CMSCipherContext_Destroy(encd->contentInfo.ciphcx); + encd->contentInfo.ciphcx = NULL; + } /* nothing to do after data */ return SECSuccess; @@ -265,7 +267,10 @@ loser: SECStatus NSS_CMSEncryptedData_Decode_AfterData(NSSCMSEncryptedData *encd) { - NSS_CMSCipherContext_Destroy(encd->contentInfo.ciphcx); + if (encd->contentInfo.ciphcx) { + NSS_CMSCipherContext_Destroy(encd->contentInfo.ciphcx); + encd->contentInfo.ciphcx = NULL; + } return SECSuccess; } diff --git a/security/nss/lib/smime/cmssigdata.c b/security/nss/lib/smime/cmssigdata.c index fab7189f2..03a37cda1 100644 --- a/security/nss/lib/smime/cmssigdata.c +++ b/security/nss/lib/smime/cmssigdata.c @@ -540,7 +540,7 @@ NSS_CMSSignedData_VerifyCertsOnly(NSSCMSSignedData *sigd, count = NSS_CMSArray_Count((void**)sigd->rawCerts); for (i=0; i < count; i++) { if (sigd->certs && sigd->certs[i]) { - cert = sigd->certs[i]; + cert = CERT_DupCertificate(sigd->certs[i]); } else { cert = CERT_FindCertByDERCert(certdb, sigd->rawCerts[i]); if (!cert) { @@ -550,6 +550,7 @@ NSS_CMSSignedData_VerifyCertsOnly(NSSCMSSignedData *sigd, } rv |= CERT_VerifyCert(certdb, cert, PR_TRUE, usage, PR_Now(), NULL, NULL); + CERT_DestroyCertificate(cert); } return rv; 
diff --git a/security/nss/lib/softoken/pkcs11.c b/security/nss/lib/softoken/pkcs11.c index 885e1c9f4..42a58b460 100644 --- a/security/nss/lib/softoken/pkcs11.c +++ b/security/nss/lib/softoken/pkcs11.c @@ -1705,7 +1705,7 @@ pk11_mkPrivKey(PK11Object *object,CK_KEY_TYPE key_type) if (arena == NULL) return NULL; privKey = (NSSLOWKEYPrivateKey *) - PORT_ArenaAlloc(arena,sizeof(NSSLOWKEYPrivateKey)); + PORT_ArenaZAlloc(arena,sizeof(NSSLOWKEYPrivateKey)); if (privKey == NULL) { PORT_FreeArena(arena,PR_FALSE); return NULL; @@ -1893,7 +1893,7 @@ pk11_mkSecretKeyRep(PK11Object *object) if (arena == NULL) { crv = CKR_HOST_MEMORY; goto loser; } privKey = (NSSLOWKEYPrivateKey *) - PORT_ArenaAlloc(arena,sizeof(NSSLOWKEYPrivateKey)); + PORT_ArenaZAlloc(arena,sizeof(NSSLOWKEYPrivateKey)); if (privKey == NULL) { crv = CKR_HOST_MEMORY; goto loser; } privKey->arena = arena; @@ -2302,7 +2302,7 @@ CK_RV nsc_CommonInitialize(CK_VOID_PTR pReserved, PRBool isFIPS) int i; if (nsc_init) { - return crv; + return CKR_CRYPTOKI_ALREADY_INITIALIZED; } rv = RNG_RNGInit(); /* initialize random number generator */ |
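Review bot: Returning `CKR_CRYPTOKI_ALREADY_INITIALIZED` from nsc_CommonInitialize changes what a second initialize call sees, and neither the commit message nor the hunk records which callers were checked. Code that compares the result against CKR_OK will now treat a repeated initialization as a failure; the call sites are not on this page. A comment at the return, e.g. `/* a repeated initialize is reported to the caller; code that loads the module twice must accept this code */`, would record the intent. The `nsc_init` test itself has no visible locking, so confirm that initialization is serialized by the caller.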