From 0897d5131489c7eac21d558625c30d23b0a1774d Mon Sep 17 00:00:00 2001

From: Your Name <you@example.com>

Date: Tue, 14 Apr 2020 13:17:14 +0000

Subject: [PATCH 35/39] Cleanup the SCEP helper curl and talloc contexts when

 finished

The talloc context was freed in only a few cases and the curl

context was never freed.

---

 src/scep.c     | 127 ++++++++++++++++++++++++++++++++-----------------

 src/submit-h.c |  15 +++++-

 src/submit-h.h |   1 +

 3 files changed, 97 insertions(+), 46 deletions(-)

diff --git a/src/scep.c b/src/scep.c

index 0b8bef9..4d00692 100644

--- a/src/scep.c

+++ b/src/scep.c

@@ -199,7 +199,7 @@ int

 main(int argc, const char **argv)

 {

 	const char *url = NULL, *results = NULL, *results2 = NULL;

-	struct cm_submit_h_context *hctx;

+	struct cm_submit_h_context *hctx = NULL;

 	int c, verbose = 0, results_length = 0, results_length2 = 0, i;

 	int prefer_non_renewal = 0, can_renewal = 0;

 	int response_code = 0, response_code2 = 0;

@@ -225,7 +225,8 @@ main(int argc, const char **argv)

 	size_t payload_length;

 	long error;

 	PKCS7 *p7;

-	poptContext pctx;

+	int rval = CM_SUBMIT_STATUS_UNCONFIGURED;

+	poptContext pctx = NULL;

 	struct poptOption popts[] = {

 		{"url", 'u', POPT_ARG_STRING, &url, 0, "service location", "URL"},

 		{"ca-identifier", 'i', POPT_ARG_STRING, &id, 0, "name to use when querying for capabilities", "IDENTIFIER"},

@@ -388,8 +389,8 @@ main(int argc, const char **argv)

 			}

 			if ((message == NULL) || (strlen(message) == 0)) {

 				printf(_("Error reading request.  Expected PKCS7 data containing a GetInitialCert pkiMessage, got nothing.\n"));

-				free(cainfo);

-				return CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES;

+				rval = CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES;

+				goto done;

 			}

 			/* First step: read capabilities for our use. */

 			params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CAPS);

@@ -408,8 +409,8 @@ main(int argc, const char **argv)

 			}

 			if ((message == NULL) || (strlen(message) == 0)) {

 				printf(_("Error reading request.  Expected PKCS7 data containing a PKCSReq pkiMessage, got nothing.\n"));

-				free(cainfo);

-				return CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES;

+				rval = CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES;

+				goto done;

 			}

 			/* First step: read capabilities for our use. */

 			params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CAPS);

@@ -420,8 +421,8 @@ main(int argc, const char **argv)

 	/* Supply help output, if it's needed. */

 	if (missing_args) {

 		poptPrintUsage(pctx, stdout, 0);

-		free(cainfo);

-		return CM_SUBMIT_STATUS_UNCONFIGURED;

+		rval = CM_SUBMIT_STATUS_UNCONFIGURED;

+		goto done;

 	}

 	/* Check the rekey PKCSReq message, if we have one. */

@@ -505,7 +506,6 @@ main(int argc, const char **argv)

 				verbose > 1 ?

 				cm_submit_h_curl_verbose_on :

 				cm_submit_h_curl_verbose_off);

-	free(cainfo);

 	cm_submit_h_run(hctx);

 	content_type = cm_submit_h_result_type(hctx);

 	if (content_type == NULL) {

@@ -551,7 +551,8 @@ main(int argc, const char **argv)

 		}

 		if ((tmp2 == NULL) || (strlen(tmp2) == 0)) {

 			printf(_("Error reading request.  Expected PKCS7 data containing a GetInitialCert pkiMessage, got nothing.\n"));

-			return CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES;

+			rval = CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES;

+			goto done;

 		} else

 		if (verbose > 0) {

 			if (tmp2 == rekey_message) {

@@ -576,7 +577,8 @@ main(int argc, const char **argv)

 		}

 		if ((tmp2 == NULL) || (strlen(tmp2) == 0)) {

 			printf(_("Error reading request.  Expected PKCS7 data containing a PKCSReq pkiMessage, got nothing.\n"));

-			return CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES;

+			rval = CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES;

+			goto done;

 		} else

 		if (verbose > 0) {

 			if (tmp2 == rekey_message) {

@@ -638,7 +640,8 @@ main(int argc, const char **argv)

 			       cm_submit_h_result_code(hctx),

 			       url);

 		}

-		return CM_SUBMIT_STATUS_UNREACHABLE;

+		rval = CM_SUBMIT_STATUS_UNREACHABLE;

+		goto done;

 	}

 	switch (op) {

 	case op_unset:

@@ -651,16 +654,19 @@ main(int argc, const char **argv)

 			       response_code, url);

 			if (response_code == 500) {

 				/* The server might recover, right? */

-				return CM_SUBMIT_STATUS_UNREACHABLE;

+				rval = CM_SUBMIT_STATUS_UNREACHABLE;

+				goto done;

 			} else {

 				/* Maybe not? */

-				return CM_SUBMIT_STATUS_REJECTED;

+				rval = CM_SUBMIT_STATUS_REJECTED;

+				goto done;

 			}

 		}

 		if (results == NULL) {

 			printf(_("Internal error: no response to \"%s?%s\".\n"),

 			       url, params);

-			return CM_SUBMIT_STATUS_REJECTED;

+			rval = CM_SUBMIT_STATUS_REJECTED;

+			goto done;

 		}

 		break;

 	case op_get_cert_initial:

@@ -685,10 +691,12 @@ main(int argc, const char **argv)

 				fprintf(stderr, "Result is surprisingly large, "

 					"suppressing it.\n");

 			}

-			return CM_SUBMIT_STATUS_REJECTED;

+			rval = CM_SUBMIT_STATUS_REJECTED;

+			goto done;

 		}

 		printf("%s\n", results);

-		return CM_SUBMIT_STATUS_ISSUED;

+		rval = CM_SUBMIT_STATUS_ISSUED;

+		goto done;

 		break;

 	case op_get_ca_certs:

 		if ((strcasecmp(content_type,

@@ -697,7 +705,8 @@ main(int argc, const char **argv)

 				"application/x-x509-ca-ra-cert") != 0)) {

 			printf(_("Server reply was of unexpected MIME type "

 				 "\"%s\".\n"), content_type);

-			return CM_SUBMIT_STATUS_UNREACHABLE;

+			rval = CM_SUBMIT_STATUS_UNREACHABLE;

+			goto done;

 		}

 		if (racert == NULL) {

 			racertp = &racer;;

@@ -710,7 +719,8 @@ main(int argc, const char **argv)

 						 n_buffers + 1);

 			if ((buffers == NULL) || (lengths == NULL)) {

 				fprintf(stderr, "Out of memory.\n");

-				return CM_SUBMIT_STATUS_UNREACHABLE;

+				rval = CM_SUBMIT_STATUS_UNREACHABLE;

+				goto done;

 			}

 			buffers[n_buffers] = (unsigned char *) racert;

 			lengths[n_buffers] = strlen(racert);

@@ -727,7 +737,8 @@ main(int argc, const char **argv)

 						 n_buffers + 1);

 			if ((buffers == NULL) || (lengths == NULL)) {

 				fprintf(stderr, "Out of memory.\n");

-				return CM_SUBMIT_STATUS_UNREACHABLE;

+				rval = CM_SUBMIT_STATUS_UNREACHABLE;

+				goto done;

 			}

 			buffers[n_buffers] = (unsigned char *) cacert;

 			lengths[n_buffers] = strlen(cacert);

@@ -741,7 +752,8 @@ main(int argc, const char **argv)

 						 n_buffers + 1);

 			if ((buffers == NULL) || (lengths == NULL)) {

 				fprintf(stderr, "Out of memory.\n");

-				return CM_SUBMIT_STATUS_UNREACHABLE;

+				rval = CM_SUBMIT_STATUS_UNREACHABLE;

+				goto done;

 			}

 			buffers[n_buffers] = (unsigned char *) results;

 			lengths[n_buffers] = results_length;

@@ -755,7 +767,8 @@ main(int argc, const char **argv)

 						 n_buffers + 1);

 			if ((buffers == NULL) || (lengths == NULL)) {

 				fprintf(stderr, "Out of memory.\n");

-				return CM_SUBMIT_STATUS_UNREACHABLE;

+				rval = CM_SUBMIT_STATUS_UNREACHABLE;

+				goto done;

 			}

 			buffers[n_buffers] = (unsigned char *) results2;

 			lengths[n_buffers] = results_length2;

@@ -850,7 +863,8 @@ main(int argc, const char **argv)

 						 n_buffers + 1);

 			if ((buffers == NULL) || (lengths == NULL)) {

 				fprintf(stderr, "Out of memory.\n");

-				return CM_SUBMIT_STATUS_UNREACHABLE;

+				rval = CM_SUBMIT_STATUS_UNREACHABLE;

+				goto done;

 			}

 			buffers[n_buffers] = (unsigned char *) results2;

 			lengths[n_buffers] = results_length2;

@@ -882,11 +896,11 @@ main(int argc, const char **argv)

 					}

 				}

 			}

-			talloc_free(ctx);

-			return CM_SUBMIT_STATUS_ISSUED;

+			rval = CM_SUBMIT_STATUS_ISSUED;

+			goto done;

 		} else {

-			talloc_free(ctx);

-			return CM_SUBMIT_STATUS_UNREACHABLE;

+			rval = CM_SUBMIT_STATUS_UNREACHABLE;

+			goto done;

 		}

 		break;

 	case op_get_cert_initial:

@@ -957,42 +971,50 @@ main(int argc, const char **argv)

 				fprintf(stderr, "%s", s);

 				cm_log(1, "%s", s);

 				free(s);

-				return CM_SUBMIT_STATUS_UNREACHABLE;

+				rval = CM_SUBMIT_STATUS_UNREACHABLE;

+				goto done;

 			}

 			if ((msgtype == NULL) ||

 			    (strcmp(msgtype, SCEP_MSGTYPE_CERTREP) != 0)) {

 				printf(_("Error: reply was not a CertRep (%s).\n"),

 				       msgtype ? msgtype : "none");

-				return CM_SUBMIT_STATUS_UNREACHABLE;

+				rval = CM_SUBMIT_STATUS_UNREACHABLE;

+				goto done;

 			}

 			if (tx == NULL) {

 				printf(_("Error: reply is missing transactionId.\n"));

-				return CM_SUBMIT_STATUS_UNREACHABLE;

+				rval = CM_SUBMIT_STATUS_UNREACHABLE;

+				goto done;

 			}

 			if (sent_tx != NULL) {

 				if (strcmp(sent_tx, tx) != 0) {

 					printf(_("Error: reply contains a "

 						 "different transactionId.\n"));

-					return CM_SUBMIT_STATUS_UNREACHABLE;

+					rval = CM_SUBMIT_STATUS_UNREACHABLE;

+					goto done;

 				}

 			}

 			if (pkistatus == NULL) {

 				printf(_("Error: reply is missing pkiStatus.\n"));

-				return CM_SUBMIT_STATUS_UNREACHABLE;

+				rval = CM_SUBMIT_STATUS_UNREACHABLE;

+				goto done;

 			}

 			if (recipient_nonce == NULL) {

 				printf(_("Error: reply is missing recipientNonce.\n"));

-				return CM_SUBMIT_STATUS_UNREACHABLE;

+				rval = CM_SUBMIT_STATUS_UNREACHABLE;

+				goto done;

 			}

 			if ((recipient_nonce_length != sent_nonce_length) ||

 			    (memcmp(recipient_nonce, sent_nonce,

 				    sent_nonce_length) != 0)) {

 				printf(_("Error: reply nonce doesn't match request.\n"));

-				return CM_SUBMIT_STATUS_UNREACHABLE;

+				rval = CM_SUBMIT_STATUS_UNREACHABLE;

+				goto done;

 			}

 			if (sender_nonce == NULL) {

 				printf(_("Error: reply is missing senderNonce.\n"));

-				return CM_SUBMIT_STATUS_UNREACHABLE;

+				rval = CM_SUBMIT_STATUS_UNREACHABLE;

+				goto done;

 			}

 			if (strcmp(pkistatus, SCEP_PKISTATUS_PENDING) == 0) {

 				if (verbose > 0) {

@@ -1002,7 +1024,8 @@ main(int argc, const char **argv)

 				s = cm_store_base64_from_bin(ctx, sender_nonce,

 							     sender_nonce_length);

 				printf("%s\n", s);

-				return CM_SUBMIT_STATUS_WAIT;

+				rval = CM_SUBMIT_STATUS_WAIT;

+				goto done;

 			} else

 			if (strcmp(pkistatus, SCEP_PKISTATUS_FAILURE) == 0) {

 				if (verbose > 0) {

@@ -1050,7 +1073,8 @@ main(int argc, const char **argv)

 					printf(_("Server returned failure code \"%s\".\n"),

 					       failinfo);

 				}

-				return CM_SUBMIT_STATUS_REJECTED;

+				rval = CM_SUBMIT_STATUS_REJECTED;

+				goto done;

 			} else

 			if (strcmp(pkistatus, SCEP_PKISTATUS_SUCCESS) == 0) {

 				if (verbose > 0) {

@@ -1067,7 +1091,8 @@ main(int argc, const char **argv)

 					s = cm_submit_u_pem_from_base64("PKCS7", 0, s);

 					fprintf(stderr, "Full reply:\n%s", s);

 					free(s);

-					return CM_SUBMIT_STATUS_UNREACHABLE;

+					rval = CM_SUBMIT_STATUS_UNREACHABLE;

+					goto done;

 				}

 				if (!PKCS7_type_is_enveloped(p7)) {

 					printf(_("Error: signed-data payload is not enveloped-data.\n"));

@@ -1079,7 +1104,8 @@ main(int argc, const char **argv)

 					s = cm_submit_u_pem_from_base64("PKCS7", 0, s);

 					fprintf(stderr, "Full reply:\n%s", s);

 					free(s);

-					return CM_SUBMIT_STATUS_UNREACHABLE;

+					rval = CM_SUBMIT_STATUS_UNREACHABLE;

+					goto done;

 				}

 				if ((p7->d.enveloped == NULL) ||

 				    (p7->d.enveloped->enc_data == NULL) ||

@@ -1094,29 +1120,42 @@ main(int argc, const char **argv)

 					s = cm_submit_u_pem_from_base64("PKCS7", 0, s);

 					fprintf(stderr, "Full reply:\n%s", s);

 					free(s);

-					return CM_SUBMIT_STATUS_UNREACHABLE;

+					rval = CM_SUBMIT_STATUS_UNREACHABLE;

+					goto done;

 				}

 				s = cm_store_base64_from_bin(ctx, payload,

 							     payload_length);

 				s = cm_submit_u_pem_from_base64("PKCS7", 0, s);

 				printf("%s", s);

 				free(s);

-				return CM_SUBMIT_STATUS_ISSUED;

+				rval = CM_SUBMIT_STATUS_ISSUED;

+				goto done;

 			} else {

 				if (verbose > 0) {

 					fprintf(stderr, "SCEP status is \"%s\".\n", pkistatus);

 				}

 				printf(_("Error: pkiStatus \"%s\" not recognized.\n"),

 				       pkistatus);

-				return CM_SUBMIT_STATUS_UNREACHABLE;

+				rval = CM_SUBMIT_STATUS_UNREACHABLE;

+				goto done;

 			}

 		} else {

 			printf(_("Server reply was of unexpected MIME type "

 				 "\"%s\".\n"), content_type);

 			printf("Full reply:\n%.*s", results_length2, results2);

-			return CM_SUBMIT_STATUS_UNREACHABLE;

+			rval = CM_SUBMIT_STATUS_UNREACHABLE;

+			goto done;

 		}

 		break;

 	}

-	return CM_SUBMIT_STATUS_UNCONFIGURED;

+

+done:

+	if (pctx) {

+		poptFreeContext(pctx);

+	}

+	free(cainfo);

+	free(id);

+	cm_submit_h_cleanup(hctx);

+	talloc_free(ctx);

+	return rval;

 }

diff --git a/src/submit-h.c b/src/submit-h.c

index 33f9b39..9b507db 100644

--- a/src/submit-h.c

+++ b/src/submit-h.c

@@ -298,6 +298,15 @@ cm_submit_h_result_type(struct cm_submit_h_context *ctx)

 	return ret;

 }

+void

+cm_submit_h_cleanup(struct cm_submit_h_context *ctx)

+{

+

+	if (ctx != NULL && ctx->curl != NULL) {

+		curl_easy_cleanup(ctx->curl);

+	}

+}

+

 #ifdef CM_SUBMIT_H_MAIN

 int

 main(int argc, const char **argv)

@@ -307,7 +316,7 @@ main(int argc, const char **argv)

 	enum cm_submit_h_opt_negotiate negotiate;

 	enum cm_submit_h_opt_delegate negotiate_delegate;

 	enum cm_submit_h_opt_clientauth clientauth;

-	int c, fd, l, verbose = 0, length = 0;

+	int c, fd, l, verbose = 0, length = 0, rval = 0;

 	char *ctype, *accept, *capath, *cainfo, *sslcert, *sslkey, *sslpass;

 	char *pinfile;

 	const char *method, *url;

@@ -423,6 +432,8 @@ main(int argc, const char **argv)

 			cm_submit_h_result_code(ctx),

 			cm_submit_h_result_code_text(ctx));

 	}

-	return cm_submit_h_result_code(ctx);

+	rval = cm_submit_h_result_code(ctx);

+	cm_submit_h_cleanup(ctx);

+	return rval;

 }

 #endif

diff --git a/src/submit-h.h b/src/submit-h.h

index 1283c53..931cc89 100644

--- a/src/submit-h.h

+++ b/src/submit-h.h

@@ -61,5 +61,6 @@ int cm_submit_h_result_code(struct cm_submit_h_context *ctx);

 const char *cm_submit_h_result_code_text(struct cm_submit_h_context *ctx);

 const char *cm_submit_h_results(struct cm_submit_h_context *ctx, int *length);

 const char *cm_submit_h_result_type(struct cm_submit_h_context *ctx);

+void cm_submit_h_cleanup(struct cm_submit_h_context *ctx);

 #endif

-- 

2.21.1