krb5 commit: Free cert info in pkinit_identity_initialize()
Greg Hudson
ghudson at mit.edu
Mon Feb 26 11:49:11 EST 2018
https://github.com/krb5/krb5/commit/e8909878b3ff95f4a9caf3a8cc80ce9d11a7d3e0
commit e8909878b3ff95f4a9caf3a8cc80ce9d11a7d3e0
Author: sashan <anedvedicky at gmail.com>
Date: Tue Feb 20 22:30:53 2018 +0100
Free cert info in pkinit_identity_initialize()

The pkinit_identity_crypto_context creds field contains a collection
of cert info deduced from configuration, and is used to select the
identity certificate on the client and the KDC. Its lifetime is
managed separately from the context, by crypto_load_certs() and
crypto_free_cert_info().

Prior to commit 60426439f672fe273ceead17910f818da1954c5b, the lifetime
was managed purely within pkinit_identity_initialize(). When that
function was split into two phases, pkinit_identity_initialize() began
leaving the creds array around unnecessarily. The client calling
function made its own call to free the creds array, but this was not
done by the KDC calling function. The result was that the creds array
was overwritten in pkinit_identity_prompt(), leaking a small amount of
memory at KDC startup. This leak is trivial, but adds noise to leak
detection tools.

Fix the leak by freeing the creds array in
pkinit_identity_initialize() before returning, and remove the
no-longer-necessary call in pkinit_client_prep_questions(). In the
longer term, it might be better to separate the creds array from
pkinit_identity_crypto_context and manage it using local variables
within pkinit_identity_initialize() and pkinit_identity_prompt().

[ghudson at mit.edu: rewrote commit message]

src/plugins/preauth/pkinit/pkinit_clnt.c | 2 --
src/plugins/preauth/pkinit/pkinit_identity.c | 3 +++
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c
index f1bc6b2..2604800 100644
--- a/src/plugins/preauth/pkinit/pkinit_clnt.c
+++ b/src/plugins/preauth/pkinit/pkinit_clnt.c
@@ -1017,8 +1017,6 @@ pkinit_client_prep_questions(krb5_context context,
}
reqctx->identity_initialized = TRUE;
- crypto_free_cert_info(context, plgctx->cryptoctx,
- reqctx->cryptoctx, reqctx->idctx);
if (retval != 0) {
pkiDebug("%s: not asking responder question\n", __FUNCTION__);
retval = 0;
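Review bot: The removed crypto_free_cert_info() call sat above the `if (retval != 0)` check, so it ran whether or not the preceding step had failed; with it gone, pkinit_client_prep_questions() depends on the cert info having been released on every return path of the callee, failures included. Please confirm that this holds for error returns, and consider leaving a short comment at this spot saying the creds array is now released inside pkinit_identity_initialize(), so a later change does not reintroduce the call or assume the array is still populated here.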
diff --git a/src/plugins/preauth/pkinit/pkinit_identity.c b/src/plugins/preauth/pkinit/pkinit_identity.c
index e8997c9..fa754e3 100644
--- a/src/plugins/preauth/pkinit/pkinit_identity.c
+++ b/src/plugins/preauth/pkinit/pkinit_identity.c
@@ -543,6 +543,9 @@ pkinit_identity_initialize(krb5_context context,
idopts, id_cryptoctx, princ, TRUE);
if (retval)
goto errout;
+
+ crypto_free_cert_info(context, plg_cryptoctx, req_cryptoctx,
+ id_cryptoctx);
} else {
/* We're the anonymous principal. */
retval = 0;
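Review bot: The added crypto_free_cert_info() call comes after `if (retval) goto errout;`, so when the call just above it fails the free is skipped unless the errout path, which is not visible in this hunk, performs it. Consider moving the free to errout or otherwise making sure the failure path releases the creds array, since the client-side call removed by this patch used to run regardless of retval. A one-line comment above the new call noting that pkinit_identity_prompt() loads the creds array again would also explain why freeing it at this point is safe.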