RFR: 8303607: SunMSCAPI provider leaks memory and keys

Mon Mar 6 21:44:12 UTC 2023

Weijun,

Would you be so kind as to review and sponsor this change for me given that you are familiar with my previous changes [1] (although this issue existed prior)

Once this is in tip, I'll look to backport to 19, 17 and 11

Thanks in advance
Mat

[1] https://bugs.openjdk.org/browse/JDK-8284850

Sent from Outlook

From: security-dev <security-dev-retn at openjdk.org> on behalf of Mat Carter <macarte at openjdk.org>
Sent: Monday, March 6, 2023 1:35 PM
To: security-dev at openjdk.org <security-dev at openjdk.org>
Subject: RFR: 8303607: SunMSCAPI provider leaks memory and keys 

[Some people who received this message don't often get email from macarte at openjdk.org. Learn why this is important at https://aka.ms/LearnAboutSenderIdentification ]

The message from this sender included one or more files
which could not be scanned for virus detection; do not
open these files unless you are certain of the sender's intent.

----------------------------------------------------------------------
Use the correct API for freeing key handles when directed to by the output of CryptAcquireCertificatePrivateKey [1].
Specifically when [out] pfCallerFreeProvOrNCryptKey is true we test [out] pdwKeySpec for the CERT_NCRYPT_KEY_SPEC flag.  When flag bit is set we now call NCryptFreeObject, otherwise we continue to call CryptReleaseContext (as before)

[1] https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flearn.microsoft.com%2Fen-us%2Fwindows%2Fwin32%2Fapi%2Fwincrypt%2Fnf-wincrypt-cryptacquirecertificateprivatekey&data=05%7C01%7Cmatthew.carter%40microsoft.com%7Ce26c0d2b15e8424b988f08db1e8ac459%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638137353598481138%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=DkDIdugqfKkENfLVcInWsdaN8mQHZk%2FMEzMo8a%2FofzQ%3D&reserved=0

-------------

Commit messages:
 - Merge branch 'openjdk:master' into ncrypt
 - Fix handle leak

Changes: https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgit.openjdk.org%2Fjdk%2Fpull%2F12891%2Ffiles&data=05%7C01%7Cmatthew.carter%40microsoft.com%7Ce26c0d2b15e8424b988f08db1e8ac459%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638137353598481138%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=arWU6sUJYifADSnvxbxSbBhXixoV%2BfKQmERkfeleFWU%3D&reserved=0
 Webrev: https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwebrevs.openjdk.org%2F%3Frepo%3Djdk%26pr%3D12891%26range%3D00&data=05%7C01%7Cmatthew.carter%40microsoft.com%7Ce26c0d2b15e8424b988f08db1e8ac459%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638137353598481138%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=yVDaTyyNAasXuhsjGlKUE%2BybO%2FKYh853N54ONVfYUeE%3D&reserved=0
  Issue: https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugs.openjdk.org%2Fbrowse%2FJDK-8303607&data=05%7C01%7Cmatthew.carter%40microsoft.com%7Ce26c0d2b15e8424b988f08db1e8ac459%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638137353598637370%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=HtZ9QLDhraylQ2H%2FNnuwMahhYI8MoMRP7A5zWGrXRgg%3D&reserved=0
  Stats: 5 lines in 1 file changed: 4 ins; 0 del; 1 mod
  Patch: https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgit.openjdk.org%2Fjdk%2Fpull%2F12891.diff&data=05%7C01%7Cmatthew.carter%40microsoft.com%7Ce26c0d2b15e8424b988f08db1e8ac459%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638137353598637370%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=RnFSicrj4EDheFgBQ%2Fr7RszE%2FzS30gS2ykxpP%2FaSC10%3D&reserved=0
  Fetch: git fetch https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgit.openjdk.org%2Fjdk&data=05%7C01%7Cmatthew.carter%40microsoft.com%7Ce26c0d2b15e8424b988f08db1e8ac459%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638137353598637370%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=ObH7qip2rYafj%2FLaCXVz9Fq6ZmIzaPLycQe1AcYR%2Bv4%3D&reserved=0 pull/12891/head:pull/12891

PR: https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgit.openjdk.org%2Fjdk%2Fpull%2F12891&data=05%7C01%7Cmatthew.carter%40microsoft.com%7Ce26c0d2b15e8424b988f08db1e8ac459%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638137353598637370%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=SQm05Uv%2B8Dde%2FUGdyDV%2FJl4be2vyYVMjuA6c2aLyVXk%3D&reserved=0