authorAlex Gaynor <alex.gaynor@gmail.com>2017-03-09 06:19:06 -0500
committerPaul Kehrer <paul.l.kehrer@gmail.com>2017-03-09 07:19:06 -0400
commitd5e05f27f03046c671d23f09f84cddb8237df0f8 (patch)
treea020b65a3650a05e31662a459ac8068bddd49092
parent722235c46721acfe8b601e7846730c3c1fa588c5 (diff)
Refs #3430 -- fixed a memory leak in extension parsing for CRL dp (#3431)
* Refs #3430 -- fixed a memory leak in extension parsing for CRL dp * same fix for policy info * make this private * consistency cleanup
-rw-r--r--src/_cffi_src/openssl/x509v3.py6
-rw-r--r--src/cryptography/hazmat/backends/openssl/backend.py5
-rw-r--r--src/cryptography/hazmat/backends/openssl/decode_asn1.py19
-rw-r--r--src/cryptography/hazmat/bindings/openssl/binding.py1
4 files changed, 26 insertions, 5 deletions
diff --git a/src/_cffi_src/openssl/x509v3.py b/src/_cffi_src/openssl/x509v3.py
index 38099a9a..164c1a58 100644
--- a/src/_cffi_src/openssl/x509v3.py
+++ b/src/_cffi_src/openssl/x509v3.py
@@ -172,6 +172,8 @@ typedef struct {
} POLICYINFO;
typedef void (*sk_GENERAL_NAME_freefunc)(GENERAL_NAME *);
+typedef void (*sk_DIST_POINT_freefunc)(DIST_POINT *);
+typedef void (*sk_POLICYINFO_freefunc)(POLICYINFO *);
"""
@@ -244,12 +246,16 @@ void sk_DIST_POINT_free(Cryptography_STACK_OF_DIST_POINT *);
int sk_DIST_POINT_num(Cryptography_STACK_OF_DIST_POINT *);
DIST_POINT *sk_DIST_POINT_value(Cryptography_STACK_OF_DIST_POINT *, int);
int sk_DIST_POINT_push(Cryptography_STACK_OF_DIST_POINT *, DIST_POINT *);
+void sk_DIST_POINT_pop_free(Cryptography_STACK_OF_DIST_POINT *,
+ sk_DIST_POINT_freefunc);
void sk_POLICYINFO_free(Cryptography_STACK_OF_POLICYINFO *);
int sk_POLICYINFO_num(Cryptography_STACK_OF_POLICYINFO *);
POLICYINFO *sk_POLICYINFO_value(Cryptography_STACK_OF_POLICYINFO *, int);
int sk_POLICYINFO_push(Cryptography_STACK_OF_POLICYINFO *, POLICYINFO *);
Cryptography_STACK_OF_POLICYINFO *sk_POLICYINFO_new_null(void);
+void sk_POLICYINFO_pop_free(Cryptography_STACK_OF_POLICYINFO *,
+ sk_POLICYINFO_freefunc);
POLICYINFO *POLICYINFO_new(void);
void POLICYINFO_free(POLICYINFO *);
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index 446891d3..41b86d6b 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -46,7 +46,6 @@ from cryptography.hazmat.backends.openssl.x509 import (
_Certificate, _CertificateRevocationList,
_CertificateSigningRequest, _RevokedCertificate
)
-from cryptography.hazmat.bindings._openssl import lib as _lib
from cryptography.hazmat.bindings.openssl import binding
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import dsa, ec, rsa
@@ -1137,7 +1136,9 @@ class Backend(object):
evp_pkey = openssl_read_func(
mem_bio.bio,
self._ffi.NULL,
- self._ffi.addressof(_lib, "Cryptography_pem_password_cb"),
+ self._ffi.addressof(
+ self._lib._original_lib, "Cryptography_pem_password_cb"
+ ),
userdata,
)
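Review bot: `self._lib._original_lib` is passed to `addressof` here with no comment on why the wrapper `self._lib` cannot be passed directly. From the binding.py hunk, `self._lib` appears to be the `types.ModuleType` copy built by `build_conditional_library`, while `ffi.addressof()` needs the real cffi lib object. I would add `# ffi.addressof() needs the real cffi lib, not the conditional ModuleType wrapper` above the call, and a matching comment on the `conditional_lib._original_lib = lib` assignment in binding.py. The two decode_asn1.py hunks depend on the same private attribute. The enclosing method starts and ends outside this hunk.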
diff --git a/src/cryptography/hazmat/backends/openssl/decode_asn1.py b/src/cryptography/hazmat/backends/openssl/decode_asn1.py
index 2cbc349e..00937421 100644
--- a/src/cryptography/hazmat/backends/openssl/decode_asn1.py
+++ b/src/cryptography/hazmat/backends/openssl/decode_asn1.py
@@ -248,7 +248,14 @@ class _X509ExtensionParser(object):
def _decode_certificate_policies(backend, cp):
cp = backend._ffi.cast("Cryptography_STACK_OF_POLICYINFO *", cp)
- cp = backend._ffi.gc(cp, backend._lib.sk_POLICYINFO_free)
+
+ cp_freefunc = backend._ffi.addressof(
+ backend._lib._original_lib, "POLICYINFO_free"
+ )
+ cp = backend._ffi.gc(
+ cp, lambda c: backend._lib.sk_POLICYINFO_pop_free(c, cp_freefunc)
+ )
+
num = backend._lib.sk_POLICYINFO_num(cp)
certificate_policies = []
for i in range(num):
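Review bot: Nothing at the `gc` call in `_decode_certificate_policies` records that the destructor now frees every `POLICYINFO` element as well as the stack. Pointers returned by `sk_POLICYINFO_value` in the loop that follows are therefore borrowed, and everything must be copied into Python objects before `cp` is collected. The loop body is outside the hunk, so this could not be checked here. A comment such as `# pop_free also frees each element; copy everything out before cp is collected` would document it, and the same applies to `_decode_crl_distribution_points`. The diffstat also lists no test file; since these parsers may process certificates from untrusted peers, a regression test that decodes both extensions repeatedly and checks that memory stays flat would keep the leak from returning.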
@@ -489,9 +496,15 @@ _DISTPOINT_TYPE_RELATIVENAME = 1
def _decode_crl_distribution_points(backend, cdps):
cdps = backend._ffi.cast("Cryptography_STACK_OF_DIST_POINT *", cdps)
- cdps = backend._ffi.gc(cdps, backend._lib.sk_DIST_POINT_free)
- num = backend._lib.sk_DIST_POINT_num(cdps)
+ dp_freefunc = backend._ffi.addressof(
+ backend._lib._original_lib, "DIST_POINT_free"
+ )
+ cdps = backend._ffi.gc(
+ cdps, lambda c: backend._lib.sk_DIST_POINT_pop_free(c, dp_freefunc)
+ )
+
+ num = backend._lib.sk_DIST_POINT_num(cdps)
dist_points = []
for i in range(num):
full_name = None
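Review bot: The `addressof` + `gc` + lambda sequence in `_decode_crl_distribution_points` is a line-for-line copy of the one added to `_decode_certificate_policies`, differing only in the two function names. A small private helper would keep the ownership rule in one place, so a later stack decoder is less likely to use the plain `sk_*_free` again by mistake. The function body continues past the end of the hunk.

```python
def _gc_stack_with_elements(backend, stack, pop_free, elem_free_name):
    # Free the stack and every element it holds when `stack` is collected.
    elem_free = backend._ffi.addressof(
        backend._lib._original_lib, elem_free_name
    )
    return backend._ffi.gc(stack, lambda s: pop_free(s, elem_free))


def _decode_crl_distribution_points(backend, cdps):
    cdps = backend._ffi.cast("Cryptography_STACK_OF_DIST_POINT *", cdps)
    cdps = _gc_stack_with_elements(
        backend, cdps, backend._lib.sk_DIST_POINT_pop_free, "DIST_POINT_free"
    )
    # … unchanged: sk_DIST_POINT_num call and decode loop …
```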
diff --git a/src/cryptography/hazmat/bindings/openssl/binding.py b/src/cryptography/hazmat/bindings/openssl/binding.py
index 59092c0d..6b3d50c4 100644
--- a/src/cryptography/hazmat/bindings/openssl/binding.py
+++ b/src/cryptography/hazmat/bindings/openssl/binding.py
@@ -63,6 +63,7 @@ def _openssl_assert(lib, ok):
def build_conditional_library(lib, conditional_names):
conditional_lib = types.ModuleType("lib")
+ conditional_lib._original_lib = lib
excluded_names = set()
for condition, names in conditional_names.items():
if not getattr(lib, condition):