From d43a6331cc9b63c8d2ee2a6b6d7514c3f1872c62 Mon Sep 17 00:00:00 2001
From: Paul Kehrer <paul.l.kehrer@gmail.com>
Date: Sun, 22 Feb 2015 13:33:13 -0600
Subject: free PKCS8_PRIV_KEY_INFO * and reuse membio for der loading

---
 src/cryptography/hazmat/backends/openssl/backend.py | 19 +++++++++++--------
 src/cryptography/hazmat/bindings/openssl/x509.py    |  1 +
 2 files changed, 12 insertions(+), 8 deletions(-)

(limited to 'src')

diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index 87ee1d7a..eb23ef00 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -702,12 +702,16 @@ class Backend(object):
         # this. Unfortunately it doesn't properly support PKCS8 on OpenSSL
         # 0.9.8 so we can't use it. Instead we sequentially try to load it 3
         # different ways. First we'll try to load it as a traditional key
-        key = self._evp_pkey_from_der_traditional_key(data, password)
+        bio_data = self._bytes_to_bio(data)
+        key = self._evp_pkey_from_der_traditional_key(bio_data, password)
         if not key:
             # Okay so it's not a traditional key. Let's try
             # PKCS8 unencrypted. OpenSSL 0.9.8 can't load unencrypted
             # PKCS8 keys using d2i_PKCS8PrivateKey_bio so we do this instead.
-            key = self._evp_pkey_from_der_unencrypted_pkcs8(data, password)
+            # Reset the memory BIO so we can read the data again.
+            res = self._lib.BIO_reset(bio_data.bio)
+            assert res == 1
+            key = self._evp_pkey_from_der_unencrypted_pkcs8(bio_data, password)
 
         if key:
             return self._evp_pkey_to_private_key(key)
@@ -721,9 +725,8 @@ class Backend(object):
                 password,
             )
 
-    def _evp_pkey_from_der_traditional_key(self, data, password):
-        mem_bio = self._bytes_to_bio(data)
-        key = self._lib.d2i_PrivateKey_bio(mem_bio.bio, self._ffi.NULL)
+    def _evp_pkey_from_der_traditional_key(self, bio_data, password):
+        key = self._lib.d2i_PrivateKey_bio(bio_data.bio, self._ffi.NULL)
         if key != self._ffi.NULL:
             key = self._ffi.gc(key, self._lib.EVP_PKEY_free)
             if password is not None:
@@ -736,11 +739,11 @@ class Backend(object):
             self._consume_errors()
             return None
 
-    def _evp_pkey_from_der_unencrypted_pkcs8(self, data, password):
-        mem_bio = self._bytes_to_bio(data)
+    def _evp_pkey_from_der_unencrypted_pkcs8(self, bio_data, password):
         info = self._lib.d2i_PKCS8_PRIV_KEY_INFO_bio(
-            mem_bio.bio, self._ffi.NULL
+            bio_data.bio, self._ffi.NULL
         )
+        info = self._ffi.gc(info, self._lib.PKCS8_PRIV_KEY_INFO_free)
         if info != self._ffi.NULL:
             key = self._lib.EVP_PKCS82PKEY(info)
             assert key != self._ffi.NULL
diff --git a/src/cryptography/hazmat/bindings/openssl/x509.py b/src/cryptography/hazmat/bindings/openssl/x509.py
index e30d23b7..585a2e90 100644
--- a/src/cryptography/hazmat/bindings/openssl/x509.py
+++ b/src/cryptography/hazmat/bindings/openssl/x509.py
@@ -229,6 +229,7 @@ int i2d_DSAPrivateKey_bio(BIO *, DSA *);
 
 PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_bio(BIO *,
                                                  PKCS8_PRIV_KEY_INFO **);
+void PKCS8_PRIV_KEY_INFO_free(PKCS8_PRIV_KEY_INFO *);
 """
 
 MACROS = """
-- 
cgit v1.2.3