From ab5200fbe054264ace68232327202ab155d2d71a Mon Sep 17 00:00:00 2001
From: eugene
Date: Thu, 8 Aug 2024 12:10:01 -0400
Subject: [PATCH 1/2] fix memory leaks in during enrollment

---
 includes/ziti/ziti.h                   | 3 ++-
 library/ziti_enroll.c                  | 15 ++++++++++++---
 programs/sample_enroll/sample_enroll.c | 3 ++-
 3 files changed, 16 insertions(+), 5 deletions(-)

diff --git a/includes/ziti/ziti.h b/includes/ziti/ziti.h
index 244381b9..b5bf6278 100644
--- a/includes/ziti/ziti.h
+++ b/includes/ziti/ziti.h
@@ -409,7 +409,8 @@ typedef void (*ziti_close_cb)(ziti_connection conn);
  * @return #ZITI_OK or corresponding #ZITI_ERRORS
  */
 ZITI_FUNC
-extern int ziti_enroll(ziti_enroll_opts *opts, uv_loop_t *loop, ziti_enroll_cb enroll_cb, void *enroll_ctx);
+extern int ziti_enroll(const ziti_enroll_opts *opts, uv_loop_t *loop,
+                       ziti_enroll_cb enroll_cb, void *enroll_ctx);
 
 /**
  * Provide app information to Ziti SDK.
diff --git a/library/ziti_enroll.c b/library/ziti_enroll.c
index 4d9c9de5..87a46ade 100644
--- a/library/ziti_enroll.c
+++ b/library/ziti_enroll.c
@@ -78,7 +78,8 @@ static int check_cert_required(enroll_cfg *ecfg) {
     return ZITI_OK;
 }
 
-int ziti_enroll(ziti_enroll_opts *opts, uv_loop_t *loop, ziti_enroll_cb enroll_cb, void *enroll_ctx) {
+int ziti_enroll(const ziti_enroll_opts *opts, uv_loop_t *loop,
+                ziti_enroll_cb enroll_cb, void *enroll_ctx) {
     uv_timeval64_t start_time;
     uv_gettimeofday(&start_time);
 
@@ -149,12 +150,14 @@ static void well_known_certs_cb(char *base64_encoded_pkcs7, const ziti_error *er
     ziti_err = ZITI_PKCS7_ASN1_PARSING_FAILED;
     TRY(TLS, enroll_req->ecfg->tls->parse_pkcs7_certs(
             &chain, base64_encoded_pkcs7, strlen(base64_encoded_pkcs7)));
+    free(base64_encoded_pkcs7);
 
     char *ca = NULL;
     size_t total_pem_len = 0;
     ziti_err = ZITI_INVALID_CONFIG;
     TRY(TLS, chain->to_pem(chain, 1, &ca, &total_pem_len));
+    chain->free(chain);
 
     ZITI_LOG(DEBUG, "CA PEM len = %zd", total_pem_len);
     ZITI_LOG(TRACE, "CA PEM:\n%s", ca);
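Review bot: The new `free(base64_encoded_pkcs7)` and `chain->free(chain)` are placed after the `TRY(TLS, ...)` calls, so if TRY diverts to an error label on failure (as setting `ziti_err` just before each call suggests), the parse-failure path still leaks the base64 buffer and the to_pem-failure path leaks the parsed chain. Releasing both from the function's single exit path, with `if (chain != NULL) chain->free(chain);` so the guard is safe before the chain exists, would cover success and failure alike. Freeing `base64_encoded_pkcs7` inside the callback also fixes ownership of that argument with the callback; a one-line comment at the signature, `/* callback takes ownership of base64_encoded_pkcs7 and must free it */`, would make that contract visible to the caller. well_known_certs_cb starts and ends outside this hunk, so the actual error-label layout cannot be checked here.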
@@ -248,6 +251,7 @@ static void well_known_certs_cb(char *base64_encoded_pkcs7, const ziti_error *er
             enroll_req->enroll_cb(NULL, ERR(ziti), err ? err->code : "enroll failed", enroll_req->ecfg->external_enroll_ctx);
         }
     }
+    free(enroll_req);
 }
 
 static void enroll_cb(ziti_enrollment_resp *er, const ziti_error *err, void *enroll_ctx) {
@@ -270,20 +274,25 @@ static void enroll_cb(ziti_enrollment_resp *er, const ziti_error *err, void *enr
         cfg.id.key = strdup(enroll_req->ecfg->private_key);
 
         tlsuv_certificate_t c = NULL;
-        if (er->cert != NULL && enroll_req->ecfg->tls->load_cert(&c, er->cert, strlen(er->cert)) == 0 &&
+        if (er->cert != NULL && enroll_req->ecfg->pk->store_certificate != NULL &&
+            enroll_req->ecfg->tls->load_cert(&c, er->cert, strlen(er->cert)) == 0 &&
             enroll_req->ecfg->pk->store_certificate(enroll_req->ecfg->pk, c) == 0) {
             ZITI_LOG(INFO, "stored certificate to PKCS#11 token");
         } else {
             cfg.id.cert = er->cert ? strdup(er->cert) : strdup(enroll_req->ecfg->own_cert);
         }
 
+        if (c != NULL) {
+            c->free(c);
+        }
+
         if (enroll_req->enroll_cb) {
             enroll_req->enroll_cb(&cfg, ZITI_OK, NULL, enroll_req->external_enroll_ctx);
         }
         free_ziti_config(&cfg);
     }
-
+    free_ziti_enrollment_resp_ptr(er);
     FREE(enroll_req);
 }
diff --git a/programs/sample_enroll/sample_enroll.c b/programs/sample_enroll/sample_enroll.c
index 3233b4cf..cd37c7a8 100644
--- a/programs/sample_enroll/sample_enroll.c
+++ b/programs/sample_enroll/sample_enroll.c
@@ -125,7 +125,7 @@ int main(int argc, char **argv) {
     }
     Ziti_lib_init();
 
-    char *cfg;
+    char *cfg = NULL;
     size_t len;
     int rc = Ziti_enroll_identity(jwt, key, cert, &cfg, &len);
     if (rc == ZITI_OK) {
@@ -140,5 +140,6 @@ int main(int argc, char **argv) {
     } else {
         printf("err = %d(%s)\n", rc, ziti_errorstr(rc));
     }
+    free(cfg);
     Ziti_lib_shutdown();
 }

From 443ab734913b15d015066b072b64de3d53d3b47e Mon Sep 17 00:00:00 2001
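Review bot: `free(enroll_req)` at the closing brace of well_known_certs_cb runs on every path that reaches the end of the function, while enroll_cb in the next hunk frees the same `enroll_req` with `FREE(enroll_req)` after receiving it as its context; if the success path that issues the enrollment request falls through to this line instead of returning, enroll_cb would later operate on freed memory and free it a second time. The function begins outside this hunk, so the structure of the preceding branches cannot be confirmed here. If the free is meant for the failure branch only, moving it inside that branch or returning before it on success would make the ownership explicit, with a comment such as `/* error path only: on success enroll_req is released in enroll_cb */` above it.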
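Review bot: `free_ziti_enrollment_resp_ptr(er)` is now reached on every exit of enroll_cb, including the error path where `er` is presumably NULL; unless that helper is known to be NULL-safe, guard it with `if (er != NULL) free_ziti_enrollment_resp_ptr(er);`. The new condition also dereferences `enroll_req->ecfg->pk` unconditionally; if `pk` can be NULL for a software-key enrollment, `enroll_req->ecfg->pk != NULL &&` belongs in front of the `store_certificate != NULL` test. Whether the token retains a reference to `c` after a successful `store_certificate` is not visible here, so the added `c->free(c)` assumes the store copies the certificate; a short comment stating that assumption would help the next reader.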
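Review bot: `size_t len;` on the line after the new `char *cfg = NULL;` stays uninitialized, so the failure path that motivated initializing `cfg` may still leave `len` indeterminate; `size_t len = 0;` keeps the two output variables consistent. The `free(cfg)` added in the next hunk of this file relies on `Ziti_enroll_identity` leaving `cfg` either NULL or heap-allocated on every return, which a comment at the declaration, `/* set by Ziti_enroll_identity on success; freed before shutdown */`, would record. main begins outside the hunk.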
From: eugene
Date: Thu, 8 Aug 2024 16:01:14 -0400
Subject: [PATCH 2/2] prefix keychain key name with `ziti://`

---
 library/ziti_enroll.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/library/ziti_enroll.c b/library/ziti_enroll.c
index 87a46ade..488ee89f 100644
--- a/library/ziti_enroll.c
+++ b/library/ziti_enroll.c
@@ -185,9 +185,9 @@ static void well_known_certs_cb(char *base64_encoded_pkcs7, const ziti_error *er
     tlsuv_parse_url(&url, enroll_req->ecfg->zej->controller);
 
     string_buf_t *keyname_buf = new_string_buf();
-    string_buf_fmt(keyname_buf, "keychain:%s@%.*s",
+    string_buf_fmt(keyname_buf, "keychain:ziti://%s@%.*s:%d",
                    enroll_req->ecfg->zej->subject,
-                   (int)url.hostname_len, url.hostname);
+                   (int)url.hostname_len, url.hostname, url.port);
     char *keyname_ref = string_buf_to_string(keyname_buf, NULL);
     delete_string_buf(keyname_buf);
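Review bot: The new key name appends `:%d` with `url.port`, but if `tlsuv_parse_url` leaves `port` at zero when the controller URL carries no explicit port, identities enrolled against such a controller get a `...:0` key name, and every existing keychain entry created under the old `keychain:%s@%.*s` format stops matching. The commit message mentions only the `ziti://` prefix, so the port suffix and its compatibility impact deserve a sentence there or a comment above the format call, e.g. `/* key name format changed: entries stored under the old scheme are not migrated */`. `zej->subject` from the enrollment JWT is embedded verbatim, so a `@` or `:` inside it would blur the structure of the key name; validating or escaping it before formatting would keep the lookup key unambiguous. well_known_certs_cb starts and ends outside this hunk.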