Fix AcquireCredentialHandle parameter lifetime (#113540)

rzikm · web-flow · commit bdaad4218c5d · 2025-03-17T09:28:00.000+01:00
* Fix lifetime of data passed to native code during SslStream handshake on Windows.

* Remove unnecessary init

* Fix init
diff --git a/src/libraries/System.Net.Security/src/System/Net/Security/SslStreamPal.Windows.cs b/src/libraries/System.Net.Security/src/System/Net/Security/SslStreamPal.Windows.cs
@@ -353,10 +353,11 @@ public static unsafe SafeFreeCredentials AcquireCredentialsHandleSchannelCred(Ss
                 secureCredential.dwSessionLifespan = -1;
             }
 
+            Interop.Crypt32.CERT_CONTEXT* certificateHandle;
             if (certificate != null)
             {
                 secureCredential.cCreds = 1;
-                Interop.Crypt32.CERT_CONTEXT* certificateHandle = (Interop.Crypt32.CERT_CONTEXT*)certificate.Handle;
+                certificateHandle = (Interop.Crypt32.CERT_CONTEXT*)certificate.Handle;
                 secureCredential.paCred = &certificateHandle;
             }
 
@@ -434,19 +435,21 @@ public static unsafe SafeFreeCredentials AcquireCredentialsHandleSchCredentials(
                 credential.dwSessionLifespan = -1;
             }
 
+            Interop.Crypt32.CERT_CONTEXT* certificateHandle;
             if (certificate != null)
             {
                 credential.cCreds = 1;
-                Interop.Crypt32.CERT_CONTEXT* certificateHandle = (Interop.Crypt32.CERT_CONTEXT*)certificate.Handle;
+                certificateHandle = (Interop.Crypt32.CERT_CONTEXT*)certificate.Handle;
                 credential.paCred = &certificateHandle;
             }
 
             if (NetEventSource.Log.IsEnabled()) NetEventSource.Info($"flags=({flags}), ProtocolFlags=({protocolFlags}), EncryptionPolicy={policy}");
 
+            Interop.SspiCli.TLS_PARAMETERS tlsParameters;
             if (protocolFlags != 0)
             {
                 // If we were asked to do specific protocol we need to fill TLS_PARAMETERS.
-                Interop.SspiCli.TLS_PARAMETERS tlsParameters = default;
+                tlsParameters = default;
                 tlsParameters.grbitDisabledProtocols = (uint)protocolFlags ^ uint.MaxValue;
 
                 credential.cTlsParameters = 1;

Original file line number	Diff line number	Diff line change
`@@ -353,10 +353,11 @@ public static unsafe SafeFreeCredentials AcquireCredentialsHandleSchannelCred(Ss`
`353`	`353`	`secureCredential.dwSessionLifespan = -1;`
`354`	`354`	`}`
`355`	`355`
	`356`	`+ Interop.Crypt32.CERT_CONTEXT* certificateHandle;`
`356`	`357`	`if (certificate != null)`
`357`	`358`	`{`
`358`	`359`	`secureCredential.cCreds = 1;`
`359`		`- Interop.Crypt32.CERT_CONTEXT* certificateHandle = (Interop.Crypt32.CERT_CONTEXT*)certificate.Handle;`
	`360`	`+ certificateHandle = (Interop.Crypt32.CERT_CONTEXT*)certificate.Handle;`
`360`	`361`	`secureCredential.paCred = &certificateHandle;`
`361`	`362`	`}`
`362`	`363`
`@@ -434,19 +435,21 @@ public static unsafe SafeFreeCredentials AcquireCredentialsHandleSchCredentials(`
`434`	`435`	`credential.dwSessionLifespan = -1;`
`435`	`436`	`}`
`436`	`437`
	`438`	`+ Interop.Crypt32.CERT_CONTEXT* certificateHandle;`
`437`	`439`	`if (certificate != null)`
`438`	`440`	`{`
`439`	`441`	`credential.cCreds = 1;`
`440`		`- Interop.Crypt32.CERT_CONTEXT* certificateHandle = (Interop.Crypt32.CERT_CONTEXT*)certificate.Handle;`
	`442`	`+ certificateHandle = (Interop.Crypt32.CERT_CONTEXT*)certificate.Handle;`
`441`	`443`	`credential.paCred = &certificateHandle;`
`442`	`444`	`}`
`443`	`445`
`444`	`446`	`if (NetEventSource.Log.IsEnabled()) NetEventSource.Info($"flags=({flags}), ProtocolFlags=({protocolFlags}), EncryptionPolicy={policy}");`
`445`	`447`
	`448`	`+ Interop.SspiCli.TLS_PARAMETERS tlsParameters;`
`446`	`449`	`if (protocolFlags != 0)`
`447`	`450`	`{`
`448`	`451`	`// If we were asked to do specific protocol we need to fill TLS_PARAMETERS.`
`449`		`- Interop.SspiCli.TLS_PARAMETERS tlsParameters = default;`
	`452`	`+ tlsParameters = default;`
`450`	`453`	`tlsParameters.grbitDisabledProtocols = (uint)protocolFlags ^ uint.MaxValue;`
`451`	`454`
`452`	`455`	`credential.cTlsParameters = 1;`