From efce4defdf31ce74d905ae4dd47c6a36df532854 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Trojnara?= <Michal.Trojnara@stunnel.org>
Date: Wed, 29 Aug 2018 23:05:05 +0200
Subject: [PATCH 09/23] Atfork checks for RSA and EC_KEY methods
---
src/p11_ec.c | 9 +++------
src/p11_pkey.c | 9 ++++-----
src/p11_rsa.c | 4 ++--
3 files changed, 9 insertions(+), 13 deletions(-)
diff --git a/src/p11_ec.c b/src/p11_ec.c
index eb0cbb2..1b58c01 100644
--- a/src/p11_ec.c
+++ b/src/p11_ec.c
@@ -394,7 +394,7 @@ static ECDSA_SIG *pkcs11_ecdsa_sign_sig(const unsigned char *dgst, int dlen,
(void)rp; /* Precomputed values are not used for PKCS#11 */
key = pkcs11_get_ex_data_ec(ec);
- if (key == NULL) {
+ if (check_key_fork(key) < 0) {
sign_sig_fn orig_sign_sig;
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
const EC_KEY_METHOD *meth = EC_KEY_OpenSSL();
@@ -406,7 +406,6 @@ static ECDSA_SIG *pkcs11_ecdsa_sign_sig(const unsigned char *dgst, int dlen,
#endif
return orig_sign_sig(dgst, dlen, kinv, rp, ec);
}
- /* TODO: Add an atfork check */
/* Truncate digest if its byte size is longer than needed */
order = BN_new();
@@ -580,9 +579,8 @@ static int pkcs11_ec_ckey(unsigned char **out, size_t *outlen,
int rv;
key = pkcs11_get_ex_data_ec(ecdh);
- if (key == NULL) /* The private key is not handled by PKCS#11 */
+ if (check_key_fork(key) < 0)
return ossl_ecdh_compute_key(out, outlen, peer_point, ecdh);
- /* TODO: Add an atfork check */
/* both peer and ecdh use same group parameters */
parms = pkcs11_ecdh_params_alloc(EC_KEY_get0_group(ecdh), peer_point);
@@ -622,9 +620,8 @@ static int pkcs11_ec_ckey(void *out, size_t outlen,
int rv;
key = pkcs11_get_ex_data_ec(ecdh);
- if (key == NULL) /* The private key is not handled by PKCS#11 */
+ if (check_key_fork(key) < 0)
return ossl_ecdh_compute_key(out, outlen, peer_point, ecdh, KDF);
- /* TODO: Add an atfork check */
/* both peer and ecdh use same group parameters */
parms = pkcs11_ecdh_params_alloc(EC_KEY_get0_group(ecdh), peer_point);
diff --git a/src/p11_pkey.c b/src/p11_pkey.c
index 0efcaa4..2ba23d9 100644
--- a/src/p11_pkey.c
+++ b/src/p11_pkey.c
@@ -309,7 +309,7 @@ static int pkcs11_try_pkey_rsa_sign(EVP_PKEY_CTX *evp_pkey_ctx,
if (rsa == NULL)
return -1;
key = pkcs11_get_ex_data_rsa(rsa);
- if (key == NULL)
+ if (check_key_fork(key) < 0)
return -1;
slot = KEY2SLOT(key);
ctx = KEY2CTX(key);
@@ -413,11 +413,10 @@ static int pkcs11_try_pkey_rsa_decrypt(EVP_PKEY_CTX *evp_pkey_ctx,
if (rsa == NULL)
return -1;
key = pkcs11_get_ex_data_rsa(rsa);
- if (key == NULL)
+ if (check_key_fork(key) < 0)
return -1;
-
- slot = KEY2SLOT(key);
- ctx = KEY2CTX(key);
+ slot = KEY2SLOT(key);
+ ctx = KEY2CTX(key);
kpriv = PRIVKEY(key);
spriv = PRIVSLOT(slot);
cpriv = PRIVCTX(ctx);
diff --git a/src/p11_rsa.c b/src/p11_rsa.c
index f69a8a6..6a519f9 100644
--- a/src/p11_rsa.c
+++ b/src/p11_rsa.c
@@ -355,7 +355,7 @@ static int pkcs11_rsa_priv_dec_method(int flen, const unsigned char *from,
PKCS11_KEY *key = pkcs11_get_ex_data_rsa(rsa);
int (*priv_dec) (int flen, const unsigned char *from,
unsigned char *to, RSA *rsa, int padding);
- if (key == NULL) {
+ if (check_key_fork(key) < 0) {
priv_dec = RSA_meth_get_priv_dec(RSA_get_default_method());
return priv_dec(flen, from, to, rsa, padding);
}
@@ -368,7 +368,7 @@ static int pkcs11_rsa_priv_enc_method(int flen, const unsigned char *from,
PKCS11_KEY *key = pkcs11_get_ex_data_rsa(rsa);
int (*priv_enc) (int flen, const unsigned char *from,
unsigned char *to, RSA *rsa, int padding);
- if (key == NULL) {
+ if (check_key_fork(key) < 0) {
priv_enc = RSA_meth_get_priv_enc(RSA_get_default_method());
return priv_enc(flen, from, to, rsa, padding);
}
--
2.17.1