crypto: refcnt struct secret_pubkey_stuff when passing to helper thread

Resolves: RHEL-68047 Signed-off-by: Daiki Ueno <dueno@redhat.com>
2024-11-22 16:19:26 +09:00 · 2024-11-22 16:19:26 +09:00 · 03ecdb3b2a
commit 03ecdb3b2a
parent e7c228512b
2 changed files with 598 additions and 1 deletions
--- a/libreswan-4.15-rereadsecrets.patch
+++ b/libreswan-4.15-rereadsecrets.patch
@ -0,0 +1,593 @@
+From 7ed158f258e544854e793fa6bd02e86d008f1b92 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <dueno@redhat.com>
+Date: Sat, 23 Nov 2024 10:18:03 +0900
+Subject: [PATCH 1/2] secrets: allocate secret_pubkey_stuff separately from
+ heap
+
+Signed-off-by: Daiki Ueno <dueno@redhat.com>
+---
+ include/secrets.h                             |  2 +-
+ lib/libswan/pubkey_ecdsa.c                    | 12 +++----
+ lib/libswan/pubkey_rsa.c                      | 18 +++++------
+ .../secret_pubkey_stuff_to_pubkey_der.c       |  2 +-
+ lib/libswan/secrets.c                         | 32 ++++++++++---------
+ programs/pluto/ikev2_eap.c                    |  2 +-
+ programs/pluto/keys.c                         |  6 ++--
+ programs/showhostkey/showhostkey.c            | 31 ++++++++++--------
+ 8 files changed, 55 insertions(+), 50 deletions(-)
+
+diff --git a/include/secrets.h b/include/secrets.h
+index 971f559da7..38906bf6ba 100644
+--- a/include/secrets.h
+++ b/include/secrets.h
+@@ -88,7 +88,7 @@ struct secret_stuff {
+ 	int line;
+ 	union {
+ 		chunk_t preshared_secret;
+-		struct secret_pubkey_stuff pubkey;
+		struct secret_pubkey_stuff *pubkey;
+ 	} u;
+ 
+ 	chunk_t ppk;
+diff --git a/lib/libswan/pubkey_ecdsa.c b/lib/libswan/pubkey_ecdsa.c
+index 29af07f380..17f39fbbc1 100644
+--- a/lib/libswan/pubkey_ecdsa.c
+++ b/lib/libswan/pubkey_ecdsa.c
+@@ -287,7 +287,7 @@ static struct hash_signature ECDSA_raw_sign_hash(const struct secret_stuff *pks,
+ {
+ 	DBGF(DBG_CRYPT, "%s: started using NSS", __func__);
+ 
+-	if (!pexpect(pks->u.pubkey.private_key != NULL)) {
+	if (!pexpect(pks->u.pubkey->private_key != NULL)) {
+ 		dbg("no private key!");
+ 		return (struct hash_signature) { .len = 0, };
+ 	}
+@@ -304,14 +304,14 @@ static struct hash_signature ECDSA_raw_sign_hash(const struct secret_stuff *pks,
+ 	struct hash_signature signature = {0};
+ 	SECItem raw_signature = {
+ 		.type = siBuffer,
+-		.len = PK11_SignatureLen(pks->u.pubkey.private_key),
+		.len = PK11_SignatureLen(pks->u.pubkey->private_key),
+ 		.data = signature.ptr/*array*/,
+ 	};
+ 	passert(raw_signature.len <= sizeof(signature.ptr/*array*/));
+ 	dbg("ECDSA signature.len %d", raw_signature.len);
+ 
+ 	/* create the raw signature */
+-	SECStatus s = PK11_Sign(pks->u.pubkey.private_key, &raw_signature, &hash_to_sign);
+	SECStatus s = PK11_Sign(pks->u.pubkey->private_key, &raw_signature, &hash_to_sign);
+ 	if (DBGP(DBG_CRYPT)) {
+ 		DBG_dump("PK11_Sign()", raw_signature.data, raw_signature.len);
+ 	}
+@@ -407,7 +407,7 @@ static struct hash_signature ECDSA_digsig_sign_hash(const struct secret_stuff *p
+ 						    struct logger *logger)
+ {
+ 
+-	if (!pexpect(pks->u.pubkey.private_key != NULL)) {
+	if (!pexpect(pks->u.pubkey->private_key != NULL)) {
+ 		dbg("no private key!");
+ 		return (struct hash_signature) { .len = 0, };
+ 	}
+@@ -425,14 +425,14 @@ static struct hash_signature ECDSA_digsig_sign_hash(const struct secret_stuff *p
+ 	uint8_t raw_signature_data[sizeof(struct hash_signature)];
+ 	SECItem raw_signature = {
+ 		.type = siBuffer,
+-		.len = PK11_SignatureLen(pks->u.pubkey.private_key),
+		.len = PK11_SignatureLen(pks->u.pubkey->private_key),
+ 		.data = raw_signature_data,
+ 	};
+ 	passert(raw_signature.len <= sizeof(raw_signature_data));
+ 	dbg("ECDSA signature.len %d", raw_signature.len);
+ 
+ 	/* create the raw signature */
+-	SECStatus s = PK11_Sign(pks->u.pubkey.private_key, &raw_signature, &hash_to_sign);
+	SECStatus s = PK11_Sign(pks->u.pubkey->private_key, &raw_signature, &hash_to_sign);
+ 	if (DBGP(DBG_CRYPT)) {
+ 		DBG_dump("sig_from_nss", raw_signature.data, raw_signature.len);
+ 	}
+diff --git a/lib/libswan/pubkey_rsa.c b/lib/libswan/pubkey_rsa.c
+index 38b44ab61d..be8935c38c 100644
+--- a/lib/libswan/pubkey_rsa.c
+++ b/lib/libswan/pubkey_rsa.c
+@@ -350,7 +350,7 @@ static struct hash_signature RSA_sign_hash_raw_rsa(const struct secret_stuff *pk
+ 		return (struct hash_signature) { .len = 0, };
+ 	}
+ 
+-	if (!pexpect(pks->u.pubkey.private_key != NULL)) {
+	if (!pexpect(pks->u.pubkey->private_key != NULL)) {
+ 		dbg("no private key!");
+ 		return (struct hash_signature) { .len = 0, };
+ 	}
+@@ -361,7 +361,7 @@ static struct hash_signature RSA_sign_hash_raw_rsa(const struct secret_stuff *pk
+ 		.data = DISCARD_CONST(uint8_t *, hash_val),
+ 	};
+ 
+-	struct hash_signature sig = { .len = PK11_SignatureLen(pks->u.pubkey.private_key), };
+	struct hash_signature sig = { .len = PK11_SignatureLen(pks->u.pubkey->private_key), };
+ 	passert(sig.len <= sizeof(sig.ptr/*array*/));
+ 	SECItem signature = {
+ 		.type = siBuffer,
+@@ -369,7 +369,7 @@ static struct hash_signature RSA_sign_hash_raw_rsa(const struct secret_stuff *pk
+ 		.data = sig.ptr,
+ 	};
+ 
+-	SECStatus s = PK11_Sign(pks->u.pubkey.private_key, &signature, &data);
+	SECStatus s = PK11_Sign(pks->u.pubkey->private_key, &signature, &data);
+ 	if (s != SECSuccess) {
+ 		/* PR_GetError() returns the thread-local error */
+ 		llog_nss_error(RC_LOG_SERIOUS, logger,
+@@ -485,7 +485,7 @@ static struct hash_signature RSA_sign_hash_pkcs1_1_5_rsa(const struct secret_stu
+ {
+ 	dbg("%s: started using NSS", __func__);
+ 
+-	if (!pexpect(pks->u.pubkey.private_key != NULL)) {
+	if (!pexpect(pks->u.pubkey->private_key != NULL)) {
+ 		dbg("no private key!");
+ 		return (struct hash_signature) { .len = 0, };
+ 	}
+@@ -501,7 +501,7 @@ static struct hash_signature RSA_sign_hash_pkcs1_1_5_rsa(const struct secret_stu
+ 	 * used to generate the signature.
+ 	 */
+ 	SECItem signature_result = {0};
+-	SECStatus s = SGN_Digest(pks->u.pubkey.private_key,
+	SECStatus s = SGN_Digest(pks->u.pubkey->private_key,
+ 				 hash_algo->nss.oid_tag,
+ 				 &signature_result, &digest);
+ 	if (s != SECSuccess) {
+@@ -516,7 +516,7 @@ static struct hash_signature RSA_sign_hash_pkcs1_1_5_rsa(const struct secret_stu
+ 	/* save the signature, free the returned pointer */
+ 
+ 	struct hash_signature signature = {
+-		.len = PK11_SignatureLen(pks->u.pubkey.private_key),
+		.len = PK11_SignatureLen(pks->u.pubkey->private_key),
+ 	};
+ 	passert(signature.len <= sizeof(signature.ptr/*array*/));
+ 	memcpy(signature.ptr, signature_result.data, signature.len);
+@@ -629,7 +629,7 @@ static struct hash_signature RSA_sign_hash_rsassa_pss(const struct secret_stuff
+ {
+ 	dbg("%s: started using NSS", __func__);
+ 
+-	if (!pexpect(pks->u.pubkey.private_key != NULL)) {
+	if (!pexpect(pks->u.pubkey->private_key != NULL)) {
+ 		dbg("no private key!");
+ 		return (struct hash_signature) { .len = 0, };
+ 	}
+@@ -640,7 +640,7 @@ static struct hash_signature RSA_sign_hash_rsassa_pss(const struct secret_stuff
+ 		.data = DISCARD_CONST(uint8_t *, hash_val),
+ 	};
+ 
+-	struct hash_signature sig = { .len = PK11_SignatureLen(pks->u.pubkey.private_key), };
+	struct hash_signature sig = { .len = PK11_SignatureLen(pks->u.pubkey->private_key), };
+ 	passert(sig.len <= sizeof(sig.ptr/*array*/));
+ 	SECItem signature = {
+ 		.type = siBuffer,
+@@ -661,7 +661,7 @@ static struct hash_signature RSA_sign_hash_rsassa_pss(const struct secret_stuff
+ 		.data = (void*)mech, /* strip const */
+ 		.len = sizeof(*mech),
+ 	};
+-	SECStatus s = PK11_SignWithMechanism(pks->u.pubkey.private_key, CKM_RSA_PKCS_PSS,
+	SECStatus s = PK11_SignWithMechanism(pks->u.pubkey->private_key, CKM_RSA_PKCS_PSS,
+ 					     &mech_item, &signature, &data);
+ 	if (s != SECSuccess) {
+ 		/* PR_GetError() returns the thread-local error */
+diff --git a/lib/libswan/secret_pubkey_stuff_to_pubkey_der.c b/lib/libswan/secret_pubkey_stuff_to_pubkey_der.c
+index 1b5de6917e..3f28cbd765 100644
+--- a/lib/libswan/secret_pubkey_stuff_to_pubkey_der.c
+++ b/lib/libswan/secret_pubkey_stuff_to_pubkey_der.c
+@@ -32,7 +32,7 @@ static diag_t seckey_pubkey_to_der(SECKEYPublicKey *seckey_pubkey, chunk_t *der)
+ 
+ diag_t secret_pubkey_stuff_to_pubkey_der(struct secret_stuff *pks, chunk_t *der)
+ {
+-	SECKEYPublicKey *seckey_pubkey = SECKEY_ConvertToPublicKey(pks->u.pubkey.private_key);
+	SECKEYPublicKey *seckey_pubkey = SECKEY_ConvertToPublicKey(pks->u.pubkey->private_key);
+ 	if (seckey_pubkey == NULL) {
+ 		return diag_nss_error("extracting Public Key from Private Key");
+ 	}
+diff --git a/lib/libswan/secrets.c b/lib/libswan/secrets.c
+index 44578efbe5..6becebe8e8 100644
+--- a/lib/libswan/secrets.c
+++ b/lib/libswan/secrets.c
+@@ -185,7 +185,7 @@ const ckaid_t *secret_ckaid(const struct secret *secret)
+ 	case SECRET_RSA:
+ 	case SECRET_ECDSA:
+ 		/* some sort of PKI */
+-		return &secret->stuff.u.pubkey.content.ckaid;
+		return &secret->stuff.u.pubkey->content.ckaid;
+ 	default:
+ 		return NULL;
+ 	}
+@@ -197,7 +197,7 @@ const keyid_t *secret_keyid(const struct secret *secret)
+ 	case SECRET_RSA:
+ 	case SECRET_ECDSA:
+ 		/* some sort of PKI */
+-		return &secret->stuff.u.pubkey.content.keyid;
+		return &secret->stuff.u.pubkey->content.keyid;
+ 	default:
+ 		return NULL;
+ 	}
+@@ -239,12 +239,12 @@ static struct secret *find_secret_by_pubkey_ckaid_1(struct secret *secrets,
+ 			dbg("  not PKI");
+ 			continue;
+ 		}
+-		if (type != NULL && pks->u.pubkey.content.type != type) {
+		if (type != NULL && pks->u.pubkey->content.type != type) {
+ 			/* need exact or wildcard */
+ 			dbg("  not %s", type->name);
+ 			continue;
+ 		}
+-		if (!ckaid_eq_nss(&pks->u.pubkey.content.ckaid, pubkey_ckaid)) {
+		if (!ckaid_eq_nss(&pks->u.pubkey->content.ckaid, pubkey_ckaid)) {
+ 			dbg("  wrong ckaid");
+ 			continue;
+ 		}
+@@ -274,12 +274,12 @@ bool secret_pubkey_same(struct secret *lhs, struct secret *rhs)
+ 		return false;
+ 	}
+ 
+-	if (lhs->stuff.u.pubkey.content.type != rhs->stuff.u.pubkey.content.type) {
+	if (lhs->stuff.u.pubkey->content.type != rhs->stuff.u.pubkey->content.type) {
+ 		return false;
+ 	}
+ 
+-	return lhs->stuff.u.pubkey.content.type->pubkey_same(&lhs->stuff.u.pubkey.content,
+-							    &rhs->stuff.u.pubkey.content);
+	return lhs->stuff.u.pubkey->content.type->pubkey_same(&lhs->stuff.u.pubkey->content,
+							    &rhs->stuff.u.pubkey->content);
+ }
+ 
+ struct secret *lsw_find_secret_by_id(struct secret *secrets,
+@@ -965,8 +965,9 @@ void lsw_free_preshared_secrets(struct secret **psecrets, struct logger *logger)
+ 			case SECRET_RSA:
+ 			case SECRET_ECDSA:
+ 				/* Note: pub is all there is */
+-				SECKEY_DestroyPrivateKey(s->stuff.u.pubkey.private_key);
+-				s->stuff.u.pubkey.content.type->free_pubkey_content(&s->stuff.u.pubkey.content);
+				SECKEY_DestroyPrivateKey(s->stuff.u.pubkey->private_key);
+				s->stuff.u.pubkey->content.type->free_pubkey_content(&s->stuff.u.pubkey->content);
+				pfree(s->stuff.u.pubkey);
+ 				break;
+ 			default:
+ 				bad_case(s->stuff.kind);
+@@ -1193,19 +1194,20 @@ static err_t add_private_key(struct secret **secrets, const struct secret_stuff
+ 	s->stuff.kind = type->private_key_kind;
+ 	s->stuff.line = 0;
+ 	/* make an unpacked copy of the private key */
+-	s->stuff.u.pubkey.private_key = copy_private_key(private_key);
+-	err_t err = type->extract_pubkey_content(&s->stuff.u.pubkey.content,
+	s->stuff.u.pubkey = alloc_thing(struct secret_pubkey_stuff, "secret_pubkey_stuff");
+	s->stuff.u.pubkey->private_key = copy_private_key(private_key);
+	err_t err = type->extract_pubkey_content(&s->stuff.u.pubkey->content,
+ 						 pubk, ckaid_nss);
+ 	if (err != NULL) {
+ 		/* extract should leave pubkey_content clean */
+-		SECKEY_DestroyPrivateKey(s->stuff.u.pubkey.private_key); /* allocated above */
+		SECKEY_DestroyPrivateKey(s->stuff.u.pubkey->private_key); /* allocated above */
+ 		pfree(s);
+ 		return err;
+ 	}
+ 
+-	passert(s->stuff.u.pubkey.content.type == type);
+-	pexpect(s->stuff.u.pubkey.content.ckaid.len > 0);
+-	pexpect(s->stuff.u.pubkey.content.keyid.keyid[0] != '\0');
+	passert(s->stuff.u.pubkey->content.type == type);
+	pexpect(s->stuff.u.pubkey->content.ckaid.len > 0);
+	pexpect(s->stuff.u.pubkey->content.keyid.keyid[0] != '\0');
+ 
+ 	add_secret(secrets, s, "lsw_add_rsa_secret");
+ 	*pks = &s->stuff;
+diff --git a/programs/pluto/ikev2_eap.c b/programs/pluto/ikev2_eap.c
+index d7f0b1d527..fe4c6e2e8c 100644
+--- a/programs/pluto/ikev2_eap.c
+++ b/programs/pluto/ikev2_eap.c
+@@ -264,7 +264,7 @@ static bool start_eap(struct ike_sa *ike, struct pbs_out *pbs)
+ 	    SSL_OptionSet(pr, SSL_ENABLE_SSL3, PR_FALSE) != SECSuccess ||
+ 	    SSL_BadCertHook(pr, eaptls_bad_cert_cb, eap) != SECSuccess ||
+ 	    SSL_HandshakeCallback(pr, eaptls_handshake_cb, eap) != SECSuccess ||
+-	    SSL_ConfigServerCert(pr, mycert->nss_cert, pks->u.pubkey.private_key, 0, 0) != SECSuccess) {
+	    SSL_ConfigServerCert(pr, mycert->nss_cert, pks->u.pubkey->private_key, 0, 0) != SECSuccess) {
+ 		llog_nss_error(RC_LOG, logger, "Failed to start configure TLS options");
+ 		return false;
+ 	}
+diff --git a/programs/pluto/keys.c b/programs/pluto/keys.c
+index 81e506556a..37f2408ae3 100644
+--- a/programs/pluto/keys.c
+++ b/programs/pluto/keys.c
+@@ -609,7 +609,7 @@ const struct secret_stuff *get_local_private_key(const struct connection *c,
+ 		 * etc) then best will end up as NULL
+ 		 */
+ 		pexpect(pks->kind == type->private_key_kind);
+-		pexpect(pks->u.pubkey.content.type == type);
+		pexpect(pks->u.pubkey->content.type == type);
+ 		dbg("connection %s's %s private key found in NSS DB using cert",
+ 		    c->name, type->name);
+ 		return pks;
+@@ -657,7 +657,7 @@ const struct secret_stuff *get_local_private_key(const struct connection *c,
+ 		 * etc) then best will end up as NULL
+ 		 */
+ 		pexpect(pks->kind == type->private_key_kind);
+-		pexpect(pks->u.pubkey.content.type == type);
+		pexpect(pks->u.pubkey->content.type == type);
+ 		dbg("connection %s's %s private key found in NSS DB using CKAID",
+ 		    c->name, type->name);
+ 		return pks;
+@@ -676,7 +676,7 @@ const struct secret_stuff *get_local_private_key(const struct connection *c,
+ 	passert(pks != NULL);
+ 
+ 	pexpect(pks->kind == type->private_key_kind);
+-	pexpect(pks->u.pubkey.content.type == type);
+	pexpect(pks->u.pubkey->content.type == type);
+ 	dbg("connection %s's %s private key found",
+ 	    c->name, type->name);
+ 	return pks;
+diff --git a/programs/showhostkey/showhostkey.c b/programs/showhostkey/showhostkey.c
+index 8f40b67a62..d873177068 100644
+--- a/programs/showhostkey/showhostkey.c
+++ b/programs/showhostkey/showhostkey.c
+@@ -172,14 +172,14 @@ static void print(struct secret_stuff *pks,
+ 	case SECRET_RSA:
+ 	case SECRET_ECDSA:
+ 	{
+-		printf("%s", pks->u.pubkey.content.type->name);
+-		keyid_t keyid = pks->u.pubkey.content.keyid;
+		printf("%s", pks->u.pubkey->content.type->name);
+		keyid_t keyid = pks->u.pubkey->content.keyid;
+ 		printf(" keyid: %s", str_keyid(keyid)[0] ? str_keyid(keyid) : "<missing-pubkey>");
+ 		if (id) {
+ 			printf(" id: %s", idb);
+ 		}
+ 		ckaid_buf cb;
+-		const ckaid_t *ckaid = &pks->u.pubkey.content.ckaid;
+		const ckaid_t *ckaid = &pks->u.pubkey->content.ckaid;
+ 		printf(" ckaid: %s\n", str_ckaid(ckaid, &cb));
+ 		break;
+ 	}
+@@ -237,7 +237,7 @@ static int pick_by_rsaid(struct secret *secret UNUSED,
+ {
+ 	char *rsaid = (char *)uservoid;
+ 
+-	if (pks->kind == SECRET_RSA && streq(pks->u.pubkey.content.keyid.keyid, rsaid)) {
+	if (pks->kind == SECRET_RSA && streq(pks->u.pubkey->content.keyid.keyid, rsaid)) {
+ 		/* stop */
+ 		return 0;
+ 	} else {
+@@ -254,7 +254,7 @@ static int pick_by_ckaid(struct secret *secret UNUSED,
+ 	switch (pks->kind) {
+ 	case SECRET_RSA:
+ 	case SECRET_ECDSA:
+-		if (ckaid_starts_with(&pks->u.pubkey.content.ckaid, start)) {
+		if (ckaid_starts_with(&pks->u.pubkey->content.ckaid, start)) {
+ 			/* stop */
+ 			return 0;
+ 		}
+@@ -283,7 +283,7 @@ static char *base64_ipseckey_rdata_from_pubkey_secret(struct secret_stuff *pks,
+ 						      enum ipseckey_algorithm_type *ipseckey_algorithm)
+ {
+ 	chunk_t ipseckey_pubkey = empty_chunk; /* must free */
+-	err_t e = pks->u.pubkey.content.type->pubkey_content_to_ipseckey_rdata(&pks->u.pubkey.content,
+	err_t e = pks->u.pubkey->content.type->pubkey_content_to_ipseckey_rdata(&pks->u.pubkey->content,
+ 									       &ipseckey_pubkey,
+ 									       ipseckey_algorithm);
+ 	if (e != NULL) {
+@@ -390,7 +390,7 @@ static int show_leftright(struct secret_stuff *pks,
+ 	}
+ 	}
+ 
+-	passert(pks->u.pubkey.content.type != NULL);
+	passert(pks->u.pubkey->content.type != NULL);
+ 
+ 	char *base64 = NULL;
+ 	if (pubkey_flg) {
+@@ -408,11 +408,11 @@ static int show_leftright(struct secret_stuff *pks,
+ 	} else {
+ 		switch (pks->kind) {
+ 		case SECRET_RSA:
+-			printf("\t# rsakey %s\n", pks->u.pubkey.content.keyid.keyid);
+			printf("\t# rsakey %s\n", pks->u.pubkey->content.keyid.keyid);
+ 			printf("\t%srsasigkey=0s", side);
+ 			break;
+ 		case SECRET_ECDSA:
+-			printf("\t# ecdsakey %s\n", pks->u.pubkey.content.keyid.keyid);
+			printf("\t# ecdsakey %s\n", pks->u.pubkey->content.keyid.keyid);
+ 			printf("\t%secdsakey=0s", side);
+ 			break;
+ 		default:
+@@ -481,14 +481,17 @@ static struct secret_stuff *foreach_nss_private_key(secret_eval func,
+ 			continue;
+ 		}
+ 
+		struct secret_pubkey_stuff pubkey = {
+			.private_key = SECKEY_CopyPrivateKey(private_key), /* add reference */
+		};
+		type->extract_pubkey_content(&pubkey.content, pubk, ckaid_nss);
+
+ 		struct secret_stuff pks = {
+ 			.kind = type->private_key_kind,
+ 			.line = 0,
+-			.u.pubkey.private_key = SECKEY_CopyPrivateKey(private_key), /* add reference */
+			.u.pubkey = &pubkey,
+ 		};
+ 
+-		type->extract_pubkey_content(&pks.u.pubkey.content, pubk, ckaid_nss);
+-
+ 		/*
+ 		 * Only count private keys that get processed.
+ 		 */
+@@ -513,8 +516,8 @@ static struct secret_stuff *foreach_nss_private_key(secret_eval func,
+ 			break;
+ 		}
+ 
+-		SECKEY_DestroyPrivateKey(pks.u.pubkey.private_key); /* destory reference */
+-		type->free_pubkey_content(&pks.u.pubkey.content);
+		SECKEY_DestroyPrivateKey(pks.u.pubkey->private_key); /* destory reference */
+		type->free_pubkey_content(&pks.u.pubkey->content);
+ 
+ 		if (ret < 0) {
+ 			break;
+-- 
+2.47.0
+
+
+From 8f0fc5ccf7f770e027f8266f7f825a24f88f150e Mon Sep 17 00:00:00 2001
+From: Andrew Cagney <cagney@gnu.org>
+Date: Fri, 8 Nov 2024 17:45:53 -0500
+Subject: [PATCH 2/2] crypto: refcnt struct secret_pubkey_stuff when passing to
+ helper thread
+
+fix problem where a thread was trying to use a key when which
+was being deleted by reloadsecrets.
+
+close #1894 Segmentation fault in PK11_SignatureLen (key=0xa5a5a5a5a5a5a5a5)
+
+Modified-by: Daiki Ueno <dueno@redhat.com>
+---
+ include/secrets.h                  |  4 ++++
+ lib/libswan/secrets.c              | 26 +++++++++++++++++++++-----
+ programs/pluto/ikev2_auth_helper.c | 27 ++++++++++++++++++---------
+ 3 files changed, 43 insertions(+), 14 deletions(-)
+
+diff --git a/include/secrets.h b/include/secrets.h
+index 38906bf6ba..b64e9091ca 100644
+--- a/include/secrets.h
+++ b/include/secrets.h
+@@ -74,10 +74,14 @@ enum secret_kind {
+ };
+ 
+ struct secret_pubkey_stuff {
+	struct refcnt refcnt;
+ 	SECKEYPrivateKey *private_key;
+ 	struct pubkey_content content;
+ };
+ 
+struct secret_pubkey_stuff *secret_pubkey_stuff_addref(struct secret_pubkey_stuff *, where_t where);
+void secret_pubkey_stuff_delref(struct secret_pubkey_stuff **, where_t where);
+
+ struct secret_stuff {
+ 	enum secret_kind kind;
+ 	/*
+diff --git a/lib/libswan/secrets.c b/lib/libswan/secrets.c
+index 6becebe8e8..5c725c5734 100644
+--- a/lib/libswan/secrets.c
+++ b/lib/libswan/secrets.c
+@@ -964,10 +964,7 @@ void lsw_free_preshared_secrets(struct secret **psecrets, struct logger *logger)
+ 				break;
+ 			case SECRET_RSA:
+ 			case SECRET_ECDSA:
+-				/* Note: pub is all there is */
+-				SECKEY_DestroyPrivateKey(s->stuff.u.pubkey->private_key);
+-				s->stuff.u.pubkey->content.type->free_pubkey_content(&s->stuff.u.pubkey->content);
+-				pfree(s->stuff.u.pubkey);
+				secret_pubkey_stuff_delref(&s->stuff.u.pubkey, HERE);
+ 				break;
+ 			default:
+ 				bad_case(s->stuff.kind);
+@@ -1186,6 +1183,25 @@ static const struct pubkey_type *private_key_type_nss(SECKEYPrivateKey *private_
+ 	}
+ }
+ 
+struct secret_pubkey_stuff *secret_pubkey_stuff_addref(struct secret_pubkey_stuff *pks,
+						       where_t where)
+{
+	return addref_where(pks, where);
+}
+
+static void free_secret_pubkey_stuff(void *obj, where_t where UNUSED)
+{
+	struct secret_pubkey_stuff *pks = obj;
+	SECKEY_DestroyPrivateKey(pks->private_key);
+	pks->content.type->free_pubkey_content(&pks->content);
+	pfree(pks);
+}
+
+void secret_pubkey_stuff_delref(struct secret_pubkey_stuff **pks, where_t where)
+{
+	delref_where(pks, where)
+}
+
+ static err_t add_private_key(struct secret **secrets, const struct secret_stuff **pks,
+ 			     SECKEYPublicKey *pubk, SECItem *ckaid_nss,
+ 			     const struct pubkey_type *type, SECKEYPrivateKey *private_key)
+@@ -1194,7 +1210,7 @@ static err_t add_private_key(struct secret **secrets, const struct secret_stuff
+ 	s->stuff.kind = type->private_key_kind;
+ 	s->stuff.line = 0;
+ 	/* make an unpacked copy of the private key */
+-	s->stuff.u.pubkey = alloc_thing(struct secret_pubkey_stuff, "secret_pubkey_stuff");
+	s->stuff.u.pubkey = refcnt_alloc(struct secret_pubkey_stuff, free_secret_pubkey_stuff, HERE);
+ 	s->stuff.u.pubkey->private_key = copy_private_key(private_key);
+ 	err_t err = type->extract_pubkey_content(&s->stuff.u.pubkey->content,
+ 						 pubk, ckaid_nss);
+diff --git a/programs/pluto/ikev2_auth_helper.c b/programs/pluto/ikev2_auth_helper.c
+index 388f57c611..08edf412ee 100644
+--- a/programs/pluto/ikev2_auth_helper.c
+++ b/programs/pluto/ikev2_auth_helper.c
+@@ -38,7 +38,7 @@ struct task {
+ 	const struct crypt_mac hash_to_sign;
+ 	const struct hash_desc *hash_algo;
+ 	v2_auth_signature_cb *cb;
+-	const struct secret_stuff *pks;
+	struct secret_pubkey_stuff *pks;
+ 	const struct pubkey_signer *signer;
+ 	/* out */
+ 	struct hash_signature signature;
+@@ -63,19 +63,21 @@ bool submit_v2_auth_signature(struct ike_sa *ike,
+ 			      where_t where)
+ {
+ 	const struct connection *c = ike->sa.st_connection;
+	const struct secret_stuff *s = get_local_private_key(c, signer->type,
+							     ike->sa.st_logger);
+	if (s == NULL) {
+		/* failure: no key to use */
+		return false;
+	}
+
+ 	struct task task = {
+ 		.cb = cb,
+ 		.hash_algo = hash_algo,
+ 		.hash_to_sign = *hash_to_sign,
+ 		.signer = signer,
+-		.pks = get_local_private_key(c, signer->type,
+-					     ike->sa.st_logger),
+		.pks = secret_pubkey_stuff_addref(s->u.pubkey, HERE),
+ 	};
+ 
+-	if (task.pks == NULL)
+-		/* failure: no key to use */
+-		return false;
+-
+ 	submit_task(ike->sa.st_logger, &ike->sa /*state to resume*/,
+ 		    clone_thing(task, "signature task"),
+ 		    &v2_auth_signature_handler, where);
+@@ -85,7 +87,7 @@ bool submit_v2_auth_signature(struct ike_sa *ike,
+ static struct hash_signature v2_auth_signature(struct logger *logger,
+ 					       const struct crypt_mac *hash_to_sign,
+ 					       const struct hash_desc *hash_algo,
+-					       const struct secret_stuff *pks,
+					       const struct secret_pubkey_stuff *pks,
+ 					       const struct pubkey_signer *signer)
+ {
+ 	passert(hash_to_sign->len <= sizeof(hash_to_sign->ptr/*array*/)); /*hint to coverity*/
+@@ -95,8 +97,14 @@ static struct hash_signature v2_auth_signature(struct logger *logger,
+ 		DBG_dump_hunk("hash to sign", *hash_to_sign);
+ 	}
+ 
+	struct secret_stuff s = {
+		.kind = pks->content.type->private_key_kind,
+		.line = 0,
+		.u.pubkey = (struct secret_pubkey_stuff *)pks,
+	};
+
+ 	logtime_t sign_time = logtime_start(logger);
+-	struct hash_signature sig = signer->sign_hash(pks,
+	struct hash_signature sig = signer->sign_hash(&s,
+ 						      hash_to_sign->ptr,
+ 						      hash_to_sign->len,
+ 						      hash_algo,
+@@ -124,5 +132,6 @@ static stf_status v2_auth_signature_completed(struct state *st,
+ 
+ static void v2_auth_signature_cleanup(struct task **task)
+ {
+	secret_pubkey_stuff_delref(&(*task)->pks, HERE);
+ 	pfreeany(*task);
+ }
+-- 
+2.47.0
+
--- a/libreswan.spec
+++ b/libreswan.spec
@ -31,7 +31,7 @@ Name: libreswan
 Summary: Internet Key Exchange (IKEv1 and IKEv2) implementation for IPsec
 # version is generated in the release script
 Version: 4.15
-Release: %{?prever:0.}4%{?prever:.%{prever}}%{?dist}
+Release: %{?prever:0.}5%{?prever:.%{prever}}%{?dist}
 License: GPLv2
 Url: https://libreswan.org/
 Source0: https://download.libreswan.org/%{?prever:development/}%{name}-%{version}%{?prever}.tar.gz
@ -45,6 +45,7 @@ Patch: libreswan-4.15-ondemand-tcp.patch
 Patch: libreswan-4.15-netlink-extack.patch
 Patch: libreswan-4.15-whack-fd-refcount.patch
 Patch: libreswan-4.15-create-child-sa-race-condition.patch
+Patch: libreswan-4.15-rereadsecrets.patch

 BuildRequires: audit-libs-devel
 BuildRequires: bison
@ -200,6 +201,9 @@ certutil -N -d sql:$tmpdir --empty-password
 %doc %{_mandir}/*/*

 %changelog
+* Fri Nov 22 2024 Daiki Ueno <dueno@redhat.com> - 4.15-5
+- crypto: refcnt struct secret_pubkey_stuff when passing to helper thread (RHEL-68047)
+
 * Tue Nov 12 2024 Daiki Ueno <dueno@redhat.com> - 4.15-4
 - pluto: fix refcounting of whack FD at CREATE_CHILD_SA request (RHEL-61461)
 - pluto: ignore CREATE_CHILD_SA request if crypto is in progress (RHEL-61461)