openssl-pkcs11/SOURCES/openssl-pkcs11-0.4.8-atfork-checks-rsa-and-ec-keys.patch

From efce4defdf31ce74d905ae4dd47c6a36df532854 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Trojnara?= <Michal.Trojnara@stunnel.org>
Date: Wed, 29 Aug 2018 23:05:05 +0200
Subject: [PATCH 09/23] Atfork checks for RSA and EC_KEY methods

---
 src/p11_ec.c   | 9 +++------
 src/p11_pkey.c | 9 ++++-----
 src/p11_rsa.c  | 4 ++--
 3 files changed, 9 insertions(+), 13 deletions(-)

diff --git a/src/p11_ec.c b/src/p11_ec.c
index eb0cbb2..1b58c01 100644
--- a/src/p11_ec.c
+++ b/src/p11_ec.c
@@ -394,7 +394,7 @@ static ECDSA_SIG *pkcs11_ecdsa_sign_sig(const unsigned char *dgst, int dlen,
 	(void)rp; /* Precomputed values are not used for PKCS#11 */
 
 	key = pkcs11_get_ex_data_ec(ec);
-	if (key == NULL) {
+	if (check_key_fork(key) < 0) {
 		sign_sig_fn orig_sign_sig;
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
 		const EC_KEY_METHOD *meth = EC_KEY_OpenSSL();
@@ -406,7 +406,6 @@ static ECDSA_SIG *pkcs11_ecdsa_sign_sig(const unsigned char *dgst, int dlen,
 #endif
 		return orig_sign_sig(dgst, dlen, kinv, rp, ec);
 	}
-	/* TODO: Add an atfork check */
 
 	/* Truncate digest if its byte size is longer than needed */
 	order = BN_new();
@@ -580,9 +579,8 @@ static int pkcs11_ec_ckey(unsigned char **out, size_t *outlen,
 	int rv;
 
 	key = pkcs11_get_ex_data_ec(ecdh);
-	if (key == NULL) /* The private key is not handled by PKCS#11 */
+	if (check_key_fork(key) < 0)
 		return ossl_ecdh_compute_key(out, outlen, peer_point, ecdh);
-	/* TODO: Add an atfork check */
 
 	/* both peer and ecdh use same group parameters */
 	parms = pkcs11_ecdh_params_alloc(EC_KEY_get0_group(ecdh), peer_point);
@@ -622,9 +620,8 @@ static int pkcs11_ec_ckey(void *out, size_t outlen,
 	int rv;
 
 	key = pkcs11_get_ex_data_ec(ecdh);
-	if (key == NULL) /* The private key is not handled by PKCS#11 */
+	if (check_key_fork(key) < 0)
 		return ossl_ecdh_compute_key(out, outlen, peer_point, ecdh, KDF);
-	/* TODO: Add an atfork check */
 
 	/* both peer and ecdh use same group parameters */
 	parms = pkcs11_ecdh_params_alloc(EC_KEY_get0_group(ecdh), peer_point);
diff --git a/src/p11_pkey.c b/src/p11_pkey.c
index 0efcaa4..2ba23d9 100644
--- a/src/p11_pkey.c
+++ b/src/p11_pkey.c
@@ -309,7 +309,7 @@ static int pkcs11_try_pkey_rsa_sign(EVP_PKEY_CTX *evp_pkey_ctx,
 	if (rsa == NULL)
 		return -1;
 	key = pkcs11_get_ex_data_rsa(rsa);
-	if (key == NULL)
+	if (check_key_fork(key) < 0)
 		return -1;
 	slot = KEY2SLOT(key);
 	ctx = KEY2CTX(key);
@@ -413,11 +413,10 @@ static int pkcs11_try_pkey_rsa_decrypt(EVP_PKEY_CTX *evp_pkey_ctx,
 	if (rsa == NULL)
 		return -1;
 	key = pkcs11_get_ex_data_rsa(rsa);
-	if (key == NULL)
+	if (check_key_fork(key) < 0)
 		return -1;
-
-	slot  = KEY2SLOT(key);
-	ctx   = KEY2CTX(key);
+	slot = KEY2SLOT(key);
+	ctx = KEY2CTX(key);
 	kpriv = PRIVKEY(key);
 	spriv = PRIVSLOT(slot);
 	cpriv = PRIVCTX(ctx);
diff --git a/src/p11_rsa.c b/src/p11_rsa.c
index f69a8a6..6a519f9 100644
--- a/src/p11_rsa.c
+++ b/src/p11_rsa.c
@@ -355,7 +355,7 @@ static int pkcs11_rsa_priv_dec_method(int flen, const unsigned char *from,
 	PKCS11_KEY *key = pkcs11_get_ex_data_rsa(rsa);
 	int (*priv_dec) (int flen, const unsigned char *from,
 		unsigned char *to, RSA *rsa, int padding);
-	if (key == NULL) {
+	if (check_key_fork(key) < 0) {
 		priv_dec = RSA_meth_get_priv_dec(RSA_get_default_method());
 		return priv_dec(flen, from, to, rsa, padding);
 	}
@@ -368,7 +368,7 @@ static int pkcs11_rsa_priv_enc_method(int flen, const unsigned char *from,
 	PKCS11_KEY *key = pkcs11_get_ex_data_rsa(rsa);
 	int (*priv_enc) (int flen, const unsigned char *from,
 		unsigned char *to, RSA *rsa, int padding);
-	if (key == NULL) {
+	if (check_key_fork(key) < 0) {
 		priv_enc = RSA_meth_get_priv_enc(RSA_get_default_method());
 		return priv_enc(flen, from, to, rsa, padding);
 	}
-- 
2.17.1