Skip to content

20251114-WOLFSSL_BLIND_PRIVATE_KEY-thread-safety #9436

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
+105 −59
Open

20251114-WOLFSSL_BLIND_PRIVATE_KEY-thread-safety #9436

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
dee0658
fix races around WOLFSSL_CTX.{privateKey,privateKeyMask,altPrivateKey…
douzzer Nov 14, 2025
c29abcc
src/internal.c: peer review: refactor wolfssl_priv_der_unblind() and …
douzzer Nov 15, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
49 changes: 36 additions & 13 deletions src/internal.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -293,12 +293,32 @@ int wolfssl_priv_der_blind(WC_RNG* rng, DerBuffer* key, DerBuffer** mask)
return ret;
}

void wolfssl_priv_der_unblind(DerBuffer* key, DerBuffer* mask)
void wolfssl_priv_der_blind_toggle(DerBuffer* key, const DerBuffer* mask)
Copy link
Member

@julek-wolfssl julek-wolfssl Nov 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think I'd prefer wolfssl_der_key_xor_mask.

Copy link
Contributor Author

@douzzer douzzer Nov 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

xor isn't the point here (blinding could be implemented with barrel shifts or other ops), and we're not gonna bikeshed the terminology for present purposes.

Copy link
Member

@julek-wolfssl julek-wolfssl Nov 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't like the "toggle" part of the name. Maybe "apply" would be better but I won't block the pr over this.

{
if (key != NULL) {
if ((key != NULL) && (mask != NULL)) {
xorbuf(key->buffer, mask->buffer, mask->length);
}
}

DerBuffer *wolfssl_priv_der_unblind(const DerBuffer* key, const DerBuffer* mask)
{
DerBuffer *ret;
if ((key == NULL) || (mask == NULL))
return NULL;
if (mask->length > key->length)
return NULL;
if (AllocDer(&ret, key->length, key->type, key->heap) != 0)
return NULL;
xorbufout(ret->buffer, key->buffer, mask->buffer, mask->length);
return ret;
}

void wolfssl_priv_der_unblind_free(DerBuffer* key)
{
if (key != NULL)
FreeDer(&key);
}

#endif /* !NO_CERT && WOLFSSL_BLIND_PRIVATE_KEY */


Expand Down Expand Up @@ -7090,7 +7110,7 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
}
ssl->buffers.weOwnKey = 1;
/* Blind the private key for the SSL with new random mask. */
wolfssl_priv_der_unblind(ssl->buffers.key, ctx->privateKeyMask);
wolfssl_priv_der_blind_toggle(ssl->buffers.key, ctx->privateKeyMask);
ret = wolfssl_priv_der_blind(ssl->rng, ssl->buffers.key,
&ssl->buffers.keyMask);
if (ret != 0) {
Expand All @@ -7115,7 +7135,8 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
return ret;
}
/* Blind the private key for the SSL with new random mask. */
wolfssl_priv_der_unblind(ssl->buffers.altKey, ctx->altPrivateKeyMask);
wolfssl_priv_der_blind_toggle(ssl->buffers.altKey,
ctx->altPrivateKeyMask);
ret = wolfssl_priv_der_blind(ssl->rng, ssl->buffers.altKey,
&ssl->buffers.altKeyMask);
if (ret != 0) {
Expand Down Expand Up @@ -30281,7 +30302,7 @@ int DecodeAltPrivateKey(WOLFSSL *ssl, word32* length)
}

#ifdef WOLFSSL_BLIND_PRIVATE_KEY
wolfssl_priv_der_unblind(ssl->buffers.altKey, ssl->buffers.altKeyMask);
wolfssl_priv_der_blind_toggle(ssl->buffers.altKey, ssl->buffers.altKeyMask);
#endif

#ifdef WOLF_PRIVATE_KEY_ID
Expand Down Expand Up @@ -30691,7 +30712,7 @@ int DecodeAltPrivateKey(WOLFSSL *ssl, word32* length)
&ssl->buffers.altKeyMask);
}
else {
wolfssl_priv_der_unblind(ssl->buffers.key, ssl->buffers.keyMask);
wolfssl_priv_der_blind_toggle(ssl->buffers.key, ssl->buffers.keyMask);
}
#endif

Expand Down Expand Up @@ -34386,7 +34407,7 @@ int SendCertificateVerify(WOLFSSL* ssl)
WOLFSSL_ENTER("SendCertificateVerify");

#ifdef WOLFSSL_BLIND_PRIVATE_KEY
wolfssl_priv_der_unblind(ssl->buffers.key, ssl->buffers.keyMask);
wolfssl_priv_der_blind_toggle(ssl->buffers.key, ssl->buffers.keyMask);
#endif

#ifdef WOLFSSL_ASYNC_IO
Expand Down Expand Up @@ -34436,7 +34457,7 @@ int SendCertificateVerify(WOLFSSL* ssl)
{
if (ssl->options.sendVerify == SEND_BLANK_CERT) {
#ifdef WOLFSSL_BLIND_PRIVATE_KEY
wolfssl_priv_der_unblind(ssl->buffers.key,
wolfssl_priv_der_blind_toggle(ssl->buffers.key,
ssl->buffers.keyMask);
#endif
return 0; /* sent blank cert, can't verify */
Expand Down Expand Up @@ -34864,7 +34885,7 @@ int SendCertificateVerify(WOLFSSL* ssl)
&ssl->buffers.keyMask);
}
else {
wolfssl_priv_der_unblind(ssl->buffers.key, ssl->buffers.keyMask);
wolfssl_priv_der_blind_toggle(ssl->buffers.key, ssl->buffers.keyMask);
}
#endif

Expand Down Expand Up @@ -35538,7 +35559,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
WOLFSSL_ENTER("SendServerKeyExchange");

#ifdef WOLFSSL_BLIND_PRIVATE_KEY
wolfssl_priv_der_unblind(ssl->buffers.key, ssl->buffers.keyMask);
wolfssl_priv_der_blind_toggle(ssl->buffers.key, ssl->buffers.keyMask);
#endif

#ifdef WOLFSSL_ASYNC_IO
Expand Down Expand Up @@ -37123,7 +37144,8 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
&ssl->buffers.keyMask);
}
else {
wolfssl_priv_der_unblind(ssl->buffers.key, ssl->buffers.keyMask);
wolfssl_priv_der_blind_toggle(ssl->buffers.key,
ssl->buffers.keyMask);
}
#endif

Expand Down Expand Up @@ -41041,7 +41063,7 @@ static int DefTicketEncCb(WOLFSSL* ssl, byte key_name[WOLFSSL_TICKET_NAME_SZ],
WOLFSSL_ENTER("DoClientKeyExchange");

#ifdef WOLFSSL_BLIND_PRIVATE_KEY
wolfssl_priv_der_unblind(ssl->buffers.key, ssl->buffers.keyMask);
wolfssl_priv_der_blind_toggle(ssl->buffers.key, ssl->buffers.keyMask);
#endif

#ifdef WOLFSSL_ASYNC_CRYPT
Expand Down Expand Up @@ -41848,7 +41870,8 @@ static int DefTicketEncCb(WOLFSSL* ssl, byte key_name[WOLFSSL_TICKET_NAME_SZ],
&ssl->buffers.keyMask);
}
else {
wolfssl_priv_der_unblind(ssl->buffers.key, ssl->buffers.keyMask);
wolfssl_priv_der_blind_toggle(ssl->buffers.key,
ssl->buffers.keyMask);
}
#endif

Expand Down
101 changes: 60 additions & 41 deletions src/ssl.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7361,9 +7361,9 @@ static int check_cert_key_dev(word32 keyOID, byte* privKey, word32 privSz,
*
* Returns WOLFSSL_SUCCESS on good private key
* WOLFSSL_FAILURE if mismatched */
static int check_cert_key(DerBuffer* cert, DerBuffer* key, DerBuffer* altKey,
void* heap, int devId, int isKeyLabel, int isKeyId, int altDevId,
int isAltKeyLabel, int isAltKeyId)
static int check_cert_key(const DerBuffer* cert, const DerBuffer* key,
const DerBuffer* altKey, void* heap, int devId, int isKeyLabel, int isKeyId,
int altDevId, int isAltKeyLabel, int isAltKeyId)
{
WC_DECLARE_VAR(der, DecodedCert, 1, 0);
word32 size;
Expand Down Expand Up @@ -7498,50 +7498,61 @@ static int check_cert_key(DerBuffer* cert, DerBuffer* key, DerBuffer* altKey,
* WOLFSSL_FAILURE if mismatched. */
int wolfSSL_CTX_check_private_key(const WOLFSSL_CTX* ctx)
{
int res;
int res = WOLFSSL_SUCCESS;
#ifdef WOLFSSL_BLIND_PRIVATE_KEY
DerBuffer *privateKey;
#ifdef WOLFSSL_DUAL_ALG_CERTS
DerBuffer *altPrivateKey;
#endif
#else
const DerBuffer *privateKey;
#ifdef WOLFSSL_DUAL_ALG_CERTS
const DerBuffer *altPrivateKey;
#endif
#endif

if (ctx == NULL) {
return WOLFSSL_FAILURE;
}

#ifdef WOLFSSL_DUAL_ALG_CERTS
#ifdef WOLFSSL_BLIND_PRIVATE_KEY
wolfssl_priv_der_unblind(ctx->privateKey, ctx->privateKeyMask);
wolfssl_priv_der_unblind(ctx->altPrivateKey, ctx->altPrivateKeyMask);
privateKey = wolfssl_priv_der_unblind(ctx->privateKey, ctx->privateKeyMask);
altPrivateKey = wolfssl_priv_der_unblind(ctx->altPrivateKey,
ctx->altPrivateKeyMask);
if ((privateKey == NULL) || (altPrivateKey == NULL)) {
res = WOLFSSL_FAILURE;
}
#else
privateKey = ctx->privateKey;
altPrivateKey = ctx->altPrivateKey;
#endif
res = check_cert_key(ctx->certificate, ctx->privateKey, ctx->altPrivateKey,
ctx->heap, ctx->privateKeyDevId, ctx->privateKeyLabel,
ctx->privateKeyId, ctx->altPrivateKeyDevId, ctx->altPrivateKeyLabel,
ctx->altPrivateKeyId) != 0;
#ifdef WOLFSSL_BLIND_PRIVATE_KEY
{
int ret;
ret = wolfssl_priv_der_blind(NULL, ctx->privateKey,
(DerBuffer**)&ctx->privateKeyMask);
if (ret == 0) {
ret = wolfssl_priv_der_blind(NULL, ctx->altPrivateKey,
(DerBuffer**)&ctx->altPrivateKeyMask);
}
if (ret != 0) {
res = WOLFSSL_FAILURE;
}
if (res == WOLFSSL_SUCCESS) {
res = check_cert_key(ctx->certificate, privateKey, altPrivateKey,
ctx->heap, ctx->privateKeyDevId, ctx->privateKeyLabel,
ctx->privateKeyId, ctx->altPrivateKeyDevId,
ctx->altPrivateKeyLabel, ctx->altPrivateKeyId) != 0;
}
#ifdef WOLFSSL_BLIND_PRIVATE_KEY
wolfssl_priv_der_unblind_free(privateKey);
wolfssl_priv_der_unblind_free(altPrivateKey);
#endif
#else
#ifdef WOLFSSL_BLIND_PRIVATE_KEY
wolfssl_priv_der_unblind(ctx->privateKey, ctx->privateKeyMask);
privateKey = wolfssl_priv_der_unblind(ctx->privateKey, ctx->privateKeyMask);
if (privateKey == NULL) {
res = WOLFSSL_FAILURE;
}
#else
privateKey = ctx->privateKey;
#endif
res = check_cert_key(ctx->certificate, ctx->privateKey, NULL, ctx->heap,
ctx->privateKeyDevId, ctx->privateKeyLabel, ctx->privateKeyId,
INVALID_DEVID, 0, 0);
#ifdef WOLFSSL_BLIND_PRIVATE_KEY
{
int ret = wolfssl_priv_der_blind(NULL, ctx->privateKey,
(DerBuffer**)&ctx->privateKeyMask);
if (ret != 0) {
res = WOLFSSL_FAILURE;
}
if (res == WOLFSSL_SUCCESS) {
res = check_cert_key(ctx->certificate, privateKey, NULL, ctx->heap,
ctx->privateKeyDevId, ctx->privateKeyLabel,
ctx->privateKeyId, INVALID_DEVID, 0, 0);
}
#ifdef WOLFSSL_BLIND_PRIVATE_KEY
wolfssl_priv_der_unblind_free(privateKey);
#endif
#endif

Expand All @@ -7558,8 +7569,12 @@ int wolfSSL_CTX_check_private_key(const WOLFSSL_CTX* ctx)
/**
* Return the private key of the WOLFSSL_CTX struct
* @return WOLFSSL_EVP_PKEY* The caller doesn *NOT*` free the returned object.
*
* Note, even though the supplied ctx pointer is designated const, on success
* ctx->privateKeyPKey is changed by this call. The change is done safely using
* a hardware-synchronized store.
*/
WOLFSSL_EVP_PKEY* wolfSSL_CTX_get0_privatekey(WOLFSSL_CTX* ctx)
WOLFSSL_EVP_PKEY* wolfSSL_CTX_get0_privatekey(const WOLFSSL_CTX* ctx)
{
WOLFSSL_EVP_PKEY* res;
const unsigned char *key;
Expand Down Expand Up @@ -7596,19 +7611,23 @@ WOLFSSL_EVP_PKEY* wolfSSL_CTX_get0_privatekey(WOLFSSL_CTX* ctx)
return NULL;
}

key = ctx->privateKey->buffer;

if (ctx->privateKeyPKey != NULL) {
res = ctx->privateKeyPKey;
}
else {
#ifdef WOLFSSL_BLIND_PRIVATE_KEY
wolfssl_priv_der_unblind(ctx->privateKey, ctx->privateKeyMask);
DerBuffer *unblinded_privateKey =
wolfssl_priv_der_unblind(ctx->privateKey, ctx->privateKeyMask);
if (unblinded_privateKey == NULL)
return NULL;
key = unblinded_privateKey->buffer;
#else
key = ctx->privateKey->buffer;
#endif
res = wolfSSL_d2i_PrivateKey(type, NULL, &key,
(long)ctx->privateKey->length);
#ifdef WOLFSSL_BLIND_PRIVATE_KEY
wolfssl_priv_der_unblind(ctx->privateKey, ctx->privateKeyMask);
wolfssl_priv_der_unblind_free(unblinded_privateKey);
#endif
if (res) {
#ifdef WOLFSSL_ATOMIC_OPS
Expand All @@ -7621,7 +7640,7 @@ WOLFSSL_EVP_PKEY* wolfSSL_CTX_get0_privatekey(WOLFSSL_CTX* ctx)
res = current_pkey;
}
#else
ctx->privateKeyPKey = res;
((WOLFSSL_CTX *)ctx)->privateKeyPKey = res;
#endif
}
}
Expand Down Expand Up @@ -8874,7 +8893,7 @@ int wolfSSL_check_private_key(const WOLFSSL* ssl)
#endif
#else
#ifdef WOLFSSL_BLIND_PRIVATE_KEY
wolfssl_priv_der_unblind(ssl->buffers.key, ssl->buffers.keyMask);
wolfssl_priv_der_blind_toggle(ssl->buffers.key, ssl->buffers.keyMask);
#endif
res = check_cert_key(ssl->buffers.certificate, ssl->buffers.key, NULL,
ssl->heap, ssl->buffers.keyDevId, ssl->buffers.keyLabel,
Expand Down Expand Up @@ -20971,7 +20990,7 @@ WOLFSSL_CTX* wolfSSL_set_SSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx)
return NULL;
}
/* Blind the private key for the SSL with new random mask. */
wolfssl_priv_der_unblind(ssl->buffers.key, ctx->privateKeyMask);
wolfssl_priv_der_blind_toggle(ssl->buffers.key, ctx->privateKeyMask);
ret = wolfssl_priv_der_blind(ssl->rng, ssl->buffers.key,
&ssl->buffers.keyMask);
if (ret != 0) {
Expand Down
6 changes: 3 additions & 3 deletions src/tls13.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9131,7 +9131,7 @@ static int SendTls13CertificateVerify(WOLFSSL* ssl)
WOLFSSL_ENTER("SendTls13CertificateVerify");

#ifdef WOLFSSL_BLIND_PRIVATE_KEY
wolfssl_priv_der_unblind(ssl->buffers.key, ssl->buffers.keyMask);
wolfssl_priv_der_blind_toggle(ssl->buffers.key, ssl->buffers.keyMask);
#endif

ssl->options.buildingMsg = 1;
Expand Down Expand Up @@ -9187,7 +9187,7 @@ static int SendTls13CertificateVerify(WOLFSSL* ssl)
{
if (ssl->options.sendVerify == SEND_BLANK_CERT) {
#ifdef WOLFSSL_BLIND_PRIVATE_KEY
wolfssl_priv_der_unblind(ssl->buffers.key,
wolfssl_priv_der_blind_toggle(ssl->buffers.key,
ssl->buffers.keyMask);
#endif
return 0; /* sent blank cert, can't verify */
Expand Down Expand Up @@ -9882,7 +9882,7 @@ static int SendTls13CertificateVerify(WOLFSSL* ssl)
&ssl->buffers.keyMask);
}
else {
wolfssl_priv_der_unblind(ssl->buffers.key, ssl->buffers.keyMask);
wolfssl_priv_der_blind_toggle(ssl->buffers.key, ssl->buffers.keyMask);
}
#endif

Expand Down
6 changes: 5 additions & 1 deletion wolfssl/internal.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2183,7 +2183,11 @@ WOLFSSL_LOCAL int CreateDevPrivateKey(void** pkey, byte* data, word32 length,
#ifdef WOLFSSL_BLIND_PRIVATE_KEY
WOLFSSL_LOCAL int wolfssl_priv_der_blind(WC_RNG* rng, DerBuffer* key,
DerBuffer** mask);
WOLFSSL_LOCAL void wolfssl_priv_der_unblind(DerBuffer* key, DerBuffer* mask);
WOLFSSL_LOCAL void wolfssl_priv_der_blind_toggle(DerBuffer* key,
const DerBuffer* mask);
WOLFSSL_LOCAL WARN_UNUSED_RESULT DerBuffer *wolfssl_priv_der_unblind(
const DerBuffer* key, const DerBuffer* mask);
WOLFSSL_LOCAL void wolfssl_priv_der_unblind_free(DerBuffer* key);
#endif
WOLFSSL_LOCAL int DecodePrivateKey(WOLFSSL *ssl, word32* length);
#ifdef WOLFSSL_DUAL_ALG_CERTS
Expand Down
2 changes: 1 addition & 1 deletion wolfssl/ssl.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3228,7 +3228,7 @@ WOLFSSL_API int wolfSSL_want_write(WOLFSSL* ssl);
#ifdef OPENSSL_EXTRA
WOLFSSL_API int wolfSSL_want(WOLFSSL* ssl);

WOLFSSL_API WOLFSSL_EVP_PKEY* wolfSSL_CTX_get0_privatekey(WOLFSSL_CTX* ctx);
WOLFSSL_API WOLFSSL_EVP_PKEY* wolfSSL_CTX_get0_privatekey(const WOLFSSL_CTX* ctx);

#include <stdarg.h> /* var_arg */
WOLFSSL_API int wolfSSL_BIO_vprintf(WOLFSSL_BIO* bio, const char* format,
Expand Down