From 183a31c884036cd9c1f5359067c26a9762bd55dd Mon Sep 17 00:00:00 2001
From: Kovid Goyal
Date: Thu, 4 Aug 2022 11:08:54 +0530
Subject: [PATCH] mlock() the returned private key to prevent it from being saved to swap
---
 kitty/crypto.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/kitty/crypto.c b/kitty/crypto.c
index b4f5782f9..0e01b5ca7 100644
--- a/kitty/crypto.c
+++ b/kitty/crypto.c
@@ -12,6 +12,7 @@
 #include
 #include
 #include
+#include
 typedef struct {
 PyObject_HEAD
@@ -72,10 +73,10 @@ static PyObject*
 elliptic_curve_key_get_public(EllipticCurveKey *self, void UNUSED *closure) {
 /* PEM_write_PUBKEY(stdout, pkey); */
 size_t len = 0;
- if (1 != EVP_PKEY_get_raw_public_key(self->key, NULL, &len)) return set_error_from_openssl("Could not get public key from EVP_KEY");
+ if (1 != EVP_PKEY_get_raw_public_key(self->key, NULL, &len)) return set_error_from_openssl("Could not get public key from EVP_PKEY");
 PyObject *ans = PyBytes_FromStringAndSize(NULL, len);
 if (!ans) return NULL;
- if (1 != EVP_PKEY_get_raw_public_key(self->key, (unsigned char*)PyBytes_AS_STRING(ans), &len)) return set_error_from_openssl("Could not get public key from EVP_KEY");
+ if (1 != EVP_PKEY_get_raw_public_key(self->key, (unsigned char*)PyBytes_AS_STRING(ans), &len)) { Py_CLEAR(ans); return set_error_from_openssl("Could not get public key from EVP_PKEY"); }
 return ans;
 }
@@ -84,10 +85,11 @@ elliptic_curve_key_get_public(EllipticCurveKey *self, void UNUSED *closure) {
 static PyObject*
 elliptic_curve_key_get_private(EllipticCurveKey *self, void UNUSED *closure) {
 size_t len = 0;
- if (1 != EVP_PKEY_get_raw_private_key(self->key, NULL, &len)) return set_error_from_openssl("Could not get public key from EVP_KEY");
+ if (1 != EVP_PKEY_get_raw_private_key(self->key, NULL, &len)) return set_error_from_openssl("Could not get public key from EVP_PKEY");
 PyObject *ans = PyBytes_FromStringAndSize(NULL, len);
 if (!ans) return NULL;
- if (1 != EVP_PKEY_get_raw_private_key(self->key, (unsigned char*)PyBytes_AS_STRING(ans), &len)) return set_error_from_openssl("Could not get public key from EVP_KEY");
+ mlock(PyBytes_AS_STRING(ans), len);
+ if (1 != EVP_PKEY_get_raw_private_key(self->key, (unsigned char*)PyBytes_AS_STRING(ans), &len)) { Py_CLEAR(ans); return set_error_from_openssl("Could not get public key from EVP_PKEY"); }
 return ans;
 }
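Review bot: The return value of the added `mlock(PyBytes_AS_STRING(ans), len);` in elliptic_curve_key_get_private is discarded, so when the call fails (for example because the process is over its RLIMIT_MEMLOCK limit) the getter hands back the key in pageable memory with no signal to the caller. Either fail closed, `if (mlock(PyBytes_AS_STRING(ans), len) != 0) { Py_CLEAR(ans); return PyErr_SetFromErrno(PyExc_OSError); }`, or keep it best-effort and say so with a comment such as `// best effort: on failure the key may still reach swap`. Nothing visible in the hunk unlocks or zeroes the buffer: the new error path calls `Py_CLEAR(ans)` on bytes that may already hold key material, the lock appears to outlive the bytes object so repeated calls would count against the locked-memory limit, and any copy Python code makes of the returned bytes is not locked. Both error messages in this getter still read "Could not get public key" although it reads the private key; `"Could not get private key from EVP_PKEY"` would match what the function does.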