Fix segfault in EVP_PKEY_Q_keygen()

When OpenSSL was not previously initialized, EVP_PKEY_Q_keygen() would
cause a segmentation fault. Avoid this by backporting a fix from
upstream.

Resolves: rhbz#2103289
Signed-off-by: Clemens Lang <cllang@redhat.com>
This commit is contained in:
Clemens Lang 2022-07-14 14:49:46 +02:00
parent 5901637dea
commit c64694b961
2 changed files with 64 additions and 1 deletions

View File

@ -0,0 +1,56 @@
From edceec7fe0c9a5534ae155c8398c63dd7dd95483 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tomas@openssl.org>
Date: Thu, 5 May 2022 08:11:24 +0200
Subject: [PATCH] EVP_PKEY_Q_keygen: Call OPENSSL_init_crypto to init
strcasecmp
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18247)
(cherry picked from commit b807c2fbab2128cf3746bb2ebd51cbe3bb6914a9)
Upstream-Status: Backport [https://github.com/openssl/openssl/commit/edceec7fe0c9a5534ae155c8398c63dd7dd95483]
---
crypto/evp/evp_lib.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/crypto/evp/evp_lib.c b/crypto/evp/evp_lib.c
index 3fe4743761..d9b8c0af41 100644
--- a/crypto/evp/evp_lib.c
+++ b/crypto/evp/evp_lib.c
@@ -24,6 +24,7 @@
#include <openssl/dh.h>
#include <openssl/ec.h>
#include "crypto/evp.h"
+#include "crypto/cryptlib.h"
#include "internal/provider.h"
#include "evp_local.h"
@@ -1094,6 +1095,8 @@ int EVP_CIPHER_CTX_test_flags(const EVP_CIPHER_CTX *ctx, int flags)
return (ctx->flags & flags);
}
+#if !defined(FIPS_MODULE)
+
int EVP_PKEY_CTX_set_group_name(EVP_PKEY_CTX *ctx, const char *name)
{
OSSL_PARAM params[] = { OSSL_PARAM_END, OSSL_PARAM_END };
@@ -1169,6 +1172,8 @@ EVP_PKEY *EVP_PKEY_Q_keygen(OSSL_LIB_CTX *libctx, const char *propq,
va_start(args, type);
+ OPENSSL_init_crypto(OPENSSL_INIT_BASE_ONLY, NULL);
+
if (OPENSSL_strcasecmp(type, "RSA") == 0) {
bits = va_arg(args, size_t);
params[0] = OSSL_PARAM_construct_size_t(OSSL_PKEY_PARAM_RSA_BITS, &bits);
@@ -1189,3 +1194,5 @@ EVP_PKEY *EVP_PKEY_Q_keygen(OSSL_LIB_CTX *libctx, const char *propq,
va_end(args);
return ret;
}
+
+#endif /* !defined(FIPS_MODULE) */
--
2.35.3

View File

@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16))
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
Version: 3.0.1
Release: 37%{?dist}
Release: 38%{?dist}
Epoch: 1
# We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below.
@ -138,6 +138,8 @@ Patch68: 0068-CVE-2022-2068.patch
# https://github.com/openssl/openssl/commit/a98f339ddd7e8f487d6e0088d4a9a42324885a93
# https://github.com/openssl/openssl/commit/52d50d52c2f1f4b70d37696bfa74fe5e581e7ba8
Patch69: 0069-CVE-2022-2097.patch
# https://github.com/openssl/openssl/commit/edceec7fe0c9a5534ae155c8398c63dd7dd95483
Patch70: 0070-EVP_PKEY_Q_keygen-Call-OPENSSL_init_crypto-to-init-s.patch
License: ASL 2.0
URL: http://www.openssl.org/
@ -468,6 +470,11 @@ install -m644 %{SOURCE9} \
%ldconfig_scriptlets libs
%changelog
* Thu Jul 14 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-38
- Fix segfault in EVP_PKEY_Q_keygen() when OpenSSL was not previously
initialized.
Resolves: rhbz#2103289
* Tue Jul 05 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-37
- CVE-2022-2097: AES OCB fails to encrypt some bytes on 32-bit x86
Resolves: CVE-2022-2097