Fix segfault in EVP_PKEY_Q_keygen()

When OpenSSL was not previously initialized, EVP_PKEY_Q_keygen() would
cause a segmentation fault. Avoid this by backporting a fix from
upstream.

Resolves: rhbz#2103289
Signed-off-by: Clemens Lang <cllang@redhat.com>

0070-EVP_PKEY_Q_keygen-Call-OPENSSL_init_crypto-to-init-s.patch

@@ -0,0 +1,56 @@
+From edceec7fe0c9a5534ae155c8398c63dd7dd95483 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tomas@openssl.org>
+Date: Thu, 5 May 2022 08:11:24 +0200
+Subject: [PATCH] EVP_PKEY_Q_keygen: Call OPENSSL_init_crypto to init
+ strcasecmp
+
+Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
+Reviewed-by: Matt Caswell <matt@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/18247)
+
+(cherry picked from commit b807c2fbab2128cf3746bb2ebd51cbe3bb6914a9)
+
+Upstream-Status: Backport [https://github.com/openssl/openssl/commit/edceec7fe0c9a5534ae155c8398c63dd7dd95483]
+---
+ crypto/evp/evp_lib.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/crypto/evp/evp_lib.c b/crypto/evp/evp_lib.c
+index 3fe4743761..d9b8c0af41 100644
+--- a/crypto/evp/evp_lib.c
++++ b/crypto/evp/evp_lib.c
+@@ -24,6 +24,7 @@
+ #include <openssl/dh.h>
+ #include <openssl/ec.h>
+ #include "crypto/evp.h"
++#include "crypto/cryptlib.h"
+ #include "internal/provider.h"
+ #include "evp_local.h"
+ 
+@@ -1094,6 +1095,8 @@ int EVP_CIPHER_CTX_test_flags(const EVP_CIPHER_CTX *ctx, int flags)
+     return (ctx->flags & flags);
+ }
+ 
++#if !defined(FIPS_MODULE)
++
+ int EVP_PKEY_CTX_set_group_name(EVP_PKEY_CTX *ctx, const char *name)
+ {
+     OSSL_PARAM params[] = { OSSL_PARAM_END, OSSL_PARAM_END };
+@@ -1169,6 +1172,8 @@ EVP_PKEY *EVP_PKEY_Q_keygen(OSSL_LIB_CTX *libctx, const char *propq,
+ 
+     va_start(args, type);
+ 
++    OPENSSL_init_crypto(OPENSSL_INIT_BASE_ONLY, NULL);
++
+     if (OPENSSL_strcasecmp(type, "RSA") == 0) {
+         bits = va_arg(args, size_t);
+         params[0] = OSSL_PARAM_construct_size_t(OSSL_PKEY_PARAM_RSA_BITS, &bits);
+@@ -1189,3 +1194,5 @@ EVP_PKEY *EVP_PKEY_Q_keygen(OSSL_LIB_CTX *libctx, const char *propq,
+     va_end(args);
+     return ret;
+ }
++
++#endif /* !defined(FIPS_MODULE) */
+-- 
+2.35.3
+

openssl.spec

@@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16))
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 3.0.1
-Release: 37%{?dist}
+Release: 38%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@@ -138,6 +138,8 @@ Patch68: 0068-CVE-2022-2068.patch
 # https://github.com/openssl/openssl/commit/a98f339ddd7e8f487d6e0088d4a9a42324885a93
 # https://github.com/openssl/openssl/commit/52d50d52c2f1f4b70d37696bfa74fe5e581e7ba8
 Patch69: 0069-CVE-2022-2097.patch
+# https://github.com/openssl/openssl/commit/edceec7fe0c9a5534ae155c8398c63dd7dd95483
+Patch70: 0070-EVP_PKEY_Q_keygen-Call-OPENSSL_init_crypto-to-init-s.patch
 
 License: ASL 2.0
 URL: http://www.openssl.org/
@@ -468,6 +470,11 @@ install -m644 %{SOURCE9} \
 %ldconfig_scriptlets libs
 
 %changelog
+* Thu Jul 14 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-38
+- Fix segfault in EVP_PKEY_Q_keygen() when OpenSSL was not previously
+  initialized.
+  Resolves: rhbz#2103289
+
 * Tue Jul 05 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-37
 - CVE-2022-2097: AES OCB fails to encrypt some bytes on 32-bit x86
   Resolves: CVE-2022-2097