- add workaround for segfault in PEM_write_bio() on OpenSSL 1.1.1

Related: #2159741
2023-07-05 10:00:16 +02:00 · 2023-07-05 10:00:16 +02:00 · 19af14b3a5
commit 19af14b3a5
parent a4b916ba16
2 changed files with 44 additions and 1 deletions
--- a/opencryptoki-3.21.0-f8ddcd5ba7e5b0bab00dedc89021147ec55b41b3.patch
+++ b/opencryptoki-3.21.0-f8ddcd5ba7e5b0bab00dedc89021147ec55b41b3.patch
@ -0,0 +1,37 @@
+commit f8ddcd5ba7e5b0bab00dedc89021147ec55b41b3
+Author: Ingo Franzki <ifranzki@linux.ibm.com>
+Date:   Tue May 23 15:07:02 2023 +0200
+
+    p11sak: Fix segfault in PEM_write_bio() on OpenSSL 1.1.1
+    
+    On OpenSSL version before 1.1.1r function PEM_write_bio() segfaults when the
+    'header' argument is NULL. This was fixed in OpenSSL 1.1.1r with commit
+    https://github.com/openssl/openssl/commit/3b9082c844913d3a0efada9fac0bd2924ce1a8f2
+    
+    As a workaround, specify an empty string instead of NULL, which results in the
+    same output.
+    
+    Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+
+diff --git a/usr/sbin/p11sak/p11sak.c b/usr/sbin/p11sak/p11sak.c
+index 5b54b538..3baae560 100644
+--- a/usr/sbin/p11sak/p11sak.c
+++ b/usr/sbin/p11sak/p11sak.c
+@@ -6794,7 +6794,7 @@ static CK_RV p11sak_export_spki(const struct p11sak_keytype *keytype,
+         return rc;
+     }
+ 
+-    ret = PEM_write_bio(bio, PEM_STRING_PUBLIC, NULL,
+    ret = PEM_write_bio(bio, PEM_STRING_PUBLIC, "",
+                         attr.pValue, attr.ulValueLen);
+     if (ret <= 0) {
+         warnx("Failed to write SPKI of %s key object \"%s\" to PEM file '%s'.",
+@@ -6888,7 +6888,7 @@ static CK_RV p11sak_export_asym_key(const struct p11sak_keytype *keytype,
+         ret = PEM_write_bio(bio, private ?
+                                     keytype->pem_name_private :
+                                     keytype->pem_name_public,
+-                            NULL, data, data_len);
+                            "", data, data_len);
+         if (ret <= 0) {
+             warnx("Failed to write %s key object \"%s\" to PEM file '%s'.",
+                   typestr, label, opt_file);
--- a/opencryptoki.spec
+++ b/opencryptoki.spec
@ -1,7 +1,7 @@
 Name: opencryptoki
 Summary: Implementation of the PKCS#11 (Cryptoki) specification v3.0
 Version: 3.21.0
-Release: 5%{?dist}
+Release: 6%{?dist}
 License: CPL
 Group: System Environment/Base
 URL: https://github.com/opencryptoki/opencryptoki
@ -19,6 +19,8 @@ Patch3: opencryptoki-3.21-sandboxing.patch
 Patch100: opencryptoki-3.21.0-f4166214552a92d8d66de8011ab11c9c2c6bb0a4.patch
 # p11sak: Fix user confirmation prompt behavior when stdin is closed
 Patch101: opencryptoki-3.21.0-4ff774568e334a719fc8de16fe2309e2070f0da8.patch
+# p11sak: Fix segfault in PEM_write_bio() on OpenSSL 1.1.1
+Patch102: opencryptoki-3.21.0-f8ddcd5ba7e5b0bab00dedc89021147ec55b41b3.patch

 Requires(pre): coreutils diffutils
 Requires: (selinux-policy >= 3.14.3-121 if selinux-policy-targeted)
@ -377,6 +379,10 @@ fi


 %changelog
+* Tue Jul 04 2023 Than Ngo <than@redhat.com> - 3.21.0-6
+- add workaround for segfault in PEM_write_bio() on OpenSSL 1.1.1
+Related: #2159741
+
 * Tue Jun 13 2023 Than Ngo <than@redhat.com> - 3.21.0-5
 - add requirement on selinux-policy >= 3.14.3-121 for pkcsslotd policy sandboxing
 Related: #2159697