From 19af14b3a5dc79dd1649d98c7881769d7ff21408 Mon Sep 17 00:00:00 2001 From: Than Ngo Date: Wed, 5 Jul 2023 10:00:16 +0200 Subject: [PATCH] - add workaround for segfault in PEM_write_bio() on OpenSSL 1.1.1 Related: #2159741 --- ...cd5ba7e5b0bab00dedc89021147ec55b41b3.patch | 37 +++++++++++++++++++ opencryptoki.spec | 8 +++- 2 files changed, 44 insertions(+), 1 deletion(-) create mode 100644 opencryptoki-3.21.0-f8ddcd5ba7e5b0bab00dedc89021147ec55b41b3.patch
diff --git a/opencryptoki-3.21.0-f8ddcd5ba7e5b0bab00dedc89021147ec55b41b3.patch b/opencryptoki-3.21.0-f8ddcd5ba7e5b0bab00dedc89021147ec55b41b3.patch
new file mode 100644
index 0000000..6363603
--- /dev/null
+++ b/opencryptoki-3.21.0-f8ddcd5ba7e5b0bab00dedc89021147ec55b41b3.patch
@@ -0,0 +1,37 @@
+commit f8ddcd5ba7e5b0bab00dedc89021147ec55b41b3
+Author: Ingo Franzki
+Date: Tue May 23 15:07:02 2023 +0200
+
+ p11sak: Fix segfault in PEM_write_bio() on OpenSSL 1.1.1
+
+ On OpenSSL version before 1.1.1r function PEM_write_bio() segfaults when the
+ 'header' argument is NULL. This was fixed in OpenSSL 1.1.1r with commit
+ https://github.com/openssl/openssl/commit/3b9082c844913d3a0efada9fac0bd2924ce1a8f2
+
+ As a workaround, specify an empty string instead of NULL, which results in the
+ same output.
+
+ 
Signed-off-by: Ingo Franzki
+
+diff --git a/usr/sbin/p11sak/p11sak.c b/usr/sbin/p11sak/p11sak.c
+index 5b54b538..3baae560 100644
+--- a/usr/sbin/p11sak/p11sak.c
++++ b/usr/sbin/p11sak/p11sak.c
+@@ -6794,7 +6794,7 @@ static CK_RV p11sak_export_spki(const struct p11sak_keytype *keytype,
+ return rc;
+ }
+
+- ret = PEM_write_bio(bio, PEM_STRING_PUBLIC, NULL,
++ ret = PEM_write_bio(bio, PEM_STRING_PUBLIC, "",
+ attr.pValue, attr.ulValueLen);
+ if (ret <= 0) {
+ warnx("Failed to write SPKI of %s key object \"%s\" to PEM file '%s'.",
+@@ -6888,7 +6888,7 @@ static CK_RV p11sak_export_asym_key(const struct p11sak_keytype *keytype,
+ ret = PEM_write_bio(bio, private ?
+ keytype->pem_name_private :
+ keytype->pem_name_public,
+- NULL, data, data_len);
++ "", data, data_len);
+ if (ret <= 0) {
+ warnx("Failed to write %s key object \"%s\" to PEM file '%s'.",
+ typestr, label, opt_file);
diff --git a/opencryptoki.spec b/opencryptoki.spec
index 2d05033..e10aa19 100644
--- a/opencryptoki.spec
+++ b/opencryptoki.spec
@@ -1,7 +1,7 @@
 Name: opencryptoki
 Summary: Implementation of the PKCS#11 (Cryptoki) specification v3.0
 Version: 3.21.0
-Release: 5%{?dist}
+Release: 6%{?dist}
 License: CPL
 Group: System Environment/Base
 URL: https://github.com/opencryptoki/opencryptoki
@@ -19,6 +19,8 @@ Patch3: opencryptoki-3.21-sandboxing.patch Patch100: opencryptoki-3.21.0-f4166214552a92d8d66de8011ab11c9c2c6bb0a4.patch # p11sak: Fix user confirmation prompt behavior when stdin is closed Patch101: opencryptoki-3.21.0-4ff774568e334a719fc8de16fe2309e2070f0da8.patch +# p11sak: Fix segfault in PEM_write_bio() on OpenSSL 1.1.1 +Patch102: opencryptoki-3.21.0-f8ddcd5ba7e5b0bab00dedc89021147ec55b41b3.patch Requires(pre): coreutils diffutils Requires: (selinux-policy >= 3.14.3-121 if selinux-policy-targeted) 
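Review bot: Neither PEM_write_bio() call changed by the embedded p11sak.c patch (in p11sak_export_spki and in p11sak_export_asym_key) carries a comment saying why `""` is passed as the header argument, so a later cleanup could put `NULL` back and reintroduce the segfault on OpenSSL releases before 1.1.1r. I would add above each call something like `/* Pass "" rather than NULL as header: PEM_write_bio() segfaults on a NULL header before OpenSSL 1.1.1r. */`. Both enclosing functions start and end outside the hunks, so any other PEM_write_bio() caller in p11sak.c is not visible here; if one exists and still passes a NULL header, it presumably needs the same workaround.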
@@ -377,6 +379,10 @@ fi %changelog +* Tue Jul 04 2023 Than Ngo - 3.21.0-6 +- add workaround for segfault in PEM_write_bio() on OpenSSL 1.1.1 +Related: #2159741 + * Tue Jun 13 2023 Than Ngo - 3.21.0-5 - add requirement on selinux-policy >= 3.14.3-121 for pkcsslotd policy sandboxing Related: #2159697