From 522d98f27108dd8c9dca4fd9d452ede27030559e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
Date: Thu, 4 Nov 2021 08:35:15 +0100
Subject: [PATCH] Initialize crypto API only once
Resolves: rhbz#2020044
---
 ...-1.3.6-initialize-crapi-once-pr-1779.patch | 136 ++++++++++++++++++
 openscap-1.3.6-test-rhbz1959570-pr-1788.patch | 97 +++++++++++++
 openscap.spec | 7 +-
 3 files changed, 239 insertions(+), 1 deletion(-)
 create mode 100644 openscap-1.3.6-initialize-crapi-once-pr-1779.patch
 create mode 100644 openscap-1.3.6-test-rhbz1959570-pr-1788.patch
diff --git a/openscap-1.3.6-initialize-crapi-once-pr-1779.patch b/openscap-1.3.6-initialize-crapi-once-pr-1779.patch
new file mode 100644
index 0000000..94cc375
--- /dev/null
+++ b/openscap-1.3.6-initialize-crapi-once-pr-1779.patch
@@ -0,0 +1,136 @@
+From 5c422226df442855a7dc9834eb4ff74865394a92 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
+Date: Thu, 8 Jul 2021 14:28:16 +0200
+Subject: [PATCH 1/3] Initialize crypto API only once
+
+The function `crapi_init` calls `gcry_check_version` which must be
+called before any other function from the Libgcrypt library. That might
+be violated when multiple threads executing multiple probes are running.
+The mitigation proposed in this PR is to call `crapi_init` only once
+when the session is initialized which means before any threads are
+spawned.
+
+See also: https://www.gnupg.org/documentation/manuals/gcrypt/Multi_002dThreading.html#Multi_002dThreading
+
+Resolves: RHBZ#1959570
+---
+ src/OVAL/oval_probe_session.c | 5 +++++
+ src/OVAL/probes/independent/filehash58_probe.c | 6 ------
+ src/OVAL/probes/independent/filehash_probe.c | 6 ------
+ src/OVAL/probes/independent/filemd5_probe.c | 6 ------
+ 4 files changed, 5 insertions(+), 18 deletions(-)
+
+diff --git a/src/OVAL/oval_probe_session.c b/src/OVAL/oval_probe_session.c
+index 435ca148fd..6f6d7ad426 100644
+--- a/src/OVAL/oval_probe_session.c
++++ b/src/OVAL/oval_probe_session.c
+@@ -93,6 +93,11 @@ static void oval_probe_session_libinit(void)
+ SEXP_free((SEXP_t *)exp);
+
+ ncache_libinit();
++ /*
++ * Initialize crypto API
++ */
++ if (crapi_init (NULL) != 0)
++ return (NULL);
+ }
+
+ /**
+diff --git a/src/OVAL/probes/independent/filehash58_probe.c b/src/OVAL/probes/independent/filehash58_probe.c
+index ff1e065746..32a38562bd 100644
+--- a/src/OVAL/probes/independent/filehash58_probe.c
++++ b/src/OVAL/probes/independent/filehash58_probe.c
+@@ -210,12 +210,6 @@ int filehash58_probe_offline_mode_supported()
+
+ void *filehash58_probe_init(void)
+ {
+- /*
+- * Initialize crypto API
+- */
+- if (crapi_init (NULL) != 0)
+- return (NULL);
+-
+ /*
+ * Initialize mutex.
+ */
+diff --git a/src/OVAL/probes/independent/filehash_probe.c b/src/OVAL/probes/independent/filehash_probe.c
+index 522d976512..6d8780dc95 100644
+--- a/src/OVAL/probes/independent/filehash_probe.c
++++ b/src/OVAL/probes/independent/filehash_probe.c
+@@ -190,12 +190,6 @@ int filehash_probe_offline_mode_supported()
+
+ void *filehash_probe_init(void)
+ {
+- /*
+- * Initialize crypto API
+- */
+- if (crapi_init (NULL) != 0)
+- return (NULL);
+-
+ /*
+ * Initialize mutex.
+ */
+diff --git a/src/OVAL/probes/independent/filemd5_probe.c b/src/OVAL/probes/independent/filemd5_probe.c
+index d0de402d8b..99913581f0 100644
+--- a/src/OVAL/probes/independent/filemd5_probe.c
++++ b/src/OVAL/probes/independent/filemd5_probe.c
+@@ -163,12 +163,6 @@ int probe_offline_mode_supported()
+
+ void *probe_init (void)
+ {
+- /*
+- * Initialize crypto API
+- */
+- if (crapi_init (NULL) != 0)
+- return (NULL);
+-
+ /*
+ * Initialize mutex.
+ */
+
+From c4c26d99a59205d744befe52be4e81bcf5f55d9c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
+Date: Tue, 13 Jul 2021 13:03:21 +0200
+Subject: [PATCH 2/3] Add a missing include
+
+---
+ src/OVAL/oval_probe_session.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/OVAL/oval_probe_session.c b/src/OVAL/oval_probe_session.c
+index 6f6d7ad426..295782b536 100644
+--- a/src/OVAL/oval_probe_session.c
++++ b/src/OVAL/oval_probe_session.c
+@@ -48,6 +48,7 @@
+ #include "oval_probe_ext.h"
+ #include "probe-table.h"
+ #include "oval_types.h"
++#include "crapi/crapi.h"
+
+ #if defined(OSCAP_THREAD_SAFE)
+ #include
+
+From 6241a8835574429a787e0dd48d2c0ac2a71499b8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
+Date: Thu, 15 Jul 2021 14:21:00 +0200
+Subject: [PATCH 3/3] Don't initialize crypto on Windows
+
+---
+ src/OVAL/oval_probe_session.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/OVAL/oval_probe_session.c b/src/OVAL/oval_probe_session.c
+index 295782b536..b443cbcc80 100644
+--- a/src/OVAL/oval_probe_session.c
++++ b/src/OVAL/oval_probe_session.c
+@@ -97,8 +97,10 @@ static void oval_probe_session_libinit(void)
+ /*
+ * Initialize crypto API
+ */
++#ifndef OS_WINDOWS
+ if (crapi_init (NULL) != 0)
+ return (NULL);
++#endif
+ }
+
+ /**
diff --git a/openscap-1.3.6-test-rhbz1959570-pr-1788.patch b/openscap-1.3.6-test-rhbz1959570-pr-1788.patch
new file mode 100644
index 0000000..2c175b8
--- /dev/null
+++ b/openscap-1.3.6-test-rhbz1959570-pr-1788.patch
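Review bot: In openscap-1.3.6-initialize-crapi-once-pr-1779.patch, the block added to `oval_probe_session_libinit` ends in `return (NULL);`, but the hunk header shows the function as `static void`. A failing `crapi_init` therefore reaches no caller, and returning a value from a void function is itself something compilers diagnose. Before this patch each of the three probe init functions returned NULL on that failure; now the file-hash probes appear to carry on with a crypto library that did not initialize. At minimum use a plain `return;` and log the failure there, and preferably record the result so the hash probes can refuse to run. The function body starts outside the hunk, so whether it runs exactly once before any probe thread is spawned cannot be confirmed from here and is worth checking at the call site.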
@@ -0,0 +1,97 @@
+From 05faede8f6602b7b71d71fd965276225a986fb1f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
+Date: Wed, 28 Jul 2021 13:06:25 +0200
+Subject: [PATCH] Add a regression test for rhbz#1959570
+
+The bug was a segmentation fault in filehash58 probe which happened
+in openscap-1.3.3-6.el8_3.
+
+The bug was fixed by https://github.com/OpenSCAP/openscap/pull/1779
+and this patch adds a very small test.
+---
+ tests/probes/filehash58/CMakeLists.txt | 1 +
+ .../probes/filehash58/rhbz1959570_segfault.sh | 19 +++++++++
+ .../rhbz1959570_segfault_reproducer.xml | 39 +++++++++++++++++++
+ 3 files changed, 59 insertions(+)
+ create mode 100755 tests/probes/filehash58/rhbz1959570_segfault.sh
+ create mode 100644 tests/probes/filehash58/rhbz1959570_segfault_reproducer.xml
+
+diff --git a/tests/probes/filehash58/CMakeLists.txt b/tests/probes/filehash58/CMakeLists.txt
+index b26d8171fb..cdec0792eb 100644
+--- a/tests/probes/filehash58/CMakeLists.txt
++++ b/tests/probes/filehash58/CMakeLists.txt
+@@ -1,3 +1,4 @@
+ if(ENABLE_PROBES_INDEPENDENT)
+ add_oscap_test("test_probes_filehash58.sh")
++ add_oscap_test("rhbz1959570_segfault.sh")
+ endif()
+diff --git a/tests/probes/filehash58/rhbz1959570_segfault.sh b/tests/probes/filehash58/rhbz1959570_segfault.sh
+new file mode 100755
+index 0000000000..0c32cc79f1
+--- /dev/null
++++ b/tests/probes/filehash58/rhbz1959570_segfault.sh
+@@ -0,0 +1,19 @@
++#!/usr/bin/env bash
++
++# Copyright 2021 Red Hat Inc., Durham, North Carolina.
++# All Rights Reserved.
++#
++# OpenSCAP Probes Test Suite.
++#
++# Authors:
++# Jan Černý,
++
++set -e -o pipefail
++. $builddir/tests/test_common.sh
++
++# Test Cases
++
++stderr="$(mktemp)"
++$OSCAP oval eval --id oval:x:def:1 "$srcdir/rhbz1959570_segfault_reproducer.xml" 2> "$stderr"
++[ ! -s "$stderr" ]
++rm "$stderr"
+diff --git a/tests/probes/filehash58/rhbz1959570_segfault_reproducer.xml b/tests/probes/filehash58/rhbz1959570_segfault_reproducer.xml
+new file mode 100644
+index 0000000000..4b3fc4863a
+--- /dev/null
++++ b/tests/probes/filehash58/rhbz1959570_segfault_reproducer.xml
+@@ -0,0 +1,39 @@
++
++
++
++ jcerny
++ 1
++ 5.11
++ 2021-07-28T07:40:55
++
++
++
++
++ title
++ description
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++ /etc/os-release
++ SHA-256
++
++
++
++
++ /etc/os-release
++ SHA-256
++ 6488c757642cd493da09dd78ee27f039711a1ad79039900970553772fd2106af
++
++
++
diff --git a/openscap.spec b/openscap.spec
index 1ef7163..4a95e91 100644
--- a/openscap.spec
+++ b/openscap.spec
@@ -1,6 +1,6 @@
 Name: openscap
 Version: 1.3.5
-Release: 10%{?dist}
+Release: 11%{?dist}
 Epoch: 1
 Summary: Set of open source libraries enabling integration of the SCAP line of standards
 License: LGPLv2+
@@ -18,6 +18,8 @@ Patch9: openscap-1.3.6-coverity-issues-pr-1778.patch
 Patch10: openscap-1.3.6-disable-sha1-md5-pr-1781.patch
 Patch11: openscap-1.3.6-http_error_fix-PR_1805.patch
 Patch12: openscap-1.3.6-empty-proc-in-offline-pr-1812.patch
+Patch13: openscap-1.3.6-initialize-crapi-once-pr-1779.patch
+Patch14: openscap-1.3.6-test-rhbz1959570-pr-1788.patch
 BuildRequires: make
 BuildRequires: cmake >= 2.6
 BuildRequires: gcc
@@ -208,6 +210,9 @@ pathfix.py -i %{__python3} -p -n $RPM_BUILD_ROOT%{_bindir}/scap-as-rpm %{_bindir}/oscap-run-sce-script %changelog
+* Thu Nov 04 2021 Jan Černý - 1:1.3.5-11
+- Initialize crypto API only once (rhbz#2020044)
+
 * Mon Nov 01 2021 Evgenii Kolesnikov - 1:1.3.5-10 - Fix process58 probe errors when scanning minimalist filesystem in offline mode (rhbz#2019054)
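Review bot: In openscap-1.3.6-test-rhbz1959570-pr-1788.patch, the new `rhbz1959570_segfault.sh` removes its `mktemp` file only on the success path. Because of `set -e`, a non-zero exit from the `$OSCAP` call or a failing `[ ! -s "$stderr" ]` ends the script before `rm "$stderr"` runs, and whatever oscap wrote to stderr is never shown. Register the cleanup right after creating the file with `trap 'rm -f "$stderr"' EXIT`, and replace the bare check with `[ ! -s "$stderr" ] || { cat "$stderr" >&2; exit 1; }` so a failing run shows the diagnostic. `$builddir` on the `.` line is also unquoted and would break on a build path containing spaces.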