From 5c422226df442855a7dc9834eb4ff74865394a92 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
Date: Thu, 8 Jul 2021 14:28:16 +0200
Subject: [PATCH 1/3] Initialize crypto API only once

The function `crapi_init` calls `gcry_check_version` which must be called before any other function from the Libgcrypt library. That might be violated when multiple threads executing multiple probes are running. The mitigation proposed in this PR is to call `crapi_init` only once when the session is initialized which means before any threads are spawned.
See also: https://www.gnupg.org/documentation/manuals/gcrypt/Multi_002dThreading.html#Multi_002dThreading
Resolves: RHBZ#1959570
---
 src/OVAL/oval_probe_session.c | 5 +++++
 src/OVAL/probes/independent/filehash58_probe.c | 6 ------
 src/OVAL/probes/independent/filehash_probe.c | 6 ------
 src/OVAL/probes/independent/filemd5_probe.c | 6 ------
 4 files changed, 5 insertions(+), 18 deletions(-)

diff --git a/src/OVAL/oval_probe_session.c b/src/OVAL/oval_probe_session.c
index 435ca148fd..6f6d7ad426 100644
--- a/src/OVAL/oval_probe_session.c
+++ b/src/OVAL/oval_probe_session.c
@@ -93,6 +93,11 @@ static void oval_probe_session_libinit(void)
 SEXP_free((SEXP_t *)exp);

 ncache_libinit();
+ /*
+ * Initialize crypto API
+ */
+ if (crapi_init (NULL) != 0)
+ return (NULL);
 }

 /**
diff --git a/src/OVAL/probes/independent/filehash58_probe.c b/src/OVAL/probes/independent/filehash58_probe.c
index ff1e065746..32a38562bd 100644
--- a/src/OVAL/probes/independent/filehash58_probe.c
+++ b/src/OVAL/probes/independent/filehash58_probe.c
@@ -210,12 +210,6 @@ int filehash58_probe_offline_mode_supported()

 void *filehash58_probe_init(void)
 {
- /*
- * Initialize crypto API
- */
- if (crapi_init (NULL) != 0)
- return (NULL);
-
 /*
 * Initialize mutex.
 */
diff --git a/src/OVAL/probes/independent/filehash_probe.c b/src/OVAL/probes/independent/filehash_probe.c
index 522d976512..6d8780dc95 100644
--- a/src/OVAL/probes/independent/filehash_probe.c
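Review bot: `return (NULL);` in the added lines sits inside `static void oval_probe_session_libinit(void)` (per the hunk header), so it returns a value from a void function; C treats that as a constraint violation, and because the function has no return value a failed `crapi_init` is dropped without any record. The filehash58, filehash and filemd5 hunks in this patch delete the checks that made each `*_probe_init` return NULL on that failure, so the hash probes would now run against a crypto library whose initialisation failed instead of failing closed. Change the line to `return;` preceded by an error-level log call, or keep the result in a file-scope flag that the three probe init functions test. The same line is carried as context in the patch 3/3 hunk, and the body of `oval_probe_session_libinit` starts above this hunk, so how often it runs is not visible here.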
+++ b/src/OVAL/probes/independent/filehash_probe.c
@@ -190,12 +190,6 @@ int filehash_probe_offline_mode_supported()

 void *filehash_probe_init(void)
 {
- /*
- * Initialize crypto API
- */
- if (crapi_init (NULL) != 0)
- return (NULL);
-
 /*
 * Initialize mutex.
 */
diff --git a/src/OVAL/probes/independent/filemd5_probe.c b/src/OVAL/probes/independent/filemd5_probe.c
index d0de402d8b..99913581f0 100644
--- a/src/OVAL/probes/independent/filemd5_probe.c
+++ b/src/OVAL/probes/independent/filemd5_probe.c
@@ -163,12 +163,6 @@ int probe_offline_mode_supported()

 void *probe_init (void)
 {
- /*
- * Initialize crypto API
- */
- if (crapi_init (NULL) != 0)
- return (NULL);
-
 /*
 * Initialize mutex.
 */

From c4c26d99a59205d744befe52be4e81bcf5f55d9c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
Date: Tue, 13 Jul 2021 13:03:21 +0200
Subject: [PATCH 2/3] Add a missing include

---
 src/OVAL/oval_probe_session.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/OVAL/oval_probe_session.c b/src/OVAL/oval_probe_session.c
index 6f6d7ad426..295782b536 100644
--- a/src/OVAL/oval_probe_session.c
+++ b/src/OVAL/oval_probe_session.c
@@ -48,6 +48,7 @@
 #include "oval_probe_ext.h"
 #include "probe-table.h"
 #include "oval_types.h"
+#include "crapi/crapi.h"

 #if defined(OSCAP_THREAD_SAFE)
 #include

From 6241a8835574429a787e0dd48d2c0ac2a71499b8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
Date: Thu, 15 Jul 2021 14:21:00 +0200
Subject: [PATCH 3/3] Don't initialize crypto on Windows

---
 src/OVAL/oval_probe_session.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/OVAL/oval_probe_session.c b/src/OVAL/oval_probe_session.c
index 295782b536..b443cbcc80 100644
--- a/src/OVAL/oval_probe_session.c
+++ b/src/OVAL/oval_probe_session.c
@@ -97,8 +97,10 @@ static void oval_probe_session_libinit(void)
 /*
 * Initialize crypto API
 */
+#ifndef OS_WINDOWS
 if (crapi_init (NULL) != 0)
 return (NULL);
+#endif
 }

 /**
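Review bot: The `#ifndef OS_WINDOWS` guard around the `crapi_init` call in the patch 3/3 hunk has no comment, so the reason crypto initialisation is skipped on Windows is recorded only in the commit subject. Since patch 1/3 removed the per-probe calls, nothing in this series initialises the crypto API on that platform; if any of the file-hash probes can be built there (not visible from these hunks), they would use it uninitialised. A comment above the guard such as `/* crapi is not initialised on Windows: <reason> */` would make the intent reviewable. The `#include "crapi/crapi.h"` added in patch 2/3 stays unconditional, which may or may not be intended, and the function starts above this hunk.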