openscap/SOURCES/openscap-1.3.6-PR-1779-initialize-crapi-once.patch
2021-09-09 23:17:08 +00:00


From 5c422226df442855a7dc9834eb4ff74865394a92 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Thu, 8 Jul 2021 14:28:16 +0200
Subject: [PATCH 1/3] Initialize crypto API only once
The function `crapi_init` calls `gcry_check_version` which must be
called before any other function from the Libgcrypt library. That might
be violated when multiple threads executing multiple probes are running.
The mitigation proposed in this PR is to call `crapi_init` only once
when the session is initialized which means before any threads are
spawned.
See also: https://www.gnupg.org/documentation/manuals/gcrypt/Multi_002dThreading.html#Multi_002dThreading
Resolves: RHBZ#1959570
---
src/OVAL/oval_probe_session.c | 5 +++++
src/OVAL/probes/independent/filehash58_probe.c | 6 ------
src/OVAL/probes/independent/filehash_probe.c | 6 ------
src/OVAL/probes/independent/filemd5_probe.c | 6 ------
4 files changed, 5 insertions(+), 18 deletions(-)
diff --git a/src/OVAL/oval_probe_session.c b/src/OVAL/oval_probe_session.c
index 435ca148fd..6f6d7ad426 100644
--- a/src/OVAL/oval_probe_session.c
+++ b/src/OVAL/oval_probe_session.c
@@ -93,6 +93,11 @@ static void oval_probe_session_libinit(void)
SEXP_free((SEXP_t *)exp);
ncache_libinit();
+ /*
+ * Initialize crypto API
+ */
+ if (crapi_init (NULL) != 0)
+ return (NULL);
}
/**
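Review bot: The added `return (NULL);` sits in `oval_probe_session_libinit`, which the hunk header shows as `static void`, so it returns a value from a void function and a failed `crapi_init` is dropped without any report. Before this patch each of the three probe init functions returned NULL on that failure, which presumably let the caller refuse to run the probe. After it, the filehash58, filehash and filemd5 probes can go on to compute hashes with the crypto layer uninitialised. Use a bare `return;` at minimum, and preferably log the failure or record it in a flag that session creation checks. The same two lines are carried unchanged into the PATCH 3/3 hunk at `@@ -97,8 +97,10 @@`, and the function starts outside this hunk, so whether it is guaranteed to run once before probe threads are spawned cannot be confirmed from here.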
diff --git a/src/OVAL/probes/independent/filehash58_probe.c b/src/OVAL/probes/independent/filehash58_probe.c
index ff1e065746..32a38562bd 100644
--- a/src/OVAL/probes/independent/filehash58_probe.c
+++ b/src/OVAL/probes/independent/filehash58_probe.c
@@ -210,12 +210,6 @@ int filehash58_probe_offline_mode_supported()
void *filehash58_probe_init(void)
{
- /*
- * Initialize crypto API
- */
- if (crapi_init (NULL) != 0)
- return (NULL);
-
/*
* Initialize mutex.
*/
diff --git a/src/OVAL/probes/independent/filehash_probe.c b/src/OVAL/probes/independent/filehash_probe.c
index 522d976512..6d8780dc95 100644
--- a/src/OVAL/probes/independent/filehash_probe.c
+++ b/src/OVAL/probes/independent/filehash_probe.c
@@ -190,12 +190,6 @@ int filehash_probe_offline_mode_supported()
void *filehash_probe_init(void)
{
- /*
- * Initialize crypto API
- */
- if (crapi_init (NULL) != 0)
- return (NULL);
-
/*
* Initialize mutex.
*/
diff --git a/src/OVAL/probes/independent/filemd5_probe.c b/src/OVAL/probes/independent/filemd5_probe.c
index d0de402d8b..99913581f0 100644
--- a/src/OVAL/probes/independent/filemd5_probe.c
+++ b/src/OVAL/probes/independent/filemd5_probe.c
@@ -163,12 +163,6 @@ int probe_offline_mode_supported()
void *probe_init (void)
{
- /*
- * Initialize crypto API
- */
- if (crapi_init (NULL) != 0)
- return (NULL);
-
/*
* Initialize mutex.
*/
From c4c26d99a59205d744befe52be4e81bcf5f55d9c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Tue, 13 Jul 2021 13:03:21 +0200
Subject: [PATCH 2/3] Add a missing include
---
src/OVAL/oval_probe_session.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/OVAL/oval_probe_session.c b/src/OVAL/oval_probe_session.c
index 6f6d7ad426..295782b536 100644
--- a/src/OVAL/oval_probe_session.c
+++ b/src/OVAL/oval_probe_session.c
@@ -48,6 +48,7 @@
#include "oval_probe_ext.h"
#include "probe-table.h"
#include "oval_types.h"
+#include "crapi/crapi.h"
#if defined(OSCAP_THREAD_SAFE)
#include <pthread.h>
From 6241a8835574429a787e0dd48d2c0ac2a71499b8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Thu, 15 Jul 2021 14:21:00 +0200
Subject: [PATCH 3/3] Don't initialize crypto on Windows
---
src/OVAL/oval_probe_session.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/OVAL/oval_probe_session.c b/src/OVAL/oval_probe_session.c
index 295782b536..b443cbcc80 100644
--- a/src/OVAL/oval_probe_session.c
+++ b/src/OVAL/oval_probe_session.c
@@ -97,8 +97,10 @@ static void oval_probe_session_libinit(void)
/*
* Initialize crypto API
*/
+#ifndef OS_WINDOWS
if (crapi_init (NULL) != 0)
return (NULL);
+#endif
}
/**
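Review bot: With this guard an OS_WINDOWS build has no `crapi_init` call left anywhere in the series, because PATCH 1/3 removed the per-probe calls from filehash58, filehash and filemd5 unconditionally. If any of those probes is compiled on Windows (not visible here), it would hash with an uninitialised crypto backend. Either keep the call in the probes for that platform or state why none is needed. The `Initialize crypto API` comment also stays outside the guard, so on Windows it describes an empty block. Move `#ifndef OS_WINDOWS` above it and record the reason, e.g. `/* Initialize crypto API once, before probe threads start (skipped on Windows: <reason>) */`.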