From c2ee7fde900e7268f6e4b5d567cd31024434295f Mon Sep 17 00:00:00 2001
From: Paul Wouters
Date: Tue, 12 May 2020 11:04:54 -0400
Subject: [PATCH] - Resolves: rhbz#1831086 softhsm use-after-free on process exit

---
 softhsm-2.6.1-rh1831086-exit.patch | 103 +++++++++++++++++++++++++++++
 softhsm.spec | 8 ++-
 2 files changed, 110 insertions(+), 1 deletion(-)
 create mode 100644 softhsm-2.6.1-rh1831086-exit.patch

diff --git a/softhsm-2.6.1-rh1831086-exit.patch b/softhsm-2.6.1-rh1831086-exit.patch
new file mode 100644
index 0000000..a46c8f3
--- /dev/null
+++ b/softhsm-2.6.1-rh1831086-exit.patch
@@ -0,0 +1,103 @@
+diff --git a/src/lib/crypto/OSSLCryptoFactory.cpp b/src/lib/crypto/OSSLCryptoFactory.cpp
+index 32daca2f..81d080a5 100644
+--- a/src/lib/crypto/OSSLCryptoFactory.cpp
++++ b/src/lib/crypto/OSSLCryptoFactory.cpp
+@@ -77,6 +77,7 @@ bool OSSLCryptoFactory::FipsSelfTestStatus = false;
+
+ static unsigned nlocks;
+ static Mutex** locks;
++static bool ossl_shutdown;
+
+ // Mutex callback
+ void lock_callback(int mode, int n, const char* file, int line)
+@@ -101,6 +102,26 @@ void lock_callback(int mode, int n, const char* file, int line)
+ }
+ }
+
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++void ossl_factory_shutdown(void)
++{
++ /*
++ * As of 1.1.0, OpenSSL registers its own atexit() handler
++ * to call OPENSSL_cleanup(). If our own atexit() handler
++ * subsequently tries to, for example, unreference an
++ * ENGINE, then it'll crash or deadlock with a use-after-free.
++ *
++ * This hook into the OpenSSL_atexit() handlers will get called
++ * when OPENSSL_cleanup() is called, and sets a flag which
++ * prevents any further touching of OpenSSL objects — which
++ * would otherwise happen fairly much immediately thereafter
++ * when our own OSSLCryptoFactory destructor gets called by
++ * the C++ runtime's own atexit() handler.
++ */
++ ossl_shutdown = true;
++}
++#endif
++
+ // Constructor
+ OSSLCryptoFactory::OSSLCryptoFactory()
+ {
+@@ -119,6 +140,9 @@ OSSLCryptoFactory::OSSLCryptoFactory()
+ CRYPTO_set_locking_callback(lock_callback);
+ setLockingCallback = true;
+ }
++#else
++ // Mustn't dereference engines after OpenSSL itself has shut down
++ OPENSSL_atexit(ossl_factory_shutdown);
+ #endif
+
+ #ifdef WITH_FIPS
+@@ -226,31 +250,35 @@ OSSLCryptoFactory::OSSLCryptoFactory()
+ // Destructor
+ OSSLCryptoFactory::~OSSLCryptoFactory()
+ {
+-#ifdef WITH_GOST
+- // Finish the GOST engine
+- if (eg != NULL)
++ // Don't do this if OPENSSL_cleanup() has already happened
++ if (!ossl_shutdown)
+ {
+- ENGINE_finish(eg);
+- ENGINE_free(eg);
+- eg = NULL;
+- }
++#ifdef WITH_GOST
++ // Finish the GOST engine
++ if (eg != NULL)
++ {
++ ENGINE_finish(eg);
++ ENGINE_free(eg);
++ eg = NULL;
++ }
+ #endif
+
+- // Finish the rd_rand engine
+- ENGINE_finish(rdrand_engine);
+- ENGINE_free(rdrand_engine);
+- rdrand_engine = NULL;
++ // Finish the rd_rand engine
++ ENGINE_finish(rdrand_engine);
++ ENGINE_free(rdrand_engine);
++ rdrand_engine = NULL;
+
++ // Recycle locks
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
++ if (setLockingCallback)
++ {
++ CRYPTO_set_locking_callback(NULL);
++ }
++#endif
++ }
+ // Destroy the one-and-only RNG
+ delete rng;
+
+- // Recycle locks
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+- if (setLockingCallback)
+- {
+- CRYPTO_set_locking_callback(NULL);
+- }
+-#endif
+ for (unsigned i = 0; i < nlocks; i++)
+ {
+ MutexFactory::i()->recycleMutex(locks[i]);
diff --git a/softhsm.spec b/softhsm.spec
index eb59251..cfe9e6b 100644
--- a/softhsm.spec
+++ b/softhsm.spec
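Review bot: The return value of `OPENSSL_atexit(ossl_factory_shutdown)` in the constructor hunk is ignored; OpenSSL documents it as returning 0 on failure, and if registration fails `ossl_shutdown` is never set and the destructor takes exactly the ENGINE_finish/ENGINE_free path after OPENSSL_cleanup() that this commit exists to avoid. A check such as `if (OPENSSL_atexit(ossl_factory_shutdown) != 1) { /* report with the file's usual error-logging macro */ }` makes the failure visible instead of silently reverting to the crash. The hook definition is guarded by `#if OPENSSL_VERSION_NUMBER >= 0x10100000L` while the destructor's new guard is `< 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)`; the constructor's `#if` that the new `#else` belongs to is outside the hunk, but if it matches the destructor's form the definition should use the exact negation `#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)` so the hook and its registration compile under the same condition. `delete rng` still runs unconditionally after OPENSSL_cleanup() has happened, and whether that destructor touches OpenSSL state cannot be seen here, so it is worth confirming it is safe in the shut-down case. Both the constructor and destructor bodies start and end outside the hunk.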
@@ -4,12 +4,14 @@
 Summary: Software version of a PKCS#11 Hardware Security Module
 Name: softhsm
 Version: 2.6.1
-Release: %{?prever:0.}1%{?prever:.%{prever}}%{?dist}
+Release: %{?prever:0.}2%{?prever:.%{prever}}%{?dist}
 License: BSD
 Url: http://www.opendnssec.org/
 Source: http://dist.opendnssec.org/source/%{?prever:testing/}%{name}-%{version}.tar.gz
 Source1: http://dist.opendnssec.org/source/%{?prever:testing/}%{name}-%{version}.tar.gz.sig
+Patch1: softhsm-2.6.1-rh1831086-exit.patch
+
 BuildRequires: openssl-devel >= 1.0.1k-6, sqlite-devel >= 3.4.2, cppunit-devel
 BuildRequires: gcc-c++, pkgconfig, p11-kit-devel
@@ -39,6 +41,7 @@ The devel package contains the libsofthsm include files
 %prep
 %setup -q -n %{name}-%{version}%{?prever}
+%patch1 -p1
 %if 0%{?prever:1} || 0%{?prerelease:1}
 # pre-release or post-release snapshots fixup
@@ -108,6 +111,9 @@ if [ -f /var/softhsm/slot0.db ]; then
 fi
 %changelog
+* Tue May 12 2020 Paul Wouters - 2.6.1-2
+- Resolves: rhbz#1831086 softhsm use-after-free on process exit
+
 * Thu Apr 30 2020 Paul Wouters - 2.6.1-1
 - Resolves: rhbz#1814324 -softhsm-2.6.1 is available