- Fixes core dump in openssl req -modulus

- Fixes 'openssl req' to not ask for password when non-encrypted private key
  is used
- cms: Do not try to check binary format on stdin and -rctform fix
- Resolves: rhbz#1988137, rhbz#1988468, rhbz#1988137

Signed-off-by: Sahana Prasad <sahana@redhat.com>

0021-fix-core-dump-req.patch

@@ -0,0 +1,38 @@
+diff -up openssl-3.0.0-beta2/apps/req.c.req-segfault openssl-3.0.0-beta2/apps/req.c
+--- openssl-3.0.0-beta2/apps/req.c.req-segfault	2021-08-10 16:24:58.784384336 +0200
++++ openssl-3.0.0-beta2/apps/req.c	2021-08-10 16:26:38.347688172 +0200
+@@ -996,8 +996,8 @@ int req_main(int argc, char **argv)
+         if (EVP_PKEY_is_a(tpubkey, "RSA")) {
+             BIGNUM *n = NULL;
+ 
+-            /* Every RSA key has an 'n' */
+-            EVP_PKEY_get_bn_param(pkey, "n", &n);
++            if (!EVP_PKEY_get_bn_param(tpubkey, "n", &n))
++                goto end;
+             BN_print(out, n);
+             BN_free(n);
+         } else {
+diff -up openssl-3.0.0-beta2/test/recipes/25-test_req.t.req-segfault openssl-3.0.0-beta2/test/recipes/25-test_req.t
+--- openssl-3.0.0-beta2/test/recipes/25-test_req.t.req-segfault	2021-08-10 16:26:53.305884053 +0200
++++ openssl-3.0.0-beta2/test/recipes/25-test_req.t	2021-08-10 16:28:33.674221058 +0200
+@@ -78,7 +78,7 @@ subtest "generating alt certificate requ
+ 
+ 
+ subtest "generating certificate requests with RSA" => sub {
+-    plan tests => 7;
++    plan tests => 8;
+ 
+     SKIP: {
+         skip "RSA is not supported by this OpenSSL build", 2
+@@ -105,6 +105,11 @@ subtest "generating certificate requests
+ 
+         ok(run(app(["openssl", "req",
+                     "-config", srctop_file("test", "test.cnf"),
++                    "-modulus", "-in", "testreq-rsa.pem", "-noout"])),
++           "Printing a modulus of the request key");
++
++        ok(run(app(["openssl", "req",
++                    "-config", srctop_file("test", "test.cnf"),
+                     "-new", "-out", "testreq_withattrs_pem.pem", "-utf8",
+                     "-key", srctop_file("test", "testrsa_withattrs.pem")])),
+            "Generating request from a key with extra attributes - PEM");

0022-fix-openssl-req-password.patch

@@ -0,0 +1,33 @@
+diff -up openssl-3.0.0-beta2/apps/req.c.req-password openssl-3.0.0-beta2/apps/req.c
+--- openssl-3.0.0-beta2/apps/req.c.req-password	2021-08-10 16:31:04.726233653 +0200
++++ openssl-3.0.0-beta2/apps/req.c	2021-08-10 16:31:58.286947297 +0200
+@@ -686,7 +686,7 @@ int req_main(int argc, char **argv)
+         EVP_PKEY_CTX_free(genctx);
+         genctx = NULL;
+     }
+-    if (keyout == NULL) {
++    if (keyout == NULL && keyfile == NULL) {
+         keyout = NCONF_get_string(req_conf, section, KEYFILE);
+         if (keyout == NULL)
+             ERR_clear_error();
+diff -up openssl-3.0.0-beta2/doc/man1/openssl-req.pod.in.req-password openssl-3.0.0-beta2/doc/man1/openssl-req.pod.in
+--- openssl-3.0.0-beta2/doc/man1/openssl-req.pod.in.req-password	2021-08-10 16:32:21.863261416 +0200
++++ openssl-3.0.0-beta2/doc/man1/openssl-req.pod.in	2021-08-10 16:33:19.173025012 +0200
+@@ -205,11 +205,12 @@ See L<openssl-format-options(1)> for det
+ =item B<-keyout> I<filename>
+ 
+ This gives the filename to write any private key to that has been newly created
+-or read from B<-key>.
+-If the B<-keyout> option is not given the filename specified in the
+-configuration file with the B<default_keyfile> option is used, if present.
+-If a new key is generated and no filename is specified
+-the key is written to standard output.
++or read from B<-key>.  If neither the B<-keyout> option nor the B<-key> option
++are given then the filename specified in the configuration file with the
++B<default_keyfile> option is used, if present.  Thus, if you want to write the
++private key and the B<-key> option is provided, you should provide the
++B<-keyout> option explicitly.  If a new key is generated and no filename is
++specified the key is written to standard output.
+ 
+ =item B<-noenc>
+ 

0023-cms-stdin.patch

@@ -0,0 +1,38 @@
+diff -up openssl-3.0.0-beta2/apps/cms.c.cms-stdin openssl-3.0.0-beta2/apps/cms.c
+--- openssl-3.0.0-beta2/apps/cms.c.cms-stdin	2021-08-10 16:20:07.787573587 +0200
++++ openssl-3.0.0-beta2/apps/cms.c	2021-08-10 16:23:08.500940124 +0200
+@@ -278,6 +278,8 @@ static void warn_binary(const char *file
+     unsigned char linebuf[1024], *cur, *end;
+     int len;
+ 
++    if (file == NULL)
++        return; /* cannot give a warning for stdin input */
+     if ((bio = bio_open_default(file, 'r', FORMAT_BINARY)) == NULL)
+         return; /* cannot give a proper warning since there is an error */
+     while ((len = BIO_read(bio, linebuf, sizeof(linebuf))) > 0) {
+@@ -482,13 +484,9 @@ int cms_main(int argc, char **argv)
+             rr_allorfirst = 1;
+             break;
+         case OPT_RCTFORM:
+-            if (rctformat == FORMAT_ASN1) {
+-                if (!opt_format(opt_arg(),
+-                                OPT_FMT_PEMDER | OPT_FMT_SMIME, &rctformat))
+-                    goto opthelp;
+-            } else {
+-                rcms = load_content_info(rctformat, rctin, 0, NULL, "recipient");
+-            }
++            if (!opt_format(opt_arg(),
++                            OPT_FMT_PEMDER | OPT_FMT_SMIME, &rctformat))
++                goto opthelp;
+             break;
+         case OPT_CERTFILE:
+             certfile = opt_arg();
+@@ -954,7 +952,7 @@ int cms_main(int argc, char **argv)
+             goto end;
+         }
+ 
+-        rcms = load_content_info(rctformat, rctin, 0, NULL, "recipient");
++        rcms = load_content_info(rctformat, rctin, 0, NULL, "receipt");
+         if (rcms == NULL)
+             goto end;
+     }

openssl.spec

@@ -15,7 +15,7 @@
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 3.0.0
-Release: 0.beta2.2%{?dist}.1
+Release: 0.beta2.3%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@@ -56,6 +56,12 @@ Patch11: 0011-Remove-EC-curves.patch
 Patch19: 0019-dual-abi.patch
 # Update alerts according to #1965017
 Patch20: 0020-sigalgs-fix-alerts.patch
+# Fixes core dump in openssl req -modulus
+Patch21: 0021-fix-core-dump-req.patch
+# Fixes 'openssl req' to not ask for password when non-encrypted key
+Patch22: 0022-fix-openssl-req-password.patch
+# cms: Do not try to check binary format on stdin and -rctform fix
+Patch23: 0023-cms-stdin.patch
 
 License: ASL 2.0
 URL: http://www.openssl.org/
@@ -378,6 +384,13 @@ install -m644 %{SOURCE9} \
 %ldconfig_scriptlets libs
 
 %changelog
+* Tue Aug 10 2021 Sahana Prasad <sahana@redhat.com> - 3.0.0-0.beta2.3
+- Fixes core dump in openssl req -modulus
+- Fixes 'openssl req' to not ask for password when non-encrypted private key
+  is used
+- cms: Do not try to check binary format on stdin and -rctform fix
+- Resolves: rhbz#1988137, rhbz#1988468, rhbz#1988137
+
 * Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1:3.0.0-0.beta2.2.1
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
   Related: rhbz#1991688