From 40ddd8c2ceb8aa89867eb2d7a61bf93abf3af404 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tmraz@fedoraproject.org>
Date: Thu, 4 Apr 2013 14:26:59 +0200
Subject: [PATCH] Check for error returns which cause segfaults in FIPS mode

- Fix missing error check and leak found by gcc-with-cpychecker (#800086)
---
 pyOpenSSL-0.13-check-error.patch | 77 ++++++++++++++++++++++++++++++++
 pyOpenSSL.spec                   | 10 ++++-
 2 files changed, 86 insertions(+), 1 deletion(-)
 create mode 100644 pyOpenSSL-0.13-check-error.patch

diff --git a/pyOpenSSL-0.13-check-error.patch b/pyOpenSSL-0.13-check-error.patch
new file mode 100644
index 0000000..3c7f01c
--- /dev/null
+++ b/pyOpenSSL-0.13-check-error.patch
@@ -0,0 +1,77 @@
+diff -up pyOpenSSL-0.13/OpenSSL/crypto/crypto.c.error pyOpenSSL-0.13/OpenSSL/crypto/crypto.c
+--- pyOpenSSL-0.13/OpenSSL/crypto/crypto.c.error	2011-09-02 17:46:13.000000000 +0200
++++ pyOpenSSL-0.13/OpenSSL/crypto/crypto.c	2013-04-04 14:25:17.405118204 +0200
+@@ -45,12 +45,15 @@ global_passphrase_callback(char *buf, in
+ 
+     func = (PyObject *)cb_arg;
+     argv = Py_BuildValue("(i)", rwflag);
++    if (argv == NULL)
++        return 0;
+     ret = PyEval_CallObject(func, argv);
+     Py_DECREF(argv);
+     if (ret == NULL)
+         return 0;
+     if (!PyBytes_Check(ret))
+     {
++        Py_DECREF(ret);
+         PyErr_SetString(PyExc_ValueError, "String expected");
+         return 0;
+     }
+@@ -58,6 +61,7 @@ global_passphrase_callback(char *buf, in
+     if (nchars > len)
+         nchars = len;
+     strncpy(buf, PyBytes_AsString(ret), nchars);
++    Py_DECREF(ret);
+     return nchars;
+ }
+ 
+@@ -637,7 +641,10 @@ crypto_sign(PyObject *spam, PyObject *ar
+         return NULL;
+     }
+ 
+-    EVP_SignInit(&md_ctx, digest);
++    if (EVP_SignInit(&md_ctx, digest) <= 0) {
++        exception_from_error_queue(crypto_Error);
++        return NULL;
++    }
+     EVP_SignUpdate(&md_ctx, data, data_len);
+     sig_len = sizeof(sig_buf);
+     err = EVP_SignFinal(&md_ctx, sig_buf, &sig_len, pkey->pkey);
+@@ -692,7 +699,11 @@ crypto_verify(PyObject *spam, PyObject *
+         return NULL;
+     }
+ 
+-    EVP_VerifyInit(&md_ctx, digest);
++    if (EVP_VerifyInit(&md_ctx, digest) <= 0) {
++        exception_from_error_queue(crypto_Error);
++        EVP_PKEY_free(pkey);
++        return NULL;
++    }
+     EVP_VerifyUpdate(&md_ctx, data, data_len);
+     err = EVP_VerifyFinal(&md_ctx, signature, sig_len, pkey);
+     EVP_PKEY_free(pkey);
+diff -up pyOpenSSL-0.13/OpenSSL/crypto/x509.c.error pyOpenSSL-0.13/OpenSSL/crypto/x509.c
+--- pyOpenSSL-0.13/OpenSSL/crypto/x509.c.error	2011-09-02 17:46:13.000000000 +0200
++++ pyOpenSSL-0.13/OpenSSL/crypto/x509.c	2013-04-04 14:02:34.932847551 +0200
+@@ -656,6 +656,7 @@ crypto_X509_digest(crypto_X509Obj *self,
+     if (!X509_digest(self->x509,digest,fp,&len))
+     {
+         exception_from_error_queue(crypto_Error);
++        return NULL;
+     }
+     tmp = malloc(3*len+1);
+     memset(tmp, 0, 3*len+1);
+diff -up pyOpenSSL-0.13/OpenSSL/ssl/context.c.error pyOpenSSL-0.13/OpenSSL/ssl/context.c
+--- pyOpenSSL-0.13/OpenSSL/ssl/context.c.error	2011-09-02 17:46:13.000000000 +0200
++++ pyOpenSSL-0.13/OpenSSL/ssl/context.c	2013-04-04 14:02:34.932847551 +0200
+@@ -1215,6 +1215,10 @@ ssl_Context_init(ssl_ContextObj *self, i
+     }
+ 
+     self->ctx = SSL_CTX_new(method);
++    if (self->ctx == NULL) {
++        exception_from_error_queue(ssl_Error);
++        return NULL;
++    }
+     Py_INCREF(Py_None);
+     self->passphrase_callback = Py_None;
+     Py_INCREF(Py_None);
diff --git a/pyOpenSSL.spec b/pyOpenSSL.spec
index b2f65b8..dfa2a15 100644
--- a/pyOpenSSL.spec
+++ b/pyOpenSSL.spec
@@ -1,13 +1,16 @@
 Summary: Python wrapper module around the OpenSSL library
 Name: pyOpenSSL
 Version: 0.13
-Release: 5%{?dist}
+Release: 6%{?dist}
 Source0: http://pypi.python.org/packages/source/p/pyOpenSSL/%{name}-%{version}.tar.gz
 
 # Fedora specific patches
 
 Patch2: pyOpenSSL-elinks.patch
 Patch3: pyOpenSSL-nopdfout.patch
+
+Patch10: pyOpenSSL-0.13-check-error.patch
+
 License: ASL 2.0
 Group: Development/Libraries
 Url: http://pyopenssl.sourceforge.net/
@@ -32,6 +35,7 @@ High-level wrapper around a subset of the OpenSSL library, includes among others
 %setup -q
 %patch2 -p1 -b .elinks
 %patch3 -p1 -b .nopdfout
+%patch10 -p1 -b .error
 
 # Fix permissions for debuginfo package
 %{__chmod} -x OpenSSL/ssl/connection.c
@@ -53,6 +57,10 @@ find doc/ -name pyOpenSSL.\*
 %{python_sitearch}/%{name}*.egg-info
 
 %changelog
+* Thu Apr  4 2013 Tomáš Mráz <tmraz@redhat.com> - 0.13-6
+- Check for error returns which cause segfaults in FIPS mode
+- Fix missing error check and leak found by gcc-with-cpychecker (#800086)
+
 * Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.13-5
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild