| From 3eecd40cec6415fc033f8d9141ab652047e71524 Mon Sep 17 00:00:00 2001 |
| From: Tobias Brunner <tobias@strongswan.org> |
| Date: Wed, 23 Feb 2022 17:29:02 +0100 |
| Subject: [PATCH] openssl: Don't unload providers |
| |
| There is a conflict between atexit() handlers registered by OpenSSL and |
| some executables (e.g. swanctl or pki) to deinitialize libstrongswan. |
| Because plugins are usually loaded after atexit() has been called, the |
| handler registered by OpenSSL will run before our handler. So when the |
| latter destroys the plugins it's a bad idea to try to access any OpenSSL |
| objects as they might already be invalid. |
| |
| Fixes: f556fce16b60 ("openssl: Load "legacy" provider in OpenSSL 3 for algorithms like MD4, DES etc.") |
| Closes strongswan/strongswan#921 |
| |
| Upstream-Status: Backport |
| [https://github.com/strongswan/strongswan/commit/3eecd40cec6415fc033f8d9141ab652047e71524] |
| |
| Signed-off-by: Yi Zhao <yi.zhao@windriver.com> |
| --- |
| .../plugins/openssl/openssl_plugin.c | 27 +++---------------- |
| 1 file changed, 3 insertions(+), 24 deletions(-) |
| |
| diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c |
| index 6b4923649..1491d5cf8 100644 |
| --- a/src/libstrongswan/plugins/openssl/openssl_plugin.c |
| +++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c |
| @@ -16,7 +16,6 @@ |
| |
| #include <library.h> |
| #include <utils/debug.h> |
| -#include <collections/array.h> |
| #include <threading/thread.h> |
| #include <threading/mutex.h> |
| #include <threading/thread_value.h> |
| @@ -74,13 +73,6 @@ struct private_openssl_plugin_t { |
| * public functions |
| */ |
| openssl_plugin_t public; |
| - |
| -#if OPENSSL_VERSION_NUMBER >= 0x30000000L |
| - /** |
| - * Loaded providers |
| - */ |
| - array_t *providers; |
| -#endif |
| }; |
| |
| /** |
| @@ -887,15 +879,6 @@ METHOD(plugin_t, get_features, int, |
| METHOD(plugin_t, destroy, void, |
| private_openssl_plugin_t *this) |
| { |
| -#if OPENSSL_VERSION_NUMBER >= 0x30000000L |
| - OSSL_PROVIDER *provider; |
| - while (array_remove(this->providers, ARRAY_TAIL, &provider)) |
| - { |
| - OSSL_PROVIDER_unload(provider); |
| - } |
| - array_destroy(this->providers); |
| -#endif /* OPENSSL_VERSION_NUMBER */ |
| - |
| /* OpenSSL 1.1.0 cleans up itself at exit and while OPENSSL_cleanup() exists we |
| * can't call it as we couldn't re-initialize the library (as required by the |
| * unit tests and the Android app) */ |
| @@ -1009,20 +992,16 @@ plugin_t *openssl_plugin_create() |
| DBG1(DBG_LIB, "unable to load OpenSSL FIPS provider"); |
| return NULL; |
| } |
| - array_insert_create(&this->providers, ARRAY_TAIL, fips); |
| /* explicitly load the base provider containing encoding functions */ |
| - array_insert_create(&this->providers, ARRAY_TAIL, |
| - OSSL_PROVIDER_load(NULL, "base")); |
| + OSSL_PROVIDER_load(NULL, "base"); |
| } |
| else if (lib->settings->get_bool(lib->settings, "%s.plugins.openssl.load_legacy", |
| TRUE, lib->ns)) |
| { |
| /* load the legacy provider for algorithms like MD4, DES, BF etc. */ |
| - array_insert_create(&this->providers, ARRAY_TAIL, |
| - OSSL_PROVIDER_load(NULL, "legacy")); |
| + OSSL_PROVIDER_load(NULL, "legacy"); |
| /* explicitly load the default provider, as mentioned by crypto(7) */ |
| - array_insert_create(&this->providers, ARRAY_TAIL, |
| - OSSL_PROVIDER_load(NULL, "default")); |
| + OSSL_PROVIDER_load(NULL, "default"); |
| } |
| ossl_provider_names_t data = {}; |
| OSSL_PROVIDER_do_all(NULL, concat_ossl_providers, &data); |
| -- |
| 2.25.1 |
| |