Patrick Williams | 4585273 | 2022-04-02 08:58:32 -0500 | 1 | From 3eecd40cec6415fc033f8d9141ab652047e71524 Mon Sep 17 00:00:00 2001 |
| 2 | From: Tobias Brunner <tobias@strongswan.org> |
| 3 | Date: Wed, 23 Feb 2022 17:29:02 +0100 |
| 4 | Subject: [PATCH] openssl: Don't unload providers |
| 5 | |
| 6 | There is a conflict between atexit() handlers registered by OpenSSL and |
| 7 | some executables (e.g. swanctl or pki) to deinitialize libstrongswan. |
| 8 | Because plugins are usually loaded after atexit() has been called, the |
| 9 | handler registered by OpenSSL will run before our handler. So when the |
| 10 | latter destroys the plugins it's a bad idea to try to access any OpenSSL |
| 11 | objects as they might already be invalid. |
| 12 | |
| 13 | Fixes: f556fce16b60 ("openssl: Load "legacy" provider in OpenSSL 3 for algorithms like MD4, DES etc.") |
| 14 | Closes strongswan/strongswan#921 |
| 15 | |
| 16 | Upstream-Status: Backport |
| 17 | [https://github.com/strongswan/strongswan/commit/3eecd40cec6415fc033f8d9141ab652047e71524] |
| 18 | |
| 19 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> |
| 20 | --- |
| 21 | .../plugins/openssl/openssl_plugin.c | 27 +++---------------- |
| 22 | 1 file changed, 3 insertions(+), 24 deletions(-) |
| 23 | |
| 24 | diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c |
| 25 | index 6b4923649..1491d5cf8 100644 |
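--- a/src/libstrongswan/plugins/openssl/openssl_plugin.c
+++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c
@@ -16,7 +16,6 @@
 
 #include <library.h>
 #include <utils/debug.h>
-#include <collections/array.h>
 #include <threading/thread.h>
 #include <threading/mutex.h>
 #include <threading/thread_value.h>
@@ -74,13 +73,6 @@ struct private_openssl_plugin_t {
 * public functions
 */
 openssl_plugin_t public;
-
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
- /**
- * Loaded providers
- */
- array_t *providers;
-#endif
 };
 
 /**
@@ -887,15 +879,6 @@ METHOD(plugin_t, get_features, int,
 METHOD(plugin_t, destroy, void,
 private_openssl_plugin_t *this)
 {
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
- OSSL_PROVIDER *provider;
- while (array_remove(this->providers, ARRAY_TAIL, &provider))
- {
- OSSL_PROVIDER_unload(provider);
- }
- array_destroy(this->providers);
-#endif /* OPENSSL_VERSION_NUMBER */
-
 /* OpenSSL 1.1.0 cleans up itself at exit and while OPENSSL_cleanup() exists we
 * can't call it as we couldn't re-initialize the library (as required by the
 * unit tests and the Android app) */
@@ -1009,20 +992,16 @@ plugin_t *openssl_plugin_create()
 DBG1(DBG_LIB, "unable to load OpenSSL FIPS provider");
 return NULL;
 }
- array_insert_create(&this->providers, ARRAY_TAIL, fips);
 /* explicitly load the base provider containing encoding functions */
- array_insert_create(&this->providers, ARRAY_TAIL,
- OSSL_PROVIDER_load(NULL, "base"));
+ OSSL_PROVIDER_load(NULL, "base");
 }
 else if (lib->settings->get_bool(lib->settings, "%s.plugins.openssl.load_legacy",
 TRUE, lib->ns))
 {
 /* load the legacy provider for algorithms like MD4, DES, BF etc. */
- array_insert_create(&this->providers, ARRAY_TAIL,
- OSSL_PROVIDER_load(NULL, "legacy"));
+ OSSL_PROVIDER_load(NULL, "legacy");
 /* explicitly load the default provider, as mentioned by crypto(7) */
- array_insert_create(&this->providers, ARRAY_TAIL,
- OSSL_PROVIDER_load(NULL, "default"));
+ OSSL_PROVIDER_load(NULL, "default");
 }
 ossl_provider_names_t data = {};
 OSSL_PROVIDER_do_all(NULL, concat_ossl_providers, &data);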
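Review bot: The three `OSSL_PROVIDER_load()` calls in the last hunk ("base", "legacy", "default") discard their return value, so a provider that fails to load is not reported where it fails, unlike the FIPS provider just above, which logs and returns NULL. This matters most for "default": once any provider has been loaded explicitly, OpenSSL no longer falls back to the default provider on its own, so a successful "legacy" load followed by a failed "default" load would leave only the legacy algorithms (MD4, DES, BF) available. I would at least log the failure, e.g. `if (!OSSL_PROVIDER_load(NULL, "default")) { DBG1(DBG_LIB, "unable to load OpenSSL default provider"); }`, and the same for "base" in the FIPS branch. Whether creation should also fail with `return NULL` depends on the cleanup of `this`, which is outside the hunk, as is the rest of `openssl_plugin_create()`. A short comment at the load sites that the providers are intentionally never unloaded, because OpenSSL's atexit() handler may run before the plugin's destroy, would keep the discarded handles from being read as a leak.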
| 90 | -- |
| 91 | 2.25.1 |
| 92 | |