diff options
Diffstat (limited to 'meta-openembedded/meta-networking/recipes-support/strongswan/files/0001-openssl-Don-t-unload-providers.patch')
-rw-r--r-- | meta-openembedded/meta-networking/recipes-support/strongswan/files/0001-openssl-Don-t-unload-providers.patch | 92 |
1 files changed, 92 insertions, 0 deletions
diff --git a/meta-openembedded/meta-networking/recipes-support/strongswan/files/0001-openssl-Don-t-unload-providers.patch b/meta-openembedded/meta-networking/recipes-support/strongswan/files/0001-openssl-Don-t-unload-providers.patch new file mode 100644 index 0000000000..7da48cd2cf --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-support/strongswan/files/0001-openssl-Don-t-unload-providers.patch @@ -0,0 +1,92 @@ +From 3eecd40cec6415fc033f8d9141ab652047e71524 Mon Sep 17 00:00:00 2001 +From: Tobias Brunner <tobias@strongswan.org> +Date: Wed, 23 Feb 2022 17:29:02 +0100 +Subject: [PATCH] openssl: Don't unload providers + +There is a conflict between atexit() handlers registered by OpenSSL and +some executables (e.g. swanctl or pki) to deinitialize libstrongswan. +Because plugins are usually loaded after atexit() has been called, the +handler registered by OpenSSL will run before our handler. So when the +latter destroys the plugins it's a bad idea to try to access any OpenSSL +objects as they might already be invalid. + +Fixes: f556fce16b60 ("openssl: Load "legacy" provider in OpenSSL 3 for algorithms like MD4, DES etc.") +Closes strongswan/strongswan#921 + +Upstream-Status: Backport +[https://github.com/strongswan/strongswan/commit/3eecd40cec6415fc033f8d9141ab652047e71524] + +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> +--- + .../plugins/openssl/openssl_plugin.c | 27 +++---------------- + 1 file changed, 3 insertions(+), 24 deletions(-) + +diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c +index 6b4923649..1491d5cf8 100644 +--- a/src/libstrongswan/plugins/openssl/openssl_plugin.c ++++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c +@@ -16,7 +16,6 @@ + + #include <library.h> + #include <utils/debug.h> +-#include <collections/array.h> + #include <threading/thread.h> + #include <threading/mutex.h> + #include <threading/thread_value.h> +@@ -74,13 +73,6 @@ struct private_openssl_plugin_t { + * public functions + */ + openssl_plugin_t public; +- +-#if OPENSSL_VERSION_NUMBER >= 0x30000000L +- /** +- * Loaded providers +- */ +- array_t *providers; +-#endif + }; + + /** +@@ -887,15 +879,6 @@ METHOD(plugin_t, get_features, int, + METHOD(plugin_t, destroy, void, + private_openssl_plugin_t *this) + { +-#if OPENSSL_VERSION_NUMBER >= 0x30000000L +- OSSL_PROVIDER *provider; +- while (array_remove(this->providers, ARRAY_TAIL, &provider)) +- { +- OSSL_PROVIDER_unload(provider); +- } +- array_destroy(this->providers); +-#endif /* OPENSSL_VERSION_NUMBER */ +- + /* OpenSSL 1.1.0 cleans up itself at exit and while OPENSSL_cleanup() exists we + * can't call it as we couldn't re-initialize the library (as required by the + * unit tests and the Android app) */ +@@ -1009,20 +992,16 @@ plugin_t *openssl_plugin_create() + DBG1(DBG_LIB, "unable to load OpenSSL FIPS provider"); + return NULL; + } +- array_insert_create(&this->providers, ARRAY_TAIL, fips); + /* explicitly load the base provider containing encoding functions */ +- array_insert_create(&this->providers, ARRAY_TAIL, +- OSSL_PROVIDER_load(NULL, "base")); ++ OSSL_PROVIDER_load(NULL, "base"); + } + else if (lib->settings->get_bool(lib->settings, "%s.plugins.openssl.load_legacy", + TRUE, lib->ns)) + { + /* load the legacy provider for algorithms like MD4, DES, BF etc. */ +- array_insert_create(&this->providers, ARRAY_TAIL, +- OSSL_PROVIDER_load(NULL, "legacy")); ++ OSSL_PROVIDER_load(NULL, "legacy"); + /* explicitly load the default provider, as mentioned by crypto(7) */ +- array_insert_create(&this->providers, ARRAY_TAIL, +- OSSL_PROVIDER_load(NULL, "default")); ++ OSSL_PROVIDER_load(NULL, "default"); + } + ossl_provider_names_t data = {}; + OSSL_PROVIDER_do_all(NULL, concat_ossl_providers, &data); +-- +2.25.1 + |