openssl: Don't unload providers

There is a conflict between atexit() handlers registered by OpenSSL and
some executables (e.g. swanctl or pki) to deinitialize libstrongswan.
Because plugins are usually loaded after atexit() has been called, the
handler registered by OpenSSL will run before our handler.  So when the
latter destroys the plugins it's a bad idea to try to access any OpenSSL
objects as they might already be invalid.

Fixes: f556fce16b60 ("openssl: Load "legacy" provider in OpenSSL 3 for algorithms like MD4, DES etc.")
Closes strongswan/strongswan#921

diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c
index 6b4923649057cfe08598713d574b8482a52fc9fa..1491d5cf83490e554fe255083f40bd84c05e5cc3 100644 (file)
--- a/src/libstrongswan/plugins/openssl/openssl_plugin.c
+++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c
@@ -16,7 +16,6 @@
 
 #include <library.h>
 #include <utils/debug.h>
-#include <collections/array.h>
 #include <threading/thread.h>
 #include <threading/mutex.h>
 #include <threading/thread_value.h>
@@ -74,13 +73,6 @@ struct private_openssl_plugin_t {
         * public functions
         */
        openssl_plugin_t public;
-
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
-       /**
-        * Loaded providers
-        */
-       array_t *providers;
-#endif
 };
 
 /**
@@ -887,15 +879,6 @@ METHOD(plugin_t, get_features, int,
 METHOD(plugin_t, destroy, void,
        private_openssl_plugin_t *this)
 {
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
-       OSSL_PROVIDER *provider;
-       while (array_remove(this->providers, ARRAY_TAIL, &provider))
-       {
-               OSSL_PROVIDER_unload(provider);
-       }
-       array_destroy(this->providers);
-#endif /* OPENSSL_VERSION_NUMBER */
-
 /* OpenSSL 1.1.0 cleans up itself at exit and while OPENSSL_cleanup() exists we
  * can't call it as we couldn't re-initialize the library (as required by the
  * unit tests and the Android app) */
@@ -1009,20 +992,16 @@ plugin_t *openssl_plugin_create()
                        DBG1(DBG_LIB, "unable to load OpenSSL FIPS provider");
                        return NULL;
                }
-               array_insert_create(&this->providers, ARRAY_TAIL, fips);
                /* explicitly load the base provider containing encoding functions */
-               array_insert_create(&this->providers, ARRAY_TAIL,
-                                                       OSSL_PROVIDER_load(NULL, "base"));
+               OSSL_PROVIDER_load(NULL, "base");
        }
        else if (lib->settings->get_bool(lib->settings, "%s.plugins.openssl.load_legacy",
                                                                         TRUE, lib->ns))
        {
                /* load the legacy provider for algorithms like MD4, DES, BF etc. */
-               array_insert_create(&this->providers, ARRAY_TAIL,
-                                                       OSSL_PROVIDER_load(NULL, "legacy"));
+               OSSL_PROVIDER_load(NULL, "legacy");
                /* explicitly load the default provider, as mentioned by crypto(7) */
-               array_insert_create(&this->providers, ARRAY_TAIL,
-                                                       OSSL_PROVIDER_load(NULL, "default"));
+               OSSL_PROVIDER_load(NULL, "default");
        }
        ossl_provider_names_t data = {};
        OSSL_PROVIDER_do_all(NULL, concat_ossl_providers, &data);