strongswan: 5.9.4 -> 5.9.5

* Backport a patch to fix the segfault with swanctl:

  $ /usr/sbin/charon-systemd &
  $ /usr/sbin/swanctl --load-all --noprompt
  no files found matching '/etc/swanctl/conf.d/*.conf'
  no authorities found, 0 unloaded
  no pools found, 0 unloaded
  no connections found, 0 unloaded
  Segmentation fault

* Drop fix-funtion-parameter.patch and
  0001-memory.h-Include-stdint.h-for-uintptr_t.patch as the issues have
  been fixed upstream.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>

4 files changed, 94 insertions, 124 deletions

diff --git a/meta-networking/recipes-support/strongswan/files/0001-memory.h-Include-stdint.h-for-uintptr_t.patch b/meta-networking/recipes-support/strongswan/files/0001-memory.h-Include-stdint.h-for-uintptr_t.patch
deleted file mode 100644
index 2d17507b17..0000000000
--- a/meta-networking/recipes-support/strongswan/files/0001-memory.h-Include-stdint.h-for-uintptr_t.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-From 33a53dc13fd924949a582109b45fedd8d0bed59b Mon Sep 17 00:00:00 2001
-From: Khem Raj <raj.khem@gmail.com>
-Date: Tue, 27 Jun 2017 07:42:11 -0700
-Subject: [PATCH] memory.h: Include stdint.h for uintptr_t
-
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
-
----
- src/libstrongswan/utils/utils/memory.h | 2 ++
- 1 file changed, 2 insertions(+)
-
---- a/src/libstrongswan/utils/utils/memory.h
-+++ b/src/libstrongswan/utils/utils/memory.h
-@@ -26,6 +26,8 @@
- #include <string.h>
- #endif
- 
-+#include <stdint.h>
-+
- /**
-  * Helper function that compares two binary blobs for equality
-  */
diff --git a/meta-networking/recipes-support/strongswan/files/0001-openssl-Don-t-unload-providers.patch b/meta-networking/recipes-support/strongswan/files/0001-openssl-Don-t-unload-providers.patch
new file mode 100644
index 0000000000..7da48cd2cf
--- /dev/null
+++ b/meta-networking/recipes-support/strongswan/files/0001-openssl-Don-t-unload-providers.patch
@@ -0,0 +1,92 @@
+From 3eecd40cec6415fc033f8d9141ab652047e71524 Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Wed, 23 Feb 2022 17:29:02 +0100
+Subject: [PATCH] openssl: Don't unload providers
+
+There is a conflict between atexit() handlers registered by OpenSSL and
+some executables (e.g. swanctl or pki) to deinitialize libstrongswan.
+Because plugins are usually loaded after atexit() has been called, the
+handler registered by OpenSSL will run before our handler.  So when the
+latter destroys the plugins it's a bad idea to try to access any OpenSSL
+objects as they might already be invalid.
+
+Fixes: f556fce16b60 ("openssl: Load "legacy" provider in OpenSSL 3 for algorithms like MD4, DES etc.")
+Closes strongswan/strongswan#921
+
+Upstream-Status: Backport
+[https://github.com/strongswan/strongswan/commit/3eecd40cec6415fc033f8d9141ab652047e71524]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ .../plugins/openssl/openssl_plugin.c          | 27 +++----------------
+ 1 file changed, 3 insertions(+), 24 deletions(-)
+
+diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c
+index 6b4923649..1491d5cf8 100644
+--- a/src/libstrongswan/plugins/openssl/openssl_plugin.c
++++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c
+@@ -16,7 +16,6 @@
+ 
+ #include <library.h>
+ #include <utils/debug.h>
+-#include <collections/array.h>
+ #include <threading/thread.h>
+ #include <threading/mutex.h>
+ #include <threading/thread_value.h>
+@@ -74,13 +73,6 @@ struct private_openssl_plugin_t {
+ 	 * public functions
+ 	 */
+ 	openssl_plugin_t public;
+-
+-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+-	/**
+-	 * Loaded providers
+-	 */
+-	array_t *providers;
+-#endif
+ };
+ 
+ /**
+@@ -887,15 +879,6 @@ METHOD(plugin_t, get_features, int,
+ METHOD(plugin_t, destroy, void,
+ 	private_openssl_plugin_t *this)
+ {
+-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+-	OSSL_PROVIDER *provider;
+-	while (array_remove(this->providers, ARRAY_TAIL, &provider))
+-	{
+-		OSSL_PROVIDER_unload(provider);
+-	}
+-	array_destroy(this->providers);
+-#endif /* OPENSSL_VERSION_NUMBER */
+-
+ /* OpenSSL 1.1.0 cleans up itself at exit and while OPENSSL_cleanup() exists we
+  * can't call it as we couldn't re-initialize the library (as required by the
+  * unit tests and the Android app) */
+@@ -1009,20 +992,16 @@ plugin_t *openssl_plugin_create()
+ 			DBG1(DBG_LIB, "unable to load OpenSSL FIPS provider");
+ 			return NULL;
+ 		}
+-		array_insert_create(&this->providers, ARRAY_TAIL, fips);
+ 		/* explicitly load the base provider containing encoding functions */
+-		array_insert_create(&this->providers, ARRAY_TAIL,
+-							OSSL_PROVIDER_load(NULL, "base"));
++		OSSL_PROVIDER_load(NULL, "base");
+ 	}
+ 	else if (lib->settings->get_bool(lib->settings, "%s.plugins.openssl.load_legacy",
+ 									 TRUE, lib->ns))
+ 	{
+ 		/* load the legacy provider for algorithms like MD4, DES, BF etc. */
+-		array_insert_create(&this->providers, ARRAY_TAIL,
+-							OSSL_PROVIDER_load(NULL, "legacy"));
++		OSSL_PROVIDER_load(NULL, "legacy");
+ 		/* explicitly load the default provider, as mentioned by crypto(7) */
+-		array_insert_create(&this->providers, ARRAY_TAIL,
+-							OSSL_PROVIDER_load(NULL, "default"));
++		OSSL_PROVIDER_load(NULL, "default");
+ 	}
+ 	ossl_provider_names_t data = {};
+ 	OSSL_PROVIDER_do_all(NULL, concat_ossl_providers, &data);
+-- 
+2.25.1
+
diff --git a/meta-networking/recipes-support/strongswan/files/fix-funtion-parameter.patch b/meta-networking/recipes-support/strongswan/files/fix-funtion-parameter.patch
deleted file mode 100644
index 5945507bf1..0000000000
--- a/meta-networking/recipes-support/strongswan/files/fix-funtion-parameter.patch
+++ /dev/null
@@ -1,99 +0,0 @@
-From 9f97479373f3fceedc471074b81486d77a49618d Mon Sep 17 00:00:00 2001
-From: "Roy.Li" <rongqing.li@windriver.com>
-Date: Tue, 4 Mar 2014 14:38:42 +0800
-Subject: [PATCH] fix the function parameter
-
-Upstream-Status: Pending
-
-Original openssl_diffie_hellman_create has three parameters, but
-it is reassigned a function pointer which has one parameter, and
-is called with one parameter, which will lead to segment fault
-on PPC, Now we simply correct the number of parameters.
-
-    #0  0x484d4aa0 in __GI_raise (sig=6)
-         at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
-    #1  0x484d9930 in __GI_abort () at abort.c:91
-    #2  0x10002064 in segv_handler (signal=11) at charon.c:224
-    #3  <signal handler called>
-    #4  0x48d89630 in openssl_diffie_hellman_create (group=MODP_1024_BIT, g=...,
-         p=<error reading variable: Cannot access memory at address 0x0>)
-         at openssl_diffie_hellman.c:143
-    #5  0x482c54f8 in create_dh (this=0x11ac6e68, group=MODP_1024_BIT)
-         at crypto/crypto_factory.c:358
-    #6  0x48375884 in create_dh (this=<optimized out>, group=<optimized out>)
-         at sa/keymat.c:132
-    #7  0x483843b8 in process_payloads (this=0x51400a78, message=<optimized
-    out>)
-         at sa/tasks/ike_init.c:200
-    #8  0x483844d0 in process_r (this=0x51400a78, message=0x51500778)
-         at sa/tasks/ike_init.c:319
-    #9  0x48374c9c in process_request (message=0x51500778, this=0x51400d20)
-         at sa/task_manager.c:870
-    #10 process_message (this=0x51400d20, msg=0x51500778) at
-    sa/task_manager.c:925
-    #11 0x4836c378 in process_message (this=0x514005f0, message=0x51500778)
-         at sa/ike_sa.c:1317
-    #12 0x48362270 in execute (this=0x515008d0)
-         at processing/jobs/process_message_job.c:74
-
-Signed-off-by: Roy.Li <rongqing.li@windriver.com>
-
----
- src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c | 8 +++++++-
- src/libstrongswan/plugins/openssl/openssl_diffie_hellman.h | 4 +++-
- src/libstrongswan/plugins/openssl/openssl_plugin.c         | 1 +
- 3 files changed, 11 insertions(+), 2 deletions(-)
-
-diff --git a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
-index 8e9c118..a73b038 100644
---- a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
-+++ b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
-@@ -192,7 +192,7 @@ METHOD(diffie_hellman_t, destroy, void,
- /*
-  * Described in header.
-  */
--openssl_diffie_hellman_t *openssl_diffie_hellman_create(
-+openssl_diffie_hellman_t *openssl_diffie_hellman_create_custom(
- 											diffie_hellman_group_t group, ...)
- {
- 	private_openssl_diffie_hellman_t *this;
-@@ -255,5 +255,11 @@ openssl_diffie_hellman_t *openssl_diffie_hellman_create(
- 	DBG2(DBG_LIB, "size of DH secret exponent: %d bits", BN_num_bits(privkey));
- 	return &this->public;
- }
-+openssl_diffie_hellman_t *openssl_diffie_hellman_create( diffie_hellman_group_t group)
-+{
-+	chunk_t g;
-+	chunk_t p;
-+	openssl_diffie_hellman_create_custom(group, g, p);
-+}
- 
- #endif /* OPENSSL_NO_DH */
-diff --git a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.h b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.h
-index 5de5520..22586e0 100644
---- a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.h
-+++ b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.h
-@@ -43,8 +43,10 @@ struct openssl_diffie_hellman_t {
-  * @param ...			expects generator and prime as chunk_t if MODP_CUSTOM
-  * @return				openssl_diffie_hellman_t object, NULL if not supported
-  */
--openssl_diffie_hellman_t *openssl_diffie_hellman_create(
-+openssl_diffie_hellman_t *openssl_diffie_hellman_create_custom(
- 											diffie_hellman_group_t group, ...);
-+openssl_diffie_hellman_t *openssl_diffie_hellman_create(
-+							diffie_hellman_group_t group);
- 
- #endif /** OPENSSL_DIFFIE_HELLMAN_H_ @}*/
- 
-diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c
-index 8b0a7c5..114d575 100644
---- a/src/libstrongswan/plugins/openssl/openssl_plugin.c
-+++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c
-@@ -609,6 +609,7 @@ METHOD(plugin_t, get_features, int,
- 			PLUGIN_PROVIDE(DH, MODP_1024_BIT),
- 			PLUGIN_PROVIDE(DH, MODP_1024_160),
- 			PLUGIN_PROVIDE(DH, MODP_768_BIT),
-+		PLUGIN_REGISTER(DH, openssl_diffie_hellman_create_custom),
- 			PLUGIN_PROVIDE(DH, MODP_CUSTOM),
- #endif
- #ifndef OPENSSL_NO_RSA
diff --git a/meta-networking/recipes-support/strongswan/strongswan_5.9.4.bb b/meta-networking/recipes-support/strongswan/strongswan_5.9.5.bb
index babfe17d29..cfb7b41fa4 100644
--- a/meta-networking/recipes-support/strongswan/strongswan_5.9.4.bb
+++ b/meta-networking/recipes-support/strongswan/strongswan_5.9.5.bb
@@ -9,11 +9,10 @@ DEPENDS = "flex-native flex bison-native"
 DEPENDS:append = "${@bb.utils.contains('DISTRO_FEATURES', 'tpm2', '  tpm2-tss', '', d)}"
 
 SRC_URI = "http://download.strongswan.org/strongswan-${PV}.tar.bz2 \
-           file://fix-funtion-parameter.patch \
-           file://0001-memory.h-Include-stdint.h-for-uintptr_t.patch \
+           file://0001-openssl-Don-t-unload-providers.patch \
            "
 
-SRC_URI[sha256sum] = "45fdf1a4c2af086d8ff5b76fd7b21d3b6f0890f365f83bf4c9a75dda26887518"
+SRC_URI[sha256sum] = "983e4ef4a4c6c9d69f5fe6707c7fe0b2b9a9291943bbf4e008faab6bf91c0bdd"
 
 UPSTREAM_CHECK_REGEX = "strongswan-(?P<pver>\d+(\.\d+)+)\.tar"