<pre style='margin:0'>
Rainer Müller (raimue) pushed a commit to branch master
in repository macports-ports.
</pre>
<p><a href="https://github.com/macports/macports-ports/commit/f63b8bbdb02106107c498271f0c23ea7ae8b4256">https://github.com/macports/macports-ports/commit/f63b8bbdb02106107c498271f0c23ea7ae8b4256</a></p>
<pre style="white-space: pre; background: #F8F8F8">The following commit(s) were added to refs/heads/master by this push:
<span style='display:block; white-space:pre;color:#404040;'> new f63b8bbdb02 softhsm: fix segment violation at application end
</span>f63b8bbdb02 is described below
<span style='display:block; white-space:pre;color:#808000;'>commit f63b8bbdb02106107c498271f0c23ea7ae8b4256
</span>Author: Ian Young <ian@iay.org.uk>
AuthorDate: Mon May 22 16:40:57 2023 +0100
<span style='display:block; white-space:pre;color:#404040;'> softhsm: fix segment violation at application end
</span><span style='display:block; white-space:pre;color:#404040;'>
</span><span style='display:block; white-space:pre;color:#404040;'> Fix a segmentation violation at application termination
</span><span style='display:block; white-space:pre;color:#404040;'> through a combination of a couple of commits cherry-picked
</span><span style='display:block; white-space:pre;color:#404040;'> from upstream post-2.6.1 and a contribution from mouse07410
</span><span style='display:block; white-space:pre;color:#404040;'> directed at the same issue.
</span><span style='display:block; white-space:pre;color:#404040;'>
</span><span style='display:block; white-space:pre;color:#404040;'> Closes: https://trac.macports.org/ticket/64036
</span>---
security/softhsm/Portfile | 6 +-
...on-t-clean-up-engines-after-OpenSSL-has-a.patch | 128 +++++++++++++++++++++
..._cleanup-detection-without-using-our-own-.patch | 93 +++++++++++++++
.../files/0003-mouse07410-OSSLCryptoFactory.patch | 21 ++++
4 files changed, 247 insertions(+), 1 deletion(-)
<span style='display:block; white-space:pre;color:#808080;'>diff --git a/security/softhsm/Portfile b/security/softhsm/Portfile
</span><span style='display:block; white-space:pre;color:#808080;'>index 58136587206..685f86bf1fc 100644
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>--- a/security/softhsm/Portfile
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/security/softhsm/Portfile
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -4,7 +4,7 @@ PortSystem 1.0
</span>
name softhsm
version 2.6.1
<span style='display:block; white-space:pre;background:#ffe0e0;'>-revision 1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+revision 2
</span> categories security
platforms darwin
license BSD
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -23,6 +23,10 @@ checksums rmd160 73b116b9513d1afcd241431e967a582de1cb737f \
</span> sha256 61249473054bcd1811519ef9a989a880a7bdcc36d317c9c25457fc614df475f2 \
size 1066766
<span style='display:block; white-space:pre;background:#e0ffe0;'>+patchfiles 0001-Issue-548-Don-t-clean-up-engines-after-OpenSSL-has-a.patch \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ 0002-Fix-OPENSSL_cleanup-detection-without-using-our-own-.patch \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ 0003-mouse07410-OSSLCryptoFactory.patch
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span> depends_build port:libtool port:pkgconfig port:cppunit
depends_lib path:lib/libssl.dylib:openssl \
port:sqlite3
<span style='display:block; white-space:pre;color:#808080;'>diff --git a/security/softhsm/files/0001-Issue-548-Don-t-clean-up-engines-after-OpenSSL-has-a.patch b/security/softhsm/files/0001-Issue-548-Don-t-clean-up-engines-after-OpenSSL-has-a.patch
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 00000000000..649b695947f
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/security/softhsm/files/0001-Issue-548-Don-t-clean-up-engines-after-OpenSSL-has-a.patch
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,128 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+From c2cc0652b4c4829fc6ba186469f4e324af77dfe8 Mon Sep 17 00:00:00 2001
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+From: David Woodhouse <dwmw2@infradead.org>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Date: Mon, 4 May 2020 17:36:22 +0100
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Subject: [PATCH 1/2] Issue #548: Don't clean up engines after OpenSSL has
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ already shut down
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+MIME-Version: 1.0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Content-Type: text/plain; charset=UTF-8
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Content-Transfer-Encoding: 8bit
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+As of 1.1.0, OpenSSL registers its own atexit() handler to call
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+OPENSSL_cleanup(). If our own code subsequently tries to, for example,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+unreference an ENGINE, then it'll crash or deadlock with a use after
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+free.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Fix it by registering a callback with OPENSSL_atexit() to be called when
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+OPENSSL_cleanup() is called. It sets a flag which prevents any further
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+touching of OpenSSL objects — which would otherwise happen fairly much
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+immediately thereafter when our own OSSLCryptoFactory destructor gets
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+called by the C++ runtime's own atexit() handler.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Fixes: #548
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git src/lib/crypto/OSSLCryptoFactory.cpp src/lib/crypto/OSSLCryptoFactory.cpp
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index 32daca2..81d080a 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- src/lib/crypto/OSSLCryptoFactory.cpp
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ src/lib/crypto/OSSLCryptoFactory.cpp
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -77,6 +77,7 @@ bool OSSLCryptoFactory::FipsSelfTestStatus = false;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ static unsigned nlocks;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ static Mutex** locks;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++static bool ossl_shutdown;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ // Mutex callback
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ void lock_callback(int mode, int n, const char* file, int line)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -101,6 +102,26 @@ void lock_callback(int mode, int n, const char* file, int line)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++void ossl_factory_shutdown(void)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++{
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * As of 1.1.0, OpenSSL registers its own atexit() handler
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * to call OPENSSL_cleanup(). If our own atexit() handler
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * subsequently tries to, for example, unreference an
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * ENGINE, then it'll crash or deadlock with a use-after-free.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * This hook into the OpenSSL_atexit() handlers will get called
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * when OPENSSL_cleanup() is called, and sets a flag which
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * prevents any further touching of OpenSSL objects — which
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * would otherwise happen fairly much immediately thereafter
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * when our own OSSLCryptoFactory destructor gets called by
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * the C++ runtime's own atexit() handler.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ossl_shutdown = true;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ // Constructor
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ OSSLCryptoFactory::OSSLCryptoFactory()
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -119,6 +140,9 @@ OSSLCryptoFactory::OSSLCryptoFactory()
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ CRYPTO_set_locking_callback(lock_callback);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ setLockingCallback = true;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ // Mustn't dereference engines after OpenSSL itself has shut down
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ OPENSSL_atexit(ossl_factory_shutdown);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #ifdef WITH_FIPS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -226,31 +250,35 @@ err:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ // Destructor
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ OSSLCryptoFactory::~OSSLCryptoFactory()
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-#ifdef WITH_GOST
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- // Finish the GOST engine
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (eg != NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ // Don't do this if OPENSSL_cleanup() has already happened
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (!ossl_shutdown)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- ENGINE_finish(eg);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- ENGINE_free(eg);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- eg = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef WITH_GOST
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ // Finish the GOST engine
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (eg != NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ENGINE_finish(eg);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ENGINE_free(eg);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ eg = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- // Finish the rd_rand engine
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- ENGINE_finish(rdrand_engine);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- ENGINE_free(rdrand_engine);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- rdrand_engine = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ // Finish the rd_rand engine
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ENGINE_finish(rdrand_engine);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ENGINE_free(rdrand_engine);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ rdrand_engine = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ // Recycle locks
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (setLockingCallback)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ CRYPTO_set_locking_callback(NULL);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ // Destroy the one-and-only RNG
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ delete rng;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- // Recycle locks
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (setLockingCallback)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- CRYPTO_set_locking_callback(NULL);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ for (unsigned i = 0; i < nlocks; i++)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ MutexFactory::i()->recycleMutex(locks[i]);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+2.40.1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/security/softhsm/files/0002-Fix-OPENSSL_cleanup-detection-without-using-our-own-.patch b/security/softhsm/files/0002-Fix-OPENSSL_cleanup-detection-without-using-our-own-.patch
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 00000000000..02e879af974
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/security/softhsm/files/0002-Fix-OPENSSL_cleanup-detection-without-using-our-own-.patch
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,93 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+From 2793f3cafb3ea22fe61ad4fc1c626c8121cd4124 Mon Sep 17 00:00:00 2001
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+From: David Woodhouse <dwmw2@infradead.org>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Date: Wed, 13 May 2020 13:13:34 +0100
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Subject: [PATCH 2/2] Fix OPENSSL_cleanup() detection without using our own
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ atexit() handler
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+We can't register our own atexit() or OPENSSL_atexit() handler because
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+there's no way to unregister it when the SoftHSM DSO is unloaded. This
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+causes the crash reported at https://bugzilla.redhat.com/1831086#c8
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Instead of using that method to set a flag showing that OPENSSL_cleanup()
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+has occurred, instead test directly by calling OPENSSL_init_crypto() for
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+something that *would* do nothing, but will fail if OPENSSL_cleanup()
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+has indeed been run already.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Fixes: c2cc0652b4 "Issue #548: Don't clean up engines after OpenSSL
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ has already shut down"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git src/lib/crypto/OSSLCryptoFactory.cpp src/lib/crypto/OSSLCryptoFactory.cpp
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index 81d080a..ace4bcb 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- src/lib/crypto/OSSLCryptoFactory.cpp
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ src/lib/crypto/OSSLCryptoFactory.cpp
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -77,7 +77,6 @@ bool OSSLCryptoFactory::FipsSelfTestStatus = false;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ static unsigned nlocks;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ static Mutex** locks;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-static bool ossl_shutdown;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ // Mutex callback
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ void lock_callback(int mode, int n, const char* file, int line)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -102,26 +101,6 @@ void lock_callback(int mode, int n, const char* file, int line)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-void ossl_factory_shutdown(void)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-{
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- * As of 1.1.0, OpenSSL registers its own atexit() handler
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- * to call OPENSSL_cleanup(). If our own atexit() handler
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- * subsequently tries to, for example, unreference an
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- * ENGINE, then it'll crash or deadlock with a use-after-free.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- * This hook into the OpenSSL_atexit() handlers will get called
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- * when OPENSSL_cleanup() is called, and sets a flag which
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- * prevents any further touching of OpenSSL objects — which
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- * would otherwise happen fairly much immediately thereafter
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- * when our own OSSLCryptoFactory destructor gets called by
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- * the C++ runtime's own atexit() handler.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- ossl_shutdown = true;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ // Constructor
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ OSSLCryptoFactory::OSSLCryptoFactory()
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -140,9 +119,6 @@ OSSLCryptoFactory::OSSLCryptoFactory()
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ CRYPTO_set_locking_callback(lock_callback);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ setLockingCallback = true;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-#else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- // Mustn't dereference engines after OpenSSL itself has shut down
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- OPENSSL_atexit(ossl_factory_shutdown);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #ifdef WITH_FIPS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -250,7 +226,21 @@ err:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ // Destructor
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ OSSLCryptoFactory::~OSSLCryptoFactory()
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- // Don't do this if OPENSSL_cleanup() has already happened
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ bool ossl_shutdown = false;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ // OpenSSL 1.1.0+ will register an atexit() handler to run
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ // OPENSSL_cleanup(). If that has already happened we must
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ // not attempt to free any ENGINEs because they'll already
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ // have been destroyed and the use-after-free would cause
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ // a deadlock or crash.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ //
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ // Detect that situation because reinitialisation will fail
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ // after OPENSSL_cleanup() has run.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (void)ERR_set_mark();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ossl_shutdown = !OPENSSL_init_crypto(OPENSSL_INIT_ENGINE_RDRAND, NULL);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (void)ERR_pop_to_mark();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (!ossl_shutdown)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #ifdef WITH_GOST
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+2.40.1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/security/softhsm/files/0003-mouse07410-OSSLCryptoFactory.patch b/security/softhsm/files/0003-mouse07410-OSSLCryptoFactory.patch
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 00000000000..3d36d325834
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/security/softhsm/files/0003-mouse07410-OSSLCryptoFactory.patch
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,21 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git src/lib/crypto/OSSLCryptoFactory.cpp src/lib/crypto/OSSLCryptoFactory.cpp
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index ace4bcb..b5456d4 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- src/lib/crypto/OSSLCryptoFactory.cpp
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ src/lib/crypto/OSSLCryptoFactory.cpp
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -175,6 +175,7 @@ OSSLCryptoFactory::OSSLCryptoFactory()
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ OPENSSL_INIT_LOAD_CRYPTO_STRINGS |
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ OPENSSL_INIT_ADD_ALL_CIPHERS |
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ OPENSSL_INIT_ADD_ALL_DIGESTS |
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ OPENSSL_INIT_NO_ATEXIT |
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ OPENSSL_INIT_LOAD_CONFIG, NULL);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -238,7 +239,7 @@ OSSLCryptoFactory::~OSSLCryptoFactory()
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ // Detect that situation because reinitialisation will fail
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ // after OPENSSL_cleanup() has run.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ (void)ERR_set_mark();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- ossl_shutdown = !OPENSSL_init_crypto(OPENSSL_INIT_ENGINE_RDRAND, NULL);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ossl_shutdown = !OPENSSL_init_crypto(OPENSSL_INIT_ENGINE_RDRAND | OPENSSL_INIT_NO_ATEXIT, NULL);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ (void)ERR_pop_to_mark();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (!ossl_shutdown)
</span></pre><pre style='margin:0'>
</pre>