From patchwork Mon May 30 17:19:40 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Schaller X-Patchwork-Id: 627952 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from bombadil.infradead.org (bombadil.infradead.org [IPv6:2001:1868:205::9]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 3rJStp6Cr3z9t5T for ; Tue, 31 May 2016 06:30:58 +1000 (AEST) Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=google.com header.i=@google.com header.b=dsvPL7/6; dkim-atps=neutral Received: from localhost ([127.0.0.1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.80.1 #2 (Red Hat Linux)) id 1b7Tpn-0001Qn-8V; Mon, 30 May 2016 20:30:47 +0000 Received: from mail-wm0-x236.google.com ([2a00:1450:400c:c09::236]) by bombadil.infradead.org with esmtps (Exim 4.80.1 #2 (Red Hat Linux)) id 1b7Qrq-0000On-RM for hostap@lists.infradead.org; Mon, 30 May 2016 17:20:43 +0000 Received: by mail-wm0-x236.google.com with SMTP id a136so95699189wme.0 for ; Mon, 30 May 2016 10:20:21 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:from:date:message-id:subject:to; bh=Q4FGeRhuJkd5nkEgx6PGQ6Y/Dj/lOAVUtaCz5F2Grug=; b=dsvPL7/6nmgtG6HjAJT2tg4fgc2bfetFbDEQavBAc5aZlMUUzzl4mH2FLy9CK5SERs zVh4gWMmAZl33eQNZWlI5Ys32QAgw4sVZrBLi7EN7HdEKF2MsbiiVYAGeTN0F7dgvgc9 WJC7bdNMp9FSWDFXrBaA0qJUkuLDgTXjWLfhKaHEEvxpRQML/Q5deLPGCubXPntkSiRL PZO/kFyXi1hcOFrxwsoasWM9xoSaU86Zi3Mo0HJYru/b3vxFPoKsQq33RLRgibvk18Rt rg+0sXtZ8GkYtDLbvT+m0yEang+bwqFmaq5ZuWJnVXm2+xKAIiUaez8Q1JmRXKeFKNiN GmIg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=Q4FGeRhuJkd5nkEgx6PGQ6Y/Dj/lOAVUtaCz5F2Grug=; b=l+jIDfQgyYcvyUiTGz1lz3yvpycnPeH1ehLDuUeaxY1505Du6wjUUzdkK7AJxXe0CM GeubuqkOfMXrwwOnbGx7CxtPgFlU1kWBwNlSoKNmTuqhExJiEzUM7132ECUEo9s6qTu2 OWd3QVYk2idLxzFCR3WCYVSGRn9eZFE4PkWAEJFfVxUeD9cowy1JYfa4HqhitZbm7kDz EpJS9BbNI5cOvnrNIVX6cjxm3xahhAEiV6NHj9lEx/wb207z8A67rcEwBNrZxLv9eu60 ylJ8piv7178DjcSv1wRCZB2glO2RMa/PBSigiA1FjPkebsSG+48ctdOdye+475oIG4oW C8eA== X-Gm-Message-State: ALyK8tKydJ5LHLYG5n/hd39FrYOSH0LmPw6gMSGRNoC7vu536pLSHjth0Hc4LhfpCCawZJy6LhfvN1B0LrZaofMf X-Received: by 10.28.210.75 with SMTP id j72mr11262148wmg.31.1464628820336; Mon, 30 May 2016 10:20:20 -0700 (PDT) MIME-Version: 1.0 Received: by 10.28.152.137 with HTTP; Mon, 30 May 2016 10:19:40 -0700 (PDT) From: Michael Schaller Date: Mon, 30 May 2016 19:19:40 +0200 Message-ID: Subject: Bug with OpenSSL engine initialization in tls_engine_load_dynamic_generic To: hostap@lists.infradead.org X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20160530_102043_057605_F7D53BC0 X-CRM114-Status: UNSURE ( 9.50 ) X-CRM114-Notice: Please train this message. X-Spam-Score: -4.1 (----) X-Spam-Report: SpamAssassin version 3.4.0 on bombadil.infradead.org summary: Content analysis details: (-4.1 points) pts rule name description ---- ---------------------- -------------------------------------------------- -0.7 RCVD_IN_DNSWL_LOW RBL: Sender listed at http://www.dnswl.org/, low trust [2a00:1450:400c:c09:0:0:0:236 listed in] [list.dnswl.org] -0.0 SPF_PASS SPF: sender matches SPF record -1.4 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0000] -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid X-Mailman-Approved-At: Mon, 30 May 2016 13:30:45 -0700 X-BeenThere: hostap@lists.infradead.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "Hostap" Errors-To: hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org Hi everyone, The first ENGINE_by_id call (line 730) in tls_engine_load_dynamic_generic is used to check if a certain OpenSSL engine is already loaded: https://w1.fi/cgit/hostap/tree/src/crypto/tls_openssl.c#n730 This ENGINE_by_id call has a side effect though that it automatically loads that engine with the default options if the shared object of that engine can be found by openssl. This means that if the autoload succeeds then this check will always be true and hence this engine can't ever be loaded with the specific options for WPA supplicant as specified in the configuration. The autoload code in OpenSSL was introduced in 2002 with this commit: https://github.com/openssl/openssl/commit/aae329c447025eb87dab294d909f9fbc48f7174c I'm not sure what's the best way to fix this issue but you'll find a patch proposal in the end that iterates over the available engines instead of using ENGINE_by_id to avoid the engine autoload. Best, Michael Schaller Proposed patch: --- ./src/crypto/tls_openssl.c.old 2016-05-30 13:35:15.341868226 +0000 +++ ./src/crypto/tls_openssl.c 2016-05-30 16:56:29.880912599 +0000 @@ -617,7 +617,14 @@ ENGINE *engine; const char *dynamic_id = "dynamic"; - engine = ENGINE_by_id(id); + /* + * Check if engine is already loaded. This intentionally doesn't use + * ENGINE_by_id as this would autoload an engine if it isn't loaded yet. + */ + for (engine = ENGINE_get_first(); engine; engine = ENGINE_get_next(engine)) { + if(!strcmp(id, ENGINE_get_id(engine))) + break; + } if (engine) { ENGINE_free(engine); wpa_printf(MSG_DEBUG, "ENGINE: engine '%s' is already "