Bug with OpenSSL engine initialization in tls_engine_load_dynamic_generic

Hi everyone,

The first ENGINE_by_id call (line 730) in
tls_engine_load_dynamic_generic is used to check if a certain OpenSSL
engine is already loaded:
https://w1.fi/cgit/hostap/tree/src/crypto/tls_openssl.c#n730

This ENGINE_by_id call has a side effect, though: it automatically
loads that engine with the default options if the shared object of
that engine can be found by OpenSSL. This means that if the autoload
succeeds, this check will always be true and hence this engine
can't ever be loaded with the specific options for wpa_supplicant as
specified in the configuration.

The autoload code in OpenSSL was introduced in 2002 with this commit:
https://github.com/openssl/openssl/commit/aae329c447025eb87dab294d909f9fbc48f7174c

I'm not sure what the best way to fix this issue is, but you'll find a
patch proposal at the end that iterates over the available engines
instead of using ENGINE_by_id to avoid the engine autoload.

Best,

Michael Schaller



Proposed patch:

--- ./src/crypto/tls_openssl.c.old 2016-05-30 13:35:15.341868226 +0000
+++ ./src/crypto/tls_openssl.c 2016-05-30 16:56:29.880912599 +0000
@@ -617,7 +617,14 @@
  ENGINE *engine;
  const char *dynamic_id = "dynamic";

- engine = ENGINE_by_id(id);
+ /*
+ * Check if engine is already loaded. This intentionally doesn't use
+ * ENGINE_by_id as this would autoload an engine if it isn't loaded yet.
+ */
+ for (engine = ENGINE_get_first(); engine; engine = ENGINE_get_next(engine)) {
+ if(!strcmp(id, ENGINE_get_id(engine)))
+ break;
+ }
  if (engine) {
  ENGINE_free(engine);
  wpa_printf(MSG_DEBUG, "ENGINE: engine '%s' is already "
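Review bot: `if(!strcmp(id, ENGINE_get_id(engine)))` drops the space after `if` that the surrounding code in this hunk uses (`if (engine) {` two lines below), and the `!strcmp` idiom reads as "not equal" at a glance; suggest `if (strcmp(id, ENGINE_get_id(engine)) == 0)`. The reference handling looks consistent: ENGINE_get_first()/ENGINE_get_next() hand back a structural reference on the engine they return and the loop breaks while holding it, so the unchanged `ENGINE_free(engine)` below still releases exactly one reference; the new comment could state that, since a reader no longer sees ENGINE_by_id()'s familiar reference semantics at this spot.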

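The failure mode described in the mail, as an added self-contained illustration (not hostap or OpenSSL code): a stand-in engine registry whose `sim_engine_by_id()` reproduces the autoload side effect of ENGINE_by_id(), beside a `sim_find_loaded()` that only walks the already-loaded list the way the proposed patch does. All `sim_` names, the registry layout and the sample option strings are assumptions made for this example.

```c
/* Added illustration, not hostap or OpenSSL code. The "sim_" registry is a
 * constructed stand-in for the OpenSSL ENGINE list; it models only the two
 * lookup behaviours the mail contrasts (autoloading vs. pure iteration). */
#include <stdio.h>
#include <string.h>

#define SIM_MAX_ENGINES 8

struct sim_engine {
    const char *id;
    const char *opts; /* options the engine was loaded with */
};

/* Loaded-engine list: stand-in for ENGINE_get_first()/ENGINE_get_next(). */
static struct sim_engine sim_loaded[SIM_MAX_ENGINES];
static int sim_nloaded;

/* Engine shared objects the library "finds on disk" (constructed sample). */
static const char *sim_available[] = { "pkcs11", NULL };

static int sim_available_on_disk(const char *id)
{
    for (size_t i = 0; sim_available[i]; i++)
        if (strcmp(sim_available[i], id) == 0)
            return 1;
    return 0;
}

static struct sim_engine *sim_load(const char *id, const char *opts)
{
    if (sim_nloaded == SIM_MAX_ENGINES)
        return NULL;
    sim_loaded[sim_nloaded].id = id;
    sim_loaded[sim_nloaded].opts = opts;
    return &sim_loaded[sim_nloaded++];
}

void sim_reset(void)
{
    sim_nloaded = 0;
}

/* Stand-in for the patch's loop: only consults engines already loaded,
 * so it never changes the registry as a side effect. */
struct sim_engine *sim_find_loaded(const char *id)
{
    for (int i = 0; i < sim_nloaded; i++)
        if (strcmp(sim_loaded[i].id, id) == 0)
            return &sim_loaded[i];
    return NULL;
}

/* Stand-in for ENGINE_by_id(): returns a loaded engine if present, but if
 * none is loaded and a shared object is available, autoloads it with the
 * default options before returning it. */
struct sim_engine *sim_engine_by_id(const char *id)
{
    struct sim_engine *e = sim_find_loaded(id);
    if (e)
        return e;
    if (sim_available_on_disk(id))
        return sim_load(id, "default");
    return NULL;
}

/* Mirrors the shape of tls_engine_load_dynamic_generic(): skip loading when
 * the engine is already present, otherwise load it with the configured
 * options. Returns the options the engine ends up loaded with. */
const char *sim_load_with_check(const char *id, const char *opts, int use_by_id)
{
    struct sim_engine *e = use_by_id ? sim_engine_by_id(id)
                                     : sim_find_loaded(id);
    if (e)
        return e->opts; /* treated as "already loaded": configured opts are lost */
    e = sim_load(id, opts);
    return e ? e->opts : NULL;
}

int main(void)
{
    const char *cfg = "MODULE_PATH=/constructed/pkcs11-module.so"; /* constructed */

    sim_reset();
    printf("ENGINE_by_id-style check: engine loaded with '%s'\n",
           sim_load_with_check("pkcs11", cfg, 1));
    sim_reset();
    printf("iteration-style check:    engine loaded with '%s'\n",
           sim_load_with_check("pkcs11", cfg, 0));
    return 0;
}
```

With the autoloading lookup the engine ends up loaded with `default`, so the configured options are silently discarded; with the iteration-only lookup it is loaded with the configured options, which is the behaviour the patch restores.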