[openssl-dev] OpenSSL version 1.1.0 pre release 3 published
Jouni Malinen
j at w1.fi
Mon Feb 15 21:25:30 UTC 2016
On Mon, Feb 15, 2016 at 10:52:27PM +0200, Jouni Malinen wrote:
> On Mon, Feb 15, 2016 at 07:04:20PM +0000, OpenSSL wrote:
> > OpenSSL version 1.1.0 pre release 3 (alpha)
> It looks like something in pre release 3 has changed behavior in a way
> that results in SSL_CTX_new(SSLv23_method()) failing in some cases. I've
> never seen this with earlier releases. It looks like the error within
> SSL_CTX_new() is in EVP_get_digestbyname("ssl3-md5") returning NULL
> suddenly after a process has called SSL_CTX_new() and SSL_CTX_free()
> multiple times.
Found the trigger.. When adding and removing a network interface,
wpa_supplicant ends up going through OpenSSL library init and deinit.
One part of that deinit is a call to EVP_cleanup(). Init on the other
hand is calling SSL_library_init(). The difference between pre release 2
and 3 is in the SSL_library_init() call after EVP_cleanup() call not
adding back the needed digest registration.
Is this change in OpenSSL behavior expected? Is it not allowed to call
EVP_cleanup() and then re-initialize OpenSSL digests with
SSL_library_init()?
I can "fix" this by removing the EVP_cleanup() call in wpa_supplicant,
but that does not sound like the best thing to do here since it was
needed to avoid leaving allocated memory behind during process deinit
(i.e., getting memory leak reports from valgrind).
The way the ossl_init_ssl_base() function is "hidden" within
ssl_init.c, the application cannot even call it again, so other than
duplicating the contents of that function after that EVP_cleanup() call,
I don't see how this could be fixed cleanly without an OpenSSL change.
--
Jouni Malinen PGP id EFC895FA
More information about the openssl-dev
mailing list