Bug 538851
| Summary: | EVP_PBE_CipherInit() passes NULL cipher to keygen function | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Marius Andreiana <marius.andreiana> |
| Component: | openssl | Assignee: | Tomas Mraz <tmraz> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 12 | CC: | danielsun3164, dcbw, dougsland, francisco.moraes, gansalmon, itamar, kernel-maint, matthias.andree, tmraz, walicki |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | openssl-1.0.0-4.fc12 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2010-05-25 18:42:03 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Attachments: | | | |
Description
Marius Andreiana
2009-11-19 15:09:51 UTC
Confirmed on up-to-date F12 x86_64. This happens when setting up a network with WPA2-Enterprise authentication with EAP-TLS, and I'm providing my username, no user certificate, the server root signing (CA) certificate and a .p12 package (along with matching password) of user private key and user certificate. This is an "eduroam"-style network, albeit with the less-common client certificate authentication (many eduroam sites use TTLS = Tunneled TLS instead -- we don't).

Created attachment 373406 [details]
stack backtrace of wpa_supplicant-0.6.8-6.fc12.x86_64
This should be reassigned to wpa_supplicant.
I'm attaching a (modified) backtrace of my wpa_supplicant crash. The "classified" were the password I need to decrypt the .p12 PKCS#12 package, the "xxxx" was a four-character string in the \3xx octal range.
Based on your backtrace, it looks like openssl isn't returning a failure code when it can't find the cipher it needs to decrypt the PKCS12 file; why it can't find the cipher I don't know. But it certainly shouldn't segfault when it can't do so...

How do I analyze the PKCS12 file to figure out the ciphers used for keys/certs?

openssl pkcs12 -info -noout -in <keyfile>

Does the openssl segfault/crash if you call the openssl pkcs12 command?

It does not crash. It prints (this is retyped from a different machine):

    MAC Iteration 2048
    MAC verified OK
    PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
    Certificate bag
    Certificate bag
    PKCS7 Data
    Shrouded Keybag: pbeWithSHA1and3-KeyTripleDES-CBC, Iteration 2048

I can extract key and certificate to PEM files just fine. (Does this mean that OpenSSL itself isn't at fault but the way it's used in wpa_supplicant? Looks like that to me.)

(In reply to comment #7)
> It does not crash. It prints (this is retyped from a different machine):

Note that I only retyped the screen output, but had run the openssl pkcs12 command on the computer affected by the problem.

BTW, Marius, you haven't been let off the hook, so you may want to provide your input too so maintainers can see a pattern sooner perhaps.

(In reply to comment #7)
> I can extract key and certificate to PEM files just fine. (Does this mean that
> OpenSSL itself isn't at fault but the way it's used in wpa_supplicant? Looks
> like that to me.)

OpenSSL still shouldn't segfault... it should return some error that upper layers can handle.

Yes, I'll look at the crash and try to handle the error properly. However, my current guess is that wpa_supplicant does not properly initialize the openssl library. Dan, can you please look at the initialization of openssl in wpa_supplicant and compare it to the calls in the openssl app source code?

Any updates to this? I am holding off upgrading to F12 because of this bug.

I have a patch for the crash now. However, wpa_supplicant has to be modified to add a call to OpenSSL_add_all_algorithms() before the SSL_library_init() call to be able to load the PKCS12 file.

Would this be F12-specific? Otherwise, what's the upstream status?

(In reply to comment #12)
> I have a patch for the crash now. However wpa_supplicant has to be modified to
> add call to OpenSSL_add_all_algorithms() before the SSL_library_init() call to
> be able to load the PKCS12 file.

Could you please post the patch file here?
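The thread above asks how to tell which ciphers a PKCS#12 file uses and answers with `openssl pkcs12 -info -noout -in <keyfile>`. The PBE AlgorithmIdentifiers for the encrypted safe and the shrouded key bag sit unencrypted in the DER, so the same answer can be read off the file with a small offline scanner, which also shows which algorithm tables a library has to have registered before it can open the file. The Python below is an added example, not code from this bug report, from OpenSSL or from wpa_supplicant. The PFX-shaped blob it builds is constructed for the demonstration (no MacData, dummy ciphertext) and is not a valid PKCS#12 file; the helper names `der`, `read_tlv`, `iter_oids`, `pbe_algorithms` and `weak_pbe` are the example's own.

```python
"""Offline scan of a DER blob (e.g. a PKCS#12 file) for the password-based
encryption (PBE) schemes it uses. Added example, not from the bug report."""
from typing import Iterator, List, Tuple

# PKCS#12 (RFC 7292 appendix C) and PKCS#5 (RFC 8018) PBE scheme OIDs.
PBE_OIDS = {
    "1.2.840.113549.1.12.1.1": "pbeWithSHA1And128BitRC4",
    "1.2.840.113549.1.12.1.2": "pbeWithSHA1And40BitRC4",
    "1.2.840.113549.1.12.1.3": "pbeWithSHA1And3-KeyTripleDES-CBC",
    "1.2.840.113549.1.12.1.4": "pbeWithSHA1And2-KeyTripleDES-CBC",
    "1.2.840.113549.1.12.1.5": "pbeWithSHA1And128BitRC2-CBC",
    "1.2.840.113549.1.12.1.6": "pbeWithSHA1And40BitRC2-CBC",
    "1.2.840.113549.1.5.13": "PBES2",
}
# 40-bit (export-grade) schemes and RC4-based schemes are flagged as weak.
WEAK_PBE = {"pbeWithSHA1And40BitRC2-CBC", "pbeWithSHA1And40BitRC4",
            "pbeWithSHA1And128BitRC4"}


def encode_oid(oid: str) -> bytes:
    """Dotted OID -> DER content octets (base-128, high bit continues)."""
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray()
    for v in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = bytearray([v & 0x7F])
        v >>= 7
        while v:
            chunk.insert(0, 0x80 | (v & 0x7F))
            v >>= 7
        out += chunk
    return bytes(out)


def decode_oid(content: bytes) -> str:
    """DER content octets -> dotted OID; rejects a truncated sub-identifier."""
    if not content or content[-1] & 0x80:
        raise ValueError("malformed OID")
    arcs, value = [], 0
    for b in content:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            if not arcs:
                first = min(value // 40, 2)   # arcs 0 and 1 carry only 40 sub-arcs
                arcs += [first, value - first * 40]
            else:
                arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def der(tag: int, content: bytes) -> bytes:
    """Encode one TLV with a minimal (DER) length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Parse the TLV at pos -> (tag, content, next_pos); ValueError if malformed."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:
        raise ValueError("high-tag-number form not supported")
    pos += 2
    if first < 0x80:
        n = first
    else:
        k = first & 0x7F
        if not 1 <= k <= 4 or pos + k > len(buf):
            raise ValueError("bad length octets")
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
        if n < 0x80 or n < (1 << (8 * (k - 1))):
            raise ValueError("non-minimal length (not DER)")
    if pos + n > len(buf):
        raise ValueError("length exceeds data")
    return tag, buf[pos:pos + n], pos + n


def iter_oids(buf: bytes) -> Iterator[str]:
    """Yield every OBJECT IDENTIFIER in buf, recursing into constructed types.
    PKCS#12 nests DER inside OCTET STRINGs (authSafe, SafeContents), so an
    OCTET STRING is descended only when its content parses as complete DER."""
    pos = 0
    while pos < len(buf):
        tag, content, pos = read_tlv(buf, pos)
        if tag == 0x06:
            yield decode_oid(content)
        elif tag & 0x20:                      # SEQUENCE, SET, [n] EXPLICIT ...
            yield from iter_oids(content)
        elif tag == 0x04:
            try:
                nested = list(iter_oids(content))
            except ValueError:
                continue                      # opaque bytes (salt, ciphertext)
            yield from nested


def pbe_algorithms(buf: bytes) -> List[str]:
    """Known PBE scheme names in buf, in order of first appearance."""
    found: List[str] = []
    for oid in iter_oids(buf):
        name = PBE_OIDS.get(oid)
        if name and name not in found:
            found.append(name)
    return found


def weak_pbe(buf: bytes) -> List[str]:
    return [n for n in pbe_algorithms(buf) if n in WEAK_PBE]


def build_sample_pfx() -> bytes:
    """Constructed sample, not a real PKCS#12 file: PFX-shaped, no MacData,
    dummy ciphertext, using the two schemes the bug's -info output shows."""
    INT, OCT, OID, SEQ, CTX0 = 0x02, 0x04, 0x06, 0x30, 0xA0
    id_data = der(OID, encode_oid("1.2.840.113549.1.7.1"))          # pkcs7-data
    id_enc = der(OID, encode_oid("1.2.840.113549.1.7.6"))           # pkcs7-encryptedData
    shrouded = der(OID, encode_oid("1.2.840.113549.1.12.10.1.2"))   # pkcs8ShroudedKeyBag

    def alg_id(oid: str) -> bytes:        # AlgorithmIdentifier {oid, {salt, iterations}}
        params = der(OCT, b"\x01" * 8) + der(INT, (2048).to_bytes(2, "big"))
        return der(SEQ, der(OID, encode_oid(oid)) + der(SEQ, params))

    cert_safe = der(SEQ, id_enc + der(CTX0, der(SEQ, der(INT, b"\x00") + der(
        SEQ, id_data + alg_id("1.2.840.113549.1.12.1.6") + der(0x80, b"\xde\xad" * 8)))))
    key_bag = der(SEQ, shrouded + der(CTX0, der(
        SEQ, alg_id("1.2.840.113549.1.12.1.3") + der(OCT, b"\xbe\xef" * 8))))
    key_safe = der(SEQ, id_data + der(CTX0, der(OCT, der(SEQ, key_bag))))
    auth_safe = der(OCT, der(SEQ, cert_safe + key_safe))
    return der(SEQ, der(INT, b"\x03") + der(SEQ, id_data + der(CTX0, auth_safe)))


if __name__ == "__main__":
    blob = build_sample_pfx()
    print("PBE schemes:", pbe_algorithms(blob))
    print("weak:", weak_pbe(blob))
```

On a real file, `pbe_algorithms(open("user.p12", "rb").read())` lists the schemes without decrypting anything, since only the ciphertext and the MAC key are password-protected. Descending into OCTET STRINGs is a heuristic (it is skipped whenever the bytes do not parse as complete DER), and the scanner says nothing about whether a given library has those ciphers available; it only tells you which ones the file needs. A 40-bit RC2 certificate safe, as in the output quoted above, is export-grade encryption and is worth flagging even though it only protects certificates.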
The patch fixing the crash in openssl if algorithms are not available
This crash is only in openssl-1.0.0 branch. I've submitted it to upstream tracker.
(In reply to comment #15)
> Created an attachment (id=378440) [details]
> The patch fixing the crash in openssl if algorithms are not available
>
> This crash is only in openssl-1.0.0 branch. I've submitted it to upstream
> tracker.

Thank you very much for your patch file. I confirmed that the segfault message of wpa_supplicant has disappeared. But I still cannot connect to the wireless LAN :-(

Created attachment 378461 [details]
Add algorithms necessary for reading some PKCS-12 files
Please try this patch.
(In reply to comment #17)
> Created an attachment (id=378461) [details]
> Add algorithms necessary for reading some PKCS-12 files
>
> Please try this patch.

Thank you very much for your patch file. I can connect to my wireless LAN now. :-) Thanks again for your rapid response and hard work.

I'll keep this bug for the crash in libcrypto; the wpa_supplicant change will be tracked in bug 541924.

openssl-1.0.0-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/openssl-1.0.0-1.fc12

openssl-1.0.0-4.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/openssl-1.0.0-4.fc12

openssl-1.0.0-4.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update openssl'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/openssl-1.0.0-4.fc12

openssl-1.0.0-4.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.