<div dir="ltr"><pre class="" id="comment_text_0">Hi,<br><br>When strongswan is run at client side with wpa_supplicant, after the TNC <br>negotiation is over and wpa_supplicant is stopped either using ctrl-c or <br>"killall wpa_supplicant", wpa_supplicant segfaults. Backtrace is here:
(gdb) bt
#0 0x00007f1ba4aac5a0 in ?? ()
#1 0x00007f1ba835a9d7 in CRYPTO_add_lock (pointer=0x7f1baae8f188, amount=-1, type=16, file=0x7f1ba872aaca "ssl_lib.c", line=512) at cryptlib.c:632
#2 0x00007f1ba871b9bc in SSL_free (s=0x7f1baae8efe0) at ssl_lib.c:512
#3 0x00007f1ba922d631 in tls_connection_deinit (ssl_ctx=<optimized out>, conn=0x7f1baae8ef40) at ../src/crypto/tls_openssl.c:972
#4 0x00007f1ba922ae20 in eap_peer_tls_ssl_deinit (sm=sm@entry=0x7f1baae6d4c0, data=data@entry=0x7f1baae8ee50) at ../src/eap_peer/eap_tls_common.c:269
#5 0x00007f1ba91d94cd in eap_ttls_deinit (sm=0x7f1baae6d4c0, priv=0x7f1baae8ee50) at ../src/eap_peer/eap_ttls.c:141
#6 0x00007f1ba9204780 in eap_deinit_prev_method (sm=sm@entry=0x7f1baae6d4c0, txt=txt@entry=0x7f1ba9296ad0 "EAP deinit") at ../src/eap_peer/eap.c:105
#7 0x00007f1ba92067c5 in eap_peer_sm_deinit (sm=0x7f1baae6d4c0) at ../src/eap_peer/eap.c:1418
#8 0x00007f1ba9204697 in eapol_sm_deinit (sm=0x7f1baae6d370) at ../src/eapol_supp/eapol_supp_sm.c:1917
#9 0x00007f1ba9253025 in wpa_supplicant_cleanup (wpa_s=0x7f1baae6bc00) at wpa_supplicant.c:412
#10 wpa_supplicant_deinit_iface (wpa_s=wpa_s@entry=0x7f1baae6bc00, notify=notify@entry=1, terminate=terminate@entry=1) at wpa_supplicant.c:2980
#11 0x00007f1ba92537fb in wpa_supplicant_remove_iface (global=global@entry=0x7f1baae6ba90, wpa_s=0x7f1baae6bc00, terminate=terminate@entry=1) at wpa_supplicant.c:3115
#12 0x00007f1ba925399d in wpa_supplicant_deinit (global=global@entry=0x7f1baae6ba90) at wpa_supplicant.c:3350
#13 0x00007f1ba91a2728 in main (argc=<optimized out>, argv=<optimized out>) at main.c:299<br><br>Here is my understanding after debugging openssl and wpa_supplicant code what might cause this segmentation fault:<br><br>strongswan's openssl plugin is deigned for multi-threaded environment, whereas <br>wpa_supplicant uses non-threaded architecture. Both of these, strongswan's <br>openssl pluging and wpa_supplicant uses openssl as their crypto and TLS library. <br>Locking and thread clean up used in strongswan's openssl plugin conflict with <br>wpa_supplicant's TLS clean up. When strongswan's openssl plugin is unloaded, it <br>clears its thread and locking state. wpa_supplicant's TLS SSL_free operation <br>conflicts with it and segfaults. Even if locking is modified in strongswan's <br>openssl plugin for non-threaded use, the segfaults happens at different location <br>as follows:
(gdb) bt
#0 0x00007f20372f3550 in ?? ()
#1 0x00007f203ac1dce8 in ERR_remove_thread_state (id=id@entry=0x0) at err.c:990
#2 0x00007f203ac1dd17 in ERR_remove_state (pid=pid@entry=0) at err.c:1000
#3 0x00007f203ba73e93 in tls_deinit (ssl_ctx=<optimized out>) at ../src/crypto/tls_openssl.c:795
#4 0x00007f203ba4d7ea in eap_peer_sm_deinit (sm=0x7f203c94c4c0) at ../src/eap_peer/eap.c:1422
#5 0x00007f203ba4b697 in eapol_sm_deinit (sm=0x7f203c94c370) at ../src/eapol_supp/eapol_supp_sm.c:1917
#6 0x00007f203ba9a025 in wpa_supplicant_cleanup (wpa_s=0x7f203c94ac00) at wpa_supplicant.c:412
#7 wpa_supplicant_deinit_iface (wpa_s=wpa_s@entry=0x7f203c94ac00, notify=notify@entry=1, terminate=terminate@entry=1) at wpa_supplicant.c:2980
#8 0x00007f203ba9a7fb in wpa_supplicant_remove_iface (global=global@entry=0x7f203c94aa90, wpa_s=0x7f203c94ac00, terminate=terminate@entry=1) at wpa_supplicant.c:3115
#9 0x00007f203ba9a99d in wpa_supplicant_deinit (global=global@entry=0x7f203c94aa90) at wpa_supplicant.c:3350
#10 0x00007f203b9e9728 in main (argc=<optimized out>, argv=<optimized out>) at main.c:299
<br></pre><pre class="" id="comment_text_0">I have created a very simple patch to address this issue which basically allows <br>disabling mult-thread uses in strongswan's openssl plugin when wpa_supplicant is used. <br>It may not be a right solution but this is what I have for right now to address this which works. <br>I am sure you guys would have a better solution which I would love to see, so your feedback is <br>really welcome. <br><br></pre><pre class="" id="comment_text_0">Patch is here: <br><br>diff -urNp strongswan-5.2.0/src/libstrongswan/plugins/openssl/openssl_plugin.c strongswan-5.2.0-current/src/libstrongswan/plugins/openssl/openssl_plugin.c<br>--- strongswan-5.2.0/src/libstrongswan/plugins/openssl/openssl_plugin.c 2014-06-05 03:50:30.000000000 -0400<br>+++ strongswan-5.2.0-current/src/libstrongswan/plugins/openssl/openssl_plugin.c 2014-09-18 16:12:39.171174020 -0400<br>@@ -70,6 +70,7 @@ struct private_openssl_plugin_t {<br> */<br> static mutex_t **mutex = NULL;<br><br>+static bool multi_thread = TRUE;<br> /**<br> * Locking callback for static locks<br> */<br>@@ -507,7 +508,10 @@ METHOD(plugin_t, destroy, void,<br> ENGINE_cleanup();<br> #endif /* OPENSSL_NO_ENGINE */<br> CRYPTO_cleanup_all_ex_data();<br>+ if(multi_thread)<br>+ {<br> threading_cleanup();<br>+ }<br> ERR_free_strings();<br><br> free(this);<br>@@ -523,6 +527,8 @@ plugin_t *openssl_plugin_create()<br><br> fips_mode = lib->settings->get_int(lib->settings,<br> "%s.plugins.openssl.fips_mode", FIPS_MODE, lib->ns);<br>+ multi_thread = lib->settings->get_bool(lib->settings,<br>+ "%s.plugins.openssl.multi_thread", TRUE, lib->ns);<br> #ifdef OPENSSL_FIPS<br> if (fips_mode)<br> {<br>@@ -551,7 +557,10 @@ plugin_t *openssl_plugin_create()<br> },<br> );<br><br>+ if (multi_thread) <br>+ {<br> threading_init();<br>+ }<br><br> OPENSSL_config(NULL);<br> OpenSSL_add_all_algorithms();<br><br><br></pre><pre class="" id="comment_text_0">Thanks for your help.<br></pre><pre class="" id="comment_text_0">Regards<br>Avesh<br></pre></div>