[strongSwan-dev] strongswan's openssl plugin causes wpa_supplicant to segfault

Avesh Agarwal avesh.ncsu at gmail.com
Thu Oct 16 18:36:58 CEST 2014


Hi,

When strongswan is run on the client side with wpa_supplicant, and
wpa_supplicant is stopped after the TNC negotiation is over, either using
ctrl-c or "killall wpa_supplicant", wpa_supplicant segfaults. The backtrace
is here:

(gdb) bt
#0  0x00007f1ba4aac5a0 in ?? ()
#1  0x00007f1ba835a9d7 in CRYPTO_add_lock (pointer=0x7f1baae8f188,
amount=-1, type=16, file=0x7f1ba872aaca "ssl_lib.c", line=512) at
cryptlib.c:632
#2  0x00007f1ba871b9bc in SSL_free (s=0x7f1baae8efe0) at ssl_lib.c:512
#3  0x00007f1ba922d631 in tls_connection_deinit (ssl_ctx=<optimized
out>, conn=0x7f1baae8ef40) at ../src/crypto/tls_openssl.c:972
#4  0x00007f1ba922ae20 in eap_peer_tls_ssl_deinit
(sm=sm@entry=0x7f1baae6d4c0, data=data@entry=0x7f1baae8ee50) at
../src/eap_peer/eap_tls_common.c:269
#5  0x00007f1ba91d94cd in eap_ttls_deinit (sm=0x7f1baae6d4c0,
priv=0x7f1baae8ee50) at ../src/eap_peer/eap_ttls.c:141
#6  0x00007f1ba9204780 in eap_deinit_prev_method
(sm=sm@entry=0x7f1baae6d4c0, txt=txt@entry=0x7f1ba9296ad0 "EAP
deinit") at ../src/eap_peer/eap.c:105
#7  0x00007f1ba92067c5 in eap_peer_sm_deinit (sm=0x7f1baae6d4c0) at
../src/eap_peer/eap.c:1418
#8  0x00007f1ba9204697 in eapol_sm_deinit (sm=0x7f1baae6d370) at
../src/eapol_supp/eapol_supp_sm.c:1917
#9  0x00007f1ba9253025 in wpa_supplicant_cleanup
(wpa_s=0x7f1baae6bc00) at wpa_supplicant.c:412
#10 wpa_supplicant_deinit_iface (wpa_s=wpa_s@entry=0x7f1baae6bc00,
notify=notify@entry=1, terminate=terminate@entry=1) at
wpa_supplicant.c:2980
#11 0x00007f1ba92537fb in wpa_supplicant_remove_iface
(global=global@entry=0x7f1baae6ba90, wpa_s=0x7f1baae6bc00,
terminate=terminate@entry=1) at wpa_supplicant.c:3115
#12 0x00007f1ba925399d in wpa_supplicant_deinit
(global=global@entry=0x7f1baae6ba90) at wpa_supplicant.c:3350
#13 0x00007f1ba91a2728 in main (argc=<optimized out>, argv=<optimized
out>) at main.c:299

Here is my understanding, after debugging the openssl and wpa_supplicant
code, of what might cause this segmentation fault:

strongswan's openssl plugin is designed for a multi-threaded environment,
whereas wpa_supplicant uses a non-threaded architecture. Both of these,
strongswan's openssl plugin and wpa_supplicant, use openssl as their crypto
and TLS library.
The locking and thread clean up used in strongswan's openssl plugin conflict
with wpa_supplicant's TLS clean up. When strongswan's openssl plugin is
unloaded, it clears its thread and locking state. wpa_supplicant's TLS
SSL_free operation conflicts with it and segfaults. Even if locking is
modified in strongswan's openssl plugin for non-threaded use, the segfault
happens at a different location, as follows:

(gdb) bt
#0  0x00007f20372f3550 in ?? ()
#1  0x00007f203ac1dce8 in ERR_remove_thread_state (id=id@entry=0x0) at err.c:990
#2  0x00007f203ac1dd17 in ERR_remove_state (pid=pid@entry=0) at err.c:1000
#3  0x00007f203ba73e93 in tls_deinit (ssl_ctx=<optimized out>) at
../src/crypto/tls_openssl.c:795
#4  0x00007f203ba4d7ea in eap_peer_sm_deinit (sm=0x7f203c94c4c0) at
../src/eap_peer/eap.c:1422
#5  0x00007f203ba4b697 in eapol_sm_deinit (sm=0x7f203c94c370) at
../src/eapol_supp/eapol_supp_sm.c:1917
#6  0x00007f203ba9a025 in wpa_supplicant_cleanup
(wpa_s=0x7f203c94ac00) at wpa_supplicant.c:412
#7  wpa_supplicant_deinit_iface (wpa_s=wpa_s@entry=0x7f203c94ac00,
notify=notify@entry=1, terminate=terminate@entry=1) at
wpa_supplicant.c:2980
#8  0x00007f203ba9a7fb in wpa_supplicant_remove_iface
(global=global@entry=0x7f203c94aa90, wpa_s=0x7f203c94ac00,
terminate=terminate@entry=1) at wpa_supplicant.c:3115
#9  0x00007f203ba9a99d in wpa_supplicant_deinit
(global=global@entry=0x7f203c94aa90) at wpa_supplicant.c:3350
#10 0x00007f203b9e9728 in main (argc=<optimized out>, argv=<optimized
out>) at main.c:299

I have created a very simple patch to address this issue, which basically
allows disabling multi-thread use in strongswan's openssl plugin when
wpa_supplicant is used.
It may not be the right solution, but this is what I have for right now to
address this, and it works.
I am sure you guys would have a better solution, which I would love to see,
so your feedback is really welcome.

Patch is here:

diff -urNp strongswan-5.2.0/src/libstrongswan/plugins/openssl/openssl_plugin.c
strongswan-5.2.0-current/src/libstrongswan/plugins/openssl/openssl_plugin.c
--- strongswan-5.2.0/src/libstrongswan/plugins/openssl/openssl_plugin.c
2014-06-05 03:50:30.000000000 -0400
+++ strongswan-5.2.0-current/src/libstrongswan/plugins/openssl/openssl_plugin.c
2014-09-18 16:12:39.171174020 -0400
@@ -70,6 +70,7 @@ struct private_openssl_plugin_t {
  */
 static mutex_t **mutex = NULL;

+static bool multi_thread = TRUE;
 /**
  * Locking callback for static locks
  */
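Review bot: the new file-scope `static bool multi_thread = TRUE;` is inserted directly above the doc comment for the static locking callback, with no comment of its own and no blank line after it, so the declarations block and the callback's comment now run together. Give the flag its own `/** ... */` comment stating what it controls, and keep a blank line between it and the callback's comment.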
@@ -507,7 +508,10 @@ METHOD(plugin_t, destroy, void,
        ENGINE_cleanup();
 #endif /* OPENSSL_NO_ENGINE */
        CRYPTO_cleanup_all_ex_data();
+       if(multi_thread)
+       {
        threading_cleanup();
+       }
        ERR_free_strings();

        free(this);
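Review bot: in destroy(), only threading_cleanup() is placed behind multi_thread; ENGINE_cleanup(), CRYPTO_cleanup_all_ex_data() and ERR_free_strings() still run unconditionally, and they also tear down process-global OpenSSL state that a host process sharing the library keeps using after the plugin is gone. If the flag is meant to express "OpenSSL is shared with the loading process", those calls likely need the same guard; otherwise the flag's scope should be stated. Style: `if(multi_thread)` lacks the space used in the `if (multi_thread)` added to openssl_plugin_create(), and the guarded call should be indented inside the new braces.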
@@ -523,6 +527,8 @@ plugin_t *openssl_plugin_create()

        fips_mode = lib->settings->get_int(lib->settings,

"%s.plugins.openssl.fips_mode", FIPS_MODE, lib->ns);
+       multi_thread = lib->settings->get_bool(lib->settings,
+
"%s.plugins.openssl.multi_thread", TRUE, lib->ns);
 #ifdef OPENSSL_FIPS
        if (fips_mode)
        {
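Review bot: `%s.plugins.openssl.multi_thread` is a new user-visible setting read in openssl_plugin_create(), and nothing in the patch documents it. Add it to the plugin's option documentation next to fips_mode, and state there that setting it to no leaves OpenSSL without the plugin's locking callbacks, so it is only safe when the loading process is single-threaded.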
@@ -551,7 +557,10 @@ plugin_t *openssl_plugin_create()
                },
        );

+       if (multi_thread)
+       {
        threading_init();
+       }

        OPENSSL_config(NULL);
        OpenSSL_add_all_algorithms();
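Review bot: skipping threading_init() is driven purely by configuration, so a multi-threaded daemon started with multi_thread set to no would run OpenSSL with no locking callbacks installed. Consider deciding at runtime instead: install the callbacks only when CRYPTO_get_locking_callback() returns NULL, remember that the plugin installed them, and have destroy() remove only what it installed. The `threading_init();` line should also be indented inside the new braces.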


Thanks for your help.

Regards
Avesh
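
The failure mode described in this message, modelled as an added example that is not part of the original post and is not strongSwan, wpa_supplicant or OpenSSL code: a plugin registers a callback in a process-global slot, frees the callback's state on unload, and the host then calls through the slot during its own TLS teardown. All names are hypothetical, and the model assumes the unresolved frame #0 in the first backtrace is such a left-over callback.

```c
#include <stdlib.h>

/* Constructed model of a process-global locking hook (not OpenSSL code). */
typedef void (*lock_cb_t)(int type);
static lock_cb_t g_lock_cb;   /* one slot shared by every user of the library */
static int stale_calls;       /* callback entered after its state was freed */
static int *plugin_locks;     /* hypothetical plugin state used by its callback */

static void plugin_lock_cb(int type)
{
    if (plugin_locks)
        plugin_locks[type]++;
    else
        stale_calls++;        /* the real process would fault here */
}

static void plugin_init(int guarded)
{
    plugin_locks = calloc(32, sizeof(*plugin_locks));
    if (!guarded || g_lock_cb == NULL)   /* guarded: never replace a hook */
        g_lock_cb = plugin_lock_cb;
}

static void plugin_cleanup(int guarded)
{
    /* Guarded: release the shared slot before freeing what it points at. */
    if (guarded && g_lock_cb == plugin_lock_cb)
        g_lock_cb = NULL;
    free(plugin_locks);
    plugin_locks = NULL;
}

/* Host teardown, standing in for SSL_free() reaching CRYPTO_add_lock(). */
static void host_ssl_free(void)
{
    if (g_lock_cb)
        g_lock_cb(16);        /* type=16 as in the first backtrace */
}

int run_scenario(int guarded)
{
    g_lock_cb = NULL;
    stale_calls = 0;
    plugin_init(guarded);
    host_ssl_free();          /* TLS in use: callback state is live */
    plugin_cleanup(guarded);
    host_ssl_free();          /* host shutdown after plugin unload */
    return stale_calls;
}
```

`run_scenario(0)` counts the call into freed plugin state; `run_scenario(1)` shows the ownership-checked teardown leaving the host's shutdown path untouched.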