]> git.ipfire.org Git - thirdparty/hostap.git/commitdiff
projects / thirdparty / hostap.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 33c4dd2)
OpenSSL: Unload providers only at process exit
authorJouni Malinen <j@w1.fi>
Sat, 16 Apr 2022 15:48:29 +0000 (18:48 +0300)
committerJouni Malinen <j@w1.fi>
Sat, 16 Apr 2022 15:51:32 +0000 (18:51 +0300)
The previous mechanism of unloaded the providers from tls_deinit() did
not work correctly for some cases. In particular, it was possible for
hostapd to end up unloading both providers and not being able to recover
from this if TLS server was not enabled.

Address this more cleanly by introducing a new crypto_unload() function
that will be called when the process is exiting.

Fixes: 097ca6bf0b6f ("OpenSSL: Unload providers on deinit")
Signed-off-by: Jouni Malinen <j@w1.fi>
14 files changed:
hostapd/main.c patch | blob | blame | history
src/crypto/crypto.h patch | blob | blame | history
src/crypto/crypto_gnutls.c patch | blob | blame | history
src/crypto/crypto_internal.c patch | blob | blame | history
src/crypto/crypto_libtomcrypt.c patch | blob | blame | history
src/crypto/crypto_linux.c patch | blob | blame | history
src/crypto/crypto_nettle.c patch | blob | blame | history
src/crypto/crypto_none.c patch | blob | blame | history
src/crypto/crypto_openssl.c patch | blob | blame | history
src/crypto/crypto_wolfssl.c patch | blob | blame | history
src/crypto/tls_openssl.c patch | blob | blame | history
wpa_supplicant/eapol_test.c patch | blob | blame | history
wpa_supplicant/main.c patch | blob | blame | history
wpa_supplicant/preauth_test.c patch | blob | blame | history

diff --git a/hostapd/main.c b/hostapd/main.c
index 7c347f90558c9ee6e578ecfba164a907aaaf46c4..4503d24ae4d3d3fb87927de4ed9f6e8da39045ac 100644 (file)
--- a/hostapd/main.c
+++ b/hostapd/main.c
@@ -15,6 +15,7 @@
 #include "utils/common.h"
 #include "utils/eloop.h"
 #include "utils/uuid.h"
+#include "crypto/crypto.h"
 #include "crypto/random.h"
 #include "crypto/tls.h"
 #include "common/version.h"
@@ -933,6 +934,7 @@ int main(int argc, char *argv[])
 
        fst_global_deinit();
 
+       crypto_unload();
        os_program_deinit();
 
        return ret;
diff --git a/src/crypto/crypto.h b/src/crypto/crypto.h
index e6150b0cf16ee1dee6d3f8bf430c9d620f4690b4..41019659789543a8ea3e4647101ceba238ee5510 100644 (file)
--- a/src/crypto/crypto.h
+++ b/src/crypto/crypto.h
@@ -1275,4 +1275,12 @@ struct wpabuf * crypto_csr_sign(struct crypto_csr *csr,
                                struct crypto_ec_key *key,
                                enum crypto_hash_alg algo);
 
+/**
+ * crypto_unload - Unload crypto resources
+ *
+ * This function is called just before the process exits to allow dynamic
+ * resource allocations to be freed.
+ */
+void crypto_unload(void);
+
 #endif /* CRYPTO_H */
diff --git a/src/crypto/crypto_gnutls.c b/src/crypto/crypto_gnutls.c
index 4ef11462b36e82d7dd5e5cfabb4496c681e4d179..a7a163f5cb2a3bb35255adf48ec14d2d42f4ae57 100644 (file)
--- a/src/crypto/crypto_gnutls.c
+++ b/src/crypto/crypto_gnutls.c
@@ -504,3 +504,8 @@ void crypto_cipher_deinit(struct crypto_cipher *ctx)
        gcry_cipher_close(ctx->dec);
        os_free(ctx);
 }
+
+
+void crypto_unload(void)
+{
+}
diff --git a/src/crypto/crypto_internal.c b/src/crypto/crypto_internal.c
index aad40af16e06e3cc9e7c1b53b2bacbabf1bb5412..d15c363c9ef66d22f0800befe17361552fa61de0 100644 (file)
--- a/src/crypto/crypto_internal.c
+++ b/src/crypto/crypto_internal.c
@@ -326,3 +326,8 @@ int crypto_global_init(void)
 void crypto_global_deinit(void)
 {
 }
+
+
+void crypto_unload(void)
+{
+}
diff --git a/src/crypto/crypto_libtomcrypt.c b/src/crypto/crypto_libtomcrypt.c
index ed30efa021d76d4bde3df91c3355183580997024..fd79c1a40337ab10404dcb64cb1b4a9f7c2ef11e 100644 (file)
--- a/src/crypto/crypto_libtomcrypt.c
+++ b/src/crypto/crypto_libtomcrypt.c
@@ -766,3 +766,8 @@ fail:
 }
 
 #endif /* CONFIG_MODEXP */
+
+
+void crypto_unload(void)
+{
+}
diff --git a/src/crypto/crypto_linux.c b/src/crypto/crypto_linux.c
index 17244561b372f7612faa7b63c6db29f06766762e..9278e279795f791a33bdbede078137a2dd5d6808 100644 (file)
--- a/src/crypto/crypto_linux.c
+++ b/src/crypto/crypto_linux.c
@@ -1007,3 +1007,8 @@ int crypto_global_init(void)
 void crypto_global_deinit(void)
 {
 }
+
+
+void crypto_unload(void)
+{
+}
diff --git a/src/crypto/crypto_nettle.c b/src/crypto/crypto_nettle.c
index f85d36532ea1921b0373f177765e8ad070a584f0..d745027727cd5ee12d3016871a7223df4b2a32f5 100644 (file)
--- a/src/crypto/crypto_nettle.c
+++ b/src/crypto/crypto_nettle.c
@@ -467,3 +467,8 @@ void crypto_cipher_deinit(struct crypto_cipher *ctx)
 {
        bin_clear_free(ctx, sizeof(*ctx));
 }
+
+
+void crypto_unload(void)
+{
+}
diff --git a/src/crypto/crypto_none.c b/src/crypto/crypto_none.c
index 547919418af998f7d86f3f608951954342c2ec0e..a0dc0f52b00c76f4c75f2a0bc1c03bc67b10ecd6 100644 (file)
--- a/src/crypto/crypto_none.c
+++ b/src/crypto/crypto_none.c
@@ -22,3 +22,8 @@ int des_encrypt(const u8 *clear, const u8 *key, u8 *cypher)
 {
        return 0;
 }
+
+
+void crypto_unload(void)
+{
+}
diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c
index e1b3d15fc4499072687c6a5e70c1cfe19fd0fea2..cd7ebf0d9a49511623d4dcd3b44d64cefce89dfd 100644 (file)
--- a/src/crypto/crypto_openssl.c
+++ b/src/crypto/crypto_openssl.c
@@ -152,7 +152,7 @@ void openssl_load_legacy_provider(void)
 }
 
 
-void openssl_unload_legacy_provider(void)
+static void openssl_unload_legacy_provider(void)
 {
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
        if (openssl_legacy_provider) {
@@ -3797,3 +3797,9 @@ struct wpabuf * crypto_csr_sign(struct crypto_csr *csr,
 }
 
 #endif /* CONFIG_ECC */
+
+
+void crypto_unload(void)
+{
+       openssl_unload_legacy_provider();
+}
diff --git a/src/crypto/crypto_wolfssl.c b/src/crypto/crypto_wolfssl.c
index 00ecf61352a18e858216292c0bf8e5dc2a97bb76..4ae85e0830ded2d24b737a7d12568edcefb9f400 100644 (file)
--- a/src/crypto/crypto_wolfssl.c
+++ b/src/crypto/crypto_wolfssl.c
@@ -1823,3 +1823,8 @@ size_t crypto_ecdh_prime_len(struct crypto_ecdh *ecdh)
 }
 
 #endif /* CONFIG_ECC */
+
+
+void crypto_unload(void)
+{
+}
diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index 270d45fa2020f7fc67ca0259c05fc7c648683dd5..e539cbae0921e6aa7a7de9f50a1a422a09ab142e 100644 (file)
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -1128,8 +1128,6 @@ void tls_deinit(void *ssl_ctx)
 
        tls_openssl_ref_count--;
        if (tls_openssl_ref_count == 0) {
-               void openssl_unload_legacy_provider(void);
-
 #if OPENSSL_VERSION_NUMBER < 0x10100000L || \
        (defined(LIBRESSL_VERSION_NUMBER) && \
         LIBRESSL_VERSION_NUMBER < 0x20700000L)
@@ -1145,7 +1143,6 @@ void tls_deinit(void *ssl_ctx)
                tls_global->ocsp_stapling_response = NULL;
                os_free(tls_global);
                tls_global = NULL;
-               openssl_unload_legacy_provider();
        }
 
        os_free(data->check_cert_subject);
diff --git a/wpa_supplicant/eapol_test.c b/wpa_supplicant/eapol_test.c
index e256ac50eec425c3c456961bdcb77a6125e5e856..2289de8e6cea2036f26c4ab3d777b9607e475eb9 100644 (file)
--- a/wpa_supplicant/eapol_test.c
+++ b/wpa_supplicant/eapol_test.c
@@ -15,6 +15,7 @@
 #include "common.h"
 #include "utils/ext_password.h"
 #include "common/version.h"
+#include "crypto/crypto.h"
 #include "crypto/tls.h"
 #include "config.h"
 #include "eapol_supp/eapol_supp_sm.h"
@@ -1549,6 +1550,7 @@ int main(int argc, char *argv[])
        else
                printf("SUCCESS\n");
 
+       crypto_unload();
        os_program_deinit();
 
        return ret;
diff --git a/wpa_supplicant/main.c b/wpa_supplicant/main.c
index 51a8a0298a9b8b2ea5a640280501ead931b5cf87..9229eb51f3908a9f95a6135da6fca41a3cd8b4e8 100644 (file)
--- a/wpa_supplicant/main.c
+++ b/wpa_supplicant/main.c
@@ -12,6 +12,7 @@
 #endif /* __linux__ */
 
 #include "common.h"
+#include "crypto/crypto.h"
 #include "fst/fst.h"
 #include "wpa_supplicant_i.h"
 #include "driver_i.h"
@@ -403,6 +404,7 @@ out:
 #endif /* CONFIG_MATCH_IFACE */
        os_free(params.pid_file);
 
+       crypto_unload();
        os_program_deinit();
 
        return exitcode;
diff --git a/wpa_supplicant/preauth_test.c b/wpa_supplicant/preauth_test.c
index 31b55325f7f7d668934173fb586f3707770f6b6c..3ae99da04203243af417cc65d5a040036d6034ec 100644 (file)
--- a/wpa_supplicant/preauth_test.c
+++ b/wpa_supplicant/preauth_test.c
@@ -13,6 +13,7 @@
 #include <assert.h>
 
 #include "common.h"
+#include "crypto/crypto.h"
 #include "config.h"
 #include "eapol_supp/eapol_supp_sm.h"
 #include "eloop.h"
@@ -365,6 +366,7 @@ int main(int argc, char *argv[])
 
        eloop_destroy();
 
+       crypto_unload();
        os_program_deinit();
 
        return ret;
Unnamed repository; edit this file 'description' to name the repository.