OpenSSL problems
Alan DeKok
aland at deployingradius.com
Fri Jun 12 18:22:25 CEST 2015
A sad note from the HostAP mailing list. OpenSSL has broken the most recent release.
The good news is that we've put changes into v3 to detect this kind of nonsense. It refuses to start with a broken OpenSSL. But, this means that if your system auto-upgrades OpenSSL, FreeRADIUS will refuse to start.
If you upgrade OpenSSL, you MUST REBUILD FreeRADIUS.
This requirement is made because the OpenSSL people hate their end users, and break binary compatibility.
---
Please note that the OpenSSL versions released yesterday are not binary
compatible with the prior releases due to a quite undesired ABI change
(HMAC_CTX size changes). This affects multiple programs using OpenSSL
shared libraries, including wpa_supplicant.
If you are using wpa_supplicant with OpenSSL as a shared library and
update the OpenSSL shared library without rebuilding the wpa_supplicant
binary against the new header files from the new OpenSSL version, you
may hit memory corruption issues at runtime. Rebuilding wpa_supplicant
against the matching OpenSSL version will fix those.
Based on a quick test, this issue did not show up in practice for me on
64-bit Ubuntu 14.04 with gcc build due to the HMAC_CTX struct padding
done by the compiler. However, on 32-bit Ubuntu 14.04, this did result
in memory corruption and process termination due to malloc() memory
corruption and/or stack smashing detection.
This is an OpenSSL issue and I hope that the previous ABI will be
restored in a new release shortly. There is not really anything that
wpa_supplicant can do about this apart from doing that rebuild with new
OpenSSL header files.
More information about the Freeradius-Users
mailing list