Bug with OpenSSL engine initialization in tls_engine_load_dynamic_generic

Michael Schaller misch at google.com
Mon May 30 10:19:40 PDT 2016

Hi everyone,

The first ENGINE_by_id call (line 730) in
tls_engine_load_dynamic_generic is used to check if a certain OpenSSL
engine is already loaded:

This ENGINE_by_id call has a side effect though that it automatically
loads that engine with the default options if the shared object of
that engine can be found by openssl. This means that if the autoload
succeeds then this check will always be true and hence this engine
can't ever be loaded with the specific options for WPA supplicant as
specified in the configuration.

The autoload code in OpenSSL was introduced in 2002 with this commit:

I'm not sure what's the best way to fix this issue but you'll find a
patch proposal in the end that iterates over the available engines
instead of using ENGINE_by_id to avoid the engine autoload.


Michael Schaller

Proposed patch:

--- ./src/crypto/tls_openssl.c.old 2016-05-30 13:35:15.341868226 +0000
+++ ./src/crypto/tls_openssl.c 2016-05-30 16:56:29.880912599 +0000
@@ -617,7 +617,14 @@
  ENGINE *engine;
  const char *dynamic_id = "dynamic";

- engine = ENGINE_by_id(id);
+ /*
+ * Check if engine is already loaded. This intentionally doesn't use
+ * ENGINE_by_id as this would autoload an engine if it isn't loaded yet.
+ */
+ for (engine = ENGINE_get_first(); engine; engine = ENGINE_get_next(engine)) {
+ if(!strcmp(id, ENGINE_get_id(engine)))
+ break;
+ }
  if (engine) {
  wpa_printf(MSG_DEBUG, "ENGINE: engine '%s' is already "

More information about the Hostap mailing list