engine: use-after-free with multiple objects on the same token #141

Closed
lkundrak opened this issue Jan 11, 2017 · 2 comments

@lkundrak

With the following supplicant configuration, the log-in for the private key invalidates the x509 certificate loaded previously, resulting in a use-after-free attempt when trying to get the certificate:

ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel

network={
        ssid="wlan"

        key_mgmt=WPA-EAP
        eap=TLS

        proto=RSN
        pairwise=CCMP TKIP
        group=CCMP TKIP
        identity="user@example.com"

        private_key="pkcs11:token=test-token;object=client;type=private;pin-value=123456"
        client_cert="pkcs11:token=test-token;object=client;type=cert"
}

The valgrind log follows:

==29288== Memcheck, a memory error detector
==29288== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==29288== Using Valgrind-3.12.0 and LibVEX; rerun with -h for copyright info
==29288== Command: /usr/sbin/wpa_supplicant -c /etc/wpa_supplicant/wpa_supplicant.conf.broken1 -iwlan4 -d
==29288== 
wpa_supplicant v2.6
random: Trying to read entropy from /dev/random
Successfully initialized wpa_supplicant
Initializing interface 'wlan4' conf '/etc/wpa_supplicant/wpa_supplicant.conf.broken1' driver 'default' ctrl_interface 'N/A' bridge 'N/A'
Configuration file '/etc/wpa_supplicant/wpa_supplicant.conf.broken1' -> '/etc/wpa_supplicant/wpa_supplicant.conf.broken1'
Reading configuration file '/etc/wpa_supplicant/wpa_supplicant.conf.broken1'
ctrl_interface='/var/run/wpa_supplicant'
ctrl_interface_group='wheel'
Priority group 0
   id=0 ssid='wlan'
nl80211: TDLS supported
nl80211: TDLS external setup
nl80211: Supported cipher 00-0f-ac:1
nl80211: Supported cipher 00-0f-ac:5
nl80211: Supported cipher 00-0f-ac:2
nl80211: Supported cipher 00-0f-ac:4
nl80211: Supported cipher 00-0f-ac:10
nl80211: Supported cipher 00-0f-ac:8
nl80211: Supported cipher 00-0f-ac:9
nl80211: Supported cipher 00-0f-ac:6
nl80211: Supported cipher 00-0f-ac:13
nl80211: Supported cipher 00-0f-ac:11
nl80211: Supported cipher 00-0f-ac:12
nl80211: Using driver-based off-channel TX
nl80211: Driver-advertised extended capabilities (default) - hexdump(len=8): 04 00 00 00 00 00 00 40
nl80211: Driver-advertised extended capabilities mask (default) - hexdump(len=8): 04 00 00 00 00 00 00 40
nl80211: Supported vendor command: vendor_id=0x1374 subcmd=1
nl80211: Supported vendor event: vendor_id=0x1374 subcmd=1
nl80211: Use separate P2P group interface (driver advertised support)
nl80211: use P2P_DEVICE support
nl80211: interface wlan4 in phy phy4
nl80211: Set mode ifindex 307 iftype 2 (STATION)
nl80211: Subscribe to mgmt frames with non-AP handle 0x7d75640
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x7d75640 match=040a
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x7d75640 match=040b
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x7d75640 match=040c
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x7d75640 match=040d
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x7d75640 match=090a
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x7d75640 match=090b
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x7d75640 match=090c
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x7d75640 match=090d
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x7d75640 match=0409506f9a09
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x7d75640 match=7f506f9a09
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x7d75640 match=06
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x7d75640 match=0a07
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x7d75640 match=0a11
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x7d75640 match=1101
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x7d75640 match=1102
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x7d75640 match=0505
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x7d75640 match=0500
rfkill: Cannot open RFKILL control device
nl80211: RFKILL status not available
netlink: Operstate: ifindex=307 linkmode=1 (userspace-control), operstate=5 (IF_OPER_DORMANT)
Add interface wlan4 to a new radio phy4
nl80211: Regulatory information - country=CZ (DFS-ETSI)
nl80211: 2400-2483 @ 40 MHz 20 mBm
nl80211: 5150-5250 @ 80 MHz 23 mBm (no outdoor)
nl80211: 5250-5350 @ 80 MHz 20 mBm (no outdoor) (DFS)
nl80211: 5470-5725 @ 160 MHz 26 mBm (DFS)
nl80211: 57000-66000 @ 2160 MHz 40 mBm
nl80211: Added 802.11b mode based on 802.11g information
wlan4: Own MAC address: fa:e2:13:52:5e:0d
wpa_driver_nl80211_set_key: ifindex=307 (wlan4) alg=0 addr=(nil) key_idx=0 set_tx=0 seq_len=0 key_len=0
wpa_driver_nl80211_set_key: ifindex=307 (wlan4) alg=0 addr=(nil) key_idx=1 set_tx=0 seq_len=0 key_len=0
wpa_driver_nl80211_set_key: ifindex=307 (wlan4) alg=0 addr=(nil) key_idx=2 set_tx=0 seq_len=0 key_len=0
wpa_driver_nl80211_set_key: ifindex=307 (wlan4) alg=0 addr=(nil) key_idx=3 set_tx=0 seq_len=0 key_len=0
wlan4: RSN: flushing PMKID list in the driver
nl80211: Flush PMKIDs
wlan4: Setting scan request: 0.100000 sec
wlan4: WPS: UUID based on MAC address: 6fbcfb37-2f60-5745-8581-e5ab7fec151a
ENGINE: Loading dynamic engine
ENGINE: Loading dynamic engine
EAPOL: SUPP_PAE entering state DISCONNECTED
EAPOL: Supplicant port status: Unauthorized
nl80211: Skip set_supp_port(unauthorized) while not associated
EAPOL: KEY_RX entering state NO_KEY_RECEIVE
EAPOL: SUPP_BE entering state INITIALIZE
EAP: EAP entering state DISABLED
Using existing control interface directory.
ctrl_interface_group=10 (from group name 'wheel')
ctrl_iface bind(PF_UNIX) failed: Address already in use
ctrl_iface exists, but does not allow connections - assuming it was leftover from forced program termination
Successfully replaced leftover ctrl_iface socket '/var/run/wpa_supplicant/wlan4'
wlan4: Added interface wlan4
wlan4: State: DISCONNECTED -> DISCONNECTED
nl80211: Set wlan4 operstate 0->0 (DORMANT)
netlink: Operstate: ifindex=307 linkmode=-1 (no change), operstate=5 (IF_OPER_DORMANT)
nl80211: Create interface iftype 10 (P2P_DEVICE)
nl80211: New P2P Device interface p2p-dev-wlan4 (0x40000006c) created
Initializing interface 'p2p-dev-wlan4' conf '/etc/wpa_supplicant/wpa_supplicant.conf.broken1' driver 'nl80211' ctrl_interface '/var/run/wpa_supplicant' bridge 'N/A'
Configuration file '/etc/wpa_supplicant/wpa_supplicant.conf.broken1' -> '/etc/wpa_supplicant/wpa_supplicant.conf.broken1'
Reading configuration file '/etc/wpa_supplicant/wpa_supplicant.conf.broken1'
ctrl_interface='/var/run/wpa_supplicant'
ctrl_interface_group='wheel'
Priority group 0
   id=0 ssid='wlan'
nl80211: TDLS supported
nl80211: TDLS external setup
nl80211: Supported cipher 00-0f-ac:1
nl80211: Supported cipher 00-0f-ac:5
nl80211: Supported cipher 00-0f-ac:2
nl80211: Supported cipher 00-0f-ac:4
nl80211: Supported cipher 00-0f-ac:10
nl80211: Supported cipher 00-0f-ac:8
nl80211: Supported cipher 00-0f-ac:9
nl80211: Supported cipher 00-0f-ac:6
nl80211: Supported cipher 00-0f-ac:13
nl80211: Supported cipher 00-0f-ac:11
nl80211: Supported cipher 00-0f-ac:12
nl80211: Using driver-based off-channel TX
nl80211: Driver-advertised extended capabilities (default) - hexdump(len=8): 04 00 00 00 00 00 00 40
nl80211: Driver-advertised extended capabilities mask (default) - hexdump(len=8): 04 00 00 00 00 00 00 40
nl80211: Supported vendor command: vendor_id=0x1374 subcmd=1
nl80211: Supported vendor event: vendor_id=0x1374 subcmd=1
nl80211: Use separate P2P group interface (driver advertised support)
nl80211: use P2P_DEVICE support
nl80211: interface p2p-dev-wlan4 in phy phy4
nl80211: Set mode ifindex 0 iftype 10 (P2P_DEVICE)
nl80211: Failed to set interface 0 to mode 10: -22 (Invalid argument)
nl80211: Subscribe to mgmt frames with non-AP handle 0x7f23620
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x7f23620 match=040a
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x7f23620 match=040b
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x7f23620 match=040c
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x7f23620 match=040d
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x7f23620 match=090a
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x7f23620 match=090b
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x7f23620 match=090c
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x7f23620 match=090d
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x7f23620 match=0409506f9a09
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x7f23620 match=7f506f9a09
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x7f23620 match=06
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x7f23620 match=0a07
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x7f23620 match=0a11
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x7f23620 match=1101
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x7f23620 match=1102
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x7f23620 match=0505
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x7f23620 match=0500
rfkill: Cannot get wiphy information
nl80211: RFKILL status not available
nl80211: Start P2P Device p2p-dev-wlan4 (0x40000006c): Device or resource busy
nl80211: Could not set interface 'p2p-dev-wlan4' UP
nl80211: deinit ifname=p2p-dev-wlan4 disabled_11b_rates=0
nl80211: Remove monitor interface: refcount=0
netlink: Operstate: ifindex=0 linkmode=0 (kernel-control), operstate=6 (IF_OPER_UP)
nl80211: Stop P2P Device p2p-dev-wlan4 (0x40000006c): Network is down
nl80211: Unsubscribe mgmt frames handle 0x888888888f7abea9 (deinit)
nl80211: Delete P2P Device p2p-dev-wlan4 (0x40000006c): Success
p2p-dev-wlan4: Failed to initialize driver interface
Failed to add interface p2p-dev-wlan4
p2p-dev-wlan4: Cancelling scan request
p2p-dev-wlan4: Cancelling authentication timeout
Off-channel: Clear pending Action frame TX (pending_action_tx=(nil)
P2P: Failed to add P2P Device interface
P2P: Failed to enable P2P Device interface
wlan4: State: DISCONNECTED -> SCANNING
wlan4: Starting AP scan for wildcard SSID
wlan4: Add radio work 'scan'@0x7fa8eb0
wlan4: First radio work item in the queue - schedule start immediately
random: Got 20/20 bytes from /dev/random
wlan4: Starting radio work 'scan'@0x7fa8eb0 after 0.003769 second wait
wlan4: nl80211: scan request
Scan requested (ret=0) - scan timeout 10 seconds
nl80211: Drv Event 33 (NL80211_CMD_TRIGGER_SCAN) received for wlan4
wlan4: nl80211: Scan trigger
wlan4: Event SCAN_STARTED (47) received
wlan4: Own scan request started a scan in 0.003607 seconds
EAPOL: disable timer tick
RTM_NEWLINK: ifi_index=307 ifname=wlan4 wext ifi_family=0 ifi_flags=0x1003 ([UP])
nl80211: Drv Event 34 (NL80211_CMD_NEW_SCAN_RESULTS) received for wlan4
wlan4: nl80211: New scan results available
nl80211: Scan probed for SSID ''
nl80211: Scan included frequencies: 2412 2417 2422 2427 2432 2437 2442 2447 2452 2457 2462 2467 2472 5180 5200 5220 5240 5260 5280 5300 5320 5500 5520 5540 5560 5580 5600 5620 5640 5660 5680 5700
wlan4: Event SCAN_RESULTS (3) received
wlan4: Scan completed in 2.736310 seconds
nl80211: Received scan results (1 BSSes)
wlan4: BSS: Start scan result update 1
wlan4: BSS: Add new id 0 BSSID ea:be:a9:38:42:9e SSID 'wlan' freq 2412
BSS: last_scan_res_used=1/32
wlan4: New scan results available (own=1 ext=0)
wlan4: Radio work 'scan'@0x7fa8eb0 done in 2.761469 seconds
wlan4: radio_work_free('scan'@0x7fa8eb0: num_active_works --> 0
wlan4: Selecting BSS from priority group 0
wlan4: 0: ea:be:a9:38:42:9e ssid='wlan' wpa_ie_len=0 rsn_ie_len=24 caps=0x411 level=-30 freq=2412 
wlan4:    selected based on RSN IE
wlan4:    selected BSS ea:be:a9:38:42:9e ssid='wlan'
wlan4: Considering connect request: reassociate: 0  selected: ea:be:a9:38:42:9e  bssid: 00:00:00:00:00:00  pending: 00:00:00:00:00:00  wpa_state: SCANNING  ssid=0x7cdbcf0  current_ssid=(nil)
wlan4: Request association with ea:be:a9:38:42:9e
wlan4: Add radio work 'sme-connect'@0x7fca290
wlan4: First radio work item in the queue - schedule start immediately
wlan4: Starting radio work 'sme-connect'@0x7fca290 after 0.001298 second wait
wlan4: Automatic auth_alg selection: 0x1
RSN: PMKSA cache search - network_ctx=(nil) try_opportunistic=0
RSN: Search for BSSID ea:be:a9:38:42:9e
RSN: No PMKSA cache entry found
wlan4: RSN: using IEEE 802.11i/D9.0
wlan4: WPA: Selected cipher suites: group 8 pairwise 24 key_mgmt 1 proto 2
wlan4: WPA: clearing AP WPA IE
WPA: set AP RSN IE - hexdump(len=26): 30 18 01 00 00 0f ac 02 02 00 00 0f ac 04 00 0f ac 02 01 00 00 0f ac 01 00 00
wlan4: WPA: using GTK TKIP
wlan4: WPA: using PTK CCMP
wlan4: WPA: using KEY_MGMT 802.1X
WPA: Set own WPA IE default - hexdump(len=22): 30 14 01 00 00 0f ac 02 01 00 00 0f ac 04 01 00 00 0f ac 01 00 00
RRM: Determining whether RRM can be used - device support: 0x10
RRM: No RRM in network
wlan4: Cancelling scan request
wlan4: SME: Trying to authenticate with ea:be:a9:38:42:9e (SSID='wlan' freq=2412 MHz)
wlan4: State: SCANNING -> AUTHENTICATING
EAPOL: External notification - EAP success=0
EAPOL: External notification - EAP fail=0
EAPOL: External notification - portControl=Auto
wlan4: Determining shared radio frequencies (max len 1)
wlan4: Shared frequencies (len=0): completed iteration
nl80211: Authenticate (ifindex=307)
  * bssid=ea:be:a9:38:42:9e
  * freq=2412
  * SSID - hexdump_ascii(len=4):
     77 6c 61 6e                                       wlan            
  * IEs - hexdump(len=0): [NULL]
  * Auth Type 0
nl80211: Authentication request send successfully
nl80211: Drv Event 19 (NL80211_CMD_NEW_STATION) received for wlan4
nl80211: New station ea:be:a9:38:42:9e
nl80211: Drv Event 37 (NL80211_CMD_AUTHENTICATE) received for wlan4
nl80211: Authenticate event
wlan4: Event AUTH (11) received
wlan4: SME: Authentication response: peer=ea:be:a9:38:42:9e auth_type=0 auth_transaction=2 status_code=0
wlan4: Trying to associate with ea:be:a9:38:42:9e (SSID='wlan' freq=2412 MHz)
wlan4: State: AUTHENTICATING -> ASSOCIATING
nl80211: Set wlan4 operstate 0->0 (DORMANT)
netlink: Operstate: ifindex=307 linkmode=-1 (no change), operstate=5 (IF_OPER_DORMANT)
WPA: set own WPA/RSN IE - hexdump(len=22): 30 14 01 00 00 0f ac 02 01 00 00 0f ac 04 01 00 00 0f ac 01 00 00
nl80211: Associate (ifindex=307)
  * bssid=ea:be:a9:38:42:9e
  * freq=2412
  * SSID - hexdump_ascii(len=4):
     77 6c 61 6e                                       wlan            
  * IEs - hexdump(len=32): 30 14 01 00 00 0f ac 02 01 00 00 0f ac 04 01 00 00 0f ac 01 00 00 7f 08 04 00 00 00 00 00 00 40
  * WPA Versions 0x2
  * pairwise=0xfac04
  * group=0xfac02
  * akm=0xfac01
nl80211: Association request send successfully
RTM_NEWLINK: ifi_index=307 ifname=wlan4 wext ifi_family=0 ifi_flags=0x11003 ([UP][LOWER_UP])
RTM_NEWLINK: ifi_index=307 ifname=wlan4 wext ifi_family=0 ifi_flags=0x11003 ([UP][LOWER_UP])
RTM_NEWLINK: ifi_index=307 ifname=wlan4 operstate=5 linkmode=1 ifi_family=0 ifi_flags=0x11003 ([UP][LOWER_UP])
nl80211: Drv Event 38 (NL80211_CMD_ASSOCIATE) received for wlan4
nl80211: Associate event
wlan4: Event ASSOC (0) received
wlan4: Association info event
resp_ies - hexdump(len=26): 01 08 82 84 8b 96 0c 12 18 24 32 04 30 48 60 6c 7f 08 04 00 00 00 00 00 00 40
wlan4: freq=2412 MHz
wlan4: State: ASSOCIATING -> ASSOCIATED
nl80211: Set wlan4 operstate 0->0 (DORMANT)
netlink: Operstate: ifindex=307 linkmode=-1 (no change), operstate=5 (IF_OPER_DORMANT)
wlan4: Associated to a new BSS: BSSID=ea:be:a9:38:42:9e
wlan4: Associated with ea:be:a9:38:42:9e
wlan4: WPA: Association event - clear replay counter
wlan4: WPA: Clear old PTK
EAPOL: External notification - portEnabled=0
EAPOL: External notification - portValid=0
EAPOL: External notification - portEnabled=1
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: enable timer tick
EAPOL: SUPP_BE entering state IDLE
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
wlan4: Setting authentication timeout: 10 sec 0 usec
wlan4: Cancelling scan request
WMM AC: No WMM IE
wlan4: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
l2_packet_receive: src=ea:be:a9:38:42:9e len=9
wlan4: RX EAPOL from ea:be:a9:38:42:9e
wlan4: Setting authentication timeout: 70 sec 0 usec
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_PAE entering state RESTART
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
EAPOL: SUPP_PAE entering state AUTHENTICATING
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=90 method=1 vendor=0 vendorMethod=0
EAP: EAP entering state IDENTITY
wlan4: CTRL-EVENT-EAP-STARTED EAP authentication started
EAP: Status notification: started (param=)
EAP: EAP-Request Identity data - hexdump_ascii(len=0):
EAP: using real identity - hexdump_ascii(len=16):
     75 73 65 72 40 65 78 61 6d 70 6c 65 2e 63 6f 6d   user@example.com
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
TX EAPOL: dst=ea:be:a9:38:42:9e
EAPOL: SUPP_BE entering state RECEIVE
nl80211: Drv Event 46 (NL80211_CMD_CONNECT) received for wlan4
nl80211: Ignore connect event (cmd=46) when using userspace SME
l2_packet_receive: src=ea:be:a9:38:42:9e len=10
wlan4: RX EAPOL from ea:be:a9:38:42:9e
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=91 method=25 vendor=0 vendorMethod=0
EAP: EAP entering state GET_METHOD
EAP: configuration does not allow: vendor 0 method 25
EAP: vendor 0 method 25 not allowed
wlan4: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25 -> NAK
EAP: Status notification: refuse proposed method (param=PEAP)
EAP: Building EAP-Nak (requested type 25 vendor=0 method=0 not allowed)
EAP: allowed methods - hexdump(len=1): 0d
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
TX EAPOL: dst=ea:be:a9:38:42:9e
EAPOL: SUPP_BE entering state RECEIVE
l2_packet_receive: src=ea:be:a9:38:42:9e len=10
wlan4: RX EAPOL from ea:be:a9:38:42:9e
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=92 method=13 vendor=0 vendorMethod=0
EAP: EAP entering state GET_METHOD
wlan4: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
EAP: Status notification: accept proposed method (param=TLS)
EAP: Initialize selected EAP method: vendor 0 method 13 (TLS)
TLS: using phase1 config options
SSL: Initializing TLS engine
ENGINE: engine initialized
ENGINE: SSL_use_certificate --> OK
TLS: Using private key from engine
wlan4: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
EAP: EAP entering state METHOD
SSL: Received packet(len=6) - Flags 0x20
EAP-TLS: Start
SSL: (where=0x10 ret=0x1)
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:before SSL initialization
OpenSSL: TX ver=0x0 content_type=256 (TLS header info/)
OpenSSL: TX ver=0x303 content_type=22 (handshake/client hello)
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3/TLS write client hello
SSL: (where=0x1002 ret=0xffffffff)
SSL: SSL_connect:error in SSLv3/TLS write client hello
SSL: SSL_connect - want more data
SSL: 172 bytes pending from ssl_out
SSL: 172 bytes left to be sent out (of total 172 bytes)
EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL eapRespData=0xa4becd0
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
TX EAPOL: dst=ea:be:a9:38:42:9e
EAPOL: SUPP_BE entering state RECEIVE
l2_packet_receive: src=ea:be:a9:38:42:9e len=1407
wlan4: RX EAPOL from ea:be:a9:38:42:9e
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=93 method=13 vendor=0 vendorMethod=0
EAP: EAP entering state METHOD
SSL: Received packet(len=1403) - Flags 0xc0
SSL: TLS Message Length: 1804
SSL: Need 411 bytes more input data
SSL: Building ACK (type=13 id=93 ver=0)
EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL eapRespData=0xa4bfdd0
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
TX EAPOL: dst=ea:be:a9:38:42:9e
EAPOL: SUPP_BE entering state RECEIVE
l2_packet_receive: src=ea:be:a9:38:42:9e len=421
wlan4: RX EAPOL from ea:be:a9:38:42:9e
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=94 method=13 vendor=0 vendorMethod=0
EAP: EAP entering state METHOD
SSL: Received packet(len=417) - Flags 0x00
OpenSSL: RX ver=0x0 content_type=256 (TLS header info/)
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3/TLS write client hello
OpenSSL: RX ver=0x303 content_type=22 (handshake/server hello)
OpenSSL: RX ver=0x0 content_type=256 (TLS header info/)
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3/TLS read server hello
OpenSSL: RX ver=0x303 content_type=22 (handshake/certificate)
TLS: tls_verify_cb - preverify_ok=1 err=19 (self signed certificate in certificate chain) ca_cert_verify=0 depth=1 buf='/CN=Easy-RSA CA'
wlan4: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/CN=Easy-RSA CA' hash=8855130a6b33718f5acab33ca2101975a38fade40ae694a2d0ea42b5cc43b134
TLS: tls_verify_cb - preverify_ok=1 err=19 (self signed certificate in certificate chain) ca_cert_verify=0 depth=1 buf='/CN=Easy-RSA CA'
wlan4: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/CN=Easy-RSA CA' hash=8855130a6b33718f5acab33ca2101975a38fade40ae694a2d0ea42b5cc43b134
TLS: tls_verify_cb - preverify_ok=1 err=19 (self signed certificate in certificate chain) ca_cert_verify=0 depth=0 buf='/CN=server'
wlan4: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/CN=server' hash=33a85e95a72d353d413e145951c3cf444ce0a88806fb5b6eda5fe906e33f69a2
EAP: Status notification: remote certificate verification (param=success)
OpenSSL: RX ver=0x0 content_type=256 (TLS header info/)
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3/TLS read server certificate
OpenSSL: RX ver=0x303 content_type=22 (handshake/certificate request)
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3/TLS read server certificate request
OpenSSL: RX ver=0x303 content_type=22 (handshake/server hello done)
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3/TLS read server done
OpenSSL: TX ver=0x0 content_type=256 (TLS header info/)
OpenSSL: TX ver=0x303 content_type=22 (handshake/certificate)
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3/TLS write client certificate
OpenSSL: TX ver=0x0 content_type=256 (TLS header info/)
OpenSSL: TX ver=0x303 content_type=22 (handshake/client key exchange)
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3/TLS write client key exchange
==29288== Invalid read of size 8
==29288==    at 0x82F2FA1: check_key_fork (p11_front.c:150)
==29288==    by 0x82F397D: PKCS11_private_encrypt (p11_front.c:425)
==29288==    by 0x5A64337: RSA_sign (in /usr/lib64/libcrypto.so.1.1.0c)
==29288==    by 0x5A632EC: ??? (in /usr/lib64/libcrypto.so.1.1.0c)
==29288==    by 0x5A2403C: EVP_SignFinal (in /usr/lib64/libcrypto.so.1.1.0c)
==29288==    by 0x56A7BC0: ??? (in /usr/lib64/libssl.so.1.1.0c)
==29288==    by 0x56A4265: ??? (in /usr/lib64/libssl.so.1.1.0c)
==29288==    by 0x569C6E0: SSL_do_handshake (in /usr/lib64/libssl.so.1.1.0c)
==29288==    by 0x1D9253: openssl_handshake (tls_openssl.c:3277)
==29288==    by 0x1D9253: openssl_connection_handshake (tls_openssl.c:3368)
==29288==    by 0x1D6AEB: eap_tls_process_input (eap_tls_common.c:515)
==29288==    by 0x1D6AEB: eap_peer_tls_process_helper (eap_tls_common.c:663)
==29288==    by 0x170940: eap_tls_process (eap_tls.c:261)
==29288==    by 0x1A2A62: sm_EAP_METHOD_Enter.constprop.25 (eap.c:676)
==29288==  Address 0xa3f18d8 is 40 bytes inside a block of size 48 free'd
==29288==    at 0x4C2ED3A: free (vg_replace_malloc.c:530)
==29288==    by 0x82EFFD1: pkcs11_destroy_keys (p11_key.c:515)
==29288==    by 0x82F22F7: pkcs11_login (p11_slot.c:196)
==29288==    by 0x82ED3DF: pkcs11_load_cert (eng_back.c:442)
==29288==    by 0x82ED3DF: ctrl_load_cert (eng_back.c:495)
==29288==    by 0x82ED3DF: pkcs11_engine_ctrl (eng_back.c:917)
==29288==    by 0x5A06E08: ENGINE_ctrl_cmd (in /usr/lib64/libcrypto.so.1.1.0c)
==29288==    by 0x1D95E2: tls_engine_get_cert.isra.10 (tls_openssl.c:2641)
==29288==    by 0x1DB81D: tls_connection_engine_client_cert (tls_openssl.c:2669)
==29288==    by 0x1DB81D: tls_connection_set_params (tls_openssl.c:4021)
==29288==    by 0x1D6579: eap_tls_init_connection (eap_tls_common.c:210)
==29288==    by 0x1D6579: eap_peer_tls_ssl_init (eap_tls_common.c:269)
==29288==    by 0x17070F: eap_tls_init (eap_tls.c:51)
==29288==    by 0x1A3E96: sm_EAP_GET_METHOD_Enter (eap.c:331)
==29288==    by 0x1A3E96: eap_peer_sm_step_received (eap.c:1006)
==29288==    by 0x1A3E96: eap_peer_sm_step_local (eap.c:1036)
==29288==    by 0x1A3E96: sm_EAP_Step (eap.c:1110)
==29288==    by 0x1A3E96: eap_peer_sm_step (eap.c:2004)
==29288==    by 0x1A0BA0: eapol_sm_step (eapol_supp_sm.c:961)
==29288==    by 0x1A1793: eapol_sm_rx_eapol (eapol_supp_sm.c:1346)
==29288==  Block was alloc'd at
==29288==    at 0x4C2DB8D: malloc (vg_replace_malloc.c:299)
==29288==    by 0x82EF43F: pkcs11_init_key.isra.0 (p11_key.c:461)
==29288==    by 0x82F01B5: UnknownInlinedFun (p11_key.c:422)
==29288==    by 0x82F01B5: pkcs11_find_keys (p11_key.c:400)
==29288==    by 0x82F01B5: pkcs11_enumerate_keys (p11_key.c:362)
==29288==    by 0x82EC3D9: pkcs11_load_key (eng_back.c:767)
==29288==    by 0x82ECD9B: pkcs11_load_private_key (eng_back.c:841)
==29288==    by 0x5A098CE: ENGINE_load_private_key (in /usr/lib64/libcrypto.so.1.1.0c)
==29288==    by 0x1DB656: tls_engine_init (tls_openssl.c:1155)
==29288==    by 0x1DB656: tls_connection_set_params (tls_openssl.c:3999)
==29288==    by 0x1D6579: eap_tls_init_connection (eap_tls_common.c:210)
==29288==    by 0x1D6579: eap_peer_tls_ssl_init (eap_tls_common.c:269)
==29288==    by 0x17070F: eap_tls_init (eap_tls.c:51)
==29288==    by 0x1A3E96: sm_EAP_GET_METHOD_Enter (eap.c:331)
==29288==    by 0x1A3E96: eap_peer_sm_step_received (eap.c:1006)
==29288==    by 0x1A3E96: eap_peer_sm_step_local (eap.c:1036)
==29288==    by 0x1A3E96: sm_EAP_Step (eap.c:1110)
==29288==    by 0x1A3E96: eap_peer_sm_step (eap.c:2004)
==29288==    by 0x1A0BA0: eapol_sm_step (eapol_supp_sm.c:961)
==29288==    by 0x1A1793: eapol_sm_rx_eapol (eapol_supp_sm.c:1346)
==29288== 
==29288== Invalid read of size 8
==29288==    at 0x82F2FA8: check_key_fork (p11_front.c:150)
==29288==    by 0x82F397D: PKCS11_private_encrypt (p11_front.c:425)
==29288==    by 0x5A64337: RSA_sign (in /usr/lib64/libcrypto.so.1.1.0c)
==29288==    by 0x5A632EC: ??? (in /usr/lib64/libcrypto.so.1.1.0c)
==29288==    by 0x5A2403C: EVP_SignFinal (in /usr/lib64/libcrypto.so.1.1.0c)
==29288==    by 0x56A7BC0: ??? (in /usr/lib64/libssl.so.1.1.0c)
==29288==    by 0x56A4265: ??? (in /usr/lib64/libssl.so.1.1.0c)
==29288==    by 0x569C6E0: SSL_do_handshake (in /usr/lib64/libssl.so.1.1.0c)
==29288==    by 0x1D9253: openssl_handshake (tls_openssl.c:3277)
==29288==    by 0x1D9253: openssl_connection_handshake (tls_openssl.c:3368)
==29288==    by 0x1D6AEB: eap_tls_process_input (eap_tls_common.c:515)
==29288==    by 0x1D6AEB: eap_peer_tls_process_helper (eap_tls_common.c:663)
==29288==    by 0x170940: eap_tls_process (eap_tls.c:261)
==29288==    by 0x1A2A62: sm_EAP_METHOD_Enter.constprop.25 (eap.c:676)
==29288==  Address 0xa3f1920 is 0 bytes inside a block of size 296 free'd
==29288==    at 0x4C2ED3A: free (vg_replace_malloc.c:530)
==29288==    by 0x82EFFFC: pkcs11_destroy_keys (p11_key.c:512)
==29288==    by 0x82F22F7: pkcs11_login (p11_slot.c:196)
==29288==    by 0x82ED3DF: pkcs11_load_cert (eng_back.c:442)
==29288==    by 0x82ED3DF: ctrl_load_cert (eng_back.c:495)
==29288==    by 0x82ED3DF: pkcs11_engine_ctrl (eng_back.c:917)
==29288==    by 0x5A06E08: ENGINE_ctrl_cmd (in /usr/lib64/libcrypto.so.1.1.0c)
==29288==    by 0x1D95E2: tls_engine_get_cert.isra.10 (tls_openssl.c:2641)
==29288==    by 0x1DB81D: tls_connection_engine_client_cert (tls_openssl.c:2669)
==29288==    by 0x1DB81D: tls_connection_set_params (tls_openssl.c:4021)
==29288==    by 0x1D6579: eap_tls_init_connection (eap_tls_common.c:210)
==29288==    by 0x1D6579: eap_peer_tls_ssl_init (eap_tls_common.c:269)
==29288==    by 0x17070F: eap_tls_init (eap_tls.c:51)
==29288==    by 0x1A3E96: sm_EAP_GET_METHOD_Enter (eap.c:331)
==29288==    by 0x1A3E96: eap_peer_sm_step_received (eap.c:1006)
==29288==    by 0x1A3E96: eap_peer_sm_step_local (eap.c:1036)
==29288==    by 0x1A3E96: sm_EAP_Step (eap.c:1110)
==29288==    by 0x1A3E96: eap_peer_sm_step (eap.c:2004)
==29288==    by 0x1A0BA0: eapol_sm_step (eapol_supp_sm.c:961)
==29288==    by 0x1A1793: eapol_sm_rx_eapol (eapol_supp_sm.c:1346)
==29288==  Block was alloc'd at
==29288==    at 0x4C2DB8D: malloc (vg_replace_malloc.c:299)
==29288==    by 0x82EF4A7: pkcs11_init_key.isra.0 (p11_key.c:471)
==29288==    by 0x82F01B5: UnknownInlinedFun (p11_key.c:422)
==29288==    by 0x82F01B5: pkcs11_find_keys (p11_key.c:400)
==29288==    by 0x82F01B5: pkcs11_enumerate_keys (p11_key.c:362)
==29288==    by 0x82EC3D9: pkcs11_load_key (eng_back.c:767)
==29288==    by 0x82ECD9B: pkcs11_load_private_key (eng_back.c:841)
==29288==    by 0x5A098CE: ENGINE_load_private_key (in /usr/lib64/libcrypto.so.1.1.0c)
==29288==    by 0x1DB656: tls_engine_init (tls_openssl.c:1155)
==29288==    by 0x1DB656: tls_connection_set_params (tls_openssl.c:3999)
==29288==    by 0x1D6579: eap_tls_init_connection (eap_tls_common.c:210)
==29288==    by 0x1D6579: eap_peer_tls_ssl_init (eap_tls_common.c:269)
==29288==    by 0x17070F: eap_tls_init (eap_tls.c:51)
==29288==    by 0x1A3E96: sm_EAP_GET_METHOD_Enter (eap.c:331)
==29288==    by 0x1A3E96: eap_peer_sm_step_received (eap.c:1006)
==29288==    by 0x1A3E96: eap_peer_sm_step_local (eap.c:1036)
==29288==    by 0x1A3E96: sm_EAP_Step (eap.c:1110)
==29288==    by 0x1A3E96: eap_peer_sm_step (eap.c:2004)
==29288==    by 0x1A0BA0: eapol_sm_step (eapol_supp_sm.c:961)
==29288==    by 0x1A1793: eapol_sm_rx_eapol (eapol_supp_sm.c:1346)
==29288== 
==29288== Invalid read of size 8
==29288==    at 0x82F2FC7: UnknownInlinedFun (p11_front.c:83)
==29288==    by 0x82F2FC7: check_key_fork (p11_front.c:152)
==29288==    by 0x82F397D: PKCS11_private_encrypt (p11_front.c:425)
==29288==    by 0x5A64337: RSA_sign (in /usr/lib64/libcrypto.so.1.1.0c)
==29288==    by 0x5A632EC: ??? (in /usr/lib64/libcrypto.so.1.1.0c)
==29288==    by 0x5A2403C: EVP_SignFinal (in /usr/lib64/libcrypto.so.1.1.0c)
==29288==    by 0x56A7BC0: ??? (in /usr/lib64/libssl.so.1.1.0c)
==29288==    by 0x56A4265: ??? (in /usr/lib64/libssl.so.1.1.0c)
==29288==    by 0x569C6E0: SSL_do_handshake (in /usr/lib64/libssl.so.1.1.0c)
==29288==    by 0x1D9253: openssl_handshake (tls_openssl.c:3277)
==29288==    by 0x1D9253: openssl_connection_handshake (tls_openssl.c:3368)
==29288==    by 0x1D6AEB: eap_tls_process_input (eap_tls_common.c:515)
==29288==    by 0x1D6AEB: eap_peer_tls_process_helper (eap_tls_common.c:663)
==29288==    by 0x170940: eap_tls_process (eap_tls.c:261)
==29288==    by 0x1A2A62: sm_EAP_METHOD_Enter.constprop.25 (eap.c:676)
==29288==  Address 0xa3f18d8 is 40 bytes inside a block of size 48 free'd
==29288==    at 0x4C2ED3A: free (vg_replace_malloc.c:530)
==29288==    by 0x82EFFD1: pkcs11_destroy_keys (p11_key.c:515)
==29288==    by 0x82F22F7: pkcs11_login (p11_slot.c:196)
==29288==    by 0x82ED3DF: pkcs11_load_cert (eng_back.c:442)
==29288==    by 0x82ED3DF: ctrl_load_cert (eng_back.c:495)
==29288==    by 0x82ED3DF: pkcs11_engine_ctrl (eng_back.c:917)
==29288==    by 0x5A06E08: ENGINE_ctrl_cmd (in /usr/lib64/libcrypto.so.1.1.0c)
==29288==    by 0x1D95E2: tls_engine_get_cert.isra.10 (tls_openssl.c:2641)
==29288==    by 0x1DB81D: tls_connection_engine_client_cert (tls_openssl.c:2669)
==29288==    by 0x1DB81D: tls_connection_set_params (tls_openssl.c:4021)
==29288==    by 0x1D6579: eap_tls_init_connection (eap_tls_common.c:210)
==29288==    by 0x1D6579: eap_peer_tls_ssl_init (eap_tls_common.c:269)
==29288==    by 0x17070F: eap_tls_init (eap_tls.c:51)
==29288==    by 0x1A3E96: sm_EAP_GET_METHOD_Enter (eap.c:331)
==29288==    by 0x1A3E96: eap_peer_sm_step_received (eap.c:1006)
==29288==    by 0x1A3E96: eap_peer_sm_step_local (eap.c:1036)
==29288==    by 0x1A3E96: sm_EAP_Step (eap.c:1110)
==29288==    by 0x1A3E96: eap_peer_sm_step (eap.c:2004)
==29288==    by 0x1A0BA0: eapol_sm_step (eapol_supp_sm.c:961)
==29288==    by 0x1A1793: eapol_sm_rx_eapol (eapol_supp_sm.c:1346)
==29288==  Block was alloc'd at
==29288==    at 0x4C2DB8D: malloc (vg_replace_malloc.c:299)
==29288==    by 0x82EF43F: pkcs11_init_key.isra.0 (p11_key.c:461)
==29288==    by 0x82F01B5: UnknownInlinedFun (p11_key.c:422)
==29288==    by 0x82F01B5: pkcs11_find_keys (p11_key.c:400)
==29288==    by 0x82F01B5: pkcs11_enumerate_keys (p11_key.c:362)
==29288==    by 0x82EC3D9: pkcs11_load_key (eng_back.c:767)
==29288==    by 0x82ECD9B: pkcs11_load_private_key (eng_back.c:841)
==29288==    by 0x5A098CE: ENGINE_load_private_key (in /usr/lib64/libcrypto.so.1.1.0c)
==29288==    by 0x1DB656: tls_engine_init (tls_openssl.c:1155)
==29288==    by 0x1DB656: tls_connection_set_params (tls_openssl.c:3999)
==29288==    by 0x1D6579: eap_tls_init_connection (eap_tls_common.c:210)
==29288==    by 0x1D6579: eap_peer_tls_ssl_init (eap_tls_common.c:269)
==29288==    by 0x17070F: eap_tls_init (eap_tls.c:51)
==29288==    by 0x1A3E96: sm_EAP_GET_METHOD_Enter (eap.c:331)
==29288==    by 0x1A3E96: eap_peer_sm_step_received (eap.c:1006)
==29288==    by 0x1A3E96: eap_peer_sm_step_local (eap.c:1036)
==29288==    by 0x1A3E96: sm_EAP_Step (eap.c:1110)
==29288==    by 0x1A3E96: eap_peer_sm_step (eap.c:2004)
==29288==    by 0x1A0BA0: eapol_sm_step (eapol_supp_sm.c:961)
==29288==    by 0x1A1793: eapol_sm_rx_eapol (eapol_supp_sm.c:1346)
==29288== 
==29288== Invalid read of size 8
==29288==    at 0x82F2FCB: UnknownInlinedFun (p11_front.c:83)
==29288==    by 0x82F2FCB: check_key_fork (p11_front.c:152)
==29288==    by 0x82F397D: PKCS11_private_encrypt (p11_front.c:425)
==29288==    by 0x5A64337: RSA_sign (in /usr/lib64/libcrypto.so.1.1.0c)
==29288==    by 0x5A632EC: ??? (in /usr/lib64/libcrypto.so.1.1.0c)
==29288==    by 0x5A2403C: EVP_SignFinal (in /usr/lib64/libcrypto.so.1.1.0c)
==29288==    by 0x56A7BC0: ??? (in /usr/lib64/libssl.so.1.1.0c)
==29288==    by 0x56A4265: ??? (in /usr/lib64/libssl.so.1.1.0c)
==29288==    by 0x569C6E0: SSL_do_handshake (in /usr/lib64/libssl.so.1.1.0c)
==29288==    by 0x1D9253: openssl_handshake (tls_openssl.c:3277)
==29288==    by 0x1D9253: openssl_connection_handshake (tls_openssl.c:3368)
==29288==    by 0x1D6AEB: eap_tls_process_input (eap_tls_common.c:515)
==29288==    by 0x1D6AEB: eap_peer_tls_process_helper (eap_tls_common.c:663)
==29288==    by 0x170940: eap_tls_process (eap_tls.c:261)
==29288==    by 0x1A2A62: sm_EAP_METHOD_Enter.constprop.25 (eap.c:676)
==29288==  Address 0xa3f1920 is 0 bytes inside a block of size 296 free'd
==29288==    at 0x4C2ED3A: free (vg_replace_malloc.c:530)
==29288==    by 0x82EFFFC: pkcs11_destroy_keys (p11_key.c:512)
==29288==    by 0x82F22F7: pkcs11_login (p11_slot.c:196)
==29288==    by 0x82ED3DF: pkcs11_load_cert (eng_back.c:442)
==29288==    by 0x82ED3DF: ctrl_load_cert (eng_back.c:495)
==29288==    by 0x82ED3DF: pkcs11_engine_ctrl (eng_back.c:917)
==29288==    by 0x5A06E08: ENGINE_ctrl_cmd (in /usr/lib64/libcrypto.so.1.1.0c)
==29288==    by 0x1D95E2: tls_engine_get_cert.isra.10 (tls_openssl.c:2641)
==29288==    by 0x1DB81D: tls_connection_engine_client_cert (tls_openssl.c:2669)
==29288==    by 0x1DB81D: tls_connection_set_params (tls_openssl.c:4021)
==29288==    by 0x1D6579: eap_tls_init_connection (eap_tls_common.c:210)
==29288==    by 0x1D6579: eap_peer_tls_ssl_init (eap_tls_common.c:269)
==29288==    by 0x17070F: eap_tls_init (eap_tls.c:51)
==29288==    by 0x1A3E96: sm_EAP_GET_METHOD_Enter (eap.c:331)
==29288==    by 0x1A3E96: eap_peer_sm_step_received (eap.c:1006)
==29288==    by 0x1A3E96: eap_peer_sm_step_local (eap.c:1036)
==29288==    by 0x1A3E96: sm_EAP_Step (eap.c:1110)
==29288==    by 0x1A3E96: eap_peer_sm_step (eap.c:2004)
==29288==    by 0x1A0BA0: eapol_sm_step (eapol_supp_sm.c:961)
==29288==    by 0x1A1793: eapol_sm_rx_eapol (eapol_supp_sm.c:1346)
==29288==  Block was alloc'd at
==29288==    at 0x4C2DB8D: malloc (vg_replace_malloc.c:299)
==29288==    by 0x82EF4A7: pkcs11_init_key.isra.0 (p11_key.c:471)
==29288==    by 0x82F01B5: UnknownInlinedFun (p11_key.c:422)
==29288==    by 0x82F01B5: pkcs11_find_keys (p11_key.c:400)
==29288==    by 0x82F01B5: pkcs11_enumerate_keys (p11_key.c:362)
==29288==    by 0x82EC3D9: pkcs11_load_key (eng_back.c:767)
==29288==    by 0x82ECD9B: pkcs11_load_private_key (eng_back.c:841)
==29288==    by 0x5A098CE: ENGINE_load_private_key (in /usr/lib64/libcrypto.so.1.1.0c)
==29288==    by 0x1DB656: tls_engine_init (tls_openssl.c:1155)
==29288==    by 0x1DB656: tls_connection_set_params (tls_openssl.c:3999)
==29288==    by 0x1D6579: eap_tls_init_connection (eap_tls_common.c:210)
==29288==    by 0x1D6579: eap_peer_tls_ssl_init (eap_tls_common.c:269)
==29288==    by 0x17070F: eap_tls_init (eap_tls.c:51)
==29288==    by 0x1A3E96: sm_EAP_GET_METHOD_Enter (eap.c:331)
==29288==    by 0x1A3E96: eap_peer_sm_step_received (eap.c:1006)
==29288==    by 0x1A3E96: eap_peer_sm_step_local (eap.c:1036)
==29288==    by 0x1A3E96: sm_EAP_Step (eap.c:1110)
==29288==    by 0x1A3E96: eap_peer_sm_step (eap.c:2004)
==29288==    by 0x1A0BA0: eapol_sm_step (eapol_supp_sm.c:961)
==29288==    by 0x1A1793: eapol_sm_rx_eapol (eapol_supp_sm.c:1346)
==29288== 
==29288== Invalid read of size 4
==29288==    at 0x82F2FE6: UnknownInlinedFun (p11_front.c:89)
==29288==    by 0x82F2FE6: check_key_fork (p11_front.c:152)
==29288==    by 0x82F397D: PKCS11_private_encrypt (p11_front.c:425)
==29288==    by 0x5A64337: RSA_sign (in /usr/lib64/libcrypto.so.1.1.0c)
==29288==    by 0x5A632EC: ??? (in /usr/lib64/libcrypto.so.1.1.0c)
==29288==    by 0x5A2403C: EVP_SignFinal (in /usr/lib64/libcrypto.so.1.1.0c)
==29288==    by 0x56A7BC0: ??? (in /usr/lib64/libssl.so.1.1.0c)
==29288==    by 0x56A4265: ??? (in /usr/lib64/libssl.so.1.1.0c)
==29288==    by 0x569C6E0: SSL_do_handshake (in /usr/lib64/libssl.so.1.1.0c)
==29288==    by 0x1D9253: openssl_handshake (tls_openssl.c:3277)
==29288==    by 0x1D9253: openssl_connection_handshake (tls_openssl.c:3368)
==29288==    by 0x1D6AEB: eap_tls_process_input (eap_tls_common.c:515)
==29288==    by 0x1D6AEB: eap_peer_tls_process_helper (eap_tls_common.c:663)
==29288==    by 0x170940: eap_tls_process (eap_tls.c:261)
==29288==    by 0x1A2A62: sm_EAP_METHOD_Enter.constprop.25 (eap.c:676)
==29288==  Address 0xa3f1a40 is 288 bytes inside a block of size 296 free'd
==29288==    at 0x4C2ED3A: free (vg_replace_malloc.c:530)
==29288==    by 0x82EFFFC: pkcs11_destroy_keys (p11_key.c:512)
==29288==    by 0x82F22F7: pkcs11_login (p11_slot.c:196)
==29288==    by 0x82ED3DF: pkcs11_load_cert (eng_back.c:442)
==29288==    by 0x82ED3DF: ctrl_load_cert (eng_back.c:495)
==29288==    by 0x82ED3DF: pkcs11_engine_ctrl (eng_back.c:917)
==29288==    by 0x5A06E08: ENGINE_ctrl_cmd (in /usr/lib64/libcrypto.so.1.1.0c)
==29288==    by 0x1D95E2: tls_engine_get_cert.isra.10 (tls_openssl.c:2641)
==29288==    by 0x1DB81D: tls_connection_engine_client_cert (tls_openssl.c:2669)
==29288==    by 0x1DB81D: tls_connection_set_params (tls_openssl.c:4021)
==29288==    by 0x1D6579: eap_tls_init_connection (eap_tls_common.c:210)
==29288==    by 0x1D6579: eap_peer_tls_ssl_init (eap_tls_common.c:269)
==29288==    by 0x17070F: eap_tls_init (eap_tls.c:51)
==29288==    by 0x1A3E96: sm_EAP_GET_METHOD_Enter (eap.c:331)
==29288==    by 0x1A3E96: eap_peer_sm_step_received (eap.c:1006)
==29288==    by 0x1A3E96: eap_peer_sm_step_local (eap.c:1036)
==29288==    by 0x1A3E96: sm_EAP_Step (eap.c:1110)
==29288==    by 0x1A3E96: eap_peer_sm_step (eap.c:2004)
==29288==    by 0x1A0BA0: eapol_sm_step (eapol_supp_sm.c:961)
==29288==    by 0x1A1793: eapol_sm_rx_eapol (eapol_supp_sm.c:1346)
==29288==  Block was alloc'd at
==29288==    at 0x4C2DB8D: malloc (vg_replace_malloc.c:299)
==29288==    by 0x82EF4A7: pkcs11_init_key.isra.0 (p11_key.c:471)
==29288==    by 0x82F01B5: UnknownInlinedFun (p11_key.c:422)
==29288==    by 0x82F01B5: pkcs11_find_keys (p11_key.c:400)
==29288==    by 0x82F01B5: pkcs11_enumerate_keys (p11_key.c:362)
==29288==    by 0x82EC3D9: pkcs11_load_key (eng_back.c:767)
==29288==    by 0x82ECD9B: pkcs11_load_private_key (eng_back.c:841)
==29288==    by 0x5A098CE: ENGINE_load_private_key (in /usr/lib64/libcrypto.so.1.1.0c)
==29288==    by 0x1DB656: tls_engine_init (tls_openssl.c:1155)
==29288==    by 0x1DB656: tls_connection_set_params (tls_openssl.c:3999)
==29288==    by 0x1D6579: eap_tls_init_connection (eap_tls_common.c:210)
==29288==    by 0x1D6579: eap_peer_tls_ssl_init (eap_tls_common.c:269)
==29288==    by 0x17070F: eap_tls_init (eap_tls.c:51)
==29288==    by 0x1A3E96: sm_EAP_GET_METHOD_Enter (eap.c:331)
==29288==    by 0x1A3E96: eap_peer_sm_step_received (eap.c:1006)
==29288==    by 0x1A3E96: eap_peer_sm_step_local (eap.c:1036)
==29288==    by 0x1A3E96: sm_EAP_Step (eap.c:1110)
==29288==    by 0x1A3E96: eap_peer_sm_step (eap.c:2004)
==29288==    by 0x1A0BA0: eapol_sm_step (eapol_supp_sm.c:961)
==29288==    by 0x1A1793: eapol_sm_rx_eapol (eapol_supp_sm.c:1346)
==29288== 
==29288== Invalid read of size 8
==29288==    at 0x82F0D61: pkcs11_private_encrypt (p11_rsa.c:82)
==29288==    by 0x5A64337: RSA_sign (in /usr/lib64/libcrypto.so.1.1.0c)
==29288==    by 0x5A632EC: ??? (in /usr/lib64/libcrypto.so.1.1.0c)
==29288==    by 0x5A2403C: EVP_SignFinal (in /usr/lib64/libcrypto.so.1.1.0c)
==29288==    by 0x56A7BC0: ??? (in /usr/lib64/libssl.so.1.1.0c)
==29288==    by 0x56A4265: ??? (in /usr/lib64/libssl.so.1.1.0c)
==29288==    by 0x569C6E0: SSL_do_handshake (in /usr/lib64/libssl.so.1.1.0c)
==29288==    by 0x1D9253: openssl_handshake (tls_openssl.c:3277)
==29288==    by 0x1D9253: openssl_connection_handshake (tls_openssl.c:3368)
==29288==    by 0x1D6AEB: eap_tls_process_input (eap_tls_common.c:515)
==29288==    by 0x1D6AEB: eap_peer_tls_process_helper (eap_tls_common.c:663)
==29288==    by 0x170940: eap_tls_process (eap_tls.c:261)
==29288==    by 0x1A2A62: sm_EAP_METHOD_Enter.constprop.25 (eap.c:676)
==29288==    by 0x1A32CB: eap_peer_sm_step_received (eap.c:1010)
==29288==    by 0x1A32CB: eap_peer_sm_step_local (eap.c:1036)
==29288==    by 0x1A32CB: sm_EAP_Step (eap.c:1110)
==29288==    by 0x1A32CB: eap_peer_sm_step (eap.c:2004)
==29288==  Address 0xa3f18d8 is 40 bytes inside a block of size 48 free'd
==29288==    at 0x4C2ED3A: free (vg_replace_malloc.c:530)
==29288==    by 0x82EFFD1: pkcs11_destroy_keys (p11_key.c:515)
==29288==    by 0x82F22F7: pkcs11_login (p11_slot.c:196)
==29288==    by 0x82ED3DF: pkcs11_load_cert (eng_back.c:442)
==29288==    by 0x82ED3DF: ctrl_load_cert (eng_back.c:495)
==29288==    by 0x82ED3DF: pkcs11_engine_ctrl (eng_back.c:917)
==29288==    by 0x5A06E08: ENGINE_ctrl_cmd (in /usr/lib64/libcrypto.so.1.1.0c)
==29288==    by 0x1D95E2: tls_engine_get_cert.isra.10 (tls_openssl.c:2641)
==29288==    by 0x1DB81D: tls_connection_engine_client_cert (tls_openssl.c:2669)
==29288==    by 0x1DB81D: tls_connection_set_params (tls_openssl.c:4021)
==29288==    by 0x1D6579: eap_tls_init_connection (eap_tls_common.c:210)
==29288==    by 0x1D6579: eap_peer_tls_ssl_init (eap_tls_common.c:269)
==29288==    by 0x17070F: eap_tls_init (eap_tls.c:51)
==29288==    by 0x1A3E96: sm_EAP_GET_METHOD_Enter (eap.c:331)
==29288==    by 0x1A3E96: eap_peer_sm_step_received (eap.c:1006)
==29288==    by 0x1A3E96: eap_peer_sm_step_local (eap.c:1036)
==29288==    by 0x1A3E96: sm_EAP_Step (eap.c:1110)
==29288==    by 0x1A3E96: eap_peer_sm_step (eap.c:2004)
==29288==    by 0x1A0BA0: eapol_sm_step (eapol_supp_sm.c:961)
==29288==    by 0x1A1793: eapol_sm_rx_eapol (eapol_supp_sm.c:1346)
==29288==  Block was alloc'd at
==29288==    at 0x4C2DB8D: malloc (vg_replace_malloc.c:299)
==29288==    by 0x82EF43F: pkcs11_init_key.isra.0 (p11_key.c:461)
==29288==    by 0x82F01B5: UnknownInlinedFun (p11_key.c:422)
==29288==    by 0x82F01B5: pkcs11_find_keys (p11_key.c:400)
==29288==    by 0x82F01B5: pkcs11_enumerate_keys (p11_key.c:362)
==29288==    by 0x82EC3D9: pkcs11_load_key (eng_back.c:767)
==29288==    by 0x82ECD9B: pkcs11_load_private_key (eng_back.c:841)
==29288==    by 0x5A098CE: ENGINE_load_private_key (in /usr/lib64/libcrypto.so.1.1.0c)
==29288==    by 0x1DB656: tls_engine_init (tls_openssl.c:1155)
==29288==    by 0x1DB656: tls_connection_set_params (tls_openssl.c:3999)
==29288==    by 0x1D6579: eap_tls_init_connection (eap_tls_common.c:210)
==29288==    by 0x1D6579: eap_peer_tls_ssl_init (eap_tls_common.c:269)
==29288==    by 0x17070F: eap_tls_init (eap_tls.c:51)
==29288==    by 0x1A3E96: sm_EAP_GET_METHOD_Enter (eap.c:331)
==29288==    by 0x1A3E96: eap_peer_sm_step_received (eap.c:1006)
==29288==    by 0x1A3E96: eap_peer_sm_step_local (eap.c:1036)
==29288==    by 0x1A3E96: sm_EAP_Step (eap.c:1110)
==29288==    by 0x1A3E96: eap_peer_sm_step (eap.c:2004)
==29288==    by 0x1A0BA0: eapol_sm_step (eapol_supp_sm.c:961)
==29288==    by 0x1A1793: eapol_sm_rx_eapol (eapol_supp_sm.c:1346)
==29288== 
==29288== Invalid read of size 8
==29288==    at 0x82F0D81: pkcs11_private_encrypt (p11_rsa.c:82)
==29288==    by 0x5A64337: RSA_sign (in /usr/lib64/libcrypto.so.1.1.0c)
==29288==    by 0x5A632EC: ??? (in /usr/lib64/libcrypto.so.1.1.0c)
==29288==    by 0x5A2403C: EVP_SignFinal (in /usr/lib64/libcrypto.so.1.1.0c)
==29288==    by 0x56A7BC0: ??? (in /usr/lib64/libssl.so.1.1.0c)
==29288==    by 0x56A4265: ??? (in /usr/lib64/libssl.so.1.1.0c)
==29288==    by 0x569C6E0: SSL_do_handshake (in /usr/lib64/libssl.so.1.1.0c)
==29288==    by 0x1D9253: openssl_handshake (tls_openssl.c:3277)
==29288==    by 0x1D9253: openssl_connection_handshake (tls_openssl.c:3368)
==29288==    by 0x1D6AEB: eap_tls_process_input (eap_tls_common.c:515)
==29288==    by 0x1D6AEB: eap_peer_tls_process_helper (eap_tls_common.c:663)
==29288==    by 0x170940: eap_tls_process (eap_tls.c:261)
==29288==    by 0x1A2A62: sm_EAP_METHOD_Enter.constprop.25 (eap.c:676)
==29288==    by 0x1A32CB: eap_peer_sm_step_received (eap.c:1010)
==29288==    by 0x1A32CB: eap_peer_sm_step_local (eap.c:1036)
==29288==    by 0x1A32CB: sm_EAP_Step (eap.c:1110)
==29288==    by 0x1A32CB: eap_peer_sm_step (eap.c:2004)
==29288==  Address 0xa3f1920 is 0 bytes inside a block of size 296 free'd
==29288==    at 0x4C2ED3A: free (vg_replace_malloc.c:530)
==29288==    by 0x82EFFFC: pkcs11_destroy_keys (p11_key.c:512)
==29288==    by 0x82F22F7: pkcs11_login (p11_slot.c:196)
==29288==    by 0x82ED3DF: pkcs11_load_cert (eng_back.c:442)
==29288==    by 0x82ED3DF: ctrl_load_cert (eng_back.c:495)
==29288==    by 0x82ED3DF: pkcs11_engine_ctrl (eng_back.c:917)
==29288==    by 0x5A06E08: ENGINE_ctrl_cmd (in /usr/lib64/libcrypto.so.1.1.0c)
==29288==    by 0x1D95E2: tls_engine_get_cert.isra.10 (tls_openssl.c:2641)
==29288==    by 0x1DB81D: tls_connection_engine_client_cert (tls_openssl.c:2669)
==29288==    by 0x1DB81D: tls_connection_set_params (tls_openssl.c:4021)
==29288==    by 0x1D6579: eap_tls_init_connection (eap_tls_common.c:210)
==29288==    by 0x1D6579: eap_peer_tls_ssl_init (eap_tls_common.c:269)
==29288==    by 0x17070F: eap_tls_init (eap_tls.c:51)
==29288==    by 0x1A3E96: sm_EAP_GET_METHOD_Enter (eap.c:331)
==29288==    by 0x1A3E96: eap_peer_sm_step_received (eap.c:1006)
==29288==    by 0x1A3E96: eap_peer_sm_step_local (eap.c:1036)
==29288==    by 0x1A3E96: sm_EAP_Step (eap.c:1110)
==29288==    by 0x1A3E96: eap_peer_sm_step (eap.c:2004)
==29288==    by 0x1A0BA0: eapol_sm_step (eapol_supp_sm.c:961)
==29288==    by 0x1A1793: eapol_sm_rx_eapol (eapol_supp_sm.c:1346)
==29288==  Block was alloc'd at
==29288==    at 0x4C2DB8D: malloc (vg_replace_malloc.c:299)
==29288==    by 0x82EF4A7: pkcs11_init_key.isra.0 (p11_key.c:471)
==29288==    by 0x82F01B5: UnknownInlinedFun (p11_key.c:422)
==29288==    by 0x82F01B5: pkcs11_find_keys (p11_key.c:400)
==29288==    by 0x82F01B5: pkcs11_enumerate_keys (p11_key.c:362)
==29288==    by 0x82EC3D9: pkcs11_load_key (eng_back.c:767)
==29288==    by 0x82ECD9B: pkcs11_load_private_key (eng_back.c:841)
==29288==    by 0x5A098CE: ENGINE_load_private_key (in /usr/lib64/libcrypto.so.1.1.0c)
==29288==    by 0x1DB656: tls_engine_init (tls_openssl.c:1155)
==29288==    by 0x1DB656: tls_connection_set_params (tls_openssl.c:3999)
==29288==    by 0x1D6579: eap_tls_init_connection (eap_tls_common.c:210)
==29288==    by 0x1D6579: eap_peer_tls_ssl_init (eap_tls_common.c:269)
==29288==    by 0x17070F: eap_tls_init (eap_tls.c:51)
==29288==    by 0x1A3E96: sm_EAP_GET_METHOD_Enter (eap.c:331)
==29288==    by 0x1A3E96: eap_peer_sm_step_received (eap.c:1006)
==29288==    by 0x1A3E96: eap_peer_sm_step_local (eap.c:1036)
==29288==    by 0x1A3E96: sm_EAP_Step (eap.c:1110)
==29288==    by 0x1A3E96: eap_peer_sm_step (eap.c:2004)
==29288==    by 0x1A0BA0: eapol_sm_step (eapol_supp_sm.c:961)
==29288==    by 0x1A1793: eapol_sm_rx_eapol (eapol_supp_sm.c:1346)
==29288== 
==29288== Invalid read of size 1
==29288==    at 0x82F0884: pkcs11_rsa (p11_rsa.c:38)
==29288==    by 0x82F0D28: pkcs11_get_key_size (p11_rsa.c:304)
==29288==    by 0x82F0DA6: pkcs11_private_encrypt (p11_rsa.c:90)
==29288==    by 0x5A64337: RSA_sign (in /usr/lib64/libcrypto.so.1.1.0c)
==29288==    by 0x5A632EC: ??? (in /usr/lib64/libcrypto.so.1.1.0c)
==29288==    by 0x5A2403C: EVP_SignFinal (in /usr/lib64/libcrypto.so.1.1.0c)
==29288==    by 0x56A7BC0: ??? (in /usr/lib64/libssl.so.1.1.0c)
==29288==    by 0x56A4265: ??? (in /usr/lib64/libssl.so.1.1.0c)
==29288==    by 0x569C6E0: SSL_do_handshake (in /usr/lib64/libssl.so.1.1.0c)
==29288==    by 0x1D9253: openssl_handshake (tls_openssl.c:3277)
==29288==    by 0x1D9253: openssl_connection_handshake (tls_openssl.c:3368)
==29288==    by 0x1D6AEB: eap_tls_process_input (eap_tls_common.c:515)
==29288==    by 0x1D6AEB: eap_peer_tls_process_helper (eap_tls_common.c:663)
==29288==    by 0x170940: eap_tls_process (eap_tls.c:261)
==29288==  Address 0xa3f18c8 is 24 bytes inside a block of size 48 free'd
==29288==    at 0x4C2ED3A: free (vg_replace_malloc.c:530)
==29288==    by 0x82EFFD1: pkcs11_destroy_keys (p11_key.c:515)
==29288==    by 0x82F22F7: pkcs11_login (p11_slot.c:196)
==29288==    by 0x82ED3DF: pkcs11_load_cert (eng_back.c:442)
==29288==    by 0x82ED3DF: ctrl_load_cert (eng_back.c:495)
==29288==    by 0x82ED3DF: pkcs11_engine_ctrl (eng_back.c:917)
==29288==    by 0x5A06E08: ENGINE_ctrl_cmd (in /usr/lib64/libcrypto.so.1.1.0c)
==29288==    by 0x1D95E2: tls_engine_get_cert.isra.10 (tls_openssl.c:2641)
==29288==    by 0x1DB81D: tls_connection_engine_client_cert (tls_openssl.c:2669)
==29288==    by 0x1DB81D: tls_connection_set_params (tls_openssl.c:4021)
==29288==    by 0x1D6579: eap_tls_init_connection (eap_tls_common.c:210)
==29288==    by 0x1D6579: eap_peer_tls_ssl_init (eap_tls_common.c:269)
==29288==    by 0x17070F: eap_tls_init (eap_tls.c:51)
==29288==    by 0x1A3E96: sm_EAP_GET_METHOD_Enter (eap.c:331)
==29288==    by 0x1A3E96: eap_peer_sm_step_received (eap.c:1006)
==29288==    by 0x1A3E96: eap_peer_sm_step_local (eap.c:1036)
==29288==    by 0x1A3E96: sm_EAP_Step (eap.c:1110)
==29288==    by 0x1A3E96: eap_peer_sm_step (eap.c:2004)
==29288==    by 0x1A0BA0: eapol_sm_step (eapol_supp_sm.c:961)
==29288==    by 0x1A1793: eapol_sm_rx_eapol (eapol_supp_sm.c:1346)
==29288==  Block was alloc'd at
==29288==    at 0x4C2DB8D: malloc (vg_replace_malloc.c:299)
==29288==    by 0x82EF43F: pkcs11_init_key.isra.0 (p11_key.c:461)
==29288==    by 0x82F01B5: UnknownInlinedFun (p11_key.c:422)
==29288==    by 0x82F01B5: pkcs11_find_keys (p11_key.c:400)
==29288==    by 0x82F01B5: pkcs11_enumerate_keys (p11_key.c:362)
==29288==    by 0x82EC3D9: pkcs11_load_key (eng_back.c:767)
==29288==    by 0x82ECD9B: pkcs11_load_private_key (eng_back.c:841)
==29288==    by 0x5A098CE: ENGINE_load_private_key (in /usr/lib64/libcrypto.so.1.1.0c)
==29288==    by 0x1DB656: tls_engine_init (tls_openssl.c:1155)
==29288==    by 0x1DB656: tls_connection_set_params (tls_openssl.c:3999)
==29288==    by 0x1D6579: eap_tls_init_connection (eap_tls_common.c:210)
==29288==    by 0x1D6579: eap_peer_tls_ssl_init (eap_tls_common.c:269)
==29288==    by 0x17070F: eap_tls_init (eap_tls.c:51)
==29288==    by 0x1A3E96: sm_EAP_GET_METHOD_Enter (eap.c:331)
==29288==    by 0x1A3E96: eap_peer_sm_step_received (eap.c:1006)
==29288==    by 0x1A3E96: eap_peer_sm_step_local (eap.c:1036)
==29288==    by 0x1A3E96: sm_EAP_Step (eap.c:1110)
==29288==    by 0x1A3E96: eap_peer_sm_step (eap.c:2004)
==29288==    by 0x1A0BA0: eapol_sm_step (eapol_supp_sm.c:961)
==29288==    by 0x1A1793: eapol_sm_rx_eapol (eapol_supp_sm.c:1346)
==29288== 
==29288== Invalid read of size 1
==29288==    at 0x82F0346: pkcs11_get_key (p11_key.c:296)
==29288==    by 0x82F088C: pkcs11_rsa (p11_rsa.c:38)
==29288==    by 0x82F0D28: pkcs11_get_key_size (p11_rsa.c:304)
==29288==    by 0x82F0DA6: pkcs11_private_encrypt (p11_rsa.c:90)
==29288==    by 0x5A64337: RSA_sign (in /usr/lib64/libcrypto.so.1.1.0c)
==29288==    by 0x5A632EC: ??? (in /usr/lib64/libcrypto.so.1.1.0c)
==29288==    by 0x5A2403C: EVP_SignFinal (in /usr/lib64/libcrypto.so.1.1.0c)
==29288==    by 0x56A7BC0: ??? (in /usr/lib64/libssl.so.1.1.0c)
==29288==    by 0x56A4265: ??? (in /usr/lib64/libssl.so.1.1.0c)
==29288==    by 0x569C6E0: SSL_do_handshake (in /usr/lib64/libssl.so.1.1.0c)
==29288==    by 0x1D9253: openssl_handshake (tls_openssl.c:3277)
==29288==    by 0x1D9253: openssl_connection_handshake (tls_openssl.c:3368)
==29288==    by 0x1D6AEB: eap_tls_process_input (eap_tls_common.c:515)
==29288==    by 0x1D6AEB: eap_peer_tls_process_helper (eap_tls_common.c:663)
==29288==  Address 0xa3f18c8 is 24 bytes inside a block of size 48 free'd
==29288==    at 0x4C2ED3A: free (vg_replace_malloc.c:530)
==29288==    by 0x82EFFD1: pkcs11_destroy_keys (p11_key.c:515)
==29288==    by 0x82F22F7: pkcs11_login (p11_slot.c:196)
==29288==    by 0x82ED3DF: pkcs11_load_cert (eng_back.c:442)
==29288==    by 0x82ED3DF: ctrl_load_cert (eng_back.c:495)
==29288==    by 0x82ED3DF: pkcs11_engine_ctrl (eng_back.c:917)
==29288==    by 0x5A06E08: ENGINE_ctrl_cmd (in /usr/lib64/libcrypto.so.1.1.0c)
==29288==    by 0x1D95E2: tls_engine_get_cert.isra.10 (tls_openssl.c:2641)
==29288==    by 0x1DB81D: tls_connection_engine_client_cert (tls_openssl.c:2669)
==29288==    by 0x1DB81D: tls_connection_set_params (tls_openssl.c:4021)
==29288==    by 0x1D6579: eap_tls_init_connection (eap_tls_common.c:210)
==29288==    by 0x1D6579: eap_peer_tls_ssl_init (eap_tls_common.c:269)
==29288==    by 0x17070F: eap_tls_init (eap_tls.c:51)
==29288==    by 0x1A3E96: sm_EAP_GET_METHOD_Enter (eap.c:331)
==29288==    by 0x1A3E96: eap_peer_sm_step_received (eap.c:1006)
==29288==    by 0x1A3E96: eap_peer_sm_step_local (eap.c:1036)
==29288==    by 0x1A3E96: sm_EAP_Step (eap.c:1110)
==29288==    by 0x1A3E96: eap_peer_sm_step (eap.c:2004)
==29288==    by 0x1A0BA0: eapol_sm_step (eapol_supp_sm.c:961)
==29288==    by 0x1A1793: eapol_sm_rx_eapol (eapol_supp_sm.c:1346)
==29288==  Block was alloc'd at
==29288==    at 0x4C2DB8D: malloc (vg_replace_malloc.c:299)
==29288==    by 0x82EF43F: pkcs11_init_key.isra.0 (p11_key.c:461)
==29288==    by 0x82F01B5: UnknownInlinedFun (p11_key.c:422)
==29288==    by 0x82F01B5: pkcs11_find_keys (p11_key.c:400)
==29288==    by 0x82F01B5: pkcs11_enumerate_keys (p11_key.c:362)
==29288==    by 0x82EC3D9: pkcs11_load_key (eng_back.c:767)
==29288==    by 0x82ECD9B: pkcs11_load_private_key (eng_back.c:841)
==29288==    by 0x5A098CE: ENGINE_load_private_key (in /usr/lib64/libcrypto.so.1.1.0c)
==29288==    by 0x1DB656: tls_engine_init (tls_openssl.c:1155)
==29288==    by 0x1DB656: tls_connection_set_params (tls_openssl.c:3999)
==29288==    by 0x1D6579: eap_tls_init_connection (eap_tls_common.c:210)
==29288==    by 0x1D6579: eap_peer_tls_ssl_init (eap_tls_common.c:269)
==29288==    by 0x17070F: eap_tls_init (eap_tls.c:51)
==29288==    by 0x1A3E96: sm_EAP_GET_METHOD_Enter (eap.c:331)
==29288==    by 0x1A3E96: eap_peer_sm_step_received (eap.c:1006)
==29288==    by 0x1A3E96: eap_peer_sm_step_local (eap.c:1036)
==29288==    by 0x1A3E96: sm_EAP_Step (eap.c:1110)
==29288==    by 0x1A3E96: eap_peer_sm_step (eap.c:2004)
==29288==    by 0x1A0BA0: eapol_sm_step (eapol_supp_sm.c:961)
==29288==    by 0x1A1793: eapol_sm_rx_eapol (eapol_supp_sm.c:1346)
==29288== 
==29288== Invalid read of size 8
==29288==    at 0x82F035E: pkcs11_get_key (p11_key.c:300)
==29288==    by 0x82F088C: pkcs11_rsa (p11_rsa.c:38)
==29288==    by 0x82F0D28: pkcs11_get_key_size (p11_rsa.c:304)
==29288==    by 0x82F0DA6: pkcs11_private_encrypt (p11_rsa.c:90)
==29288==    by 0x5A64337: RSA_sign (in /usr/lib64/libcrypto.so.1.1.0c)
==29288==    by 0x5A632EC: ??? (in /usr/lib64/libcrypto.so.1.1.0c)
==29288==    by 0x5A2403C: EVP_SignFinal (in /usr/lib64/libcrypto.so.1.1.0c)
==29288==    by 0x56A7BC0: ??? (in /usr/lib64/libssl.so.1.1.0c)
==29288==    by 0x56A4265: ??? (in /usr/lib64/libssl.so.1.1.0c)
==29288==    by 0x569C6E0: SSL_do_handshake (in /usr/lib64/libssl.so.1.1.0c)
==29288==    by 0x1D9253: openssl_handshake (tls_openssl.c:3277)
==29288==    by 0x1D9253: openssl_connection_handshake (tls_openssl.c:3368)
==29288==    by 0x1D6AEB: eap_tls_process_input (eap_tls_common.c:515)
==29288==    by 0x1D6AEB: eap_peer_tls_process_helper (eap_tls_common.c:663)
==29288==  Address 0xa3f18d0 is 32 bytes inside a block of size 48 free'd
==29288==    at 0x4C2ED3A: free (vg_replace_malloc.c:530)
==29288==    by 0x82EFFD1: pkcs11_destroy_keys (p11_key.c:515)
==29288==    by 0x82F22F7: pkcs11_login (p11_slot.c:196)
==29288==    by 0x82ED3DF: pkcs11_load_cert (eng_back.c:442)
==29288==    by 0x82ED3DF: ctrl_load_cert (eng_back.c:495)
==29288==    by 0x82ED3DF: pkcs11_engine_ctrl (eng_back.c:917)
==29288==    by 0x5A06E08: ENGINE_ctrl_cmd (in /usr/lib64/libcrypto.so.1.1.0c)
==29288==    by 0x1D95E2: tls_engine_get_cert.isra.10 (tls_openssl.c:2641)
==29288==    by 0x1DB81D: tls_connection_engine_client_cert (tls_openssl.c:2669)
==29288==    by 0x1DB81D: tls_connection_set_params (tls_openssl.c:4021)
==29288==    by 0x1D6579: eap_tls_init_connection (eap_tls_common.c:210)
==29288==    by 0x1D6579: eap_peer_tls_ssl_init (eap_tls_common.c:269)
==29288==    by 0x17070F: eap_tls_init (eap_tls.c:51)
==29288==    by 0x1A3E96: sm_EAP_GET_METHOD_Enter (eap.c:331)
==29288==    by 0x1A3E96: eap_peer_sm_step_received (eap.c:1006)
==29288==    by 0x1A3E96: eap_peer_sm_step_local (eap.c:1036)
==29288==    by 0x1A3E96: sm_EAP_Step (eap.c:1110)
==29288==    by 0x1A3E96: eap_peer_sm_step (eap.c:2004)
==29288==    by 0x1A0BA0: eapol_sm_step (eapol_supp_sm.c:961)
==29288==    by 0x1A1793: eapol_sm_rx_eapol (eapol_supp_sm.c:1346)
==29288==  Block was alloc'd at
==29288==    at 0x4C2DB8D: malloc (vg_replace_malloc.c:299)
==29288==    by 0x82EF43F: pkcs11_init_key.isra.0 (p11_key.c:461)
==29288==    by 0x82F01B5: UnknownInlinedFun (p11_key.c:422)
==29288==    by 0x82F01B5: pkcs11_find_keys (p11_key.c:400)
==29288==    by 0x82F01B5: pkcs11_enumerate_keys (p11_key.c:362)
==29288==    by 0x82EC3D9: pkcs11_load_key (eng_back.c:767)
==29288==    by 0x82ECD9B: pkcs11_load_private_key (eng_back.c:841)
==29288==    by 0x5A098CE: ENGINE_load_private_key (in /usr/lib64/libcrypto.so.1.1.0c)
==29288==    by 0x1DB656: tls_engine_init (tls_openssl.c:1155)
==29288==    by 0x1DB656: tls_connection_set_params (tls_openssl.c:3999)
==29288==    by 0x1D6579: eap_tls_init_connection (eap_tls_common.c:210)
==29288==    by 0x1D6579: eap_peer_tls_ssl_init (eap_tls_common.c:269)
==29288==    by 0x17070F: eap_tls_init (eap_tls.c:51)
==29288==    by 0x1A3E96: sm_EAP_GET_METHOD_Enter (eap.c:331)
==29288==    by 0x1A3E96: eap_peer_sm_step_received (eap.c:1006)
==29288==    by 0x1A3E96: eap_peer_sm_step_local (eap.c:1036)
==29288==    by 0x1A3E96: sm_EAP_Step (eap.c:1110)
==29288==    by 0x1A3E96: eap_peer_sm_step (eap.c:2004)
==29288==    by 0x1A0BA0: eapol_sm_step (eapol_supp_sm.c:961)
==29288==    by 0x1A1793: eapol_sm_rx_eapol (eapol_supp_sm.c:1346)
==29288== 
==29288== Invalid read of size 8
==29288==    at 0x82F036C: pkcs11_get_key (p11_key.c:317)
==29288==    by 0x82F088C: pkcs11_rsa (p11_rsa.c:38)
==29288==    by 0x82F0D28: pkcs11_get_key_size (p11_rsa.c:304)
==29288==    by 0x82F0DA6: pkcs11_private_encrypt (p11_rsa.c:90)
==29288==    by 0x5A64337: RSA_sign (in /usr/lib64/libcrypto.so.1.1.0c)
==29288==    by 0x5A632EC: ??? (in /usr/lib64/libcrypto.so.1.1.0c)
==29288==    by 0x5A2403C: EVP_SignFinal (in /usr/lib64/libcrypto.so.1.1.0c)
==29288==    by 0x56A7BC0: ??? (in /usr/lib64/libssl.so.1.1.0c)
==29288==    by 0x56A4265: ??? (in /usr/lib64/libssl.so.1.1.0c)
==29288==    by 0x569C6E0: SSL_do_handshake (in /usr/lib64/libssl.so.1.1.0c)
==29288==    by 0x1D9253: openssl_handshake (tls_openssl.c:3277)
==29288==    by 0x1D9253: openssl_connection_handshake (tls_openssl.c:3368)
==29288==    by 0x1D6AEB: eap_tls_process_input (eap_tls_common.c:515)
==29288==    by 0x1D6AEB: eap_peer_tls_process_helper (eap_tls_common.c:663)
==29288==  Address 0xa3f18d0 is 32 bytes inside a block of size 48 free'd
==29288==    at 0x4C2ED3A: free (vg_replace_malloc.c:530)
==29288==    by 0x82EFFD1: pkcs11_destroy_keys (p11_key.c:515)
==29288==    by 0x82F22F7: pkcs11_login (p11_slot.c:196)
==29288==    by 0x82ED3DF: pkcs11_load_cert (eng_back.c:442)
==29288==    by 0x82ED3DF: ctrl_load_cert (eng_back.c:495)
==29288==    by 0x82ED3DF: pkcs11_engine_ctrl (eng_back.c:917)
==29288==    by 0x5A06E08: ENGINE_ctrl_cmd (in /usr/lib64/libcrypto.so.1.1.0c)
==29288==    by 0x1D95E2: tls_engine_get_cert.isra.10 (tls_openssl.c:2641)
==29288==    by 0x1DB81D: tls_connection_engine_client_cert (tls_openssl.c:2669)
==29288==    by 0x1DB81D: tls_connection_set_params (tls_openssl.c:4021)
==29288==    by 0x1D6579: eap_tls_init_connection (eap_tls_common.c:210)
==29288==    by 0x1D6579: eap_peer_tls_ssl_init (eap_tls_common.c:269)
==29288==    by 0x17070F: eap_tls_init (eap_tls.c:51)
==29288==    by 0x1A3E96: sm_EAP_GET_METHOD_Enter (eap.c:331)
==29288==    by 0x1A3E96: eap_peer_sm_step_received (eap.c:1006)
==29288==    by 0x1A3E96: eap_peer_sm_step_local (eap.c:1036)
==29288==    by 0x1A3E96: sm_EAP_Step (eap.c:1110)
==29288==    by 0x1A3E96: eap_peer_sm_step (eap.c:2004)
==29288==    by 0x1A0BA0: eapol_sm_step (eapol_supp_sm.c:961)
==29288==    by 0x1A1793: eapol_sm_rx_eapol (eapol_supp_sm.c:1346)
==29288==  Block was alloc'd at
==29288==    at 0x4C2DB8D: malloc (vg_replace_malloc.c:299)
==29288==    by 0x82EF43F: pkcs11_init_key.isra.0 (p11_key.c:461)
==29288==    by 0x82F01B5: UnknownInlinedFun (p11_key.c:422)
==29288==    by 0x82F01B5: pkcs11_find_keys (p11_key.c:400)
==29288==    by 0x82F01B5: pkcs11_enumerate_keys (p11_key.c:362)
==29288==    by 0x82EC3D9: pkcs11_load_key (eng_back.c:767)
==29288==    by 0x82ECD9B: pkcs11_load_private_key (eng_back.c:841)
==29288==    by 0x5A098CE: ENGINE_load_private_key (in /usr/lib64/libcrypto.so.1.1.0c)
==29288==    by 0x1DB656: tls_engine_init (tls_openssl.c:1155)
==29288==    by 0x1DB656: tls_connection_set_params (tls_openssl.c:3999)
==29288==    by 0x1D6579: eap_tls_init_connection (eap_tls_common.c:210)
==29288==    by 0x1D6579: eap_peer_tls_ssl_init (eap_tls_common.c:269)
==29288==    by 0x17070F: eap_tls_init (eap_tls.c:51)
==29288==    by 0x1A3E96: sm_EAP_GET_METHOD_Enter (eap.c:331)
==29288==    by 0x1A3E96: eap_peer_sm_step_received (eap.c:1006)
==29288==    by 0x1A3E96: eap_peer_sm_step_local (eap.c:1036)
==29288==    by 0x1A3E96: sm_EAP_Step (eap.c:1110)
==29288==    by 0x1A3E96: eap_peer_sm_step (eap.c:2004)
==29288==    by 0x1A0BA0: eapol_sm_step (eapol_supp_sm.c:961)
==29288==    by 0x1A1793: eapol_sm_rx_eapol (eapol_supp_sm.c:1346)
==29288== 
==29288== Invalid read of size 8
==29288==    at 0x82F0DD7: pkcs11_private_encrypt (p11_rsa.c:97)
==29288==    by 0x5A64337: RSA_sign (in /usr/lib64/libcrypto.so.1.1.0c)
==29288==    by 0x5A632EC: ??? (in /usr/lib64/libcrypto.so.1.1.0c)
==29288==    by 0x5A2403C: EVP_SignFinal (in /usr/lib64/libcrypto.so.1.1.0c)
==29288==    by 0x56A7BC0: ??? (in /usr/lib64/libssl.so.1.1.0c)
==29288==    by 0x56A4265: ??? (in /usr/lib64/libssl.so.1.1.0c)
==29288==    by 0x569C6E0: SSL_do_handshake (in /usr/lib64/libssl.so.1.1.0c)
==29288==    by 0x1D9253: openssl_handshake (tls_openssl.c:3277)
==29288==    by 0x1D9253: openssl_connection_handshake (tls_openssl.c:3368)
==29288==    by 0x1D6AEB: eap_tls_process_input (eap_tls_common.c:515)
==29288==    by 0x1D6AEB: eap_peer_tls_process_helper (eap_tls_common.c:663)
==29288==    by 0x170940: eap_tls_process (eap_tls.c:261)
==29288==    by 0x1A2A62: sm_EAP_METHOD_Enter.constprop.25 (eap.c:676)
==29288==    by 0x1A32CB: eap_peer_sm_step_received (eap.c:1010)
==29288==    by 0x1A32CB: eap_peer_sm_step_local (eap.c:1036)
==29288==    by 0x1A32CB: sm_EAP_Step (eap.c:1110)
==29288==    by 0x1A32CB: eap_peer_sm_step (eap.c:2004)
==29288==  Address 0xa3f1928 is 8 bytes inside a block of size 296 free'd
==29288==    at 0x4C2ED3A: free (vg_replace_malloc.c:530)
==29288==    by 0x82EFFFC: pkcs11_destroy_keys (p11_key.c:512)
==29288==    by 0x82F22F7: pkcs11_login (p11_slot.c:196)
==29288==    by 0x82ED3DF: pkcs11_load_cert (eng_back.c:442)
==29288==    by 0x82ED3DF: ctrl_load_cert (eng_back.c:495)
==29288==    by 0x82ED3DF: pkcs11_engine_ctrl (eng_back.c:917)
==29288==    by 0x5A06E08: ENGINE_ctrl_cmd (in /usr/lib64/libcrypto.so.1.1.0c)
==29288==    by 0x1D95E2: tls_engine_get_cert.isra.10 (tls_openssl.c:2641)
==29288==    by 0x1DB81D: tls_connection_engine_client_cert (tls_openssl.c:2669)
==29288==    by 0x1DB81D: tls_connection_set_params (tls_openssl.c:4021)
==29288==    by 0x1D6579: eap_tls_init_connection (eap_tls_common.c:210)
==29288==    by 0x1D6579: eap_peer_tls_ssl_init (eap_tls_common.c:269)
==29288==    by 0x17070F: eap_tls_init (eap_tls.c:51)
==29288==    by 0x1A3E96: sm_EAP_GET_METHOD_Enter (eap.c:331)
==29288==    by 0x1A3E96: eap_peer_sm_step_received (eap.c:1006)
==29288==    by 0x1A3E96: eap_peer_sm_step_local (eap.c:1036)
==29288==    by 0x1A3E96: sm_EAP_Step (eap.c:1110)
==29288==    by 0x1A3E96: eap_peer_sm_step (eap.c:2004)
==29288==    by 0x1A0BA0: eapol_sm_step (eapol_supp_sm.c:961)
==29288==    by 0x1A1793: eapol_sm_rx_eapol (eapol_supp_sm.c:1346)
==29288==  Block was alloc'd at
==29288==    at 0x4C2DB8D: malloc (vg_replace_malloc.c:299)
==29288==    by 0x82EF4A7: pkcs11_init_key.isra.0 (p11_key.c:471)
==29288==    by 0x82F01B5: UnknownInlinedFun (p11_key.c:422)
==29288==    by 0x82F01B5: pkcs11_find_keys (p11_key.c:400)
==29288==    by 0x82F01B5: pkcs11_enumerate_keys (p11_key.c:362)
==29288==    by 0x82EC3D9: pkcs11_load_key (eng_back.c:767)
==29288==    by 0x82ECD9B: pkcs11_load_private_key (eng_back.c:841)
==29288==    by 0x5A098CE: ENGINE_load_private_key (in /usr/lib64/libcrypto.so.1.1.0c)
==29288==    by 0x1DB656: tls_engine_init (tls_openssl.c:1155)
==29288==    by 0x1DB656: tls_connection_set_params (tls_openssl.c:3999)
==29288==    by 0x1D6579: eap_tls_init_connection (eap_tls_common.c:210)
==29288==    by 0x1D6579: eap_peer_tls_ssl_init (eap_tls_common.c:269)
==29288==    by 0x17070F: eap_tls_init (eap_tls.c:51)
==29288==    by 0x1A3E96: sm_EAP_GET_METHOD_Enter (eap.c:331)
==29288==    by 0x1A3E96: eap_peer_sm_step_received (eap.c:1006)
==29288==    by 0x1A3E96: eap_peer_sm_step_local (eap.c:1036)
==29288==    by 0x1A3E96: sm_EAP_Step (eap.c:1110)
==29288==    by 0x1A3E96: eap_peer_sm_step (eap.c:2004)
==29288==    by 0x1A0BA0: eapol_sm_step (eapol_supp_sm.c:961)
==29288==    by 0x1A1793: eapol_sm_rx_eapol (eapol_supp_sm.c:1346)
==29288== 
SSL: (where=0x1002 ret=0xffffffff)
SSL: SSL_connect:error in SSLv3/TLS write certificate verify
OpenSSL: openssl_handshake - SSL_connect error:80009082:Vendor defined:PKCS11_rsa_encrypt:Object handle invalid
OpenSSL: pending error: error:14166006:SSL routines:tls_construct_client_verify:EVP lib
SSL: 0 bytes pending from ssl_out
SSL: Failed - tls_out available to report error (len=0)
EAP-TLS: TLS processing failed
SSL: Building ACK (type=13 id=94 ver=0)
EAP: method process -> ignore=FALSE methodState=DONE decision=FAIL eapRespData=0xa4d6ca0
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp

mtrojnar commented Jan 12, 2017

OpenSC/engine_pkcs11@091b78c causes LOAD_CERT_CTRL to free any previously allocated objects.

@mtrojnar mtrojnar added the bug label Jan 12, 2017
mtrojnar added a commit that referenced this issue Jan 12, 2017
This caused a state reset resulting in a use-after-free condition.
Addresses #141
@mtrojnar (Member)

This issue should be fixed now. Otherwise, please reopen it.
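
An added example, not part of the thread or of the project's code: a simplified C model of the lifetime problem in the valgrind trace, where a login triggered during certificate loading destroys the slot's cached key objects while the caller still holds a reference from the earlier private-key load. All type and function names are hypothetical, and the guarded variant with a generation check is one possible mitigation, not the project's actual fix.

```c
#include <stdlib.h>
#include <string.h>

/* Simplified model with hypothetical names; not libp11 or engine_pkcs11 code. */
typedef struct { char label[16]; } p11_key;
typedef struct {
    int logged_in;
    unsigned generation;  /* bumped each time cached objects are destroyed */
    p11_key *keys;        /* per-slot object cache (the freed blocks in the trace) */
} p11_slot;
typedef struct { p11_slot *slot; unsigned generation; } key_ref;

static void destroy_keys(p11_slot *s) {
    free(s->keys);
    s->keys = NULL;
    s->generation++;
}

/* A login resets slot state, which drops every cached object. */
static void slot_login(p11_slot *s) {
    destroy_keys(s);
    s->logged_in = 1;
}

static key_ref load_private_key(p11_slot *s, const char *label) {
    if (!s->logged_in) slot_login(s);
    if (!s->keys) s->keys = calloc(1, sizeof *s->keys);
    if (!s->keys) return (key_ref){ NULL, 0 };
    strncpy(s->keys[0].label, label, sizeof s->keys[0].label - 1);
    return (key_ref){ s, s->generation };
}

/* Pattern from the trace: the certificate load always logs in again. */
static void load_cert_forced(p11_slot *s) { slot_login(s); }
/* Guarded pattern: reuse the existing session and leave the cache alone. */
static void load_cert_guarded(p11_slot *s) { if (!s->logged_in) slot_login(s); }

/* Validate a handle before use instead of dereferencing freed memory. */
static int key_usable(const key_ref *r) {
    return r->slot && r->slot->keys && r->generation == r->slot->generation;
}

/* Returns 1 if the key loaded first is still usable after the cert load. */
int key_survives_cert_load(int forced) {
    p11_slot s = {0};
    key_ref k = load_private_key(&s, "client");
    if (forced) load_cert_forced(&s); else load_cert_guarded(&s);
    int ok = key_usable(&k);
    destroy_keys(&s);
    return ok;
}
```

The generation counter turns a stale handle into a detectable error; without it, the only symptom is the invalid read that valgrind reports later in the TLS handshake.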
