[pkg-wpa-devel] Bug#827253: wpasupplicant: Please add upstream patch to fix pkcs11 OpenSSL engine initialization

Michael Schaller misch at google.com
Tue Jun 14 08:19:17 UTC 2016


Package: wpasupplicant
Version: 2.3-2.3
Severity: normal
Tags: upstream patch

Dear Maintainer,

A recent change to the libengine-pkcs11-openssl package changed the libpkcs11.so location and this finally enabled autoloading of the pkcs11 OpenSSL engine on Debian.
Commit: https://anonscm.debian.org/cgit/pkg-opensc/engine-pkcs11.git/commit/?id=0f9adff289380caf2887276d6e979871dbe174ba

This change revealed a bug in WPA Supplicant on loading OpenSSL engines which resulted in WPA Supplicant ignoring the specified module path on engine initialization if engine autoload succeeded.
This has the effect that the OpenSSL engine initialization succeeds but instead of using the specified module, like for instance opencryptoki, the p11-kit proxy module is used as it is the default.
In the WPA Supplicant logs this isn't obvious and the only noticeable difference is that it always logs that the engine is already initialized because the engine autoload succeeds.
Then later the actual usage of the expected key material fails as the wrong module is in use and this is the only user visible error in the log.
The log doesn't contain any indication though why the key material couldn't be used and hence it isn't obvious to the user that the wrong pkcs11 module was in use.

As this issue is hard to debug and the logs can be misleading I kindly ask to add this upstream patch for the time being to the package:
Patch: http://w1.fi/cgit/hostap/commit/?id=c3d7fb7e2724150950e1a1eac29460ea255811c3

Best,

Michael Schaller

PS: For more context see the discussion thread with the upstream developers: http://www.spinics.net/lists/hostap/msg01733.html
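
A diagnostic for the failure mode described in this report, as an added example that is not part of the original message or of wpa_supplicant: since the log does not say which PKCS#11 module is in use, the shared objects mapped into the process can be inspected instead. It assumes Linux `/proc`, that the proxy's file name is `p11-kit-proxy.so`, and uses hypothetical function names and constructed sample paths.

```shell
#!/bin/sh
# Added example. Reports which PKCS#11 module a process has mapped.
# Live use (Linux, needs read access to the process):
#   pkcs11_module_check "/proc/$(pidof wpa_supplicant)/maps" /path/to/module.so

# pkcs11_module_check MAPS_FILE EXPECTED_MODULE [PROXY_FILE_NAME]
# Prints one verdict:
#   expected    only the configured module is mapped
#   proxy-only  only the p11-kit proxy is mapped (the symptom in this report)
#   both        both are mapped; the proxy may itself have loaded the module
#   none        neither is mapped (engine not initialized yet, or other module)
pkcs11_module_check() {
    maps=$1
    expected=$2
    proxy_name=${3:-p11-kit-proxy.so}   # assumed default file name of the proxy
    has_expected=no
    has_proxy=no
    # Field 6 of a maps line is the backing file; anonymous mappings have none.
    for f in $(awk 'NF >= 6 && $6 ~ /^\// { print $6 }' "$maps" | sort -u); do
        if [ "$f" = "$expected" ]; then has_expected=yes; fi
        case $f in */"$proxy_name") has_proxy=yes ;; esac
    done
    case $has_expected/$has_proxy in
        yes/no)  echo expected ;;
        no/yes)  echo proxy-only ;;
        yes/yes) echo both ;;
        *)       echo none ;;
    esac
}

# Constructed sample: a maps excerpt of a process that loaded only the proxy.
# Paths are illustrative, not taken from the bug report.
sample_maps() {
    cat <<'EOF'
7f10a0000000-7f10a0021000 r-xp 00000000 08:01 1311 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
7f10a0400000-7f10a0410000 r-xp 00000000 08:01 1522 /usr/lib/x86_64-linux-gnu/p11-kit-proxy.so
7f10a0410000-7f10a0411000 rw-p 00010000 08:01 1522 /usr/lib/x86_64-linux-gnu/p11-kit-proxy.so
7f10a0800000-7f10a0821000 rw-p 00000000 00:00 0
EOF
}

tmp=$(mktemp)
sample_maps > "$tmp"
pkcs11_module_check "$tmp" /usr/lib/opencryptoki/libopencryptoki.so   # proxy-only
rm -f "$tmp"
```

A `both` verdict needs a look at the p11-kit configuration before drawing a conclusion, and paths containing spaces are not handled by this sketch.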


