diff options
Diffstat (limited to 'source/n/wpa_supplicant/patches/Fix-openssl-1-1-private-key-callback.patch')
| -rw-r--r-- | source/n/wpa_supplicant/patches/Fix-openssl-1-1-private-key-callback.patch | 127 |
1 files changed, 0 insertions, 127 deletions
diff --git a/source/n/wpa_supplicant/patches/Fix-openssl-1-1-private-key-callback.patch b/source/n/wpa_supplicant/patches/Fix-openssl-1-1-private-key-callback.patch deleted file mode 100644 index bee574a5..00000000 --- a/source/n/wpa_supplicant/patches/Fix-openssl-1-1-private-key-callback.patch +++ /dev/null @@ -1,127 +0,0 @@ -From 25b37c54a47e49d591f5752bbf0f510480402cae Mon Sep 17 00:00:00 2001 -From: Beniamino Galvani <bgalvani@redhat.com> -Date: Sun, 9 Jul 2017 11:14:10 +0200 -Subject: [PATCH 1/2] OpenSSL: Fix private key password handling with OpenSSL - >= 1.1.0f - -Since OpenSSL version 1.1.0f, SSL_use_PrivateKey_file() uses the -callback from the SSL object instead of the one from the CTX, so let's -set the callback on both SSL and CTX. Note that -SSL_set_default_passwd_cb*() is available only in 1.1.0. - -Signed-off-by: Beniamino Galvani <bgalvani@redhat.com> -(cherry picked from commit f665c93e1d28fbab3d9127a8c3985cc32940824f) ---- - src/crypto/tls_openssl.c | 12 ++++++++++++ - 1 file changed, 12 insertions(+) - -diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c -index c4170b6..bceb8c3 100644 ---- a/src/crypto/tls_openssl.c -+++ b/src/crypto/tls_openssl.c -@@ -2779,6 +2779,15 @@ static int tls_connection_private_key(struct tls_data *data, - } else - passwd = NULL; - -+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) -+ /* -+ * In OpenSSL >= 1.1.0f SSL_use_PrivateKey_file() uses the callback -+ * from the SSL object. See OpenSSL commit d61461a75253. -+ */ -+ SSL_set_default_passwd_cb(conn->ssl, tls_passwd_cb); -+ SSL_set_default_passwd_cb_userdata(conn->ssl, passwd); -+#endif /* >= 1.1.0f && !LibreSSL */ -+ /* Keep these for OpenSSL < 1.1.0f */ - SSL_CTX_set_default_passwd_cb(ssl_ctx, tls_passwd_cb); - SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, passwd); - -@@ -2869,6 +2878,9 @@ static int tls_connection_private_key(struct tls_data *data, - return -1; - } - ERR_clear_error(); -+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) -+ SSL_set_default_passwd_cb(conn->ssl, NULL); -+#endif /* >= 1.1.0f && !LibreSSL */ - SSL_CTX_set_default_passwd_cb(ssl_ctx, NULL); - os_free(passwd); - --- -2.9.3 - -From b2887d6964a406eb5f88f4ad4e9764c468954382 Mon Sep 17 00:00:00 2001 -From: Jouni Malinen <j@w1.fi> -Date: Mon, 17 Jul 2017 12:06:17 +0300 -Subject: [PATCH 2/2] OpenSSL: Clear default_passwd_cb more thoroughly - -Previously, the pointer to strdup passwd was left in OpenSSL library -default_passwd_cb_userdata and even the default_passwd_cb was left set -on an error path. To avoid unexpected behavior if something were to -manage to use there pointers, clear them explicitly once done with -loading of the private key. - -Signed-off-by: Jouni Malinen <j@w1.fi> -(cherry picked from commit 89971d8b1e328a2f79699c953625d1671fd40384) ---- - src/crypto/tls_openssl.c | 22 +++++++++++++++++----- - 1 file changed, 17 insertions(+), 5 deletions(-) - -diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c -index bceb8c3..770af9e 100644 ---- a/src/crypto/tls_openssl.c -+++ b/src/crypto/tls_openssl.c -@@ -2758,6 +2758,19 @@ static int tls_connection_engine_private_key(struct tls_connection *conn) - } - - -+static void tls_clear_default_passwd_cb(SSL_CTX *ssl_ctx, SSL *ssl) -+{ -+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) -+ if (ssl) { -+ SSL_set_default_passwd_cb(ssl, NULL); -+ SSL_set_default_passwd_cb_userdata(ssl, NULL); -+ } -+#endif /* >= 1.1.0f && !LibreSSL */ -+ SSL_CTX_set_default_passwd_cb(ssl_ctx, NULL); -+ SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, NULL); -+} -+ -+ - static int tls_connection_private_key(struct tls_data *data, - struct tls_connection *conn, - const char *private_key, -@@ -2874,14 +2887,12 @@ static int tls_connection_private_key(struct tls_data *data, - if (!ok) { - tls_show_errors(MSG_INFO, __func__, - "Failed to load private key"); -+ tls_clear_default_passwd_cb(ssl_ctx, conn->ssl); - os_free(passwd); - return -1; - } - ERR_clear_error(); --#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) -- SSL_set_default_passwd_cb(conn->ssl, NULL); --#endif /* >= 1.1.0f && !LibreSSL */ -- SSL_CTX_set_default_passwd_cb(ssl_ctx, NULL); -+ tls_clear_default_passwd_cb(ssl_ctx, conn->ssl); - os_free(passwd); - - if (!SSL_check_private_key(conn->ssl)) { -@@ -2924,13 +2935,14 @@ static int tls_global_private_key(struct tls_data *data, - tls_read_pkcs12(data, NULL, private_key, passwd)) { - tls_show_errors(MSG_INFO, __func__, - "Failed to load private key"); -+ tls_clear_default_passwd_cb(ssl_ctx, NULL); - os_free(passwd); - ERR_clear_error(); - return -1; - } -+ tls_clear_default_passwd_cb(ssl_ctx, NULL); - os_free(passwd); - ERR_clear_error(); -- SSL_CTX_set_default_passwd_cb(ssl_ctx, NULL); - - if (!SSL_CTX_check_private_key(ssl_ctx)) { - tls_show_errors(MSG_INFO, __func__, --- -2.9.3 - |