summaryrefslogtreecommitdiff
path: root/source/n/wpa_supplicant/patches/Fix-openssl-1-1-private-key-callback.patch
diff options
context:
space:
mode:
Diffstat (limited to 'source/n/wpa_supplicant/patches/Fix-openssl-1-1-private-key-callback.patch')
-rw-r--r--source/n/wpa_supplicant/patches/Fix-openssl-1-1-private-key-callback.patch127
1 files changed, 0 insertions, 127 deletions
diff --git a/source/n/wpa_supplicant/patches/Fix-openssl-1-1-private-key-callback.patch b/source/n/wpa_supplicant/patches/Fix-openssl-1-1-private-key-callback.patch
deleted file mode 100644
index bee574a5..00000000
--- a/source/n/wpa_supplicant/patches/Fix-openssl-1-1-private-key-callback.patch
+++ /dev/null
@@ -1,127 +0,0 @@
-From 25b37c54a47e49d591f5752bbf0f510480402cae Mon Sep 17 00:00:00 2001
-From: Beniamino Galvani <bgalvani@redhat.com>
-Date: Sun, 9 Jul 2017 11:14:10 +0200
-Subject: [PATCH 1/2] OpenSSL: Fix private key password handling with OpenSSL
- >= 1.1.0f
-
-Since OpenSSL version 1.1.0f, SSL_use_PrivateKey_file() uses the
-callback from the SSL object instead of the one from the CTX, so let's
-set the callback on both SSL and CTX. Note that
-SSL_set_default_passwd_cb*() is available only in 1.1.0.
-
-Signed-off-by: Beniamino Galvani <bgalvani@redhat.com>
-(cherry picked from commit f665c93e1d28fbab3d9127a8c3985cc32940824f)
----
- src/crypto/tls_openssl.c | 12 ++++++++++++
- 1 file changed, 12 insertions(+)
-
-diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
-index c4170b6..bceb8c3 100644
---- a/src/crypto/tls_openssl.c
-+++ b/src/crypto/tls_openssl.c
-@@ -2779,6 +2779,15 @@ static int tls_connection_private_key(struct tls_data *data,
- } else
- passwd = NULL;
-
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
-+ /*
-+ * In OpenSSL >= 1.1.0f SSL_use_PrivateKey_file() uses the callback
-+ * from the SSL object. See OpenSSL commit d61461a75253.
-+ */
-+ SSL_set_default_passwd_cb(conn->ssl, tls_passwd_cb);
-+ SSL_set_default_passwd_cb_userdata(conn->ssl, passwd);
-+#endif /* >= 1.1.0f && !LibreSSL */
-+ /* Keep these for OpenSSL < 1.1.0f */
- SSL_CTX_set_default_passwd_cb(ssl_ctx, tls_passwd_cb);
- SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, passwd);
-
-@@ -2869,6 +2878,9 @@ static int tls_connection_private_key(struct tls_data *data,
- return -1;
- }
- ERR_clear_error();
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
-+ SSL_set_default_passwd_cb(conn->ssl, NULL);
-+#endif /* >= 1.1.0f && !LibreSSL */
- SSL_CTX_set_default_passwd_cb(ssl_ctx, NULL);
- os_free(passwd);
-
---
-2.9.3
-
-From b2887d6964a406eb5f88f4ad4e9764c468954382 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j@w1.fi>
-Date: Mon, 17 Jul 2017 12:06:17 +0300
-Subject: [PATCH 2/2] OpenSSL: Clear default_passwd_cb more thoroughly
-
-Previously, the pointer to strdup passwd was left in OpenSSL library
-default_passwd_cb_userdata and even the default_passwd_cb was left set
-on an error path. To avoid unexpected behavior if something were to
-manage to use there pointers, clear them explicitly once done with
-loading of the private key.
-
-Signed-off-by: Jouni Malinen <j@w1.fi>
-(cherry picked from commit 89971d8b1e328a2f79699c953625d1671fd40384)
----
- src/crypto/tls_openssl.c | 22 +++++++++++++++++-----
- 1 file changed, 17 insertions(+), 5 deletions(-)
-
-diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
-index bceb8c3..770af9e 100644
---- a/src/crypto/tls_openssl.c
-+++ b/src/crypto/tls_openssl.c
-@@ -2758,6 +2758,19 @@ static int tls_connection_engine_private_key(struct tls_connection *conn)
- }
-
-
-+static void tls_clear_default_passwd_cb(SSL_CTX *ssl_ctx, SSL *ssl)
-+{
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
-+ if (ssl) {
-+ SSL_set_default_passwd_cb(ssl, NULL);
-+ SSL_set_default_passwd_cb_userdata(ssl, NULL);
-+ }
-+#endif /* >= 1.1.0f && !LibreSSL */
-+ SSL_CTX_set_default_passwd_cb(ssl_ctx, NULL);
-+ SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, NULL);
-+}
-+
-+
- static int tls_connection_private_key(struct tls_data *data,
- struct tls_connection *conn,
- const char *private_key,
-@@ -2874,14 +2887,12 @@ static int tls_connection_private_key(struct tls_data *data,
- if (!ok) {
- tls_show_errors(MSG_INFO, __func__,
- "Failed to load private key");
-+ tls_clear_default_passwd_cb(ssl_ctx, conn->ssl);
- os_free(passwd);
- return -1;
- }
- ERR_clear_error();
--#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
-- SSL_set_default_passwd_cb(conn->ssl, NULL);
--#endif /* >= 1.1.0f && !LibreSSL */
-- SSL_CTX_set_default_passwd_cb(ssl_ctx, NULL);
-+ tls_clear_default_passwd_cb(ssl_ctx, conn->ssl);
- os_free(passwd);
-
- if (!SSL_check_private_key(conn->ssl)) {
-@@ -2924,13 +2935,14 @@ static int tls_global_private_key(struct tls_data *data,
- tls_read_pkcs12(data, NULL, private_key, passwd)) {
- tls_show_errors(MSG_INFO, __func__,
- "Failed to load private key");
-+ tls_clear_default_passwd_cb(ssl_ctx, NULL);
- os_free(passwd);
- ERR_clear_error();
- return -1;
- }
-+ tls_clear_default_passwd_cb(ssl_ctx, NULL);
- os_free(passwd);
- ERR_clear_error();
-- SSL_CTX_set_default_passwd_cb(ssl_ctx, NULL);
-
- if (!SSL_CTX_check_private_key(ssl_ctx)) {
- tls_show_errors(MSG_INFO, __func__,
---
-2.9.3
-