summaryrefslogtreecommitdiffstats
path: root/source/n/wpa_supplicant/patches/Fix-openssl-1-1-private-key-callback.patch
diff options
context:
space:
mode:
author Patrick J Volkerding <volkerdi@slackware.com>2018-05-28 19:12:29 +0000
committer Eric Hameleers <alien@slackware.com>2018-05-31 23:39:35 +0200
commit646a5c1cbfd95873950a87b5f75d52073a967023 (patch)
treeb8b8d2ab3b0d432ea69ad1a64d1c789649d65020 /source/n/wpa_supplicant/patches/Fix-openssl-1-1-private-key-callback.patch
parentd31c50870d0bee042ce660e445c9294a59a3a65b (diff)
downloadcurrent-646a5c1cbfd95873950a87b5f75d52073a967023.tar.gz
current-646a5c1cbfd95873950a87b5f75d52073a967023.tar.xz
Mon May 28 19:12:29 UTC 201820180528191229
a/pkgtools-15.0-noarch-13.txz: Rebuilt. installpkg: default line length for --terselength is the number of columns. removepkg: added --terse mode. upgradepkg: default line length for --terselength is the number of columns. upgradepkg: accept -option in addition to --option. ap/vim-8.1.0026-x86_64-1.txz: Upgraded. d/bison-3.0.5-x86_64-1.txz: Upgraded. e/emacs-26.1-x86_64-1.txz: Upgraded. kde/kopete-4.14.3-x86_64-8.txz: Rebuilt. Recompiled against libidn-1.35. n/conntrack-tools-1.4.5-x86_64-1.txz: Upgraded. n/libnetfilter_conntrack-1.0.7-x86_64-1.txz: Upgraded. n/libnftnl-1.1.0-x86_64-1.txz: Upgraded. n/links-2.16-x86_64-2.txz: Rebuilt. Rebuilt to enable X driver for -g mode. n/lynx-2.8.9dev.19-x86_64-1.txz: Upgraded. n/nftables-0.8.5-x86_64-1.txz: Upgraded. n/p11-kit-0.23.11-x86_64-1.txz: Upgraded. n/ulogd-2.0.7-x86_64-1.txz: Upgraded. n/whois-5.3.1-x86_64-1.txz: Upgraded. xap/network-manager-applet-1.8.12-x86_64-1.txz: Upgraded. xap/vim-gvim-8.1.0026-x86_64-1.txz: Upgraded.
Diffstat (limited to 'source/n/wpa_supplicant/patches/Fix-openssl-1-1-private-key-callback.patch')
-rw-r--r--source/n/wpa_supplicant/patches/Fix-openssl-1-1-private-key-callback.patch127
1 files changed, 127 insertions, 0 deletions
diff --git a/source/n/wpa_supplicant/patches/Fix-openssl-1-1-private-key-callback.patch b/source/n/wpa_supplicant/patches/Fix-openssl-1-1-private-key-callback.patch
new file mode 100644
index 000000000..bee574a5c
--- /dev/null
+++ b/source/n/wpa_supplicant/patches/Fix-openssl-1-1-private-key-callback.patch
@@ -0,0 +1,127 @@
+From 25b37c54a47e49d591f5752bbf0f510480402cae Mon Sep 17 00:00:00 2001
+From: Beniamino Galvani <bgalvani@redhat.com>
+Date: Sun, 9 Jul 2017 11:14:10 +0200
+Subject: [PATCH 1/2] OpenSSL: Fix private key password handling with OpenSSL
+ >= 1.1.0f
+
+Since OpenSSL version 1.1.0f, SSL_use_PrivateKey_file() uses the
+callback from the SSL object instead of the one from the CTX, so let's
+set the callback on both SSL and CTX. Note that
+SSL_set_default_passwd_cb*() is available only in 1.1.0.
+
+Signed-off-by: Beniamino Galvani <bgalvani@redhat.com>
+(cherry picked from commit f665c93e1d28fbab3d9127a8c3985cc32940824f)
+---
+ src/crypto/tls_openssl.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
+index c4170b6..bceb8c3 100644
+--- a/src/crypto/tls_openssl.c
++++ b/src/crypto/tls_openssl.c
+@@ -2779,6 +2779,15 @@ static int tls_connection_private_key(struct tls_data *data,
+ } else
+ passwd = NULL;
+
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
++ /*
++ * In OpenSSL >= 1.1.0f SSL_use_PrivateKey_file() uses the callback
++ * from the SSL object. See OpenSSL commit d61461a75253.
++ */
++ SSL_set_default_passwd_cb(conn->ssl, tls_passwd_cb);
++ SSL_set_default_passwd_cb_userdata(conn->ssl, passwd);
++#endif /* >= 1.1.0f && !LibreSSL */
++ /* Keep these for OpenSSL < 1.1.0f */
+ SSL_CTX_set_default_passwd_cb(ssl_ctx, tls_passwd_cb);
+ SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, passwd);
+
+@@ -2869,6 +2878,9 @@ static int tls_connection_private_key(struct tls_data *data,
+ return -1;
+ }
+ ERR_clear_error();
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
++ SSL_set_default_passwd_cb(conn->ssl, NULL);
++#endif /* >= 1.1.0f && !LibreSSL */
+ SSL_CTX_set_default_passwd_cb(ssl_ctx, NULL);
+ os_free(passwd);
+
+--
+2.9.3
+
+From b2887d6964a406eb5f88f4ad4e9764c468954382 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Mon, 17 Jul 2017 12:06:17 +0300
+Subject: [PATCH 2/2] OpenSSL: Clear default_passwd_cb more thoroughly
+
+Previously, the pointer to strdup passwd was left in OpenSSL library
+default_passwd_cb_userdata and even the default_passwd_cb was left set
+on an error path. To avoid unexpected behavior if something were to
+manage to use there pointers, clear them explicitly once done with
+loading of the private key.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+(cherry picked from commit 89971d8b1e328a2f79699c953625d1671fd40384)
+---
+ src/crypto/tls_openssl.c | 22 +++++++++++++++++-----
+ 1 file changed, 17 insertions(+), 5 deletions(-)
+
+diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
+index bceb8c3..770af9e 100644
+--- a/src/crypto/tls_openssl.c
++++ b/src/crypto/tls_openssl.c
+@@ -2758,6 +2758,19 @@ static int tls_connection_engine_private_key(struct tls_connection *conn)
+ }
+
+
++static void tls_clear_default_passwd_cb(SSL_CTX *ssl_ctx, SSL *ssl)
++{
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
++ if (ssl) {
++ SSL_set_default_passwd_cb(ssl, NULL);
++ SSL_set_default_passwd_cb_userdata(ssl, NULL);
++ }
++#endif /* >= 1.1.0f && !LibreSSL */
++ SSL_CTX_set_default_passwd_cb(ssl_ctx, NULL);
++ SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, NULL);
++}
++
++
+ static int tls_connection_private_key(struct tls_data *data,
+ struct tls_connection *conn,
+ const char *private_key,
+@@ -2874,14 +2887,12 @@ static int tls_connection_private_key(struct tls_data *data,
+ if (!ok) {
+ tls_show_errors(MSG_INFO, __func__,
+ "Failed to load private key");
++ tls_clear_default_passwd_cb(ssl_ctx, conn->ssl);
+ os_free(passwd);
+ return -1;
+ }
+ ERR_clear_error();
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+- SSL_set_default_passwd_cb(conn->ssl, NULL);
+-#endif /* >= 1.1.0f && !LibreSSL */
+- SSL_CTX_set_default_passwd_cb(ssl_ctx, NULL);
++ tls_clear_default_passwd_cb(ssl_ctx, conn->ssl);
+ os_free(passwd);
+
+ if (!SSL_check_private_key(conn->ssl)) {
+@@ -2924,13 +2935,14 @@ static int tls_global_private_key(struct tls_data *data,
+ tls_read_pkcs12(data, NULL, private_key, passwd)) {
+ tls_show_errors(MSG_INFO, __func__,
+ "Failed to load private key");
++ tls_clear_default_passwd_cb(ssl_ctx, NULL);
+ os_free(passwd);
+ ERR_clear_error();
+ return -1;
+ }
++ tls_clear_default_passwd_cb(ssl_ctx, NULL);
+ os_free(passwd);
+ ERR_clear_error();
+- SSL_CTX_set_default_passwd_cb(ssl_ctx, NULL);
+
+ if (!SSL_CTX_check_private_key(ssl_ctx)) {
+ tls_show_errors(MSG_INFO, __func__,
+--
+2.9.3
+
generated by cgit v1.2.3-80-g2a13 (git 2.46.2) at 2024-09-25 23:29:11 +0000