From 3060fdc1de27c1b9603503d2443839158336779c Mon Sep 17 00:00:00 2001
From: Beniamino Galvani <bgalvani@redhat.com>
Date: Mon, 17 Jul 2017 18:53:53 +0200
Subject: [PATCH] OpenSSL: fix private key password callback (rh #1465138)

---
 ...Fix-openssl-1-1-private-key-callback.patch | 127 ++++++++++++++++++
 wpa_supplicant.spec                           |   7 +-
 2 files changed, 132 insertions(+), 2 deletions(-)
 create mode 100644 rh1465138-openssl-Fix-openssl-1-1-private-key-callback.patch

diff --git a/rh1465138-openssl-Fix-openssl-1-1-private-key-callback.patch b/rh1465138-openssl-Fix-openssl-1-1-private-key-callback.patch
new file mode 100644
index 0000000..bee574a
--- /dev/null
+++ b/rh1465138-openssl-Fix-openssl-1-1-private-key-callback.patch
@@ -0,0 +1,127 @@
+From 25b37c54a47e49d591f5752bbf0f510480402cae Mon Sep 17 00:00:00 2001
+From: Beniamino Galvani <bgalvani@redhat.com>
+Date: Sun, 9 Jul 2017 11:14:10 +0200
+Subject: [PATCH 1/2] OpenSSL: Fix private key password handling with OpenSSL
+ >= 1.1.0f
+
+Since OpenSSL version 1.1.0f, SSL_use_PrivateKey_file() uses the
+callback from the SSL object instead of the one from the CTX, so let's
+set the callback on both SSL and CTX. Note that
+SSL_set_default_passwd_cb*() is available only in 1.1.0.
+
+Signed-off-by: Beniamino Galvani <bgalvani@redhat.com>
+(cherry picked from commit f665c93e1d28fbab3d9127a8c3985cc32940824f)
+---
+ src/crypto/tls_openssl.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
+index c4170b6..bceb8c3 100644
+--- a/src/crypto/tls_openssl.c
++++ b/src/crypto/tls_openssl.c
+@@ -2779,6 +2779,15 @@ static int tls_connection_private_key(struct tls_data *data,
+ 	} else
+ 		passwd = NULL;
+ 
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
++	/*
++	 * In OpenSSL >= 1.1.0f SSL_use_PrivateKey_file() uses the callback
++	 * from the SSL object. See OpenSSL commit d61461a75253.
++	 */
++	SSL_set_default_passwd_cb(conn->ssl, tls_passwd_cb);
++	SSL_set_default_passwd_cb_userdata(conn->ssl, passwd);
++#endif /* >= 1.1.0f && !LibreSSL */
++	/* Keep these for OpenSSL < 1.1.0f */
+ 	SSL_CTX_set_default_passwd_cb(ssl_ctx, tls_passwd_cb);
+ 	SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, passwd);
+ 
+@@ -2869,6 +2878,9 @@ static int tls_connection_private_key(struct tls_data *data,
+ 		return -1;
+ 	}
+ 	ERR_clear_error();
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
++	SSL_set_default_passwd_cb(conn->ssl, NULL);
++#endif /* >= 1.1.0f && !LibreSSL */
+ 	SSL_CTX_set_default_passwd_cb(ssl_ctx, NULL);
+ 	os_free(passwd);
+ 
+-- 
+2.9.3
+
+From b2887d6964a406eb5f88f4ad4e9764c468954382 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Mon, 17 Jul 2017 12:06:17 +0300
+Subject: [PATCH 2/2] OpenSSL: Clear default_passwd_cb more thoroughly
+
+Previously, the pointer to strdup passwd was left in OpenSSL library
+default_passwd_cb_userdata and even the default_passwd_cb was left set
+on an error path. To avoid unexpected behavior if something were to
+manage to use there pointers, clear them explicitly once done with
+loading of the private key.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+(cherry picked from commit 89971d8b1e328a2f79699c953625d1671fd40384)
+---
+ src/crypto/tls_openssl.c | 22 +++++++++++++++++-----
+ 1 file changed, 17 insertions(+), 5 deletions(-)
+
+diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
+index bceb8c3..770af9e 100644
+--- a/src/crypto/tls_openssl.c
++++ b/src/crypto/tls_openssl.c
+@@ -2758,6 +2758,19 @@ static int tls_connection_engine_private_key(struct tls_connection *conn)
+ }
+ 
+ 
++static void tls_clear_default_passwd_cb(SSL_CTX *ssl_ctx, SSL *ssl)
++{
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
++	if (ssl) {
++		SSL_set_default_passwd_cb(ssl, NULL);
++		SSL_set_default_passwd_cb_userdata(ssl, NULL);
++	}
++#endif /* >= 1.1.0f && !LibreSSL */
++	SSL_CTX_set_default_passwd_cb(ssl_ctx, NULL);
++	SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, NULL);
++}
++
++
+ static int tls_connection_private_key(struct tls_data *data,
+ 				      struct tls_connection *conn,
+ 				      const char *private_key,
+@@ -2874,14 +2887,12 @@ static int tls_connection_private_key(struct tls_data *data,
+ 	if (!ok) {
+ 		tls_show_errors(MSG_INFO, __func__,
+ 				"Failed to load private key");
++		tls_clear_default_passwd_cb(ssl_ctx, conn->ssl);
+ 		os_free(passwd);
+ 		return -1;
+ 	}
+ 	ERR_clear_error();
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+-	SSL_set_default_passwd_cb(conn->ssl, NULL);
+-#endif /* >= 1.1.0f && !LibreSSL */
+-	SSL_CTX_set_default_passwd_cb(ssl_ctx, NULL);
++	tls_clear_default_passwd_cb(ssl_ctx, conn->ssl);
+ 	os_free(passwd);
+ 
+ 	if (!SSL_check_private_key(conn->ssl)) {
+@@ -2924,13 +2935,14 @@ static int tls_global_private_key(struct tls_data *data,
+ 	    tls_read_pkcs12(data, NULL, private_key, passwd)) {
+ 		tls_show_errors(MSG_INFO, __func__,
+ 				"Failed to load private key");
++		tls_clear_default_passwd_cb(ssl_ctx, NULL);
+ 		os_free(passwd);
+ 		ERR_clear_error();
+ 		return -1;
+ 	}
++	tls_clear_default_passwd_cb(ssl_ctx, NULL);
+ 	os_free(passwd);
+ 	ERR_clear_error();
+-	SSL_CTX_set_default_passwd_cb(ssl_ctx, NULL);
+ 
+ 	if (!SSL_CTX_check_private_key(ssl_ctx)) {
+ 		tls_show_errors(MSG_INFO, __func__,
+-- 
+2.9.3
+
diff --git a/wpa_supplicant.spec b/wpa_supplicant.spec
index 83a3ba3..80ea5b9 100644
--- a/wpa_supplicant.spec
+++ b/wpa_supplicant.spec
@@ -75,9 +75,10 @@ Patch44: macsec-0036-mka-Fix-the-order-of-operations-in-secure-channel-de.patch
 Patch45: macsec-0037-mka-Fix-use-after-free-when-receive-secure-channels-.patch
 Patch46: macsec-0038-mka-Fix-use-after-free-when-transmit-secure-channels.patch
 Patch47: macsec-0039-macsec_linux-Fix-NULL-pointer-dereference-on-error-c.patch
-# upstream patch not in 2.6
+# upstream patches not in 2.6
 Patch48: rh1451834-nl80211-Fix-race-condition-in-detecting-MAC-change.patch
 Patch49: rh1462262-use-system-openssl-ciphers.patch
+Patch50: rh1465138-openssl-Fix-openssl-1-1-private-key-callback.patch
 
 URL: http://w1.fi/wpa_supplicant/
 
@@ -169,6 +170,7 @@ Graphical User Interface for wpa_supplicant written using QT
 %patch47 -p1 -b .macsec-0039
 %patch48 -p1 -b .rh1447073-detect-mac-change
 %patch49 -p1 -b .rh1462262-system-ciphers
+%patch50 -p1 -b .rh1465138-openssl-cb
 
 %build
 pushd wpa_supplicant
@@ -269,8 +271,9 @@ chmod -R 0644 %{name}/examples/*.py
 %endif
 
 %changelog
-* Mon Jun 26 2017 Beniamino Galvani <bgalvani@redhat.com> - 1:2.6-8
+* Mon Jul 17 2017 Beniamino Galvani <bgalvani@redhat.com> - 1:2.6-8
 - OpenSSL: use system ciphers by default (rh #1462262)
+- OpenSSL: fix private key password callback (rh #1465138)
 
 * Wed May 17 2017 Beniamino Galvani <bgalvani@redhat.com> - 1:2.6-7
 - nl80211: Fix race condition in detecting MAC change (rh #1451834)