OpenSSL: fix private key password callback (rh #1465138)
This commit is contained in:
parent
750ee3c11d
commit
3060fdc1de
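--- /dev/null
+++ b/rh1465138-openssl-Fix-openssl-1-1-private-key-callback.patch
@@ -0,0 +1,127 @@
+From 25b37c54a47e49d591f5752bbf0f510480402cae Mon Sep 17 00:00:00 2001
+From: Beniamino Galvani <bgalvani@redhat.com>
+Date: Sun, 9 Jul 2017 11:14:10 +0200
+Subject: [PATCH 1/2] OpenSSL: Fix private key password handling with OpenSSL
+>= 1.1.0f
+
+Since OpenSSL version 1.1.0f, SSL_use_PrivateKey_file() uses the
+callback from the SSL object instead of the one from the CTX, so let's
+set the callback on both SSL and CTX. Note that
+SSL_set_default_passwd_cb*() is available only in 1.1.0.
+
+Signed-off-by: Beniamino Galvani <bgalvani@redhat.com>
+(cherry picked from commit f665c93e1d28fbab3d9127a8c3985cc32940824f)
+---
+src/crypto/tls_openssl.c | 12 ++++++++++++
+1 file changed, 12 insertions(+)
+
+diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
+index c4170b6..bceb8c3 100644
+--- a/src/crypto/tls_openssl.c
++++ b/src/crypto/tls_openssl.c
+@@ -2779,6 +2779,15 @@ static int tls_connection_private_key(struct tls_data *data,
+} else
+passwd = NULL;
+
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
++ /*
++ * In OpenSSL >= 1.1.0f SSL_use_PrivateKey_file() uses the callback
++ * from the SSL object. See OpenSSL commit d61461a75253.
++ */
++ SSL_set_default_passwd_cb(conn->ssl, tls_passwd_cb);
++ SSL_set_default_passwd_cb_userdata(conn->ssl, passwd);
++#endif /* >= 1.1.0f && !LibreSSL */
++ /* Keep these for OpenSSL < 1.1.0f */
+SSL_CTX_set_default_passwd_cb(ssl_ctx, tls_passwd_cb);
+SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, passwd);
+
+@@ -2869,6 +2878,9 @@ static int tls_connection_private_key(struct tls_data *data,
+return -1;
+}
+ERR_clear_error();
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
++ SSL_set_default_passwd_cb(conn->ssl, NULL);
++#endif /* >= 1.1.0f && !LibreSSL */
+SSL_CTX_set_default_passwd_cb(ssl_ctx, NULL);
+os_free(passwd);
+
+--
+2.9.3
+
+From b2887d6964a406eb5f88f4ad4e9764c468954382 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Mon, 17 Jul 2017 12:06:17 +0300
+Subject: [PATCH 2/2] OpenSSL: Clear default_passwd_cb more thoroughly
+
+Previously, the pointer to strdup passwd was left in OpenSSL library
+default_passwd_cb_userdata and even the default_passwd_cb was left set
+on an error path. To avoid unexpected behavior if something were to
+manage to use there pointers, clear them explicitly once done with
+loading of the private key.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+(cherry picked from commit 89971d8b1e328a2f79699c953625d1671fd40384)
+---
+src/crypto/tls_openssl.c | 22 +++++++++++++++++-----
+1 file changed, 17 insertions(+), 5 deletions(-)
+
+diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
+index bceb8c3..770af9e 100644
+--- a/src/crypto/tls_openssl.c
++++ b/src/crypto/tls_openssl.c
+@@ -2758,6 +2758,19 @@ static int tls_connection_engine_private_key(struct tls_connection *conn)
+}
+
+
++static void tls_clear_default_passwd_cb(SSL_CTX *ssl_ctx, SSL *ssl)
++{
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
++ if (ssl) {
++ SSL_set_default_passwd_cb(ssl, NULL);
++ SSL_set_default_passwd_cb_userdata(ssl, NULL);
++ }
++#endif /* >= 1.1.0f && !LibreSSL */
++ SSL_CTX_set_default_passwd_cb(ssl_ctx, NULL);
++ SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, NULL);
++}
++
++
+static int tls_connection_private_key(struct tls_data *data,
+struct tls_connection *conn,
+const char *private_key,
+@@ -2874,14 +2887,12 @@ static int tls_connection_private_key(struct tls_data *data,
+if (!ok) {
+tls_show_errors(MSG_INFO, __func__,
+"Failed to load private key");
++ tls_clear_default_passwd_cb(ssl_ctx, conn->ssl);
+os_free(passwd);
+return -1;
+}
+ERR_clear_error();
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+- SSL_set_default_passwd_cb(conn->ssl, NULL);
+-#endif /* >= 1.1.0f && !LibreSSL */
+- SSL_CTX_set_default_passwd_cb(ssl_ctx, NULL);
++ tls_clear_default_passwd_cb(ssl_ctx, conn->ssl);
+os_free(passwd);
+
+if (!SSL_check_private_key(conn->ssl)) {
+@@ -2924,13 +2935,14 @@ static int tls_global_private_key(struct tls_data *data,
+tls_read_pkcs12(data, NULL, private_key, passwd)) {
+tls_show_errors(MSG_INFO, __func__,
+"Failed to load private key");
++ tls_clear_default_passwd_cb(ssl_ctx, NULL);
+os_free(passwd);
+ERR_clear_error();
+return -1;
+}
++ tls_clear_default_passwd_cb(ssl_ctx, NULL);
+os_free(passwd);
+ERR_clear_error();
+- SSL_CTX_set_default_passwd_cb(ssl_ctx, NULL);
+
+if (!SSL_CTX_check_private_key(ssl_ctx)) {
+tls_show_errors(MSG_INFO, __func__,
+--
+2.9.3
+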
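Review bot: tls_clear_default_passwd_cb() (patch 2, first hunk) detaches the passphrase pointer from the SSL and SSL_CTX objects, but the buffer itself is still released by the plain `os_free(passwd);` that follows each call in the second and third hunks, so the private-key passphrase stays readable in freed heap memory until it is reused; `str_clear_free(passwd);`, the hostap helper that zeroes before freeing, would complete the cleanup the commit message describes. The `#endif /* >= 1.1.0f && !LibreSSL */` comments in both patches also overstate the guard: `OPENSSL_VERSION_NUMBER >= 0x10100000L` matches every 1.1.0 release, which is harmless since the SSL_set_default_passwd_cb*() API exists throughout 1.1.0, but the comment would be accurate as `/* >= 1.1.0 && !LibreSSL */`. tls_connection_private_key() and tls_global_private_key() both start and end outside the shown hunks, so that passwd is always heap-allocated on these paths is taken from the commit message's reference to strdup rather than from visible lines.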
@ -75,9 +75,10 @@ Patch44: macsec-0036-mka-Fix-the-order-of-operations-in-secure-channel-de.patch
|
||||
Patch45: macsec-0037-mka-Fix-use-after-free-when-receive-secure-channels-.patch
|
||||
Patch46: macsec-0038-mka-Fix-use-after-free-when-transmit-secure-channels.patch
|
||||
Patch47: macsec-0039-macsec_linux-Fix-NULL-pointer-dereference-on-error-c.patch
|
||||
# upstream patch not in 2.6
|
||||
# upstream patches not in 2.6
|
||||
Patch48: rh1451834-nl80211-Fix-race-condition-in-detecting-MAC-change.patch
|
||||
Patch49: rh1462262-use-system-openssl-ciphers.patch
|
||||
Patch50: rh1465138-openssl-Fix-openssl-1-1-private-key-callback.patch
|
||||
|
||||
URL: http://w1.fi/wpa_supplicant/
|
||||
|
||||
@ -169,6 +170,7 @@ Graphical User Interface for wpa_supplicant written using QT
|
||||
%patch47 -p1 -b .macsec-0039
|
||||
%patch48 -p1 -b .rh1447073-detect-mac-change
|
||||
%patch49 -p1 -b .rh1462262-system-ciphers
|
||||
%patch50 -p1 -b .rh1465138-openssl-cb
|
||||
|
||||
%build
|
||||
pushd wpa_supplicant
|
||||
@ -269,8 +271,9 @@ chmod -R 0644 %{name}/examples/*.py
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Jun 26 2017 Beniamino Galvani <bgalvani@redhat.com> - 1:2.6-8
|
||||
* Mon Jul 17 2017 Beniamino Galvani <bgalvani@redhat.com> - 1:2.6-8
|
||||
- OpenSSL: use system ciphers by default (rh #1462262)
|
||||
- OpenSSL: fix private key password callback (rh #1465138)
|
||||
|
||||
* Wed May 17 2017 Beniamino Galvani <bgalvani@redhat.com> - 1:2.6-7
|
||||
- nl80211: Fix race condition in detecting MAC change (rh #1451834)
|
||||
|