diff mbox

OpenSSL: fix private key password handling with OpenSSL >= 1.1.0f

Message ID 20170627124358.32377-1-bgalvani@redhat.com
State Changes Requested
Headers show

Commit Message

Beniamino Galvani June 27, 2017, 12:43 p.m. UTC 
Since OpenSSL version 1.1.0f, SSL_use_PrivateKey_file() uses the
callback from the SSL object instead of the one from the CTX, so let's
set the callback on both SSL and CTX. Note that
SSL_set_default_passwd_cb*() is available only in 1.1.0.
---
 src/crypto/tls_openssl.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

Comments

Jouni Malinen July 8, 2017, 12:44 p.m. UTC | #1 
On Tue, Jun 27, 2017 at 02:43:58PM +0200, Beniamino Galvani wrote:
> Since OpenSSL version 1.1.0f, SSL_use_PrivateKey_file() uses the
> callback from the SSL object instead of the one from the CTX, so let's
> set the callback on both SSL and CTX. Note that
> SSL_set_default_passwd_cb*() is available only in 1.1.0.
> ---

Please read the toplevel CONTRIBUTIONS file (*) and resend the patch
with Signed-off-by: line added as described there.


(*) https://w1.fi/cgit/hostap/tree/CONTRIBUTIONS
diff mbox

Patch

diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index 07c6119..7b7dc50 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -2796,6 +2796,15 @@  static int tls_connection_private_key(struct tls_data *data,
 	} else
 		passwd = NULL;
 
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+	/*
+	 * In OpenSSL >= 1.1.0f SSL_use_PrivateKey_file() uses the callback
+	 * from the SSL object. See OpenSSL commit d61461a75253.
+	 */
+	SSL_set_default_passwd_cb(conn->ssl, tls_passwd_cb);
+	SSL_set_default_passwd_cb_userdata(conn->ssl, passwd);
+#endif /* >= 1.1.0f && !LibreSSL */
+	/* Keep these for OpenSSL < 1.1.0f */
 	SSL_CTX_set_default_passwd_cb(ssl_ctx, tls_passwd_cb);
 	SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, passwd);
 
@@ -2886,6 +2895,9 @@  static int tls_connection_private_key(struct tls_data *data,
 		return -1;
 	}
 	ERR_clear_error();
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+	SSL_set_default_passwd_cb(conn->ssl, NULL);
+#endif /* >= 1.1.0f && !LibreSSL */
 	SSL_CTX_set_default_passwd_cb(ssl_ctx, NULL);
 	os_free(passwd);