From patchwork Tue Jun 27 12:43:58 2017
X-Patchwork-Submitter: Beniamino Galvani
X-Patchwork-Id: 781197
From: Beniamino Galvani
To: hostap@lists.infradead.org
Cc: Beniamino Galvani
Subject: [PATCH] OpenSSL: fix private key password handling with OpenSSL >= 1.1.0f
Date: Tue, 27 Jun 2017 14:43:58 +0200
Message-Id: <20170627124358.32377-1-bgalvani@redhat.com>

Since OpenSSL version 1.1.0f, SSL_use_PrivateKey_file() uses the callback from the SSL object instead of the one from the CTX, so let's set the callback on both SSL and CTX. Note that SSL_set_default_passwd_cb*() is available only in 1.1.0.
--- src/crypto/tls_openssl.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c index 07c6119..7b7dc50 100644 --- a/src/crypto/tls_openssl.c +++ b/src/crypto/tls_openssl.c @@ -2796,6 +2796,15 @@ static int tls_connection_private_key(struct tls_data *data, } else passwd = NULL; +#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) + /* + * In OpenSSL >= 1.1.0f SSL_use_PrivateKey_file() uses the callback + * from the SSL object. See OpenSSL commit d61461a75253. + */ + SSL_set_default_passwd_cb(conn->ssl, tls_passwd_cb); + SSL_set_default_passwd_cb_userdata(conn->ssl, passwd); +#endif /* >= 1.1.0f && !LibreSSL */ + /* Keep these for OpenSSL < 1.1.0f */ SSL_CTX_set_default_passwd_cb(ssl_ctx, tls_passwd_cb); SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, passwd); @@ -2886,6 +2895,9 @@ static int tls_connection_private_key(struct tls_data *data, return -1; } ERR_clear_error(); +#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) + SSL_set_default_passwd_cb(conn->ssl, NULL); +#endif /* >= 1.1.0f && !LibreSSL */ SSL_CTX_set_default_passwd_cb(ssl_ctx, NULL); os_free(passwd);
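Review bot: in the first hunk the closing comment `/* >= 1.1.0f && !LibreSSL */` does not match its guard, `OPENSSL_VERSION_NUMBER >= 0x10100000L`, which is true for every 1.1.0 release, not only 1.1.0f; the commit message itself says the SSL_set_default_passwd_cb*() functions exist from 1.1.0, so the condition is right and the comment is what should change (`/* >= 1.1.0 && !LibreSSL */`), otherwise a reader goes looking for a letter-suffix check that is not there. Installing the SSL-object callback on 1.1.0a-e as well does no harm, since the CTX callback is still set immediately below under "Keep these for OpenSSL < 1.1.0f". The same comment text on the `#endif` in the second hunk should be corrected in the same way.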
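Review bot: in the second hunk only the callback function pointers are reset before `os_free(passwd);`, while the userdata installed earlier, `SSL_set_default_passwd_cb_userdata(conn->ssl, passwd);` in the first hunk and the pre-existing `SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, passwd);`, is left pointing at the buffer that is about to be freed, so both the SSL object and the CTX keep a dangling pointer to the password buffer for the rest of their lifetime. Add `SSL_set_default_passwd_cb_userdata(conn->ssl, NULL);` next to the new `SSL_set_default_passwd_cb(conn->ssl, NULL);`, and `SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, NULL);` next to the existing CTX reset, so that nothing in a later key or certificate load on the same objects can be handed freed memory as password callback data.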