Date: Monday, October 9, 2017 @ 08:52:08 Author: bpiotrowski Revision: 307215
1:2.6-10: bring back openssl-1.0, but use the new config Modified: wpa_supplicant/trunk/PKGBUILD Deleted: wpa_supplicant/trunk/rh1462262-use-system-openssl-ciphers.patch wpa_supplicant/trunk/rh1465138-openssl-Fix-openssl-1-1-private-key-callback.patch --------------------------------------------------------------+ PKGBUILD | 24 - rh1462262-use-system-openssl-ciphers.patch | 122 --------- rh1465138-openssl-Fix-openssl-1-1-private-key-callback.patch | 127 ---------- 3 files changed, 9 insertions(+), 264 deletions(-) Modified: PKGBUILD =================================================================== --- PKGBUILD 2017-10-09 08:42:41 UTC (rev 307214) +++ PKGBUILD 2017-10-09 08:52:08 UTC (rev 307215) 
@@ -4,32 +4,24 @@ pkgname=wpa_supplicant pkgver=2.6 -pkgrel=9 +pkgrel=10 epoch=1 pkgdesc='A utility providing key negotiation for WPA wireless networks' url='http://hostap.epitest.fi/wpa_supplicant' arch=(i686 x86_64) license=(GPL) -depends=(openssl libdbus readline libnl) +depends=(openssl-1.0 libdbus readline libnl) optdepends=('wpa_supplicant_gui: wpa_gui program') install=wpa_supplicant.install source=(https://w1.fi/releases/${pkgname}-${pkgver}.tar.gz{,.asc} - config - rh1462262-use-system-openssl-ciphers.patch - rh1465138-openssl-Fix-openssl-1-1-private-key-callback.patch) + config) validpgpkeys=('EC4AA0A991A5F2464582D52D2B6EF432EFC895FA') # Jouni Malinen sha256sums=('b4936d34c4e6cdd44954beba74296d964bc2c9668ecaa5255e499636fe2b1450' 'SKIP' - 'aeba21c48416342092964dada271ca6dfe842fc862774c2d3b150785225f66e2' - 'c52ee8bc67466cd662ebac4bad4b25dbb429526ba16fbc179a2ae014be01edfc' - 'ad2258313f06b04003dbbffe10bc3eab9deea9db400c57c3c01b08cfc0b0916b') + 'aeba21c48416342092964dada271ca6dfe842fc862774c2d3b150785225f66e2') prepare() { - cd "$srcdir/$pkgname-$pkgver" - patch -p1 -i "$srcdir/rh1462262-use-system-openssl-ciphers.patch" - patch -p1 -i "$srcdir/rh1465138-openssl-Fix-openssl-1-1-private-key-callback.patch" - - cd $pkgname + cd "$srcdir/$pkgname-$pkgver/$pkgname" cp "$srcdir/config" ./.config } @@ -36,8 +28,10 @@ build() { cd "$srcdir/$pkgname-$pkgver/$pkgname" - # The Makefile does not pick up our CPPFLAGS - export CFLAGS="$CPPFLAGS $CFLAGS" + export CFLAGS="$CPPFLAGS $CFLAGS -I/usr/include/openssl-1.0" + export LIBS="-L/usr/lib/openssl-1.0" + export LIBS_p="-L/usr/lib/openssl-1.0" + make LIBDIR=/usr/lib BINDIR=/usr/bin make LIBDIR=/usr/lib BINDIR=/usr/bin eapol_test } Deleted: rh1462262-use-system-openssl-ciphers.patch =================================================================== --- rh1462262-use-system-openssl-ciphers.patch 2017-10-09 08:42:41 UTC (rev 307214) +++ rh1462262-use-system-openssl-ciphers.patch 2017-10-09 08:52:08 UTC (rev 307215) 
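Review bot: Dropping rh1465138 from source= and prepare() also removes its second commit (cherry-picked from 89971d8b), whose `tls_clear_default_passwd_cb()` helper clears the CTX callback and userdata unconditionally, outside the `OPENSSL_VERSION_NUMBER >= 0x10100000L` guard; only the SSL-object callback half of that patch is specific to OpenSSL 1.1. With the build back on openssl-1.0, the private-key loading paths again leave the freed `passwd` pointer in `default_passwd_cb_userdata` and the callback set on the error path, which is exactly the condition that commit's message describes. Worth carrying that commit as its own patch, or stating in the commit message that it was dropped deliberately, unless the 2.6 tarball already contains it, which this page does not show. The rest of the hunk is internally consistent: source, sha256sums and prepare() all agree on the single remaining `config` file.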
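Review bot: The why-comment `# The Makefile does not pick up our CPPFLAGS` is removed while the line it explained, `export CFLAGS="$CPPFLAGS $CFLAGS ..."`, stays, and the new `-I/usr/include/openssl-1.0` and `-L/usr/lib/openssl-1.0` exports get no explanation either; suggest restoring it above the export lines as `# The Makefile does not pick up our CPPFLAGS; also point it at the legacy` / `# openssl-1.0 headers/libs (see depends) instead of the system OpenSSL.`. Whether the exported `LIBS` and `LIBS_p` reach the link line depends on the wpa_supplicant Makefile appending to rather than assigning those variables, which is not visible here; checking the final link command once for `-L/usr/lib/openssl-1.0` would confirm the binary is not compiled against 1.0 headers but linked against the system 1.1 libraries. Pinning to openssl-1.0 also means security updates for this package's TLS stack now come from the separate openssl-1.0 package rather than the distro default, which is worth a one-line comment next to depends= for the next maintainer.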
@@ -1,122 +0,0 @@ -From 61665e43b0509e3d05b2519bf10531bd2163ed66 Mon Sep 17 00:00:00 2001 -From: Beniamino Galvani <[email protected]> -Date: Sun, 9 Jul 2017 11:06:50 +0200 -Subject: [PATCH] OpenSSL: Add build option to select default ciphers - -Add a build option to select different default ciphers for OpenSSL -instead of the hardcoded default "DEFAULT:!EXP:!LOW". - -This new option is useful on distributions where the security level -should be consistent for all applications, as in Fedora [1]. In such -cases the new configuration option would be set to "" or -"PROFILE=SYSTEM" to select the global crypto policy by default. - -[1] https://fedoraproject.org/wiki/Changes/CryptoPolicy - -Signed-off-by: Beniamino Galvani <[email protected]> -(cherry picked from commit 2b9891bd6e125d3e28f26afde32e153db658b7cc) ---- - src/crypto/tls_openssl.c | 2 +- - wpa_supplicant/Android.mk | 4 ++++ - wpa_supplicant/Makefile | 4 ++++ - wpa_supplicant/android.config | 4 ++++ - wpa_supplicant/defconfig | 4 ++++ - wpa_supplicant/wpa_supplicant.conf | 4 ++-- - 6 files changed, 19 insertions(+), 3 deletions(-) - -diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c -index 23ac64b..c4170b6 100644 ---- a/src/crypto/tls_openssl.c -+++ b/src/crypto/tls_openssl.c -@@ -1017,7 +1017,7 @@ void * tls_init(const struct tls_config *conf) - if (conf && conf->openssl_ciphers) - ciphers = conf->openssl_ciphers; - else -- ciphers = "DEFAULT:!EXP:!LOW"; -+ ciphers = TLS_DEFAULT_CIPHERS; - if (SSL_CTX_set_cipher_list(ssl, ciphers) != 1) { - wpa_printf(MSG_ERROR, - "OpenSSL: Failed to set cipher string '%s'", -diff --git a/wpa_supplicant/Android.mk b/wpa_supplicant/Android.mk -index a8d6a7f..a9dc086 100644 ---- a/wpa_supplicant/Android.mk -+++ b/wpa_supplicant/Android.mk -@@ -971,6 +971,10 @@ ifdef CONFIG_TLS_ADD_DL - LIBS += -ldl - LIBS_p += -ldl - endif -+ifndef CONFIG_TLS_DEFAULT_CIPHERS -+CONFIG_TLS_DEFAULT_CIPHERS = "DEFAULT:!EXP:!LOW" -+endif -+L_CFLAGS += 
-DTLS_DEFAULT_CIPHERS=\"$(CONFIG_TLS_DEFAULT_CIPHERS)\" - endif - - ifeq ($(CONFIG_TLS), gnutls) -diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile -index 512052e..cc55a52 100644 ---- a/wpa_supplicant/Makefile -+++ b/wpa_supplicant/Makefile -@@ -1020,6 +1020,10 @@ ifdef CONFIG_TLS_ADD_DL - LIBS += -ldl - LIBS_p += -ldl - endif -+ifndef CONFIG_TLS_DEFAULT_CIPHERS -+CONFIG_TLS_DEFAULT_CIPHERS = "DEFAULT:!EXP:!LOW" -+endif -+CFLAGS += -DTLS_DEFAULT_CIPHERS=\"$(CONFIG_TLS_DEFAULT_CIPHERS)\" - endif - - ifeq ($(CONFIG_TLS), gnutls) -diff --git a/wpa_supplicant/android.config b/wpa_supplicant/android.config -index 02505bb..f3cc838 100644 ---- a/wpa_supplicant/android.config -+++ b/wpa_supplicant/android.config -@@ -291,6 +291,10 @@ CONFIG_IEEE80211W=y - # will be used) - #CONFIG_TLSV12=y - -+# Select which ciphers to use by default with OpenSSL if the user does not -+# specify them. -+#CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW" -+ - # If CONFIG_TLS=internal is used, additional library and include paths are - # needed for LibTomMath. Alternatively, an integrated, minimal version of - # LibTomMath can be used. See beginning of libtommath.c for details on benefits -diff --git a/wpa_supplicant/defconfig b/wpa_supplicant/defconfig -index 1d05198..8b0eb87 100644 ---- a/wpa_supplicant/defconfig -+++ b/wpa_supplicant/defconfig -@@ -316,6 +316,10 @@ CONFIG_PEERKEY=y - # will be used) - #CONFIG_TLSV12=y - -+# Select which ciphers to use by default with OpenSSL if the user does not -+# specify them. -+#CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW" -+ - # If CONFIG_TLS=internal is used, additional library and include paths are - # needed for LibTomMath. Alternatively, an integrated, minimal version of - # LibTomMath can be used. 
See beginning of libtommath.c for details on benefits -diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf -index 1061c98..70989c0 100644 ---- a/wpa_supplicant/wpa_supplicant.conf -+++ b/wpa_supplicant/wpa_supplicant.conf -@@ -183,13 +183,13 @@ fast_reauth=1 - # OpenSSL cipher string - # - # This is an OpenSSL specific configuration option for configuring the default --# ciphers. If not set, "DEFAULT:!EXP:!LOW" is used as the default. -+# ciphers. If not set, the value configured at build time ("DEFAULT:!EXP:!LOW" -+# by default) is used. - # See https://www.openssl.org/docs/apps/ciphers.html for OpenSSL documentation - # on cipher suite configuration. This is applicable only if wpa_supplicant is - # built to use OpenSSL. - #openssl_ciphers=DEFAULT:!EXP:!LOW - -- - # Dynamic EAP methods - # If EAP methods were built dynamically as shared object files, they need to be - # loaded here before being used in the network blocks. By default, EAP methods --- -2.9.3 - Deleted: rh1465138-openssl-Fix-openssl-1-1-private-key-callback.patch =================================================================== --- rh1465138-openssl-Fix-openssl-1-1-private-key-callback.patch 2017-10-09 08:42:41 UTC (rev 307214) +++ rh1465138-openssl-Fix-openssl-1-1-private-key-callback.patch 2017-10-09 08:52:08 UTC (rev 307215) 
@@ -1,127 +0,0 @@ -From 25b37c54a47e49d591f5752bbf0f510480402cae Mon Sep 17 00:00:00 2001 -From: Beniamino Galvani <[email protected]> -Date: Sun, 9 Jul 2017 11:14:10 +0200 -Subject: [PATCH 1/2] OpenSSL: Fix private key password handling with OpenSSL - >= 1.1.0f - -Since OpenSSL version 1.1.0f, SSL_use_PrivateKey_file() uses the -callback from the SSL object instead of the one from the CTX, so let's -set the callback on both SSL and CTX. Note that -SSL_set_default_passwd_cb*() is available only in 1.1.0. - -Signed-off-by: Beniamino Galvani <[email protected]> -(cherry picked from commit f665c93e1d28fbab3d9127a8c3985cc32940824f) ---- - src/crypto/tls_openssl.c | 12 ++++++++++++ - 1 file changed, 12 insertions(+) - -diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c -index c4170b6..bceb8c3 100644 ---- a/src/crypto/tls_openssl.c -+++ b/src/crypto/tls_openssl.c -@@ -2779,6 +2779,15 @@ static int tls_connection_private_key(struct tls_data *data, - } else - passwd = NULL; - -+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) -+ /* -+ * In OpenSSL >= 1.1.0f SSL_use_PrivateKey_file() uses the callback -+ * from the SSL object. See OpenSSL commit d61461a75253. 
-+ */ -+ SSL_set_default_passwd_cb(conn->ssl, tls_passwd_cb); -+ SSL_set_default_passwd_cb_userdata(conn->ssl, passwd); -+#endif /* >= 1.1.0f && !LibreSSL */ -+ /* Keep these for OpenSSL < 1.1.0f */ - SSL_CTX_set_default_passwd_cb(ssl_ctx, tls_passwd_cb); - SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, passwd); - -@@ -2869,6 +2878,9 @@ static int tls_connection_private_key(struct tls_data *data, - return -1; - } - ERR_clear_error(); -+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) -+ SSL_set_default_passwd_cb(conn->ssl, NULL); -+#endif /* >= 1.1.0f && !LibreSSL */ - SSL_CTX_set_default_passwd_cb(ssl_ctx, NULL); - os_free(passwd); - --- -2.9.3 - -From b2887d6964a406eb5f88f4ad4e9764c468954382 Mon Sep 17 00:00:00 2001 -From: Jouni Malinen <[email protected]> -Date: Mon, 17 Jul 2017 12:06:17 +0300 -Subject: [PATCH 2/2] OpenSSL: Clear default_passwd_cb more thoroughly - -Previously, the pointer to strdup passwd was left in OpenSSL library -default_passwd_cb_userdata and even the default_passwd_cb was left set -on an error path. To avoid unexpected behavior if something were to -manage to use there pointers, clear them explicitly once done with -loading of the private key. 
- -Signed-off-by: Jouni Malinen <[email protected]> -(cherry picked from commit 89971d8b1e328a2f79699c953625d1671fd40384) ---- - src/crypto/tls_openssl.c | 22 +++++++++++++++++----- - 1 file changed, 17 insertions(+), 5 deletions(-) - -diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c -index bceb8c3..770af9e 100644 ---- a/src/crypto/tls_openssl.c -+++ b/src/crypto/tls_openssl.c -@@ -2758,6 +2758,19 @@ static int tls_connection_engine_private_key(struct tls_connection *conn) - } - - -+static void tls_clear_default_passwd_cb(SSL_CTX *ssl_ctx, SSL *ssl) -+{ -+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) -+ if (ssl) { -+ SSL_set_default_passwd_cb(ssl, NULL); -+ SSL_set_default_passwd_cb_userdata(ssl, NULL); -+ } -+#endif /* >= 1.1.0f && !LibreSSL */ -+ SSL_CTX_set_default_passwd_cb(ssl_ctx, NULL); -+ SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, NULL); -+} -+ -+ - static int tls_connection_private_key(struct tls_data *data, - struct tls_connection *conn, - const char *private_key, -@@ -2874,14 +2887,12 @@ static int tls_connection_private_key(struct tls_data *data, - if (!ok) { - tls_show_errors(MSG_INFO, __func__, - "Failed to load private key"); -+ tls_clear_default_passwd_cb(ssl_ctx, conn->ssl); - os_free(passwd); - return -1; - } - ERR_clear_error(); --#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) -- SSL_set_default_passwd_cb(conn->ssl, NULL); --#endif /* >= 1.1.0f && !LibreSSL */ -- SSL_CTX_set_default_passwd_cb(ssl_ctx, NULL); -+ tls_clear_default_passwd_cb(ssl_ctx, conn->ssl); - os_free(passwd); - - if (!SSL_check_private_key(conn->ssl)) { -@@ -2924,13 +2935,14 @@ static int tls_global_private_key(struct tls_data *data, - tls_read_pkcs12(data, NULL, private_key, passwd)) { - tls_show_errors(MSG_INFO, __func__, - "Failed to load private key"); -+ tls_clear_default_passwd_cb(ssl_ctx, NULL); - os_free(passwd); - ERR_clear_error(); - return -1; - } -+ 
tls_clear_default_passwd_cb(ssl_ctx, NULL); - os_free(passwd); - ERR_clear_error(); -- SSL_CTX_set_default_passwd_cb(ssl_ctx, NULL); - - if (!SSL_CTX_check_private_key(ssl_ctx)) { - tls_show_errors(MSG_INFO, __func__, --- -2.9.3 -
