Hello community, here is the log from the commit of package wpa_supplicant for openSUSE:Factory checked in at 2018-07-23 17:57:32 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/wpa_supplicant (Old) and /work/SRC/openSUSE:Factory/.wpa_supplicant.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "wpa_supplicant" Mon Jul 23 17:57:32 2018 rev:71 rq:624261 version:2.6
Changes:
--------
--- /work/SRC/openSUSE:Factory/wpa_supplicant/wpa_supplicant.changes 2017-10-18 12:51:01.697684332 +0200
+++ /work/SRC/openSUSE:Factory/.wpa_supplicant.new/wpa_supplicant.changes 2018-07-23 17:57:36.249184828 +0200
@@ -1,0 +2,10 @@
+Fri Jul 20 13:48:52 CEST 2018 - [email protected]
+
+- add two patches from upstream to fix reading private key
+ passwords from the configuration file (bsc#1099835)
+ - add patch for git 89971d8b1e328a2f79699c953625d1671fd40384
+ wpa_supplicant-bnc-1099835-clear-default_passwd_cb.patch
+ - add patch for git f665c93e1d28fbab3d9127a8c3985cc32940824f
+ wpa_supplicant-bnc-1099835-fix-private-key-password.patch
+
+-------------------------------------------------------------------
New:
----
wpa_supplicant-bnc-1099835-clear-default_passwd_cb.patch
wpa_supplicant-bnc-1099835-fix-private-key-password.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ wpa_supplicant.spec ++++++
--- /var/tmp/diff_new_pack.DJdbO3/_old 2018-07-23 17:57:38.337182221 +0200
+++ /var/tmp/diff_new_pack.DJdbO3/_new 2018-07-23 17:57:38.341182216 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package wpa_supplicant
 #
-# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -20,7 +20,7 @@
 Version: 2.6
 Release: 0
 Summary: WPA supplicant implementation
-License: BSD-3-Clause and GPL-2.0+
+License: BSD-3-Clause AND GPL-2.0-or-later
 Group: Productivity/Networking/Other
 Url: http://hostap.epitest.fi/wpa_supplicant/
 Source: http://hostap.epitest.fi/releases/wpa_supplicant-%{version}.tar.gz
@@ -49,6 +49,8 @@
 Patch15: rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch
 Patch16: rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch
 Patch17: rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch
+Patch18: wpa_supplicant-bnc-1099835-fix-private-key-password.patch
+Patch19: wpa_supplicant-bnc-1099835-clear-default_passwd_cb.patch
 BuildRequires: openssl-devel
 BuildRequires: pkgconfig
@@ -95,6 +97,8 @@
 %patch15 -p1
 %patch16 -p1
 %patch17 -p1
+%patch18 -p1
+%patch19 -p1
 %build
 cd wpa_supplicant
++++++ wpa_supplicant-bnc-1099835-clear-default_passwd_cb.patch ++++++
commit 89971d8b1e328a2f79699c953625d1671fd40384
Author: Jouni Malinen <[email protected]>
Date: Mon Jul 17 12:06:17 2017 +0300
OpenSSL: Clear default_passwd_cb more thoroughly
Previously, the pointer to strdup passwd was left in OpenSSL library default_passwd_cb_userdata and even the default_passwd_cb was left set on an error path. To avoid unexpected behavior if something were to manage to use there pointers, clear them explicitly once done with loading of the private key.
Signed-off-by: Jouni Malinen <[email protected]>
diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index c790b53ea..903c38cff 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -2775,6 +2775,19 @@ static int tls_connection_engine_private_key(struct tls_connection *conn)
 }
+static void tls_clear_default_passwd_cb(SSL_CTX *ssl_ctx, SSL *ssl)
+{
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ if (ssl) {
+ SSL_set_default_passwd_cb(ssl, NULL);
+ SSL_set_default_passwd_cb_userdata(ssl, NULL);
+ }
+#endif /* >= 1.1.0f && !LibreSSL */
+ SSL_CTX_set_default_passwd_cb(ssl_ctx, NULL);
+ SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, NULL);
+}
+
+
 static int tls_connection_private_key(struct tls_data *data,
 struct tls_connection *conn,
 const char *private_key,
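Review bot: The `#endif /* >= 1.1.0f && !LibreSSL */` label on the new tls_clear_default_passwd_cb() helper does not match its guard: `OPENSSL_VERSION_NUMBER >= 0x10100000L` admits every 1.1.0 build, including 1.1.0 through 1.1.0e, which is correct because what matters for this block is that SSL_set_default_passwd_cb*() exists at all (1.1.0 onwards), not the 1.1.0f behaviour change described in the companion patch. A reader checking the label against the macro will conclude one of them is wrong. I would relabel it `#endif /* >= 1.1.0 && !LibreSSL */` and put a one-line comment above the `#if` saying the SSL-level callback setters are only available from OpenSSL 1.1.0; the same label recurs in both hunks of the fix-private-key-password patch further down, where it was introduced.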
@@ -2891,14 +2904,12 @@ static int tls_connection_private_key(struct tls_data *data,
 if (!ok) {
 tls_show_errors(MSG_INFO, __func__, "Failed to load private key");
+ tls_clear_default_passwd_cb(ssl_ctx, conn->ssl);
 os_free(passwd);
 return -1;
 }
 ERR_clear_error();
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
- SSL_set_default_passwd_cb(conn->ssl, NULL);
-#endif /* >= 1.1.0f && !LibreSSL */
- SSL_CTX_set_default_passwd_cb(ssl_ctx, NULL);
+ tls_clear_default_passwd_cb(ssl_ctx, conn->ssl);
 os_free(passwd);
 if (!SSL_check_private_key(conn->ssl)) {
@@ -2941,13 +2952,14 @@ static int tls_global_private_key(struct tls_data *data,
 tls_read_pkcs12(data, NULL, private_key, passwd)) {
 tls_show_errors(MSG_INFO, __func__, "Failed to load private key");
+ tls_clear_default_passwd_cb(ssl_ctx, NULL);
 os_free(passwd);
 ERR_clear_error();
 return -1;
 }
+ tls_clear_default_passwd_cb(ssl_ctx, NULL);
 os_free(passwd);
 ERR_clear_error();
- SSL_CTX_set_default_passwd_cb(ssl_ctx, NULL);
 if (!SSL_CTX_check_private_key(ssl_ctx)) {
 tls_show_errors(MSG_INFO, __func__,
++++++ wpa_supplicant-bnc-1099835-fix-private-key-password.patch ++++++
commit f665c93e1d28fbab3d9127a8c3985cc32940824f
Author: Beniamino Galvani <[email protected]>
Date: Sun Jul 9 11:14:10 2017 +0200
OpenSSL: Fix private key password handling with OpenSSL >= 1.1.0f
Since OpenSSL version 1.1.0f, SSL_use_PrivateKey_file() uses the callback from the SSL object instead of the one from the CTX, so let's set the callback on both SSL and CTX. Note that SSL_set_default_passwd_cb*() is available only in 1.1.0.
Signed-off-by: Beniamino Galvani <[email protected]>
diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index fd94eaf46..c790b53ea 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
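Review bot: Both paths in tls_connection_private_key() now clear the OpenSSL callback state before `os_free(passwd);`, which is the right order (no dangling userdata pointer survives the free), but the strdup'd private-key password is still released without being wiped, so the cleartext remains in freed heap memory until that chunk is reused; the same holds for both `os_free(passwd);` calls in the tls_global_private_key() hunk that follows. hostap's common utilities carry a zeroizing free helper for exactly this purpose (str_clear_free()); if it is present in this 2.6 tree, replacing `os_free(passwd);` with `str_clear_free(passwd);` at all four sites closes the gap, otherwise an `os_memset(passwd, 0, os_strlen(passwd));` before the free is the fallback. Both enclosing functions start and end outside these hunks, so any other `passwd` release paths in them should get the same treatment.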
@@ -2796,6 +2796,15 @@ static int tls_connection_private_key(struct tls_data *data,
 } else
 passwd = NULL;
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ /*
+ * In OpenSSL >= 1.1.0f SSL_use_PrivateKey_file() uses the callback
+ * from the SSL object. See OpenSSL commit d61461a75253.
+ */
+ SSL_set_default_passwd_cb(conn->ssl, tls_passwd_cb);
+ SSL_set_default_passwd_cb_userdata(conn->ssl, passwd);
+#endif /* >= 1.1.0f && !LibreSSL */
+
 /* Keep these for OpenSSL < 1.1.0f */
 SSL_CTX_set_default_passwd_cb(ssl_ctx, tls_passwd_cb);
 SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, passwd);
@@ -2886,6 +2895,9 @@ static int tls_connection_private_key(struct tls_data *data,
 return -1;
 }
 ERR_clear_error();
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ SSL_set_default_passwd_cb(conn->ssl, NULL);
+#endif /* >= 1.1.0f && !LibreSSL */
 SSL_CTX_set_default_passwd_cb(ssl_ctx, NULL);
 os_free(passwd);
