aboutsummaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorBeniamino Galvani <bgalvani@redhat.com>2017-07-09 09:14:10 (GMT)
committerJouni Malinen <j@w1.fi>2017-07-17 08:57:16 (GMT)
commitf665c93e1d28fbab3d9127a8c3985cc32940824f (patch)
tree6ebd71cfd6edc4b199a3f70033aa7a7ec6295a24 /src
parent2b9891bd6e125d3e28f26afde32e153db658b7cc (diff)
downloadhostap-f665c93e1d28fbab3d9127a8c3985cc32940824f.zip
hostap-f665c93e1d28fbab3d9127a8c3985cc32940824f.tar.gz
hostap-f665c93e1d28fbab3d9127a8c3985cc32940824f.tar.bz2
OpenSSL: Fix private key password handling with OpenSSL >= 1.1.0f
Since OpenSSL version 1.1.0f, SSL_use_PrivateKey_file() uses the callback from the SSL object instead of the one from the CTX, so let's set the callback on both SSL and CTX. Note that SSL_set_default_passwd_cb*() is available only in 1.1.0. Signed-off-by: Beniamino Galvani <bgalvani@redhat.com>
Diffstat (limited to 'src')
-rw-r--r--src/crypto/tls_openssl.c12
1 files changed, 12 insertions, 0 deletions
diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index fd94eaf..c790b53 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -2796,6 +2796,15 @@ static int tls_connection_private_key(struct tls_data *data,
} else
passwd = NULL;
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ /*
+ * In OpenSSL >= 1.1.0f SSL_use_PrivateKey_file() uses the callback
+ * from the SSL object. See OpenSSL commit d61461a75253.
+ */
+ SSL_set_default_passwd_cb(conn->ssl, tls_passwd_cb);
+ SSL_set_default_passwd_cb_userdata(conn->ssl, passwd);
+#endif /* >= 1.1.0f && !LibreSSL */
+ /* Keep these for OpenSSL < 1.1.0f */
SSL_CTX_set_default_passwd_cb(ssl_ctx, tls_passwd_cb);
SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, passwd);
@@ -2886,6 +2895,9 @@ static int tls_connection_private_key(struct tls_data *data,
return -1;
}
ERR_clear_error();
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ SSL_set_default_passwd_cb(conn->ssl, NULL);
+#endif /* >= 1.1.0f && !LibreSSL */
SSL_CTX_set_default_passwd_cb(ssl_ctx, NULL);
os_free(passwd);