[arch-commits] Commit in wpa_supplicant/trunk (3 files)

Bartłomiej Piotrowski bpiotrowski at archlinux.org
Mon Oct 9 08:52:09 UTC 2017 

    Date: Monday, October 9, 2017 @ 08:52:08
  Author: bpiotrowski
Revision: 307215

1:2.6-10: bring back openssl-1.0, but use the new config

Modified:
  wpa_supplicant/trunk/PKGBUILD
Deleted:
  wpa_supplicant/trunk/rh1462262-use-system-openssl-ciphers.patch
  wpa_supplicant/trunk/rh1465138-openssl-Fix-openssl-1-1-private-key-callback.patch

--------------------------------------------------------------+
 PKGBUILD                                                     |   24 -
 rh1462262-use-system-openssl-ciphers.patch                   |  122 ---------
 rh1465138-openssl-Fix-openssl-1-1-private-key-callback.patch |  127 ----------
 3 files changed, 9 insertions(+), 264 deletions(-)

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2017-10-09 08:42:41 UTC (rev 307214)
+++ PKGBUILD	2017-10-09 08:52:08 UTC (rev 307215)
@@ -4,32 +4,24 @@
 
 pkgname=wpa_supplicant
 pkgver=2.6
-pkgrel=9
+pkgrel=10
 epoch=1
 pkgdesc='A utility providing key negotiation for WPA wireless networks'
 url='http://hostap.epitest.fi/wpa_supplicant'
 arch=(i686 x86_64)
 license=(GPL)
-depends=(openssl libdbus readline libnl)
+depends=(openssl-1.0 libdbus readline libnl)
 optdepends=('wpa_supplicant_gui: wpa_gui program')
 install=wpa_supplicant.install
 source=(https://w1.fi/releases/${pkgname}-${pkgver}.tar.gz{,.asc}
-        config
-        rh1462262-use-system-openssl-ciphers.patch
-        rh1465138-openssl-Fix-openssl-1-1-private-key-callback.patch)
+        config)
 validpgpkeys=('EC4AA0A991A5F2464582D52D2B6EF432EFC895FA') # Jouni Malinen
 sha256sums=('b4936d34c4e6cdd44954beba74296d964bc2c9668ecaa5255e499636fe2b1450'
             'SKIP'
-            'aeba21c48416342092964dada271ca6dfe842fc862774c2d3b150785225f66e2'
-            'c52ee8bc67466cd662ebac4bad4b25dbb429526ba16fbc179a2ae014be01edfc'
-            'ad2258313f06b04003dbbffe10bc3eab9deea9db400c57c3c01b08cfc0b0916b')
+            'aeba21c48416342092964dada271ca6dfe842fc862774c2d3b150785225f66e2')
 
 prepare() {
-  cd "$srcdir/$pkgname-$pkgver"
-  patch -p1 -i "$srcdir/rh1462262-use-system-openssl-ciphers.patch"
-  patch -p1 -i "$srcdir/rh1465138-openssl-Fix-openssl-1-1-private-key-callback.patch"
-
-  cd $pkgname
+  cd "$srcdir/$pkgname-$pkgver/$pkgname"
   cp "$srcdir/config" ./.config
 }
 
@@ -36,8 +28,10 @@
 build() {
   cd "$srcdir/$pkgname-$pkgver/$pkgname"
 
-  # The Makefile does not pick up our CPPFLAGS
-  export CFLAGS="$CPPFLAGS $CFLAGS"
+  export CFLAGS="$CPPFLAGS $CFLAGS -I/usr/include/openssl-1.0"
+  export LIBS="-L/usr/lib/openssl-1.0"
+  export LIBS_p="-L/usr/lib/openssl-1.0"
+
   make LIBDIR=/usr/lib BINDIR=/usr/bin
   make LIBDIR=/usr/lib BINDIR=/usr/bin eapol_test
 }

Deleted: rh1462262-use-system-openssl-ciphers.patch
===================================================================
--- rh1462262-use-system-openssl-ciphers.patch	2017-10-09 08:42:41 UTC (rev 307214)
+++ rh1462262-use-system-openssl-ciphers.patch	2017-10-09 08:52:08 UTC (rev 307215)
@@ -1,122 +0,0 @@
-From 61665e43b0509e3d05b2519bf10531bd2163ed66 Mon Sep 17 00:00:00 2001
-From: Beniamino Galvani <bgalvani at redhat.com>
-Date: Sun, 9 Jul 2017 11:06:50 +0200
-Subject: [PATCH] OpenSSL: Add build option to select default ciphers
-
-Add a build option to select different default ciphers for OpenSSL
-instead of the hardcoded default "DEFAULT:!EXP:!LOW".
-
-This new option is useful on distributions where the security level
-should be consistent for all applications, as in Fedora [1]. In such
-cases the new configuration option would be set to "" or
-"PROFILE=SYSTEM" to select the global crypto policy by default.
-
-[1] https://fedoraproject.org/wiki/Changes/CryptoPolicy
-
-Signed-off-by: Beniamino Galvani <bgalvani at redhat.com>
-(cherry picked from commit 2b9891bd6e125d3e28f26afde32e153db658b7cc)
----
- src/crypto/tls_openssl.c           | 2 +-
- wpa_supplicant/Android.mk          | 4 ++++
- wpa_supplicant/Makefile            | 4 ++++
- wpa_supplicant/android.config      | 4 ++++
- wpa_supplicant/defconfig           | 4 ++++
- wpa_supplicant/wpa_supplicant.conf | 4 ++--
- 6 files changed, 19 insertions(+), 3 deletions(-)
-
-diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
-index 23ac64b..c4170b6 100644
---- a/src/crypto/tls_openssl.c
-+++ b/src/crypto/tls_openssl.c
-@@ -1017,7 +1017,7 @@ void * tls_init(const struct tls_config *conf)
- 	if (conf && conf->openssl_ciphers)
- 		ciphers = conf->openssl_ciphers;
- 	else
--		ciphers = "DEFAULT:!EXP:!LOW";
-+		ciphers = TLS_DEFAULT_CIPHERS;
- 	if (SSL_CTX_set_cipher_list(ssl, ciphers) != 1) {
- 		wpa_printf(MSG_ERROR,
- 			   "OpenSSL: Failed to set cipher string '%s'",
-diff --git a/wpa_supplicant/Android.mk b/wpa_supplicant/Android.mk
-index a8d6a7f..a9dc086 100644
---- a/wpa_supplicant/Android.mk
-+++ b/wpa_supplicant/Android.mk
-@@ -971,6 +971,10 @@ ifdef CONFIG_TLS_ADD_DL
- LIBS += -ldl
- LIBS_p += -ldl
- endif
-+ifndef CONFIG_TLS_DEFAULT_CIPHERS
-+CONFIG_TLS_DEFAULT_CIPHERS = "DEFAULT:!EXP:!LOW"
-+endif
-+L_CFLAGS += -DTLS_DEFAULT_CIPHERS=\"$(CONFIG_TLS_DEFAULT_CIPHERS)\"
- endif
- 
- ifeq ($(CONFIG_TLS), gnutls)
-diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile
-index 512052e..cc55a52 100644
---- a/wpa_supplicant/Makefile
-+++ b/wpa_supplicant/Makefile
-@@ -1020,6 +1020,10 @@ ifdef CONFIG_TLS_ADD_DL
- LIBS += -ldl
- LIBS_p += -ldl
- endif
-+ifndef CONFIG_TLS_DEFAULT_CIPHERS
-+CONFIG_TLS_DEFAULT_CIPHERS = "DEFAULT:!EXP:!LOW"
-+endif
-+CFLAGS += -DTLS_DEFAULT_CIPHERS=\"$(CONFIG_TLS_DEFAULT_CIPHERS)\"
- endif
- 
- ifeq ($(CONFIG_TLS), gnutls)
-diff --git a/wpa_supplicant/android.config b/wpa_supplicant/android.config
-index 02505bb..f3cc838 100644
---- a/wpa_supplicant/android.config
-+++ b/wpa_supplicant/android.config
-@@ -291,6 +291,10 @@ CONFIG_IEEE80211W=y
- # will be used)
- #CONFIG_TLSV12=y
- 
-+# Select which ciphers to use by default with OpenSSL if the user does not
-+# specify them.
-+#CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW"
-+
- # If CONFIG_TLS=internal is used, additional library and include paths are
- # needed for LibTomMath. Alternatively, an integrated, minimal version of
- # LibTomMath can be used. See beginning of libtommath.c for details on benefits
-diff --git a/wpa_supplicant/defconfig b/wpa_supplicant/defconfig
-index 1d05198..8b0eb87 100644
---- a/wpa_supplicant/defconfig
-+++ b/wpa_supplicant/defconfig
-@@ -316,6 +316,10 @@ CONFIG_PEERKEY=y
- # will be used)
- #CONFIG_TLSV12=y
- 
-+# Select which ciphers to use by default with OpenSSL if the user does not
-+# specify them.
-+#CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW"
-+
- # If CONFIG_TLS=internal is used, additional library and include paths are
- # needed for LibTomMath. Alternatively, an integrated, minimal version of
- # LibTomMath can be used. See beginning of libtommath.c for details on benefits
-diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
-index 1061c98..70989c0 100644
---- a/wpa_supplicant/wpa_supplicant.conf
-+++ b/wpa_supplicant/wpa_supplicant.conf
-@@ -183,13 +183,13 @@ fast_reauth=1
- # OpenSSL cipher string
- #
- # This is an OpenSSL specific configuration option for configuring the default
--# ciphers. If not set, "DEFAULT:!EXP:!LOW" is used as the default.
-+# ciphers. If not set, the value configured at build time ("DEFAULT:!EXP:!LOW"
-+# by default) is used.
- # See https://www.openssl.org/docs/apps/ciphers.html for OpenSSL documentation
- # on cipher suite configuration. This is applicable only if wpa_supplicant is
- # built to use OpenSSL.
- #openssl_ciphers=DEFAULT:!EXP:!LOW
- 
--
- # Dynamic EAP methods
- # If EAP methods were built dynamically as shared object files, they need to be
- # loaded here before being used in the network blocks. By default, EAP methods
--- 
-2.9.3
-

Deleted: rh1465138-openssl-Fix-openssl-1-1-private-key-callback.patch
===================================================================
--- rh1465138-openssl-Fix-openssl-1-1-private-key-callback.patch	2017-10-09 08:42:41 UTC (rev 307214)
+++ rh1465138-openssl-Fix-openssl-1-1-private-key-callback.patch	2017-10-09 08:52:08 UTC (rev 307215)
@@ -1,127 +0,0 @@
-From 25b37c54a47e49d591f5752bbf0f510480402cae Mon Sep 17 00:00:00 2001
-From: Beniamino Galvani <bgalvani at redhat.com>
-Date: Sun, 9 Jul 2017 11:14:10 +0200
-Subject: [PATCH 1/2] OpenSSL: Fix private key password handling with OpenSSL
- >= 1.1.0f
-
-Since OpenSSL version 1.1.0f, SSL_use_PrivateKey_file() uses the
-callback from the SSL object instead of the one from the CTX, so let's
-set the callback on both SSL and CTX. Note that
-SSL_set_default_passwd_cb*() is available only in 1.1.0.
-
-Signed-off-by: Beniamino Galvani <bgalvani at redhat.com>
-(cherry picked from commit f665c93e1d28fbab3d9127a8c3985cc32940824f)
----
- src/crypto/tls_openssl.c | 12 ++++++++++++
- 1 file changed, 12 insertions(+)
-
-diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
-index c4170b6..bceb8c3 100644
---- a/src/crypto/tls_openssl.c
-+++ b/src/crypto/tls_openssl.c
-@@ -2779,6 +2779,15 @@ static int tls_connection_private_key(struct tls_data *data,
- 	} else
- 		passwd = NULL;
- 
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
-+	/*
-+	 * In OpenSSL >= 1.1.0f SSL_use_PrivateKey_file() uses the callback
-+	 * from the SSL object. See OpenSSL commit d61461a75253.
-+	 */
-+	SSL_set_default_passwd_cb(conn->ssl, tls_passwd_cb);
-+	SSL_set_default_passwd_cb_userdata(conn->ssl, passwd);
-+#endif /* >= 1.1.0f && !LibreSSL */
-+	/* Keep these for OpenSSL < 1.1.0f */
- 	SSL_CTX_set_default_passwd_cb(ssl_ctx, tls_passwd_cb);
- 	SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, passwd);
- 
-@@ -2869,6 +2878,9 @@ static int tls_connection_private_key(struct tls_data *data,
- 		return -1;
- 	}
- 	ERR_clear_error();
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
-+	SSL_set_default_passwd_cb(conn->ssl, NULL);
-+#endif /* >= 1.1.0f && !LibreSSL */
- 	SSL_CTX_set_default_passwd_cb(ssl_ctx, NULL);
- 	os_free(passwd);
- 
--- 
-2.9.3
-
-From b2887d6964a406eb5f88f4ad4e9764c468954382 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j at w1.fi>
-Date: Mon, 17 Jul 2017 12:06:17 +0300
-Subject: [PATCH 2/2] OpenSSL: Clear default_passwd_cb more thoroughly
-
-Previously, the pointer to strdup passwd was left in OpenSSL library
-default_passwd_cb_userdata and even the default_passwd_cb was left set
-on an error path. To avoid unexpected behavior if something were to
-manage to use there pointers, clear them explicitly once done with
-loading of the private key.
-
-Signed-off-by: Jouni Malinen <j at w1.fi>
-(cherry picked from commit 89971d8b1e328a2f79699c953625d1671fd40384)
----
- src/crypto/tls_openssl.c | 22 +++++++++++++++++-----
- 1 file changed, 17 insertions(+), 5 deletions(-)
-
-diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
-index bceb8c3..770af9e 100644
---- a/src/crypto/tls_openssl.c
-+++ b/src/crypto/tls_openssl.c
-@@ -2758,6 +2758,19 @@ static int tls_connection_engine_private_key(struct tls_connection *conn)
- }
- 
- 
-+static void tls_clear_default_passwd_cb(SSL_CTX *ssl_ctx, SSL *ssl)
-+{
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
-+	if (ssl) {
-+		SSL_set_default_passwd_cb(ssl, NULL);
-+		SSL_set_default_passwd_cb_userdata(ssl, NULL);
-+	}
-+#endif /* >= 1.1.0f && !LibreSSL */
-+	SSL_CTX_set_default_passwd_cb(ssl_ctx, NULL);
-+	SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, NULL);
-+}
-+
-+
- static int tls_connection_private_key(struct tls_data *data,
- 				      struct tls_connection *conn,
- 				      const char *private_key,
-@@ -2874,14 +2887,12 @@ static int tls_connection_private_key(struct tls_data *data,
- 	if (!ok) {
- 		tls_show_errors(MSG_INFO, __func__,
- 				"Failed to load private key");
-+		tls_clear_default_passwd_cb(ssl_ctx, conn->ssl);
- 		os_free(passwd);
- 		return -1;
- 	}
- 	ERR_clear_error();
--#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
--	SSL_set_default_passwd_cb(conn->ssl, NULL);
--#endif /* >= 1.1.0f && !LibreSSL */
--	SSL_CTX_set_default_passwd_cb(ssl_ctx, NULL);
-+	tls_clear_default_passwd_cb(ssl_ctx, conn->ssl);
- 	os_free(passwd);
- 
- 	if (!SSL_check_private_key(conn->ssl)) {
-@@ -2924,13 +2935,14 @@ static int tls_global_private_key(struct tls_data *data,
- 	    tls_read_pkcs12(data, NULL, private_key, passwd)) {
- 		tls_show_errors(MSG_INFO, __func__,
- 				"Failed to load private key");
-+		tls_clear_default_passwd_cb(ssl_ctx, NULL);
- 		os_free(passwd);
- 		ERR_clear_error();
- 		return -1;
- 	}
-+	tls_clear_default_passwd_cb(ssl_ctx, NULL);
- 	os_free(passwd);
- 	ERR_clear_error();
--	SSL_CTX_set_default_passwd_cb(ssl_ctx, NULL);
- 
- 	if (!SSL_CTX_check_private_key(ssl_ctx)) {
- 		tls_show_errors(MSG_INFO, __func__,
--- 
-2.9.3
-

More information about the arch-commits mailing list