Fix net-wireless/wpa_supplicant and net-wireless/hostapd for OpenSSL 1.1
Issue description

net-wireless/wpa_supplicant-2.5-r78 and net-wireless/hostapd-2.5-r75 fail to build with dev-libs/openssl-1.1.0f.

At some point, these packages diverged from their upstream ebuilds and became cros_workon ebuilds. Both packages point to the same repository (src/third_party/wpa_supplicant). The commit corresponding to the above versions is:

01d3dff8fef5ab4dbda4b961dc14e58d56f045cc hostapd: Remove STA entry immediately during Prune Association

The base version from which the repository forked was tag [hostap_2_5], which is a release from 2015-09-27. The most recent upstream release is 2.6, released 2016-10-02. According to the ChangeLog [0], version 2.6 has "support OpenSSL 1.1 API changes".

[0] http://w1.fi/cgit/hostap/plain/wpa_supplicant/ChangeLog
,
Jul 7 2017
Latest ebuilds from upstream gentoo are both based on 2.6.
,
Aug 18 2017
Looks like all of the OpenSSL changes are isolated to the following two files:

src/crypto/crypto_openssl.c
src/crypto/tls_openssl.c

So cherry-picking all changes to these two files from hostap_2_5..hostap_2_6 should get us closer:

$ glo hostap_2_5..hostap_2_6 -- src/crypto/crypto_openssl.c src/crypto/tls_openssl.c
478441bf8 OpenSSL: Fix OpenSSL 1.1.0 compatibility functions
460e5cdf4 OpenSSL: Fix OpenSSL 1.1.0 DH operation
e6804fef9 OpenSSL: Update to match the modified DH_get0_key() API
3787c91da OpenSSL: Pull in header files to check function prototypes
c3d7fb7e2 OpenSSL: Initialise PKCS#11 engine even if found with ENGINE_by_id()
1cece2faf OpenSSL: Comment out tls_connection_get_eap_fast_key without EAP-FAST
735817078 TLS: Split tls_connection_prf() into two functions
f150db6c8 OpenSSL: Remove two more accesses of ssl_ctx->cert_store
6a9681e90 OpenSSL: Make dh5_init() match the generic implementation
e4471338c OpenSSL: BoringSSL has SSL_get_client_random(), etc.
49fe2ada2 OpenSSL: Support OpenSSL 1.1.0 DH opacity
f73b167c6 tests: Add TEST_FAIL() calls into OpenSSL bignum operations
3a583e002 OpenSSL: Fix PKCS#12 parsing of extra certificates with OpenSSL 1.0.1
8bcf8de82 OpenSSL: Fix memory leak in PKCS12 additional certificate parsing
03e3ddf84 OpenSSL: Fix memory leak in HMAC_CTX compatibility wrapper function
d9a0f6974 OpenSSL: Fix memory leak in OCSP parsing
29bc76e3d OpenSSL: Do not use library init/deinit functions with 1.1.0
0f0963700 OpenSSL: Fix memory leak in subjectAltName parsing
6014890bf OpenSSL: Fix memory leak with EVP_CIPHER_CTX_new()
1f1e599b3 OpenSSL: Fix memory leak on error path
dda091cf5 OpenSSL: Fix server side PKCS#12 processing with extra certificates
a8ef133f1 Android: Support multiple CA certs when connecting to EAP network
ac2053b10 OpenSSL: Clean up openssl_digest_vector() to use a single implementation
5c9a33702 OpenSSL: Clean up crypto_hash_*() to use a single implementation
587b0457e LibreSSL: Fix build with LibreSSL
465196ebd tests: aes_encrypt_init() and aes_decrypt_init() to use TEST_FAIL
1eb87ae48 OpenSSL: Use EVP_CIPHER_CTX_new() to work with OpenSSL 1.1.0
3fb3bea8e OpenSSL: Update session_secret callback to match OpenSSL 1.1.0 API
21cb63fff OpenSSL: Fix client certificate chain building after PKCS#12 use
750f5d996 EAP-FAST: Enable AES256-based TLS cipher suites with OpenSSL
1ebb24bbf OpenSSL: Share a single openssl_tls_prf() implementation
dea20519a OpenSSL: Clean up function to fetch client/server random
9a42d859a OpenSSL: Drop support for OpenSSL 1.0.0
de213e84e OpenSSL: Drop support for OpenSSL 0.9.8
d6b536f7e Add ocsp=3 configuration parameter for multi-OCSP
3c108b757 EAP peer: External server certificate chain validation
36478a16e OpenSSL: Support new API for HMAC/EVP_MD_CTX in OpenSSL 1.1.x-pre1
213e158ca BoringSSL: Move OCSP implementation into a separate file
b34c623c0 OpenSSL: Fix build with current OpenSSL master branch snapshot
11c9ddb76 Add TEST_FAIL() condition to aes_128_cbc_encrypt/decrypt()
36e820605 Check for LIBRESSL_VERSION_NUMBER in tls_openssl.c
cc4f3d6ea tests: Add TEST_FAIL() condition to omac1_aes_vector()
8fd1d6236 OpenSSL: Add TEST_FAIL() checks to allow error path testing
cbb154973 OpenSSL: Make msg_callback debug prints easier to read
faf8f2937 OpenSSL: Recognize special write_p == 2 in msg_callback
bdee6ca0e BoringSSL: Implement support for OCSP stapling
aeeb0bca7 Android: Fix keystore-backed keys with BoringSSL

As a side-effect, this will also make wpa_supplicant much more BoringSSL friendly.
,
Aug 18 2017
Is it worth it to try and cherry-pick these changes or should we consider just upreving the whole thing to 2.6?
,
Aug 18 2017
CLs:

https://chromium-review.googlesource.com/621370 UPSTREAM: Android: Fix keystore-backed keys with BoringSSL
https://chromium-review.googlesource.com/621371 UPSTREAM: BoringSSL: Implement support for OCSP stapling
https://chromium-review.googlesource.com/621372 UPSTREAM: Check for LIBRESSL_VERSION_NUMBER in tls_openssl.c
https://chromium-review.googlesource.com/621373 UPSTREAM: OpenSSL: Fix build with current OpenSSL master branch snapshot
https://chromium-review.googlesource.com/621374 UPSTREAM: BoringSSL: Move OCSP implementation into a separate file
https://chromium-review.googlesource.com/621375 UPSTREAM: OpenSSL: Support new API for HMAC/EVP_MD_CTX in OpenSSL 1.1.x-pre1
https://chromium-review.googlesource.com/621376 UPSTREAM: OpenSSL: Drop support for OpenSSL 0.9.8
https://chromium-review.googlesource.com/621377 UPSTREAM: OpenSSL: Drop support for OpenSSL 1.0.0
https://chromium-review.googlesource.com/621378 UPSTREAM: OpenSSL: Clean up function to fetch client/server random
https://chromium-review.googlesource.com/621379 UPSTREAM: OpenSSL: Share a single openssl_tls_prf() implementation
https://chromium-review.googlesource.com/621380 UPSTREAM: OpenSSL: Fix client certificate chain building after PKCS#12 use
https://chromium-review.googlesource.com/621381 UPSTREAM: OpenSSL: Update session_secret callback to match OpenSSL 1.1.0 API
https://chromium-review.googlesource.com/621382 UPSTREAM: OpenSSL: Add TEST_FAIL() checks to allow error path testing
https://chromium-review.googlesource.com/621383 UPSTREAM: tests: Add TEST_FAIL() condition to omac1_aes_vector()
https://chromium-review.googlesource.com/621384 UPSTREAM: Add TEST_FAIL() condition to aes_128_cbc_encrypt/decrypt()
https://chromium-review.googlesource.com/621385 UPSTREAM: OpenSSL: Use EVP_CIPHER_CTX_new() to work with OpenSSL 1.1.0
https://chromium-review.googlesource.com/621906 UPSTREAM: tests: aes_encrypt_init() and aes_decrypt_init() to use TEST_FAIL
https://chromium-review.googlesource.com/621907 UPSTREAM: LibreSSL: Fix build with LibreSSL
https://chromium-review.googlesource.com/621908 UPSTREAM: OpenSSL: Clean up crypto_hash_*() to use a single implementation
https://chromium-review.googlesource.com/621909 UPSTREAM: OpenSSL: Clean up openssl_digest_vector() to use a single ...
https://chromium-review.googlesource.com/621910 UPSTREAM: OpenSSL: Fix server side PKCS#12 processing with extra certificates
https://chromium-review.googlesource.com/621911 UPSTREAM: OpenSSL: Fix memory leak on error path
https://chromium-review.googlesource.com/621912 UPSTREAM: OpenSSL: Fix memory leak with EVP_CIPHER_CTX_new()
https://chromium-review.googlesource.com/621913 UPSTREAM: OpenSSL: Fix memory leak in subjectAltName parsing
https://chromium-review.googlesource.com/621914 UPSTREAM: OpenSSL: Do not use library init/deinit functions with 1.1.0
https://chromium-review.googlesource.com/621915 UPSTREAM: OpenSSL: Fix memory leak in OCSP parsing
https://chromium-review.googlesource.com/621916 UPSTREAM: OpenSSL: Fix memory leak in HMAC_CTX compatibility wrapper function
https://chromium-review.googlesource.com/621917 UPSTREAM: OpenSSL: Fix memory leak in PKCS12 additional certificate parsing
https://chromium-review.googlesource.com/621918 UPSTREAM: OpenSSL: Fix PKCS#12 parsing of extra certificates with OpenSSL 1.0.1
https://chromium-review.googlesource.com/621919 UPSTREAM: tests: Add TEST_FAIL() calls into OpenSSL bignum operations
https://chromium-review.googlesource.com/621920 UPSTREAM: OpenSSL: Support OpenSSL 1.1.0 DH opacity
https://chromium-review.googlesource.com/621921 UPSTREAM: OpenSSL: BoringSSL has SSL_get_client_random(), etc.
https://chromium-review.googlesource.com/621922 UPSTREAM: OpenSSL: Make dh5_init() match the generic implementation
https://chromium-review.googlesource.com/621923 UPSTREAM: OpenSSL: Pull in header files to check function prototypes
https://chromium-review.googlesource.com/621924 UPSTREAM: OpenSSL: Update to match the modified DH_get0_key() API
https://chromium-review.googlesource.com/621925 UPSTREAM: OpenSSL: Fix OpenSSL 1.1.0 DH operation
https://chromium-review.googlesource.com/621926 UPSTREAM: OpenSSL: Fix OpenSSL 1.1.0 compatibility functions
,
Aug 18 2017
@#4: I agree that an uprev might be a better choice in the long run, but it seems non-trivial given the 138 local patches we've accumulated on top of hostap_2_5. The CLs in #5 all applied cleanly on cros/master, and the result builds with both openssl versions, so that's what I've done for now. Feel free to perform the uprev if you'd like; these CLs would then just fall out.
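
The backport approach discussed in the comments above (a path-limited log over the release range, cherry-picks applied oldest first, each recording the upstream hash), as an added example that is not part of the original thread or the project's tooling. It runs against a throwaway repository it builds itself; the tag names old_release/new_release, the branch name fork and all function names are assumptions standing in for hostap_2_5/hostap_2_6 and the forked tree.

```shell
# Added example: a throwaway repository built in a temp directory. The tags
# old_release/new_release are constructed stand-ins for hostap_2_5/hostap_2_6.
set -eu

# Identity for the throwaway commits (constructed values).
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid

# commit_file <path> <line> <subject>: append one line to a file and commit it.
commit_file() {
    mkdir -p "$(dirname "$1")"
    printf '%s\n' "$2" >> "$1"
    git add -- "$1"
    git commit -q -m "$3"
}

# build_demo_repo <dir>: upstream history between two tags, plus a "fork"
# branch that carries one local patch on top of the older tag.
build_demo_repo() {
    git init -q "$1"
    cd "$1"
    commit_file src/crypto/crypto_openssl.c 'base crypto' 'base: crypto'
    commit_file src/crypto/tls_openssl.c 'base tls' 'base: tls'
    commit_file wpa_supplicant/events.c 'base events' 'base: events'
    git tag old_release
    git branch fork
    commit_file src/crypto/tls_openssl.c 'fix A' 'OpenSSL: change A'
    commit_file wpa_supplicant/events.c 'unrelated' 'events: unrelated change'
    commit_file src/crypto/crypto_openssl.c 'fix B' 'OpenSSL: change B'
    git tag new_release
    git checkout -q fork
    commit_file wpa_supplicant/local.c 'local' 'CHROMIUM: local patch'
}

# upstream_commits <old> <new> <path>...: full hashes of the commits in
# old..new that touch any of the paths, oldest first (the order to apply in).
# A selected commit is picked whole, including any other files it modifies.
upstream_commits() {
    old=$1; new=$2; shift 2
    git log --reverse --format=%H "$old..$new" -- "$@"
}

# backport <old> <new> <path>...: cherry-pick each selected commit with -x so
# its message gains "(cherry picked from commit <hash>)". With set -e the loop
# stops at the first commit that does not apply cleanly.
backport() {
    for c in $(upstream_commits "$@"); do
        git cherry-pick -x "$c" >/dev/null
    done
}

# missing_backports <old> <new> <path>...: upstream hashes that no commit on
# the current branch since <old> names in a cherry-pick trailer. No output
# means every selected upstream change is accounted for.
missing_backports() {
    picked=$(git log --format=%B "$1..HEAD" |
        sed -n 's/^(cherry picked from commit \([0-9a-f]*\))$/\1/p')
    for c in $(upstream_commits "$@"); do
        printf '%s\n' "$picked" | grep -qxF -- "$c" || echo "$c"
    done
}

demo_dir=$(mktemp -d)
build_demo_repo "$demo_dir"
paths="src/crypto/crypto_openssl.c src/crypto/tls_openssl.c"

before=$(missing_backports old_release new_release $paths | wc -l | tr -d ' ')
backport old_release new_release $paths
after=$(missing_backports old_release new_release $paths | wc -l | tr -d ' ')

echo "upstream changes not yet in fork: before=$before after=$after"
git log --format='%h %s' old_release..HEAD
```

The audit step only proves that each upstream hash is named in a trailer on the fork; it does not compare the resulting file contents with upstream.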
,
Aug 18 2017
,
Sep 5 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/hostap/+/f89ed579493539d1af208e89e0e0711646ae3be8

commit f89ed579493539d1af208e89e0e0711646ae3be8
Author: Adam Langley <agl@google.com>
Date: Tue Sep 05 23:04:23 2017

UPSTREAM: Android: Fix keystore-backed keys with BoringSSL

The switch to BoringSSL broke keystore-backed keys because wpa_supplicant was using the dynamic ENGINE loading to load the keystore module. The ENGINE-like functionality in BoringSSL is much simpler and this change should enable it.

Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
(cherry picked from commit aeeb0bca712c5063c78c5294a4a669d975f35fa4)
Signed-off-by: Daniel Kurtz <djkurtz@chromium.org>

BUG=chromium:740096
TEST=w/ openssl-1.0.2k: emerge-{samus,hana} wpa_supplicant
TEST=w/ openssl-1.1.0f: emerge-{samus,hana} wpa_supplicant
=> All build ok when all patches in series applied.
TEST=On wificell DUT suite:wifi_matfunc

Change-Id: I5b6ec48eeaa12078b4840ba2ecb88530136cfec6
Reviewed-on: https://chromium-review.googlesource.com/621370
Commit-Ready: Kirtika Ruchandani <kirtika@chromium.org>
Tested-by: Kirtika Ruchandani <kirtika@chromium.org>
Reviewed-by: Kirtika Ruchandani <kirtika@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/f89ed579493539d1af208e89e0e0711646ae3be8/wpa_supplicant/Android.mk
[modify] https://crrev.com/f89ed579493539d1af208e89e0e0711646ae3be8/src/crypto/tls_openssl.c
,
Sep 5 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/hostap/+/5e70e3844953b094298d3f9f1e23e27f2e4c16a2

commit 5e70e3844953b094298d3f9f1e23e27f2e4c16a2
Author: Jouni Malinen <jouni@qca.qualcomm.com>
Date: Tue Sep 05 23:04:24 2017

UPSTREAM: BoringSSL: Implement support for OCSP stapling

BoringSSL has removed the OpenSSL OCSP implementation (OCSP_*() functions) and instead, provides only a minimal mechanism for including the status request extension and fetching the response from the server. As such, the previous OpenSSL-based implementation for OCSP stapling is not usable with BoringSSL.

Add a new implementation that uses BoringSSL to request and fetch the OCSP stapling response and then parse and validate this with the new implementation within wpa_supplicant. While this may not have identical behavior with the OpenSSL-based implementation, this should be a good starting point for being able to use OCSP stapling with BoringSSL.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
(cherry picked from commit bdee6ca0e0fb66c472a6dacb1415898fc54b7f35)
Signed-off-by: Daniel Kurtz <djkurtz@chromium.org>

BUG=chromium:740096
TEST=w/ openssl-1.0.2k: emerge-{samus,hana} wpa_supplicant
TEST=w/ openssl-1.1.0f: emerge-{samus,hana} wpa_supplicant
=> All build ok when all patches in series applied.
TEST=On wificell DUT suite:wifi_matfunc

Change-Id: I8b885d94bacf997fbd42afc4e8719e25edd8447a
Reviewed-on: https://chromium-review.googlesource.com/621371
Commit-Ready: Kirtika Ruchandani <kirtika@chromium.org>
Tested-by: Kirtika Ruchandani <kirtika@chromium.org>
Reviewed-by: Kirtika Ruchandani <kirtika@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/5e70e3844953b094298d3f9f1e23e27f2e4c16a2/src/crypto/tls_openssl.c
,
Sep 5 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/hostap/+/68fc14539feeec686ecb784d4cad6a949b61948e

commit 68fc14539feeec686ecb784d4cad6a949b61948e
Author: Marek Behún <kabel@blackhole.sk>
Date: Tue Sep 05 23:04:24 2017

UPSTREAM: Check for LIBRESSL_VERSION_NUMBER in tls_openssl.c

LibreSSL does not yet support the new API, so do not use it when LIBRESSL_VERSION_NUMBER macro is defined.

Signed-off-by: Marek Behun <kabel@blackhole.sk>
(cherry picked from commit 36e820605f113b4a02f2033d6c7a69bc5e707a03)
Signed-off-by: Daniel Kurtz <djkurtz@chromium.org>

BUG=chromium:740096
TEST=w/ openssl-1.0.2k: emerge-{samus,hana} wpa_supplicant
TEST=w/ openssl-1.1.0f: emerge-{samus,hana} wpa_supplicant
=> All build ok when all patches in series applied.
TEST=On wificell DUT suite:wifi_matfunc

Change-Id: Ibd252605d0659a3832e88c1e2f41beeb53d6f70b
Reviewed-on: https://chromium-review.googlesource.com/621372
Commit-Ready: Kirtika Ruchandani <kirtika@chromium.org>
Tested-by: Kirtika Ruchandani <kirtika@chromium.org>
Reviewed-by: Kirtika Ruchandani <kirtika@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/68fc14539feeec686ecb784d4cad6a949b61948e/src/crypto/tls_openssl.c
,
Sep 5 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/hostap/+/7303cda18b8c161dfeae0bf3d9290c36bfecd466

commit 7303cda18b8c161dfeae0bf3d9290c36bfecd466
Author: Jouni Malinen <j@w1.fi>
Date: Tue Sep 05 23:04:24 2017

UPSTREAM: OpenSSL: Fix build with current OpenSSL master branch snapshot

OpenSSL 1.1.x will apparently go out with "SSLeay" renamed in the API to "OpenSSL", which broke the build here for fetching the version of the running OpenSSL library when wpa_supplicant/hostapd is built against the current OpenSSL snapshot.

Signed-off-by: Jouni Malinen <j@w1.fi>
(cherry picked from commit b34c623c074c8eb315667320b041b4744754795f)
Signed-off-by: Daniel Kurtz <djkurtz@chromium.org>

BUG=chromium:740096
TEST=w/ openssl-1.0.2k: emerge-{samus,hana} wpa_supplicant
TEST=w/ openssl-1.1.0f: emerge-{samus,hana} wpa_supplicant
=> All build ok when all patches in series applied.
TEST=On wificell DUT suite:wifi_matfunc

Change-Id: I11e4748773ec6af6bdfd38c58c1eb08e942f3fbf
Reviewed-on: https://chromium-review.googlesource.com/621373
Commit-Ready: Kirtika Ruchandani <kirtika@chromium.org>
Tested-by: Kirtika Ruchandani <kirtika@chromium.org>
Reviewed-by: Kirtika Ruchandani <kirtika@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/7303cda18b8c161dfeae0bf3d9290c36bfecd466/src/crypto/tls_openssl.c
,
Sep 5 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/hostap/+/768c161db3fd57c0d7c37c33fabc7ca330d41228

commit 768c161db3fd57c0d7c37c33fabc7ca330d41228
Author: Jouni Malinen <jouni@qca.qualcomm.com>
Date: Tue Sep 05 23:04:24 2017

UPSTREAM: BoringSSL: Move OCSP implementation into a separate file

This makes it easier to share the OCSP implementation needed for BoringSSL outside tls_openssl.c. For now, this is mainly for http_curl.c.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
(cherry picked from commit 213e158ca8d466c5bf1403eec83b9af56cf28dff)
Signed-off-by: Daniel Kurtz <djkurtz@chromium.org>

BUG=chromium:740096
TEST=w/ openssl-1.0.2k: emerge-{samus,hana} wpa_supplicant
TEST=w/ openssl-1.1.0f: emerge-{samus,hana} wpa_supplicant
=> All build ok when all patches in series applied.
TEST=On wificell DUT suite:wifi_matfunc

Change-Id: I2fc6932576f46a4659ac1be2207962e0f4de9550
Reviewed-on: https://chromium-review.googlesource.com/621374
Commit-Ready: Kirtika Ruchandani <kirtika@chromium.org>
Tested-by: Kirtika Ruchandani <kirtika@chromium.org>
Reviewed-by: Kirtika Ruchandani <kirtika@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/768c161db3fd57c0d7c37c33fabc7ca330d41228/src/crypto/tls_openssl.c
[add] https://crrev.com/768c161db3fd57c0d7c37c33fabc7ca330d41228/src/crypto/tls_openssl.h
[modify] https://crrev.com/768c161db3fd57c0d7c37c33fabc7ca330d41228/hostapd/Makefile
[modify] https://crrev.com/768c161db3fd57c0d7c37c33fabc7ca330d41228/wpa_supplicant/Makefile
[add] https://crrev.com/768c161db3fd57c0d7c37c33fabc7ca330d41228/src/crypto/tls_openssl_ocsp.c
[modify] https://crrev.com/768c161db3fd57c0d7c37c33fabc7ca330d41228/wpa_supplicant/Android.mk
[modify] https://crrev.com/768c161db3fd57c0d7c37c33fabc7ca330d41228/hostapd/Android.mk
,
Sep 5 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/hostap/+/49c1c3c986f13c642b990827e1a77c14cf41faa6

commit 49c1c3c986f13c642b990827e1a77c14cf41faa6
Author: Jouni Malinen <jouni@qca.qualcomm.com>
Date: Tue Sep 05 23:04:25 2017

UPSTREAM: OpenSSL: Support new API for HMAC/EVP_MD_CTX in OpenSSL 1.1.x-pre1

The EVP_MD_CTX and HMAC_CTX definitions are now hidden from applications using OpenSSL. Fix compilation issues with OpenSSL 1.1.x-pre1 by using the new API for allocating these structures.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
(cherry picked from commit 36478a16e622059b71337570e089f932e299358b)
Signed-off-by: Daniel Kurtz <djkurtz@chromium.org>

BUG=chromium:740096
TEST=w/ openssl-1.0.2k: emerge-{samus,hana} wpa_supplicant
TEST=w/ openssl-1.1.0f: emerge-{samus,hana} wpa_supplicant
=> All build ok when all patches in series applied.
TEST=On wificell DUT suite:wifi_matfunc

Change-Id: If592539214958043bd2a4f6c685c6ea833bf42f7
Reviewed-on: https://chromium-review.googlesource.com/621375
Commit-Ready: Kirtika Ruchandani <kirtika@chromium.org>
Tested-by: Kirtika Ruchandani <kirtika@chromium.org>
Reviewed-by: Kirtika Ruchandani <kirtika@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/49c1c3c986f13c642b990827e1a77c14cf41faa6/src/crypto/crypto_openssl.c
,
Sep 6 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/hostap/+/5fe6128aa6f5c5402e277c29abd4dda80ec214ab

commit 5fe6128aa6f5c5402e277c29abd4dda80ec214ab
Author: Jouni Malinen <jouni@qca.qualcomm.com>
Date: Wed Sep 06 19:42:35 2017

UPSTREAM: OpenSSL: Drop support for OpenSSL 0.9.8

The OpenSSL project will not support version 0.9.8 anymore. As there won't be even security fixes for this branch, it is not really safe to continue using 0.9.8 and we might as well drop support for it to allow cleaning up the conditional source code blocks.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
(cherry picked from commit de213e84e0e64472309f656b96b3fd64789f599e)
Signed-off-by: Daniel Kurtz <djkurtz@chromium.org>

BUG=chromium:740096
TEST=w/ openssl-1.0.2k: emerge-{samus,hana} wpa_supplicant
TEST=w/ openssl-1.1.0f: emerge-{samus,hana} wpa_supplicant
=> All build ok when all patches in series applied.
TEST=On wificell DUT suite:wifi_matfunc

Change-Id: I5308b138812a8be0f5ad0ecdc3475e41c37cd65d
Reviewed-on: https://chromium-review.googlesource.com/621376
Commit-Ready: Daniel Kurtz <djkurtz@chromium.org>
Tested-by: Kirtika Ruchandani <kirtika@chromium.org>
Reviewed-by: Kirtika Ruchandani <kirtika@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/5fe6128aa6f5c5402e277c29abd4dda80ec214ab/src/crypto/tls_openssl.c
[modify] https://crrev.com/5fe6128aa6f5c5402e277c29abd4dda80ec214ab/src/crypto/crypto_openssl.c
,
Sep 6 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/hostap/+/2afb15aef51ac11309d26beaf517e380044ac127

commit 2afb15aef51ac11309d26beaf517e380044ac127
Author: Jouni Malinen <jouni@qca.qualcomm.com>
Date: Wed Sep 06 19:42:35 2017

UPSTREAM: OpenSSL: Drop support for OpenSSL 1.0.0

The OpenSSL project will not support version 1.0.0 anymore. As there won't be even security fixes for this branch, it is not really safe to continue using 1.0.0 and we might as well drop support for it to allow cleaning up the conditional source code blocks.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
(cherry picked from commit 9a42d859a27c10b9f5d589ebdc149143b93ca02d)
Signed-off-by: Daniel Kurtz <djkurtz@chromium.org>

BUG=chromium:740096
TEST=w/ openssl-1.0.2k: emerge-{samus,hana} wpa_supplicant
TEST=w/ openssl-1.1.0f: emerge-{samus,hana} wpa_supplicant
=> All build ok when all patches in series applied.
TEST=On wificell DUT suite:wifi_matfunc

Change-Id: I69185c72040a366945b84160442ab7c01609fe65
Reviewed-on: https://chromium-review.googlesource.com/621377
Commit-Ready: Daniel Kurtz <djkurtz@chromium.org>
Tested-by: Kirtika Ruchandani <kirtika@chromium.org>
Reviewed-by: Kirtika Ruchandani <kirtika@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/2afb15aef51ac11309d26beaf517e380044ac127/src/crypto/tls_openssl.c
,
Sep 6 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/hostap/+/b0c3f6291f6fe85750e3c682f354560c3c13c07a

commit b0c3f6291f6fe85750e3c682f354560c3c13c07a
Author: Jouni Malinen <jouni@qca.qualcomm.com>
Date: Wed Sep 06 19:42:35 2017

UPSTREAM: OpenSSL: Clean up function to fetch client/server random

SSL_get_client_random() and SSL_get_server_random() will be added in OpenSSL 1.1.0. Provide compatibility wrappers for older versions to simplify the tls_connection_get_random() implementation.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
(cherry picked from commit dea20519aaebc079d4b654880c8fd09a08e39471)
Signed-off-by: Daniel Kurtz <djkurtz@chromium.org>

BUG=chromium:740096
TEST=w/ openssl-1.0.2k: emerge-{samus,hana} wpa_supplicant
TEST=w/ openssl-1.1.0f: emerge-{samus,hana} wpa_supplicant
=> All build ok when all patches in series applied.
TEST=On wificell DUT suite:wifi_matfunc

Change-Id: Ief67dfb605c725872429cde97717344d6e88afb9
Reviewed-on: https://chromium-review.googlesource.com/621378
Commit-Ready: Daniel Kurtz <djkurtz@chromium.org>
Tested-by: Kirtika Ruchandani <kirtika@chromium.org>
Reviewed-by: Kirtika Ruchandani <kirtika@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/b0c3f6291f6fe85750e3c682f354560c3c13c07a/src/crypto/tls_openssl.c
,
Sep 6 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/hostap/+/79cc4215ea874d68584dc1a7fefe9e3ebd8c6821

commit 79cc4215ea874d68584dc1a7fefe9e3ebd8c6821
Author: Jouni Malinen <jouni@qca.qualcomm.com>
Date: Wed Sep 06 19:42:35 2017

UPSTREAM: OpenSSL: Share a single openssl_tls_prf() implementation

Add SSL_SESSION_get_master_key() compatibility wrapper for older OpenSSL versions to be able to use the new openssl_tls_prf() implementation for OpenSSL 1.1.0 with all supported versions.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
(cherry picked from commit 1ebb24bbfbdc05bc94487f6636e80072f78b5015)
Signed-off-by: Daniel Kurtz <djkurtz@chromium.org>

BUG=chromium:740096
TEST=w/ openssl-1.0.2k: emerge-{samus,hana} wpa_supplicant
TEST=w/ openssl-1.1.0f: emerge-{samus,hana} wpa_supplicant
=> All build ok when all patches in series applied.
TEST=On wificell DUT suite:wifi_matfunc

Change-Id: I1bdd042efe7442812b92f6cad7da97782659aa1f
Reviewed-on: https://chromium-review.googlesource.com/621379
Commit-Ready: Daniel Kurtz <djkurtz@chromium.org>
Tested-by: Kirtika Ruchandani <kirtika@chromium.org>
Reviewed-by: Kirtika Ruchandani <kirtika@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/79cc4215ea874d68584dc1a7fefe9e3ebd8c6821/src/crypto/tls_openssl.c
,
Sep 6 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/hostap/+/5ad0f89aa55abe65ba4b0f7d379a576ba29702d6

commit 5ad0f89aa55abe65ba4b0f7d379a576ba29702d6
Author: Jouni Malinen <jouni@qca.qualcomm.com>
Date: Wed Sep 06 19:42:36 2017

UPSTREAM: OpenSSL: Fix client certificate chain building after PKCS#12 use

If wpa_supplicant was first configured with PKCS #12 -based client certificate chain and then used with another network profile that used a different certificate chain from a X.509 certificate PEM file instead of PKCS#12, the extra certificate chain was not reconstructed properly with older versions of OpenSSL than 1.0.2. This could result in the authentication failing due to the client certificate chain not being complete or including incorrect certificates.

Fix this by clearing the extra certificate chain when setting up a new TLS connection with OpenSSL 1.0.1. This allows OpenSSL to build the chain using the default mechanism in case the new TLS exchange does not use PKCS#12.

The following hwsim test case sequence was able to find the issue:
ap_wpa2_eap_tls_pkcs12 ap_wpa2_eap_tls_intermediate_ca_ocsp

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
(cherry picked from commit 21cb63fffd1e766c8b989125394ed0bfb05e5a4b)
Signed-off-by: Daniel Kurtz <djkurtz@chromium.org>

BUG=chromium:740096
TEST=w/ openssl-1.0.2k: emerge-{samus,hana} wpa_supplicant
TEST=w/ openssl-1.1.0f: emerge-{samus,hana} wpa_supplicant
=> All build ok when all patches in series applied.
TEST=On wificell DUT suite:wifi_matfunc

Change-Id: I08a32a22c6c23fef5244841b991d322da5b77457
Reviewed-on: https://chromium-review.googlesource.com/621380
Commit-Ready: Daniel Kurtz <djkurtz@chromium.org>
Tested-by: Kirtika Ruchandani <kirtika@chromium.org>
Reviewed-by: Kirtika Ruchandani <kirtika@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/5ad0f89aa55abe65ba4b0f7d379a576ba29702d6/src/crypto/tls_openssl.c
,
Sep 6 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/hostap/+/2a1bac36e0d1cf6f9d7aad5813b97703d1293438

commit 2a1bac36e0d1cf6f9d7aad5813b97703d1293438
Author: Jouni Malinen <jouni@qca.qualcomm.com>
Date: Wed Sep 06 19:42:36 2017

UPSTREAM: OpenSSL: Update session_secret callback to match OpenSSL 1.1.0 API

The SSL_CIPHER **cipher argument was marked const in OpenSSL 1.1.0 pre-release 2 similarly to how this is in BoringSSL. Fix build with that in preparation for supporting OpenSSL 1.1.0.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
(cherry picked from commit 3fb3bea8e9cc491cb92201567f112bba221e32a3)
Signed-off-by: Daniel Kurtz <djkurtz@chromium.org>

BUG=chromium:740096
TEST=w/ openssl-1.0.2k: emerge-{samus,hana} wpa_supplicant
TEST=w/ openssl-1.1.0f: emerge-{samus,hana} wpa_supplicant
=> All build ok when all patches in series applied.
TEST=On wificell DUT suite:wifi_matfunc

Change-Id: I200de5ee9de54c61bf0d50c686ab14fab700c801
Reviewed-on: https://chromium-review.googlesource.com/621381
Commit-Ready: Daniel Kurtz <djkurtz@chromium.org>
Tested-by: Kirtika Ruchandani <kirtika@chromium.org>
Reviewed-by: Kirtika Ruchandani <kirtika@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/2a1bac36e0d1cf6f9d7aad5813b97703d1293438/src/crypto/tls_openssl.c
,
Sep 6 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/hostap/+/d5e3f3b28341afa560d02b9ff82615092bd806ba

commit d5e3f3b28341afa560d02b9ff82615092bd806ba
Author: Jouni Malinen <j@w1.fi>
Date: Wed Sep 06 19:42:36 2017

UPSTREAM: OpenSSL: Add TEST_FAIL() checks to allow error path testing

This makes it easier to test various error paths related to key derivation and authentication steps.

Signed-off-by: Jouni Malinen <j@w1.fi>
(cherry picked from commit 8fd1d6236dad98442e5f4805175477bae6bb3c08)
Signed-off-by: Daniel Kurtz <djkurtz@chromium.org>

BUG=chromium:740096
TEST=w/ openssl-1.0.2k: emerge-{samus,hana} wpa_supplicant
TEST=w/ openssl-1.1.0f: emerge-{samus,hana} wpa_supplicant
=> All build ok when all patches in series applied.
TEST=On wificell DUT suite:wifi_matfunc

Change-Id: I4f0d0e2a43d8985ffd0c0955b83743ed123309fb
Reviewed-on: https://chromium-review.googlesource.com/621382
Commit-Ready: Daniel Kurtz <djkurtz@chromium.org>
Tested-by: Kirtika Ruchandani <kirtika@chromium.org>
Reviewed-by: Kirtika Ruchandani <kirtika@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/d5e3f3b28341afa560d02b9ff82615092bd806ba/src/crypto/crypto_openssl.c
,
Sep 6 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/hostap/+/b5d4c652e91cb6fef2e2063ed3f09440a1c073f5

commit b5d4c652e91cb6fef2e2063ed3f09440a1c073f5
Author: Jouni Malinen <j@w1.fi>
Date: Wed Sep 06 19:42:36 2017

UPSTREAM: tests: Add TEST_FAIL() condition to omac1_aes_vector()

This enables more error path testing.

Signed-off-by: Jouni Malinen <j@w1.fi>
(cherry picked from commit cc4f3d6ea781af9129c2a662c249355557cf0ec1)
Signed-off-by: Daniel Kurtz <djkurtz@chromium.org>

BUG=chromium:740096
TEST=w/ openssl-1.0.2k: emerge-{samus,hana} wpa_supplicant
TEST=w/ openssl-1.1.0f: emerge-{samus,hana} wpa_supplicant
=> All build ok when all patches in series applied.
TEST=On wificell DUT suite:wifi_matfunc

Change-Id: I2de377b72b5aeca449c324fcb97b6dd93adcb702
Reviewed-on: https://chromium-review.googlesource.com/621383
Commit-Ready: Daniel Kurtz <djkurtz@chromium.org>
Tested-by: Kirtika Ruchandani <kirtika@chromium.org>
Reviewed-by: Kirtika Ruchandani <kirtika@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/b5d4c652e91cb6fef2e2063ed3f09440a1c073f5/src/crypto/crypto_openssl.c
[modify] https://crrev.com/b5d4c652e91cb6fef2e2063ed3f09440a1c073f5/src/crypto/aes-omac1.c
,
Sep 6 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/hostap/+/ab402510653b5cc260f77db72f85081dda9325e3

commit ab402510653b5cc260f77db72f85081dda9325e3
Author: Jouni Malinen <j@w1.fi>
Date: Wed Sep 06 19:42:37 2017

UPSTREAM: Add TEST_FAIL() condition to aes_128_cbc_encrypt/decrypt()

This enables more error path testing.

Signed-off-by: Jouni Malinen <j@w1.fi>
(cherry picked from commit 11c9ddb7663c39a5810496656a9cbc5e2a36f66b)
Signed-off-by: Daniel Kurtz <djkurtz@chromium.org>

BUG=chromium:740096
TEST=w/ openssl-1.0.2k: emerge-{samus,hana} wpa_supplicant
TEST=w/ openssl-1.1.0f: emerge-{samus,hana} wpa_supplicant
=> All build ok when all patches in series applied.
TEST=On wificell DUT suite:wifi_matfunc

Change-Id: I2fba96ce254151a4b392e18404467b449c15094b
Reviewed-on: https://chromium-review.googlesource.com/621384
Commit-Ready: Daniel Kurtz <djkurtz@chromium.org>
Tested-by: Kirtika Ruchandani <kirtika@chromium.org>
Reviewed-by: Kirtika Ruchandani <kirtika@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/ab402510653b5cc260f77db72f85081dda9325e3/src/crypto/aes-cbc.c
[modify] https://crrev.com/ab402510653b5cc260f77db72f85081dda9325e3/src/crypto/crypto_openssl.c
,
Sep 6 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/hostap/+/6773e1203ef70d02f9de08ee9dc738609fa143eb

commit 6773e1203ef70d02f9de08ee9dc738609fa143eb
Author: Jouni Malinen <jouni@qca.qualcomm.com>
Date: Wed Sep 06 19:42:37 2017

UPSTREAM: OpenSSL: Use EVP_CIPHER_CTX_new() to work with OpenSSL 1.1.0

The EVP_CIPHER_CTX structure will be made opaque in OpenSSL 1.1.0, so need to use EVP_CIPHER_CTX_new() with it instead of stack memory. The design here moves the older OpenSSL versions to use that dynamic allocation design as well to minimize maintenance effort.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
(cherry picked from commit 1eb87ae48d829b77e805de9ba71f958b53930c88)
Signed-off-by: Daniel Kurtz <djkurtz@chromium.org>

BUG=chromium:740096
TEST=w/ openssl-1.0.2k: emerge-{samus,hana} wpa_supplicant
TEST=w/ openssl-1.1.0f: emerge-{samus,hana} wpa_supplicant
=> All build ok when all patches in series applied.
TEST=On wificell DUT suite:wifi_matfunc

Change-Id: I69ebbe97335c62890dc16dd62557291d7582509a
Reviewed-on: https://chromium-review.googlesource.com/621385
Commit-Ready: Daniel Kurtz <djkurtz@chromium.org>
Tested-by: Kirtika Ruchandani <kirtika@chromium.org>
Reviewed-by: Kirtika Ruchandani <kirtika@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/6773e1203ef70d02f9de08ee9dc738609fa143eb/src/crypto/crypto_openssl.c
,
Sep 6 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/hostap/+/7ddece50fd6b2233d478187da4df2743601b6fab commit 7ddece50fd6b2233d478187da4df2743601b6fab Author: Jouni Malinen <jouni@qca.qualcomm.com> Date: Wed Sep 06 19:42:37 2017 UPSTREAM: tests: aes_encrypt_init() and aes_decrypt_init() to use TEST_FAIL Now that these functions cannot be made to fail by forcing the memory allocation to fail since the OpenSSL-internal version is used, add TEST_FAIL check to allow OOM test cases to be converted to use the TEST_FAIL mechanism without reducing coverage. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com> (cherry picked from commit 465196ebd281eb8466a0a93efc48c508aba296a4) Signed-off-by: Daniel Kurtz <djkurtz@chromium.org> BUG=chromium:740096 TEST=w/ openssl-1.0.2k: emerge-{samus,hana} wpa_supplicant TEST=w/ openssl-1.1.0f: emerge-{samus,hana} wpa_supplicant => All build ok when all patches in series applied. TEST=On wificell DUT suite:wifi_matfunc Change-Id: I9c16261d509fbd95b1e189961e794d5133524ed1 Reviewed-on: https://chromium-review.googlesource.com/621906 Commit-Ready: Daniel Kurtz <djkurtz@chromium.org> Tested-by: Kirtika Ruchandani <kirtika@chromium.org> Reviewed-by: Kirtika Ruchandani <kirtika@chromium.org> Reviewed-by: Mike Frysinger <vapier@chromium.org> [modify] https://crrev.com/7ddece50fd6b2233d478187da4df2743601b6fab/src/crypto/crypto_openssl.c
,
Sep 6 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/hostap/+/43b04ec37fe1bbe72805047c1b174ef80f7a5218 commit 43b04ec37fe1bbe72805047c1b174ef80f7a5218 Author: Jouni Malinen <jouni@qca.qualcomm.com> Date: Wed Sep 06 19:42:37 2017 UPSTREAM: LibreSSL: Fix build with LibreSSL The changes needed for OpenSSL 1.1.0 had broken this since LibreSSL is defining OPENSSL_VERSION_NUMBER in a manner that claims it to be newer than the current OpenSSL version even though it does not support the current OpenSSL API. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com> (cherry picked from commit 587b0457e0238b7b1800d46f5cdd5e1d2b06732f) Signed-off-by: Daniel Kurtz <djkurtz@chromium.org> BUG=chromium:740096 TEST=w/ openssl-1.0.2k: emerge-{samus,hana} wpa_supplicant TEST=w/ openssl-1.1.0f: emerge-{samus,hana} wpa_supplicant => All build ok when all patches in series applied. TEST=On wificell DUT suite:wifi_matfunc Change-Id: I50140b33009069ce35fd2ac41b0485db9f12ef35 Reviewed-on: https://chromium-review.googlesource.com/621907 Commit-Ready: Daniel Kurtz <djkurtz@chromium.org> Tested-by: Kirtika Ruchandani <kirtika@chromium.org> Reviewed-by: Kirtika Ruchandani <kirtika@chromium.org> Reviewed-by: Mike Frysinger <vapier@chromium.org> [modify] https://crrev.com/43b04ec37fe1bbe72805047c1b174ef80f7a5218/src/crypto/tls_openssl.c [modify] https://crrev.com/43b04ec37fe1bbe72805047c1b174ef80f7a5218/src/crypto/crypto_openssl.c
,
Sep 6 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/hostap/+/0500fe1a34469cf33327dbfbca9241f5a70792b1 commit 0500fe1a34469cf33327dbfbca9241f5a70792b1 Author: Jouni Malinen <jouni@qca.qualcomm.com> Date: Wed Sep 06 19:42:38 2017 UPSTREAM: OpenSSL: Clean up crypto_hash_*() to use a single implementation Use compatibility wrapper functions to allow a single implementation based on the latest OpenSSL API to be used to implement these functions instead of having to maintain two conditional implementations based on the library version. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com> (cherry picked from commit 5c9a33702fd9e9ae9c349d6461a6621801d4f9cb) Signed-off-by: Daniel Kurtz <djkurtz@chromium.org> BUG=chromium:740096 TEST=w/ openssl-1.0.2k: emerge-{samus,hana} wpa_supplicant TEST=w/ openssl-1.1.0f: emerge-{samus,hana} wpa_supplicant => All build ok when all patches in series applied. TEST=On wificell DUT suite:wifi_matfunc Change-Id: I8ac88bf78aee6b86208069c6ec523b2f62a04cb3 Reviewed-on: https://chromium-review.googlesource.com/621908 Commit-Ready: Daniel Kurtz <djkurtz@chromium.org> Tested-by: Kirtika Ruchandani <kirtika@chromium.org> Reviewed-by: Kirtika Ruchandani <kirtika@chromium.org> Reviewed-by: Mike Frysinger <vapier@chromium.org> [modify] https://crrev.com/0500fe1a34469cf33327dbfbca9241f5a70792b1/src/crypto/crypto_openssl.c
,
Sep 6 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/hostap/+/0e3db2715c6af549e134c7031c8f720b5e0b00ac commit 0e3db2715c6af549e134c7031c8f720b5e0b00ac Author: Jouni Malinen <jouni@qca.qualcomm.com> Date: Wed Sep 06 19:42:38 2017 UPSTREAM: OpenSSL: Clean up openssl_digest_vector() to use a single implementation Use compatibility wrapper functions to allow a single implementation based on the latest OpenSSL API to be used to implement these functions instead of having to maintain two conditional implementations based on the library version. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com> (cherry picked from commit ac2053b1032a4413e77de11ac94fe747f1415b93) Signed-off-by: Daniel Kurtz <djkurtz@chromium.org> BUG=chromium:740096 TEST=w/ openssl-1.0.2k: emerge-{samus,hana} wpa_supplicant TEST=w/ openssl-1.1.0f: emerge-{samus,hana} wpa_supplicant => All build ok when all patches in series applied. TEST=On wificell DUT suite:wifi_matfunc Change-Id: I4f283a67fb9d9a222eac392701b80d9f3125e060 Reviewed-on: https://chromium-review.googlesource.com/621909 Commit-Ready: Daniel Kurtz <djkurtz@chromium.org> Tested-by: Kirtika Ruchandani <kirtika@chromium.org> Reviewed-by: Kirtika Ruchandani <kirtika@chromium.org> Reviewed-by: Mike Frysinger <vapier@chromium.org> [modify] https://crrev.com/0e3db2715c6af549e134c7031c8f720b5e0b00ac/src/crypto/crypto_openssl.c
,
Sep 6 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/hostap/+/0961c5a783799ec44c09240dcd591caedb563796 commit 0961c5a783799ec44c09240dcd591caedb563796 Author: Ayala Beker <ayala.beker@intel.com> Date: Wed Sep 06 19:42:38 2017 UPSTREAM: OpenSSL: Fix server side PKCS#12 processing with extra certificates Fix a possible null pointer dereference in tls_parse_pkcs12() when loading a PKCS#12 file for the server keys and the file includes extra certificates. Signed-off-by: Ayala Beker <ayala.beker@intel.com> (cherry picked from commit dda091cf5159e7614259c2ccb2c017c01acc5522) Signed-off-by: Daniel Kurtz <djkurtz@chromium.org> BUG=chromium:740096 TEST=w/ openssl-1.0.2k: emerge-{samus,hana} wpa_supplicant TEST=w/ openssl-1.1.0f: emerge-{samus,hana} wpa_supplicant => All build ok when all patches in series applied. TEST=On wificell DUT suite:wifi_matfunc Change-Id: I7024d9c1468f9d4f3a26328fe25a25186931964f Reviewed-on: https://chromium-review.googlesource.com/621910 Commit-Ready: Daniel Kurtz <djkurtz@chromium.org> Tested-by: Kirtika Ruchandani <kirtika@chromium.org> Reviewed-by: Kirtika Ruchandani <kirtika@chromium.org> Reviewed-by: Mike Frysinger <vapier@chromium.org> [modify] https://crrev.com/0961c5a783799ec44c09240dcd591caedb563796/src/crypto/tls_openssl.c
,
Sep 6 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/hostap/+/5588c2ef6a2724a75a817a4f9c39d378551a1234 commit 5588c2ef6a2724a75a817a4f9c39d378551a1234 Author: Jouni Malinen <jouni@qca.qualcomm.com> Date: Wed Sep 06 19:42:38 2017 UPSTREAM: OpenSSL: Fix memory leak on error path If SSL_CTX_new(SSLv23_method()) fails, tls_init() error path did not free the allocated struct tls_data instance. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com> (cherry picked from commit 1f1e599b3bfb667f05a859afb723984cd7d4a04a) Signed-off-by: Daniel Kurtz <djkurtz@chromium.org> BUG=chromium:740096 TEST=w/ openssl-1.0.2k: emerge-{samus,hana} wpa_supplicant TEST=w/ openssl-1.1.0f: emerge-{samus,hana} wpa_supplicant => All build ok when all patches in series applied. TEST=On wificell DUT suite:wifi_matfunc Change-Id: I2238338e0ea11d7071617cd57b959d21cbcb1992 Reviewed-on: https://chromium-review.googlesource.com/621911 Commit-Ready: Daniel Kurtz <djkurtz@chromium.org> Tested-by: Kirtika Ruchandani <kirtika@chromium.org> Reviewed-by: Kirtika Ruchandani <kirtika@chromium.org> Reviewed-by: Mike Frysinger <vapier@chromium.org> [modify] https://crrev.com/5588c2ef6a2724a75a817a4f9c39d378551a1234/src/crypto/tls_openssl.c
,
Sep 6 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/hostap/+/1240f519629893f250f5301de720c94ce8a1e612 commit 1240f519629893f250f5301de720c94ce8a1e612 Author: Jouni Malinen <jouni@qca.qualcomm.com> Date: Wed Sep 06 19:42:39 2017 UPSTREAM: OpenSSL: Fix memory leak with EVP_CIPHER_CTX_new() Commit 1eb87ae48d829b77e805de9ba71f958b53930c88 ('OpenSSL: Use EVP_CIPHER_CTX_new() to work with OpenSSL 1.1.0') started using EVP_CIPHER_CTX_new() to allocate EVP_CIPHER_CTX from heap instead of using stack memory. This commit used the incorrect EVP_CIPHER_CTX_reset() function in a number of cases when the allocated memory was supposed to be freed instead of just reset for reuse. Fix this by using EVP_CIPHER_CTX_free() properly. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com> (cherry picked from commit 6014890bfb54011217cce97f66d48d27575f74e6) Signed-off-by: Daniel Kurtz <djkurtz@chromium.org> BUG=chromium:740096 TEST=w/ openssl-1.0.2k: emerge-{samus,hana} wpa_supplicant TEST=w/ openssl-1.1.0f: emerge-{samus,hana} wpa_supplicant => All build ok when all patches in series applied. TEST=On wificell DUT suite:wifi_matfunc Change-Id: Ic89a3fe3d5b10a4ca1c31cbd480d4ab8f4688eea Reviewed-on: https://chromium-review.googlesource.com/621912 Commit-Ready: Daniel Kurtz <djkurtz@chromium.org> Tested-by: Kirtika Ruchandani <kirtika@chromium.org> Reviewed-by: Kirtika Ruchandani <kirtika@chromium.org> Reviewed-by: Mike Frysinger <vapier@chromium.org> [modify] https://crrev.com/1240f519629893f250f5301de720c94ce8a1e612/src/crypto/crypto_openssl.c
,
Sep 6 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/hostap/+/5e7de1dcc5b742a4e395d590927e0ddb2463d6e9 commit 5e7de1dcc5b742a4e395d590927e0ddb2463d6e9 Author: Jouni Malinen <jouni@qca.qualcomm.com> Date: Wed Sep 06 19:42:39 2017 UPSTREAM: OpenSSL: Fix memory leak in subjectAltName parsing The parsed data from X509_get_ext_d2i() needs to be freed. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com> (cherry picked from commit 0f09637001c81deef7c1a6d3752c965fcf3fbc60) Signed-off-by: Daniel Kurtz <djkurtz@chromium.org> BUG=chromium:740096 TEST=w/ openssl-1.0.2k: emerge-{samus,hana} wpa_supplicant TEST=w/ openssl-1.1.0f: emerge-{samus,hana} wpa_supplicant => All build ok when all patches in series applied. TEST=On wificell DUT suite:wifi_matfunc Change-Id: Ie191fcb53f2edb8026a63295df8c92913883b5d1 Reviewed-on: https://chromium-review.googlesource.com/621913 Commit-Ready: Daniel Kurtz <djkurtz@chromium.org> Tested-by: Kirtika Ruchandani <kirtika@chromium.org> Reviewed-by: Kirtika Ruchandani <kirtika@chromium.org> Reviewed-by: Mike Frysinger <vapier@chromium.org> [modify] https://crrev.com/5e7de1dcc5b742a4e395d590927e0ddb2463d6e9/src/crypto/tls_openssl.c
,
Sep 6 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/hostap/+/09f396a2010963c5186413304d58bf2095dd71f7 commit 09f396a2010963c5186413304d58bf2095dd71f7 Author: Jouni Malinen <jouni@qca.qualcomm.com> Date: Wed Sep 06 19:42:39 2017 UPSTREAM: OpenSSL: Do not use library init/deinit functions with 1.1.0 SSL_library_init() does not work properly after EVP_cleanup() starting from OpenSSL 1.1.0 pre release 3. The automated library init/deinit functions in that pre release are supposed to handle all initialization and deinitialization, so comment out the explicit calls to these functions with OpenSSL 1.1.0 and newer. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com> (cherry picked from commit 29bc76e3d3252dfc311d1ffaa15be66abd8509ee) Signed-off-by: Daniel Kurtz <djkurtz@chromium.org> BUG=chromium:740096 TEST=w/ openssl-1.0.2k: emerge-{samus,hana} wpa_supplicant TEST=w/ openssl-1.1.0f: emerge-{samus,hana} wpa_supplicant => All build ok when all patches in series applied. TEST=On wificell DUT suite:wifi_matfunc Change-Id: I4bbe16e8e0cdb6b1096f3fbc5c2887ff2d30ec5f Reviewed-on: https://chromium-review.googlesource.com/621914 Commit-Ready: Daniel Kurtz <djkurtz@chromium.org> Tested-by: Kirtika Ruchandani <kirtika@chromium.org> Reviewed-by: Kirtika Ruchandani <kirtika@chromium.org> Reviewed-by: Mike Frysinger <vapier@chromium.org> [modify] https://crrev.com/09f396a2010963c5186413304d58bf2095dd71f7/src/crypto/tls_openssl.c
,
Sep 6 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/hostap/+/ccf2fd397bc36ed59f24a9d2d51e5d710ce56592 commit ccf2fd397bc36ed59f24a9d2d51e5d710ce56592 Author: Jouni Malinen <jouni@qca.qualcomm.com> Date: Wed Sep 06 19:42:39 2017 UPSTREAM: OpenSSL: Fix memory leak in OCSP parsing The result from OCSP_cert_to_id() needs to be freed. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com> (cherry picked from commit d9a0f69747fbf00d3b8737f563b9f929bb952634) Signed-off-by: Daniel Kurtz <djkurtz@chromium.org> BUG=chromium:740096 TEST=w/ openssl-1.0.2k: emerge-{samus,hana} wpa_supplicant TEST=w/ openssl-1.1.0f: emerge-{samus,hana} wpa_supplicant => All build ok when all patches in series applied. TEST=On wificell DUT suite:wifi_matfunc Change-Id: I61e87ec5875e6e4b6305d40f24722395499d3705 Reviewed-on: https://chromium-review.googlesource.com/621915 Commit-Ready: Daniel Kurtz <djkurtz@chromium.org> Tested-by: Kirtika Ruchandani <kirtika@chromium.org> Reviewed-by: Kirtika Ruchandani <kirtika@chromium.org> Reviewed-by: Mike Frysinger <vapier@chromium.org> [modify] https://crrev.com/ccf2fd397bc36ed59f24a9d2d51e5d710ce56592/src/utils/http_curl.c [modify] https://crrev.com/ccf2fd397bc36ed59f24a9d2d51e5d710ce56592/src/crypto/tls_openssl.c
,
Sep 6 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/hostap/+/1ea897f2299826e4983b39de83a3f621d591a415 commit 1ea897f2299826e4983b39de83a3f621d591a415 Author: Jouni Malinen <jouni@qca.qualcomm.com> Date: Wed Sep 06 19:42:40 2017 UPSTREAM: OpenSSL: Fix memory leak in HMAC_CTX compatibility wrapper function Commit 5c9a33702fd9e9ae9c349d6461a6621801d4f9cb ('OpenSSL: Clean up crypto_hash_*() to use a single implementation') added a wrapper function to allow the new OpenSSL API to be used with older OpenSSL versions. However, the HMAC_CTX_free() wrapper was incorrectly skipping the call to HMAC_CTX_cleanup() which is still needed to free the resources OpenSSL allocated internally. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com> (cherry picked from commit 03e3ddf84e97f193efedd88a380cfcedfff89587) Signed-off-by: Daniel Kurtz <djkurtz@chromium.org> BUG=chromium:740096 TEST=w/ openssl-1.0.2k: emerge-{samus,hana} wpa_supplicant TEST=w/ openssl-1.1.0f: emerge-{samus,hana} wpa_supplicant => All build ok when all patches in series applied. TEST=On wificell DUT suite:wifi_matfunc Change-Id: I04f48b16b551209d4374a0b807d8da5c1bdfe3e5 Reviewed-on: https://chromium-review.googlesource.com/621916 Commit-Ready: Daniel Kurtz <djkurtz@chromium.org> Tested-by: Kirtika Ruchandani <kirtika@chromium.org> Reviewed-by: Kirtika Ruchandani <kirtika@chromium.org> Reviewed-by: Mike Frysinger <vapier@chromium.org> [modify] https://crrev.com/1ea897f2299826e4983b39de83a3f621d591a415/src/crypto/crypto_openssl.c
,
Sep 6 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/hostap/+/31956eed25fdd418957572da438bfedb1c537622 commit 31956eed25fdd418957572da438bfedb1c537622 Author: Jouni Malinen <jouni@qca.qualcomm.com> Date: Wed Sep 06 19:42:40 2017 UPSTREAM: OpenSSL: Fix memory leak in PKCS12 additional certificate parsing The additional PKCS12 certificates were not freed properly in the loop added in commit de2a7b796d82d92120aa9532450863f503e1885a ('OpenSSL: Use connection certificate chain with PKCS#12 extra certs'). Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com> (cherry picked from commit 8bcf8de827e841a35841034edd6f8281a7a3aeba) Signed-off-by: Daniel Kurtz <djkurtz@chromium.org> BUG=chromium:740096 TEST=w/ openssl-1.0.2k: emerge-{samus,hana} wpa_supplicant TEST=w/ openssl-1.1.0f: emerge-{samus,hana} wpa_supplicant => All build ok when all patches in series applied. TEST=On wificell DUT suite:wifi_matfunc Change-Id: I07e97af34837138accc9319701ad3400fe5414c5 Reviewed-on: https://chromium-review.googlesource.com/621917 Commit-Ready: Daniel Kurtz <djkurtz@chromium.org> Tested-by: Kirtika Ruchandani <kirtika@chromium.org> Reviewed-by: Kirtika Ruchandani <kirtika@chromium.org> Reviewed-by: Mike Frysinger <vapier@chromium.org> [modify] https://crrev.com/31956eed25fdd418957572da438bfedb1c537622/src/crypto/tls_openssl.c
,
Sep 6 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/hostap/+/d774d749d6cd15181dbf1bd03c874946d8a38b8b commit d774d749d6cd15181dbf1bd03c874946d8a38b8b Author: Jouni Malinen <jouni@qca.qualcomm.com> Date: Wed Sep 06 19:42:40 2017 UPSTREAM: OpenSSL: Fix PKCS#12 parsing of extra certificates with OpenSSL 1.0.1 Commit 8bcf8de827e841a35841034edd6f8281a7a3aeba ('OpenSSL: Fix memory leak in PKCS12 additional certificate parsing') tried to fix a memory leak in both the 1.0.2(and newer) and 1.0.1 branches of PKCS12 parsing. However, the 1.0.1 case was not properly tested and freeing of the certificate after a successful SSL_CTX_add_extra_chain_cert() call resulted in use of freed memory when going through the TLS handshake. Fix this by not freeing the certificate in that specific case. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com> (cherry picked from commit 3a583e0023e3390e149d74e0c45ef917a6cf6909) Signed-off-by: Daniel Kurtz <djkurtz@chromium.org> BUG=chromium:740096 TEST=w/ openssl-1.0.2k: emerge-{samus,hana} wpa_supplicant TEST=w/ openssl-1.1.0f: emerge-{samus,hana} wpa_supplicant => All build ok when all patches in series applied. TEST=On wificell DUT suite:wifi_matfunc Change-Id: Ib3f2fb06a7a743a2925c92d1ff6aa6a97edbea7f Reviewed-on: https://chromium-review.googlesource.com/621918 Commit-Ready: Daniel Kurtz <djkurtz@chromium.org> Tested-by: Kirtika Ruchandani <kirtika@chromium.org> Reviewed-by: Kirtika Ruchandani <kirtika@chromium.org> Reviewed-by: Mike Frysinger <vapier@chromium.org> [modify] https://crrev.com/d774d749d6cd15181dbf1bd03c874946d8a38b8b/src/crypto/tls_openssl.c
,
Sep 6 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/hostap/+/89cadbcb111d118af6f707c6afd3e2b63a84f86d commit 89cadbcb111d118af6f707c6afd3e2b63a84f86d Author: Jouni Malinen <j@w1.fi> Date: Wed Sep 06 19:42:40 2017 UPSTREAM: tests: Add TEST_FAIL() calls into OpenSSL bignum operations This makes it easier to test error paths in bignum operations in SAE. Signed-off-by: Jouni Malinen <j@w1.fi> (cherry picked from commit f73b167c69dbe79d94cc3b8182b1fc830ecc65d3) Signed-off-by: Daniel Kurtz <djkurtz@chromium.org> BUG=chromium:740096 TEST=w/ openssl-1.0.2k: emerge-{samus,hana} wpa_supplicant TEST=w/ openssl-1.1.0f: emerge-{samus,hana} wpa_supplicant => All build ok when all patches in series applied. TEST=On wificell DUT suite:wifi_matfunc Change-Id: Icb46b9434eef3e8aa377a7f54a2186ebd9c734d4 Reviewed-on: https://chromium-review.googlesource.com/621919 Commit-Ready: Daniel Kurtz <djkurtz@chromium.org> Tested-by: Kirtika Ruchandani <kirtika@chromium.org> Reviewed-by: Kirtika Ruchandani <kirtika@chromium.org> Reviewed-by: Mike Frysinger <vapier@chromium.org> [modify] https://crrev.com/89cadbcb111d118af6f707c6afd3e2b63a84f86d/src/crypto/crypto_openssl.c
,
Sep 6 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/hostap/+/58079763afef053209870093efa10cf1dbd428b2 commit 58079763afef053209870093efa10cf1dbd428b2 Author: Jouni Malinen <j@w1.fi> Date: Wed Sep 06 19:42:41 2017 UPSTREAM: OpenSSL: Support OpenSSL 1.1.0 DH opacity The OpenSSL 1.1.0 Beta 2 release made DH opaque and that broke compilation of crypto_openssl.c. Fix this by using the new accessor functions when building against OpenSSL 1.1.0 or newer. Signed-off-by: Jouni Malinen <j@w1.fi> (cherry picked from commit 49fe2ada20d5fd53c0388442d23e7f03086f4d57) Signed-off-by: Daniel Kurtz <djkurtz@chromium.org> BUG=chromium:740096 TEST=w/ openssl-1.0.2k: emerge-{samus,hana} wpa_supplicant TEST=w/ openssl-1.1.0f: emerge-{samus,hana} wpa_supplicant => All build ok when all patches in series applied. TEST=On wificell DUT suite:wifi_matfunc Change-Id: I3ced4625ea889b8c7c1566e261f1949fb003c3f6 Reviewed-on: https://chromium-review.googlesource.com/621920 Commit-Ready: Daniel Kurtz <djkurtz@chromium.org> Tested-by: Kirtika Ruchandani <kirtika@chromium.org> Reviewed-by: Kirtika Ruchandani <kirtika@chromium.org> Reviewed-by: Mike Frysinger <vapier@chromium.org> [modify] https://crrev.com/58079763afef053209870093efa10cf1dbd428b2/src/crypto/crypto_openssl.c
,
Sep 6 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/hostap/+/6e570112ad78b145c8ad3be5212330673b8c42b2 commit 6e570112ad78b145c8ad3be5212330673b8c42b2 Author: David Benjamin <davidben@google.com> Date: Wed Sep 06 19:42:41 2017 UPSTREAM: OpenSSL: BoringSSL has SSL_get_client_random(), etc. BoringSSL added OpenSSL 1.1.0's SSL_get_client_random() and friends in working towards opaquifying the SSL struct. But it, for the moment, still looks more like 1.0.2 than 1.1.0 and advertises OPENSSL_VERSION_NUMBER as such. This means that there is no need to define those in BoringSSL and defining them causes conflicts. (C does not like having static and non-static functions with the same name.) As requested, this is conditioned on defined(BORINGSSL_API_VERSION) so wpa_supplicant may continue to support older BoringSSLs for a time. (BoringSSL revisions without the accessors predate BoringSSL maintaining a BORINGSSL_API_VERSION.) Also add a missing opensslv.h include. tls_openssl.c is sensitive to OPENSSL_VERSION_NUMBER, so it should include the header directly rather than rely on another header to do so. Signed-off-by: David Benjamin <davidben@google.com> (cherry picked from commit e4471338c6556f4e60f4aca1313df2f6c52497c6) Signed-off-by: Daniel Kurtz <djkurtz@chromium.org> BUG=chromium:740096 TEST=w/ openssl-1.0.2k: emerge-{samus,hana} wpa_supplicant TEST=w/ openssl-1.1.0f: emerge-{samus,hana} wpa_supplicant => All build ok when all patches in series applied. TEST=On wificell DUT suite:wifi_matfunc Change-Id: I48f4fcb65e997af93584f65728289e0b40666a7a Reviewed-on: https://chromium-review.googlesource.com/621921 Commit-Ready: Daniel Kurtz <djkurtz@chromium.org> Tested-by: Kirtika Ruchandani <kirtika@chromium.org> Reviewed-by: Kirtika Ruchandani <kirtika@chromium.org> Reviewed-by: Mike Frysinger <vapier@chromium.org> [modify] https://crrev.com/6e570112ad78b145c8ad3be5212330673b8c42b2/src/crypto/tls_openssl.c
,
Sep 6 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/hostap/+/6b164eb30c642eb52ff5d9cfdd82a8b76003d994 commit 6b164eb30c642eb52ff5d9cfdd82a8b76003d994 Author: Jouni Malinen <jouni@qca.qualcomm.com> Date: Wed Sep 06 19:42:41 2017 UPSTREAM: OpenSSL: Make dh5_init() match the generic implementation Commit 4104267e81b0a0acdb43f693a67f236b3237a719 ('Fix memory leak on NFC DH generation error path') modified the generic (non-OpenSSL) implementation of dh5_init() to free the previously assigned public key, if any. However, that commit did not modify the OpenSSL specific version of this function. Add the same change there to maintain consistent behavior between these two implementations of the same function. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com> (cherry picked from commit 6a9681e90c08461c3bee4549985bb550ddf6c275) Signed-off-by: Daniel Kurtz <djkurtz@chromium.org> BUG=chromium:740096 TEST=w/ openssl-1.0.2k: emerge-{samus,hana} wpa_supplicant TEST=w/ openssl-1.1.0f: emerge-{samus,hana} wpa_supplicant => All build ok when all patches in series applied. TEST=On wificell DUT suite:wifi_matfunc Change-Id: Ie4aa8780c93a12a34b91e5b95d8133855be09962 Reviewed-on: https://chromium-review.googlesource.com/621922 Commit-Ready: Daniel Kurtz <djkurtz@chromium.org> Tested-by: Kirtika Ruchandani <kirtika@chromium.org> Reviewed-by: Kirtika Ruchandani <kirtika@chromium.org> Reviewed-by: Mike Frysinger <vapier@chromium.org> [modify] https://crrev.com/6b164eb30c642eb52ff5d9cfdd82a8b76003d994/src/crypto/crypto_openssl.c
,
Sep 6 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/hostap/+/a2a0ed1b552a95a154dd34724d9f8358a4b51214 commit a2a0ed1b552a95a154dd34724d9f8358a4b51214 Author: Jouni Malinen <jouni@qca.qualcomm.com> Date: Wed Sep 06 19:42:41 2017 UPSTREAM: OpenSSL: Pull in header files to check function prototypes Since crypto_openssl.c is now implementing a couple of functions internally, pull in the relevant header files md5.h and aes_wrap.h to make sure the function declarations are consistent. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com> (cherry picked from commit 3787c91da0cc72c106e6ba0c5cf8a66175a531c1) Signed-off-by: Daniel Kurtz <djkurtz@chromium.org> BUG=chromium:740096 TEST=w/ openssl-1.0.2k: emerge-{samus,hana} wpa_supplicant TEST=w/ openssl-1.1.0f: emerge-{samus,hana} wpa_supplicant => All build ok when all patches in series applied. TEST=On wificell DUT suite:wifi_matfunc Change-Id: I79126b98f3c898f977603abbe84f7d04ab7311ac Reviewed-on: https://chromium-review.googlesource.com/621923 Commit-Ready: Daniel Kurtz <djkurtz@chromium.org> Tested-by: Kirtika Ruchandani <kirtika@chromium.org> Reviewed-by: Kirtika Ruchandani <kirtika@chromium.org> Reviewed-by: Mike Frysinger <vapier@chromium.org> [modify] https://crrev.com/a2a0ed1b552a95a154dd34724d9f8358a4b51214/src/crypto/crypto_openssl.c
,
Sep 6 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/hostap/+/136f99dd5a2753db435a5c17158259be28f7b259 commit 136f99dd5a2753db435a5c17158259be28f7b259 Author: Jouni Malinen <j@w1.fi> Date: Wed Sep 06 19:42:42 2017 UPSTREAM: OpenSSL: Update to match the modified DH_get0_key() API OpenSSL 1.1.0 (master branch) apparently ended up modifying the API after the beta 2 release that was supposed to complete the work. Mark the variables const to fix the compilation with the modified OpenSSL API. Signed-off-by: Jouni Malinen <j@w1.fi> (cherry picked from commit e6804fef93fa0c7e244baa80ee15d1a515ce0976) Signed-off-by: Daniel Kurtz <djkurtz@chromium.org> BUG=chromium:740096 TEST=w/ openssl-1.0.2k: emerge-{samus,hana} wpa_supplicant TEST=w/ openssl-1.1.0f: emerge-{samus,hana} wpa_supplicant => All build ok when all patches in series applied. TEST=On wificell DUT suite:wifi_matfunc Change-Id: I2316409cdb03e39c127c0ad524a1f73854518ca0 Reviewed-on: https://chromium-review.googlesource.com/621924 Commit-Ready: Daniel Kurtz <djkurtz@chromium.org> Tested-by: Kirtika Ruchandani <kirtika@chromium.org> Reviewed-by: Kirtika Ruchandani <kirtika@chromium.org> Reviewed-by: Mike Frysinger <vapier@chromium.org> [modify] https://crrev.com/136f99dd5a2753db435a5c17158259be28f7b259/src/crypto/crypto_openssl.c
,
Sep 6 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/hostap/+/f13e591704094d1042e32547d2644d4aff43b2ae commit f13e591704094d1042e32547d2644d4aff43b2ae Author: Jouni Malinen <j@w1.fi> Date: Wed Sep 06 19:42:42 2017 UPSTREAM: OpenSSL: Fix OpenSSL 1.1.0 DH operation Commit 49fe2ada20d5fd53c0388442d23e7f03086f4d57 ('OpenSSL: Support OpenSSL 1.1.0 DH opacity') started using the new accessor functions, but used incorrect success check for the DH_set0_key() call. This resulted in dh5_init_fixed() failures and double-free on error path if the build was linked against OpenSSL 1.1.0. Fix this by checking DH_set0_key() return value to be 1 for the success case. Signed-off-by: Jouni Malinen <j@w1.fi> (cherry picked from commit 460e5cdf430372df3fff366ff7085cfd4afe8818) Signed-off-by: Daniel Kurtz <djkurtz@chromium.org> BUG=chromium:740096 TEST=w/ openssl-1.0.2k: emerge-{samus,hana} wpa_supplicant TEST=w/ openssl-1.1.0f: emerge-{samus,hana} wpa_supplicant => All build ok when all patches in series applied. TEST=On wificell DUT suite:wifi_matfunc Change-Id: I7b778e0d8f5ab73b50b0d31e0af0152862aff93b Reviewed-on: https://chromium-review.googlesource.com/621925 Commit-Ready: Daniel Kurtz <djkurtz@chromium.org> Tested-by: Kirtika Ruchandani <kirtika@chromium.org> Reviewed-by: Kirtika Ruchandani <kirtika@chromium.org> Reviewed-by: Mike Frysinger <vapier@chromium.org> [modify] https://crrev.com/f13e591704094d1042e32547d2644d4aff43b2ae/src/crypto/crypto_openssl.c
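The failure mode described in the DH_set0_key() fix above, as an added example that is not part of the bug thread or the hostap source: a self-contained C model that counts releases instead of calling free(), so the double free is observable without corrupting memory. The mock_* types, the reject knob, dh_init_fixed_model() and the exact form of the incorrect check (a non-zero return treated as failure) are assumptions; the only thing taken from OpenSSL is the contract that DH_set0_key() returns 1 on success and then owns the keys.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed stand-ins for BIGNUM and DH (hypothetical, not OpenSSL types).
 * free_count records releases, so a double free appears as a count of 2
 * instead of corrupting the heap. */
struct mock_bn { int free_count; };
struct mock_dh {
    struct mock_bn *pub_key, *priv_key;
    int reject;      /* constructed knob: make the set0 call fail */
    int free_count;
};

static void mock_bn_free(struct mock_bn *bn)
{
    if (bn)
        bn->free_count++;
}

/* Like DH_free(): releases the container and every key it owns. */
static void mock_dh_free(struct mock_dh *dh)
{
    if (!dh)
        return;
    mock_bn_free(dh->pub_key);
    mock_bn_free(dh->priv_key);
    dh->pub_key = dh->priv_key = NULL;
    dh->free_count++;
}

/* Same contract as DH_set0_key(): 1 on success (ownership of both keys
 * moves to dh), 0 on failure (the caller still owns them). */
static int mock_dh_set0_key(struct mock_dh *dh, struct mock_bn *pub,
                            struct mock_bn *priv)
{
    if (!dh || dh->reject || !pub)
        return 0;
    dh->pub_key = pub;
    dh->priv_key = priv;
    return 1;
}

enum check_style { CHECK_BUGGY, CHECK_FIXED };

struct outcome { int ok, pub_frees, priv_frees, dh_frees; };

/* Models the tail of a dh5_init_fixed()-style function: attach the keys,
 * then either hand back a usable object or clean up on the error path. */
static struct outcome dh_init_fixed_model(enum check_style style, int reject)
{
    struct mock_bn pub = { 0 }, priv = { 0 };
    struct mock_dh dh = { 0 };
    struct mock_bn *p = &pub, *q = &priv;   /* caller-owned so far */
    struct outcome out = { 0 };
    int rc, failed;

    dh.reject = reject;
    rc = mock_dh_set0_key(&dh, p, q);
    /* Assumed buggy form: any non-zero return is treated as failure. */
    failed = (style == CHECK_BUGGY) ? (rc != 0) : (rc != 1);
    if (failed)
        goto err;

    p = q = NULL;            /* believed to be owned by dh from here on */
    out.ok = 1;
    mock_dh_free(&dh);       /* normal teardown by the eventual owner */
    goto done;

err:
    mock_bn_free(p);         /* error path releases what the caller owns */
    mock_bn_free(q);
    mock_dh_free(&dh);       /* and dh releases what it owns */
done:
    out.pub_frees = pub.free_count;
    out.priv_frees = priv.free_count;
    out.dh_frees = dh.free_count;
    return out;
}

int main(void)
{
    static const char *names[] = { "buggy", "fixed" };
    int style, reject;

    for (style = CHECK_BUGGY; style <= CHECK_FIXED; style++) {
        for (reject = 0; reject <= 1; reject++) {
            struct outcome o =
                dh_init_fixed_model((enum check_style) style, reject);
            printf("%s check, set0 %s: ok=%d pub_frees=%d priv_frees=%d\n",
                   names[style], reject ? "fails" : "succeeds",
                   o.ok, o.pub_frees, o.priv_frees);
        }
    }
    return 0;
}
```

With the inverted check, a successful set0 call is reported as a failure and both keys are released twice; a genuine failure is reported as success and the keys are never released.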
,
Sep 6 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/hostap/+/8b9a17e31a5f3ad9b1ed7970daa71b60941d0c1e commit 8b9a17e31a5f3ad9b1ed7970daa71b60941d0c1e Author: David Benjamin <davidben@google.com> Date: Wed Sep 06 19:42:42 2017 UPSTREAM: OpenSSL: Fix OpenSSL 1.1.0 compatibility functions To be consistent with OpenSSL 1.1.0, the free functions should internally check for NULL. EVP_MD_CTX_free also was missing an EVP_MD_CTX_cleanup, so this leaked a little. OpenSSL 1.1.0 also has given get_rfc3526_prime_1536 a better namespace with get_rfc3526_prime_1536 as a compatibility-only name. Use that instead in 1.1.0. Signed-off-by: David Benjamin <davidben@google.com> (cherry picked from commit 478441bf81ee565440fd012a7e71f160788c59bd) Signed-off-by: Daniel Kurtz <djkurtz@chromium.org> BUG=chromium:740096 TEST=w/ openssl-1.0.2k: emerge-{samus,hana} wpa_supplicant TEST=w/ openssl-1.1.0f: emerge-{samus,hana} wpa_supplicant => All build ok when all patches in series applied. TEST=On wificell DUT suite:wifi_matfunc Change-Id: I3ba358b4156cc77633d9b9b577b527f4f1401cfb Reviewed-on: https://chromium-review.googlesource.com/621926 Commit-Ready: Daniel Kurtz <djkurtz@chromium.org> Tested-by: Kirtika Ruchandani <kirtika@chromium.org> Reviewed-by: Kirtika Ruchandani <kirtika@chromium.org> Reviewed-by: Mike Frysinger <vapier@chromium.org> [modify] https://crrev.com/8b9a17e31a5f3ad9b1ed7970daa71b60941d0c1e/src/crypto/crypto_openssl.c
Comment 1 by djkurtz@chromium.org
, Jul 7 2017