Tidying up the OpenSSL private key password logic

David Benjamin davidben at google.com
Fri Dec 1 15:08:21 PST 2017

Hi folks,

I've attached two patches that I think tidy up the logic around
OpenSSL private key loading and passwords.

The first just removes an unnecessary strdup. That parameter isn't
mutated or anything, it's just a generic data argument to the same
callback that you pass in.

The second avoids using the SSL(_CTX) default password callback
altogether. Since you all use it for one-off calls anyway, it ends up
being a little cumbersome as you must set and unset them. Further, you
end up mutating the SSL_CTX after SSLs have been created, which isn't
generally safe. Rather, I think it's cleaner to just pass the password
into the PEM_read_bio_PrivateKey call yourself. The SSL-level
functions are merely convenience routines on top of this. This also
allows abstracting away the DER/PEM fallback code. (It also avoids a
mess of OpenSSL version variability.)

Note: you probably want to run tests on this. I wasn't sure how to do
that, but I have checked that they compile on my system.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-OpenSSL-Remove-unnecessary-os_strdup.patch
Type: text/x-patch
Size: 4339 bytes
Desc: not available
URL: <http://lists.infradead.org/pipermail/hostap/attachments/20171201/fda16496/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-OpenSSL-Avoid-SSL-_use_default_passwd_cb.patch
Type: text/x-patch
Size: 6503 bytes
Desc: not available
URL: <http://lists.infradead.org/pipermail/hostap/attachments/20171201/fda16496/attachment-0001.bin>

More information about the Hostap mailing list