Tidying up the OpenSSL private key password logic

Andrew Shadura andrewsh at debian.org
Thu Dec 14 21:23:55 PST 2017

On 02/12/17 00:08, David Benjamin wrote:
> Hi folks,
> I've attached two patches that I think tidy up the logic around
> OpenSSL private key loading and passwords.
> The first just removes an unnecessary strdup. That parameter isn't
> mutated or anything, it's just a generic data argument to the same
> callback that you pass in.
> The second avoids using the SSL(_CTX) default password callback
> altogether. Since you all use it for one-off calls anyway, it ends up
> being a little cumbersome as you must set and unset them. Further, you
> end up mutating the SSL_CTX after SSLs have been created, which isn't
> generally safe. Rather, I think it's cleaner to just pass the password
> into the PEM_read_bio_PrivateKey call yourself. The SSL-level
> functions are merely convenience routines on top of this. This also
> allows abstracting away the DER/PEM fallback code. (It also avoids a
> mess of OpenSSL version variability.)

Thanks, I was dealing with issues around this a week ago or so in
Debian's wpa-supplicant package, and I will ship your patch instead of
whatever I'm currently shipping now that Jouni has applied this upstream.


More information about the Hostap mailing list