To: git-commits@fedoraproject.org
Subject: [rpms/hostapd] rawhide: Add OpenSSL 4.0 compatibility patches
Date: Fri, 12 Jun 2026 19:17:48 GMT	[thread overview]
Message-ID: <178129186846.1.4299144624491383048.rpms-hostapd-09fbb485fa03@fedoraproject.org> (raw)

A new commit has been pushed.

Repo   : rpms/hostapd
Branch : rawhide
Commit : 09fbb485fa03794ae4f9ca5b09912d5d0aef6907
Author : Pavol Žáčik <pzacik@redhat.com>
Date   : 2026-06-12T15:17:25-04:00
Stats  : +244/-1 in 4 file(s)
URL    : https://src.fedoraproject.org/rpms/hostapd/c/09fbb485fa03794ae4f9ca5b09912d5d0aef6907?branch=rawhide

Log:
Add OpenSSL 4.0 compatibility patches

---
diff --git a/OpenSSL-Mark-more-ASN1-X509-values-const.patch b/OpenSSL-Mark-more-ASN1-X509-values-const.patch
new file mode 100644
index 0000000..2b8bcee
--- /dev/null
+++ b/OpenSSL-Mark-more-ASN1-X509-values-const.patch
@@ -0,0 +1,84 @@
+From 907c5a99ad126bbef72b4a5d67e363decbd3d1ac Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Mon, 6 Apr 2026 11:59:07 +0300
+Subject: [PATCH 3/3] OpenSSL: Mark more ASN1/X509 values const
+
+OpenSSL 4.0 enforces this. A couple of additional typecasts are needed
+to get rid of the const marking for function calls with OpenSSL 1.1.1,
+but those could be removed for OpenSSL 3.0 and newer.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/crypto/crypto_openssl.c |  4 ++--
+ src/crypto/tls_openssl.c    | 18 ++++++++++--------
+ 2 files changed, 12 insertions(+), 10 deletions(-)
+
+diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c
+index dbe85d5e3..3e88c3d0a 100644
+--- a/src/crypto/crypto_openssl.c
++++ b/src/crypto/crypto_openssl.c
+@@ -4479,8 +4479,8 @@ const u8 * crypto_csr_get_attribute(struct crypto_csr *csr,
+ 				    size_t *len, int *type)
+ {
+ 	X509_ATTRIBUTE *attrib;
+-	ASN1_TYPE *attrib_type;
+-	ASN1_STRING *data;
++	const ASN1_TYPE *attrib_type;
++	const ASN1_STRING *data;
+ 	int loc;
+ 	int nid;
+ 
+diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
+index fc7b4d2f9..292017cc4 100644
+--- a/src/crypto/tls_openssl.c
++++ b/src/crypto/tls_openssl.c
+@@ -2163,7 +2163,7 @@ static int match_dn_field(const X509 *cert, int nid, const char *field,
+ 			  const struct tls_dn_field_order_cnt *dn_cnt)
+ {
+ 	int i, ret = 0, len, config_dn_field_index, match_index = 0;
+-	X509_NAME *name;
++	const X509_NAME *name;
+ 
+ 	len = os_strlen(value);
+ 	name = X509_get_subject_name((X509 *) cert);
+@@ -2175,9 +2175,10 @@ static int match_dn_field(const X509 *cert, int nid, const char *field,
+ 		return 0;
+ 
+ 	/* Fetch value based on NID */
+-	for (i = -1; (i = X509_NAME_get_index_by_NID(name, nid, i)) > -1;) {
+-		X509_NAME_ENTRY *e;
+-		ASN1_STRING *cn;
++	for (i = -1; (i = X509_NAME_get_index_by_NID((X509_NAME *) name, nid,
++						     i)) > -1;) {
++		const X509_NAME_ENTRY *e;
++		const ASN1_STRING *cn;
+ 
+ 		e = X509_NAME_get_entry(name, i);
+ 		if (!e)
+@@ -2332,7 +2333,7 @@ static int tls_match_suffix_helper(X509 *cert, const char *match,
+ 	int i;
+ 	stack_index_t j;
+ 	int dns_name = 0;
+-	X509_NAME *name;
++	const X509_NAME *name;
+ 
+ 	wpa_printf(MSG_DEBUG, "TLS: Match domain against %s%s",
+ 		   full ? "": "suffix ", match);
+@@ -2366,10 +2367,11 @@ static int tls_match_suffix_helper(X509 *cert, const char *match,
+ 	name = X509_get_subject_name(cert);
+ 	i = -1;
+ 	for (;;) {
+-		X509_NAME_ENTRY *e;
+-		ASN1_STRING *cn;
++		const X509_NAME_ENTRY *e;
++		const ASN1_STRING *cn;
+ 
+-		i = X509_NAME_get_index_by_NID(name, NID_commonName, i);
++		i = X509_NAME_get_index_by_NID((X509_NAME *) name,
++					       NID_commonName, i);
+ 		if (i == -1)
+ 			break;
+ 		e = X509_NAME_get_entry(name, i);
+-- 
+2.53.0
+
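Review bot: The `(X509_NAME *) name` casts added in match_dn_field() and tls_match_suffix_helper() strip the const that the rest of this patch introduces, and nothing at the call sites says why; the reason (OpenSSL 1.1.1 prototypes) is given only in the commit message. A short comment at each cast, e.g. `/* cast needed only for OpenSSL 1.1.1, where this parameter is not const */`, would let the cast be dropped once 1.1.1 support goes and would discourage copying it to places where discarding const is unsafe. All three touched functions continue outside their hunks.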

diff --git a/OpenSSL-Set-X509_REQ-subject-name-using-proper-API-c.patch b/OpenSSL-Set-X509_REQ-subject-name-using-proper-API-c.patch
new file mode 100644
index 0000000..efc9d09
--- /dev/null
+++ b/OpenSSL-Set-X509_REQ-subject-name-using-proper-API-c.patch
@@ -0,0 +1,64 @@
+From ec00192a5a56cadbb250816b2ed1552f6a4fdabe Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Mon, 6 Apr 2026 11:57:19 +0300
+Subject: [PATCH 2/3] OpenSSL: Set X509_REQ subject name using proper API calls
+
+X509_REQ_set_subject_name() should have used for this instead of adding
+entries into whatever X509_REQ_get_subject_name() returned. OpenSSL 4.0
+enforces this by marking the returned value from
+X509_REQ_get_subject_name() const.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/crypto/crypto_openssl.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c
+index 0514185c9..dbe85d5e3 100644
+--- a/src/crypto/crypto_openssl.c
++++ b/src/crypto/crypto_openssl.c
+@@ -4405,6 +4405,7 @@ int crypto_csr_set_name(struct crypto_csr *csr, enum crypto_csr_name type,
+ {
+ 	X509_NAME *n;
+ 	int nid;
++	int ret = -1;
+ 
+ 	switch (type) {
+ 	case CSR_NAME_CN:
+@@ -4426,7 +4427,7 @@ int crypto_csr_set_name(struct crypto_csr *csr, enum crypto_csr_name type,
+ 		return -1;
+ 	}
+ 
+-	n = X509_REQ_get_subject_name((X509_REQ *) csr);
++	n = X509_NAME_new();
+ 	if (!n)
+ 		return -1;
+ 
+@@ -4434,15 +4435,21 @@ int crypto_csr_set_name(struct crypto_csr *csr, enum crypto_csr_name type,
+ 	if (!X509_NAME_add_entry_by_NID(n, nid, MBSTRING_UTF8,
+ 					(unsigned char *) name,
+ 					os_strlen(name), -1, 0))
+-		return -1;
++		goto fail;
+ #else
+ 	if (!X509_NAME_add_entry_by_NID(n, nid, MBSTRING_UTF8,
+ 					(const unsigned char *) name,
+ 					os_strlen(name), -1, 0))
+-		return -1;
++		goto fail;
+ #endif
+ 
+-	return 0;
++	if (X509_REQ_set_subject_name((X509_REQ *) csr, n) != 1)
++		goto fail;
++
++	ret = 0;
++fail:
++	X509_NAME_free(n);
++	return ret;
+ }
+ 
+ 
+-- 
+2.53.0
+
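Review bot: crypto_csr_set_name() now replaces the whole subject on every call: `n` starts from `X509_NAME_new()`, receives a single entry and is passed to `X509_REQ_set_subject_name()`, so an entry added by an earlier call (for example CN followed by O) would be dropped, whereas the old code appended to the request's existing name. Callers are outside this patch, so this only matters if a CSR is ever given more than one name component; that is worth confirming before shipping. If accumulation is expected, start from a copy of the current subject, `n = X509_NAME_dup(X509_REQ_get_subject_name((X509_REQ *) csr));`, and keep the rest unchanged. The function's `switch (type)` lies between the hunks and is not shown in full.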

diff --git a/OpenSSL-Use-ASN1_STRING_length-get0_data-more-consis.patch b/OpenSSL-Use-ASN1_STRING_length-get0_data-more-consis.patch
new file mode 100644
index 0000000..cc71cf6
--- /dev/null
+++ b/OpenSSL-Use-ASN1_STRING_length-get0_data-more-consis.patch
@@ -0,0 +1,83 @@
+From 141abf49a432c9a0f4f38c47a477ab258ec9e239 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Mon, 6 Apr 2026 11:32:06 +0300
+Subject: [PATCH 1/3] OpenSSL: Use ASN1_STRING_length/get0_data() more
+ consistently
+
+Some of the accesses to ASN1_IA5STRING were using direct references to
+the structure members. Replace those with helper functions to avoid the
+direct access. This is needed for OpenSSL 4.0.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/crypto/tls_openssl.c | 26 +++++++++++++++-----------
+ 1 file changed, 15 insertions(+), 11 deletions(-)
+
+diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
+index d6f254371..fc7b4d2f9 100644
+--- a/src/crypto/tls_openssl.c
++++ b/src/crypto/tls_openssl.c
+@@ -2020,8 +2020,9 @@ static int tls_match_altsubject_component(X509 *cert, int type,
+ 		gen = sk_GENERAL_NAME_value(ext, i);
+ 		if (gen->type != type)
+ 			continue;
+-		if (os_strlen((char *) gen->d.ia5->data) == len &&
+-		    os_memcmp(value, gen->d.ia5->data, len) == 0)
++		if ((size_t) ASN1_STRING_length(gen->d.ia5) == len &&
++		    os_memcmp(value, ASN1_STRING_get0_data(gen->d.ia5), len) ==
++		    0)
+ 			found++;
+ 	}
+ 
+@@ -2344,10 +2345,10 @@ static int tls_match_suffix_helper(X509 *cert, const char *match,
+ 			continue;
+ 		dns_name++;
+ 		wpa_hexdump_ascii(MSG_DEBUG, "TLS: Certificate dNSName",
+-				  gen->d.dNSName->data,
+-				  gen->d.dNSName->length);
+-		if (domain_suffix_match(gen->d.dNSName->data,
+-					gen->d.dNSName->length,
++				  ASN1_STRING_get0_data(gen->d.dNSName),
++				  ASN1_STRING_length(gen->d.dNSName));
++		if (domain_suffix_match(ASN1_STRING_get0_data(gen->d.dNSName),
++					ASN1_STRING_length(gen->d.dNSName),
+ 					match, match_len, full) == 1) {
+ 			wpa_printf(MSG_DEBUG, "TLS: %s in dNSName found",
+ 				   full ? "Match" : "Suffix match");
+@@ -2378,8 +2379,10 @@ static int tls_match_suffix_helper(X509 *cert, const char *match,
+ 		if (cn == NULL)
+ 			continue;
+ 		wpa_hexdump_ascii(MSG_DEBUG, "TLS: Certificate commonName",
+-				  cn->data, cn->length);
+-		if (domain_suffix_match(cn->data, cn->length,
++				  ASN1_STRING_get0_data(cn),
++				  ASN1_STRING_length(cn));
++		if (domain_suffix_match(ASN1_STRING_get0_data(cn),
++					ASN1_STRING_length(cn),
+ 					match, match_len, full) == 1) {
+ 			wpa_printf(MSG_DEBUG, "TLS: %s in commonName found",
+ 				   full ? "Match" : "Suffix match");
+@@ -2588,7 +2591,7 @@ static void openssl_tls_cert_event(struct tls_connection *conn,
+ 		    gen->type != GEN_URI)
+ 			continue;
+ 
+-		pos = os_malloc(10 + gen->d.ia5->length + 1);
++		pos = os_malloc(10 + ASN1_STRING_length(gen->d.ia5) + 1);
+ 		if (pos == NULL)
+ 			break;
+ 		altsubject[num_altsubject++] = pos;
+@@ -2608,8 +2611,9 @@ static void openssl_tls_cert_event(struct tls_connection *conn,
+ 			break;
+ 		}
+ 
+-		os_memcpy(pos, gen->d.ia5->data, gen->d.ia5->length);
+-		pos += gen->d.ia5->length;
++		os_memcpy(pos, ASN1_STRING_get0_data(gen->d.ia5),
++			  ASN1_STRING_length(gen->d.ia5));
++		pos += ASN1_STRING_length(gen->d.ia5);
+ 		*pos = '\0';
+ 	}
+ 	sk_GENERAL_NAME_pop_free(ext, GENERAL_NAME_free);
+-- 
+2.53.0
+
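Review bot: The first hunk in tls_match_altsubject_component() is more than an accessor swap: the old test used `os_strlen()` on the IA5 data, so a subjectAltName containing an embedded NUL could compare equal to a shorter configured value, while the new test on `ASN1_STRING_length()` rejects it. That tightening is desirable for certificate matching and deserves a comment so it is not undone later, for example `/* Compare the full ASN.1 length; a value with an embedded NUL must not match a shorter configured string */`. In openssl_tls_cert_event() the same length is now fetched three times; reading it once into a local would keep the `os_malloc()` size and the `os_memcpy()` length visibly tied together. Both functions extend beyond the hunks shown.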

diff --git a/hostapd.spec b/hostapd.spec
index 4df28bb..6cecf81 100644
--- a/hostapd.spec
+++ b/hostapd.spec
@@ -2,7 +2,7 @@
 
 Name:           hostapd
 Version:        2.11
-Release:        5%{?dist}
+Release:        6%{?dist}
 Summary:        IEEE 802.11 AP, IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator
 License:        BSD-3-Clause
 URL:            http://w1.fi/hostapd
@@ -16,6 +16,13 @@ Source5:        %{name}.init
 
 # use pkcs11-provider instead of OpenSSL engine
 Patch1: OpenSSL-Use-pkcs11-provider-when-OPENSSL_NO_ENGINE-i.patch
+# OpenSSL 4.0 compatibility patches
+# https://git.w1.fi/cgit/hostap/commit/?id=141abf49a432c9a0f4f38c47a477ab258ec9e239
+Patch2: OpenSSL-Use-ASN1_STRING_length-get0_data-more-consis.patch
+# https://git.w1.fi/cgit/hostap/commit/?id=ec00192a5a56cadbb250816b2ed1552f6a4fdabe
+Patch3: OpenSSL-Set-X509_REQ-subject-name-using-proper-API-c.patch
+# https://git.w1.fi/cgit/hostap/commit/?id=907c5a99ad126bbef72b4a5d67e363decbd3d1ac
+Patch4: OpenSSL-Mark-more-ASN1-X509-values-const.patch
 
 BuildRequires:  libnl3-devel
 BuildRequires:  openssl-devel
@@ -63,6 +70,7 @@ Logwatch scripts for hostapd.
 
 %prep
 %setup -q
+%autopatch -p1
 sed \
     -e '$ a CONFIG_SAE=y' \
     -e '$ a CONFIG_SUITEB192=y' \
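Review bot: `%autopatch -p1` applies every declared patch, including the pre-existing `Patch1` (pkcs11-provider), yet this commit removes no `%patch` line; the only deletion in the diffstat is the Release bump. Either Patch1 was not being applied before, in which case this build also changes PKCS#11 key handling and the changelog entry should say so explicitly, or a `%patch` for it remains elsewhere in the spec and Patch1 would be applied twice. The rest of `%prep` is outside the hunk, so please check which case holds.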
@@ -196,6 +204,10 @@ fi
 %{_sysconfdir}/logwatch/scripts/services/%{name}
 
 %changelog
+* Mon May 11 2026 Pavol Žáčik <pzacik@redhat.com> - 2.11-6
+- Add OpenSSL 4.0 compatibility patches
+- Use %%autopatch to apply patches
+
 * Thu Jan 29 2026 Davide Caratti <dcaratti@redhat.com> - 2.11-5
 - Enable CONFIG_IEEE80211BE
 - Use pkcs11-provider to resolve PKCS11 URIs
