* [rpms/hostapd] rawhide: Add OpenSSL 4.0 compatibility patches
@ 2026-06-12 19:17
From: @ 2026-06-12 19:17 UTC (permalink / raw)
To: git-commits
A new commit has been pushed.
Repo : rpms/hostapd
Branch : rawhide
Commit : 09fbb485fa03794ae4f9ca5b09912d5d0aef6907
Author : Pavol Žáčik <pzacik@redhat.com>
Date : 2026-06-12T15:17:25-04:00
Stats : +244/-1 in 4 file(s)
URL : https://src.fedoraproject.org/rpms/hostapd/c/09fbb485fa03794ae4f9ca5b09912d5d0aef6907?branch=rawhide
Log:
Add OpenSSL 4.0 compatibility patches
---
diff --git a/OpenSSL-Mark-more-ASN1-X509-values-const.patch b/OpenSSL-Mark-more-ASN1-X509-values-const.patch
new file mode 100644
index 0000000..2b8bcee
--- /dev/null
+++ b/OpenSSL-Mark-more-ASN1-X509-values-const.patch
@@ -0,0 +1,84 @@
+From 907c5a99ad126bbef72b4a5d67e363decbd3d1ac Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Mon, 6 Apr 2026 11:59:07 +0300
+Subject: [PATCH 3/3] OpenSSL: Mark more ASN1/X509 values const
+
+OpenSSL 4.0 enforces this. A couple of additional typecasts are needed
+to get rid of the const marking for function calls with OpenSSL 1.1.1,
+but those could be removed for OpenSSL 3.0 and newer.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/crypto/crypto_openssl.c | 4 ++--
+ src/crypto/tls_openssl.c | 18 ++++++++++--------
+ 2 files changed, 12 insertions(+), 10 deletions(-)
+
+diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c
+index dbe85d5e3..3e88c3d0a 100644
+--- a/src/crypto/crypto_openssl.c
++++ b/src/crypto/crypto_openssl.c
+@@ -4479,8 +4479,8 @@ const u8 * crypto_csr_get_attribute(struct crypto_csr *csr,
+ size_t *len, int *type)
+ {
+ X509_ATTRIBUTE *attrib;
+- ASN1_TYPE *attrib_type;
+- ASN1_STRING *data;
++ const ASN1_TYPE *attrib_type;
++ const ASN1_STRING *data;
+ int loc;
+ int nid;
+
+diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
+index fc7b4d2f9..292017cc4 100644
+--- a/src/crypto/tls_openssl.c
++++ b/src/crypto/tls_openssl.c
+@@ -2163,7 +2163,7 @@ static int match_dn_field(const X509 *cert, int nid, const char *field,
+ const struct tls_dn_field_order_cnt *dn_cnt)
+ {
+ int i, ret = 0, len, config_dn_field_index, match_index = 0;
+- X509_NAME *name;
++ const X509_NAME *name;
+
+ len = os_strlen(value);
+ name = X509_get_subject_name((X509 *) cert);
+@@ -2175,9 +2175,10 @@ static int match_dn_field(const X509 *cert, int nid, const char *field,
+ return 0;
+
+ /* Fetch value based on NID */
+- for (i = -1; (i = X509_NAME_get_index_by_NID(name, nid, i)) > -1;) {
+- X509_NAME_ENTRY *e;
+- ASN1_STRING *cn;
++ for (i = -1; (i = X509_NAME_get_index_by_NID((X509_NAME *) name, nid,
++ i)) > -1;) {
++ const X509_NAME_ENTRY *e;
++ const ASN1_STRING *cn;
+
+ e = X509_NAME_get_entry(name, i);
+ if (!e)
+@@ -2332,7 +2333,7 @@ static int tls_match_suffix_helper(X509 *cert, const char *match,
+ int i;
+ stack_index_t j;
+ int dns_name = 0;
+- X509_NAME *name;
++ const X509_NAME *name;
+
+ wpa_printf(MSG_DEBUG, "TLS: Match domain against %s%s",
+ full ? "": "suffix ", match);
+@@ -2366,10 +2367,11 @@ static int tls_match_suffix_helper(X509 *cert, const char *match,
+ name = X509_get_subject_name(cert);
+ i = -1;
+ for (;;) {
+- X509_NAME_ENTRY *e;
+- ASN1_STRING *cn;
++ const X509_NAME_ENTRY *e;
++ const ASN1_STRING *cn;
+
+- i = X509_NAME_get_index_by_NID(name, NID_commonName, i);
++ i = X509_NAME_get_index_by_NID((X509_NAME *) name,
++ NID_commonName, i);
+ if (i == -1)
+ break;
+ e = X509_NAME_get_entry(name, i);
+--
+2.53.0
+
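Review bot: The two `(X509_NAME *) name` casts added on the `X509_NAME_get_index_by_NID()` calls in match_dn_field() and tls_match_suffix_helper() are unconditional and uncommented, so they keep discarding the const qualifier even on OpenSSL versions whose prototype already takes a const pointer. The commit message says the casts exist only for OpenSSL 1.1.1 and could be dropped for 3.0 and newer; that reasoning belongs next to the code, e.g. `/* cast only needed for OpenSSL 1.1.1, where the name parameter is not const */`. Without it, a later reader cannot tell a deliberate compatibility cast from one that hides a real const violation. Both functions begin and end outside the nested hunks.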
diff --git a/OpenSSL-Set-X509_REQ-subject-name-using-proper-API-c.patch b/OpenSSL-Set-X509_REQ-subject-name-using-proper-API-c.patch
new file mode 100644
index 0000000..efc9d09
--- /dev/null
+++ b/OpenSSL-Set-X509_REQ-subject-name-using-proper-API-c.patch
@@ -0,0 +1,64 @@
+From ec00192a5a56cadbb250816b2ed1552f6a4fdabe Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Mon, 6 Apr 2026 11:57:19 +0300
+Subject: [PATCH 2/3] OpenSSL: Set X509_REQ subject name using proper API calls
+
+X509_REQ_set_subject_name() should have used for this instead of adding
+entries into whatever X509_REQ_get_subject_name() returned. OpenSSL 4.0
+enforces this by marking the returned value from
+X509_REQ_get_subject_name() const.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/crypto/crypto_openssl.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c
+index 0514185c9..dbe85d5e3 100644
+--- a/src/crypto/crypto_openssl.c
++++ b/src/crypto/crypto_openssl.c
+@@ -4405,6 +4405,7 @@ int crypto_csr_set_name(struct crypto_csr *csr, enum crypto_csr_name type,
+ {
+ X509_NAME *n;
+ int nid;
++ int ret = -1;
+
+ switch (type) {
+ case CSR_NAME_CN:
+@@ -4426,7 +4427,7 @@ int crypto_csr_set_name(struct crypto_csr *csr, enum crypto_csr_name type,
+ return -1;
+ }
+
+- n = X509_REQ_get_subject_name((X509_REQ *) csr);
++ n = X509_NAME_new();
+ if (!n)
+ return -1;
+
+@@ -4434,15 +4435,21 @@ int crypto_csr_set_name(struct crypto_csr *csr, enum crypto_csr_name type,
+ if (!X509_NAME_add_entry_by_NID(n, nid, MBSTRING_UTF8,
+ (unsigned char *) name,
+ os_strlen(name), -1, 0))
+- return -1;
++ goto fail;
+ #else
+ if (!X509_NAME_add_entry_by_NID(n, nid, MBSTRING_UTF8,
+ (const unsigned char *) name,
+ os_strlen(name), -1, 0))
+- return -1;
++ goto fail;
+ #endif
+
+- return 0;
++ if (X509_REQ_set_subject_name((X509_REQ *) csr, n) != 1)
++ goto fail;
++
++ ret = 0;
++fail:
++ X509_NAME_free(n);
++ return ret;
+ }
+
+
+--
+2.53.0
+
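Review bot: crypto_csr_set_name() now builds an empty name with `X509_NAME_new()`, adds one entry, and passes it to `X509_REQ_set_subject_name()`, which replaces the request's subject; the removed code appended to the subject already held by the request. The switch on `type` suggests more than one name component can be set (only `CSR_NAME_CN` is visible here), so a caller that sets several would presumably get a CSR carrying only the last one. Callers are outside this patch, so confirm that each sets a single component. If accumulation is the intended contract, start from a copy of the current subject instead: `n = X509_NAME_dup(X509_REQ_get_subject_name((X509_REQ *) csr));`. The function body is split across the nested hunks and its middle part is not shown.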
diff --git a/OpenSSL-Use-ASN1_STRING_length-get0_data-more-consis.patch b/OpenSSL-Use-ASN1_STRING_length-get0_data-more-consis.patch
new file mode 100644
index 0000000..cc71cf6
--- /dev/null
+++ b/OpenSSL-Use-ASN1_STRING_length-get0_data-more-consis.patch
@@ -0,0 +1,83 @@
+From 141abf49a432c9a0f4f38c47a477ab258ec9e239 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Mon, 6 Apr 2026 11:32:06 +0300
+Subject: [PATCH 1/3] OpenSSL: Use ASN1_STRING_length/get0_data() more
+ consistently
+
+Some of the accesses to ASN1_IA5STRING were using direct references to
+the structure members. Replace those with helper functions to avoid the
+direct access. This is needed for OpenSSL 4.0.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/crypto/tls_openssl.c | 26 +++++++++++++++-----------
+ 1 file changed, 15 insertions(+), 11 deletions(-)
+
+diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
+index d6f254371..fc7b4d2f9 100644
+--- a/src/crypto/tls_openssl.c
++++ b/src/crypto/tls_openssl.c
+@@ -2020,8 +2020,9 @@ static int tls_match_altsubject_component(X509 *cert, int type,
+ gen = sk_GENERAL_NAME_value(ext, i);
+ if (gen->type != type)
+ continue;
+- if (os_strlen((char *) gen->d.ia5->data) == len &&
+- os_memcmp(value, gen->d.ia5->data, len) == 0)
++ if ((size_t) ASN1_STRING_length(gen->d.ia5) == len &&
++ os_memcmp(value, ASN1_STRING_get0_data(gen->d.ia5), len) ==
++ 0)
+ found++;
+ }
+
+@@ -2344,10 +2345,10 @@ static int tls_match_suffix_helper(X509 *cert, const char *match,
+ continue;
+ dns_name++;
+ wpa_hexdump_ascii(MSG_DEBUG, "TLS: Certificate dNSName",
+- gen->d.dNSName->data,
+- gen->d.dNSName->length);
+- if (domain_suffix_match(gen->d.dNSName->data,
+- gen->d.dNSName->length,
++ ASN1_STRING_get0_data(gen->d.dNSName),
++ ASN1_STRING_length(gen->d.dNSName));
++ if (domain_suffix_match(ASN1_STRING_get0_data(gen->d.dNSName),
++ ASN1_STRING_length(gen->d.dNSName),
+ match, match_len, full) == 1) {
+ wpa_printf(MSG_DEBUG, "TLS: %s in dNSName found",
+ full ? "Match" : "Suffix match");
+@@ -2378,8 +2379,10 @@ static int tls_match_suffix_helper(X509 *cert, const char *match,
+ if (cn == NULL)
+ continue;
+ wpa_hexdump_ascii(MSG_DEBUG, "TLS: Certificate commonName",
+- cn->data, cn->length);
+- if (domain_suffix_match(cn->data, cn->length,
++ ASN1_STRING_get0_data(cn),
++ ASN1_STRING_length(cn));
++ if (domain_suffix_match(ASN1_STRING_get0_data(cn),
++ ASN1_STRING_length(cn),
+ match, match_len, full) == 1) {
+ wpa_printf(MSG_DEBUG, "TLS: %s in commonName found",
+ full ? "Match" : "Suffix match");
+@@ -2588,7 +2591,7 @@ static void openssl_tls_cert_event(struct tls_connection *conn,
+ gen->type != GEN_URI)
+ continue;
+
+- pos = os_malloc(10 + gen->d.ia5->length + 1);
++ pos = os_malloc(10 + ASN1_STRING_length(gen->d.ia5) + 1);
+ if (pos == NULL)
+ break;
+ altsubject[num_altsubject++] = pos;
+@@ -2608,8 +2611,9 @@ static void openssl_tls_cert_event(struct tls_connection *conn,
+ break;
+ }
+
+- os_memcpy(pos, gen->d.ia5->data, gen->d.ia5->length);
+- pos += gen->d.ia5->length;
++ os_memcpy(pos, ASN1_STRING_get0_data(gen->d.ia5),
++ ASN1_STRING_length(gen->d.ia5));
++ pos += ASN1_STRING_length(gen->d.ia5);
+ *pos = '\0';
+ }
+ sk_GENERAL_NAME_pop_free(ext, GENERAL_NAME_free);
+--
+2.53.0
+
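Review bot: The rewritten comparison in tls_match_altsubject_component() is a behaviour change rather than a pure accessor swap, and neither the code nor the commit message says so. The removed line measured the certificate value with `os_strlen()`, so a value holding an embedded NUL byte was compared only up to that byte, while the new line compares against the ASN.1 length. That stricter check is the right one for certificate name matching and deserves a comment that protects it from later simplification, e.g. `/* compare the full ASN.1 length; the value may contain NUL bytes and need not be NUL-terminated */`. Separately, openssl_tls_cert_event() evaluates `ASN1_STRING_length(gen->d.ia5)` three times for the allocation, the copy and the pointer advance; one local holding the length would keep those sizes visibly tied together. Both functions continue outside the nested hunks.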
diff --git a/hostapd.spec b/hostapd.spec
index 4df28bb..6cecf81 100644
--- a/hostapd.spec
+++ b/hostapd.spec
@@ -2,7 +2,7 @@
Name: hostapd
Version: 2.11
-Release: 5%{?dist}
+Release: 6%{?dist}
Summary: IEEE 802.11 AP, IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator
License: BSD-3-Clause
URL: http://w1.fi/hostapd
@@ -16,6 +16,13 @@ Source5: %{name}.init
# use pkcs11-provider instead of OpenSSL engine
Patch1: OpenSSL-Use-pkcs11-provider-when-OPENSSL_NO_ENGINE-i.patch
+# OpenSSL 4.0 compatibility patches
+# https://git.w1.fi/cgit/hostap/commit/?id=141abf49a432c9a0f4f38c47a477ab258ec9e239
+Patch2: OpenSSL-Use-ASN1_STRING_length-get0_data-more-consis.patch
+# https://git.w1.fi/cgit/hostap/commit/?id=ec00192a5a56cadbb250816b2ed1552f6a4fdabe
+Patch3: OpenSSL-Set-X509_REQ-subject-name-using-proper-API-c.patch
+# https://git.w1.fi/cgit/hostap/commit/?id=907c5a99ad126bbef72b4a5d67e363decbd3d1ac
+Patch4: OpenSSL-Mark-more-ASN1-X509-values-const.patch
BuildRequires: libnl3-devel
BuildRequires: openssl-devel
@@ -63,6 +70,7 @@ Logwatch scripts for hostapd.
%prep
%setup -q
+%autopatch -p1
sed \
-e '$ a CONFIG_SAE=y' \
-e '$ a CONFIG_SUITEB192=y' \
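Review bot: `%autopatch -p1` applies every declared patch, so it also covers the existing Patch1 (the pkcs11-provider change), not only the new Patch2 to Patch4. The rest of %prep is outside this hunk: if an explicit `%patch` line for Patch1 is still there, that patch would be applied twice. If there is none, this is the first build that applies Patch1, which changes how PKCS#11 URIs are resolved in the shipped binary. A comment above the macro, e.g. `# applies Patch1-Patch4; no per-patch %patch lines may remain in %prep`, would make the scope explicit for whoever audits what went into the package.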
@@ -196,6 +204,10 @@ fi
%{_sysconfdir}/logwatch/scripts/services/%{name}
%changelog
+* Mon May 11 2026 Pavol Žáčik <pzacik@redhat.com> - 2.11-6
+- Add OpenSSL 4.0 compatibility patches
+- Use %%autopatch to apply patches
+
* Thu Jan 29 2026 Davide Caratti <dcaratti@redhat.com> - 2.11-5
- Enable CONFIG_IEEE80211BE
- Use pkcs11-provider to resolve PKCS11 URIs