diff --git a/wpa_supplicant-bnc-1099835-clear-default_passwd_cb.patch b/wpa_supplicant-bnc-1099835-clear-default_passwd_cb.patch
new file mode 100644
index 0000000..795b631
--- /dev/null
+++ b/wpa_supplicant-bnc-1099835-clear-default_passwd_cb.patch
@@ -0,0 +1,71 @@
+commit 89971d8b1e328a2f79699c953625d1671fd40384
+Author: Jouni Malinen
+Date: Mon Jul 17 12:06:17 2017 +0300
+
+ OpenSSL: Clear default_passwd_cb more thoroughly
+
+ Previously, the pointer to strdup passwd was left in OpenSSL library
+ default_passwd_cb_userdata and even the default_passwd_cb was left set
+ on an error path. To avoid unexpected behavior if something were to
+ manage to use there pointers, clear them explicitly once done with
+ loading of the private key.
+
+ Signed-off-by: Jouni Malinen
+
+diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
+index c790b53ea..903c38cff 100644
+--- a/src/crypto/tls_openssl.c
++++ b/src/crypto/tls_openssl.c
+@@ -2775,6 +2775,19 @@ static int tls_connection_engine_private_key(struct tls_connection *conn)
+ }
+ 
+ 
++static void tls_clear_default_passwd_cb(SSL_CTX *ssl_ctx, SSL *ssl)
++{
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
++ if (ssl) {
++ SSL_set_default_passwd_cb(ssl, NULL);
++ SSL_set_default_passwd_cb_userdata(ssl, NULL);
++ }
++#endif /* >= 1.1.0f && !LibreSSL */
++ SSL_CTX_set_default_passwd_cb(ssl_ctx, NULL);
++ SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, NULL);
++}
++
++
+ static int tls_connection_private_key(struct tls_data *data,
+ struct tls_connection *conn,
+ const char *private_key,
+@@ -2891,14 +2904,12 @@ static int tls_connection_private_key(struct tls_data *data,
+ if (!ok) {
+ tls_show_errors(MSG_INFO, __func__,
+ "Failed to load private key");
++ tls_clear_default_passwd_cb(ssl_ctx, conn->ssl);
+ os_free(passwd);
+ return -1;
+ }
+ ERR_clear_error();
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+- SSL_set_default_passwd_cb(conn->ssl, NULL);
+-#endif /* >= 1.1.0f && !LibreSSL */
+- SSL_CTX_set_default_passwd_cb(ssl_ctx, NULL);
++ tls_clear_default_passwd_cb(ssl_ctx, conn->ssl);
+ os_free(passwd);
+ 
+ if (!SSL_check_private_key(conn->ssl)) {
+@@ -2941,13 +2952,14 @@ static int tls_global_private_key(struct tls_data *data,
+ tls_read_pkcs12(data, NULL, private_key, passwd)) {
+ tls_show_errors(MSG_INFO, __func__,
+ "Failed to load private key");
++ tls_clear_default_passwd_cb(ssl_ctx, NULL);
+ os_free(passwd);
+ ERR_clear_error();
+ return -1;
+ }
++ tls_clear_default_passwd_cb(ssl_ctx, NULL);
+ os_free(passwd);
+ ERR_clear_error();
+- SSL_CTX_set_default_passwd_cb(ssl_ctx, NULL);
+ 
+ if (!SSL_CTX_check_private_key(ssl_ctx)) {
+ tls_show_errors(MSG_INFO, __func__,
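Review bot: The `os_free(passwd);` calls in the tls_connection_private_key and tls_global_private_key hunks release the strdup'd private-key password without wiping it, so the secret stays in freed heap memory even though the new helper now clears OpenSSL's pointers to it; if this tree's os.h provides `str_clear_free()`, using `str_clear_free(passwd);` on all four of these paths would close that gap. The `#endif /* >= 1.1.0f && !LibreSSL */` comment on the new helper also misdescribes its guard: `OPENSSL_VERSION_NUMBER >= 0x10100000L` matches every 1.1.0 release, and the commit message of the companion patch states that `SSL_set_default_passwd_cb*()` is available from 1.1.0, so `/* >= 1.1.0 && !LibreSSL */` would be accurate; the same comment recurs in both hunks of wpa_supplicant-bnc-1099835-fix-private-key-password.patch. The enclosing functions tls_connection_private_key and tls_global_private_key start and end outside the hunk.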
diff --git a/wpa_supplicant-bnc-1099835-fix-private-key-password.patch b/wpa_supplicant-bnc-1099835-fix-private-key-password.patch
new file mode 100644
index 0000000..3727149
--- /dev/null
+++ b/wpa_supplicant-bnc-1099835-fix-private-key-password.patch
@@ -0,0 +1,43 @@
+commit f665c93e1d28fbab3d9127a8c3985cc32940824f
+Author: Beniamino Galvani
+Date: Sun Jul 9 11:14:10 2017 +0200
+
+ OpenSSL: Fix private key password handling with OpenSSL >= 1.1.0f
+
+ Since OpenSSL version 1.1.0f, SSL_use_PrivateKey_file() uses the
+ callback from the SSL object instead of the one from the CTX, so let's
+ set the callback on both SSL and CTX. Note that
+ SSL_set_default_passwd_cb*() is available only in 1.1.0.
+
+ Signed-off-by: Beniamino Galvani
+
+diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
+index fd94eaf46..c790b53ea 100644
+--- a/src/crypto/tls_openssl.c
++++ b/src/crypto/tls_openssl.c
+@@ -2796,6 +2796,15 @@ static int tls_connection_private_key(struct tls_data *data,
+ } else
+ passwd = NULL;
+ 
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
++ /*
++ * In OpenSSL >= 1.1.0f SSL_use_PrivateKey_file() uses the callback
++ * from the SSL object. See OpenSSL commit d61461a75253.
++ */
++ SSL_set_default_passwd_cb(conn->ssl, tls_passwd_cb);
++ SSL_set_default_passwd_cb_userdata(conn->ssl, passwd);
++#endif /* >= 1.1.0f && !LibreSSL */
++ /* Keep these for OpenSSL < 1.1.0f */
+ SSL_CTX_set_default_passwd_cb(ssl_ctx, tls_passwd_cb);
+ SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, passwd);
+ 
+@@ -2886,6 +2895,9 @@ static int tls_connection_private_key(struct tls_data *data,
+ return -1;
+ }
+ ERR_clear_error();
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
++ SSL_set_default_passwd_cb(conn->ssl, NULL);
++#endif /* >= 1.1.0f && !LibreSSL */
+ SSL_CTX_set_default_passwd_cb(ssl_ctx, NULL);
+ os_free(passwd);
+ 
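Review bot: The `/* Keep these for OpenSSL < 1.1.0f */` comment in the first hunk does not match what the code does: the `#if` above it is keyed on `0x10100000L`, so on 1.1.0 through 1.1.0e both the SSL-level and the CTX-level callbacks are installed and it is the CTX-level one that those releases consult. A comment such as `/* Older OpenSSL, including 1.1.0 before 1.1.0f, reads the CTX-level callback */` would describe the pair of unconditional `SSL_CTX_set_default_passwd_cb*()` lines accurately. Both hunks sit inside tls_connection_private_key, whose start and end lie outside the patch.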
diff --git a/wpa_supplicant.changes b/wpa_supplicant.changes
index bb94d66..a48959e 100644
--- a/wpa_supplicant.changes
+++ b/wpa_supplicant.changes
@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Fri Jul 20 13:48:52 CEST 2018 - ro@suse.de
+
+- add two patches from upstream to fix reading private key
+ passwords from the configuration file (bsc#1099835)
+ - add patch for git 89971d8b1e328a2f79699c953625d1671fd40384
+ wpa_supplicant-bnc-1099835-clear-default_passwd_cb.patch
+ - add patch for git f665c93e1d28fbab3d9127a8c3985cc32940824f
+ wpa_supplicant-bnc-1099835-fix-private-key-password.patch
+
 -------------------------------------------------------------------
 Mon Oct 16 13:32:07 UTC 2017 - meissner@suse.com
diff --git a/wpa_supplicant.spec b/wpa_supplicant.spec
index db984a0..1c3855d 100644
--- a/wpa_supplicant.spec
+++ b/wpa_supplicant.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package wpa_supplicant
 #
-# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -20,7 +20,7 @@ Name: wpa_supplicant
 Version: 2.6
 Release: 0
 Summary: WPA supplicant implementation
-License: BSD-3-Clause and GPL-2.0+
+License: BSD-3-Clause AND GPL-2.0-or-later
 Group: Productivity/Networking/Other
 Url: http://hostap.epitest.fi/wpa_supplicant/
 Source: http://hostap.epitest.fi/releases/wpa_supplicant-%{version}.tar.gz
@@ -49,6 +49,8 @@ Patch14: rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patc
 Patch15: rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch
 Patch16: rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch
 Patch17: rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch
+Patch18: wpa_supplicant-bnc-1099835-fix-private-key-password.patch
+Patch19: wpa_supplicant-bnc-1099835-clear-default_passwd_cb.patch
 BuildRequires: openssl-devel
 BuildRequires: pkgconfig
@@ -95,6 +97,8 @@ cp %{SOURCE1} wpa_supplicant/.config
 %patch15 -p1
 %patch16 -p1
 %patch17 -p1
+%patch18 -p1
+%patch19 -p1
 %build
 cd wpa_supplicant