From patchwork Wed Mar 21 00:00:47 2012
X-Patchwork-Submitter: Kenny Root
X-Patchwork-Id: 288690
From: Kenny Root
Date: Tue, 20 Mar 2012 17:00:47 -0700
Subject: [PATCH] Use keystore ENGINE for private key operations
To: hostap@lists.shmoo.com
Message-Id: <20131106004209.D226513FAD3@ushik.mtv.corp.google.com>

The new keystore ENGINE is usable to perform private key operations when we can't get the actual private key data. This is the case when hardware crypto is enabled: the private key never leaves the hardware. Subsequently, we need to be able to talk to OpenSSL ENGINEs that aren't PKCS#11 or OpenSC. This just changes a few #define variables to allow us to talk to our keystore engine without having one of those enabled and without using a PIN.

Change-Id: Iabab5077c3d167a1e13bc8ef8745dc59ad4d62f7
---
src/crypto/tls_openssl.c | 9 +++++++++
1 file changed, 9 insertions(+)

diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c index 772f0b2..aaa920b 100644 --- a/src/crypto/tls_openssl.c +++ b/src/crypto/tls_openssl.c @@ -10,9 +10,11 @@ #ifndef CONFIG_SMARTCARD #ifndef OPENSSL_NO_ENGINE +#ifndef ANDROID #define OPENSSL_NO_ENGINE #endif #endif +#endif #include #include
@@ -793,16 +795,21 @@ static int tls_engine_init(struct tls_connection *conn, const char *engine_id, wpa_printf(MSG_ERROR, "ENGINE: Engine ID not set"); return -1; } +#ifndef ANDROID if (pin == NULL) { wpa_printf(MSG_ERROR, "ENGINE: Smartcard PIN not set"); return -1; } +#endif if (key_id == NULL) { wpa_printf(MSG_ERROR, "ENGINE: Key Id not set"); return -1; } ERR_clear_error(); +#ifdef ANDROID + ENGINE_load_dynamic(); +#endif conn->engine = ENGINE_by_id(engine_id); if (!conn->engine) { wpa_printf(MSG_ERROR, "ENGINE: engine %s not available [%s]", @@ -817,11 +824,13 @@ static int tls_engine_init(struct tls_connection *conn, const char *engine_id, } wpa_printf(MSG_DEBUG, "ENGINE: engine initialized"); +#ifndef ANDROID if (ENGINE_ctrl_cmd_string(conn->engine, "PIN", pin, 0) == 0) { wpa_printf(MSG_ERROR, "ENGINE: cannot set pin [%s]", ERR_error_string(ERR_get_error(), NULL)); goto err; } +#endif /* load private key first in-case PIN is required for cert */ conn->private_key = ENGINE_load_private_key(conn->engine, key_id, NULL, NULL);
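Review bot: in the first hunk (@@ -10,9 +10,11 @@), keying the suppression of `#define OPENSSL_NO_ENGINE` on the platform macro `ANDROID` rather than on a build option means every Android build of tls_openssl.c now compiles with ENGINE support enabled, including builds that never use the keystore engine, and nothing at the site says why. Consider a dedicated build option that the Android build sets (a CONFIG_ flag alongside CONFIG_SMARTCARD; the name is for the author to choose) and a one-line comment above `+#ifndef ANDROID` stating that the keystore engine must be reachable without CONFIG_SMARTCARD. The three nested `#ifndef`/`#endif` pairs do balance as written.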
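Review bot: in the second hunk (@@ -793,16 +795,21 @@), wrapping the `if (pin == NULL)` check in `#ifndef ANDROID` drops PIN enforcement for every engine on Android, not only the keystore engine: a pkcs11 or OpenSC engine configured on an Android build would now get past `tls_engine_init` without a PIN and fail later with a less specific error. The commit message motivates the change only for the keystore engine, so gate on the engine rather than the platform, for example by keeping the check and skipping it only when `engine_id` names the keystore engine, or by making the PIN optional on all platforms and letting the engine report a missing PIN itself. Separately, `ENGINE_load_dynamic()` now runs on every call of `tls_engine_init` rather than once at setup; if a one-time registration is the intent, say so in a comment next to the call, and note there that the keystore engine is loaded through OpenSSL's dynamic engine, which is why the call is needed only on Android.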
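Review bot: in the third hunk (@@ -817,11 +824,13 @@), with `ENGINE_ctrl_cmd_string(conn->engine, "PIN", pin, 0)` compiled out on Android, the comment that follows it, `/* load private key first in-case PIN is required for cert */`, no longer describes the Android path, and the `pin` parameter is never used on Android builds. A runtime condition such as `if (pin != NULL && ENGINE_ctrl_cmd_string(conn->engine, "PIN", pin, 0) == 0)` would keep PIN handling for engines that need it on every platform, make the `#ifndef ANDROID` guards in this hunk and the previous one unnecessary, and keep the comment accurate; if the platform guard stays, extend the comment to say that the keystore engine authenticates without a PIN.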