From patchwork Tue Apr 6 16:03:48 2021
X-Patchwork-Submitter: Andrew Beltrano
X-Patchwork-Id: 1462897
From: Andrew Beltrano
To: hostap@lists.infradead.org
CC: Shane Guan
Subject: [PATCH] DPP: Allow loading bootstrap keys using an OpenSSL engine
Date: Tue, 6 Apr 2021 16:03:48 +0000
Add ability to load a DPP bootstrap key-pair using an arbitrary OpenSSL
engine instead of requiring the private key to be specified explicitly.
The engine name, so path, and key identifier must be specified to enable
loading a key using an OpenSSL engine. The key identifier is an
engine-specific field used to identify the key to load. Explicit private
keys, if specified, take precedence over OpenSSL engine-based keys.

Signed-off-by: Andrew Beltrano
---
Note that this patch depends on the patch-set titled 'Expose OpenSSL dynamic engine loading globally'.

 hostapd/hostapd_cli.c    |   2 +-
 src/common/dpp.c         |  19 ++++++++
 src/common/dpp.h         |   9 ++++
 src/common/dpp_crypto.c  | 101 +++++++++++++++++++++++++++++++++++++++
 src/common/dpp_i.h       |   7 +++
 wpa_supplicant/wpa_cli.c |   2 +-
 6 files changed, 138 insertions(+), 2 deletions(-)
diff --git a/hostapd/hostapd_cli.c b/hostapd/hostapd_cli.c index eaa628ad0..62d948680 100644 --- a/hostapd/hostapd_cli.c +++ b/hostapd/hostapd_cli.c @@ -1690,7 +1690,7 @@ static const struct hostapd_cli_cmd hostapd_cli_commands[] = { { "dpp_qr_code", hostapd_cli_cmd_dpp_qr_code, NULL, "report a scanned DPP URI from a QR Code" }, { "dpp_bootstrap_gen", hostapd_cli_cmd_dpp_bootstrap_gen, NULL, - "type= [chan=..] [mac=..] [info=..] [curve=..] [key=..] = generate DPP bootstrap information" }, + "type= [chan=..] [mac=..] [info=..] [curve=..] [key=..] [key_id=..] [engine=..] [engine_path=..] = generate DPP bootstrap information" }, { "dpp_bootstrap_remove", hostapd_cli_cmd_dpp_bootstrap_remove, NULL, "*| = remove DPP bootstrap information" }, { "dpp_bootstrap_get_uri", hostapd_cli_cmd_dpp_bootstrap_get_uri, NULL, diff --git a/src/common/dpp.c b/src/common/dpp.c index 3c8c7682d..a7468ca91 100644 --- a/src/common/dpp.c +++ b/src/common/dpp.c @@ -180,6 +180,13 @@ void dpp_bootstrap_info_free(struct dpp_bootstrap_info *info) os_free(info->info); os_free(info->chan); os_free(info->pk); +#ifndef OPENSSL_NO_ENGINE + os_free(info->key_id); + os_free(info->engine_id); + os_free(info->engine_path); + if (info->engine) + ENGINE_finish(info->engine); +#endif /* OPENSSL_NO_ENGINE */ EVP_PKEY_free(info->pubkey); str_clear_free(info->configurator_params); os_free(info); @@ -3893,6 +3900,11 @@ int dpp_bootstrap_gen(struct dpp_global *dpp, const char *cmd) info = get_param(cmd, " info="); curve = get_param(cmd, " curve="); key = get_param(cmd, " key="); +#ifndef OPENSSL_NO_ENGINE + bi->key_id = get_param(cmd, " key_id="); + bi->engine_id = get_param(cmd, " engine="); + bi->engine_path = get_param(cmd, " engine_path="); +#endif /* OPENSSL_NO_ENGINE */ if (key) { privkey_len = os_strlen(key) / 2; 
@@ -3901,6 +3913,13 @@ int dpp_bootstrap_gen(struct dpp_global *dpp, const char *cmd) hexstr2bin(key, privkey, privkey_len) < 0) goto fail; } +#ifndef OPENSSL_NO_ENGINE + else if (bi->key_id) { + bi->engine = dpp_load_engine(bi->engine_id, bi->engine_path); + if (!bi->engine) + goto fail; + } +#endif /* OPENSSL_NO_ENGINE */ if (dpp_keygen(bi, curve, privkey, privkey_len) < 0 || dpp_parse_uri_chan_list(bi, bi->chan) < 0 || diff --git a/src/common/dpp.h b/src/common/dpp.h index 65ee905a7..d5c062f82 100644 --- a/src/common/dpp.h +++ b/src/common/dpp.h @@ -12,6 +12,9 @@ #ifdef CONFIG_DPP #include +#ifndef OPENSSL_NO_ENGINE +#include +#endif /* OPENSSL_NO_ENGINE */ #include "utils/list.h" #include "common/wpa_common.h" @@ -166,6 +169,12 @@ struct dpp_bootstrap_info { int nfc_negotiated; /* whether this has been used in NFC negotiated * connection handover */ char *configurator_params; +#ifndef OPENSSL_NO_ENGINE + char *key_id; + char *engine_id; + char *engine_path; + ENGINE *engine; +#endif /* OPENSSL_NO_ENGINE */ }; #define PKEX_COUNTER_T_LIMIT 5 diff --git a/src/common/dpp_crypto.c b/src/common/dpp_crypto.c index c75fc7871..f04ee9e0e 100644 --- a/src/common/dpp_crypto.c +++ b/src/common/dpp_crypto.c @@ -19,6 +19,9 @@ #include "utils/json.h" #include "common/ieee802_11_defs.h" #include "crypto/crypto.h" +#ifndef OPENSSL_NO_ENGINE +#include "crypto/openssl_engine.h" +#endif #include "crypto/random.h" #include "crypto/sha384.h" #include "crypto/sha512.h" 
@@ -363,6 +366,100 @@ int dpp_pbkdf2(size_t hash_len, const u8 *password, size_t password_len, #endif /* CONFIG_DPP2 */ +#ifndef OPENSSL_NO_ENGINE +static EVP_PKEY * dpp_load_keypair(const struct dpp_curve_params **curve, + ENGINE *engine, const char *key_id) +{ + EVP_PKEY *pkey; + EC_KEY *eckey; + const EC_GROUP *group; + int nid; + + pkey = ENGINE_load_private_key(engine, key_id, NULL, NULL); + if (!pkey) { + wpa_printf(MSG_ERROR, "ENGINE: cannot load private key with id '%s' [%s]", + key_id, ERR_error_string(ERR_get_error(), NULL)); + return NULL; + } + + eckey = EVP_PKEY_get1_EC_KEY(pkey); + if (!eckey) { + EVP_PKEY_free(pkey); + return NULL; + } + + group = EC_KEY_get0_group(eckey); + if (!group) { + EC_KEY_free(eckey); + EVP_PKEY_free(pkey); + return NULL; + } + + nid = EC_GROUP_get_curve_name(group); + *curve = dpp_get_curve_nid(nid); + if (!*curve) { + wpa_printf(MSG_INFO, + "DPP: Unsupported curve (nid=%d) in pre-assigned key", + nid); + EC_KEY_free(eckey); + EVP_PKEY_free(pkey); + return NULL; + } + + EC_KEY_free(eckey); + return pkey; +} + + +static int dpp_openssl_engine_load_dynamic(const char *engine_id, + const char *engine_path) +{ + const char *pre_cmd[] = { + "SO_PATH", engine_path, + "ID", engine_id, + "LIST_ADD", "1", + "LOAD", NULL, + NULL, NULL + }; + const char *post_cmd[] = { + NULL, NULL + }; + + if (!engine_id || !engine_path) + return 0; + + wpa_printf(MSG_DEBUG, "ENGINE: Loading %s Engine from %s", + engine_id, engine_path); + + return openssl_engine_load_dynamic_generic(pre_cmd, post_cmd, engine_id); +} + + +ENGINE * dpp_load_engine(const char *engine_id, const char *engine_path) +{ + if (dpp_openssl_engine_load_dynamic(engine_id, engine_path) < 0) + return NULL; + + ENGINE *engine = ENGINE_by_id(engine_id); + if (!engine) { + wpa_printf(MSG_ERROR, "ENGINE: engine %s not available [%s]", + engine_id, ERR_error_string(ERR_get_error(), NULL)); + return NULL; + } + + if (ENGINE_init(engine) != 1) { + wpa_printf(MSG_ERROR, "ENGINE: engine 
init failed " + "(engine: %s) [%s]", engine_id, + ERR_error_string(ERR_get_error(), NULL)); + ENGINE_free(engine); + return NULL; + } + + return engine; +} +#endif /* OPENSSL_NO_ENGINE */ + + int dpp_bn2bin_pad(const BIGNUM *bn, u8 *pos, size_t len) { int num_bytes, offset; @@ -730,6 +827,10 @@ int dpp_keygen(struct dpp_bootstrap_info *bi, const char *curve, if (privkey) bi->pubkey = dpp_set_keypair(&bi->curve, privkey, privkey_len); +#ifndef OPENSSL_NO_ENGINE + else if (bi->engine) + bi->pubkey = dpp_load_keypair(&bi->curve, bi->engine, bi->key_id); +#endif /* OPENSSL_NO_ENGINE */ else bi->pubkey = dpp_gen_keypair(bi->curve); if (!bi->pubkey) diff --git a/src/common/dpp_i.h b/src/common/dpp_i.h index af12467a5..3e42b1a11 100644 --- a/src/common/dpp_i.h +++ b/src/common/dpp_i.h @@ -12,6 +12,10 @@ #ifdef CONFIG_DPP +#ifndef OPENSSL_NO_ENGINE +#include +#endif /* OPENSSL_NO_ENGINE */ + struct dpp_global { void *msg_ctx; struct dl_list bootstrap; /* struct dpp_bootstrap_info */ @@ -139,6 +143,9 @@ char * dpp_sign_connector(struct dpp_configurator *conf, const struct wpabuf *dppcon); int dpp_test_gen_invalid_key(struct wpabuf *msg, const struct dpp_curve_params *curve); +#ifndef OPENSSL_NO_ENGINE +ENGINE * dpp_load_engine(const char *engine_id, const char *engine_path); +#endif /* OPENSSL_NO_ENGINE */ struct dpp_reconfig_id { const EC_GROUP *group; diff --git a/wpa_supplicant/wpa_cli.c b/wpa_supplicant/wpa_cli.c index fea7b85e0..11bb63dc3 100644 --- a/wpa_supplicant/wpa_cli.c +++ b/wpa_supplicant/wpa_cli.c 
@@ -3855,7 +3855,7 @@ static const struct wpa_cli_cmd wpa_cli_commands[] = { "report a scanned DPP URI from a QR Code" }, { "dpp_bootstrap_gen", wpa_cli_cmd_dpp_bootstrap_gen, NULL, cli_cmd_flag_sensitive, - "type= [chan=..] [mac=..] [info=..] [curve=..] [key=..] = generate DPP bootstrap information" }, + "type= [chan=..] [mac=..] [info=..] [curve=..] [key=..] [key_id=..] [engine=..] [engine_path=..] = generate DPP bootstrap information" }, { "dpp_bootstrap_remove", wpa_cli_cmd_dpp_bootstrap_remove, NULL, cli_cmd_flag_none, "*| = remove DPP bootstrap information" },
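Review bot: in the hostapd/hostapd_cli.c hunk, the new help string for dpp_bootstrap_gen presents key_id=, engine= and engine_path= as three independent optional arguments, but they only act together and are ignored whenever key= is given (key= takes precedence in dpp_bootstrap_gen()). A grouping such as `[key=..|key_id=.. engine=.. engine_path=..]` would convey that, and the semantics (engine-specific key identifier, precedence of key=) also need to go into the user-facing DPP documentation next to the existing dpp_bootstrap_gen description; the identical wpa_cli.c help string should be kept in step.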
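Review bot: in the src/common/dpp.c hunk for dpp_bootstrap_info_free(), ENGINE_finish(info->engine) runs before EVP_PKEY_free(info->pubkey), yet when the key was produced by dpp_load_keypair() that EVP_PKEY came from ENGINE_load_private_key() and may still reference engine-owned state; releasing the engine's functional reference while the key is alive invites a use-after-finish in the engine. Suggest moving the whole `#ifndef OPENSSL_NO_ENGINE` block so that it follows `EVP_PKEY_free(info->pubkey);`, i.e. free the key first, then ENGINE_finish().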
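Review bot: in the src/common/dpp.c hunk at dpp_bootstrap_gen() (`else if (bi->key_id)`), a command that supplies key_id= but no engine= still reaches dpp_load_engine(NULL, ...): dpp_openssl_engine_load_dynamic() returns 0 for NULL arguments, so the failure only surfaces from ENGINE_by_id(NULL) as a generic "engine (null) not available" error. Suggest checking `bi->engine_id` up front and failing with an explicit "key_id requires engine=" message. Also, the commit message states that engine name, so path and key identifier must all be specified, whereas the code treats engine_path= as optional (dynamic loading is skipped and an already available engine is looked up by id); one of the two should be aligned with the other.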
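Review bot: in the src/common/dpp_crypto.c hunk at line 19, the new `#endif` after `#include "crypto/openssl_engine.h"` lacks the `/* OPENSSL_NO_ENGINE */` trailing comment that every other `#endif` in this patch carries; please add it for consistency.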
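Review bot: in the src/common/dpp_crypto.c hunk adding dpp_load_keypair() and dpp_load_engine(), dpp_load_keypair() never verifies that the engine-supplied key carries a public point: engine-backed keys (HSM or TPM style) can come back as a handle without the public component, and the DPP code downstream needs the public key to derive the bootstrap hash and URI, so a check like `if (!EC_KEY_get0_public_key(eckey)) goto error` after the EC_KEY_get0_group() check would turn a later obscure failure into a clear one. On style, `ENGINE *engine = ENGINE_by_id(engine_id);` in dpp_load_engine() is a declaration after a statement; hostap code declares variables at the top of the block, so declare `ENGINE *engine;` first and assign after the dynamic-load check. The two wpa_printf() lines with the long format strings also look over the 79-column limit and should be wrapped.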
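Review bot: in the src/common/dpp_crypto.c hunk for dpp_keygen(), the `else if (bi->engine)` branch lets dpp_load_keypair() overwrite bi->curve with whatever curve the engine key uses, so a curve= argument given together with key_id= is silently superseded. That mirrors the existing dpp_set_keypair() path for key=, but a mismatch between an explicitly requested curve and the loaded key deserves at least a MSG_INFO log line so that a mis-specified key_id is noticed rather than producing bootstrap info on an unexpected curve.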
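Review bot: in the src/common/dpp_i.h hunk at line 12, `#ifndef OPENSSL_NO_ENGINE` only does its job if an OpenSSL header (which pulls in <openssl/opensslconf.h>) has already been included at that point; placed directly after `#ifdef CONFIG_DPP`, the guard depends on every includer having included dpp.h or another OpenSSL header first, and otherwise an engine-less OpenSSL build would still include the engine header. Suggest including <openssl/opensslconf.h> before the check, or moving the block after an existing OpenSSL include.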