[PATCH 6/6] Do not require a PIN for PKCS#11

David Woodhouse dwmw2 at infradead.org
Thu Dec 18 10:09:55 EST 2014


It isn't mandatory. If we need one and it's not present, the ENGINE will
try asking for it. Make sure it doesn't actually let an OpenSSL UI loose,
since we don't currently capture those.

Signed-off-by: David Woodhouse <David.Woodhouse at intel.com>
---
 src/crypto/tls_openssl.c | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index 2b0ef4e..c72bf4e 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -897,12 +897,6 @@ static int tls_engine_init(struct tls_connection *conn, const char *engine_id,
 		wpa_printf(MSG_ERROR, "ENGINE: Engine ID not set");
 		return -1;
 	}
-#ifndef ANDROID
-	if (pin == NULL) {
-		wpa_printf(MSG_ERROR, "ENGINE: Smartcard PIN not set");
-		return -1;
-	}
-#endif
 
 	ERR_clear_error();
 #ifdef ANDROID
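Review bot: dropping the "Smartcard PIN not set" check means a missing PIN is no longer reported at this point, and when the engine does need one the failure will only surface later as "ENGINE: cannot load private key ... [%s]" with whatever ERR_error_string returns, which is far less diagnosable than the message being removed here. Suggest keeping a `wpa_printf(MSG_DEBUG, ...)` when `pin == NULL` so a log reader can tell a deliberately omitted PIN from a misconfiguration. It is also worth saying in the commit message that this aligns the non-Android path with the `#ifndef ANDROID` path, which never had the check.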
@@ -923,16 +917,24 @@ static int tls_engine_init(struct tls_connection *conn, const char *engine_id,
 	wpa_printf(MSG_DEBUG, "ENGINE: engine initialized");
 
 #ifndef ANDROID
-	if (ENGINE_ctrl_cmd_string(conn->engine, "PIN", pin, 0) == 0) {
+	if (pin && ENGINE_ctrl_cmd_string(conn->engine, "PIN", pin, 0) == 0) {
 		wpa_printf(MSG_ERROR, "ENGINE: cannot set pin [%s]",
 			   ERR_error_string(ERR_get_error(), NULL));
 		goto err;
 	}
 #endif
 	if (key_id) {
+		/* Ensure that the ENGINE does not attempt to use the OpenSSL
+		   UI system to obtain a PIN, if we didn't provide one. */
+		struct {
+			const void *password;
+			const char *prompt_info;
+		} key_cb = { "", NULL };
+
 		/* load private key first in-case PIN is required for cert */
 		conn->private_key = ENGINE_load_private_key(conn->engine,
-							    key_id, NULL, NULL);
+							    key_id, NULL,
+							    &key_cb);
 		if (!conn->private_key) {
 			wpa_printf(MSG_ERROR, "ENGINE: cannot load private key"
 				   " with id '%s' [%s]", key_id,
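Review bot: the anonymous `key_cb` struct with `password` and `prompt_info` members hard-codes the callback_data layout of one particular PKCS#11 engine, and nothing here records which one; the comment above it should name the engine whose `struct { const void *password; const char *prompt_info; }` it mirrors, because a different engine interpreting the fourth `ENGINE_load_private_key` argument as something else would dereference it incorrectly. Passing `""` rather than NULL as the password also has a side effect worth noting: instead of prompting, the engine will attempt a login with an empty PIN, and on tokens that count failed logins this can consume a retry against the PIN lockout counter every time a connection is attempted without a configured PIN. If the intent is purely to suppress the UI, consider documenting that an empty PIN is what the token will see, and note that the later certificate-loading path in this function, which is not in the hunk, may need the same callback data if it can also trigger a prompt.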
-- 
2.1.0


-- 
David Woodhouse                            Open Source Technology Centre
David.Woodhouse at intel.com                              Intel Corporation