Separate OpenSSL engine configuration for Phase 2
I fixed the engine issue in phase2 of EAP-TTLS. The problem was that you only defined one engine variable, which was read already in phase1. I defined some new variables: engine2 engine2_id pin2 and added support to read those in phase2, whereas all the engine variables without a number are only read in phase1. That solved it and I am now able to use an engine also in EAP-TTLS phase2.
This commit is contained in:
parent
9ef21b2fef
commit
98842d51ec
6 changed files with 63 additions and 6 deletions
@ -408,6 +408,47 @@ struct eap_peer_config {
*/
*/
char *engine_id;
char *engine_id;
/**
* engine2 - Enable OpenSSL engine (e.g., for smartcard) (Phase 2)
*
* This is used if private key operations for EAP-TLS are performed
* using a smartcard.
*
* This field is like engine, but used for phase 2 (inside
* EAP-TTLS/PEAP/FAST tunnel) authentication.
*/
int engine2;
/**
* pin2 - PIN for USIM, GSM SIM, and smartcards (Phase 2)
*
* This field is used to configure PIN for SIM and smartcards for
* EAP-SIM and EAP-AKA. In addition, this is used with EAP-TLS if a
* smartcard is used for private key operations.
*
* This field is like pin2, but used for phase 2 (inside
* EAP-TTLS/PEAP/FAST tunnel) authentication.
*
* If left out, this will be asked through control interface.
*/
char *pin2;
/**
* engine2_id - Engine ID for OpenSSL engine (Phase 2)
*
* "opensc" to select OpenSC engine or "pkcs11" to select PKCS#11
* engine.
*
* This is used if private key operations for EAP-TLS are performed
* using a smartcard.
*
* This field is like engine_id, but used for phase 2 (inside
* EAP-TTLS/PEAP/FAST tunnel) authentication.
*/
char *engine2_id;
/**
/**
* key_id - Key ID for OpenSSL engine
* key_id - Key ID for OpenSSL engine
*
*
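Review bot: The new pin2 doc comment describes the field as "like pin2", which is self-referential; the line should read `* This field is like pin, but used for phase 2 (inside`. The block also carries over the EAP-SIM/EAP-AKA sentence from pin, but this commit only wires pin2 into the phase-2 TLS parameters, so whether a tunnelled EAP-SIM/AKA method ever reads pin2 is not shown here and that sentence should be trimmed or confirmed against those methods. Likewise "If left out, this will be asked through control interface" is only true for pin2 if the PIN request path also fills pin2, which this change does not touch; hedge it or verify before keeping it. The same "like engine" / "like engine_id" wording on engine2 and engine2_id is fine.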
@ -36,7 +36,8 @@ static void * eap_tls_init(struct eap_sm *sm)
struct eap_peer_config *config = eap_get_config(sm);
struct eap_peer_config *config = eap_get_config(sm);
if (config == NULL ||
if (config == NULL ||
((sm->init_phase2 ? config->private_key2 : config->private_key)
((sm->init_phase2 ? config->private_key2 : config->private_key)
== NULL && config->engine == 0)) {
== NULL &&
(sm->init_phase2 ? config->engine2 : config->engine) == 0)) {
wpa_printf(MSG_INFO, "EAP-TLS: Private key not configured");
wpa_printf(MSG_INFO, "EAP-TLS: Private key not configured");
return NULL;
return NULL;
}
}
@ -56,6 +56,7 @@ static void eap_tls_params_from_conf1(struct tls_connection_params *params,
params->dh_file = (char *) config->dh_file;
params->dh_file = (char *) config->dh_file;
params->subject_match = (char *) config->subject_match;
params->subject_match = (char *) config->subject_match;
params->altsubject_match = (char *) config->altsubject_match;
params->altsubject_match = (char *) config->altsubject_match;
params->engine = config->engine;
params->engine_id = config->engine_id;
params->engine_id = config->engine_id;
params->pin = config->pin;
params->pin = config->pin;
params->key_id = config->key_id;
params->key_id = config->key_id;
@ -75,8 +76,9 @@ static void eap_tls_params_from_conf2(struct tls_connection_params *params,
params->dh_file = (char *) config->dh_file2;
params->dh_file = (char *) config->dh_file2;
params->subject_match = (char *) config->subject_match2;
params->subject_match = (char *) config->subject_match2;
params->altsubject_match = (char *) config->altsubject_match2;
params->altsubject_match = (char *) config->altsubject_match2;
params->engine_id = config->engine_id;
params->engine = config->engine2;
params->pin = config->pin;
params->engine_id = config->engine2_id;
params->pin = config->pin2;
params->key_id = config->key2_id;
params->key_id = config->key2_id;
params->cert_id = config->cert2_id;
params->cert_id = config->cert2_id;
params->ca_cert_id = config->ca_cert2_id;
params->ca_cert_id = config->ca_cert2_id;
@ -89,11 +91,13 @@ static int eap_tls_params_from_conf(struct eap_sm *sm,
struct eap_peer_config *config, int phase2)
struct eap_peer_config *config, int phase2)
{
{
os_memset(params, 0, sizeof(*params));
os_memset(params, 0, sizeof(*params));
params->engine = config->engine;
if (phase2) {
if (phase2)
wpa_printf(MSG_DEBUG, "TLS: using phase2 config options");
eap_tls_params_from_conf2(params, config);
eap_tls_params_from_conf2(params, config);
else
} else {
wpa_printf(MSG_DEBUG, "TLS: using phase1 config options");
eap_tls_params_from_conf1(params, config);
eap_tls_params_from_conf1(params, config);
}
params->tls_ia = data->tls_ia;
params->tls_ia = data->tls_ia;
/*
/*
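Review bot: The eap_tls_init check now carries two `sm->init_phase2 ? … : …` selections inside a single `if`, which makes the "no key and no engine" condition hard to read and easy to get wrong on the next edit; hoisting the engine choice into a local, `int engine = sm->init_phase2 ? config->engine2 : config->engine;`, and testing `engine == 0` in the condition keeps the logic in one place (eap_tls_init's body continues outside the hunk). A second, smaller point: with engine2 set but engine2_id/key2_id left empty the phase-2 init now proceeds past this check, and whether the later tls_connection_set_params call rejects that combination is not visible here — worth a one-line comment at the check noting that the engine path relies on the TLS layer to validate the ID fields, or a debug print as in eap_tls_params_from_conf. The move of `params->engine = config->engine;` from eap_tls_params_from_conf into the two from_conf helpers is consistent with the `os_memset` that precedes them and needs nothing further.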
@ -1331,10 +1331,13 @@ static const struct parse_data ssid_fields[] = {
{ STRe(key_id) },
{ STRe(key_id) },
{ STRe(cert_id) },
{ STRe(cert_id) },
{ STRe(ca_cert_id) },
{ STRe(ca_cert_id) },
{ STR_KEYe(pin2) },
{ STRe(engine2_id) },
{ STRe(key2_id) },
{ STRe(key2_id) },
{ STRe(cert2_id) },
{ STRe(cert2_id) },
{ STRe(ca_cert2_id) },
{ STRe(ca_cert2_id) },
{ INTe(engine) },
{ INTe(engine) },
{ INTe(engine2) },
{ INT(eapol_flags) },
{ INT(eapol_flags) },
#endif /* IEEE8021X_EAPOL */
#endif /* IEEE8021X_EAPOL */
{ FUNC_KEY(wep_key0) },
{ FUNC_KEY(wep_key0) },
@ -1497,6 +1500,8 @@ static void eap_peer_config_free(struct eap_peer_config *eap)
os_free(eap->key2_id);
os_free(eap->key2_id);
os_free(eap->cert2_id);
os_free(eap->cert2_id);
os_free(eap->ca_cert2_id);
os_free(eap->ca_cert2_id);
os_free(eap->pin2);
os_free(eap->engine2_id);
os_free(eap->otp);
os_free(eap->otp);
os_free(eap->pending_req_otp);
os_free(eap->pending_req_otp);
os_free(eap->pac_file);
os_free(eap->pac_file);
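Review bot: `os_free(eap->pin2);` in eap_peer_config_free releases a credential without clearing it, so the phase-2 PIN can linger in freed heap until the allocator reuses the block; if the existing `pin` field is wiped before release elsewhere, pin2 should get the same treatment, and if it is not, an `if (eap->pin2) os_memset(eap->pin2, 0, os_strlen(eap->pin2));` ahead of the free is cheap for both fields (eap_peer_config_free's body starts outside the hunk). The parser side is consistent: registering pin2 with `STR_KEYe` rather than `STRe` keeps it in the key-handling path like the other secrets in ssid_fields, and the new `engine2_id`/`engine2` entries mirror the existing phase-1 ones.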
@ -758,9 +758,12 @@ static void wpa_config_write_network(FILE *f, struct wpa_ssid *ssid)
STR(cert_id);
STR(cert_id);
STR(ca_cert_id);
STR(ca_cert_id);
STR(key2_id);
STR(key2_id);
STR(pin2);
STR(engine2_id);
STR(cert2_id);
STR(cert2_id);
STR(ca_cert2_id);
STR(ca_cert2_id);
INTe(engine);
INTe(engine);
INTe(engine2);
INT_DEF(eapol_flags, DEFAULT_EAPOL_FLAGS);
INT_DEF(eapol_flags, DEFAULT_EAPOL_FLAGS);
#endif /* IEEE8021X_EAPOL */
#endif /* IEEE8021X_EAPOL */
for (i = 0; i < 4; i++)
for (i = 0; i < 4; i++)
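Review bot: `STR(pin2);` in wpa_config_write_network persists the phase-2 smartcard PIN into the written configuration in clear text, presumably the same way the existing pin field is written today, so enabling config write-back now stores two PINs; a short comment on the line, `/* pin2 is a credential; written in clear like pin */`, makes that trade-off visible to whoever later adds secret handling to the writer. The same applies to the registry writer in the following section (`STR(pin2);` under the HKEY variant of wpa_config_write_network), which otherwise mirrors this hunk exactly. The enclosing function starts and ends outside the hunk.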
@ -770,9 +770,12 @@ static int wpa_config_write_network(HKEY hk, struct wpa_ssid *ssid, int id)
STR(cert_id);
STR(cert_id);
STR(ca_cert_id);
STR(ca_cert_id);
STR(key2_id);
STR(key2_id);
STR(pin2);
STR(engine2_id);
STR(cert2_id);
STR(cert2_id);
STR(ca_cert2_id);
STR(ca_cert2_id);
INTe(engine);
INTe(engine);
INTe(engine2);
INT_DEF(eapol_flags, DEFAULT_EAPOL_FLAGS);
INT_DEF(eapol_flags, DEFAULT_EAPOL_FLAGS);
#endif /* IEEE8021X_EAPOL */
#endif /* IEEE8021X_EAPOL */
for (i = 0; i < 4; i++)
for (i = 0; i < 4; i++)