From a642a52b1798776ff089e4103a5d1d7edec8f9ea Mon Sep 17 00:00:00 2001
From: David Woodhouse
Date: Thu, 18 Dec 2014 15:09:55 +0000
Subject: [PATCH] OpenSSL: Do not require a PIN for PKCS#11

It isn't mandatory. If we need one and it's not present, the ENGINE will try asking for it. Make sure it doesn't actually let an OpenSSL UI loose, since we don't currently capture those.

Signed-off-by: David Woodhouse
---
 src/crypto/tls_openssl.c | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index 7dab3151b..c72134afe 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -897,12 +897,6 @@ static int tls_engine_init(struct tls_connection *conn, const char *engine_id,
 wpa_printf(MSG_ERROR, "ENGINE: Engine ID not set");
 return -1;
 }
-#ifndef ANDROID
- if (pin == NULL) {
- wpa_printf(MSG_ERROR, "ENGINE: Smartcard PIN not set");
- return -1;
- }
-#endif
 ERR_clear_error();
 #ifdef ANDROID
@@ -923,16 +917,26 @@ static int tls_engine_init(struct tls_connection *conn, const char *engine_id,
 wpa_printf(MSG_DEBUG, "ENGINE: engine initialized");
 #ifndef ANDROID
- if (ENGINE_ctrl_cmd_string(conn->engine, "PIN", pin, 0) == 0) {
+ if (pin && ENGINE_ctrl_cmd_string(conn->engine, "PIN", pin, 0) == 0) {
 wpa_printf(MSG_ERROR, "ENGINE: cannot set pin [%s]", ERR_error_string(ERR_get_error(), NULL));
 goto err;
 }
 #endif
 if (key_id) {
+ /*
+ * Ensure that the ENGINE does not attempt to use the OpenSSL
+ * UI system to obtain a PIN, if we didn't provide one.
+ */
+ struct {
+ const void *password;
+ const char *prompt_info;
+ } key_cb = { "", NULL };
+
 /* load private key first in-case PIN is required for cert */
 conn->private_key = ENGINE_load_private_key(conn->engine,
- key_id, NULL, NULL);
+ key_id, NULL,
+ &key_cb);
 if (!conn->private_key) {
 wpa_printf(MSG_ERROR, "ENGINE: cannot load private key with id '%s' [%s]",
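Review bot: Removing the `pin == NULL` rejection at the top of tls_engine_init leaves a missing PIN with no log line at all on non-Android builds; when the engine does need one, the failure now surfaces only as the generic ENGINE_load_private_key error further down, which is harder to triage than the old "Smartcard PIN not set" message. A debug-level line where the removed block stood would keep that distinction without restoring the hard failure, e.g. `if (pin == NULL) wpa_printf(MSG_DEBUG, "ENGINE: no PIN configured; engine must not prompt for one");`. The UI suppression the commit message describes is applied only to the private-key load in the following hunk; if the certificate is also fetched through the ENGINE afterwards, as the existing 'load private key first in-case PIN is required for cert' comment suggests, that call would presumably still be able to fall back to an OpenSSL UI prompt, which is worth confirming. The function starts before this hunk and continues past it.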