OpenSSL: Do not require a PIN for PKCS#11
It isn't mandatory. If we need one and it's not present, the ENGINE will try asking for it. Make sure it doesn't actually let an OpenSSL UI loose, since we don't currently capture those. Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
parent
96955192b3
commit
a642a52b17
1 changed files with 12 additions and 8 deletions
|
@ -897,12 +897,6 @@ static int tls_engine_init(struct tls_connection *conn, const char *engine_id,
|
||||||
wpa_printf(MSG_ERROR, "ENGINE: Engine ID not set");
|
wpa_printf(MSG_ERROR, "ENGINE: Engine ID not set");
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
#ifndef ANDROID
|
|
||||||
if (pin == NULL) {
|
|
||||||
wpa_printf(MSG_ERROR, "ENGINE: Smartcard PIN not set");
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
|
|
||||||
ERR_clear_error();
|
ERR_clear_error();
|
||||||
#ifdef ANDROID
|
#ifdef ANDROID
|
||||||
|
@ -923,16 +917,26 @@ static int tls_engine_init(struct tls_connection *conn, const char *engine_id,
|
||||||
wpa_printf(MSG_DEBUG, "ENGINE: engine initialized");
|
wpa_printf(MSG_DEBUG, "ENGINE: engine initialized");
|
||||||
|
|
||||||
#ifndef ANDROID
|
#ifndef ANDROID
|
||||||
if (ENGINE_ctrl_cmd_string(conn->engine, "PIN", pin, 0) == 0) {
|
if (pin && ENGINE_ctrl_cmd_string(conn->engine, "PIN", pin, 0) == 0) {
|
||||||
wpa_printf(MSG_ERROR, "ENGINE: cannot set pin [%s]",
|
wpa_printf(MSG_ERROR, "ENGINE: cannot set pin [%s]",
|
||||||
ERR_error_string(ERR_get_error(), NULL));
|
ERR_error_string(ERR_get_error(), NULL));
|
||||||
goto err;
|
goto err;
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
if (key_id) {
|
if (key_id) {
|
||||||
|
/*
|
||||||
|
* Ensure that the ENGINE does not attempt to use the OpenSSL
|
||||||
|
* UI system to obtain a PIN, if we didn't provide one.
|
||||||
|
*/
|
||||||
|
struct {
|
||||||
|
const void *password;
|
||||||
|
const char *prompt_info;
|
||||||
|
} key_cb = { "", NULL };
|
||||||
|
|
||||||
/* load private key first in-case PIN is required for cert */
|
/* load private key first in-case PIN is required for cert */
|
||||||
conn->private_key = ENGINE_load_private_key(conn->engine,
|
conn->private_key = ENGINE_load_private_key(conn->engine,
|
||||||
key_id, NULL, NULL);
|
key_id, NULL,
|
||||||
|
&key_cb);
|
||||||
if (!conn->private_key) {
|
if (!conn->private_key) {
|
||||||
wpa_printf(MSG_ERROR,
|
wpa_printf(MSG_ERROR,
|
||||||
"ENGINE: cannot load private key with id '%s' [%s]",
|
"ENGINE: cannot load private key with id '%s' [%s]",
|
||||||
|
|