From 98842d51ec1d4c6b124774b2c2fdaa6b312a1dc0 Mon Sep 17 00:00:00 2001
From: Carolin Latze
Date: Tue, 18 Nov 2008 16:53:32 +0200
Subject: [PATCH] Separate OpenSSL engine configuration for Phase 2

I fixed the engine issue in phase2 of EAP-TTLS. The problem was that you only defined one engine variable, which was read already in phase1. I defined some new variables: engine2 engine2_id pin2 and added support to read those in phase2 wheres all the engine variables without number are only read in phase1. That solved it and I am now able to use an engine also in EAP-TTLS phase2.
---
 src/eap_peer/eap_config.h | 41 ++++++++++++++++++++++++++++++++++
 src/eap_peer/eap_tls.c | 3 ++-
 src/eap_peer/eap_tls_common.c | 14 +++++++-----
 wpa_supplicant/config.c | 5 +++++
 wpa_supplicant/config_file.c | 3 +++
 wpa_supplicant/config_winreg.c | 3 +++
 6 files changed, 63 insertions(+), 6 deletions(-)

diff --git a/src/eap_peer/eap_config.h b/src/eap_peer/eap_config.h
index 3fd3783b4..bd526ff7e 100644
--- a/src/eap_peer/eap_config.h
+++ b/src/eap_peer/eap_config.h
@@ -408,6 +408,47 @@ struct eap_peer_config {
 */
 char *engine_id;
 
+ /**
+ * engine2 - Enable OpenSSL engine (e.g., for smartcard) (Phase 2)
+ *
+ * This is used if private key operations for EAP-TLS are performed
+ * using a smartcard.
+ *
+ * This field is like engine, but used for phase 2 (inside
+ * EAP-TTLS/PEAP/FAST tunnel) authentication.
+ */
+ int engine2;
+
+
+ /**
+ * pin2 - PIN for USIM, GSM SIM, and smartcards (Phase 2)
+ *
+ * This field is used to configure PIN for SIM and smartcards for
+ * EAP-SIM and EAP-AKA. In addition, this is used with EAP-TLS if a
+ * smartcard is used for private key operations.
+ *
+ * This field is like pin2, but used for phase 2 (inside
+ * EAP-TTLS/PEAP/FAST tunnel) authentication.
+ *
+ * If left out, this will be asked through control interface.
+ */
+ char *pin2;
+
+ /**
+ * engine2_id - Engine ID for OpenSSL engine (Phase 2)
+ *
+ * "opensc" to select OpenSC engine or "pkcs11" to select PKCS#11
+ * engine.
+ *
+ * This is used if private key operations for EAP-TLS are performed
+ * using a smartcard.
+ *
+ * This field is like engine_id, but used for phase 2 (inside
+ * EAP-TTLS/PEAP/FAST tunnel) authentication.
+ */
+ char *engine2_id;
+
+
 /**
 * key_id - Key ID for OpenSSL engine
 *
diff --git a/src/eap_peer/eap_tls.c b/src/eap_peer/eap_tls.c
index 6929468c3..31344a913 100644
--- a/src/eap_peer/eap_tls.c
+++ b/src/eap_peer/eap_tls.c
@@ -36,7 +36,8 @@ static void * eap_tls_init(struct eap_sm *sm)
 struct eap_peer_config *config = eap_get_config(sm);
 if (config == NULL ||
 ((sm->init_phase2 ? config->private_key2 : config->private_key)
- == NULL && config->engine == 0)) {
+ == NULL &&
+ (sm->init_phase2 ? config->engine2 : config->engine) == 0)) {
 wpa_printf(MSG_INFO, "EAP-TLS: Private key not configured");
 return NULL;
 }
diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c
index d2a494bbf..9ff4eed8d 100644
--- a/src/eap_peer/eap_tls_common.c
+++ b/src/eap_peer/eap_tls_common.c
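Review bot: The pin2 documentation compares the field to itself — `* This field is like pin2, but used for phase 2 (inside` should read `* This field is like pin, but used for phase 2 (inside`, matching how the engine2 and engine2_id blocks reference their phase-1 counterparts. The sentence `* If left out, this will be asked through control interface.` was carried over from pin; nothing in this patch adds a phase-2 variant of the PIN request, so either that path needs to be extended to fill pin2 or the sentence should be dropped until it is. The two consecutive blank lines after `+ int engine2;` and after `+ char *engine2_id;` should be collapsed to one, as the surrounding fields are separated by a single blank line.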
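Review bot: The rewritten condition in eap_tls_init now nests two phase-dependent ternaries inside one compound test, which makes the "key or engine must be present" rule hard to read at a glance; a short comment above the `if` such as `/* Phase 2 (inside the TTLS/PEAP/FAST tunnel) has its own private key and engine settings */` would help, and pulling the two selections into named locals guarded by the existing NULL check would be clearer still. The logic itself looks correct for the phase-2 case the commit targets. eap_tls_init continues outside the hunk.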
@@ -56,6 +56,7 @@ static void eap_tls_params_from_conf1(struct tls_connection_params *params,
 params->dh_file = (char *) config->dh_file;
 params->subject_match = (char *) config->subject_match;
 params->altsubject_match = (char *) config->altsubject_match;
+ params->engine = config->engine;
 params->engine_id = config->engine_id;
 params->pin = config->pin;
 params->key_id = config->key_id;
@@ -75,8 +76,9 @@ static void eap_tls_params_from_conf2(struct tls_connection_params *params,
 params->dh_file = (char *) config->dh_file2;
 params->subject_match = (char *) config->subject_match2;
 params->altsubject_match = (char *) config->altsubject_match2;
- params->engine_id = config->engine_id;
- params->pin = config->pin;
+ params->engine = config->engine2;
+ params->engine_id = config->engine2_id;
+ params->pin = config->pin2;
 params->key_id = config->key2_id;
 params->cert_id = config->cert2_id;
 params->ca_cert_id = config->ca_cert2_id;
@@ -89,11 +91,13 @@ static int eap_tls_params_from_conf(struct eap_sm *sm,
 struct eap_peer_config *config, int phase2)
 {
 os_memset(params, 0, sizeof(*params));
- params->engine = config->engine;
- if (phase2)
+ if (phase2) {
+ wpa_printf(MSG_DEBUG, "TLS: using phase2 config options");
 eap_tls_params_from_conf2(params, config);
- else
+ } else {
+ wpa_printf(MSG_DEBUG, "TLS: using phase1 config options");
 eap_tls_params_from_conf1(params, config);
+ }
 params->tls_ia = data->tls_ia;
 
 /*
diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
index 70b02c4ef..c95e7a074 100644
--- a/wpa_supplicant/config.c
+++ b/wpa_supplicant/config.c
@@ -1331,10 +1331,13 @@ static const struct parse_data ssid_fields[] = {
 { STRe(key_id) },
 { STRe(cert_id) },
 { STRe(ca_cert_id) },
+ { STR_KEYe(pin2) },
+ { STRe(engine2_id) },
 { STRe(key2_id) },
 { STRe(cert2_id) },
 { STRe(ca_cert2_id) },
 { INTe(engine) },
+ { INTe(engine2) },
 { INT(eapol_flags) },
 #endif /* IEEE8021X_EAPOL */
 { FUNC_KEY(wep_key0) },
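Review bot: `+ params->pin = config->pin2;` changes what a phase-2 engine receives when no PIN is configured: before this patch phase 2 shared config->pin, which — judging from the pin2 documentation added in eap_config.h — is the field the existing control-interface PIN request fills (that request path is not in this diff), so a tunnelled EAP-TLS with engine2 set and pin2 absent now gets a NULL pin instead of the prompted one. Either extend the PIN request path to fill pin2 when running in phase 2, or fall back explicitly here with `params->pin = config->pin2 ? config->pin2 : config->pin;`, and make the pin2 documentation state which of the two applies. The engine and engine_id assignments in this hunk are consistent with the phase-1 counterpart in the hunk above. eap_tls_params_from_conf2 begins before this hunk.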
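Review bot: The new `{ STR_KEYe(pin2) },` and `{ STRe(engine2_id) },` entries are inserted before the key2_id/cert2_id/ca_cert2_id group here, while the two writers in config_file.c and config_winreg.c emit `STR(pin2); STR(engine2_id);` after `STR(key2_id);`; keeping the three tables in one order (the new entries after `{ STRe(ca_cert2_id) },` here and after `STR(ca_cert2_id);` in both writers) makes the phase-2 engine set easier to audit for completeness. Using STR_KEYe for pin2, which presumably tags the value as key material on the parse side, is the right choice for a PIN. The ssid_fields table begins before this hunk.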
@@ -1497,6 +1500,8 @@ static void eap_peer_config_free(struct eap_peer_config *eap)
 os_free(eap->key2_id);
 os_free(eap->cert2_id);
 os_free(eap->ca_cert2_id);
+ os_free(eap->pin2);
+ os_free(eap->engine2_id);
 os_free(eap->otp);
 os_free(eap->pending_req_otp);
 os_free(eap->pac_file);
diff --git a/wpa_supplicant/config_file.c b/wpa_supplicant/config_file.c
index 60650ae7c..359c5f10b 100644
--- a/wpa_supplicant/config_file.c
+++ b/wpa_supplicant/config_file.c
@@ -758,9 +758,12 @@ static void wpa_config_write_network(FILE *f, struct wpa_ssid *ssid)
 STR(cert_id);
 STR(ca_cert_id);
 STR(key2_id);
+ STR(pin2);
+ STR(engine2_id);
 STR(cert2_id);
 STR(ca_cert2_id);
 INTe(engine);
+ INTe(engine2);
 INT_DEF(eapol_flags, DEFAULT_EAPOL_FLAGS);
 #endif /* IEEE8021X_EAPOL */
 for (i = 0; i < 4; i++)
diff --git a/wpa_supplicant/config_winreg.c b/wpa_supplicant/config_winreg.c
index 974672793..4ec50f636 100644
--- a/wpa_supplicant/config_winreg.c
+++ b/wpa_supplicant/config_winreg.c
@@ -770,9 +770,12 @@ static int wpa_config_write_network(HKEY hk, struct wpa_ssid *ssid, int id)
 STR(cert_id);
 STR(ca_cert_id);
 STR(key2_id);
+ STR(pin2);
+ STR(engine2_id);
 STR(cert2_id);
 STR(ca_cert2_id);
 INTe(engine);
+ INTe(engine2);
 INT_DEF(eapol_flags, DEFAULT_EAPOL_FLAGS);
 #endif /* IEEE8021X_EAPOL */
 for (i = 0; i < 4; i++)
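Review bot: `+ os_free(eap->pin2);` releases the PIN buffer without clearing it, so the credential remains in freed heap memory until that block is reused; since pin2 is secret material, clear it before freeing (`if (eap->pin2) os_memset(eap->pin2, 0, os_strlen(eap->pin2));` ahead of the free, or a zeroising free helper if the tree provides one, since a plain memset right before free may be dropped by the optimizer). The same likely applies to the existing pin field freed elsewhere in this function, so this may be a pre-existing pattern rather than something introduced here. eap_peer_config_free begins before this hunk.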