[PATCH] OpenSSL: use pkcs11-provider when OPENSSL_NO_ENGINE is defined
Davide Caratti
davide.caratti at gmail.com
Wed Jan 15 09:04:54 PST 2025
Now that ENGINE API starts being deprecated in distros (like Fedora [1])
wpa_supplicant users might need a way to load certificates and keys from
PKCS11 URIs even when OPENSSL_NO_ENGINE is defined. We can do that using
pkcs11-provider: load it by default in wpa_supplicant, and try to use it
when OPENSSL_NO_ENGINE is defined and configuration requests PKCS11 URIs
for certificates / keys.
Inspired by pkcs11-provider test program 'tlssetkey.c' [2]
[1] https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine
[2] https://github.com/latchset/pkcs11-provider/blob/main/tests/tlssetkey.c
Signed-off-by: Davide Caratti <davide.caratti at gmail.com>
---
src/crypto/tls_openssl.c | 191 ++++++++++++++++++++++++++++++++++-----
1 file changed, 166 insertions(+), 25 deletions(-)
diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index 17283f998..94596b25b 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -33,6 +33,8 @@
#include <openssl/core_names.h>
#include <openssl/decoder.h>
#include <openssl/param_build.h>
+#include <openssl/store.h>
+#include <openssl/provider.h>
#else /* OpenSSL version >= 3.0 */
#ifndef OPENSSL_NO_DSA
#include <openssl/dsa.h>
@@ -244,8 +246,8 @@ struct tls_connection {
BIO *ssl_in, *ssl_out;
#if defined(ANDROID) || !defined(OPENSSL_NO_ENGINE)
ENGINE *engine; /* functional reference to the engine */
- EVP_PKEY *private_key; /* the private key if using engine */
#endif /* OPENSSL_NO_ENGINE */
+ EVP_PKEY *private_key; /* the private key if using engine/provider */
char *subject_match, *altsubject_match, *suffix_match, *domain_match;
char *check_cert_subject;
int read_alerts, write_alerts, failed;
@@ -356,6 +358,125 @@ static X509_STORE * tls_crl_cert_reload(const char *ca_cert, int check_crl)
return store;
}
+#ifdef OPENSSL_NO_ENGINE
+static OSSL_PROVIDER *openssl_pkcs11_provider = NULL;
+
+void openssl_load_pkcs11_provider(void)
+{
+ if (openssl_pkcs11_provider)
+ return;
+
+ openssl_pkcs11_provider = OSSL_PROVIDER_try_load(NULL, "pkcs11", 1);
+ if (!openssl_pkcs11_provider)
+ wpa_printf(MSG_WARNING, "PKCS11 provider not present");
+}
+
+
+static void openssl_unload_pkcs11_provider(void)
+{
+ if (openssl_pkcs11_provider) {
+ OSSL_PROVIDER_unload(openssl_pkcs11_provider);
+ openssl_pkcs11_provider = NULL;
+ }
+}
+
+
+bool openssl_can_use_provider(const char *engine_id, const char *req)
+{
+
+ if (!os_strcmp(engine_id, "pkcs11") && openssl_pkcs11_provider)
+ return true;
+
+ wpa_printf(MSG_ERROR, "Can't find OpenSSL provider for '%s' (missing '%s')",
+ req, engine_id);
+ return false;
+}
+
+
+EVP_PKEY *provider_load_key(const char *uri)
+{
+ OSSL_STORE_CTX *store;
+ OSSL_STORE_INFO *info;
+ EVP_PKEY *key = NULL;
+
+ if (!uri) {
+ tls_show_errors(MSG_ERROR, __func__,
+ "Invalid NULL uri for key");
+ goto err_key;
+ }
+ store = OSSL_STORE_open(uri, NULL, NULL, NULL, NULL);
+ if (!store) {
+ wpa_printf(MSG_DEBUG,"bad uri for private key:%s", uri);
+
+ tls_show_errors(MSG_ERROR, __func__,
+ "Failed to open key store");
+ goto err_key;
+ }
+ if (strncmp(uri, "pkcs11:", 7) && strstr(uri, "type=private") == NULL) {
+ /* This is a workaround for OpenSSL < 3.2.0 where the code fails
+ * to correctly source public keys unless explicitly requested
+ * via an expect hint */
+ if (OSSL_STORE_expect(store, OSSL_STORE_INFO_PUBKEY) != 1) {
+ tls_show_errors(MSG_ERROR, __func__,
+ "Failed to expect Public Key File");
+ goto err_store;
+ }
+ }
+ while (!OSSL_STORE_eof(store)) {
+ info = OSSL_STORE_load(store);
+ if ((OSSL_STORE_INFO_get_type(info)) == OSSL_STORE_INFO_PKEY)
+ key = OSSL_STORE_INFO_get1_PKEY(info);
+
+ OSSL_STORE_INFO_free(info);
+ if (key)
+ break;
+ }
+err_store:
+ OSSL_STORE_close(store);
+err_key:
+ if (key == NULL)
+ wpa_printf(MSG_ERROR,
+ "Failed to load key from URI");
+
+ return key;
+}
+
+
+static X509 *provider_load_cert(const char *cert_id)
+{
+ OSSL_STORE_CTX *store;
+ OSSL_STORE_INFO *info;
+ X509 *cert = NULL;
+
+ if (cert_id == NULL) {
+ tls_show_errors(MSG_ERROR, __func__,
+ "Invalid NULL uri");
+ goto err_cert;
+ }
+
+ store = OSSL_STORE_open(cert_id, NULL, NULL, NULL, NULL);
+ if (store == NULL) {
+ tls_show_errors(MSG_ERROR, __func__,
+ "Failed to open store");
+ goto err_cert;
+ }
+ while (!OSSL_STORE_eof(store)) {
+ info = OSSL_STORE_load(store);
+ if ((OSSL_STORE_INFO_get_type(info)) == OSSL_STORE_INFO_CERT)
+ cert = OSSL_STORE_INFO_get1_CERT(info);
+
+ OSSL_STORE_INFO_free(info);
+ if (cert)
+ break;
+ }
+ OSSL_STORE_close(store);
+err_cert:
+ if (cert == NULL)
+ tls_show_errors(MSG_ERROR, __func__,
+ "Failed to load cert from URI");
+ return cert;
+}
+#endif
#ifdef CONFIG_NATIVE_WINDOWS
@@ -1020,7 +1141,9 @@ void * tls_init(const struct tls_config *conf)
void openssl_load_legacy_provider(void);
openssl_load_legacy_provider();
-
+#ifdef OPENSSL_NO_ENGINE
+ openssl_load_pkcs11_provider();
+#endif
tls_global = context = tls_context_new(conf);
if (context == NULL)
return NULL;
@@ -1211,6 +1334,9 @@ void tls_deinit(void *ssl_ctx)
tls_openssl_ref_count--;
if (tls_openssl_ref_count == 0) {
+#ifdef OPENSSL_NO_ENGINE
+ openssl_unload_pkcs11_provider();
+#endif
#if OPENSSL_VERSION_NUMBER < 0x10100000L
#ifndef OPENSSL_NO_ENGINE
ENGINE_cleanup();
@@ -1369,6 +1495,10 @@ err:
return ret;
#else /* OPENSSL_NO_ENGINE */
+ conn->private_key = provider_load_key(key_id);
+ if (conn->private_key == NULL)
+ return -1;
+
return 0;
#endif /* OPENSSL_NO_ENGINE */
}
@@ -1388,6 +1518,11 @@ static void tls_engine_deinit(struct tls_connection *conn)
#endif /* !OPENSSL_IS_BORINGSSL */
conn->engine = NULL;
}
+#else
+ if (conn->private_key) {
+ EVP_PKEY_free(conn->private_key);
+ conn->private_key = NULL;
+ }
#endif /* ANDROID || !OPENSSL_NO_ENGINE */
}
@@ -3799,12 +3934,16 @@ static int tls_engine_get_cert(struct tls_connection *conn,
static int tls_connection_engine_client_cert(struct tls_connection *conn,
const char *cert_id)
{
-#ifndef OPENSSL_NO_ENGINE
X509 *cert;
+#ifndef OPENSSL_NO_ENGINE
if (tls_engine_get_cert(conn, cert_id, &cert))
return -1;
-
+#else /* OPENSSL_NO_ENGINE */
+ cert = provider_load_cert(cert_id);
+ if (cert == NULL)
+ return -1;
+#endif /* OPENSSL_NO_ENGINE */
if (!SSL_use_certificate(conn->ssl, cert)) {
tls_show_errors(MSG_ERROR, __func__,
"SSL_use_certificate failed");
@@ -3812,13 +3951,9 @@ static int tls_connection_engine_client_cert(struct tls_connection *conn,
return -1;
}
X509_free(cert);
- wpa_printf(MSG_DEBUG, "ENGINE: SSL_use_certificate --> "
+ wpa_printf(MSG_DEBUG, "ENGINE/provider: SSL_use_certificate --> "
"OK");
return 0;
-
-#else /* OPENSSL_NO_ENGINE */
- return -1;
-#endif /* OPENSSL_NO_ENGINE */
}
@@ -3826,14 +3961,18 @@ static int tls_connection_engine_ca_cert(struct tls_data *data,
struct tls_connection *conn,
const char *ca_cert_id)
{
-#ifndef OPENSSL_NO_ENGINE
X509 *cert;
SSL_CTX *ssl_ctx = data->ssl;
X509_STORE *store;
+#ifndef OPENSSL_NO_ENGINE
if (tls_engine_get_cert(conn, ca_cert_id, &cert))
return -1;
-
+#else /* OPENSSL_NO_ENGINE */
+ cert = provider_load_cert(ca_cert_id);
+ if (cert == NULL)
+ return -1;
+#endif /* OPENSSL_NO_ENGINE */
/* start off the same as tls_connection_ca_cert */
store = X509_STORE_new();
if (store == NULL) {
@@ -3846,7 +3985,7 @@ static int tls_connection_engine_ca_cert(struct tls_data *data,
if (!X509_STORE_add_cert(store, cert)) {
unsigned long err = ERR_peek_error();
tls_show_errors(MSG_WARNING, __func__,
- "Failed to add CA certificate from engine "
+ "Failed to add CA certificate from engine/provider "
"to certificate store");
if (ERR_GET_LIB(err) == ERR_LIB_X509 &&
ERR_GET_REASON(err) == X509_R_CERT_ALREADY_IN_HASH_TABLE) {
@@ -3859,25 +3998,20 @@ static int tls_connection_engine_ca_cert(struct tls_data *data,
}
}
X509_free(cert);
- wpa_printf(MSG_DEBUG, "OpenSSL: %s - added CA certificate from engine "
+ wpa_printf(MSG_DEBUG, "OpenSSL: %s - added CA certificate from engine/provider "
"to certificate store", __func__);
SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, tls_verify_cb);
conn->ca_cert_verify = 1;
return 0;
-
-#else /* OPENSSL_NO_ENGINE */
- return -1;
-#endif /* OPENSSL_NO_ENGINE */
}
static int tls_connection_engine_private_key(struct tls_connection *conn)
{
-#if defined(ANDROID) || !defined(OPENSSL_NO_ENGINE)
if (SSL_use_PrivateKey(conn->ssl, conn->private_key) != 1) {
tls_show_errors(MSG_ERROR, __func__,
- "ENGINE: cannot use private key for TLS");
+ "ENGINE/provider: cannot use private key for TLS");
return -1;
}
if (!SSL_check_private_key(conn->ssl)) {
@@ -3886,11 +4020,6 @@ static int tls_connection_engine_private_key(struct tls_connection *conn)
return -1;
}
return 0;
-#else /* OPENSSL_NO_ENGINE */
- wpa_printf(MSG_ERROR, "SSL: Configuration uses engine, but "
- "engine support was not compiled in");
- return -1;
-#endif /* OPENSSL_NO_ENGINE */
}
@@ -5437,6 +5566,10 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
return -1;
if (engine_id && ca_cert_id) {
+#ifdef OPENSSL_NO_ENGINE
+ if (!openssl_can_use_provider(engine_id, ca_cert_id))
+ return TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED;
+#endif
if (tls_connection_engine_ca_cert(data, conn, ca_cert_id))
return TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED;
} else if (tls_connection_ca_cert(data, conn, params->ca_cert,
@@ -5446,6 +5579,10 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
return -1;
if (engine_id && cert_id) {
+#ifdef OPENSSL_NO_ENGINE
+ if (!openssl_can_use_provider(engine_id, cert_id))
+ return TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED;
+#endif
if (tls_connection_engine_client_cert(conn, cert_id))
return TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED;
} else if (tls_connection_client_cert(conn, params->client_cert,
@@ -5454,7 +5591,11 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
return -1;
if (engine_id && key_id) {
- wpa_printf(MSG_DEBUG, "TLS: Using private key from engine");
+#ifdef OPENSSL_NO_ENGINE
+ if (!openssl_can_use_provider(engine_id, key_id))
+ return TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED;
+#endif
+ wpa_printf(MSG_DEBUG, "TLS: Using private key from engine/provider");
if (tls_connection_engine_private_key(conn))
return TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED;
} else if (tls_connection_private_key(data, conn,
--
2.47.0
More information about the Hostap
mailing list