Separate OpenSSL engine configuration for Phase 2

I fixed the engine issue in phase2 of EAP-TTLS. The problem was that you
only defined one engine variable, which was read already in phase1. I
defined some new variables:

engine2
engine2_id
pin2

and added support to read those in phase2 wheres all the engine
variables without number are only read in phase1. That solved it and I
am now able to use an engine also in EAP-TTLS phase2.

diff --git a/src/eap_peer/eap_config.h b/src/eap_peer/eap_config.h
index 3fd3783..bd526ff 100644 (file)
--- a/src/eap_peer/eap_config.h
+++ b/src/eap_peer/eap_config.h
@@ -409,6 +409,47 @@ struct eap_peer_config {
        char *engine_id;
 
        /**
+        * engine2 - Enable OpenSSL engine (e.g., for smartcard) (Phase 2)
+        *
+        * This is used if private key operations for EAP-TLS are performed
+        * using a smartcard.
+        *
+        * This field is like engine, but used for phase 2 (inside
+        * EAP-TTLS/PEAP/FAST tunnel) authentication.
+        */
+       int engine2;
+
+
+       /**
+        * pin2 - PIN for USIM, GSM SIM, and smartcards (Phase 2)
+        *
+        * This field is used to configure PIN for SIM and smartcards for
+        * EAP-SIM and EAP-AKA. In addition, this is used with EAP-TLS if a
+        * smartcard is used for private key operations.
+        *
+        * This field is like pin2, but used for phase 2 (inside
+        * EAP-TTLS/PEAP/FAST tunnel) authentication.
+        *
+        * If left out, this will be asked through control interface.
+        */
+       char *pin2;
+
+       /**
+        * engine2_id - Engine ID for OpenSSL engine (Phase 2)
+        *
+        * "opensc" to select OpenSC engine or "pkcs11" to select PKCS#11
+        * engine.
+        *
+        * This is used if private key operations for EAP-TLS are performed
+        * using a smartcard.
+        *
+        * This field is like engine_id, but used for phase 2 (inside
+        * EAP-TTLS/PEAP/FAST tunnel) authentication.
+        */
+       char *engine2_id;
+
+
+       /**
         * key_id - Key ID for OpenSSL engine
         *
         * This is used if private key operations for EAP-TLS are performed

diff --git a/src/eap_peer/eap_tls.c b/src/eap_peer/eap_tls.c
index 6929468..31344a9 100644 (file)
--- a/src/eap_peer/eap_tls.c
+++ b/src/eap_peer/eap_tls.c
@@ -36,7 +36,8 @@ static void * eap_tls_init(struct eap_sm *sm)
        struct eap_peer_config *config = eap_get_config(sm);
        if (config == NULL ||
            ((sm->init_phase2 ? config->private_key2 : config->private_key)
-           == NULL && config->engine == 0)) {
+            == NULL &&
+            (sm->init_phase2 ? config->engine2 : config->engine) == 0)) {
                wpa_printf(MSG_INFO, "EAP-TLS: Private key not configured");
                return NULL;
        }

diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c
index d2a494b..9ff4eed 100644 (file)
--- a/src/eap_peer/eap_tls_common.c
+++ b/src/eap_peer/eap_tls_common.c
@@ -56,6 +56,7 @@ static void eap_tls_params_from_conf1(struct tls_connection_params *params,
        params->dh_file = (char *) config->dh_file;
        params->subject_match = (char *) config->subject_match;
        params->altsubject_match = (char *) config->altsubject_match;
+       params->engine = config->engine;
        params->engine_id = config->engine_id;
        params->pin = config->pin;
        params->key_id = config->key_id;
@@ -75,8 +76,9 @@ static void eap_tls_params_from_conf2(struct tls_connection_params *params,
        params->dh_file = (char *) config->dh_file2;
        params->subject_match = (char *) config->subject_match2;
        params->altsubject_match = (char *) config->altsubject_match2;
-       params->engine_id = config->engine_id;
-       params->pin = config->pin;
+       params->engine = config->engine2;
+       params->engine_id = config->engine2_id;
+       params->pin = config->pin2;
        params->key_id = config->key2_id;
        params->cert_id = config->cert2_id;
        params->ca_cert_id = config->ca_cert2_id;
@@ -89,11 +91,13 @@ static int eap_tls_params_from_conf(struct eap_sm *sm,
                                    struct eap_peer_config *config, int phase2)
 {
        os_memset(params, 0, sizeof(*params));
-       params->engine = config->engine;
-       if (phase2)
+       if (phase2) {
+               wpa_printf(MSG_DEBUG, "TLS: using phase2 config options");
                eap_tls_params_from_conf2(params, config);
-       else
+       } else {
+               wpa_printf(MSG_DEBUG, "TLS: using phase1 config options");
                eap_tls_params_from_conf1(params, config);
+       }
        params->tls_ia = data->tls_ia;
 
        /*

diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
index 70b02c4..c95e7a0 100644 (file)
--- a/wpa_supplicant/config.c
+++ b/wpa_supplicant/config.c
@@ -1331,10 +1331,13 @@ static const struct parse_data ssid_fields[] = {
        { STRe(key_id) },
        { STRe(cert_id) },
        { STRe(ca_cert_id) },
+       { STR_KEYe(pin2) },
+       { STRe(engine2_id) },
        { STRe(key2_id) },
        { STRe(cert2_id) },
        { STRe(ca_cert2_id) },
        { INTe(engine) },
+       { INTe(engine2) },
        { INT(eapol_flags) },
 #endif /* IEEE8021X_EAPOL */
        { FUNC_KEY(wep_key0) },
@@ -1497,6 +1500,8 @@ static void eap_peer_config_free(struct eap_peer_config *eap)
        os_free(eap->key2_id);
        os_free(eap->cert2_id);
        os_free(eap->ca_cert2_id);
+       os_free(eap->pin2);
+       os_free(eap->engine2_id);
        os_free(eap->otp);
        os_free(eap->pending_req_otp);
        os_free(eap->pac_file);

diff --git a/wpa_supplicant/config_file.c b/wpa_supplicant/config_file.c
index 60650ae..359c5f1 100644 (file)
--- a/wpa_supplicant/config_file.c
+++ b/wpa_supplicant/config_file.c
@@ -758,9 +758,12 @@ static void wpa_config_write_network(FILE *f, struct wpa_ssid *ssid)
        STR(cert_id);
        STR(ca_cert_id);
        STR(key2_id);
+       STR(pin2);
+       STR(engine2_id);
        STR(cert2_id);
        STR(ca_cert2_id);
        INTe(engine);
+       INTe(engine2);
        INT_DEF(eapol_flags, DEFAULT_EAPOL_FLAGS);
 #endif /* IEEE8021X_EAPOL */
        for (i = 0; i < 4; i++)

diff --git a/wpa_supplicant/config_winreg.c b/wpa_supplicant/config_winreg.c
index 9746727..4ec50f6 100644 (file)
--- a/wpa_supplicant/config_winreg.c
+++ b/wpa_supplicant/config_winreg.c
@@ -770,9 +770,12 @@ static int wpa_config_write_network(HKEY hk, struct wpa_ssid *ssid, int id)
        STR(cert_id);
        STR(ca_cert_id);
        STR(key2_id);
+       STR(pin2);
+       STR(engine2_id);
        STR(cert2_id);
        STR(ca_cert2_id);
        INTe(engine);
+       INTe(engine2);
        INT_DEF(eapol_flags, DEFAULT_EAPOL_FLAGS);
 #endif /* IEEE8021X_EAPOL */
        for (i = 0; i < 4; i++)