Android: Use keystore ENGINE for private key operations
authorKenny Root <kroot@google.com>
Wed, 21 Mar 2012 00:00:47 +0000 (17:00 -0700)
committerJouni Malinen <j@w1.fi>
Fri, 8 Nov 2013 09:36:39 +0000 (11:36 +0200)
The new keystore ENGINE is usable to perform private key operations when
we can't get the actual private key data. This is the case when hardware
crypto is enabled: the private key never leaves the hardware.

Consequently, we need to be able to talk to OpenSSL ENGINEs that aren't
PKCS#11 or OpenSC. This just changes a few #define variables to allow us
to talk to our keystore engine without having one of those enabled and
without using a PIN.

Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
src/crypto/tls_openssl.c

index 95c674a45de7d53fe00997b5ebe6c00d0f14c2aa..2b7b010cb86a43f8f3f622896c37faafab17165a 100644 (file)
 
 #ifndef CONFIG_SMARTCARD
 #ifndef OPENSSL_NO_ENGINE
+#ifndef ANDROID
 #define OPENSSL_NO_ENGINE
 #endif
 #endif
+#endif
 
 #include <openssl/ssl.h>
 #include <openssl/err.h>
@@ -858,16 +860,21 @@ static int tls_engine_init(struct tls_connection *conn, const char *engine_id,
                wpa_printf(MSG_ERROR, "ENGINE: Engine ID not set");
                return -1;
        }
+#ifndef ANDROID
        if (pin == NULL) {
                wpa_printf(MSG_ERROR, "ENGINE: Smartcard PIN not set");
                return -1;
        }
+#endif
        if (key_id == NULL) {
                wpa_printf(MSG_ERROR, "ENGINE: Key Id not set");
                return -1;
        }
 
        ERR_clear_error();
+#ifdef ANDROID
+       ENGINE_load_dynamic();
+#endif
        conn->engine = ENGINE_by_id(engine_id);
        if (!conn->engine) {
                wpa_printf(MSG_ERROR, "ENGINE: engine %s not available [%s]",
@@ -882,11 +889,13 @@ static int tls_engine_init(struct tls_connection *conn, const char *engine_id,
        }
        wpa_printf(MSG_DEBUG, "ENGINE: engine initialized");
 
+#ifndef ANDROID
        if (ENGINE_ctrl_cmd_string(conn->engine, "PIN", pin, 0) == 0) {
                wpa_printf(MSG_ERROR, "ENGINE: cannot set pin [%s]",
                           ERR_error_string(ERR_get_error(), NULL));
                goto err;
        }
+#endif
        /* load private key first in-case PIN is required for cert */
        conn->private_key = ENGINE_load_private_key(conn->engine,
                                                    key_id, NULL, NULL);
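Review bot: The `#ifndef ANDROID` around the PIN ctrl in the last hunk turns off PIN delivery for every engine on Android builds, not only the keystore engine, so an Android configuration that does supply a PIN (a PKCS#11 engine, say) would never have it set and the following ENGINE_load_private_key call, which passes a NULL ui_method, may then fail. Making the PIN optional rather than platform-dependent covers both cases: drop the preprocessor guard and write `if (pin && ENGINE_ctrl_cmd_string(conn->engine, "PIN", pin, 0) == 0) {`. The same applies to the guarded `pin == NULL` check in the @@ -858,16 hunk, which could then be removed outright, since a NULL pin would simply mean the engine authenticates without one. A comment above the ctrl call such as `/* PIN is optional: some engines (e.g. Android keystore) authenticate without one */` would record the intent for the next reader. tls_engine_init starts before the second hunk and continues past the last one.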