OpenSSL: Fix EAP-TLS connection failure in Android
authorsunilravi <sunilravi@google.com>
Fri, 21 Mar 2025 02:14:23 +0000 (02:14 +0000)
committerJouni Malinen <j@w1.fi>
Sat, 22 Mar 2025 09:01:06 +0000 (11:01 +0200)
In Android, the client private key is stored in the keystore engine and
the code depends on OPENSSL_NO_ENGINE defined in BoringSSL to load the
private key.

Commit 400b89162294 ("OpenSSL: Use pkcs11-provider when
OPENSSL_NO_ENGINE is defined") broke the logic to load the client private
key in Android, which resulted in EAP-TLS connection failure. With that
change, the pkcs11-provider is used whenever OPENSSL_NO_ENGINE is defined.

Fix the issue by adding conditional compilation check for Android
platform to avoid using Provider API.

Fixes: 400b89162294 ("OpenSSL: Use pkcs11-provider when OPENSSL_NO_ENGINE is defined")
Signed-off-by: sunilravi <sunilravi@google.com>
src/crypto/tls_openssl.c

index aaf519be57eff4d38f6556203d4eb60320aaaf76..719797662c4f3d512044a2a142c90ad1185c9c11 100644 (file)
@@ -389,6 +389,8 @@ static void openssl_unload_pkcs11_provider(void)
 }
 
 
+#ifndef ANDROID
+
 static bool openssl_can_use_provider(const char *engine_id, const char *req)
 {
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
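Review bot: The new `#ifndef ANDROID` at the top of this hunk carries no explanation of why Android is excluded; the reason lives only in the commit message, so a reader of the file has to dig up commit 400b89162294 to understand the gate. Suggested: `/* Android loads the client private key through its keystore engine and does not use the pkcs11-provider path, so these helpers are compiled out there. */`. The matching `#endif /* !ANDROID */` in the next hunk lands after a second function (the one ending at `err_key:` and `#endif /* OpenSSL version >= 3.0 */`), which appears to be provider_load_key given the call in the hunk at -1521; if so, the comment should say that both helpers are covered. Because the helpers are undefined on Android, every caller must stay behind an equivalent gate, which this commit does at each call site.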
@@ -459,6 +461,8 @@ err_key:
 #endif /* OpenSSL version >= 3.0 */
 }
 
+#endif /* !ANDROID */
+
 
 static X509 * provider_load_cert(const char *cert_id)
 {
@@ -1521,9 +1525,11 @@ err:
 
        return ret;
 #else /* OPENSSL_NO_ENGINE */
+#ifndef ANDROID
        conn->private_key = provider_load_key(key_id);
        if (!conn->private_key)
                return -1;
+#endif /* !ANDROID */
 
        return 0;
 #endif /* OPENSSL_NO_ENGINE */
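Review bot: Under ANDROID the `#else /* OPENSSL_NO_ENGINE */` branch now reaches `return 0;` without assigning conn->private_key, so a missing key is reported as success here and would only surface at the later tls_connection_engine_private_key() call. Presumably the Android keystore path fills conn->private_key earlier in this function (its start is outside the hunk), but nothing in the hunk says so; a comment on the new `#ifndef ANDROID` would make that contract explicit, e.g. `/* On Android the private key is obtained from the keystore engine earlier in this function; the pkcs11-provider path is not compiled in. */` — confirm against the function head. If the key is in fact not set by this point on Android, the `return 0` should become an error return so the failure is caught here.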
@@ -5592,10 +5598,10 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
                return -1;
 
        if (engine_id && ca_cert_id) {
-#ifdef OPENSSL_NO_ENGINE
+#if !defined(ANDROID) && defined(OPENSSL_NO_ENGINE)
                if (!openssl_can_use_provider(engine_id, ca_cert_id))
                        return TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED;
-#endif /* OPENSSL_NO_ENGINE */
+#endif /* !ANDROID && OPENSSL_NO_ENGINE */
                if (tls_connection_engine_ca_cert(data, conn, ca_cert_id))
                        return TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED;
        } else if (tls_connection_ca_cert(data, conn, params->ca_cert,
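Review bot: The gate `#if !defined(ANDROID) && defined(OPENSSL_NO_ENGINE)` is spelled out three times in tls_connection_set_params (this hunk and the two following at -5605 and -5617), and each copy must agree with the separate `#ifndef ANDROID` that compiles openssl_can_use_provider() in or out; a mismatch between them shows up only as a build break on the affected platform. Defining one file-scope feature macro next to the helper and using it everywhere keeps the five guards in step, for example (constructed name) `#if !defined(ANDROID) && defined(OPENSSL_NO_ENGINE)` / `#define TLS_USE_PKCS11_PROVIDER` / `#endif`, with the helper's guard and the three call sites reduced to `#ifdef TLS_USE_PKCS11_PROVIDER`. tls_connection_set_params() starts and ends outside these hunks.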
@@ -5605,10 +5611,10 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
                return -1;
 
        if (engine_id && cert_id) {
-#ifdef OPENSSL_NO_ENGINE
+#if !defined(ANDROID) && defined(OPENSSL_NO_ENGINE)
                if (!openssl_can_use_provider(engine_id, cert_id))
                        return TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED;
-#endif /* OPENSSL_NO_ENGINE */
+#endif /* !ANDROID && OPENSSL_NO_ENGINE */
                if (tls_connection_engine_client_cert(conn, cert_id))
                        return TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED;
        } else if (tls_connection_client_cert(conn, params->client_cert,
@@ -5617,10 +5623,10 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
                return -1;
 
        if (engine_id && key_id) {
-#ifdef OPENSSL_NO_ENGINE
+#if !defined(ANDROID) && defined(OPENSSL_NO_ENGINE)
                if (!openssl_can_use_provider(engine_id, key_id))
                        return TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED;
-#endif /* OPENSSL_NO_ENGINE */
+#endif /* !ANDROID && OPENSSL_NO_ENGINE */
                wpa_printf(MSG_DEBUG,
                           "TLS: Using private key from engine/provider");
                if (tls_connection_engine_private_key(conn))