From: sunilravi Date: Fri, 21 Mar 2025 02:14:23 +0000 (+0000) Subject: OpenSSL: Fix EAP-TLS connection failure in Android X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b5c7f20804655de31114e17524735691cf0e2798;p=thirdparty%2Fhostap.git OpenSSL: Fix EAP-TLS connection failure in Android In Android, the client private key is stored in the keystore engine and the code depends on OPENSSL_NO_ENGINE defined in BoringSSL to load the private key. Commit 400b89162294 ("OpenSSL: Use pkcs11-provider when OPENSSL_NO_ENGINE is defined" broke the logic to load the client private key in Android which resulted in EAP-TLS connection failure. With this change pkcs11-provider is used when OPENSSL_NO_ENGINE is defined. Fix the issue by adding conditional compilation check for Android platform to avoid using Provider API. Fixes: 400b89162294 ("OpenSSL: Use pkcs11-provider when OPENSSL_NO_ENGINE is defined") Signed-off-by: sunilravi
---
diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index aaf519be5..719797662 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -389,6 +389,8 @@ static void openssl_unload_pkcs11_provider(void)
 }
+#ifndef ANDROID
+
 static bool openssl_can_use_provider(const char *engine_id, const char *req)
 {
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
@@ -459,6 +461,8 @@ err_key:
 #endif /* OpenSSL version >= 3.0 */
 }
+#endif /* !ANDROID */
+
 static X509 * provider_load_cert(const char *cert_id)
 {
@@ -1521,9 +1525,11 @@ err:
 	return ret;
 #else /* OPENSSL_NO_ENGINE */
+#ifndef ANDROID
 	conn->private_key = provider_load_key(key_id);
 	if (!conn->private_key)
 		return -1;
+#endif /* !ANDROID */
 	return 0;
 #endif /* OPENSSL_NO_ENGINE */
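Review bot: The `#ifndef ANDROID` wrap opened here closes at the `#endif /* !ANDROID */` placed just before `provider_load_cert`, so only `openssl_can_use_provider` is excluded on Android while `provider_load_cert` and, presumably, `provider_load_key` stay compiled; with the one visible call to `provider_load_key` now guarded out at line 1525, an Android build may be left with an unused static function unless it has another caller I cannot see from these hunks. If these helpers exist only for the pkcs11-provider path, extending the guard to cover them keeps all provider-only code out of Android builds in one place. At minimum a comment at the `#ifndef`, e.g. `/* pkcs11-provider path; not used on Android, which loads keys from the keystore */`, tells the next reader why the platform guard exists. The body of `openssl_can_use_provider` continues past the hunk.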
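Review bot: After the new guard in the third hunk, the `#else /* OPENSSL_NO_ENGINE */` branch of `tls_connection_engine_private_key` returns 0 on Android without touching `conn->private_key`, so the caller is told the key was loaded by a function that loaded nothing; where the keystore key actually gets loaded on Android is not visible from this hunk and should be stated at the guard, e.g. `/* ANDROID: the keystore key is loaded elsewhere, nothing to do here */` (confirm the actual location before writing it). If `conn->private_key` can still be NULL when the handshake starts on that platform, the failure now surfaces later and less clearly than the `return -1` this path used to give. The enclosing function starts before this hunk.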
@@ -5592,10 +5598,10 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
 		return -1;
 	if (engine_id && ca_cert_id) {
-#ifdef OPENSSL_NO_ENGINE
+#if !defined(ANDROID) && defined(OPENSSL_NO_ENGINE)
 		if (!openssl_can_use_provider(engine_id, ca_cert_id))
 			return TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED;
-#endif /* OPENSSL_NO_ENGINE */
+#endif /* !ANDROID && OPENSSL_NO_ENGINE */
 		if (tls_connection_engine_ca_cert(data, conn, ca_cert_id))
 			return TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED;
 	} else if (tls_connection_ca_cert(data, conn, params->ca_cert,
@@ -5605,10 +5611,10 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
 		return -1;
 	if (engine_id && cert_id) {
-#ifdef OPENSSL_NO_ENGINE
+#if !defined(ANDROID) && defined(OPENSSL_NO_ENGINE)
 		if (!openssl_can_use_provider(engine_id, cert_id))
 			return TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED;
-#endif /* OPENSSL_NO_ENGINE */
+#endif /* !ANDROID && OPENSSL_NO_ENGINE */
 		if (tls_connection_engine_client_cert(conn, cert_id))
 			return TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED;
 	} else if (tls_connection_client_cert(conn, params->client_cert,
@@ -5617,10 +5623,10 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
 		return -1;
 	if (engine_id && key_id) {
-#ifdef OPENSSL_NO_ENGINE
+#if !defined(ANDROID) && defined(OPENSSL_NO_ENGINE)
 		if (!openssl_can_use_provider(engine_id, key_id))
 			return TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED;
-#endif /* OPENSSL_NO_ENGINE */
+#endif /* !ANDROID && OPENSSL_NO_ENGINE */
 		wpa_printf(MSG_DEBUG, "TLS: Using private key from engine/provider");
 		if (tls_connection_engine_private_key(conn))
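Review bot: The same `#if !defined(ANDROID) && defined(OPENSSL_NO_ENGINE)` block is now repeated three times in `tls_connection_set_params` (this hunk and the two that follow at 5611 and 5623), and each copy has to agree with the separate `#ifndef ANDROID` that wraps the definition of `openssl_can_use_provider`; a later change to one site but not the others produces an implicit-declaration or link error in only some build configurations. A single file-local macro defined next to that wrap (a constructed name such as `TLS_OPENSSL_USE_PROVIDER`) and tested at all four places would keep them in sync. In the third hunk the debug line `"TLS: Using private key from engine/provider"` is still emitted on Android even though, per the change at line 1525, `tls_connection_engine_private_key` no longer loads anything there; naming the actual key source in that message (the keystore, if that is confirmed) would make Android logs less misleading when diagnosing EAP-TLS failures like the one this commit fixes. The enclosing function begins before and continues past these hunks.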