FreeRADIUS · nickrbogdanov · Feb 15, 2021
diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
@@ -235,6 +235,9 @@ eap {
 			#  root CAs, instead of putting them in
 			#  `certificate_file`.
 			#
+			#  This field may contain a PKCS #11 URI instead of a filename
+			#  if OpenSSL is using the libp11 "pkcs11" ENGINE plugin.
+			#
 			certificate_file = ${certdir}/rsa/server.pem
 
 			#
@@ -249,6 +252,9 @@ eap {
 			#  `ca_file` entries is to permit the use of EAP-TLS with client certificates
 			#  from multiple Root CAs.
 			#
+			#  This field may contain a PKCS #11 URI instead of a filename
+			#  if OpenSSL is using the libp11 "pkcs11" ENGINE plugin.
+			#
 			ca_file = ${certdir}/rsa/ca.pem
 
 			#
@@ -265,6 +271,9 @@ eap {
 			#  then `private_key_file` & `certificate_file` must contain the
 			#  same file name.
 			#
+			#  This field may contain a PKCS #11 URI instead of a filename
+			#  if OpenSSL is using the libp11 "pkcs11" ENGINE plugin.
+			#
 			private_key_file = ${certdir}/rsa/server.key
 
 			#

diff --git a/src/lib/tls/base-h b/src/lib/tls/base-h
@@ -341,6 +341,8 @@ extern CONF_PARSER fr_tls_client_config[];
  */
 extern _Thread_local TALLOC_CTX *ssl_talloc_ctx;
 
+extern ENGINE *pkcs11_engine;
+
 /** Bind any memory allocated by an OpenSSL function to the object it created
  *
  * This is a horrible workaround for OpenSSL memory leaks.  But should always

diff --git a/src/lib/tls/base.c b/src/lib/tls/base.c
@@ -45,6 +45,8 @@ static uint32_t instance_count = 0;
  */
 _Thread_local TALLOC_CTX 	*ssl_talloc_ctx;
 
+ENGINE *pkcs11_engine;
+
 fr_dict_t const *dict_freeradius;
 fr_dict_t const *dict_radius;
 
@@ -556,6 +558,20 @@ int fr_openssl_init(void)
 	if (rand_engine && (strcmp(ENGINE_get_id(rand_engine), "rdrand") == 0)) ENGINE_unregister_RAND(rand_engine);
 	ENGINE_register_all_complete();
 
+	pkcs11_engine = ENGINE_by_id("pkcs11");
+	if (pkcs11_engine) {
+		if (!ENGINE_init(pkcs11_engine)) {
+			fr_tls_log_error(NULL, "Failed to initialize PKCS#11 engine");
+			ENGINE_free(pkcs11_engine);
+			pkcs11_engine = NULL;
+		} else {
+			/*
+			 *	Free the structural reference from ENGINE_by_id()
+			 */
+			ENGINE_free(pkcs11_engine);
+		}
+	}
+
 	instance_count++;
 
 	return 0;

diff --git a/src/lib/tls/ctx.c b/src/lib/tls/ctx.c
@@ -37,6 +37,7 @@ USES_APPLE_DEPRECATED_API	/* OpenSSL API has been deprecated by Apple */
 
 #include <openssl/rand.h>
 #include <openssl/dh.h>
+#include <openssl/engine.h>
 
 #include "base.h"
 #include "missing.h"
@@ -144,32 +145,66 @@ static int tls_ctx_load_cert_chain(SSL_CTX *ctx, fr_tls_chain_conf_t const *chai
 	 */
 	SSL_CTX_set_default_passwd_cb(ctx, fr_tls_session_password_cb);
 
-	switch (chain->file_format) {
-	case SSL_FILETYPE_PEM:
-		if (!(SSL_CTX_use_certificate_chain_file(ctx, chain->certificate_file))) {
-			fr_tls_log_error(NULL, "Failed reading certificate file \"%s\"",
-				      chain->certificate_file);
+	if (!strncmp("pkcs11:", chain->certificate_file, 7)) {
+		struct {
+			const char *cert_id;
+			X509 *cert;
+		} params;
+		params.cert_id = chain->certificate_file;
+		params.cert = NULL;
+
+		if (!ENGINE_ctrl_cmd(pkcs11_engine, "LOAD_CERT_CTRL", 0, &params, NULL, 1)) {
+			fr_tls_log_error(NULL, "Failed to load certificate \"%s\"", chain->certificate_file);
 			return -1;
 		}
-		break;
-
-	case SSL_FILETYPE_ASN1:
-		if (!(SSL_CTX_use_certificate_file(ctx, chain->certificate_file, chain->file_format))) {
-			fr_tls_log_error(NULL, "Failed reading certificate file \"%s\"",
-				      chain->certificate_file);
+		if (!SSL_CTX_use_certificate(ctx, params.cert)) {
+			fr_tls_log_error(NULL, "Failed adding PKCS#11 certificate");
+			X509_free(params.cert);
 			return -1;
 		}
-		break;
+		X509_free(params.cert);
+	} else {
+		switch (chain->file_format) {
+		case SSL_FILETYPE_PEM:
+			if (!(SSL_CTX_use_certificate_chain_file(ctx, chain->certificate_file))) {
+				fr_tls_log_error(NULL, "Failed reading certificate file \"%s\"",
+					      chain->certificate_file);
+				return -1;
+			}
+			break;
 
-	default:
-		fr_assert(0);
-		break;
+		case SSL_FILETYPE_ASN1:
+			if (!(SSL_CTX_use_certificate_file(ctx, chain->certificate_file, chain->file_format))) {
+				fr_tls_log_error(NULL, "Failed reading certificate file \"%s\"",
+					      chain->certificate_file);
+				return -1;
+			}
+			break;
+
+		default:
+			fr_assert(0);
+			break;
+		}
 	}
 
-	if (!(SSL_CTX_use_PrivateKey_file(ctx, chain->private_key_file, chain->file_format))) {
-		fr_tls_log_error(NULL, "Failed reading private key file \"%s\"",
-			      chain->private_key_file);
-		return -1;
+	if (!strncmp("pkcs11:", chain->private_key_file, 7)) {
+		EVP_PKEY *pkey = ENGINE_load_private_key(pkcs11_engine, chain->private_key_file, NULL, NULL);
+		if (!pkey) {
+			fr_tls_log_error(NULL, "Failed to load private key \"%s\"", chain->private_key_file);
+			return -1;
+		}
+		if (!SSL_CTX_use_PrivateKey(ctx, pkey)) {
+			fr_tls_log_error(NULL, "Failed adding PKCS#11 private key");
+			EVP_PKEY_free(pkey);
+			return -1;
+		}
+		EVP_PKEY_free(pkey);
+	} else {
+		if (!(SSL_CTX_use_PrivateKey_file(ctx, chain->private_key_file, chain->file_format))) {
+			fr_tls_log_error(NULL, "Failed reading private key file \"%s\"",
+				      chain->private_key_file);
+			return -1;
+		}
 	}
 
 	{