moran jacuel | 20 Jun 2012 14:07

configure wpa_supplicant to work with openssl

Hello, 

I am trying to configure wpa_supplicant on my linux machine to work with openssl pkcs11 engine with smartcard. The wpa_supplicant doesn't load my pkcs11 engine. What do I need to write in my wpa_supplicant.cnf file to make it work?

I am trying to debug the wpa_supplicant in order to understand how it works. I can't find a place where the supplicant loads the pkcs11 engine or the pkcs11 module. Can you refer me to the place it happens in the code?

Regards, 
Moran Jacuel | Software Engineer | ARX
_______________________________________________
HostAP mailing list
HostAP <at> lists.shmoo.com
http://lists.shmoo.com/mailman/listinfo/hostap
Jouni Malinen | 23 Jun 2012 19:43

Re: configure wpa_supplicant to work with openssl

On Wed, Jun 20, 2012 at 03:07:54PM +0300, moran jacuel wrote:
> I am trying to configure wpa_supplicant on my linux machine to work with
> openssl pkcs11 engine with smartcard. The wpa_supplicant doesn't load my
> pkcs11 engine.  What do I need to write in my wpa_supplicant.cnf file to
> make it work ?

wpa_supplicant/examples/openCryptoki.conf has some examples on this:
http://w1.fi/gitweb/gitweb.cgi?p=hostap.git;a=blob_plain;f=wpa_supplicant/examples/openCryptoki.conf;hb=HEAD

> I am trying to debug the wpa_supplicant in order to understand how it
> works. I can't find a place where the supplicant loads the pkcs11 engine or
> the pkcs11 module. Can you refer me to the place it happens in the code ?

Assuming your OpenSSL has engine support defined (i.e., does not define
OPENSSL_NO_ENGINE), you should see related debug messages in
wpa_supplicant -d output with ENGINE: prefix.

-- 
Jouni Malinen                                            PGP id EFC895FA
moran arx | 24 Jun 2012 14:07

Re: configure wpa_supplicant to work with openssl

Hi, 

I already looked at these examples of conf file.
The supplicant loads the enginepkcs11.so but doesn't load myengine.so.
I investigated the code and couldn't find who is supposed to load the module.
In openssl the function ENGINE_init is supposed to load it, but in wpa_supplicant no one calls this function.

Thanks, 
Moran

Jouni Malinen | 30 Jun 2012 12:42

Re: configure wpa_supplicant to work with openssl

On Sun, Jun 24, 2012 at 03:07:02PM +0300, moran arx wrote:
> I already looked at these examples of conf file.
> The supplicant loads the enginepkcs11.so but doesn't load myengine.so.
> I investigated the code and couldn't find who is supposed to load the module.
> In openssl the function ENGINE_init is supposed to load it, but in
> wpa_supplicant no one calls this function.

ENGINE_init() is called from tls_engine_init() in
src/crypto/tls_openssl.c when EAP-TLS is being initialized if the
configuration file has engine=1 like the
wpa_supplicant/examples/openCryptoki.conf example has.

You can see it in the debug log with something like this:

EAP: Status notification: accept proposed method (param=TLS)
EAP: Initialize selected EAP method: vendor 0 method 13 (TLS)
TLS: using phase1 config options
SSL: Initializing TLS engine
unable to load module /usr/lib/opencryptoki/libopencryptoki.so
ENGINE: engine init failed (engine: pkcs11) [error:80001401:PKCS11
library:PKCS11_CTX_load:Unable to load PKCS#11 module]

(I didn't have the opencryptoki package installed, but that error is
from ENGINE_init() which does get called here.)

-- 
Jouni Malinen                                            PGP id EFC895FA
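To make the pointer above concrete, here is an added wpa_supplicant.conf fragment (constructed for this thread; it is not the hostap openCryptoki.conf example nor anything the posters wrote) showing the two pieces the engine path depends on: the global engine/module paths, and engine=1 in the network block, which is what makes tls_engine_init() reach ENGINE_init(). All paths, the SSID, identity, object ids and PIN are placeholders.

```ini
# Added example, constructed for this thread (not from hostap).
# Global section: the OpenSSL engine library wpa_supplicant loads,
# and the PKCS#11 module that engine is told to load in turn.
# Both paths are placeholders; use the real ones on your system.
ctrl_interface=/var/run/wpa_supplicant
pkcs11_engine_path=/usr/lib/engines/engine_pkcs11.so
pkcs11_module_path=/usr/lib/opencryptoki/libopencryptoki.so

network={
    # placeholder SSID and identity
    ssid="example-eap-tls"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="user@example.org"
    # engine=1 is the switch: without it tls_engine_init() never
    # calls ENGINE_init(), so neither the engine nor the module is touched.
    engine=1
    engine_id="pkcs11"
    # CA certificate for validating the server (placeholder path)
    ca_cert="/etc/wpa_supplicant/ca.pem"
    # PKCS#11 object ids of the client certificate and private key
    # on the smartcard; placeholders
    cert_id="CERT_ID_PLACEHOLDER"
    key_id="KEY_ID_PLACEHOLDER"
    # smartcard PIN (placeholder); keep this file readable by root only
    pin="PIN_PLACEHOLDER"
}
```

With this in place, `wpa_supplicant -d` should print "SSL: Initializing TLS engine" when EAP-TLS starts, followed either by the ENGINE: failure shown above (wrong module path) or no error when the module loads.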
