Integrating the TPM into wpa_supplicant

Carolin Latze carolin.latze at unifr.ch
Thu Jan 24 09:06:10 EST 2008


Fixed that... forgot a "=" in config.h ...

Carolin Latze wrote:
> Hi,
>
> I just started integrating the openssl-tpm-engine. I added a
> tpm_engine_path variable in every file and place where I found
> opensc_engine_path. Furthermore, I modified tls_openssl.c a little bit.
> I did not add a new config option. From my understanding it should be
> sufficient to enable CONFIG_SMARTCARD, since this enables the engine (am
> I wrong?). Everything compiles fine. For the test I add
> tpm_engine_path=/path/to/libtpm.so. If I start wpa_supplicant, I get
>
> Line 18: Invalid configuration line
> 'tpm_engine_path=/usr/local/lib/openssl/engines/libtpm.so'.
>
> My wpa_supplicant.conf starts like this:
>
> ~~~
>
> ctrl_interface=/var/run/wpa_supplicant
> ctrl_interface_group=wheel
>
> eapol_version=1
> ap_scan=2
> fast_reauth=1
>
> tpm_engine_path=/usr/local/lib/openssl/engines/libtpm.so
>
> network={
>
> ~~~
>
>
> That means that wpa_supplicant is not able to parse
> tpm_engine_path, doesn't it? If I change tpm_engine_path to
> opensc_engine_path I do not get that error (I'll get another one, since
> I still point to the tpm engine, but that's ok). I tried to grep through
> the code to find the file, which causes this error message, but I didn't
> find it. It should be sufficient to add the variable tpm_engine_path to
>
> config.{h|c}
> config_file.c
>
> shouldn't it? (well, obviously not :-)) I compared all occurrences of
> opensc_engine_path with tpm_engine_path, I don't see any differences...
>
> Does somebody on this list have any idea?
>
> Thanks
> Carolin
>
> Jouni Malinen wrote:
>> On Fri, Jan 18, 2008 at 02:06:45PM +0100, Carolin Latze wrote:
>>
>>> I had a look at the smart card integration into wpa_supplicant and saw
>>> that the smart card is only used to store the private key. The
>>> wpa_supplicant just copies the private key from the smart card into its
>>> own memory and works as always.
>> That's not accurate. OpenSSL engine can be used to perform private key
>> operations without wpa_supplicant ever having to see the key. Likewise,
>> tls_openssl.c has support for using Windows CryptoAPI for RSA private
>> key operations; again, without copying the private key.
>>
>> I would assume you could follow either of these options: enhance OpenSSL
>> engine to handle the private key operations with TPM or implement
>> TPM-specific RSA operations in tls_openssl.c (see the CryptoAPI example
>> there; e.g., tls_cryptoapi_cert() registers the specific RSA operations
>> to get OpenSSL to call CryptoAPI wrappers in tls_openssl.c for RSA
>> functions).
>>
>>> I had a look at the source code and think, that I have to extend the
>>> tls_openssl.c. Is that right? I see, that this file is also responsible
>>> for the communication with the smart card, so it seems a good place for
>>> the TPM.
>> If you are going to be using OpenSSL, yes, that would likely be a good
>> location for modifications.
>>
>>> Are there more smart card related things in the code? (Yes, I know, in
>>> the config file, but are there more?) I mean, is it sufficient to modify
>>> tls_openssl.c?
>> As far as EAP-TLS is concerned, smartcard access is mostly contained in
>> tls_*.c, i.e., in case of OpenSSL, in tls_openssl.c.
>>
>

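An added illustration, not wpa_supplicant's own source, of the table-driven parsing behind the "Invalid configuration line" error discussed in this thread: a global key is accepted only when the parser's table has an entry for it, so a new option such as tpm_engine_path needs a table entry and a parse callback, not just a field in the config struct. The struct, function and table names below are assumptions modelled on that pattern rather than copied from config.c or config_file.c.

```c
/* Added example (not wpa_supplicant code): table-driven parser for global
 * "key=value" lines. Names (struct config, global_fields, ...) are
 * assumptions; the point is that an unregistered key is rejected. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct config {
    char *opensc_engine_path;
    char *tpm_engine_path;   /* hypothetical new field from the thread */
    int eapol_version;
};

/* One entry per accepted global key: its name and how to parse its value. */
struct global_field {
    const char *name;
    int (*parse)(struct config *cfg, const char *value);
};

static int set_string(char **dst, const char *value)
{
    size_t len = strlen(value) + 1;
    char *copy = malloc(len);
    if (copy == NULL)
        return -1;
    memcpy(copy, value, len);
    free(*dst);
    *dst = copy;
    return 0;
}

static int parse_opensc_engine_path(struct config *cfg, const char *v)
{ return set_string(&cfg->opensc_engine_path, v); }

static int parse_tpm_engine_path(struct config *cfg, const char *v)
{ return set_string(&cfg->tpm_engine_path, v); }

static int parse_eapol_version(struct config *cfg, const char *v)
{
    char *end;
    long n = strtol(v, &end, 10);
    if (*v == '\0' || *end != '\0' || n < 1 || n > 2)
        return -1;              /* only versions 1 and 2 are meaningful */
    cfg->eapol_version = (int) n;
    return 0;
}

static const struct global_field global_fields[] = {
    { "opensc_engine_path", parse_opensc_engine_path },
    { "tpm_engine_path",    parse_tpm_engine_path },  /* omit this line and the
                                                         key is "invalid" */
    { "eapol_version",      parse_eapol_version },
};

/* Parse one "key=value" line. Returns 0 on success, -1 for an unknown key
 * or a bad value; the caller is expected to skip blank and '#' lines. */
int config_process_global(struct config *cfg, const char *line, int lineno)
{
    const char *eq = strchr(line, '=');
    size_t i, keylen;

    if (eq == NULL)
        goto invalid;
    keylen = (size_t) (eq - line);
    for (i = 0; i < sizeof(global_fields) / sizeof(global_fields[0]); i++) {
        const struct global_field *f = &global_fields[i];
        if (strlen(f->name) == keylen && strncmp(f->name, line, keylen) == 0) {
            if (f->parse(cfg, eq + 1) == 0)
                return 0;
            goto invalid;   /* known key, unusable value */
        }
    }
invalid:
    fprintf(stderr, "Line %d: Invalid configuration line '%s'.\n", lineno, line);
    return -1;
}

void config_free(struct config *cfg)
{
    free(cfg->opensc_engine_path);
    free(cfg->tpm_engine_path);
    memset(cfg, 0, sizeof(*cfg));
}

int main(void)
{
    struct config cfg = { 0 };
    /* constructed sample lines, mirroring the conf excerpt in the thread */
    const char *lines[] = {
        "eapol_version=1",
        "tpm_engine_path=/usr/local/lib/openssl/engines/libtpm.so",
        "not_a_real_key=1",
    };
    int i;
    for (i = 0; i < 3; i++) {
        int rc = config_process_global(&cfg, lines[i], i + 1);
        printf("%-60s -> %s\n", lines[i], rc == 0 ? "ok" : "rejected");
    }
    config_free(&cfg);
    return 0;
}
```

Deleting the tpm_engine_path entry from global_fields (while keeping the struct field) reproduces exactly the symptom reported above: the file compiles, but the key is reported as an invalid configuration line at run time, because the parser never consults the struct, only the table.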