* Re: [tpm2] Support for EAP-TLS with openssl TPM2 engine
@ 2019-03-13 23:56 David Woodhouse
  0 siblings, 0 replies; 3+ messages in thread
From: David Woodhouse @ 2019-03-13 23:56 UTC (permalink / raw)
  To: tpm2

On Sat, 2019-01-12 at 12:59 +0100, huger(a)web.de wrote:
> Hi
> 
> I am working on a plan to operate mobile Linux computers and would like 
> them to use corporate wifi with EAP TLS. Security requires us to safely 
> store the client key. Easiest solution would be in the computer's TPM 
> 2.0 device.
> 
> So far we were not successful trying to set this up with wpa_supplicant 
> and pkcs11 engine. Even if successful a solution with these multiple 
> layers of abstraction is quite complex and therefore might be prone to 
> updates of any of the components.
> 
> So I wonder if there are plans to directly support openssl tpm2 engine?

Here's a quick hack to make it work by abusing the OpenSC engine
config, as a proof of concept. Making it work cleanly so that it can be
merged is left as an exercise for the reader, or perhaps an interested
party in one of the mailing lists I've added to Cc.

I have no idea why wpa_supplicant doesn't call ENGINE_load_dynamic()
for current versions of OpenSSL. That seems to be a bug, which is why
I've removed the #ifdefs around it.

Signed-off-by: David Woodhouse <dwmw2(a)infradead.org> (not that you'd
want to apply it as-is).

diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index 705fa29a3..546d3a598 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -864,7 +864,7 @@ static int tls_engine_load_dynamic_pkcs11(const char *pkcs11_so_path,
  */
 static int tls_engine_load_dynamic_opensc(const char *opensc_so_path)
 {
-	char *engine_id = "opensc";
+	char *engine_id = "tpm2";
 	const char *pre_cmd[] = {
 		"SO_PATH", NULL /* opensc_so_path */,
 		"ID", NULL /* engine_id */,
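Review bot: hardcoding engine_id = "tpm2" inside tls_engine_load_dynamic_opensc() repurposes the opensc_engine_path option, so anyone who actually points that option at the OpenSC engine now gets a load failure, because the dynamic engine's "ID" pre-command must match the id the loaded library reports. Suggest a separate loader with its own config option (a hypothetical tls_engine_load_dynamic_tpm2()), or a generic engine path plus engine id pair, and update the `/* opensc_so_path */` and `/* engine_id */` placeholder comments and the doc comment closing at ` */` to match whichever is chosen.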
@@ -1034,10 +1034,8 @@ void * tls_init(const struct tls_config *conf)
 
 #ifndef OPENSSL_NO_ENGINE
 	wpa_printf(MSG_DEBUG, "ENGINE: Loading dynamic engine");
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
 	ERR_load_ENGINE_strings();
 	ENGINE_load_dynamic();
-#endif /* OPENSSL_VERSION_NUMBER */
 
 	if (conf &&
 	    (conf->opensc_engine_path || conf->pkcs11_engine_path ||
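Review bot: removing the `#if OPENSSL_VERSION_NUMBER < 0x10100000L` guard around ERR_load_ENGINE_strings() and ENGINE_load_dynamic() needs a rationale in the commit message rather than "I have no idea why". On OpenSSL 1.1.0 and later ENGINE_load_dynamic() is provided as a compatibility macro for OPENSSL_init_crypto(OPENSSL_INIT_ENGINE_DYNAMIC, NULL), and default library initialisation does not register the "dynamic" engine, which is why the loading below fails when the call is compiled out. Suggest keeping the guard and adding an `#else` branch that calls OPENSSL_init_crypto(OPENSSL_INIT_ENGINE_DYNAMIC, NULL) explicitly, so the intent survives builds where the compatibility macros are hidden by OPENSSL_API_COMPAT.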
diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
index 1bd43b226..b3045fb3d 100644
--- a/wpa_supplicant/wpa_supplicant.conf
+++ b/wpa_supplicant/wpa_supplicant.conf
@@ -174,7 +174,7 @@ fast_reauth=1
 # private_key option appear to be a PKCS#11 URI, and these options
 # should not need to be used explicitly.
 # make the opensc engine available
-#opensc_engine_path=/usr/lib/opensc/engine_opensc.so
+opensc_engine_path=/home/dwmw/git/openssl_tpm2_engine/.libs/libtpm2.so
 # make the pkcs11 engine available
 #pkcs11_engine_path=/usr/lib/opensc/engine_pkcs11.so
 # configure the path to the pkcs11 module required by the pkcs11 engine
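Review bot: the shipped example configuration now has a developer-specific absolute path (/home/dwmw/git/openssl_tpm2_engine/.libs/libtpm2.so) uncommented, directly under a comment that still reads "make the opensc engine available"; anyone copying wpa_supplicant.conf as a template gets a failed engine load on every start. Keep the opensc line commented as before and, once the loader has its own option, add a commented example line with a matching comment, e.g. `#tpm2_engine_path=<path-to>/libtpm2.so` (option name hypothetical).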

* Re: [tpm2] Support for EAP-TLS with openssl TPM2 engine
@ 2019-03-14 16:41 David Woodhouse
  0 siblings, 0 replies; 3+ messages in thread
From: David Woodhouse @ 2019-03-14 16:41 UTC (permalink / raw)
  To: tpm2

On Thu, 2019-03-14 at 09:19 -0700, Andersen, John wrote:
> Sweet! I'd been working on this too, I just got the hostapd / wpa_supplicant
> test stuff working and was going to try setting
> pkcs11_engine_path=/usr/lib/opensc/engine_pkcs11.so
> 
> To the tpm2-software/tpm2-pkcs11 library.
> 
> From the amount of changes it took you, it seems like your approach is cleaner,
> so, out of curiosity, what was your rationale for going with this approach? I
> was going to try the pkcs11 way because I came across
> 
> https://w1.fi/cgit/hostap/plain/wpa_supplicant/examples/openCryptoki.conf
> 
> But, I haven't gotten to it yet as I got sidetracked right after I got the tests
> up and running.

If you are using the TPMv2 PKCS#11 token (or indeed any PKCS#11 token)
and it's installed correctly, it ought to Just Work.

You should be able to just give a PKCS#11 URI in place of a filename
for any key or certificate, and any well-behaved application will do
the right thing. I believe wpa_supplicant meets that definition of
"well-behaved application", by automatically using the PKCS#11 ENGINE
when the "filename" it's given is actually a PKCS#11 URI.

(Except for the fact that all ENGINE loading is broken in
wpa_supplicant right now because the init call was removed, as noted).
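What the "well-behaved application" case above amounts to in practice, as an added example that is not from this thread or the hostap project: an EAP-TLS network block that hands the client certificate and private key to the PKCS#11 engine by giving PKCS#11 URIs in place of file names, so the key never leaves the TPM. The module path, token label, object labels and SSID are assumptions; the `pin` field is assumed to be where wpa_supplicant reads the token PIN for engine-backed keys.

```conf
# Added example: wpa_supplicant.conf for EAP-TLS with the client key held
# in a PKCS#11 token (a TPM 2.0 token via tpm2-pkcs11). Paths, labels and
# names are constructed for illustration, not taken from the thread.

# Engine and module. Only needed when OpenSSL cannot find the pkcs11
# engine or the PKCS#11 module by itself; the engine path is the one
# from the thread, the module path is assumed.
pkcs11_engine_path=/usr/lib/opensc/engine_pkcs11.so
pkcs11_module_path=/usr/lib/pkcs11/libtpm2_pkcs11.so

network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="laptop-0042@example.com"

    # Server validation: CA on disk, plus a full match on the RADIUS
    # server name so a rogue AP with any other cert from the same CA
    # is still rejected.
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_match="radius.example.com"

    # Client credentials as PKCS#11 URIs instead of file names.
    # wpa_supplicant sees the "pkcs11:" prefix and routes the handshake
    # signature through the pkcs11 engine; no key file exists on disk.
    client_cert="pkcs11:token=wifi;object=wifi-client;type=cert"
    private_key="pkcs11:token=wifi;object=wifi-client;type=private"

    # User PIN of the token (assumed to be read from this field).
    pin="PLACEHOLDER-PIN"
}
```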

* Re: [tpm2] Support for EAP-TLS with openssl TPM2 engine
@ 2019-03-14 16:19 Andersen, John
  0 siblings, 0 replies; 3+ messages in thread
From: Andersen, John @ 2019-03-14 16:19 UTC (permalink / raw)
  To: tpm2

On Wed, Mar 13, 2019 at 04:56:17PM -0700, David Woodhouse wrote:
> On Sat, 2019-01-12 at 12:59 +0100, huger(a)web.de wrote:
> > Hi
> > 
> > I am working on a plan to operate mobile Linux computers and would like 
> > them to use corporate wifi with EAP TLS. Security requires us to safely 
> > store the client key. Easiest solution would be in the computer's TPM 
> > 2.0 device.
> > 
> > So far we were not successful trying to set this up with wpa_supplicant 
> > and pkcs11 engine. Even if successful a solution with these multiple 
> > layers of abstraction is quite complex and therefore might be prone to 
> > updates of any of the components.
> > 
> > So I wonder if there are plans to directly support openssl tpm2 engine?
> 
> Here's a quick hack to make it work by abusing the OpenSC engine
> config, as a proof of concept. Making it work cleanly so that it can be
> merged is left as an exercise for the reader, or perhaps an interested
> party in one of the mailing lists I've added to Cc.
> 
> I have no idea why wpa_supplicant doesn't call ENGINE_load_dynamic()
> for current versions of OpenSSL. That seems to be a bug, which is why
> I've removed the #ifdefs around it.
> 
> Signed-off-by: David Woodhouse <dwmw2(a)infradead.org> (not that you'd
> want to apply it as-is).
> 
> diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
> index 705fa29a3..546d3a598 100644
> --- a/src/crypto/tls_openssl.c
> +++ b/src/crypto/tls_openssl.c
> @@ -864,7 +864,7 @@ static int tls_engine_load_dynamic_pkcs11(const char *pkcs11_so_path,
>   */
>  static int tls_engine_load_dynamic_opensc(const char *opensc_so_path)
>  {
> -	char *engine_id = "opensc";
> +	char *engine_id = "tpm2";
>  	const char *pre_cmd[] = {
>  		"SO_PATH", NULL /* opensc_so_path */,
>  		"ID", NULL /* engine_id */,
> @@ -1034,10 +1034,8 @@ void * tls_init(const struct tls_config *conf)
>  
>  #ifndef OPENSSL_NO_ENGINE
>  	wpa_printf(MSG_DEBUG, "ENGINE: Loading dynamic engine");
> -#if OPENSSL_VERSION_NUMBER < 0x10100000L
>  	ERR_load_ENGINE_strings();
>  	ENGINE_load_dynamic();
> -#endif /* OPENSSL_VERSION_NUMBER */
>  
>  	if (conf &&
>  	    (conf->opensc_engine_path || conf->pkcs11_engine_path ||
> diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
> index 1bd43b226..b3045fb3d 100644
> --- a/wpa_supplicant/wpa_supplicant.conf
> +++ b/wpa_supplicant/wpa_supplicant.conf
> @@ -174,7 +174,7 @@ fast_reauth=1
>  # private_key option appear to be a PKCS#11 URI, and these options
>  # should not need to be used explicitly.
>  # make the opensc engine available
> -#opensc_engine_path=/usr/lib/opensc/engine_opensc.so
> +opensc_engine_path=/home/dwmw/git/openssl_tpm2_engine/.libs/libtpm2.so
>  # make the pkcs11 engine available
>  #pkcs11_engine_path=/usr/lib/opensc/engine_pkcs11.so
>  # configure the path to the pkcs11 module required by the pkcs11 engine

Sweet! I'd been working on this too, I just got the hostapd / wpa_supplicant
test stuff working and was going to try setting
pkcs11_engine_path=/usr/lib/opensc/engine_pkcs11.so

To the tpm2-software/tpm2-pkcs11 library.

From the amount of changes it took you, it seems like your approach is cleaner,
so, out of curiosity, what was your rationale for going with this approach? I
was going to try the pkcs11 way because I came across

https://w1.fi/cgit/hostap/plain/wpa_supplicant/examples/openCryptoki.conf

But, I haven't gotten to it yet as I got sidetracked right after I got the tests
up and running.

Thanks,
John
