ctrl_iface support for OpenSSL PKCS#11 configuration

Jouni Malinen
Fri Jun 8 10:46:32 PDT 2012

On Tue, May 08, 2012 at 01:42:27PM +0200, Enrico wrote:
> after reading the wpa_ctrl docs and experimenting a bit with wpa_cli,
> i still can not understand if the wpa_ctrl interface supports setting
> OpenSSL PKCS#11 configuration at runtime. In particular, for our platform, we 
> are interested in setting global variables:
> 	pkcs11_engine_path=/usr/lib/opensc/engine_pkcs11.so
> 	pkcs11_module_path=/usr/lib/pkcs11/opensc-pkcs11.so
> However 'set' command in wpa_cli outputs only the following properties:

> Are they simply not implemented in wpa_cli vars list?

Yeah, there are quite a few parameters that can be set with the SET
command even though they are not listed by wpa_cli. You can set the
pkcs11_engine_path and pkcs11_module_path there, but please note that
this does not necessarily mean that you get the behavior you want.
These parameters are used at the time the network interface is added. As
such, you would be too late when setting these parameters through the
control interface. There is actually a related TODO comment in
wpa_supplicant_reload_configuration(), i.e., the same issue shows up
with reloading of a modified configuration file. More code would be
needed to address these cases so that the EAPOL state machine would be
notified of modified parameters to allow OpenSSL to be re-initialized in
this type of case.

> If we do not use a configuration backend, is there a way to set these 'global' 
> properties at runtime?

There is, but with the caveat of not every global parameter taking
effect at the time the value is changed.

> Another question:
> does 'set_network' command support these fields?
> 	engine=1
> 	engine_id="pkcs11"
> 	key_id="4"
> 	cert_id="4"
> 	ca_cert_id="1"
> 	pin="123456"

Yes, set_network should allow setting of any network block parameter
that can be used through the configuration file.

Jouni Malinen                                            PGP id EFC895FA
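The split the reply describes, as an added example (not code from the mailing-list post or from the hostap project): the global pkcs11_engine_path/pkcs11_module_path values are written into the configuration file, because wpa_supplicant only reads them when the interface is added, while the per-network engine fields from the question are pushed at runtime through the control interface with set_network. The interface name wlan0, the SSID, the identity and the config path are assumptions; the object IDs and PIN are the ones from the question. The script also shows the quoting rule for string fields and tears the network block down again if any set_network is rejected, so no half-configured block carrying the PIN is left behind.

```shell
#!/bin/sh
# Added example, not part of the hostap project or the original post.
# Assumed: interface wlan0, SSID "corp-eap", identity user@example.org,
# config file path below. Object IDs and PIN are the ones from the question.

IFACE="${IFACE:-wlan0}"
WPA_CLI="${WPA_CLI:-wpa_cli}"        # command used to reach the ctrl_iface
WPA_CONF="${WPA_CONF:-/etc/wpa_supplicant/wpa_supplicant.conf}"

# Global parameters. 'wpa_cli set pkcs11_engine_path ...' is accepted, but
# the value is only used when the interface is added, so these belong in the
# file wpa_supplicant reads at startup (wpa_supplicant -i wlan0 -c FILE).
write_global_conf() {
    cat > "$1" <<'EOF'
ctrl_interface=/var/run/wpa_supplicant
pkcs11_engine_path=/usr/lib/opensc/engine_pkcs11.so
pkcs11_module_path=/usr/lib/pkcs11/opensc-pkcs11.so
EOF
    chmod 600 "$1"      # the file may later carry a PIN; keep it private
}

# Send one command over the control interface; succeed only on an "OK" reply.
ctrl() {
    reply=$("$WPA_CLI" -i "$IFACE" "$@") || return 1
    [ "$reply" = "OK" ] && return 0
    echo "ctrl_iface: $* -> $reply" >&2
    return 1
}

# String-valued network fields carry their own double quotes on the wire
# (set_network 0 ssid "corp-eap"); numeric/enum fields are passed bare.
q() { printf '"%s"' "$1"; }

# Create and fill a network block at runtime. Prints the network id on
# success; on any failure removes the half-built block again.
configure_pkcs11_network() {
    id=$("$WPA_CLI" -i "$IFACE" add_network) || return 1
    case "$id" in ''|*[!0-9]*) echo "add_network: $id" >&2; return 1 ;; esac

    ctrl set_network "$id" ssid       "$(q corp-eap)"         &&
    ctrl set_network "$id" key_mgmt   WPA-EAP                 &&
    ctrl set_network "$id" eap        TLS                     &&
    ctrl set_network "$id" identity   "$(q user@example.org)" &&
    ctrl set_network "$id" engine     1                       &&
    ctrl set_network "$id" engine_id  "$(q pkcs11)"           &&
    ctrl set_network "$id" ca_cert_id "$(q 1)"                &&
    ctrl set_network "$id" cert_id    "$(q 4)"                &&
    ctrl set_network "$id" key_id     "$(q 4)"                &&
    ctrl set_network "$id" pin        "$(q 123456)"           &&
    ctrl enable_network "$id"                                 || {
        "$WPA_CLI" -i "$IFACE" remove_network "$id" >/dev/null 2>&1
        return 1
    }
    echo "$id"
}

# Usage: 'sh this.sh conf' before starting wpa_supplicant, then
#        'sh this.sh network' once it is running.
case "${1:-}" in
    conf)    write_global_conf "$WPA_CONF" ;;
    network) configure_pkcs11_network ;;
esac
```

If the PIN should not sit in the configuration at all, leave the pin field unset; wpa_supplicant then asks for it over the control interface with a CTRL-REQ-PIN request, which wpa_cli answers with its "pin" command.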
