Smartcards and wpa_supplicant

Jouni Malinen jkmaline at cc.hut.fi
Wed Oct 13 00:05:55 EDT 2004


On Tue, Oct 12, 2004 at 03:11:05PM +0200, Gordon Hecker wrote:

> I'm working on a patch to support smartcards in wpa_supplicant.
> The smartcards are integrated via Openssl engines.
> The engines currently supported are the opensc and pkcs11
> engines from the opensc project.

This sounds like a very nice addition to wpa_supplicant. The current
version supports SIM cards with EAP-SIM/AKA, but getting TLS to use a
smartcard should make this more usable for number of cases.

I did not yet go through all the details, so only couple of quick
comments/questions:

- are you willing to license this under dual GPL/BSD license in the same
  way as the core wpa_supplicant code is licensed?
- please use func(void) instead of func()
- please verify that the end result can be compiled even if engine
  support is disabled in openssl (i.e., no-engine; OPENSSL_NO_ENGINE is
  defined); this may mean using #ifndef OPENSSL_NO_ENGINE in
  tls_openssl.[ch]; this probably goes also for no-ui; one option would
  be to use wpa_supplicant CONFIG_SMARTCARD or something similar to make
  this code conditional
- please do not use global_scpin as a global variable; I would assume
  there is a mechanism for registering a context pointer or something
  similar for UI functions (read_scpin; which, btw, should be marked
  static)
- if you have a nice example script for generating a suitable CA
  certificate and smartcard setup, it could be quite useful for testing
  this..

> If an engine is used the smartcard requires a pin code. That pin code is
> asked for via the control interface. So running wpa_cli is currently
> neccessary to provide the smartcard pin.
> The command I added to wpa_cli is "scpin <network id> <pin>". It's
> similar to the existing password and identity commands.

This should also be useful for SIM use.. I was too lazy to add this to
the control interface, but this should really be done at some point.
Both cases could then share the options of either hardcoding the pin or
getting it through ctrl_iface. I would probably rename this to simple
"pin" instead of using somewhat unclear "scpin".

-- 
Jouni Malinen                                            PGP id EFC895FA



More information about the HostAP mailing list