Smartcards and wpa_supplicant
g.hecker at et.bocholt.fh-ge.de
Wed Oct 13 09:34:08 EDT 2004
first thanks for your interest and feedback!
Jouni Malinen wrote:
> - are you willing to license this under dual GPL/BSD license in the same
> way as the core wpa_supplicant code is licensed?
> - please use func(void) instead of func()
> - please verify that the end result can be compiled even if engine
> support is disabled in openssl (i.e., no-engine; OPENSSL_NO_ENGINE is
> defined); this may mean using #ifndef OPENSSL_NO_ENGINE in
> tls_openssl.[ch]; this probably goes also for no-ui; one option would
> be to use wpa_supplicant CONFIG_SMARTCARD or something similar to make
> this code conditional
I didn't see this as a requirement since engine support is enabled by
default in openssl-0.9.7. But anyway, I thought about that and will add
it in the next days.
I would prefer to make it default at compile time and only disable it
automatically if openssl is compiled without engine support. So I'll
take your #ifndef OPENSSL_NO_ENGINE approach.
That way it will be easier to maintain the code in my opinion - since
in case something breaks during future development it will be noticed
immediately and not only by those using smartcards.
> - please do not use global_scpin as a global variable; I would assume
> there is a mechanism for registering a context pointer or something
> similar for UI functions (read_scpin; which, btw, should be marked
That global variable seems to be an issue, I don't see a different
solution right now, but I'll discuss that on the opensc-devel list.
> - if you have a nice example script for generating a suitable CA
> certificate and smartcard setup, it could be quite useful for testing
The key and certificate will be the same as with simple EAP-TLS.
I'll include a script that can be used to initialize the smartcard in
the next version of my patch.
I'm using the opensc package that provides the engines and a set of
tools to perform various operations with smartcards.
>>If an engine is used the smartcard requires a pin code. That pin code is
>>asked for via the control interface. So running wpa_cli is currently
>>neccessary to provide the smartcard pin.
>>The command I added to wpa_cli is "scpin <network id> <pin>". It's
>>similar to the existing password and identity commands.
> This should also be useful for SIM use.. I was too lazy to add this to
> the control interface, but this should really be done at some point.
> Both cases could then share the options of either hardcoding the pin or
> getting it through ctrl_iface. I would probably rename this to simple
> "pin" instead of using somewhat unclear "scpin".
I named it scpin because the member pin already existed in struct
wpa_ssid and I didn't want to interfere with it. And I remember an
issue adding a command named "pin" to wpa_cli that interfered with the
"ping" command. But that shouldn't be too difficult to fix.
More information about the HostAP