Smartcards and wpa_supplicant

Gordon Hecker g.hecker at et.bocholt.fh-ge.de
Mon Oct 18 10:25:49 EDT 2004


Hi,

I've fixed the issues you mentioned so far:

Jouni Malinen wrote:
> On Tue, Oct 12, 2004 at 03:11:05PM +0200, Gordon Hecker wrote:
> 
> 
>>I'm working on a patch to support smartcards in wpa_supplicant.
>>The smartcards are integrated via Openssl engines.
>>The engines currently supported are the opensc and pkcs11
>>engines from the opensc project.
> 
> 
> This sounds like a very nice addition to wpa_supplicant. The current
> version supports SIM cards with EAP-SIM/AKA, but getting TLS to use a
> smartcard should make this more usable for a number of cases.
> 
> I did not yet go through all the details, so only a couple of quick
> comments/questions:
> 
> - are you willing to license this under dual GPL/BSD license in the same
>   way as the core wpa_supplicant code is licensed?

Still, yes.

> - please use func(void) instead of func()

Done.

> - please verify that the end result can be compiled even if engine
>   support is disabled in openssl (i.e., no-engine; OPENSSL_NO_ENGINE is
>   defined); this may mean using #ifndef OPENSSL_NO_ENGINE in
>   tls_openssl.[ch]; this probably goes also for no-ui; one option would
>   be to use wpa_supplicant CONFIG_SMARTCARD or something similar to make
>   this code conditional

I implemented the OPENSSL_NO_ENGINE approach. So wpa_supplicant silently
compiles with or without engine enabled in openssl. And there's an error 
message if wpa_supplicant is compiled without engine support and the 
configuration requires the engine.

There's no ui related code in the patch any more, so that should no
longer be important.

> - please do not use global_scpin as a global variable; I would assume
>   there is a mechanism for registering a context pointer or something
>   similar for UI functions (read_scpin; which, btw, should be marked
>   static)

Solved this within the opensc engine. I sent a patch that should appear
in opensc cvs in the next days. So all the ui stuff is removed and the
code looks much cleaner now.

The patch for opensc is only related to the opensc engine, not to
the pkcs11 engine.

> - if you have a nice example script for generating a suitable CA
>   certificate and smartcard setup, it could be quite useful for testing
>   this..

There's an example script that initializes a smartcard:
http://ghe.dyndns.org/patches/wpa_supplicant/initsc

The certificates can be the same as with eap-tls without smartcards.

> 
> 
>>If an engine is used the smartcard requires a pin code. That pin code is
>>asked for via the control interface. So running wpa_cli is currently
>>necessary to provide the smartcard pin.
>>The command I added to wpa_cli is "scpin <network id> <pin>". It's
>>similar to the existing password and identity commands.
> 
> 
> This should also be useful for SIM use.. I was too lazy to add this to
> the control interface, but this should really be done at some point.
> Both cases could then share the options of either hardcoding the pin or
> getting it through ctrl_iface. I would probably rename this to simply
> "pin" instead of using somewhat unclear "scpin".
> 
I'm using the pin variable in struct wpa_ssid now and renamed "scpin" to
"pin" everywhere. That way it should now be possible to set the pin for
SIM too, right?

The example configuration was modified to include the smartcard related
options.

There's some more information on how to get it all running in the files
readme and changelog in this directory:
http://ghe.dyndns.org/patches/wpa_supplicant/

The opensc patch required to use the opensc engine:
http://ghe.dyndns.org/patches/opensc/opensc-engine-1.diff

and of course the new version of my patch:
http://ghe.dyndns.org/patches/wpa_supplicant/wpa_supplicant-engine-20041018-2.patch

Jouni, it would be great if you could look into it again!

Gordon
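As an added illustration, not part of Gordon's patch or of this thread, here is what the two ways of handling the PIN that Jouni mentions (hardcoding it, or getting it through ctrl_iface) look like in a wpa_supplicant.conf network block. It uses the option names that wpa_supplicant.conf later adopted for engine-based EAP-TLS (engine, engine_id, key_id, pin); that the 2004 patch used exactly these names, and the key reference "45", are assumptions.

```conf
# Constructed example wpa_supplicant.conf fragment (not from the patch).
# The control interface is what wpa_cli talks to; restrict its group.
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel

# Variant 1: PIN hardcoded in the configuration file.
# Anyone who can read this file can unlock the card's private key, so the
# file itself becomes a secret (keep it mode 0600, owned by root).
network={
    ssid="example-eap-tls-hardcoded"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="user@example.org"
    ca_cert="/etc/cert/ca.pem"
    engine=1
    engine_id="opensc"      # or "pkcs11" for the pkcs11 engine
    key_id="45"             # constructed: key reference on the card
    pin="1234"              # constructed: secret stored at rest
}

# Variant 2: no pin= line. wpa_supplicant asks for the PIN over the
# control interface and it is entered at runtime, e.g. with wpa_cli:
#   pin <network id> <pin>
# The config file then holds no card secret, only the key reference.
network={
    ssid="example-eap-tls-ctrl-iface"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="user@example.org"
    ca_cert="/etc/cert/ca.pem"
    engine=1
    engine_id="opensc"
    key_id="45"             # constructed: key reference on the card
}
```

With variant 2 the PIN lives only in wpa_supplicant's memory for the lifetime of the process, so a leaked configuration file does not expose it.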
