Smartcards and wpa_supplicant

Gordon Hecker g.hecker at et.bocholt.fh-ge.de
Tue Jan 25 05:11:32 EST 2005


Hi everyone,

I started to work on the wpa_supplicant - smartcard patch again
recently.
First, a short summary to bring it all back to mind:
The patch implements smartcard support for EAP-TLS in wpa_supplicant
using the Openssl Engine interface with the engines provided by the
Opensc project. So at least in theory every smartcard supported by
Opensc should be usable. I'm using a Cryptoflex Egate USB Token.

Jouni, I worked through your suggestions from this thread:
http://lists.shmoo.com/pipermail/hostap/2004-October/008281.html
and I would like to go ahead if there's more to do.

As I said, it would be great if you could integrate the code in one of
the next wpa_supplicant releases.

There's a patch against today's cvs version:
http://ghe.dyndns.org/patches/wpa_supplicant/wpa_supplicant-engine-20050125-2.patch

The following patch works with the wpa_supplicant-0.3.4 release:
http://ghe.dyndns.org/patches/wpa_supplicant/wpa_supplicant-engine-20050117.patch

And there's an example script that initializes the Cryptoflex Egate
USB Token called initsc and a file listing the changes. Some more hints
are in the readme file.
http://ghe.dyndns.org/patches/wpa_supplicant/

Gordon

Gordon Hecker wrote:
> Hi,
> 
> I've fixed the issues you mentioned so far:
> 
> Jouni Malinen wrote:
> 
>> On Tue, Oct 12, 2004 at 03:11:05PM +0200, Gordon Hecker wrote:
>>
>>
>>> I'm working on a patch to support smartcards in wpa_supplicant.
>>> The smartcards are integrated via Openssl engines.
>>> The engines currently supported are the opensc and pkcs11
>>> engines from the opensc project.
>>
>>
>>
>> This sounds like a very nice addition to wpa_supplicant. The current
>> version supports SIM cards with EAP-SIM/AKA, but getting TLS to use a
>> smartcard should make this more usable for a number of cases.
>>
>> I did not yet go through all the details, so only a couple of quick
>> comments/questions:
>>
>> - are you willing to license this under dual GPL/BSD license in the same
>>   way as the core wpa_supplicant code is licensed?
> 
> 
> Still, yes.
> 
>> - please use func(void) instead of func()
> 
> 
> Done.
> 
>> - please verify that the end result can be compiled even if engine
>>   support is disabled in openssl (i.e., no-engine; OPENSSL_NO_ENGINE is
>>   defined); this may mean using #ifndef OPENSSL_NO_ENGINE in
>>   tls_openssl.[ch]; this probably goes also for no-ui; one option would
>>   be to use wpa_supplicant CONFIG_SMARTCARD or something similar to make
>>   this code conditional
> 
> 
> I implemented the OPENSSL_NO_ENGINE approach. So wpa_supplicant silently
> compiles with or without engine enabled in openssl. And there's an error 
> message if wpa_supplicant is compiled without engine support and the 
> configuration requires the engine.
> 
> There's no ui related code in the patch any more, so that should be no
> longer important.
> 
>> - please do not use global_scpin as a global variable; I would assume
>>   there is a mechanism for registering a context pointer or something
>>   similar for UI functions (read_scpin; which, btw, should be marked
>>   static)
> 
> 
> Solved this within the opensc engine. I sent a patch that should appear
> in opensc cvs in the next days. So all the ui stuff is removed and the
> code looks much cleaner now.
> 
> The patch for opensc is only related to the opensc engine, not to
> the pkcs11 engine.
> 
>> - if you have a nice example script for generating a suitable CA
>>   certificate and smartcard setup, it could be quite useful for testing
>>   this..
> 
> 
> There's an example script that initializes a smartcard:
> http://ghe.dyndns.org/patches/wpa_supplicant/initsc
> 
> The certificates can be the same as with EAP-TLS without smartcards.
> 
>>
>>
>>> If an engine is used the smartcard requires a pin code. That pin code is
>>> asked for via the control interface. So running wpa_cli is currently
>>> necessary to provide the smartcard pin.
>>> The command I added to wpa_cli is "scpin <network id> <pin>". It's
>>> similar to the existing password and identity commands.
>>
>>
>>
>> This should also be useful for SIM use.. I was too lazy to add this to
>> the control interface, but this should really be done at some point.
>> Both cases could then share the options of either hardcoding the pin or
>> getting it through ctrl_iface. I would probably rename this to simple
>> "pin" instead of using somewhat unclear "scpin".
>>
> I'm using the pin variable in struct wpa_ssid now and renamed "scpin" to
> "pin" everywhere. That way it should now be possible to set the pin for
> SIM too, right?
> 
> The example configuration was modified to include the smartcard related
> options.
> 
> There's some more information on how to get it all running in the files
> readme and changelog in this directory:
> http://ghe.dyndns.org/patches/wpa_supplicant/
> 
> The opensc patch required to use the opensc engine:
> http://ghe.dyndns.org/patches/opensc/opensc-engine-1.diff
> 
> and of course the new version of my patch:
> http://ghe.dyndns.org/patches/wpa_supplicant/wpa_supplicant-engine-20041018-2.patch 
> 
> 
> Jouni, it would be great if you could look into it again!
> 
> Gordon
> _______________________________________________
> HostAP mailing list
> HostAP at shmoo.com
> http://lists.shmoo.com/mailman/listinfo/hostap
> 

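As an added illustration, not part of Gordon's patch or of the files linked above: a network block in the style of wpa_supplicant.conf for EAP-TLS with the private key held on a smartcard behind an OpenSSL engine, set up so the PIN is delivered over the control interface rather than stored on disk. The option names engine, engine_id, key_id and pin are the ones later wpa_supplicant releases use for this feature; that the patch spelled them the same way is an assumption, and the SSID, paths, key id and PIN are placeholders.

```conf
# Added example configuration, not the example config shipped with the patch.
# The control interface is what wpa_cli uses to hand over the PIN.
ctrl_interface=/var/run/wpa_supplicant

network={
    ssid="corp-wlan"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="user@example.org"
    # CA and client certificate are the same files as for file-based EAP-TLS;
    # only the private key moves onto the token.
    ca_cert="/etc/cert/ca.pem"
    client_cert="/etc/cert/user.pem"
    # Load the private key through an OpenSSL engine instead of private_key=.
    # engine_id names the OpenSC-provided engine; key_id is the key object on
    # the card (value assumed here).
    engine=1
    engine_id="opensc"
    key_id="45"
    # Leaving pin= unset makes wpa_supplicant request it over the control
    # interface. Uncommenting the line below hardcodes it, which puts a
    # secret that unlocks the card into a world-readable-by-default file.
    # pin="1234"
}
```

With pin left unset, the PIN is supplied at runtime with the command the patch adds, `wpa_cli pin <network id> <pin>`, so it never sits in the config file. One practical check before relying on this: most tokens block the PIN after a handful of wrong attempts, so a mistyped pin= value in a config that is retried on every association is worse than an interactive prompt that fails once.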