Smartcards and wpa_supplicant
g.hecker at et.bocholt.fh-ge.de
Tue Jan 25 05:11:32 EST 2005
I started to work on the wpa_supplicant smartcard patch again.
First a short summary to get it all back to your mind:
The patch implements smartcard support for EAP-TLS in wpa_supplicant
using the Openssl Engine interface with the engines provided by the
Opensc project. So at least in theory every smartcard supported by
Opensc should be usable. I'm using a Cryptoflex Egate USB Token.
Jouni, I worked through your suggestions from this thread:
and I would like to go ahead if there's more to do.
As I said, it would be great if you could integrate the code in one of
the next wpa_supplicant releases.
There's a patch against today's cvs version:
The following patch works with the wpa_supplicant-0.3.4 release:
And there's an example script that initializes the Cryptoflex Egate
USB Token called initsc and a file listing the changes. Some more hints
are in the readme file.
Gordon Hecker wrote:
> I've fixed the issues you mentioned so far:
> Jouni Malinen wrote:
>> On Tue, Oct 12, 2004 at 03:11:05PM +0200, Gordon Hecker wrote:
>>> I'm working on a patch to support smartcards in wpa_supplicant.
>>> The smartcards are integrated via Openssl engines.
>>> The engines currently supported are the opensc and pkcs11
>>> engines from the opensc project.
>> This sounds like a very nice addition to wpa_supplicant. The current
>> version supports SIM cards with EAP-SIM/AKA, but getting TLS to use a
>> smartcard should make this more usable for a number of cases.
>> I did not yet go through all the details, so only a couple of quick
>> - are you willing to license this under dual GPL/BSD license in the same
>> way as the core wpa_supplicant code is licensed?
> Still, yes.
>> - please use func(void) instead of func()
>> - please verify that the end result can be compiled even if engine
>> support is disabled in openssl (i.e., no-engine; OPENSSL_NO_ENGINE is
>> defined); this may mean using #ifndef OPENSSL_NO_ENGINE in
>> tls_openssl.[ch]; this probably goes also for no-ui; one option would
>> be to use wpa_supplicant CONFIG_SMARTCARD or something similar to make
>> this code conditional
> I implemented the OPENSSL_NO_ENGINE approach. So wpa_supplicant silently
> compiles with or without engine enabled in openssl. And there's an error
> message if wpa_supplicant is compiled without engine support and the
> configuration requires the engine.
> There's no ui related code in the patch any more, so that should be no
> longer important.
>> - please do not use global_scpin as a global variable; I would assume
>> there is a mechanism for registering a context pointer or something
>> similar for UI functions (read_scpin; which, btw, should be marked
> Solved this within the opensc engine. I sent a patch that should appear
> in opensc cvs in the next days. So all the ui stuff is removed and the
> code looks much cleaner now.
> The patch for opensc is only related to the opensc engine, not to
> the pkcs11 engine.
>> - if you have a nice example script for generating a suitable CA
>> certificate and smartcard setup, it could be quite useful for testing
> There's an example script that initializes a smartcard:
> The certificates can be the same as with EAP-TLS without smartcards.
>>> If an engine is used the smartcard requires a pin code. That pin code is
>>> asked for via the control interface. So running wpa_cli is currently
>>> necessary to provide the smartcard pin.
>>> The command I added to wpa_cli is "scpin <network id> <pin>". It's
>>> similar to the existing password and identity commands.
>> This should also be useful for SIM use.. I was too lazy to add this to
>> the control interface, but this should really be done at some point.
>> Both cases could then share the options of either hardcoding the pin or
>> getting it through ctrl_iface. I would probably rename this to simple
>> "pin" instead of using somewhat unclear "scpin".
> I'm using the pin variable in struct wpa_ssid now and renamed "scpin" to
> "pin" everywhere. That way it should now be possible to set the pin for
> SIM too, right?
> The example configuration was modified to include the smartcard related
> There's some more information on how to get it all running in the files
> readme and changelog in this directory:
> The opensc patch required to use the opensc engine:
> and of course the new version of my patch:
> Jouni, it would be great if you could look into it again!