Smartcards and wpa_supplicant
Tue Oct 12 21:05:55 PDT 2004
On Tue, Oct 12, 2004 at 03:11:05PM +0200, Gordon Hecker wrote:
> I'm working on a patch to support smartcards in wpa_supplicant.
> The smartcards are integrated via Openssl engines.
> The engines currently supported are the opensc and pkcs11
> engines from the opensc project.
This sounds like a very nice addition to wpa_supplicant. The current
version supports SIM cards with EAP-SIM/AKA, but getting TLS to use a
smartcard should make this more usable for number of cases.
I did not yet go through all the details, so only couple of quick
- are you willing to license this under dual GPL/BSD license in the same
way as the core wpa_supplicant code is licensed?
- please use func(void) instead of func()
- please verify that the end result can be compiled even if engine
support is disabled in openssl (i.e., no-engine; OPENSSL_NO_ENGINE is
defined); this may mean using #ifndef OPENSSL_NO_ENGINE in
tls_openssl.[ch]; this probably goes also for no-ui; one option would
be to use wpa_supplicant CONFIG_SMARTCARD or something similar to make
this code conditional
- please do not use global_scpin as a global variable; I would assume
there is a mechanism for registering a context pointer or something
similar for UI functions (read_scpin; which, btw, should be marked
- if you have a nice example script for generating a suitable CA
certificate and smartcard setup, it could be quite useful for testing
> If an engine is used the smartcard requires a pin code. That pin code is
> asked for via the control interface. So running wpa_cli is currently
> neccessary to provide the smartcard pin.
> The command I added to wpa_cli is "scpin <network id> <pin>". It's
> similar to the existing password and identity commands.
This should also be useful for SIM use.. I was too lazy to add this to
the control interface, but this should really be done at some point.
Both cases could then share the options of either hardcoding the pin or
getting it through ctrl_iface. I would probably rename this to simple
"pin" instead of using somewhat unclear "scpin".
Jouni Malinen PGP id EFC895FA
More information about the Hostap