Smartcards and wpa_supplicant

Gordon Hecker g.hecker
Wed Oct 13 06:34:08 PDT 2004


Hi,

First, thanks for your interest and feedback!

Jouni Malinen wrote:
> 
> - are you willing to license this under dual GPL/BSD license in the same
>   way as the core wpa_supplicant code is licensed?
Yes.

> - please use func(void) instead of func()
Done.

> - please verify that the end result can be compiled even if engine
>   support is disabled in openssl (i.e., no-engine; OPENSSL_NO_ENGINE is
>   defined); this may mean using #ifndef OPENSSL_NO_ENGINE in
>   tls_openssl.[ch]; this probably goes also for no-ui; one option would
>   be to use wpa_supplicant CONFIG_SMARTCARD or something similar to make
>   this code conditional
I didn't see this as a requirement since engine support is enabled by
default in openssl-0.9.7. But anyway, I thought about that and will add
it in the next days.
I would prefer to make it default at compile time and only disable it
automatically if openssl is compiled without engine support. So I'll
take your #ifndef OPENSSL_NO_ENGINE approach.
That way it will be easier to maintain the code in my opinion - since
in case something breaks during future development it will be noticed
immediately and not only by those using smartcards.

> - please do not use global_scpin as a global variable; I would assume
>   there is a mechanism for registering a context pointer or something
>   similar for UI functions (read_scpin; which, btw, should be marked
>   static)
That global variable seems to be an issue, I don't see a different
solution right now, but I'll discuss that on the opensc-devel list.

> - if you have a nice example script for generating a suitable CA
>   certificate and smartcard setup, it could be quite useful for testing
>   this..
The key and certificate will be the same as with simple EAP-TLS.
I'll include a script that can be used to initialize the smartcard in
the next version of my patch.
I'm using the opensc package that provides the engines and a set of
tools to perform various operations with smartcards.

> 
> 
>>If an engine is used the smartcard requires a pin code. That pin code is
>>asked for via the control interface. So running wpa_cli is currently
>>necessary to provide the smartcard pin.
>>The command I added to wpa_cli is "scpin <network id> <pin>". It's
>>similar to the existing password and identity commands.
> 
> 
> This should also be useful for SIM use.. I was too lazy to add this to
> the control interface, but this should really be done at some point.
> Both cases could then share the options of either hardcoding the pin or
> getting it through ctrl_iface. I would probably rename this to simple
> "pin" instead of using somewhat unclear "scpin".
I named it scpin because the member pin already existed in struct
wpa_ssid and I didn't want to interfere with it. And I remember an
issue adding a command named "pin" to wpa_cli that interfered with the
"ping" command. But that shouldn't be too difficult to fix.

Gordon
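The control-interface command discussed above ("scpin <network id> <pin>") and the "pin"/"ping" collision Gordon mentions, as an added example that is not part of this message and not wpa_supplicant's or wpa_cli's own code. Every name here (cmd_matches_exact, parse_scpin, the command table) is hypothetical. It shows why a command named "pin" swallows "ping" under prefix matching and how exact matching avoids it, and treats the received PIN as a secret: bounded copy, no logging, buffer wiped after use.

```c
/* Added example (hypothetical names, not wpa_supplicant code): parsing and
 * dispatching "SCPIN <network id> <pin>" next to "PING" on a control interface. */
#include <ctype.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PIN_LEN 32

enum cmd_kind { CMD_UNKNOWN = 0, CMD_PING, CMD_PIN, CMD_SCPIN };

struct scpin_cmd {
    int network_id;
    char pin[MAX_PIN_LEN + 1];
};

/* Case-insensitive comparison of the first n bytes (portable stand-in for
 * the POSIX-only strncasecmp); stops early if both strings end together. */
static int ci_equal_n(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (toupper((unsigned char)a[i]) != toupper((unsigned char)b[i]))
            return 0;
        if (a[i] == '\0')
            return 1;
    }
    return 1;
}

/* Naive prefix matching: "PIN" matches the start of "PING". */
static int cmd_matches_prefix(const char *line, const char *name)
{
    return ci_equal_n(line, name, strlen(name));
}

/* Exact matching: the name must be followed by end of string or whitespace. */
static int cmd_matches_exact(const char *line, const char *name)
{
    size_t n = strlen(name);
    if (!ci_equal_n(line, name, n))
        return 0;
    return line[n] == '\0' || isspace((unsigned char)line[n]);
}

/* Classify a line with the given matcher. "PIN" is deliberately listed before
 * "PING": with prefix matching "PING" is misrouted to CMD_PIN, with exact
 * matching it is not, so table order alone cannot be relied on. */
static enum cmd_kind classify(const char *line,
                              int (*match)(const char *, const char *))
{
    static const struct { const char *name; enum cmd_kind kind; } table[] = {
        { "SCPIN", CMD_SCPIN }, { "PIN", CMD_PIN }, { "PING", CMD_PING },
    };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (match(line, table[i].name))
            return table[i].kind;
    return CMD_UNKNOWN;
}

/* Parse "SCPIN <network id> <pin>". Returns 0 on success, -1 on malformed
 * input. The pin is copied with a hard length bound and never printed. */
static int parse_scpin(const char *line, struct scpin_cmd *out)
{
    if (!cmd_matches_exact(line, "SCPIN"))
        return -1;
    const char *p = line + strlen("SCPIN");
    while (isspace((unsigned char)*p)) p++;

    char *end;
    long id = strtol(p, &end, 10);
    if (end == p || id < 0 || id > INT_MAX || !isspace((unsigned char)*end))
        return -1;
    p = end;
    while (isspace((unsigned char)*p)) p++;

    size_t len = strcspn(p, " \t\r\n");
    if (len == 0 || len > MAX_PIN_LEN)
        return -1;
    for (const char *q = p + len; *q; q++)      /* only trailing whitespace allowed */
        if (!isspace((unsigned char)*q))
            return -1;

    out->network_id = (int)id;
    memcpy(out->pin, p, len);
    out->pin[len] = '\0';
    return 0;
}

/* Overwrite a secret buffer; the volatile pointer keeps the stores from
 * being optimised away as dead. */
static void wipe(char *buf, size_t n)
{
    volatile char *v = buf;
    while (n--) *v++ = 0;
}

int main(void)
{
    /* Constructed sample lines, as a wpa_cli-style client might send them. */
    const char *lines[] = { "PING", "SCPIN 0 1234", "SCPIN x 1234", "PIN 0 9999" };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        struct scpin_cmd c;
        printf("%-14s prefix=%d exact=%d scpin_parse=%d\n", lines[i],
               classify(lines[i], cmd_matches_prefix),
               classify(lines[i], cmd_matches_exact),
               parse_scpin(lines[i], &c));          /* network id only; the pin stays unprinted */
        wipe(c.pin, sizeof c.pin);
    }
    return 0;
}
```

The point of the two matchers is the register/ordering trap: a dispatcher built on `strncmp(line, "PIN", 3)` will route "PING" to the pin handler whichever way the table is ordered unless "PING" is checked first, whereas requiring a delimiter after the command name makes the dispatch independent of table order.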




More information about the Hostap mailing list