Smartcards and wpa_supplicant

Gordon Hecker g.hecker
Mon Apr 18 08:36:51 PDT 2005 

Jouni Malinen wrote:
> On Thu, Apr 14, 2005 at 12:30:01PM +0200, Gordon Hecker wrote:
> 
> 
>>There's no update yet, but as the old patch does no longer apply I did
>>a simple re-merge. I'll put it into the same directory.
> 
> 
> Thanks! I merged this into CVS with following changes:
> - allow PIN to be entered through ctrl_iface without having to
>   reassociate (i.e., just delay the EAP session enough to wait for user
>   input)
> - move tls_engine initialization to eap.c so that it can be shared by
>   all programs using EAPOL/EAP "library" (wpa_supplicant, eapol_test,
>   preauth_test); no TLS-specific code in wpa_supplicant.c
> - cleaned up TLS wrapper (tls.h) for engine support: no need for new
>   functions, just use tls_init/deinit
> - coding style cleanup (e.g., extra/missing whitespace)
> - make TLS engine support configurable (CONFIG_SMARTCARD=y in .config)

I chose the approach of "autodetecting" openssl engine support to
avoid the need to configure smartcard support manually. That way the
code would simply get compiled more often.
The OPENSSL_NO_ENGINE macro is available after including ssl.h if
openssl is compiled with the no-engine option.
So inside tls_openssl.c the CONFIG_SMARTCARD macro is not required.

I verified that again using this test code:

-----------------
#include <openssl/ssl.h>
int main()
{
#ifdef OPENSSL_NO_ENGINE
         puts("OPENSSL_NO_ENGINE is defined\n");
#else
         puts("OPENSSL_ENGINE is not defined\n");
#endif
}
-----------------

> - add -ldl to fix linking
I never had to explicitly use -ldl when compiling wpa_supplicant
since dlopen & friends are not used directly. Did you have issues or
is your way just considered the clean way?
This might be stuff for a general (and thus off-topic) discussion.

Taking the last two together it might be possible to remove the need
of the CONFIG_SMARTCARD=y compile time configuration without breaking
anything.

Finally, if you prefer to keep it configurable manually there's no need
for a discussion anyway and it's fine.

> 
> 
> I haven't been able to fully test this yet due to some problems with
> OpenSC and SetCOS cards I'm using. I got a bit further with the latest
> snapshot release, but I haven't yet been able to complete PKCS#15
> initialization. I found the PIN for a card that was already initialized,
> but unfortunately, some operations with the private key are failing, so
> I was not able to generate a new certificate for the private key. This
> was enough to test PIN configuration, though.
> 
> If you have chance of testing the current wpa_supplicant snapshot, I
> would be interested in hearing whether I broke something while moving
> things around..
I did a short test today and it works for me.

> 
> 
>>I might add some functionality to get the certificates from the
>>smartcard, too since there was a patch allowing that in opensc cvs
>>recently. I'll keep you up to date.
> 
> 
> OK, that would be useful. I take that this would mean reading both the
> CA certificate(s) and client certificate so no certificates would need
> to be configured in wpa_supplicant.conf. If you start working on this,
> please take the latest wpa_supplicant snapshot from CVS to avoid merging
> mismatches after my changes to the engine code.
> 
Yes.

More information about the Hostap mailing list