[RFC] supplicant/interworking: Allow EAP-TLS without user specified.

Ben Greear greearb
Mon Sep 23 08:58:21 PDT 2013

On 09/23/2013 01:35 AM, Jouni Malinen wrote:
> On Thu, Sep 19, 2013 at 04:44:10PM -0700, greearb at candelatech.com wrote:
>> It appears that it is not required for the user to specify the
>> user-name when using EAP-TLS.  The user-name could instead come
>> from the PCSC logic??
> I'd assume this would result in empty EAP identity getting used and that
> does not sound ideal. I'd rather make it auto-generated with something
> similar to how IMSI is used in EAP-SIM/AKA/AKA' (which, I'd assume, is
> what you are referring to with "PCSC logic"). Without that change, I
> would rather not apply this.

In eap_sm_buildIdentity, there is a check for a null identity.  From what I
can tell by reading the code, it would seem that eap_sm_get_scard_identity
could populate this automatically and let the EAP response be built properly,
even when the user does not specify a username in the config file.

I don't actually have any system that supports the pcsc/IMSI logic yet,
so I can't test it.

And, would it be worth just using a hard-coded "default-user" string
for ID in cases where we cannot otherwise determine the ID?

	if (identity == NULL) {
		wpa_printf(MSG_WARNING, "EAP: buildIdentity: identity "
			   "configuration was not available");
		if (config->pcsc) {
			if (eap_sm_get_scard_identity(sm, config) < 0)
				return NULL;
			identity = config->identity;
			identity_len = config->identity_len;
			wpa_hexdump_ascii(MSG_DEBUG, "permanent identity from "
					  "IMSI", identity, identity_len);
		} else {
			return NULL;
		}
	} else if (config->pcsc) {
		if (eap_sm_set_scard_pin(sm, config) < 0)
			return NULL;
	}


Ben Greear <greearb at candelatech.com>
Candela Technologies Inc  http://www.candelatech.com
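The following is an added, stand-alone C model of the identity fallback order the thread is discussing (explicit identity from the config first, then an IMSI-derived identity from the smart card, otherwise no Identity response at all); it is not hostap code and not part of Ben's post. The struct and function names (eap_config, select_identity, build_identity_response, demo_frame) and the sample identities and IMSI are constructed for the example. The IMSI prefixes are the permanent-identity formats from RFC 4186 ('1', EAP-SIM), RFC 4187 ('0', EAP-AKA) and RFC 5448 ('6', EAP-AKA'); for a method such as EAP-TLS, which has no IMSI-derived format, the model returns nothing rather than sending an empty identity or a hard-coded placeholder, which is the case Jouni's reply objects to.

```c
/*
 * Added example (not hostap code): models the identity selection order of
 * eap_sm_buildIdentity and builds the EAP-Response/Identity frame.
 * All names and sample inputs here are assumptions made for illustration.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define EAP_CODE_RESPONSE 2
#define EAP_TYPE_IDENTITY 1

enum eap_method { METHOD_TLS, METHOD_SIM, METHOD_AKA, METHOD_AKA_PRIME };

struct eap_config {
	const char *identity;	/* identity from the config file, NULL if unset */
	int pcsc;		/* PC/SC smart card configured */
	const char *imsi;	/* IMSI read from the card, NULL if none (constructed) */
	enum eap_method method;
};

/* Permanent identity from IMSI: method prefix followed by the IMSI digits
 * (RFC 4186 '1', RFC 4187 '0', RFC 5448 '6'). EAP-TLS has no such format,
 * so NULL is returned instead of inventing an identity. Caller frees. */
static char *identity_from_imsi(const struct eap_config *c)
{
	char prefix, *id;
	size_t n;

	if (!c->imsi)
		return NULL;
	switch (c->method) {
	case METHOD_SIM: prefix = '1'; break;
	case METHOD_AKA: prefix = '0'; break;
	case METHOD_AKA_PRIME: prefix = '6'; break;
	default: return NULL;
	}
	n = strlen(c->imsi);
	if ((id = malloc(n + 2)) == NULL)
		return NULL;
	id[0] = prefix;
	memcpy(id + 1, c->imsi, n + 1);	/* copies the terminating NUL too */
	return id;
}

/* Fallback order: configured identity, then card-derived identity, else none. */
char *select_identity(const struct eap_config *c)
{
	if (c->identity) {
		size_t n = strlen(c->identity);
		char *id = malloc(n + 1);
		if (id)
			memcpy(id, c->identity, n + 1);
		return id;
	}
	if (c->pcsc)
		return identity_from_imsi(c);
	return NULL;
}

/* EAP-Response/Identity: Code(1)=2, Identifier(1), Length(2, big endian),
 * Type(1)=1, Type-Data = identity. Returns the frame length, or 0 when no
 * identity is available so that an empty identity is never put on the wire. */
size_t build_identity_response(const struct eap_config *c, uint8_t req_id,
			       uint8_t *out, size_t outlen)
{
	char *id = select_identity(c);
	size_t idlen, total;

	if (!id)
		return 0;
	idlen = strlen(id);
	total = 5 + idlen;
	if (total > outlen || total > 0xffff) {
		free(id);
		return 0;
	}
	out[0] = EAP_CODE_RESPONSE;
	out[1] = req_id;
	out[2] = (uint8_t)(total >> 8);
	out[3] = (uint8_t)(total & 0xff);
	out[4] = EAP_TYPE_IDENTITY;
	memcpy(out + 5, id, idlen);
	free(id);
	return total;
}

/* Constructed scenarios mirroring the thread: TLS with a configured user,
 * EAP-SIM with only a card, and TLS with a card but no user. */
const struct eap_config example_tls_user = { "user@example.com", 0, NULL, METHOD_TLS };
const struct eap_config example_sim_card = { NULL, 1, "001010123456789", METHOD_SIM };
const struct eap_config example_tls_nouser = { NULL, 1, "001010123456789", METHOD_TLS };

uint8_t g_frame[64];

size_t demo_frame(const struct eap_config *c, uint8_t req_id)
{
	memset(g_frame, 0, sizeof(g_frame));
	return build_identity_response(c, req_id, g_frame, sizeof(g_frame));
}

int main(void)
{
	const struct eap_config *cases[] = { &example_tls_user, &example_sim_card, &example_tls_nouser };
	size_t i, j, n;

	for (i = 0; i < 3; i++) {
		n = demo_frame(cases[i], (uint8_t)(i + 1));
		printf("case %zu:%s", i, n ? "" : " no identity available, no response built");
		for (j = 0; j < n; j++)
			printf(" %02x", g_frame[j]);
		printf("\n");
	}
	return 0;
}
```

The third scenario is the one the RFC patch targets: with EAP-TLS and a card but no identity line, eap_sm_get_scard_identity has no IMSI-based format to apply, so the model builds no response, which is the behaviour to keep in mind when deciding between an auto-generated identity and a fixed placeholder string.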