[RFC] supplicant/interworking: Allow EAP-TLS without user specified.
Ben Greear
greearb
Mon Sep 23 08:58:21 PDT 2013
On 09/23/2013 01:35 AM, Jouni Malinen wrote:
> On Thu, Sep 19, 2013 at 04:44:10PM -0700, greearb at candelatech.com wrote:
>> It appears that it is not required for the user to specify the
>> user-name when using EAP-TLS. The user-name could instead come
>> from the PCSC logic??
>
> I'd assume this would result in empty EAP identity getting used and that
> does not sound ideal. I'd rather make it auto-generated with something
> similar to how IMSI is used in EAP-SIM/AKA/AKA' (which, I'd assume, is
> what you are referring to with "PCSC logic"). Without that change, I
> would rather not apply this.
In eap_sm_buildIdentity, there is a check for null identity. From what I
can tell by reading code, it would seem that eap_sm_get_scard_identity
could populate this automatically and let the EAP response be built properly,
even when the user does not specify a username in the config file.
I don't actually have any system that supports the pcsc/IMSI logic yet,
so I can't test it.
And, would it be worth just using a hard-coded "default-user" string
for ID in cases where we cannot otherwise determine the ID?
	if (identity == NULL) {
		wpa_printf(MSG_WARNING, "EAP: buildIdentity: identity "
			   "configuration was not available");
		if (config->pcsc) {
			if (eap_sm_get_scard_identity(sm, config) < 0)
				return NULL;
			identity = config->identity;
			identity_len = config->identity_len;
			wpa_hexdump_ascii(MSG_DEBUG, "permanent identity from "
					  "IMSI", identity, identity_len);
		} else {
			eap_sm_request_identity(sm);
			return NULL;
		}
	} else if (config->pcsc) {
		if (eap_sm_set_scard_pin(sm, config) < 0)
			return NULL;
	}
Thanks,
Ben
--
Ben Greear <greearb at candelatech.com>
Candela Technologies Inc http://www.candelatech.com
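Jouni's alternative above is an auto-generated, IMSI-derived identity like the one EAP-SIM/AKA/AKA' use; as an added illustration (not hostap code and not part of Ben's patch), the following builds that 3GPP permanent NAI from a constructed IMSI and frames it in the EAP-Response/Identity that eap_sm_buildIdentity produces. Function names and the sample IMSI are assumptions; because the Identity response travels in the clear before EAP-TLS starts, this is also the point where a pseudonym or realm-only identity belongs when IMSI exposure matters.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not hostap's eap_sm_get_scard_identity): build the
 * 3GPP permanent NAI of RFC 4186/4187 and 3GPP TS 23.003 from an IMSI:
 *   <prefix><IMSI>@wlan.mnc<MNC>.mcc<MCC>.3gppnetwork.org
 * prefix is '1' for EAP-SIM, '0' for EAP-AKA, '6' for EAP-AKA'. mnc_len
 * (2 or 3) comes from the SIM in practice. Returns length or -1. */
int imsi_to_permanent_identity(char prefix, const char *imsi, int mnc_len,
                               char *out, size_t out_len)
{
    size_t imsi_len = strlen(imsi);
    if (imsi_len < 6 || imsi_len > 15 || (mnc_len != 2 && mnc_len != 3))
        return -1;
    for (size_t i = 0; i < imsi_len; i++)
        if (imsi[i] < '0' || imsi[i] > '9')
            return -1;
    /* MCC is the first 3 digits, MNC the next mnc_len digits; a 2-digit
     * MNC is zero-padded to 3 in the realm. */
    char mcc[4] = {0}, mnc[4] = "0";
    memcpy(mcc, imsi, 3);
    memcpy(mnc + (3 - mnc_len), imsi + 3, mnc_len);
    int n = snprintf(out, out_len, "%c%s@wlan.mnc%s.mcc%s.3gppnetwork.org",
                     prefix, imsi, mnc, mcc);
    return (n < 0 || (size_t)n >= out_len) ? -1 : n;
}

/* Frame an EAP-Response/Identity (RFC 3748 sections 4.1 and 5.1): Code=2,
 * Identifier, Length (big-endian, whole packet), Type=1, Type-Data=identity.
 * Returns the packet length or -1 if it does not fit. */
int build_eap_identity_response(uint8_t id, const char *identity,
                                uint8_t *pkt, size_t pkt_len)
{
    size_t ilen = strlen(identity), total = 5 + ilen;
    if (total > pkt_len || total > 0xffff)
        return -1;
    pkt[0] = 2;                      /* Code: Response */
    pkt[1] = id;                     /* Identifier echoed from the Request */
    pkt[2] = (uint8_t)(total >> 8);
    pkt[3] = (uint8_t)(total & 0xff);
    pkt[4] = 1;                      /* Type: Identity */
    memcpy(pkt + 5, identity, ilen);
    return (int)total;
}
```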