rpms / wpa_supplicant

Clone
Source Code
GIT

Files

  1.   ae491f828709c90bb841a8a7a23db13ed28baa83
  2.   SOURCES
  3.   0014-rh1178263-cert_in_cb.patch
Blob Blame History Raw 
Backport of:

commit 483dd6a5e0069d0646505c26a5194eda15472858
Author: Jouni Malinen <j@w1.fi>
Date:   Wed Jan 14 12:14:31 2015 +0200

    Include peer certificate always in EAP events
    
    This makes it easier for upper layer applications to get information
    regarding the server certificate without having to use a special
    certificate probing connection. This provides both the SHA256 hash of
    the certificate (to be used with ca_cert="hash://server/sha256/<hash>",
    if desired) and the full DER encoded X.509 certificate so that upper
    layer applications can parse and display the certificate easily or
    extract fields from it for purposes like configuring an altsubject_match
    or domain_suffix_match.
    
    The old behavior can be configured by adding cert_in_cb=0 to
    wpa_supplicant configuration file.
    
    Signed-off-by: Jouni Malinen <j@w1.fi>

diff -up wpa_supplicant-2.0/wpa_supplicant/config.c.cert-in-cb wpa_supplicant-2.0/wpa_supplicant/config.c
--- wpa_supplicant-2.0/wpa_supplicant/config.c.cert-in-cb	2015-01-16 08:57:30.532900618 -0500
+++ wpa_supplicant-2.0/wpa_supplicant/config.c	2015-01-16 08:59:57.437986307 -0500
@@ -2644,6 +2644,7 @@ struct wpa_config * wpa_config_alloc_emp
 	config->wmm_ac_params[1] = ac_bk;
 	config->wmm_ac_params[2] = ac_vi;
 	config->wmm_ac_params[3] = ac_vo;
+	config->cert_in_cb = DEFAULT_CERT_IN_CB;
 
 	if (ctrl_interface)
 		config->ctrl_interface = os_strdup(ctrl_interface);
diff -up wpa_supplicant-2.0/wpa_supplicant/config_file.c.cert-in-cb wpa_supplicant-2.0/wpa_supplicant/config_file.c
--- wpa_supplicant-2.0/wpa_supplicant/config_file.c.cert-in-cb	2015-01-16 08:57:30.533900626 -0500
+++ wpa_supplicant-2.0/wpa_supplicant/config_file.c	2015-01-16 09:00:32.265243695 -0500
@@ -972,6 +972,9 @@ static void wpa_config_write_global(FILE
 		fprintf(f, "okc=%d\n", config->okc);
 	if (config->pmf)
 		fprintf(f, "pmf=%d\n", config->pmf);
+
+	if (config->cert_in_cb != DEFAULT_CERT_IN_CB)
+		fprintf(f, "cert_in_cb=%d\n", config->cert_in_cb);
 }
 
 #endif /* CONFIG_NO_CONFIG_WRITE */
diff -up wpa_supplicant-2.0/wpa_supplicant/config.h.cert-in-cb wpa_supplicant-2.0/wpa_supplicant/config.h
--- wpa_supplicant-2.0/wpa_supplicant/config.h.cert-in-cb	2015-01-16 08:57:30.532900618 -0500
+++ wpa_supplicant-2.0/wpa_supplicant/config.h	2015-01-16 08:59:32.442801582 -0500
@@ -24,6 +24,7 @@
 #define DEFAULT_BSS_EXPIRATION_SCAN_COUNT 2
 #define DEFAULT_MAX_NUM_STA 128
 #define DEFAULT_ACCESS_NETWORK_TYPE 15
+#define DEFAULT_CERT_IN_CB 1
 
 #include "config_ssid.h"
 #include "wps/wps.h"
@@ -797,6 +798,14 @@ struct wpa_config {
 	 * this default behavior.
 	 */
 	enum mfp_options pmf;
+
+	/**
+	 * cert_in_cb - Whether to include a peer certificate dump in events
+	 *
+	 * This controls whether peer certificates for authentication server and
+	 * its certificate chain are included in EAP peer certificate events.
+	 */
+	int cert_in_cb;
 };
 
 
diff -up wpa_supplicant-2.0/wpa_supplicant/wpas_glue.c.cert-in-cb wpa_supplicant-2.0/wpa_supplicant/wpas_glue.c
--- wpa_supplicant-2.0/wpa_supplicant/wpas_glue.c.cert-in-cb	2013-01-12 10:42:53.000000000 -0500
+++ wpa_supplicant-2.0/wpa_supplicant/wpas_glue.c	2015-01-16 08:57:30.533900626 -0500
@@ -790,6 +790,7 @@ int wpa_supplicant_init_eapol(struct wpa
 	ctx->port_cb = wpa_supplicant_port_cb;
 	ctx->cb = wpa_supplicant_eapol_cb;
 	ctx->cert_cb = wpa_supplicant_cert_cb;
+	ctx->cert_in_cb = wpa_s->conf->cert_in_cb;
 	ctx->status_cb = wpa_supplicant_status_cb;
 	ctx->set_anon_id = wpa_supplicant_set_anon_id;
 	ctx->cb_ctx = wpa_s;
diff -up wpa_supplicant-2.0/wpa_supplicant/wpa_supplicant.conf.cert-in-cb wpa_supplicant-2.0/wpa_supplicant/wpa_supplicant.conf
--- wpa_supplicant-2.0/wpa_supplicant/wpa_supplicant.conf.cert-in-cb	2015-01-16 08:57:30.533900626 -0500
+++ wpa_supplicant-2.0/wpa_supplicant/wpa_supplicant.conf	2015-01-16 08:58:35.707382284 -0500
@@ -110,6 +110,12 @@ eapol_version=1
 # networks are found, a new IBSS or AP mode network is created.
 ap_scan=1
 
+# cert_in_cb - Whether to include a peer certificate dump in events
+# This controls whether peer certificates for authentication server and
+# its certificate chain are included in EAP peer certificate events. This is
+# enabled by default.
+#cert_in_cb=1
+
 # EAP fast re-authentication
 # By default, fast re-authentication is enabled for all EAP methods that
 # support it. This variable can be used to disable fast re-authentication.

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation