diff --git a/src/eap_peer/eap_config.h b/src/eap_peer/eap_config.h
index 3238f74f9..49a03d841 100644
--- a/src/eap_peer/eap_config.h
+++ b/src/eap_peer/eap_config.h
@@ -103,24 +103,6 @@ struct eap_peer_cert_config {
 */
 char *private_key_passwd;
- /**
- * dh_file - File path to DH/DSA parameters file (in PEM format)
- *
- * This is an optional configuration file for setting parameters for an
- * ephemeral DH key exchange. In most cases, the default RSA
- * authentication does not use this configuration. However, it is
- * possible setup RSA to use ephemeral DH key exchange. In addition,
- * ciphers with DSA keys always use ephemeral DH keys. This can be used
- * to achieve forward secrecy. If the file is in DSA parameters format,
- * it will be automatically converted into DH params. Full path to the
- * file should be used since working directory may change when
- * wpa_supplicant is run in the background.
- *
- * Alternatively, a named configuration blob can be used by setting
- * this to blob://blob_name.
- */
- char *dh_file;
- /**
- * subject_match - Constraint for server certificate subject
- *
diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c
index 5fb894501..06c9b211e 100644
--- a/src/eap_peer/eap_tls_common.c
+++ b/src/eap_peer/eap_tls_common.c
@@ -113,7 +113,6 @@ static void eap_tls_cert_params_from_conf(struct tls_connection_params *params,
 params->client_cert = config->client_cert;
 params->private_key = config->private_key;
 params->private_key_passwd = config->private_key_passwd;
- params->dh_file = config->dh_file;
 params->subject_match = config->subject_match;
 params->altsubject_match = config->altsubject_match;
 params->check_cert_subject = config->check_cert_subject;
@@ -230,9 +229,7 @@ static int eap_tls_params_from_conf(struct eap_sm *sm,
 ¶ms->client_cert_blob_len) ||
 eap_tls_check_blob(sm, ¶ms->private_key, ¶ms->private_key_blob,
- ¶ms->private_key_blob_len) ||
- eap_tls_check_blob(sm, ¶ms->dh_file, ¶ms->dh_blob,
- ¶ms->dh_blob_len)) {
+ ¶ms->private_key_blob_len)) {
 wpa_printf(MSG_INFO, "SSL: Failed to get configuration blobs");
 return -1;
 }
diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
index 58ed8bc0a..782bb2197 100644
--- a/wpa_supplicant/config.c
+++ b/wpa_supplicant/config.c
@@ -2451,7 +2451,6 @@ static const struct parse_data ssid_fields[] = {
 { STRe(client_cert, cert.client_cert) },
 { STRe(private_key, cert.private_key) },
 { STR_KEYe(private_key_passwd, cert.private_key_passwd) },
- { STRe(dh_file, cert.dh_file) },
 { STRe(subject_match, cert.subject_match) },
 { STRe(check_cert_subject, cert.check_cert_subject) },
 { STRe(altsubject_match, cert.altsubject_match) },
@@ -2462,7 +2461,6 @@ static const struct parse_data ssid_fields[] = {
 { STRe(client_cert2, phase2_cert.client_cert) },
 { STRe(private_key2, phase2_cert.private_key) },
 { STR_KEYe(private_key2_passwd, phase2_cert.private_key_passwd) },
- { STRe(dh_file2, phase2_cert.dh_file) },
 { STRe(subject_match2, phase2_cert.subject_match) },
 { STRe(check_cert_subject2, phase2_cert.check_cert_subject) },
 { STRe(altsubject_match2, phase2_cert.altsubject_match) },
@@ -2490,7 +2488,6 @@ static const struct parse_data ssid_fields[] = {
 { STRe(machine_private_key, machine_cert.private_key) },
 { STR_KEYe(machine_private_key_passwd, machine_cert.private_key_passwd) },
- { STRe(machine_dh_file, machine_cert.dh_file) },
 { STRe(machine_subject_match, machine_cert.subject_match) },
 { STRe(machine_check_cert_subject, machine_cert.check_cert_subject) },
 { STRe(machine_altsubject_match, machine_cert.altsubject_match) },
@@ -2754,7 +2751,6 @@ static void eap_peer_config_free_cert(struct eap_peer_cert_config *cert)
 os_free(cert->client_cert);
 os_free(cert->private_key);
 str_clear_free(cert->private_key_passwd);
- os_free(cert->dh_file);
 os_free(cert->subject_match);
 os_free(cert->check_cert_subject);
 os_free(cert->altsubject_match);
@@ -3156,6 +3152,26 @@ void wpa_config_set_network_defaults(struct wpa_ssid *ssid)
 }
+static const char *removed_fields[] = {
+ "dh_file",
+ "dh_file2",
+ "machine_dh_file",
+ NULL
+};
+
+static bool removed_field(const char *field)
+{
+ int i;
+
+ for (i = 0; removed_fields[i]; i++) {
+ if (os_strcmp(field, removed_fields[i]) == 0)
+ return true;
+ }
+
+ return false;
+}
+
+
 /**
 * wpa_config_set - Set a variable in network configuration
 * @ssid: Pointer to network configuration data
@@ -3204,6 +3220,12 @@ int wpa_config_set(struct wpa_ssid *ssid, const char *var, const char *value,
 break;
 }
 if (i == NUM_SSID_FIELDS) {
+ if (removed_field(var)) {
+ wpa_printf(MSG_INFO,
+ "Line %d: Ignore removed configuration field '%s'",
+ line, var);
+ return ret;
+ }
 if (line) {
 wpa_printf(MSG_ERROR, "Line %d: unknown network field "
 "'%s'.", line, var);
diff --git a/wpa_supplicant/config_file.c b/wpa_supplicant/config_file.c
index 9e7118532..163b48073 100644
--- a/wpa_supplicant/config_file.c
+++ b/wpa_supplicant/config_file.c
@@ -699,7 +699,6 @@ static void wpa_config_write_network(FILE *f, struct wpa_ssid *ssid)
 STR(client_cert);
 STR(private_key);
 STR(private_key_passwd);
- STR(dh_file);
 STR(subject_match);
 STR(check_cert_subject);
 STR(altsubject_match);
@@ -710,7 +709,6 @@ static void wpa_config_write_network(FILE *f, struct wpa_ssid *ssid)
 STR(client_cert2);
 STR(private_key2);
 STR(private_key2_passwd);
- STR(dh_file2);
 STR(subject_match2);
 STR(check_cert_subject2);
 STR(altsubject_match2);
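Review bot: `removed_fields[]` and `removed_field()` are added without a comment explaining that these names are legacy configuration variables that are deliberately accepted and ignored, so a later reader of wpa_config_set() has no way to tell why an otherwise unknown field is tolerated. I would put above the table: `/* Network configuration fields that have been removed but are still accepted (and ignored) by wpa_config_set() so that existing configuration files keep loading. */`. As a point of style, the table can be declared `static const char * const removed_fields[] = {` so the pointers are read-only as well as the strings, and the loop index could be `size_t` rather than `int` for walking a NULL-terminated table.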
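Review bot: The new branch in wpa_config_set() logs `"Line %d: Ignore removed configuration field '%s'"` unconditionally, whereas the unknown-field branch directly below it only uses the `Line %d:` form under `if (line)`, which suggests `line` is 0 when the variable arrives through the control interface rather than a configuration file; those callers would then see a misleading `Line 0:` prefix. I would mirror the existing pattern: `if (line) wpa_printf(MSG_INFO, "Line %d: Ignore removed configuration field '%s'", line, var); else wpa_printf(MSG_INFO, "Ignore removed configuration field '%s'", var);`. The branch also returns `ret`, whose value is assigned outside the hunk; if it is still 0 at this point, setting e.g. `dh_file` reports success while having no effect, which is presumably the intended compatibility behaviour but deserves a one-line comment such as `/* Accept and ignore: the field no longer exists, but old configurations may still set it */`. wpa_config_set() starts and ends outside this hunk.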
@@ -721,7 +719,6 @@ static void wpa_config_write_network(FILE *f, struct wpa_ssid *ssid)
 STR(machine_client_cert);
 STR(machine_private_key);
 STR(machine_private_key_passwd);
- STR(machine_dh_file);
 STR(machine_subject_match);
 STR(machine_check_cert_subject);
 STR(machine_altsubject_match);
diff --git a/wpa_supplicant/config_winreg.c b/wpa_supplicant/config_winreg.c
index 1b7f96ed2..b27c6cf34 100644
--- a/wpa_supplicant/config_winreg.c
+++ b/wpa_supplicant/config_winreg.c
@@ -905,7 +905,6 @@ static int wpa_config_write_network(HKEY hk, struct wpa_ssid *ssid, int id)
 STR(client_cert);
 STR(private_key);
 STR(private_key_passwd);
- STR(dh_file);
 STR(subject_match);
 STR(check_cert_subject);
 STR(altsubject_match);
@@ -914,7 +913,6 @@ static int wpa_config_write_network(HKEY hk, struct wpa_ssid *ssid, int id)
 STR(client_cert2);
 STR(private_key2);
 STR(private_key2_passwd);
- STR(dh_file2);
 STR(subject_match2);
 STR(check_cert_subject2);
 STR(altsubject_match2);
diff --git a/wpa_supplicant/wpa_cli.c b/wpa_supplicant/wpa_cli.c
index 753d11032..0e2315d25 100644
--- a/wpa_supplicant/wpa_cli.c
+++ b/wpa_supplicant/wpa_cli.c
@@ -1418,11 +1418,11 @@ static const char *network_fields[] = { #ifdef IEEE8021X_EAPOL "eap", "identity", "anonymous_identity", "password", "ca_cert", "ca_path", "client_cert", "private_key", "private_key_passwd", - "dh_file", "subject_match", "altsubject_match", + "subject_match", "altsubject_match", "check_cert_subject", "domain_suffix_match", "domain_match", "ca_cert2", "ca_path2", "client_cert2", "private_key2", "private_key2_passwd", - "dh_file2", "subject_match2", "altsubject_match2", + "subject_match2", "altsubject_match2", "check_cert_subject2", "domain_suffix_match2", "domain_match2", "phase1", "phase2", "pcsc", "pin", "engine_id", "key_id", "cert_id", "ca_cert_id",
diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
index 6619d6ba7..a1dc769c9 100644
--- a/wpa_supplicant/wpa_supplicant.conf
+++ b/wpa_supplicant/wpa_supplicant.conf
@@ -1234,14 +1234,6 @@ fast_reauth=1
 # to blob://.
 # private_key_passwd: Password for private key file (if left out, this will be
 # asked through control interface)
-# dh_file: File path to DH/DSA parameters file (in PEM format)
-# This is an optional configuration file for setting parameters for an
-# ephemeral DH key exchange. In most cases, the default RSA
-# authentication does not use this configuration. However, it is possible
-# setup RSA to use ephemeral DH key exchange. In addition, ciphers with
-# DSA keys always use ephemeral DH keys. This can be used to achieve
-# forward secrecy. If the file is in DSA parameters format, it will be
-# automatically converted into DH params.
 # subject_match: Substring to be matched against the subject of the
 # authentication server certificate. If this string is set, the server
 # certificate is only accepted if it contains this string in the subject.