From 65652c67f5d6af3c1b15c9febff12850e09d322f Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Fri, 15 Apr 2022 23:30:10 +0300
Subject: [PATCH] Remove DH file configuration from TLS client functionality

The DH file parameters are applicable only for the TLS server, so this parameter did not really have any impact to functionality. Remove it to get rid of useless code and confusing documentation for the network block configuration.

Signed-off-by: Jouni Malinen
---
 src/eap_peer/eap_config.h | 18 ------------------
 src/eap_peer/eap_tls_common.c | 5 +----
 wpa_supplicant/config.c | 30 ++++++++++++++++++++++++++----
 wpa_supplicant/config_file.c | 3 ---
 wpa_supplicant/config_winreg.c | 2 --
 wpa_supplicant/wpa_cli.c | 4 ++--
 wpa_supplicant/wpa_supplicant.conf | 8 --------
 7 files changed, 29 insertions(+), 41 deletions(-)

diff --git a/src/eap_peer/eap_config.h b/src/eap_peer/eap_config.h
index 3238f74f9..49a03d841 100644
--- a/src/eap_peer/eap_config.h
+++ b/src/eap_peer/eap_config.h
@@ -103,24 +103,6 @@ struct eap_peer_cert_config {
 */
 char *private_key_passwd;
 
- /**
- * dh_file - File path to DH/DSA parameters file (in PEM format)
- *
- * This is an optional configuration file for setting parameters for an
- * ephemeral DH key exchange. In most cases, the default RSA
- * authentication does not use this configuration. However, it is
- * possible setup RSA to use ephemeral DH key exchange. In addition,
- * ciphers with DSA keys always use ephemeral DH keys. This can be used
- * to achieve forward secrecy. If the file is in DSA parameters format,
- * it will be automatically converted into DH params. Full path to the
- * file should be used since working directory may change when
- * wpa_supplicant is run in the background.
- *
- * Alternatively, a named configuration blob can be used by setting
- * this to blob://blob_name.
- */
- char *dh_file;
-
 /**
 * subject_match - Constraint for server certificate subject
 *
diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c
index 5fb894501..06c9b211e 100644
--- a/src/eap_peer/eap_tls_common.c
+++ b/src/eap_peer/eap_tls_common.c
@@ -113,7 +113,6 @@ static void eap_tls_cert_params_from_conf(struct tls_connection_params *params,
 params->client_cert = config->client_cert;
 params->private_key = config->private_key;
 params->private_key_passwd = config->private_key_passwd;
- params->dh_file = config->dh_file;
 params->subject_match = config->subject_match;
 params->altsubject_match = config->altsubject_match;
 params->check_cert_subject = config->check_cert_subject;
@@ -230,9 +229,7 @@ static int eap_tls_params_from_conf(struct eap_sm *sm,
 ¶ms->client_cert_blob_len) ||
 eap_tls_check_blob(sm, ¶ms->private_key,
 ¶ms->private_key_blob,
- ¶ms->private_key_blob_len) ||
- eap_tls_check_blob(sm, ¶ms->dh_file, ¶ms->dh_blob,
- ¶ms->dh_blob_len)) {
+ ¶ms->private_key_blob_len)) {
 wpa_printf(MSG_INFO, "SSL: Failed to get configuration blobs");
 return -1;
 }
diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
index 58ed8bc0a..782bb2197 100644
--- a/wpa_supplicant/config.c
+++ b/wpa_supplicant/config.c
@@ -2451,7 +2451,6 @@ static const struct parse_data ssid_fields[] = {
 { STRe(client_cert, cert.client_cert) },
 { STRe(private_key, cert.private_key) },
 { STR_KEYe(private_key_passwd, cert.private_key_passwd) },
- { STRe(dh_file, cert.dh_file) },
 { STRe(subject_match, cert.subject_match) },
 { STRe(check_cert_subject, cert.check_cert_subject) },
 { STRe(altsubject_match, cert.altsubject_match) },
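Review bot: The TLS-side `dh_file`/`dh_blob`/`dh_blob_len` members of `struct tls_connection_params` are not touched by this series (the diffstat lists no src/crypto file), so after the removed `eap_tls_check_blob()` call they are simply left unset by `eap_tls_params_from_conf()`. That is only safe if `params` is zero-initialized before this function fills it in, which happens outside the hunk and is worth confirming, since the TLS backends presumably still read `params->dh_file` and would otherwise see an indeterminate pointer. A follow-up that drops those three fields from tls.h and the backends would remove the dead path for good. `eap_tls_params_from_conf()` starts and ends outside the hunk.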
@@ -2462,7 +2461,6 @@ static const struct parse_data ssid_fields[] = {
 { STRe(client_cert2, phase2_cert.client_cert) },
 { STRe(private_key2, phase2_cert.private_key) },
 { STR_KEYe(private_key2_passwd, phase2_cert.private_key_passwd) },
- { STRe(dh_file2, phase2_cert.dh_file) },
 { STRe(subject_match2, phase2_cert.subject_match) },
 { STRe(check_cert_subject2, phase2_cert.check_cert_subject) },
 { STRe(altsubject_match2, phase2_cert.altsubject_match) },
@@ -2490,7 +2488,6 @@ static const struct parse_data ssid_fields[] = {
 { STRe(machine_private_key, machine_cert.private_key) },
 { STR_KEYe(machine_private_key_passwd,
 machine_cert.private_key_passwd) },
- { STRe(machine_dh_file, machine_cert.dh_file) },
 { STRe(machine_subject_match, machine_cert.subject_match) },
 { STRe(machine_check_cert_subject, machine_cert.check_cert_subject) },
 { STRe(machine_altsubject_match, machine_cert.altsubject_match) },
@@ -2754,7 +2751,6 @@ static void eap_peer_config_free_cert(struct eap_peer_cert_config *cert)
 os_free(cert->client_cert);
 os_free(cert->private_key);
 str_clear_free(cert->private_key_passwd);
- os_free(cert->dh_file);
 os_free(cert->subject_match);
 os_free(cert->check_cert_subject);
 os_free(cert->altsubject_match);
@@ -3156,6 +3152,26 @@ void wpa_config_set_network_defaults(struct wpa_ssid *ssid)
 }
 
 
+static const char *removed_fields[] = {
+ "dh_file",
+ "dh_file2",
+ "machine_dh_file",
+ NULL
+};
+
+static bool removed_field(const char *field)
+{
+ int i;
+
+ for (i = 0; removed_fields[i]; i++) {
+ if (os_strcmp(field, removed_fields[i]) == 0)
+ return true;
+ }
+
+ return false;
+}
+
+
 /**
 * wpa_config_set - Set a variable in network configuration
 * @ssid: Pointer to network configuration data
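Review bot: `removed_fields` and `removed_field()` carry no comment saying why a table of dead field names exists, which the next person trimming config.c will need before deleting it; suggest `/* Network block fields that no longer exist but are still accepted and ignored so that existing configuration files keep loading. */` above the array. As a style nit, the index could be `size_t` and the scan bounded by `ARRAY_SIZE(removed_fields)` instead of the NULL sentinel, unless the sentinel form is the local convention for such tables. Both `removed_fields` and `removed_field()` are fully contained in the hunk.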
@@ -3204,6 +3220,12 @@ int wpa_config_set(struct wpa_ssid *ssid, const char *var, const char *value,
 break;
 }
 if (i == NUM_SSID_FIELDS) {
+ if (removed_field(var)) {
+ wpa_printf(MSG_INFO,
+ "Line %d: Ignore removed configuration field '%s'",
+ line, var);
+ return ret;
+ }
 if (line) {
 wpa_printf(MSG_ERROR, "Line %d: unknown network field "
 "'%s'.", line, var);
diff --git a/wpa_supplicant/config_file.c b/wpa_supplicant/config_file.c
index 9e7118532..163b48073 100644
--- a/wpa_supplicant/config_file.c
+++ b/wpa_supplicant/config_file.c
@@ -699,7 +699,6 @@ static void wpa_config_write_network(FILE *f, struct wpa_ssid *ssid)
 STR(client_cert);
 STR(private_key);
 STR(private_key_passwd);
- STR(dh_file);
 STR(subject_match);
 STR(check_cert_subject);
 STR(altsubject_match);
@@ -710,7 +709,6 @@ static void wpa_config_write_network(FILE *f, struct wpa_ssid *ssid)
 STR(client_cert2);
 STR(private_key2);
 STR(private_key2_passwd);
- STR(dh_file2);
 STR(subject_match2);
 STR(check_cert_subject2);
 STR(altsubject_match2);
@@ -721,7 +719,6 @@ static void wpa_config_write_network(FILE *f, struct wpa_ssid *ssid)
 STR(machine_client_cert);
 STR(machine_private_key);
 STR(machine_private_key_passwd);
- STR(machine_dh_file);
 STR(machine_subject_match);
 STR(machine_check_cert_subject);
 STR(machine_altsubject_match);
diff --git a/wpa_supplicant/config_winreg.c b/wpa_supplicant/config_winreg.c
index 1b7f96ed2..b27c6cf34 100644
--- a/wpa_supplicant/config_winreg.c
+++ b/wpa_supplicant/config_winreg.c
@@ -905,7 +905,6 @@ static int wpa_config_write_network(HKEY hk, struct wpa_ssid *ssid, int id)
 STR(client_cert);
 STR(private_key);
 STR(private_key_passwd);
- STR(dh_file);
 STR(subject_match);
 STR(check_cert_subject);
 STR(altsubject_match);
@@ -914,7 +913,6 @@ static int wpa_config_write_network(HKEY hk, struct wpa_ssid *ssid, int id)
 STR(client_cert2);
 STR(private_key2);
 STR(private_key2_passwd);
- STR(dh_file2);
 STR(subject_match2);
 STR(check_cert_subject2);
 STR(altsubject_match2);
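Review bot: The new `removed_field()` branch logs `"Line %d: ..."` unconditionally, whereas the unknown-field path immediately below it only prefixes the line number when `line` is non-zero, so a removed field arriving through a path where `line` is 0 (a case the existing `if (line)` check shows is supported) is reported as `Line 0: Ignore removed configuration field`. Mirror the surrounding style: `if (line) wpa_printf(MSG_INFO, "Line %d: Ignore removed configuration field '%s'", line, var); else wpa_printf(MSG_INFO, "Ignore removed configuration field '%s'", var);`. The branch also returns `ret`, whose value at this point is determined outside the hunk; if success is the intent, as the message suggests, returning a literal `0` would make that explicit. `wpa_config_set()` starts and ends outside the hunk.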
diff --git a/wpa_supplicant/wpa_cli.c b/wpa_supplicant/wpa_cli.c index 753d11032..0e2315d25 100644 --- a/wpa_supplicant/wpa_cli.c +++ b/wpa_supplicant/wpa_cli.c @@ -1418,11 +1418,11 @@ static const char *network_fields[] = { #ifdef IEEE8021X_EAPOL "eap", "identity", "anonymous_identity", "password", "ca_cert", "ca_path", "client_cert", "private_key", "private_key_passwd", - "dh_file", "subject_match", "altsubject_match", + "subject_match", "altsubject_match", "check_cert_subject", "domain_suffix_match", "domain_match", "ca_cert2", "ca_path2", "client_cert2", "private_key2", "private_key2_passwd", - "dh_file2", "subject_match2", "altsubject_match2", + "subject_match2", "altsubject_match2", "check_cert_subject2", "domain_suffix_match2", "domain_match2", "phase1", "phase2", "pcsc", "pin", "engine_id", "key_id", "cert_id", "ca_cert_id", diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf index 6619d6ba7..a1dc769c9 100644 --- a/wpa_supplicant/wpa_supplicant.conf +++ b/wpa_supplicant/wpa_supplicant.conf @@ -1234,14 +1234,6 @@ fast_reauth=1 # to blob://. # private_key_passwd: Password for private key file (if left out, this will be # asked through control interface) -# dh_file: File path to DH/DSA parameters file (in PEM format) -# This is an optional configuration file for setting parameters for an -# ephemeral DH key exchange. In most cases, the default RSA -# authentication does not use this configuration. However, it is possible -# setup RSA to use ephemeral DH key exchange. In addition, ciphers with -# DSA keys always use ephemeral DH keys. This can be used to achieve -# forward secrecy. If the file is in DSA parameters format, it will be -# automatically converted into DH params. # subject_match: Substring to be matched against the subject of the # authentication server certificate. If this string is set, the server # certificate is only accepted if it contains this string in the subject.