SUSE:SLE-12-SP2:GA
File 0014-rh1178263-CVE-2015-0210-cert_in_cb.patch of Package wpa_supplicant.689
Backport of: commit 483dd6a5e0069d0646505c26a5194eda15472858 Author: Jouni Malinen <j@w1.fi> Date: Wed Jan 14 12:14:31 2015 +0200 Include peer certificate always in EAP events This makes it easier for upper layer applications to get information regarding the server certificate without having to use a special certificate probing connection. This provides both the SHA256 hash of the certificate (to be used with ca_cert="hash://server/sha256/<hash>", if desired) and the full DER encoded X.509 certificate so that upper layer applications can parse and display the certificate easily or extract fields from it for purposes like configuring an altsubject_match or domain_suffix_match. The old behavior can be configured by adding cert_in_cb=0 to wpa_supplicant configuration file. Signed-off-by: Jouni Malinen <j@w1.fi> ================================================================================ --- wpa_supplicant-2.2/wpa_supplicant/config.c +++ wpa_supplicant-2.2/wpa_supplicant/config.c @@ -3270,6 +3270,7 @@ config->wmm_ac_params[1] = ac_bk; config->wmm_ac_params[2] = ac_vi; config->wmm_ac_params[3] = ac_vo; + config->cert_in_cb = DEFAULT_CERT_IN_CB; if (ctrl_interface) config->ctrl_interface = os_strdup(ctrl_interface); --- wpa_supplicant-2.2/wpa_supplicant/config.h +++ wpa_supplicant-2.2/wpa_supplicant/config.h @@ -25,6 +25,7 @@ #define DEFAULT_MAX_NUM_STA 128 #define DEFAULT_ACCESS_NETWORK_TYPE 15 #define DEFAULT_SCAN_CUR_FREQ 0 +#define DEFAULT_CERT_IN_CB 1 #include "config_ssid.h" #include "wps/wps.h" 
@@ -949,6 +950,14 @@ enum mfp_options pmf; /** + * cert_in_cb - Whether to include a peer certificate dump in events + * + * This controls whether peer certificates for authentication server and + * its certificate chain are included in EAP peer certificate events. + */ + int cert_in_cb; + + /** * sae_groups - Preference list of enabled groups for SAE * * By default (if this parameter is not set), the mandatory group 19 --- wpa_supplicant-2.2/wpa_supplicant/config_file.c +++ wpa_supplicant-2.2/wpa_supplicant/config_file.c @@ -1107,6 +1107,8 @@ fprintf(f, "okc=%d\n", config->okc); if (config->pmf) fprintf(f, "pmf=%d\n", config->pmf); + if (config->cert_in_cb != DEFAULT_CERT_IN_CB) + fprintf(f, "cert_in_cb=%d\n", config->cert_in_cb); if (config->dtim_period) fprintf(f, "dtim_period=%d\n", config->dtim_period); if (config->beacon_int) --- wpa_supplicant-2.2/wpa_supplicant/wpa_supplicant.conf +++ wpa_supplicant-2.2/wpa_supplicant/wpa_supplicant.conf @@ -114,6 +114,12 @@ # networks are found, a new IBSS or AP mode network is created. ap_scan=1 +# cert_in_cb - Whether to include a peer certificate dump in events +# This controls whether peer certificates for authentication server and +# its certificate chain are included in EAP peer certificate events. This is +# enabled by default. +#cert_in_cb=1 + # EAP fast re-authentication # By default, fast re-authentication is enabled for all EAP methods that # support it. This variable can be used to disable fast re-authentication. --- wpa_supplicant-2.2/wpa_supplicant/wpas_glue.c +++ wpa_supplicant-2.2/wpa_supplicant/wpas_glue.c @@ -851,6 +851,7 @@ ctx->port_cb = wpa_supplicant_port_cb; ctx->cb = wpa_supplicant_eapol_cb; ctx->cert_cb = wpa_supplicant_cert_cb; + ctx->cert_in_cb = wpa_s->conf->cert_in_cb; ctx->status_cb = wpa_supplicant_status_cb; ctx->set_anon_id = wpa_supplicant_set_anon_id; ctx->cb_ctx = wpa_s;
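Review bot: the config.c hunk only sets the default (`config->cert_in_cb = DEFAULT_CERT_IN_CB;`), and no visible hunk registers `cert_in_cb` with the configuration parser. Unless that entry exists elsewhere in the backport, a `cert_in_cb=0` line would not be read back, even though config_file.c writes the key and wpa_supplicant.conf documents it. Add the matching parser entry in config.c with a 0..1 range, or confirm that it is present in the full patch.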
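Review bot: the `cert_in_cb` comment added to config.h at @@ -949 does not say which values are valid or what the default is, and the field is a plain `int`. Suggest stating that 1 (DEFAULT_CERT_IN_CB) includes the certificate dump and 0 omits it, so that the struct documentation agrees with the sample configuration file.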
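Review bot: the comment block added to wpa_supplicant.conf says the option is enabled by default but not how to turn it off or what the events then contain. Suggest adding that `cert_in_cb=0` restores the old behavior, as the commit message states, and that with the default each EAP peer certificate event carries the SHA256 hash and the full DER encoded certificate for the server and its chain.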
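Review bot: in the wpas_glue.c hunk, `ctx->cert_in_cb = wpa_s->conf->cert_in_cb;` assigns a `cert_in_cb` member of `ctx` that none of the visible hunks declares. Confirm that the ctx structure in the 2.2 tree already has this member and that the EAPOL code reads it; otherwise the backport will either fail to compile or the setting will have no effect.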