From 94bbe7465f35b69487f306ed60b99ae6d50784e6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ji=C5=99=C3=AD=20Klime=C5=A1?=
Date: Wed, 16 Sep 2015 18:22:08 +0200
Subject: [PATCH] supplicant: adjust fragment_size according to MTU (bgo #755145)
NetworkManager set wpa_supplicant's fragment_size option to 1300. But if MTU was lower, wpa_supplicant failed with "l2_packet_send - sendto: Message too long" due to fragmentation of EAP-TLS or EAP-PEAP packets. Actually, MTU has to be 14 bytes bigger than the "fragment_size" parameter. Ideally, wpa_supplicant would take MTU in the account and adjust the fragmentation limit accordingly. See discussion in http://lists.shmoo.com/pipermail/hostap/2015-August/033546.html https://bugzilla.gnome.org/show_bug.cgi?id=755145
---
 configure.ac | 1 +
 src/devices/nm-device-ethernet.c | 5 +-
 src/devices/wifi/nm-device-wifi.c | 5 +-
 src/supplicant-manager/nm-supplicant-config.c | 19 ++-
 src/supplicant-manager/nm-supplicant-config.h | 4 +-
 src/supplicant-manager/tests/Makefile.am | 3 +
 .../tests/certs/Makefile.am | 6 +
 .../tests/certs/test-ca-cert.pem | 27 ++++
 .../tests/certs/test-cert.p12 | Bin 0 -> 4092 bytes
 .../tests/test-supplicant-config.c | 143 +++++++++++++++++-
 10 files changed, 204 insertions(+), 9 deletions(-)
 create mode 100644 src/supplicant-manager/tests/certs/Makefile.am
 create mode 100644 src/supplicant-manager/tests/certs/test-ca-cert.pem
 create mode 100644 src/supplicant-manager/tests/certs/test-cert.p12
diff --git a/configure.ac b/configure.ac
index 0deb4a4098..d4f673f217 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1014,6 +1014,7 @@ src/dhcp-manager/Makefile
 src/dhcp-manager/tests/Makefile
 src/dnsmasq-manager/tests/Makefile
 src/supplicant-manager/tests/Makefile
+src/supplicant-manager/tests/certs/Makefile
 src/ppp-manager/Makefile
 src/settings/plugins/Makefile
 src/settings/plugins/ifupdown/Makefile
diff --git a/src/devices/nm-device-ethernet.c b/src/devices/nm-device-ethernet.c
index ff3994d127..319ce1fc85 100644
--- a/src/devices/nm-device-ethernet.c
+++ b/src/devices/nm-device-ethernet.c
@@ -566,15 +566,18 @@ build_supplicant_config (NMDeviceEthernet *self)
 NMSupplicantConfig *config = NULL;
 NMSetting8021x *security;
 NMConnection *connection;
+ guint32 mtu;
 connection = nm_device_get_applied_connection (NM_DEVICE (self));
 g_assert (connection);
 con_uuid = nm_connection_get_uuid (connection);
+ mtu = nm_platform_link_get_mtu (NM_PLATFORM_GET,
+ nm_device_get_ifindex (NM_DEVICE (self)));
 config = nm_supplicant_config_new ();
 security = nm_connection_get_setting_802_1x (connection);
- if (!nm_supplicant_config_add_setting_8021x (config, security, con_uuid, TRUE)) {
+ if (!nm_supplicant_config_add_setting_8021x (config, security, con_uuid, mtu, TRUE)) {
 _LOGW (LOGD_DEVICE, "Couldn't add 802.1X security setting to supplicant config.");
 g_object_unref (config);
 config = NULL;
diff --git a/src/devices/wifi/nm-device-wifi.c b/src/devices/wifi/nm-device-wifi.c
index 2996218ebc..225a477310 100644
--- a/src/devices/wifi/nm-device-wifi.c
+++ b/src/devices/wifi/nm-device-wifi.c
@@ -2225,13 +2225,16 @@ build_supplicant_config (NMDeviceWifi *self,
 if (s_wireless_sec) {
 NMSetting8021x *s_8021x;
 const char *con_uuid = nm_connection_get_uuid (connection);
+ guint32 mtu = nm_platform_link_get_mtu (NM_PLATFORM_GET,
+ nm_device_get_ifindex (NM_DEVICE (self)));
 g_assert (con_uuid);
 s_8021x = nm_connection_get_setting_802_1x (connection);
 if (!nm_supplicant_config_add_setting_wireless_security (config, s_wireless_sec, s_8021x,
- con_uuid)) {
+ con_uuid,
+ mtu)) {
 _LOGE (LOGD_WIFI, "Couldn't add 802-11-wireless-security setting to supplicant config.");
 goto error;
 }
diff --git a/src/supplicant-manager/nm-supplicant-config.c b/src/supplicant-manager/nm-supplicant-config.c
index 86fd1814ca..65d6e2df44 100644
--- a/src/supplicant-manager/nm-supplicant-config.c
+++ b/src/supplicant-manager/nm-supplicant-config.c
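Review bot: The MTU handed to nm_supplicant_config_add_setting_8021x() in build_supplicant_config() is read once from the platform, and nothing in this hunk or in the matching nm-device-wifi.c hunk shows fragment_size being recomputed if the link MTU changes afterwards; whether activation can still change the MTU after this point is not visible here and should be confirmed. nm_platform_link_get_mtu() presumably yields 0 when the link lookup fails, and the callee in nm-supplicant-config.c only uses the value when `mtu > hdrs`, so a failed lookup silently keeps the default fragment size. I would state that at both call sites with a comment such as `/* 0 (MTU unknown) makes the callee keep its default fragment_size */`. Both build_supplicant_config() bodies start and end outside their hunks.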
@@ -610,7 +610,8 @@ gboolean
 nm_supplicant_config_add_setting_wireless_security (NMSupplicantConfig *self,
 NMSettingWirelessSecurity *setting,
 NMSetting8021x *setting_8021x,
- const char *con_uuid)
+ const char *con_uuid,
+ guint32 mtu)
 {
 gboolean success = FALSE;
 const char *key_mgmt, *auth_alg;
@@ -727,7 +728,7 @@ nm_supplicant_config_add_setting_wireless_security (NMSupplicantConfig *self,
 if (!strcmp (key_mgmt, "ieee8021x") || !strcmp (key_mgmt, "wpa-eap")) {
 if (!setting_8021x)
 return FALSE;
- if (!nm_supplicant_config_add_setting_8021x (self, setting_8021x, con_uuid, FALSE))
+ if (!nm_supplicant_config_add_setting_8021x (self, setting_8021x, con_uuid, mtu, FALSE))
 return FALSE;
 }
@@ -754,6 +755,7 @@ gboolean
 nm_supplicant_config_add_setting_8021x (NMSupplicantConfig *self,
 NMSetting8021x *setting,
 const char *con_uuid,
+ guint32 mtu,
 gboolean wired)
 {
 NMSupplicantConfigPrivate *priv;
@@ -766,6 +768,8 @@ nm_supplicant_config_add_setting_8021x (NMSupplicantConfig *self,
 guint32 i, num_eap;
 gboolean fast_provisoning_allowed = FALSE;
 const char *ca_path_override = NULL, *ca_cert_override = NULL;
+ guint32 frag, hdrs;
+ gs_free char *frag_str = NULL;
 g_return_val_if_fail (NM_IS_SUPPLICANT_CONFIG (self), FALSE);
 g_return_val_if_fail (setting != NULL, FALSE);
@@ -817,8 +821,15 @@ nm_supplicant_config_add_setting_8021x (NMSupplicantConfig *self,
 }
 }
- /* Drop the fragment size a bit for better compatibility */
- if (!nm_supplicant_config_add_option (self, "fragment_size", "1300", -1, FALSE))
+ /* Adjust the fragment size according to MTU, but do not set it higher than 1280-14
+ * for better compatibility */
+ hdrs = 14; /* EAPOL + EAP-TLS */
+ frag = 1280 - hdrs;
+ if (mtu > hdrs)
+ frag = CLAMP (mtu - hdrs, 100, frag);
+ frag_str = g_strdup_printf ("%u", frag);
+
+ if (!nm_supplicant_config_add_option (self, "fragment_size", frag_str, -1, FALSE))
 return FALSE;
 phase1 = g_string_new (NULL);
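Review bot: In the last hunk of nm_supplicant_config_add_setting_8021x(), `CLAMP (mtu - hdrs, 100, frag)` raises the result to 100 for any MTU from 15 to 113, so fragment_size plus the 14 header bytes is again larger than the MTU, which is the condition the commit message ties to the "Message too long" failure. An MTU of 14 or less, including 0, skips the clamp and keeps 1266 without leaving any trace. If the floor of 100 is intentional, say so next to the computation, for example `/* mtu unknown or <= hdrs keeps 1280 - hdrs; results below 100 are raised to 100 */`, and consider logging when either fallback is taken, since a failed 802.1X authentication is otherwise hard to trace back to this value. The new `mtu` parameter is also undocumented in the two changed signatures (bytes, and what 0 means). The function body starts and ends outside the hunk.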
diff --git a/src/supplicant-manager/nm-supplicant-config.h b/src/supplicant-manager/nm-supplicant-config.h
index 76a404ddd7..0cd3243ebf 100644
--- a/src/supplicant-manager/nm-supplicant-config.h
+++ b/src/supplicant-manager/nm-supplicant-config.h
@@ -70,13 +70,15 @@ gboolean nm_supplicant_config_add_setting_wireless (NMSupplicantConfig *self,
 gboolean nm_supplicant_config_add_setting_wireless_security (NMSupplicantConfig *self, NMSettingWirelessSecurity *setting, NMSetting8021x *setting_8021x,
- const char *con_uuid);
+ const char *con_uuid,
+ guint32 mtu);
 gboolean nm_supplicant_config_add_no_security (NMSupplicantConfig *self);
 gboolean nm_supplicant_config_add_setting_8021x (NMSupplicantConfig *self, NMSetting8021x *setting, const char *con_uuid,
+ guint32 mtu,
 gboolean wired);
 G_END_DECLS
diff --git a/src/supplicant-manager/tests/Makefile.am b/src/supplicant-manager/tests/Makefile.am
index 63193a1b35..e786664779 100644
--- a/src/supplicant-manager/tests/Makefile.am
+++ b/src/supplicant-manager/tests/Makefile.am
@@ -1,3 +1,5 @@
+SUBDIRS=certs
+
 AM_CPPFLAGS = \
 -I$(top_srcdir)/include \
 -I$(top_srcdir)/libnm-core \
@@ -7,6 +9,7 @@ AM_CPPFLAGS = \
 -DG_LOG_DOMAIN=\""NetworkManager"\" \
 -DNETWORKMANAGER_COMPILATION=NM_NETWORKMANAGER_COMPILATION_INSIDE_DAEMON \
 -DNM_VERSION_MAX_ALLOWED=NM_VERSION_NEXT_STABLE \
+ -DTEST_CERT_DIR=\"$(srcdir)/certs/\" \
 $(GLIB_CFLAGS)
 noinst_PROGRAMS = test-supplicant-config
diff --git a/src/supplicant-manager/tests/certs/Makefile.am b/src/supplicant-manager/tests/certs/Makefile.am
new file mode 100644
index 0000000000..f2e889f7ca
--- /dev/null
+++ b/src/supplicant-manager/tests/certs/Makefile.am
@@ -0,0 +1,6 @@
+CERTS = \
+ test-ca-cert.pem \
+ test-cert.p12
+
+EXTRA_DIST = $(CERTS)
+
diff --git a/src/supplicant-manager/tests/certs/test-ca-cert.pem b/src/supplicant-manager/tests/certs/test-ca-cert.pem
new file mode 100644
index 0000000000..ef1be20d2b
--- /dev/null
+++ b/src/supplicant-manager/tests/certs/test-ca-cert.pem
@@ -0,0 +1,27 @@ +-----BEGIN CERTIFICATE----- +MIIEjzCCA3egAwIBAgIJAOvnZPt59yIZMA0GCSqGSIb3DQEBBQUAMIGLMQswCQYD +VQQGEwJVUzESMBAGA1UECBMJQmVya3NoaXJlMRAwDgYDVQQHEwdOZXdidXJ5MRcw +FQYDVQQKEw5NeSBDb21wYW55IEx0ZDEQMA4GA1UECxMHVGVzdGluZzENMAsGA1UE +AxMEdGVzdDEcMBoGCSqGSIb3DQEJARYNdGVzdEB0ZXN0LmNvbTAeFw0wOTAzMTAx +NTEyMTRaFw0xOTAzMDgxNTEyMTRaMIGLMQswCQYDVQQGEwJVUzESMBAGA1UECBMJ +QmVya3NoaXJlMRAwDgYDVQQHEwdOZXdidXJ5MRcwFQYDVQQKEw5NeSBDb21wYW55 +IEx0ZDEQMA4GA1UECxMHVGVzdGluZzENMAsGA1UEAxMEdGVzdDEcMBoGCSqGSIb3 +DQEJARYNdGVzdEB0ZXN0LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC +ggEBAKot9j+/+CX1/gZLgJHIXCRgCItKLGnf7qGbgqB9T2ACBqR0jllKWwDKrcWU +xjXNIc+GF9Wnv+lX6G0Okn4Zt3/uRNobL+2b/yOF7M3Td3/9W873zdkQQX930YZc +Rr8uxdRPP5bxiCgtcw632y21sSEbG9mjccAUnV/0jdvfmMNj0i8gN6E0fMBiJ9S3 +FkxX/KFvt9JWE9CtoyL7ki7UIDq+6vj7Gd5N0B3dOa1y+rRHZzKlJPcSXQSEYUS4 +HmKDwiKSVahft8c4tDn7KPi0vex91hlgZVd3usL2E/Vq7o5D9FAZ5kZY0AdFXwdm +J4lO4Mj7ac7GE4vNERNcXVIX59sCAwEAAaOB8zCB8DAdBgNVHQ4EFgQUuDU3Mr7P +T3n1e3Sy8hBauoDFahAwgcAGA1UdIwSBuDCBtYAUuDU3Mr7PT3n1e3Sy8hBauoDF +ahChgZGkgY4wgYsxCzAJBgNVBAYTAlVTMRIwEAYDVQQIEwlCZXJrc2hpcmUxEDAO +BgNVBAcTB05ld2J1cnkxFzAVBgNVBAoTDk15IENvbXBhbnkgTHRkMRAwDgYDVQQL +EwdUZXN0aW5nMQ0wCwYDVQQDEwR0ZXN0MRwwGgYJKoZIhvcNAQkBFg10ZXN0QHRl +c3QuY29tggkA6+dk+3n3IhkwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOC +AQEAVRG4aALIvCXCiKfe7K+iJxjBVRDFPEf7JWA9LGgbFOn6pNvbxonrR+0BETdc +JV1ET4ct2xsE7QNFIkp9GKRC+6J32zCo8qtLCD5+v436r8TUG2/t2JRMkb9I2XVT +p7RJoot6M0Ltf8KNQUPYh756xmKZ4USfQUwc58MOSDGY8VWEXJOYij9Pf0e0c52t +qiCEjXH7uXiS8Pgq9TYm7AkWSOrglYhSa83x0f8mtT8Q15nBESIHZ6o8FAS2bBgn +B0BkrKRjtBUkuJG3vTox+bYINh2Gxi1JZHWSV1tN5z3hd4VFcKqanW5OgQwToBqp +3nniskIjbH0xjgZf/nVMyLnjxg== +-----END CERTIFICATE----- 
diff --git a/src/supplicant-manager/tests/certs/test-cert.p12 b/src/supplicant-manager/tests/certs/test-cert.p12 new file mode 100644 index 0000000000000000000000000000000000000000..ae4a68304973f7e8fec78c8e8f53d169df2afe59 GIT binary patch literal 4092 zcmY+GbyO1!+r~$1glrD!l7>kRP#OtAx)}ma2`Om>aVq5~ky0240wa{JF_3n2OV+?{&*z-)`=0mxJ4XYH~BThq(0VhSFJCm_yqN2ye*m(=5D+EJ%3CftWZt_&Ve&OUDWNf za}UZPveG_kaaQA#6dcwiD)I;Y(l0mqWBa>f)2OG2=WEHyX}aNL{}&pzz2C4(_wn?L z%|{B>*WANgaW9uHLTV)5G#7C1|H@SF!&5r!epnS98!4Z8HC4=H%y@#1N)*V4a&gFx z)vT<0FL5Y7d3f|zT`^x}LFo#}m2W|PhRrZ7d=ODtWD#hx<`UHw{;&e>>7vv~e23Ap zWGJpLDcb=kg5>Q?J(Csqh)geVrUe)uvsYfAs&@M;Cj4ytm$YZXBn|Ego1!(NcQXl{ zmr_<_Q&d#FiIt zR%>3cv!~$0F5;%vKAMl|uKzxb=FG`yUEn!eZrfGZAX$&*Z2-l-{#y_cU)+Sw2QfdRhx#;(g z*^KOeCKS6E7avXBVYkr)+IVI{BkKwgbs{|~$g5#dyl;&H?lh#(NX>X=%YHPedG#2o z%^Px`6K&wyex)L-+ksEsDj&3L<(}Mu%=HLXkcPS}RGlNX6UNjhm>X#%zFdggcx*H6 zCJD;gUSS1iWj+u{U_ua<`f~L&Or^4S6H0m9yrVc@D#ii?p9@^lAGJ?Qq}K zTHtoLp^vAG@1VL6ME9i`@?r_~G3SOwtB59T_O&;IBy{l*f}l){s+40H6T%<^l&>%PMzhq)Pa zaqi0UO{JB$U*?v%N zxJl6u2lLTo!%NeIE)O4(QfmfGGnH zlS6;u0QHr2Zg97E5QM2DYl`Ta`#v66kp1ND!j)ko!$=C2rPR1c_!!plMeF_E&+^jd zYq}%Ff;?)+YSY1(GrmZOg`f!A0ra7`$7&k`o>lHLE_jpf`+nL|Z_k{9&eQjK@jKh5 zAGZF;A1i5iGW17!)C`2UVU&U!!JG2>BE4(-)d5Su=hiMNmoq+BrEc8Ap!G@qcTWYN z?h7+9?Iz;xt`y3w!KXkI*GDqY_;3t>2gcv8|LpruiNFVQiu%L)^P|`zH^`!ps`Dte zKl)VeEH4b0{fS?^!VAw^#PgQz%dlU?TJGy_dwa^#cC{9%GOa;Tw=jnRW{0ahI=5nL z=?QS%E9$YSr{BA`4@FB0d$hW^cP{1BC^2qd&BHYu+%uhq)YNqPX}v=@X860_?0v7YRfei^4sZ)mPi|%_B!wwR^!>IqH#st* z1FGeS(!?4R>fh`+4){F(JP$!lnq?Ynn~W0;fJe;wHaakvUwieI5Dhk)|2j*O=4Z*@ zEFh#aQ07>CC*+usLgMpTxLGnpl&H>eExw#{Z?$Zj{VF@}PIn2Di0ZL9b)OlRUuG;y z)JMVd;jmvkr#@EC^+9aOZ|28pIVnK9016$fG)AQQ;;T`5h0j;Zp`2(BO{(}t=Jlab zA*2wraNuc@${n8>#^DL(j8OZLP=euG{+#9OD{0xf3>{QwEkAqSHaQdj9GZpYic(0x z%N+I~hjP8tupVH<$xQusi0HR1xa{1p4gR|D&L<*=x6El0yR!-pbio-(zME^+i;T$JGTFDifmZS;{cpJ zY)0kSPT=k-2Dl(KA-GB*jg{i;s{J824(9zW)`$Eg$p_vjvh1nz1zZ)k>;+cOly+4F z-=se55%i)xPw|v@al;r_HYwhJ8yp9vxhKhh5DlCDk^TmvPrqd!VU_8mC7Je%K`Y%r z%?5As;O 
zyIoaqCjkLy`!xN8$SGd<#=vO0`JrG#Pg-*KCt0PjE^6Q3$yaMm-*`PV)BQhb-erPK z5lobMYkU1E^}0|R!!>nW0_(gUhC<30%6#17f?-&nLC4xquv_Tew0Vg>+ZFVRWoi8( zbDeaVRiVS;uk|YGgr+0*O`3Bk1yfn~M~`Q*buKR+0N}W|Hb+1oi%;x0Cokp*js`ma z2OwskftKWGAmXoV{I~Q$*ZvO|sYysP(B#{2H2L~}Q6$+v6uC!gz&}?SS@I7>lB3Bx zaW_=t5o%|x&<`f{yrV2O8u$46z|5oERmHKtc<-&i?oR~o-SJTSjh#NlcE;K?QJiZ> zLBW{xl)<+{4RsCR$xE0C_zgeOJ0|*mj`wV-LG(jBF@T!q^~Er1`9pOA$!nZEVS(A^ zemvs?x*Xy+f$~DTMCl2ykdAvH8Z~ddP+6-;i$lNf9^Qi9Xzl^o?kX0O+mj4AP(R4VFyQQ%_%L(M^iwt8CKc6OCo?*w*l7eL7r6g1;P2xsb+ z&sF^#5UR;xZQUOI9JZvLV!P6mCo{;3qO|dupcjXiNa+{=^D=%CZ)e~A7D+luCv54w zPLz`-`WcSi#fBFc(DU^2%-{+UR@MQ@&T~XJZIlc0m)Lk^=_9_IFIBv@X=!#ub{eoR zgYpkp+vdHCB}&BH55P;==2N(hwO^2vdOL4smbuA7O3~E?&kk-qaSh8qp`;K{iQYWt zQ|<>H2LaqMNlARkxml6=1D;OhkMDDr4G(kj^48#N!MxBZV3fNNO;oTjS4t zRYxO7&4x7X+K(cAIGS)zCPDW8-uGaML|YDa_BfFGyxNDR1`V@=Hs4(nM=0a4%;)3_ z%Gk$?yb&zQJB^j#$muJIT-p+@ZO@c!VKFV7UA8qq)`M+v2^yZ2Eix@@;ej|XoXr0m zqmx@I?zo);QMUL>A?+LPoavC5Z1in%>$ELqjN1MIU4O%mjv*biD2vtm2>sM6rZ_dU z&51MV`lFL8fv677FAtcI#z&gfg&y6~&u?*I=WhTQK$qG~Gl_s#Z&DMV{w%RL?esU= z7h~lLGM!r)0e*VpmP%&Y8IU08Rr(RORZ~0AU7O2PetT%@xPVt13)&^fBE7v@sdI6* zF@4jf=T}bnX=NnqbxHhAE%^(XB}~`wOjZ4-ihvEpM2*CYkI|43K2?%=cfv-?Fjeh= zq&Pr&*&8YWL$j_ZEFvGXa(=>5L`T}_s=Sx6V*P`#hH$zzp>qA^4M_! zV{TEsT_ssX+iuE9`<^Wm>4O+?3Z>6^-vj$u)*%sFxz*x}1pIy-ihXcyP?kD|5@XxG zeh(z%e^Q|CLlqsKMpC+hSa0=waaV^zl~H?Y(d9&1@dMB6`cF1Y$i? zhK!i@vLQY(z)`NpsI_+OU|=jru2E&I6d`93oOcq!PYV!ooU@ObfP~q+Aj}W@{l4MK zIm|ZeD9m5c(rw^`xxY(8TZ7W!*|g=&zfxil9-GsHzNnDb`T9=ta~ze~A&j^lbiVF; z?{;a({^#`xtd@aEQ0lQW-%704X|;@{hMsC^%ZKa2Dv6#LYx=+(5hk_g&(vLnMXF}} zSi)xS_b?M~O@c9WS;&u_b1~YM{w*Wtmd0cfdT`$VPe&>S2}W}IL@r^hc{1U90RdK$ zvK1IXw9np!^Z$E9FTs415#R%G0C@lHq5v;|E8xlBT>>Bpmw