From 2677b7524fc939c5b5022c2fb7fb81614fe31b74 Mon Sep 17 00:00:00 2001
From: Lubomir Rintel <lkundrak@v3.sk>
Date: Fri, 21 Apr 2017 15:07:26 +0200
Subject: cli: add WPS PIN enrollment support

  nmcli d wifi connect "My Network" pin 12345670

Also, add a note in the manual that it shouldn't really be used.
---
 clients/cli/devices.c                     | 27 +++++++++++++++++++++------
 clients/common/nm-meta-setting-desc.c     |  1 -
 libnm-core/nm-setting-wireless-security.c |  8 ++++++--
 man/nmcli.xml                             | 14 +++++++++++++-
 4 files changed, 40 insertions(+), 10 deletions(-)

diff --git a/clients/cli/devices.c b/clients/cli/devices.c
index 234a82e914..0f2c3d6951 100644
--- a/clients/cli/devices.c
+++ b/clients/cli/devices.c
@@ -14,7 +14,7 @@
  * with this program; if not, write to the Free Software Foundation, Inc.,
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  *
- * Copyright 2010 - 2014 Red Hat, Inc.
+ * Copyright 2010 - 2017 Red Hat, Inc.
  */
 
 #include "nm-default.h"
@@ -2814,12 +2814,13 @@ do_device_wifi_connect_network (NmCli *nmc, int argc, char **argv)
 	NMConnection *connection = NULL;
 	NMSettingConnection *s_con;
 	NMSettingWireless *s_wifi;
-	NMSettingWirelessSecurity *s_wsec;
+	NMSettingWirelessSecurity *s_wsec = NULL;
 	AddAndActivateInfo *info;
 	const char *param_user = NULL;
 	const char *ifname = NULL;
 	const char *bssid = NULL;
 	const char *password = NULL;
+	const char *pin = NULL;
 	const char *con_name = NULL;
 	gboolean private = FALSE;
 	gboolean hidden = FALSE;
@@ -2867,7 +2868,7 @@ do_device_wifi_connect_network (NmCli *nmc, int argc, char **argv)
 	while (argc > 0) {
 		if (argc == 1 && nmc->complete) {
 			nmc_complete_strings (*argv, "ifname", "bssid", "password", "wep-key-type",
-			                      "name", "private", "hidden", NULL);
+			                      "name", "private", "hidden", "pin", NULL);
 		}
 
 		if (strcmp (*argv, "ifname") == 0) {
@@ -2974,6 +2975,15 @@ do_device_wifi_connect_network (NmCli *nmc, int argc, char **argv)
 				g_clear_error (&err_tmp);
 				goto finish;
 			}
+		} else if (strcmp (*argv, "pin") == 0) {
+			argc--;
+			argv++;
+			if (!argc) {
+				g_string_printf (nmc->return_text, _("Error: %s argument is missing."), *(argv-1));
+				nmc->return_value = NMC_RESULT_ERROR_USER_INPUT;
+				goto finish;
+			}
+			pin = *argv;
 		} else if (!nmc->complete) {
 			g_printerr (_("Unknown parameter: %s\n"), *argv);
 		}
@@ -3061,7 +3071,7 @@ do_device_wifi_connect_network (NmCli *nmc, int argc, char **argv)
 
 	/* If there are some connection data from user, create a connection and
 	 * fill them into proper settings. */
-	if (con_name || private || bssid2_arr || password || hidden)
+	if (con_name || private || bssid2_arr || password || hidden || pin)
 		connection = nm_simple_connection_new ();
 
 	if (con_name || private) {
@@ -3107,17 +3117,19 @@ do_device_wifi_connect_network (NmCli *nmc, int argc, char **argv)
 	ap_rsn_flags = nm_access_point_get_rsn_flags (ap);
 
 	/* Set password for WEP or WPA-PSK. */
-	if (ap_flags & NM_802_11_AP_FLAGS_PRIVACY) {
+	if (ap_flags & NM_802_11_AP_FLAGS_PRIVACY || pin) {
 		/* Ask for missing password when one is expected and '--ask' is used */
 		if (!password && nmc->ask)
 			password = passwd_ask = nmc_readline_echo (nmc->nmc_config.show_secrets, _("Password: "));
 
-		if (password) {
+		if (password || pin) {
 			if (!connection)
 				connection = nm_simple_connection_new ();
 			s_wsec = (NMSettingWirelessSecurity *) nm_setting_wireless_security_new ();
 			nm_connection_add_setting (connection, NM_SETTING (s_wsec));
+		}
 
+		if (password) {
 			if (ap_wpa_flags == NM_802_11_AP_SEC_NONE && ap_rsn_flags == NM_802_11_AP_SEC_NONE) {
 				/* WEP */
 				nm_setting_wireless_security_set_wep_key (s_wsec, 0, password);
@@ -3131,6 +3143,9 @@ do_device_wifi_connect_network (NmCli *nmc, int argc, char **argv)
 				g_object_set (s_wsec, NM_SETTING_WIRELESS_SECURITY_PSK, password, NULL);
 			}
 		}
+
+		if (pin)
+			g_object_set (s_wsec, NM_SETTING_WIRELESS_SECURITY_WPS_PIN, pin, NULL);
 	}
 	// FIXME: WPA-Enterprise is not supported yet.
 	// We are not able to determine and fill all the parameters for
diff --git a/clients/common/nm-meta-setting-desc.c b/clients/common/nm-meta-setting-desc.c
index 9a6fda09a8..d255a11eb8 100644
--- a/clients/common/nm-meta-setting-desc.c
+++ b/clients/common/nm-meta-setting-desc.c
@@ -6572,7 +6572,6 @@ static const NMMetaPropertyInfo *const property_infos_WIRELESS_SECURITY[] = {
 		),
 	),
 	PROPERTY_INFO_WITH_DESC (NM_SETTING_WIRELESS_SECURITY_WPS_PIN,
-		.is_secret =                    TRUE,
 		.property_type =                &_pt_gobject_string,
 	),
 	NULL
diff --git a/libnm-core/nm-setting-wireless-security.c b/libnm-core/nm-setting-wireless-security.c
index 0363fa3342..dda4b70451 100644
--- a/libnm-core/nm-setting-wireless-security.c
+++ b/libnm-core/nm-setting-wireless-security.c
@@ -1930,8 +1930,12 @@ nm_setting_wireless_security_class_init (NMSettingWirelessSecurityClass *setting
 	 *
 	 * The PIN used for WPS.
 	 *
-	 * NetworkManager will automatically disable WPS and unset this property
-	 * after a successful WPS enrollment.
+	 * Please note that this property is not handled as a secret and will be
+	 * visible to the users of the machine. Aside from that, there's a known
+	 * security flaw in the PIN based method that makes the PIN easy to guess.
+	 *
+	 * Enabling PIN method it on your router introduces a substantial risk that
+	 * unauthorized nodes will join the wireless network.
 	 *
 	 * Since: 1.10
 	 **/
diff --git a/man/nmcli.xml b/man/nmcli.xml
index 58a7004f07..55bf9558de 100644
--- a/man/nmcli.xml
+++ b/man/nmcli.xml
@@ -9,7 +9,7 @@
 <!--
   nmcli(1) manual page
 
-  Copyright 2010 - 2016 Red Hat, Inc.
+  Copyright 2010 - 2017 Red Hat, Inc.
 
   Permission is granted to copy, distribute and/or modify this document
   under the terms of the GNU Free Documentation License, Version 1.1
@@ -1395,6 +1395,7 @@
           <command>connect</command>
           <arg choice='plain'><replaceable>(B)SSID</replaceable></arg>
           <arg><option>password</option> <replaceable>password</replaceable></arg>
+          <arg><option>pin</option> <replaceable>pin</replaceable></arg>
           <arg>
             <option>wep-key-type</option>
             <group choice='req'>
@@ -1444,6 +1445,17 @@
                 <para>password for secured networks (WEP or WPA).</para>
               </listitem>
             </varlistentry>
+            <varlistentry>
+              <term><option>pin</option></term>
+              <listitem>
+                <para>PIN for WPA Protected Setup. If this option is set, the PIN will be
+                stored in the connection profile and a PIN-based WPS enrollment will be
+                attempted in case the PSK is required.</para>
+                <para>Please note that there is known security flaw in the PIN based method
+                that makes the PIN easy to guess. Enabling it on your router introduces a
+                substantial risk that unauthorized nodes will join the wireless network.</para>
+              </listitem>
+            </varlistentry>
             <varlistentry>
               <term><option>wep-key-type</option></term>
               <listitem>
-- 
cgit v1.2.1