diff --git a/system-settings/plugins/ifcfg-rh/Makefile.am b/system-settings/plugins/ifcfg-rh/Makefile.am index acfc38655..f804ef172 100644 --- a/system-settings/plugins/ifcfg-rh/Makefile.am +++ b/system-settings/plugins/ifcfg-rh/Makefile.am @@ -16,17 +16,20 @@ libifcfg_rh_io_la_SOURCES = \ errors.c \ common.h \ utils.c \ - utils.h + utils.h \ + crypto.c \ + crypto.h libifcfg_rh_io_la_CPPFLAGS = \ $(GLIB_CFLAGS) \ $(DBUS_CFLAGS) \ + $(NSS_CFLAGS) \ -DG_DISABLE_DEPRECATED \ -I$(top_srcdir)/include \ -I$(top_srcdir)/libnm-util \ -DSYSCONFDIR=\"$(sysconfdir)\" -libifcfg_rh_io_la_LIBADD = $(GLIB_LIBS) +libifcfg_rh_io_la_LIBADD = $(GLIB_LIBS) $(NSS_LIBS) libnm_settings_plugin_ifcfg_rh_la_SOURCES = \ plugin.c \ diff --git a/system-settings/plugins/ifcfg-rh/crypto.c b/system-settings/plugins/ifcfg-rh/crypto.c new file mode 100644 index 000000000..bd8d09cb6 --- /dev/null +++ b/system-settings/plugins/ifcfg-rh/crypto.c @@ -0,0 +1,391 @@ +/* -*- Mode: C; tab-width: 4; indent-tabs-mode: t; c-basic-offset: 4 -*- */ +/* NetworkManager system settings service - keyfile plugin + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Copyright (C) 2009 Red Hat, Inc. + */ + +#include "config.h" + +#include +#include + +#include +#include +#include +#include +#include +#include + +#include "common.h" +#include "crypto.h" +#include "utils.h" + +static gboolean initialized = FALSE; + +static gboolean +crypto_init (GError **error) +{ + SECStatus ret; + + if (initialized) + return TRUE; + + PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 1); + ret = NSS_NoDB_Init (NULL); + if (ret != SECSuccess) { + PR_Cleanup (); + g_set_error (error, ifcfg_plugin_error_quark (), 0, + _("Failed to initialize the crypto engine: %d."), + PR_GetError ()); + return FALSE; + } + + initialized = TRUE; + return TRUE; +} + +static gboolean +nss_md5_hash (const unsigned char *salt, + const gsize salt_len, + const char *password, + gsize password_len, + unsigned char *buffer, + gsize buflen, + GError **error) +{ + PK11Context *ctx; + int nkey = buflen; + unsigned int digest_len; + int count = 0; + char digest[20]; /* MD5 hash length */ + unsigned char *p = buffer; + + if (salt) + g_return_val_if_fail (salt_len >= 8, FALSE); + + g_return_val_if_fail (password != NULL, FALSE); + g_return_val_if_fail (password_len > 0, FALSE); + g_return_val_if_fail (buffer != NULL, FALSE); + g_return_val_if_fail (buflen > 0, FALSE); + + ctx = PK11_CreateDigestContext (SEC_OID_MD5); + if (!ctx) { + g_set_error (error, ifcfg_plugin_error_quark (), 0, + "Failed to initialize the MD5 context: %d.", + PORT_GetError ()); + return FALSE; + } + + while (nkey > 0) { + int i = 0; + + PK11_DigestBegin (ctx); + if (count++) + PK11_DigestOp (ctx, (const unsigned char *) digest, digest_len); + PK11_DigestOp (ctx, (const unsigned char *) password, password_len); + if (salt) + PK11_DigestOp (ctx, salt, 8); /* Only use 8 bytes of salt */ + PK11_DigestFinal (ctx, (unsigned char *) digest, &digest_len, sizeof (digest)); + + while (nkey && (i < digest_len)) { + *(p++) = digest[i++]; + nkey--; + } + } + + memset (digest, 0, sizeof (digest)); + PK11_DestroyContext (ctx, PR_TRUE); + return TRUE; +} + +static unsigned char * +make_key (const unsigned char *salt, + gsize salt_len, + const char *password, + gsize *out_len, + GError **error) +{ + unsigned char *key; + guint32 digest_len = 24; /* DES-EDE3-CBC */ + + g_return_val_if_fail (salt != NULL, NULL); + g_return_val_if_fail (salt_len >= 8, NULL); + g_return_val_if_fail (password != NULL, NULL); + g_return_val_if_fail (out_len != NULL, NULL); + + key = g_malloc0 (digest_len + 1); + if (!key) { + g_set_error (error, ifcfg_plugin_error_quark (), 0, + "Not enough memory to decrypt private key."); + return NULL; + } + + if (!nss_md5_hash (salt, salt_len, password, strlen (password), key, digest_len, error)) { + *out_len = 0; + memset (key, 0, digest_len); + g_free (key); + key = NULL; + } else + *out_len = digest_len; + + return key; +} + +static unsigned char * +nss_des3_encrypt (const unsigned char *key, + gsize key_len, + const unsigned char *iv, + gsize iv_len, + const unsigned char *data, + gsize data_len, + gsize *out_len, + GError **error) +{ + SECStatus ret; + CK_MECHANISM_TYPE cipher_mech = CKM_DES3_CBC_PAD; + PK11SlotInfo *slot = NULL; + SECItem key_item = { .data = (unsigned char *) key, .len = key_len }; + SECItem iv_item = { .data = (unsigned char *) iv, .len = iv_len }; + PK11SymKey *sym_key = NULL; + SECItem *sec_param = NULL; + PK11Context *ctx = NULL; + unsigned char *buf; + gsize buflen = data_len + 64; + int tmp1_len = 0; + unsigned int tmp2_len = 0, len; + gboolean success = FALSE; + + buf = g_malloc0 (buflen); + if (!buf) { + g_set_error (error, ifcfg_plugin_error_quark (), 0, + "Could not allocate memory encrypting private key."); + return NULL; + } + + slot = PK11_GetBestSlot (cipher_mech, NULL); + if (!slot) { + g_set_error (error, ifcfg_plugin_error_quark (), 0, + "Failed to initialize the encryption cipher slot."); + goto out; + } + + sym_key = PK11_ImportSymKey (slot, cipher_mech, PK11_OriginUnwrap, CKA_ENCRYPT, &key_item, NULL); + if (!sym_key) { + g_set_error (error, ifcfg_plugin_error_quark (), 0, + "Failed to set symmetric key for encryption."); + goto out; + } + + sec_param = PK11_ParamFromIV (cipher_mech, &iv_item); + if (!sec_param) { + g_set_error (error, ifcfg_plugin_error_quark (), 0, + "Failed to set IV for encryption."); + goto out; + } + + ctx = PK11_CreateContextBySymKey (cipher_mech, CKA_ENCRYPT, sym_key, sec_param); + if (!ctx) { + g_set_error (error, ifcfg_plugin_error_quark (), 0, + "Failed to initialize the encryption context."); + goto out; + } + + ret = PK11_CipherOp (ctx, buf, &tmp1_len, buflen, (unsigned char *) data, data_len); + if (ret != SECSuccess) { + g_set_error (error, ifcfg_plugin_error_quark (), 0, + "Failed to encrypt the private key: %d.", + PORT_GetError ()); + goto out; + } + + ret = PK11_DigestFinal (ctx, + (unsigned char *) (buf + tmp1_len), + &tmp2_len, + buflen - tmp1_len); + if (ret != SECSuccess) { + g_set_error (error, ifcfg_plugin_error_quark (), 0, + "Failed to finalize encryption of the private key: %d.", + PORT_GetError ()); + goto out; + } + len = tmp1_len + tmp2_len; + if (len > buflen) { + g_set_error (error, ifcfg_plugin_error_quark (), 0, + "Error encrypting private key; too much data."); + goto out; + } + + *out_len = len; + buf[*out_len] = '\0'; + success = TRUE; + +out: + if (ctx) + PK11_DestroyContext (ctx, PR_TRUE); + if (sym_key) + PK11_FreeSymKey (sym_key); + if (sec_param) + SECITEM_FreeItem (sec_param, PR_TRUE); + if (slot) + PK11_FreeSlot (slot); + + if (!success) { + memset (buf, 0, buflen); + g_free (buf); + buf = NULL; + } + return buf; +} + +#define PEM_RSA_KEY_BEGIN "-----BEGIN RSA PRIVATE KEY-----"; +#define PEM_RSA_KEY_END "-----END RSA PRIVATE KEY-----"; + +GByteArray * +crypto_key_to_pem (const GByteArray *data, + const char *password, + GError **error) +{ + SECStatus s; + unsigned char salt[32]; + unsigned char *key = NULL, *enc = NULL; + gsize key_len = 0, enc_len = 0; + GString *pem = NULL; + char *tmp; + gboolean success = FALSE; + int left; + const char *p; + GByteArray *ret = NULL; + + g_return_val_if_fail (data != NULL, NULL); + g_return_val_if_fail (data->len > 0, NULL); + g_return_val_if_fail (password != NULL, NULL); + + if (!crypto_init (error)) + return NULL; + + s = PK11_GenerateRandom (salt, sizeof (salt)); + if (s != SECSuccess) { + g_set_error (error, ifcfg_plugin_error_quark (), 0, + "Could not generate random IV for encrypting private key."); + return NULL; + } + + key = make_key (&salt[0], sizeof (salt), password, &key_len, error); + if (!key) + return NULL; + + enc = nss_des3_encrypt (key, key_len, salt, sizeof (salt), data->data, data->len, &enc_len, error); + if (!enc) + goto out; + + pem = g_string_sized_new (enc_len * 2 + 100); + if (!pem) { + g_set_error (error, ifcfg_plugin_error_quark (), 0, + "Could not allocate memory for PEM file creation."); + goto out; + } + + g_string_append (pem, "-----BEGIN RSA PRIVATE KEY-----\n"); + g_string_append (pem, "Proc-Type: 4,ENCRYPTED\n"); + + /* Convert the salt to a hex string */ + tmp = utils_bin2hexstr ((const char *) salt, sizeof (salt), 16); + if (!tmp) { + g_set_error (error, ifcfg_plugin_error_quark (), 0, + "Could not allocate memory for writing IV to PEM file."); + goto out; + } + + g_string_append_printf (pem, "DEK-Info: DES-EDE3-CBC,%s\n\n", tmp); + g_free (tmp); + + /* Convert the encrypted key to a base64 string */ + p = tmp = g_base64_encode (enc, enc_len); + if (!tmp) { + g_set_error (error, ifcfg_plugin_error_quark (), 0, + "Could not allocate memory for writing encrypted key to PEM file."); + goto out; + } + + left = strlen (tmp); + while (left > 0) { + g_string_append_len (pem, p, (left < 64) ? left : 64); + g_string_append_c (pem, '\n'); + left -= 64; + p += 64; + } + g_free (tmp); + + g_string_append (pem, "-----END RSA PRIVATE KEY-----\n"); + + ret = g_byte_array_sized_new (pem->len); + if (!ret) { + g_set_error (error, ifcfg_plugin_error_quark (), 0, + "Could not allocate memory for PEM file data."); + goto out; + } + g_byte_array_append (ret, (const unsigned char *) pem->str, pem->len); + success = TRUE; + +out: + if (key) { + memset (key, 0, key_len); + g_free (key); + } + if (!enc) { + memset (enc, 0, enc_len); + g_free (enc); + } + if (pem) + g_string_free (pem, TRUE); + + return ret; +} + +GByteArray * +crypto_random (gsize len, GError **error) +{ + SECStatus s; + GByteArray *array; + unsigned char *buf; + + if (!crypto_init (error)) + return NULL; + + buf = g_malloc (len); + if (!buf) { + g_set_error (error, ifcfg_plugin_error_quark (), 0, + "Could not allocate memory for random data."); + return NULL; + } + + s = PK11_GenerateRandom (buf, len); + if (s != SECSuccess) { + g_set_error (error, ifcfg_plugin_error_quark (), 0, + "Could not generate random IV for encrypting private key."); + g_free (buf); + return NULL; + } + + array = g_byte_array_sized_new (len); + g_byte_array_append (array, buf, len); + memset (buf, 0, len); + g_free (buf); + + return array; +} + diff --git a/system-settings/plugins/ifcfg-rh/crypto.h b/system-settings/plugins/ifcfg-rh/crypto.h new file mode 100644 index 000000000..b145020fd --- /dev/null +++ b/system-settings/plugins/ifcfg-rh/crypto.h @@ -0,0 +1,34 @@ +/* -*- Mode: C; tab-width: 4; indent-tabs-mode: t; c-basic-offset: 4 -*- */ +/* NetworkManager system settings service - keyfile plugin + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Copyright (C) 2009 Red Hat, Inc. + */ + +#ifndef _CRYPTO_H_ +#define _CRYPTO_H_ + +#include + +GByteArray * +crypto_key_to_pem (const GByteArray *data, + const char *password, + GError **error); + +GByteArray *crypto_random (gsize len, GError **error); + +#endif /* _CRYPTO_H_ */ + diff --git a/system-settings/plugins/ifcfg-rh/reader.c b/system-settings/plugins/ifcfg-rh/reader.c index c18dee86b..8c136c2e6 100644 --- a/system-settings/plugins/ifcfg-rh/reader.c +++ b/system-settings/plugins/ifcfg-rh/reader.c @@ -973,6 +973,7 @@ eap_tls_reader (const char *eap_method, gboolean phase2, GError **error) { + char *value; char *ca_cert = NULL; char *real_path = NULL; char *client_cert = NULL; @@ -981,6 +982,16 @@ eap_tls_reader (const char *eap_method, gboolean success = FALSE; NMSetting8021xCKType privkey_type = NM_SETTING_802_1X_CK_TYPE_UNKNOWN; + value = svGetValue (ifcfg, "IEEE_8021X_IDENTITY", FALSE); + if (!value) { + g_set_error (error, ifcfg_plugin_error_quark (), 0, + "Missing IEEE_8021X_IDENTITY for EAP method '%s'.", + eap_method); + return FALSE; + } + g_object_set (s_8021x, NM_SETTING_802_1X_IDENTITY, value, NULL); + g_free (value); + ca_cert = svGetValue (ifcfg, phase2 ? "IEEE_8021X_INNER_CA_CERT" : "IEEE_8021X_CA_CERT", FALSE); @@ -1065,6 +1076,14 @@ eap_tls_reader (const char *eap_method, * same data as the private key, since pkcs12 files contain both. */ if (privkey_type == NM_SETTING_802_1X_CK_TYPE_PKCS12) { + /* Set the private key password if PKCS#12, because PKCS#12 doesn't get + * decrypted when being stored in the Setting. + */ + if (phase2) + g_object_set (s_8021x, NM_SETTING_802_1X_PHASE2_PRIVATE_KEY_PASSWORD, privkey_password, NULL); + else + g_object_set (s_8021x, NM_SETTING_802_1X_PRIVATE_KEY_PASSWORD, privkey_password, NULL); + if (phase2) { if (!nm_setting_802_1x_set_phase2_client_cert_from_file (s_8021x, real_path, NULL, error)) goto done; @@ -1083,12 +1102,6 @@ eap_tls_reader (const char *eap_method, NM_SETTING_802_1X_CLIENT_CERT); } } else { - /* Set the private key password if not PKCS#12 */ - if (phase2) - g_object_set (s_8021x, NM_SETTING_802_1X_PHASE2_PRIVATE_KEY_PASSWORD, privkey_password, NULL); - else - g_object_set (s_8021x, NM_SETTING_802_1X_PRIVATE_KEY_PASSWORD, privkey_password, NULL); - /* Otherwise, private key is "traditional" OpenSSL format, so * client certificate will be a separate file. */ diff --git a/system-settings/plugins/ifcfg-rh/tests/network-scripts/ifcfg-test-wifi-wpa-eap-tls b/system-settings/plugins/ifcfg-rh/tests/network-scripts/ifcfg-test-wifi-wpa-eap-tls index c4d8ee0b7..92aaeeab9 100644 --- a/system-settings/plugins/ifcfg-rh/tests/network-scripts/ifcfg-test-wifi-wpa-eap-tls +++ b/system-settings/plugins/ifcfg-rh/tests/network-scripts/ifcfg-test-wifi-wpa-eap-tls @@ -18,6 +18,7 @@ KEY_MGMT=WPA-EAP WPA_ALLOW_WPA=yes WPA_ALLOW_WPA2=yes IEEE_8021X_EAP_METHODS=TLS +IEEE_8021X_IDENTITY="Bill Smith" IEEE_8021X_CA_CERT=test_ca_cert.pem IEEE_8021X_CLIENT_CERT=test1_key_and_cert.pem IEEE_8021X_PRIVATE_KEY=test1_key_and_cert.pem diff --git a/system-settings/plugins/ifcfg-rh/tests/network-scripts/ifcfg-test-wifi-wpa-eap-ttls-tls b/system-settings/plugins/ifcfg-rh/tests/network-scripts/ifcfg-test-wifi-wpa-eap-ttls-tls index a6b5da537..42ed1d68a 100644 --- a/system-settings/plugins/ifcfg-rh/tests/network-scripts/ifcfg-test-wifi-wpa-eap-ttls-tls +++ b/system-settings/plugins/ifcfg-rh/tests/network-scripts/ifcfg-test-wifi-wpa-eap-ttls-tls @@ -18,6 +18,7 @@ KEY_MGMT=WPA-EAP WPA_ALLOW_WPA=yes WPA_ALLOW_WPA2=yes IEEE_8021X_EAP_METHODS=TTLS +IEEE_8021X_IDENTITY="Chuck Shumer" IEEE_8021X_ANON_IDENTITY="anonymous" IEEE_8021X_CA_CERT=test_ca_cert.pem IEEE_8021X_INNER_AUTH_METHODS=EAP-TLS diff --git a/system-settings/plugins/ifcfg-rh/tests/test-ifcfg-rh.c b/system-settings/plugins/ifcfg-rh/tests/test-ifcfg-rh.c index b9f832ed4..50197b1bd 100644 --- a/system-settings/plugins/ifcfg-rh/tests/test-ifcfg-rh.c +++ b/system-settings/plugins/ifcfg-rh/tests/test-ifcfg-rh.c @@ -2845,8 +2845,9 @@ test_read_wifi_wpa_eap_tls (void) char *keyfile = NULL; gboolean ignore_error = FALSE; GError *error = NULL; - const char *tmp, *privkey_password; - const char *expected_private_key_password = "test1"; + const char *tmp; + const char *expected_identity = "Bill Smith"; + const char *expected_privkey_password = "test1"; connection = connection_from_file (TEST_IFCFG_WIFI_WPA_EAP_TLS, NULL, @@ -2913,6 +2914,19 @@ test_read_wifi_wpa_eap_tls (void) NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_EAP); + /* Identity */ + tmp = nm_setting_802_1x_get_identity (s_8021x); + ASSERT (tmp != NULL, + "wifi-wpa-eap-tls-verify-8021x", "failed to verify %s: missing %s / %s key", + TEST_IFCFG_WIFI_WPA_EAP_TLS, + NM_SETTING_802_1X_SETTING_NAME, + NM_SETTING_802_1X_IDENTITY); + ASSERT (strcmp (tmp, expected_identity) == 0, + "wifi-wpa-eap-tls-verify-8021x", "failed to verify %s: unexpected %s / %s key value", + TEST_IFCFG_WIFI_WPA_EAP_TLS, + NM_SETTING_802_1X_SETTING_NAME, + NM_SETTING_802_1X_IDENTITY); + /* CA Cert */ verify_cert_or_key (CK_CA_CERT, s_8021x, @@ -2932,14 +2946,8 @@ test_read_wifi_wpa_eap_tls (void) NM_SETTING_802_1X_CLIENT_CERT); /* Private Key Password */ - privkey_password = nm_setting_802_1x_get_private_key_password (s_8021x); - ASSERT (privkey_password != NULL, - "wifi-wpa-eap-tls-verify-8021x", "failed to verify %s: missing %s / %s key", - TEST_IFCFG_WIFI_WPA_EAP_TLS, - NM_SETTING_802_1X_SETTING_NAME, - NM_SETTING_802_1X_PRIVATE_KEY_PASSWORD); - ASSERT (strcmp (privkey_password, expected_private_key_password) == 0, - "wifi-wpa-eap-tls-verify-8021x", "failed to verify %s: unexpected %s / %s key value", + ASSERT (nm_setting_802_1x_get_private_key_password (s_8021x) == NULL, + "wifi-wpa-eap-tls-verify-8021x", "failed to verify %s: unexpected %s / %s key", TEST_IFCFG_WIFI_WPA_EAP_TLS, NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_PRIVATE_KEY_PASSWORD); @@ -2948,7 +2956,7 @@ test_read_wifi_wpa_eap_tls (void) verify_cert_or_key (CK_PRIV_KEY, s_8021x, TEST_IFCFG_WIFI_WPA_EAP_TLS_PRIVATE_KEY, - privkey_password, + expected_privkey_password, TEST_IFCFG_WIFI_WPA_EAP_TLS, "wifi-wpa-eap-tls-verify-8021x", NM_SETTING_802_1X_PRIVATE_KEY); @@ -2971,8 +2979,9 @@ test_read_wifi_wpa_eap_ttls_tls (void) char *keyfile = NULL; gboolean ignore_error = FALSE; GError *error = NULL; - const char *tmp, *privkey_password; - const char *expected_private_key_password = "test1"; + const char *tmp; + const char *expected_identity = "Chuck Shumer"; + const char *expected_privkey_password = "test1"; connection = connection_from_file (TEST_IFCFG_WIFI_WPA_EAP_TTLS_TLS, NULL, @@ -3080,14 +3089,8 @@ test_read_wifi_wpa_eap_ttls_tls (void) NM_SETTING_802_1X_PHASE2_CLIENT_CERT); /* Inner Private Key Password */ - privkey_password = nm_setting_802_1x_get_phase2_private_key_password (s_8021x); - ASSERT (privkey_password != NULL, - "wifi-wpa-eap-ttls-tls-verify-8021x", "failed to verify %s: missing %s / %s key", - TEST_IFCFG_WIFI_WPA_EAP_TTLS_TLS, - NM_SETTING_802_1X_SETTING_NAME, - NM_SETTING_802_1X_PHASE2_PRIVATE_KEY_PASSWORD); - ASSERT (strcmp (privkey_password, expected_private_key_password) == 0, - "wifi-wpa-eap-ttls-tls-verify-8021x", "failed to verify %s: unexpected %s / %s key value", + ASSERT (nm_setting_802_1x_get_phase2_private_key_password (s_8021x) == NULL, + "wifi-wpa-eap-ttls-tls-verify-8021x", "failed to verify %s: unexpected %s / %s key", TEST_IFCFG_WIFI_WPA_EAP_TTLS_TLS, NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_PHASE2_PRIVATE_KEY_PASSWORD); @@ -3096,11 +3099,24 @@ test_read_wifi_wpa_eap_ttls_tls (void) verify_cert_or_key (CK_PRIV_KEY, s_8021x, TEST_IFCFG_WIFI_WPA_EAP_TLS_PRIVATE_KEY, - privkey_password, + expected_privkey_password, TEST_IFCFG_WIFI_WPA_EAP_TTLS_TLS, "wifi-wpa-eap-ttls-tls-verify-8021x", NM_SETTING_802_1X_PHASE2_PRIVATE_KEY); + /* Identity */ + tmp = nm_setting_802_1x_get_identity (s_8021x); + ASSERT (tmp != NULL, + "wifi-wpa-eap-ttls-tls-verify-8021x", "failed to verify %s: missing %s / %s key", + TEST_IFCFG_WIFI_WPA_EAP_TTLS_TLS, + NM_SETTING_802_1X_SETTING_NAME, + NM_SETTING_802_1X_IDENTITY); + ASSERT (strcmp (tmp, expected_identity) == 0, + "wifi-wpa-eap-ttls-tls-verify-8021x", "failed to verify %s: unexpected %s / %s key value", + TEST_IFCFG_WIFI_WPA_EAP_TTLS_TLS, + NM_SETTING_802_1X_SETTING_NAME, + NM_SETTING_802_1X_IDENTITY); + g_object_unref (connection); } @@ -4116,6 +4132,165 @@ test_write_wifi_wpa_psk (const char *name, g_object_unref (reread); } +static void +test_write_wifi_wpa_eap_tls (void) +{ + NMConnection *connection; + NMConnection *reread; + NMSettingConnection *s_con; + NMSettingWireless *s_wifi; + NMSettingWirelessSecurity *s_wsec; + NMSetting8021x *s_8021x; + NMSettingIP4Config *s_ip4; + char *uuid; + gboolean success; + GError *error = NULL; + char *testfile = NULL; + gboolean unmanaged = FALSE; + char *keyfile = NULL; + gboolean ignore_error = FALSE; + GByteArray *ssid; + const char *ssid_data = "blahblah"; + + connection = nm_connection_new (); + ASSERT (connection != NULL, + "wifi-wpa-eap-tls-write", "failed to allocate new connection"); + + /* Connection setting */ + s_con = (NMSettingConnection *) nm_setting_connection_new (); + ASSERT (s_con != NULL, + "wifi-wpa-eap-tls-write", "failed to allocate new %s setting", + NM_SETTING_CONNECTION_SETTING_NAME); + nm_connection_add_setting (connection, NM_SETTING (s_con)); + + uuid = nm_utils_uuid_generate (); + g_object_set (s_con, + NM_SETTING_CONNECTION_ID, "Test Write Wifi WPA EAP-TLS", + NM_SETTING_CONNECTION_UUID, uuid, + NM_SETTING_CONNECTION_AUTOCONNECT, TRUE, + NM_SETTING_CONNECTION_TYPE, NM_SETTING_WIRELESS_SETTING_NAME, + NULL); + g_free (uuid); + + /* Wifi setting */ + s_wifi = (NMSettingWireless *) nm_setting_wireless_new (); + ASSERT (s_wifi != NULL, + "wifi-wpa-eap-tls-write", "failed to allocate new %s setting", + NM_SETTING_WIRELESS_SETTING_NAME); + nm_connection_add_setting (connection, NM_SETTING (s_wifi)); + + ssid = g_byte_array_sized_new (strlen (ssid_data)); + g_byte_array_append (ssid, (const unsigned char *) ssid_data, strlen (ssid_data)); + + g_object_set (s_wifi, + NM_SETTING_WIRELESS_SSID, ssid, + NM_SETTING_WIRELESS_MODE, "infrastructure", + NM_SETTING_WIRELESS_SEC, NM_SETTING_WIRELESS_SECURITY_SETTING_NAME, + NULL); + + g_byte_array_free (ssid, TRUE); + + /* Wireless security setting */ + s_wsec = (NMSettingWirelessSecurity *) nm_setting_wireless_security_new (); + ASSERT (s_wsec != NULL, + "wifi-wpa-eap-tls-write", "failed to allocate new %s setting", + NM_SETTING_WIRELESS_SECURITY_SETTING_NAME); + nm_connection_add_setting (connection, NM_SETTING (s_wsec)); + + g_object_set (s_wsec, NM_SETTING_WIRELESS_SECURITY_KEY_MGMT, "wpa-eap", NULL); + nm_setting_wireless_security_add_proto (s_wsec, "wpa"); + nm_setting_wireless_security_add_pairwise (s_wsec, "tkip"); + nm_setting_wireless_security_add_group (s_wsec, "tkip"); + + /* Wireless security setting */ + s_8021x = (NMSetting8021x *) nm_setting_802_1x_new (); + ASSERT (s_8021x != NULL, + "wifi-wpa-eap-tls-write", "failed to allocate new %s setting", + NM_SETTING_802_1X_SETTING_NAME); + nm_connection_add_setting (connection, NM_SETTING (s_8021x)); + + g_object_set (s_8021x, NM_SETTING_802_1X_IDENTITY, "Bill Smith", NULL); + + nm_setting_802_1x_add_eap_method (s_8021x, "tls"); + + success = nm_setting_802_1x_set_ca_cert_from_file (s_8021x, + TEST_IFCFG_WIFI_WPA_EAP_TLS_CA_CERT, + NULL, + &error); + ASSERT (success == TRUE, + "wifi-wpa-eap-tls-write", "failed to set CA certificate '%s': %s", + TEST_IFCFG_WIFI_WPA_EAP_TLS_CA_CERT, error->message); + + success = nm_setting_802_1x_set_client_cert_from_file (s_8021x, + TEST_IFCFG_WIFI_WPA_EAP_TLS_CLIENT_CERT, + NULL, + &error); + ASSERT (success == TRUE, + "wifi-wpa-eap-tls-write", "failed to set client certificate '%s': %s", + TEST_IFCFG_WIFI_WPA_EAP_TLS_CLIENT_CERT, error->message); + + success = nm_setting_802_1x_set_private_key_from_file (s_8021x, + TEST_IFCFG_WIFI_WPA_EAP_TLS_PRIVATE_KEY, + "test1", + NULL, + &error); + ASSERT (success == TRUE, + "wifi-wpa-eap-tls-write", "failed to set private key '%s': %s", + TEST_IFCFG_WIFI_WPA_EAP_TLS_PRIVATE_KEY, error->message); + + /* IP4 setting */ + s_ip4 = (NMSettingIP4Config *) nm_setting_ip4_config_new (); + ASSERT (s_ip4 != NULL, + "wifi-wpa-eap-tls-write", "failed to allocate new %s setting", + NM_SETTING_IP4_CONFIG_SETTING_NAME); + nm_connection_add_setting (connection, NM_SETTING (s_ip4)); + + g_object_set (s_ip4, NM_SETTING_IP4_CONFIG_METHOD, NM_SETTING_IP4_CONFIG_METHOD_AUTO, NULL); + + ASSERT (nm_connection_verify (connection, &error) == TRUE, + "wifi-wpa-eap-tls-write", "failed to verify connection: %s", + (error && error->message) ? error->message : "(unknown)"); + + /* Save the ifcfg */ + success = writer_new_connection (connection, + TEST_DIR "/network-scripts/", + &testfile, + &error); + ASSERT (success == TRUE, + "wifi-wpa-eap-tls-write", "failed to write connection to disk: %s", + (error && error->message) ? error->message : "(unknown)"); + + ASSERT (testfile != NULL, + "wifi-wpa-eap-tls-write", "didn't get ifcfg file path back after writing connection"); + + /* re-read the connection for comparison */ + reread = connection_from_file (testfile, + NULL, + TYPE_WIRELESS, + &unmanaged, + &keyfile, + &error, + &ignore_error); + unlink (testfile); + + ASSERT (keyfile != NULL, + "wifi-wpa-eap-tls-write-reread", "expected keyfile for '%s'", testfile); + unlink (keyfile); + + ASSERT (reread != NULL, + "wifi-wpa-eap-tls-write-reread", "failed to read %s: %s", testfile, error->message); + + ASSERT (nm_connection_verify (reread, &error), + "wifi-wpa-eap-tls-write-reread-verify", "failed to verify %s: %s", testfile, error->message); + + ASSERT (nm_connection_compare (connection, reread, NM_SETTING_COMPARE_FLAG_EXACT) == TRUE, + "wifi-wpa-eap-tls-write", "written and re-read connection weren't the same."); + + g_free (testfile); + g_object_unref (connection); + g_object_unref (reread); +} + #define TEST_IFCFG_WIFI_OPEN_SSID_BAD_HEX TEST_DIR"/network-scripts/ifcfg-test-wifi-open-ssid-bad-hex" #define TEST_IFCFG_WIFI_OPEN_SSID_LONG_QUOTED TEST_DIR"/network-scripts/ifcfg-test-wifi-open-ssid-long-quoted" #define TEST_IFCFG_WIFI_OPEN_SSID_LONG_HEX TEST_DIR"/network-scripts/ifcfg-test-wifi-open-ssid-long-hex" @@ -4167,6 +4342,7 @@ int main (int argc, char **argv) test_write_wifi_wpa_psk ("Test Write Wifi WPA2 PSK", "wifi-wpa2-psk-write", FALSE, FALSE, TRUE); test_write_wifi_wpa_psk ("Test Write Wifi WPA WPA2 PSK", "wifi-wpa-wpa2-psk-write", FALSE, TRUE, TRUE); test_write_wifi_wpa_psk ("Test Write Wifi WEP WPA WPA2 PSK", "wifi-wep-wpa-wpa2-psk-write", TRUE, TRUE, TRUE); + test_write_wifi_wpa_eap_tls (); basename = g_path_get_basename (argv[0]); fprintf (stdout, "%s: SUCCESS\n", basename); diff --git a/system-settings/plugins/ifcfg-rh/utils.c b/system-settings/plugins/ifcfg-rh/utils.c index addee801f..8e22e4253 100644 --- a/system-settings/plugins/ifcfg-rh/utils.c +++ b/system-settings/plugins/ifcfg-rh/utils.c @@ -37,15 +37,18 @@ char * utils_bin2hexstr (const char *bytes, int len, int final_len) { - static char hex_digits[] = "0123456789abcdef"; - char * result; - int i; + static char hex_digits[] = "0123456789abcdef"; + char *result; + int i; + gsize buflen = (len * 2) + 1; g_return_val_if_fail (bytes != NULL, NULL); g_return_val_if_fail (len > 0, NULL); - g_return_val_if_fail (len < 256, NULL); /* Arbitrary limit */ + g_return_val_if_fail (len < 4096, NULL); /* Arbitrary limit */ + if (final_len > -1) + g_return_val_if_fail (final_len < buflen, NULL); - result = g_malloc0 (len * 2 + 1); + result = g_malloc0 (buflen); for (i = 0; i < len; i++) { result[2*i] = hex_digits[(bytes[i] >> 4) & 0xf]; @@ -54,6 +57,8 @@ utils_bin2hexstr (const char *bytes, int len, int final_len) /* Cut converted key off at the correct length for this cipher type */ if (final_len > -1) result[final_len] = '\0'; + else + result[buflen - 1] = '\0'; return result; } @@ -123,13 +128,13 @@ utils_hash_byte_array (const GByteArray *data) } char * -utils_cert_path (const char *parent, const char *prefix, const char *suffix) +utils_cert_path (const char *parent, const char *suffix) { char *name, *dir, *path; name = utils_get_ifcfg_name (parent); dir = g_path_get_dirname (parent); - path = g_strdup_printf ("%s/%s-%s.%s", dir, prefix, name, suffix); + path = g_strdup_printf ("%s/%s-%s", dir, name, suffix); g_free (dir); g_free (name); return path; diff --git a/system-settings/plugins/ifcfg-rh/utils.h b/system-settings/plugins/ifcfg-rh/utils.h index e9197b1cb..1dd7e7dce 100644 --- a/system-settings/plugins/ifcfg-rh/utils.h +++ b/system-settings/plugins/ifcfg-rh/utils.h @@ -31,7 +31,7 @@ char *utils_hexstr2bin (const char *hex, size_t len); char *utils_hash_byte_array (const GByteArray *data); -char *utils_cert_path (const char *parent, const char *prefix, const char *suffix); +char *utils_cert_path (const char *parent, const char *suffix); char *utils_get_ifcfg_name (const char *file); diff --git a/system-settings/plugins/ifcfg-rh/writer.c b/system-settings/plugins/ifcfg-rh/writer.c index 7214dd665..d4334f282 100644 --- a/system-settings/plugins/ifcfg-rh/writer.c +++ b/system-settings/plugins/ifcfg-rh/writer.c @@ -40,6 +40,7 @@ #include "reader.h" #include "writer.h" #include "utils.h" +#include "crypto.h" #define PLUGIN_WARN(pname, fmt, args...) \ { g_warning (" " pname ": " fmt, ##args); } @@ -142,74 +143,112 @@ out: return success; } +typedef struct ObjectType { + const char *setting_key; + const char *ifcfg_key; + const char *path_tag; + const char *hash_tag; + const char *suffix; +} ObjectType; + +static const ObjectType ca_type = { + NM_SETTING_802_1X_CA_CERT, + "IEEE_8021X_CA_CERT", + TAG_CA_CERT_PATH, + TAG_CA_CERT_HASH, + "ca-cert.der" +}; + +static const ObjectType client_type = { + NM_SETTING_802_1X_CLIENT_CERT, + "IEEE_8021X_CLIENT_CERT", + TAG_CLIENT_CERT_PATH, + TAG_CLIENT_CERT_HASH, + "client-cert.der" +}; + +static const ObjectType pk_type = { + NM_SETTING_802_1X_PRIVATE_KEY, + "IEEE_8021X_PRIVATE_KEY", + TAG_PRIVATE_KEY_PATH, + TAG_PRIVATE_KEY_HASH, + "private-key.pem" +}; + +static const ObjectType p12_type = { + NM_SETTING_802_1X_PRIVATE_KEY, + "IEEE_8021X_PRIVATE_KEY", + TAG_PRIVATE_KEY_PATH, + TAG_PRIVATE_KEY_HASH, + "private-key.p12" +}; + static gboolean -write_cert (NMSetting8021x *s_8021x, - shvarFile *ifcfg, - const char *setting_key, - const char *ifcfg_key, - const char *path_tag, - const char *hash_tag, - const char *prefix, - gboolean is_pkcs12, - gboolean *wrote, - GError **error) +write_object (NMSetting8021x *s_8021x, + shvarFile *ifcfg, + const GByteArray *object, + const ObjectType *objtype, + gboolean *wrote, + GError **error) { const char *orig_hash, *orig_file; char *new_hash = NULL, *new_file = NULL; - const GByteArray *cert = NULL; gboolean success = FALSE; GError *write_error = NULL; + g_return_val_if_fail (objtype != NULL, FALSE); + g_return_val_if_fail (ifcfg != NULL, FALSE); + g_return_val_if_fail (wrote != NULL, FALSE); + *wrote = FALSE; - g_object_get (G_OBJECT (s_8021x), setting_key, &cert, NULL); - if (!cert) { - svSetValue (ifcfg, ifcfg_key, NULL, FALSE); + if (!object) { + svSetValue (ifcfg, objtype->ifcfg_key, NULL, FALSE); return TRUE; } - new_hash = utils_hash_byte_array (cert); + new_hash = utils_hash_byte_array (object); if (!new_hash) { g_set_error (error, ifcfg_plugin_error_quark (), 0, - "Could not hash certificate data for %s / %s", - NM_SETTING_802_1X_SETTING_NAME, setting_key); + "Could not hash certificate/key data for %s / %s", + NM_SETTING_802_1X_SETTING_NAME, objtype->setting_key); return FALSE; } - orig_hash = g_object_get_data (G_OBJECT (s_8021x), TAG_CA_CERT_HASH); - orig_file = g_object_get_data (G_OBJECT (s_8021x), TAG_CA_CERT_PATH); + orig_hash = g_object_get_data (G_OBJECT (s_8021x), objtype->hash_tag); + orig_file = g_object_get_data (G_OBJECT (s_8021x), objtype->path_tag); if (!orig_hash || !orig_file || strcmp (new_hash, orig_hash)) { /* if the cert data has changed, or there wasn't a cert * originally, write data out to the standard file. */ - new_file = utils_cert_path (ifcfg->fileName, prefix, is_pkcs12 ? "p12" : "der"); + new_file = utils_cert_path (ifcfg->fileName, objtype->suffix); if (!new_file) { g_set_error (error, ifcfg_plugin_error_quark (), 0, "Could not create file path for %s / %s", - NM_SETTING_802_1X_SETTING_NAME, setting_key); + NM_SETTING_802_1X_SETTING_NAME, objtype->setting_key); goto out; } - if (!write_secret_file (new_file, (const char *) cert->data, cert->len, &write_error)) { + if (!write_secret_file (new_file, (const char *) object->data, object->len, &write_error)) { g_set_error (error, ifcfg_plugin_error_quark (), 0, - "Could not write certificate for %s / %s: %s", - NM_SETTING_802_1X_SETTING_NAME, setting_key, + "Could not write certificate/key for %s / %s: %s", + NM_SETTING_802_1X_SETTING_NAME, objtype->setting_key, (write_error && write_error->message) ? write_error->message : "(unknown)"); g_clear_error (&write_error); goto out; } *wrote = TRUE; - svSetValue (ifcfg, ifcfg_key, new_file, FALSE); - g_object_set_data_full (G_OBJECT (s_8021x), path_tag, new_file, g_free); + svSetValue (ifcfg, objtype->ifcfg_key, new_file, FALSE); + g_object_set_data_full (G_OBJECT (s_8021x), objtype->path_tag, new_file, g_free); new_file = NULL; /* g_object_set_data_full() took ownership */ - g_object_set_data_full (G_OBJECT (s_8021x), hash_tag, new_hash, g_free); + g_object_set_data_full (G_OBJECT (s_8021x), objtype->hash_tag, new_hash, g_free); new_hash = NULL; /* g_object_set_data_full() took ownership */ } else { /* cert data hasn't changed */ - svSetValue (ifcfg, ifcfg_key, orig_file, FALSE); + svSetValue (ifcfg, objtype->ifcfg_key, orig_file, FALSE); } success = TRUE; @@ -230,6 +269,10 @@ write_8021x_setting (NMConnection *connection, char *tmp = NULL; gboolean success = FALSE, is_pkcs12 = FALSE, wrote; GString *phase2_auth; + const GByteArray *data; + GByteArray *enc_key = NULL; + const char *password = NULL; + char *generated_pw = NULL; s_8021x = (NMSetting8021x *) nm_connection_get_setting (connection, NM_TYPE_SETTING_802_1X); if (!s_8021x) { @@ -295,19 +338,16 @@ write_8021x_setting (NMConnection *connection, g_free (tmp); } - if (phase2_auth->len) - svSetValue (ifcfg, "IEEE_8021X_INNER_AUTH_METHODS", phase2_auth->str, FALSE); + svSetValue (ifcfg, "IEEE_8021X_INNER_AUTH_METHODS", + phase2_auth->len ? phase2_auth->str : NULL, + FALSE); + g_string_free (phase2_auth, TRUE); - + /* CA certificate */ - if (!write_cert (s_8021x, ifcfg, - NM_SETTING_802_1X_CA_CERT, - "IEEE_8021X_CA_CERT", - TAG_CA_CERT_PATH, - TAG_CA_CERT_HASH, - "ca-cert", - FALSE, &wrote, - error)) + data = NULL; + g_object_get (G_OBJECT (s_8021x), NM_SETTING_802_1X_CA_CERT, &data, NULL); + if (!write_object (s_8021x, ifcfg, data, &ca_type, &wrote, error)) goto out; /* Private key */ @@ -315,40 +355,64 @@ write_8021x_setting (NMConnection *connection, if (nm_setting_802_1x_get_private_key_type (s_8021x) == NM_SETTING_802_1X_CK_TYPE_PKCS12) is_pkcs12 = TRUE; } - if (!write_cert (s_8021x, ifcfg, - NM_SETTING_802_1X_PRIVATE_KEY, - "IEEE_8021X_PRIVATE_KEY", - TAG_PRIVATE_KEY_PATH, - TAG_PRIVATE_KEY_HASH, - "private-key", - is_pkcs12, &wrote, - error)) + + data = NULL; + g_object_get (G_OBJECT (s_8021x), NM_SETTING_802_1X_PRIVATE_KEY, &data, NULL); + + password = nm_setting_802_1x_get_private_key_password (s_8021x); + if (data && !is_pkcs12) { + GByteArray *array; + + if (!password) { + /* Create a random private key */ + array = crypto_random (32, error); + if (!array) + goto out; + + password = generated_pw = utils_bin2hexstr ((const char *) array->data, array->len, -1); + memset (array->data, 0, array->len); + g_byte_array_free (array, TRUE); + } + + /* Re-encrypt the private key if it's not PKCS#12 (which never decrypted by NM) */ + enc_key = crypto_key_to_pem (data, password, error); + if (!enc_key) + goto out; + } + + if (!write_object (s_8021x, + ifcfg, + enc_key ? enc_key : data, + is_pkcs12 ? &p12_type : &pk_type, + &wrote, + error)) goto out; - if (is_pkcs12) { - svSetValue (ifcfg, "IEEE_8021X_PRIVATE_KEY_PASSWORD", - nm_setting_802_1x_get_private_key_password (s_8021x), FALSE); - } else { - /* Clear the private key password for non-pkcs12 private keys that - * we just wrote out, since it will be unencrypted. - */ - if (wrote) - svSetValue (ifcfg, "IEEE_8021X_PRIVATE_KEY_PASSWORD", NULL, FALSE); + /* Private key password */ + set_secret (ifcfg, "IEEE_8021X_PRIVATE_KEY_PASSWORD", password); - /* Client certificate */ - if (!write_cert (s_8021x, ifcfg, - NM_SETTING_802_1X_CA_CERT, - "IEEE_8021X_CA_CERT", - TAG_CA_CERT_PATH, - TAG_CA_CERT_HASH, - "ca-cert", - FALSE, &wrote, - error)) + if (enc_key) { + memset (enc_key->data, 0, enc_key->len); + g_byte_array_free (enc_key, TRUE); + } + + /* Client certificate */ + if (is_pkcs12) + svSetValue (ifcfg, "IEEE_8021X_CLIENT_CERT", NULL, FALSE); + else { + data = NULL; + g_object_get (G_OBJECT (s_8021x), NM_SETTING_802_1X_CLIENT_CERT, &data, NULL); + if (!write_object (s_8021x, ifcfg, data, &client_type, &wrote, error)) goto out; } success = TRUE; out: + if (generated_pw) { + memset (generated_pw, 0, strlen (generated_pw)); + g_free (generated_pw); + } + return success; }