libnm/802-1x: simplify verify_tls() for phase1 and phase2
The checks are duplicated and verbose. Combine them.
@@ -2618,132 +2618,66 @@ static gboolean
|
|||||||
verify_tls(NMSetting8021x *self, gboolean phase2, GError **error)
|
verify_tls(NMSetting8021x *self, gboolean phase2, GError **error)
|
||||||
{
|
{
|
||||||
NMSetting8021xPrivate *priv = NM_SETTING_802_1X_GET_PRIVATE(self);
|
NMSetting8021xPrivate *priv = NM_SETTING_802_1X_GET_PRIVATE(self);
|
||||||
|
GBytes *client_cert;
|
||||||
|
GBytes *private_key;
|
||||||
|
const char *prop_client_cert;
|
||||||
|
const char *prop_private_key;
|
||||||
|
|
||||||
if (phase2) {
|
client_cert = phase2 ? priv->phase2_client_cert : priv->client_cert;
|
||||||
if (!priv->phase2_client_cert) {
|
private_key = phase2 ? priv->phase2_private_key : priv->private_key;
|
||||||
g_set_error_literal(error,
|
prop_client_cert =
|
||||||
NM_CONNECTION_ERROR,
|
phase2 ? NM_SETTING_802_1X_PHASE2_CLIENT_CERT : NM_SETTING_802_1X_CLIENT_CERT;
|
||||||
NM_CONNECTION_ERROR_MISSING_PROPERTY,
|
prop_private_key =
|
||||||
_("property is missing"));
|
phase2 ? NM_SETTING_802_1X_PHASE2_PRIVATE_KEY : NM_SETTING_802_1X_PRIVATE_KEY;
|
||||||
g_prefix_error(error,
|
|
||||||
"%s.%s: ",
|
|
||||||
NM_SETTING_802_1X_SETTING_NAME,
|
|
||||||
NM_SETTING_802_1X_PHASE2_CLIENT_CERT);
|
|
||||||
return FALSE;
|
|
||||||
} else if (!g_bytes_get_size(priv->phase2_client_cert)) {
|
|
||||||
g_set_error_literal(error,
|
|
||||||
NM_CONNECTION_ERROR,
|
|
||||||
NM_CONNECTION_ERROR_INVALID_PROPERTY,
|
|
||||||
_("property is empty"));
|
|
||||||
g_prefix_error(error,
|
|
||||||
"%s.%s: ",
|
|
||||||
NM_SETTING_802_1X_SETTING_NAME,
|
|
||||||
NM_SETTING_802_1X_PHASE2_CLIENT_CERT);
|
|
||||||
return FALSE;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Private key is required for TLS */
|
if (!client_cert) {
|
||||||
if (!priv->phase2_private_key) {
|
g_set_error_literal(error,
|
||||||
g_set_error_literal(error,
|
NM_CONNECTION_ERROR,
|
||||||
NM_CONNECTION_ERROR,
|
NM_CONNECTION_ERROR_MISSING_PROPERTY,
|
||||||
NM_CONNECTION_ERROR_MISSING_PROPERTY,
|
_("property is missing"));
|
||||||
_("property is missing"));
|
g_prefix_error(error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, prop_client_cert);
|
||||||
g_prefix_error(error,
|
return FALSE;
|
||||||
"%s.%s: ",
|
}
|
||||||
NM_SETTING_802_1X_SETTING_NAME,
|
if (g_bytes_get_size(client_cert) == 0) {
|
||||||
NM_SETTING_802_1X_PHASE2_PRIVATE_KEY);
|
g_set_error_literal(error,
|
||||||
return FALSE;
|
|
||||||
} else if (!g_bytes_get_size(priv->phase2_private_key)) {
|
|
||||||
g_set_error_literal(error,
|
|
||||||
NM_CONNECTION_ERROR,
|
|
||||||
NM_CONNECTION_ERROR_INVALID_PROPERTY,
|
|
||||||
_("property is empty"));
|
|
||||||
g_prefix_error(error,
|
|
||||||
"%s.%s: ",
|
|
||||||
NM_SETTING_802_1X_SETTING_NAME,
|
|
||||||
NM_SETTING_802_1X_PHASE2_PRIVATE_KEY);
|
|
||||||
return FALSE;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* If the private key is PKCS#12, check that it matches the client cert */
|
|
||||||
if (nm_crypto_is_pkcs12_data(g_bytes_get_data(priv->phase2_private_key, NULL),
|
|
||||||
g_bytes_get_size(priv->phase2_private_key),
|
|
||||||
NULL)) {
|
|
||||||
if (!g_bytes_equal(priv->phase2_private_key, priv->phase2_client_cert)) {
|
|
||||||
g_set_error(error,
|
|
||||||
NM_CONNECTION_ERROR,
|
NM_CONNECTION_ERROR,
|
||||||
NM_CONNECTION_ERROR_INVALID_PROPERTY,
|
NM_CONNECTION_ERROR_INVALID_PROPERTY,
|
||||||
_("has to match '%s' property for PKCS#12"),
|
_("property is empty"));
|
||||||
NM_SETTING_802_1X_PHASE2_PRIVATE_KEY);
|
g_prefix_error(error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, prop_client_cert);
|
||||||
g_prefix_error(error,
|
return FALSE;
|
||||||
"%s.%s: ",
|
}
|
||||||
NM_SETTING_802_1X_SETTING_NAME,
|
|
||||||
NM_SETTING_802_1X_PHASE2_CLIENT_CERT);
|
|
||||||
return FALSE;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
if (!priv->client_cert) {
|
|
||||||
g_set_error_literal(error,
|
|
||||||
NM_CONNECTION_ERROR,
|
|
||||||
NM_CONNECTION_ERROR_MISSING_PROPERTY,
|
|
||||||
_("property is missing"));
|
|
||||||
g_prefix_error(error,
|
|
||||||
"%s.%s: ",
|
|
||||||
NM_SETTING_802_1X_SETTING_NAME,
|
|
||||||
NM_SETTING_802_1X_CLIENT_CERT);
|
|
||||||
return FALSE;
|
|
||||||
} else if (!g_bytes_get_size(priv->client_cert)) {
|
|
||||||
g_set_error_literal(error,
|
|
||||||
NM_CONNECTION_ERROR,
|
|
||||||
NM_CONNECTION_ERROR_INVALID_PROPERTY,
|
|
||||||
_("property is empty"));
|
|
||||||
g_prefix_error(error,
|
|
||||||
"%s.%s: ",
|
|
||||||
NM_SETTING_802_1X_SETTING_NAME,
|
|
||||||
NM_SETTING_802_1X_CLIENT_CERT);
|
|
||||||
return FALSE;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Private key is required for TLS */
|
/* Private key is required for TLS */
|
||||||
if (!priv->private_key) {
|
if (!private_key) {
|
||||||
g_set_error_literal(error,
|
g_set_error_literal(error,
|
||||||
NM_CONNECTION_ERROR,
|
NM_CONNECTION_ERROR,
|
||||||
NM_CONNECTION_ERROR_MISSING_PROPERTY,
|
NM_CONNECTION_ERROR_MISSING_PROPERTY,
|
||||||
_("property is missing"));
|
_("property is missing"));
|
||||||
g_prefix_error(error,
|
g_prefix_error(error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, prop_private_key);
|
||||||
"%s.%s: ",
|
return FALSE;
|
||||||
NM_SETTING_802_1X_SETTING_NAME,
|
}
|
||||||
NM_SETTING_802_1X_PRIVATE_KEY);
|
|
||||||
return FALSE;
|
|
||||||
} else if (!g_bytes_get_size(priv->private_key)) {
|
|
||||||
g_set_error_literal(error,
|
|
||||||
NM_CONNECTION_ERROR,
|
|
||||||
NM_CONNECTION_ERROR_INVALID_PROPERTY,
|
|
||||||
_("property is empty"));
|
|
||||||
g_prefix_error(error,
|
|
||||||
"%s.%s: ",
|
|
||||||
NM_SETTING_802_1X_SETTING_NAME,
|
|
||||||
NM_SETTING_802_1X_PRIVATE_KEY);
|
|
||||||
return FALSE;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* If the private key is PKCS#12, check that it matches the client cert */
|
if (g_bytes_get_size(private_key) == 0) {
|
||||||
if (nm_crypto_is_pkcs12_data(g_bytes_get_data(priv->private_key, NULL),
|
g_set_error_literal(error,
|
||||||
g_bytes_get_size(priv->private_key),
|
|
||||||
NULL)) {
|
|
||||||
if (!g_bytes_equal(priv->private_key, priv->client_cert)) {
|
|
||||||
g_set_error(error,
|
|
||||||
NM_CONNECTION_ERROR,
|
NM_CONNECTION_ERROR,
|
||||||
NM_CONNECTION_ERROR_INVALID_PROPERTY,
|
NM_CONNECTION_ERROR_INVALID_PROPERTY,
|
||||||
_("has to match '%s' property for PKCS#12"),
|
_("property is empty"));
|
||||||
NM_SETTING_802_1X_PRIVATE_KEY);
|
g_prefix_error(error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, prop_private_key);
|
||||||
g_prefix_error(error,
|
return FALSE;
|
||||||
"%s.%s: ",
|
}
|
||||||
NM_SETTING_802_1X_SETTING_NAME,
|
|
||||||
NM_SETTING_802_1X_CLIENT_CERT);
|
/* If the private key is PKCS#12, check that it matches the client cert */
|
||||||
return FALSE;
|
if (nm_crypto_is_pkcs12_data(g_bytes_get_data(private_key, NULL),
|
||||||
}
|
g_bytes_get_size(private_key),
|
||||||
|
NULL)) {
|
||||||
|
if (!g_bytes_equal(private_key, client_cert)) {
|
||||||
|
g_set_error(error,
|
||||||
|
NM_CONNECTION_ERROR,
|
||||||
|
NM_CONNECTION_ERROR_INVALID_PROPERTY,
|
||||||
|
_("has to match '%s' property for PKCS#12"),
|
||||||
|
prop_private_key);
|
||||||
|
g_prefix_error(error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, prop_client_cert);
|
||||||
|
return FALSE;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
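Review bot: The new side still repeats the `g_set_error_literal` + `g_prefix_error` + `return FALSE` sequence four times (the `!client_cert`, `g_bytes_get_size(client_cert) == 0`, `!private_key` and `g_bytes_get_size(private_key) == 0` branches), so the deduplication the commit sets out to do is only half finished. A small static helper taking the error code, message and property name collapses each branch to one call; the PKCS#12 mismatch keeps its own `g_set_error` because its message is a format string. Separately, `nm_crypto_is_pkcs12_data(..., NULL)` discards the parse error, so a blob that cannot be parsed is treated as "not PKCS#12" and silently skips the key/cert consistency check; presumably the key material is validated again when it is actually loaded, but a short comment naming where that happens would make the intent explicit. The function body continues past the hunk; its success return is not visible here.
```c
/* Report a failed per-property check as "<setting>.<prop>: <msg>" and return FALSE. */
static gboolean
_verify_tls_fail(GError **error, gint code, const char *msg, const char *prop)
{
    g_set_error_literal(error, NM_CONNECTION_ERROR, code, msg);
    g_prefix_error(error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, prop);
    return FALSE;
}

    /* … unchanged: selection of client_cert/private_key/prop_* by phase2 … */

    if (!client_cert) {
        return _verify_tls_fail(error, NM_CONNECTION_ERROR_MISSING_PROPERTY, _("property is missing"), prop_client_cert);
    }
    if (g_bytes_get_size(client_cert) == 0) {
        return _verify_tls_fail(error, NM_CONNECTION_ERROR_INVALID_PROPERTY, _("property is empty"), prop_client_cert);
    }

    /* Private key is required for TLS */
    if (!private_key) {
        return _verify_tls_fail(error, NM_CONNECTION_ERROR_MISSING_PROPERTY, _("property is missing"), prop_private_key);
    }
    if (g_bytes_get_size(private_key) == 0) {
        return _verify_tls_fail(error, NM_CONNECTION_ERROR_INVALID_PROPERTY, _("property is empty"), prop_private_key);
    }

    /* … unchanged: PKCS#12 match check with its formatted g_set_error … */
```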