colin/NetworkManager
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

libnm-util: allow certificate/key paths

Browse Source 
Overload the certificate and key properties to allow paths to the
certificates and keys using a special prefix for the property data.
Add API to libnm-util for easy certificate path handling, and
documentation for NMSetting8021x.
This commit is contained in:
Dan Williams
2009-09-04 09:07:00 -05:00
parent cecf8f64c7
commit e5ed391f28
13 changed files with 2073 additions and 644 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
libnm-util/crypto.c
View File

@@ -619,14 +619,14 @@ crypto_is_pkcs12_data (const GByteArray *data)
} }
gboolean gboolean
crypto_is_pkcs12_file (const char *file) crypto_is_pkcs12_file (const char *file, GError **error)
{ {
GByteArray *contents; GByteArray *contents;
gboolean success = FALSE; gboolean success = FALSE;
g_return_val_if_fail (file != NULL, FALSE); g_return_val_if_fail (file != NULL, FALSE);
contents = file_to_g_byte_array (file, TRUE, NULL); contents = file_to_g_byte_array (file, TRUE, error);
if (contents) { if (contents) {
success = crypto_is_pkcs12_data (contents); success = crypto_is_pkcs12_data (contents);
g_byte_array_free (contents, TRUE); g_byte_array_free (contents, TRUE);

2
libnm-util/crypto.h
View File

@@ -83,7 +83,7 @@ GByteArray * crypto_load_and_verify_certificate (const char *file,
NMCryptoFileFormat *out_file_format, NMCryptoFileFormat *out_file_format,
GError **error); GError **error);
gboolean crypto_is_pkcs12_file (const char *file); gboolean crypto_is_pkcs12_file (const char *file, GError **error);
gboolean crypto_is_pkcs12_data (const GByteArray *data); gboolean crypto_is_pkcs12_data (const GByteArray *data);

40
libnm-util/libnm-util.ver
View File

@@ -31,11 +31,15 @@ global:
nm_setting_802_1x_error_get_type; nm_setting_802_1x_error_get_type;
nm_setting_802_1x_error_quark; nm_setting_802_1x_error_quark;
nm_setting_802_1x_get_anonymous_identity; nm_setting_802_1x_get_anonymous_identity;
nm_setting_802_1x_get_ca_cert; nm_setting_802_1x_get_ca_cert_scheme;
nm_setting_802_1x_set_ca_cert_from_file; nm_setting_802_1x_get_ca_cert_blob;
nm_setting_802_1x_get_ca_cert_path;
nm_setting_802_1x_set_ca_cert;
nm_setting_802_1x_get_ca_path; nm_setting_802_1x_get_ca_path;
nm_setting_802_1x_get_client_cert; nm_setting_802_1x_get_client_cert_scheme;
nm_setting_802_1x_set_client_cert_from_file; nm_setting_802_1x_get_client_cert_blob;
nm_setting_802_1x_get_client_cert_path;
nm_setting_802_1x_set_client_cert;
nm_setting_802_1x_get_eap_method; nm_setting_802_1x_get_eap_method;
nm_setting_802_1x_get_identity; nm_setting_802_1x_get_identity;
nm_setting_802_1x_get_num_eap_methods; nm_setting_802_1x_get_num_eap_methods;
@@ -45,20 +49,28 @@ global:
nm_setting_802_1x_get_phase1_peapver; nm_setting_802_1x_get_phase1_peapver;
nm_setting_802_1x_get_phase2_auth; nm_setting_802_1x_get_phase2_auth;
nm_setting_802_1x_get_phase2_autheap; nm_setting_802_1x_get_phase2_autheap;
nm_setting_802_1x_get_phase2_ca_cert; nm_setting_802_1x_get_phase2_ca_cert_scheme;
nm_setting_802_1x_set_phase2_ca_cert_from_file; nm_setting_802_1x_get_phase2_ca_cert_blob;
nm_setting_802_1x_get_phase2_ca_cert_path;
nm_setting_802_1x_set_phase2_ca_cert;
nm_setting_802_1x_get_phase2_ca_path; nm_setting_802_1x_get_phase2_ca_path;
nm_setting_802_1x_get_phase2_client_cert; nm_setting_802_1x_get_phase2_client_cert_scheme;
nm_setting_802_1x_set_phase2_client_cert_from_file; nm_setting_802_1x_get_phase2_client_cert_blob;
nm_setting_802_1x_get_phase2_private_key; nm_setting_802_1x_get_phase2_client_cert_path;
nm_setting_802_1x_set_phase2_private_key_from_file; nm_setting_802_1x_set_phase2_client_cert;
nm_setting_802_1x_get_phase2_private_key_blob;
nm_setting_802_1x_get_phase2_private_key_format;
nm_setting_802_1x_get_phase2_private_key_password; nm_setting_802_1x_get_phase2_private_key_password;
nm_setting_802_1x_get_phase2_private_key_type; nm_setting_802_1x_get_phase2_private_key_path;
nm_setting_802_1x_get_phase2_private_key_scheme;
nm_setting_802_1x_set_phase2_private_key;
nm_setting_802_1x_get_pin; nm_setting_802_1x_get_pin;
nm_setting_802_1x_get_private_key; nm_setting_802_1x_get_private_key_blob;
nm_setting_802_1x_set_private_key_from_file; nm_setting_802_1x_get_private_key_format;
nm_setting_802_1x_get_private_key_password; nm_setting_802_1x_get_private_key_password;
nm_setting_802_1x_get_private_key_type; nm_setting_802_1x_get_private_key_path;
nm_setting_802_1x_get_private_key_scheme;
nm_setting_802_1x_set_private_key;
nm_setting_802_1x_get_psk; nm_setting_802_1x_get_psk;
nm_setting_802_1x_get_system_ca_certs; nm_setting_802_1x_get_system_ca_certs;
nm_setting_802_1x_get_type; nm_setting_802_1x_get_type;

1747
libnm-util/nm-setting-8021x.c
View File

File diff suppressed because it is too large Load Diff

149
libnm-util/nm-setting-8021x.h
View File

@@ -19,7 +19,7 @@
* Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
* Boston, MA 02110-1301 USA. * Boston, MA 02110-1301 USA.
* *
* (C) Copyright 2007 - 2008 Red Hat, Inc. * (C) Copyright 2007 - 2009 Red Hat, Inc.
* (C) Copyright 2007 - 2008 Novell, Inc. * (C) Copyright 2007 - 2008 Novell, Inc.
*/ */
@@ -31,11 +31,17 @@
G_BEGIN_DECLS G_BEGIN_DECLS
typedef enum { typedef enum {
NM_SETTING_802_1X_CK_TYPE_UNKNOWN = 0, NM_SETTING_802_1X_CK_FORMAT_UNKNOWN = 0,
NM_SETTING_802_1X_CK_TYPE_X509, NM_SETTING_802_1X_CK_FORMAT_X509,
NM_SETTING_802_1X_CK_TYPE_RAW_KEY, NM_SETTING_802_1X_CK_FORMAT_RAW_KEY,
NM_SETTING_802_1X_CK_TYPE_PKCS12 NM_SETTING_802_1X_CK_FORMAT_PKCS12
} NMSetting8021xCKType; } NMSetting8021xCKFormat;
typedef enum {
NM_SETTING_802_1X_CK_SCHEME_UNKNOWN = 0,
NM_SETTING_802_1X_CK_SCHEME_BLOB,
NM_SETTING_802_1X_CK_SCHEME_PATH
} NMSetting8021xCKScheme;
#define NM_TYPE_SETTING_802_1X (nm_setting_802_1x_get_type ()) #define NM_TYPE_SETTING_802_1X (nm_setting_802_1x_get_type ())
#define NM_SETTING_802_1X(obj) (G_TYPE_CHECK_INSTANCE_CAST ((obj), NM_TYPE_SETTING_802_1X, NMSetting8021x)) #define NM_SETTING_802_1X(obj) (G_TYPE_CHECK_INSTANCE_CAST ((obj), NM_TYPE_SETTING_802_1X, NMSetting8021x))
@@ -83,6 +89,30 @@ GQuark nm_setting_802_1x_error_quark (void);
#define NM_SETTING_802_1X_PSK "psk" #define NM_SETTING_802_1X_PSK "psk"
#define NM_SETTING_802_1X_SYSTEM_CA_CERTS "system-ca-certs" #define NM_SETTING_802_1X_SYSTEM_CA_CERTS "system-ca-certs"
/* PRIVATE KEY NOTE: when setting PKCS#12 private keys directly via properties
* using the "blob" scheme, the data must be passed in PKCS#12 format. In this
* case, the private key password must also be passed to NetworkManager, and the
* appropriate "client-cert" (or "phase2-client-cert") property of the
* NMSetting8021x object must also contain the exact same PKCS#12 data that the
* private key will when NetworkManager requests secrets. This is because the
* PKCS#12 file contains both the private key and client certificate, so both
* properties need to be set to the same thing. When using the "path" scheme,
* just set both the private-key and client-cert properties to the same path,
* and set the private-key password correctly.
*
* When setting OpenSSL-derived "traditional" format (ie S/MIME style, not
* PKCS#8) RSA and DSA keys directly via properties with the "blob" scheme, they
* must passed to NetworkManager completely decrypted because the OpenSSL
* "traditional" format is non-standard and is not complete enough for all
* crypto libraries to use. Thus, for OpenSSL "traditional" format keys, the
* private key password is not passed to NetworkManager (because the data is
* already decrypted by the client), and the appropriate "client-cert" (or
* "phase2-client-cert") property of the NMSetting8021x object must be a valid
* client certificate. When using the "path" scheme, just set the private-key
* and client-cert properties to the paths to their respective objects, and
* set the private-key password correctly.
*/
typedef struct { typedef struct {
NMSetting parent; NMSetting parent;
} NMSetting8021x; } NMSetting8021x;
@@ -105,18 +135,27 @@ const char * nm_setting_802_1x_get_identity (NMSetting8
const char * nm_setting_802_1x_get_anonymous_identity (NMSetting8021x *setting); const char * nm_setting_802_1x_get_anonymous_identity (NMSetting8021x *setting);
const GByteArray *nm_setting_802_1x_get_ca_cert (NMSetting8021x *setting); gboolean nm_setting_802_1x_get_system_ca_certs (NMSetting8021x *setting);
const char * nm_setting_802_1x_get_ca_path (NMSetting8021x *setting); const char * nm_setting_802_1x_get_ca_path (NMSetting8021x *setting);
gboolean nm_setting_802_1x_set_ca_cert_from_file (NMSetting8021x *setting, const char * nm_setting_802_1x_get_phase2_ca_path (NMSetting8021x *setting);
const char *filename,
NMSetting8021xCKType *out_ck_type,
GError **err);
const GByteArray *nm_setting_802_1x_get_client_cert (NMSetting8021x *setting); NMSetting8021xCKScheme nm_setting_802_1x_get_ca_cert_scheme (NMSetting8021x *setting);
gboolean nm_setting_802_1x_set_client_cert_from_file (NMSetting8021x *setting, const GByteArray * nm_setting_802_1x_get_ca_cert_blob (NMSetting8021x *setting);
const char * nm_setting_802_1x_get_ca_cert_path (NMSetting8021x *setting);
gboolean nm_setting_802_1x_set_ca_cert (NMSetting8021x *setting,
const char *filename, const char *filename,
NMSetting8021xCKType *out_ck_type, NMSetting8021xCKScheme scheme,
GError **err); NMSetting8021xCKFormat *out_format,
GError **error);
NMSetting8021xCKScheme nm_setting_802_1x_get_client_cert_scheme (NMSetting8021x *setting);
const GByteArray * nm_setting_802_1x_get_client_cert_blob (NMSetting8021x *setting);
const char * nm_setting_802_1x_get_client_cert_path (NMSetting8021x *setting);
gboolean nm_setting_802_1x_set_client_cert (NMSetting8021x *setting,
const char *filename,
NMSetting8021xCKScheme scheme,
NMSetting8021xCKFormat *out_format,
GError **error);
const char * nm_setting_802_1x_get_phase1_peapver (NMSetting8021x *setting); const char * nm_setting_802_1x_get_phase1_peapver (NMSetting8021x *setting);
@@ -128,19 +167,23 @@ const char * nm_setting_802_1x_get_phase2_auth (NMSetting8
const char * nm_setting_802_1x_get_phase2_autheap (NMSetting8021x *setting); const char * nm_setting_802_1x_get_phase2_autheap (NMSetting8021x *setting);
const GByteArray *nm_setting_802_1x_get_phase2_ca_cert (NMSetting8021x *setting); NMSetting8021xCKScheme nm_setting_802_1x_get_phase2_ca_cert_scheme (NMSetting8021x *setting);
const char * nm_setting_802_1x_get_phase2_ca_path (NMSetting8021x *setting); const GByteArray * nm_setting_802_1x_get_phase2_ca_cert_blob (NMSetting8021x *setting);
gboolean nm_setting_802_1x_set_phase2_ca_cert_from_file (NMSetting8021x *setting, const char * nm_setting_802_1x_get_phase2_ca_cert_path (NMSetting8021x *setting);
gboolean nm_setting_802_1x_set_phase2_ca_cert (NMSetting8021x *setting,
const char *filename, const char *filename,
NMSetting8021xCKType *out_ck_type, NMSetting8021xCKScheme scheme,
GError **err); NMSetting8021xCKFormat *out_format,
gboolean nm_setting_802_1x_get_system_ca_certs (NMSetting8021x *setting); GError **error);
const GByteArray *nm_setting_802_1x_get_phase2_client_cert (NMSetting8021x *setting); NMSetting8021xCKScheme nm_setting_802_1x_get_phase2_client_cert_scheme (NMSetting8021x *setting);
gboolean nm_setting_802_1x_set_phase2_client_cert_from_file (NMSetting8021x *setting, const GByteArray * nm_setting_802_1x_get_phase2_client_cert_blob (NMSetting8021x *setting);
const char *filename, const char * nm_setting_802_1x_get_phase2_client_cert_path (NMSetting8021x *setting);
NMSetting8021xCKType *out_ck_type, gboolean nm_setting_802_1x_set_phase2_client_cert (NMSetting8021x *setting,
GError **err); const char *filename,
NMSetting8021xCKScheme scheme,
NMSetting8021xCKFormat *out_format,
GError **error);
const char * nm_setting_802_1x_get_password (NMSetting8021x *setting); const char * nm_setting_802_1x_get_password (NMSetting8021x *setting);
@@ -148,39 +191,31 @@ const char * nm_setting_802_1x_get_pin (NMSetting8
const char * nm_setting_802_1x_get_psk (NMSetting8021x *setting); const char * nm_setting_802_1x_get_psk (NMSetting8021x *setting);
/* PRIVATE KEY NOTE: when PKCS#12 private keys are used, the PKCS#12 data must NMSetting8021xCKScheme nm_setting_802_1x_get_private_key_scheme (NMSetting8021x *setting);
* be passed to NetworkManager as PKCS#12 (ie, shrouded). In this case, the const GByteArray * nm_setting_802_1x_get_private_key_blob (NMSetting8021x *setting);
* private key password must also be passed to NetworkManager, and the const char * nm_setting_802_1x_get_private_key_path (NMSetting8021x *setting);
* appropriate "client-cert" (or "phase2-client-cert") property of the gboolean nm_setting_802_1x_set_private_key (NMSetting8021x *setting,
* NMSetting8021x object must also contain the exact same PKCS#12 data that the const char *filename,
* private key will when NetworkManager requests secrets. const char *password,
* NMSetting8021xCKScheme scheme,
* When OpenSSL-derived "traditional" format (ie S/MIME style, not PKCS#8) RSA NMSetting8021xCKFormat *out_format,
* and DSA keys are used, they must passed to NetworkManager completely GError **error);
* decrypted because the OpenSSL "traditional" format is non-standard and is not const char * nm_setting_802_1x_get_private_key_password (NMSetting8021x *setting);
* complete enough for all crypto libraries to use. Thus, for OpenSSL
* "traditional" format keys, the private key password is not passed to
* NetworkManager, and the appropriate "client-cert" (or "phase2-client-cert")
* property of the NMSetting8021x object must be a valid client certificate.
*/
const GByteArray *nm_setting_802_1x_get_private_key (NMSetting8021x *setting); NMSetting8021xCKFormat nm_setting_802_1x_get_private_key_format (NMSetting8021x *setting);
const char * nm_setting_802_1x_get_private_key_password (NMSetting8021x *setting);
gboolean nm_setting_802_1x_set_private_key_from_file (NMSetting8021x *setting,
const char *filename,
const char *password,
NMSetting8021xCKType *out_ck_type,
GError **err);
NMSetting8021xCKType nm_setting_802_1x_get_private_key_type (NMSetting8021x *setting);
const GByteArray *nm_setting_802_1x_get_phase2_private_key (NMSetting8021x *setting); NMSetting8021xCKScheme nm_setting_802_1x_get_phase2_private_key_scheme (NMSetting8021x *setting);
const char * nm_setting_802_1x_get_phase2_private_key_password (NMSetting8021x *setting); const GByteArray * nm_setting_802_1x_get_phase2_private_key_blob (NMSetting8021x *setting);
gboolean nm_setting_802_1x_set_phase2_private_key_from_file (NMSetting8021x *setting, const char * nm_setting_802_1x_get_phase2_private_key_path (NMSetting8021x *setting);
const char *filename, gboolean nm_setting_802_1x_set_phase2_private_key (NMSetting8021x *setting,
const char *password, const char *filename,
NMSetting8021xCKType *out_ck_type, const char *password,
GError **err); NMSetting8021xCKScheme scheme,
NMSetting8021xCKType nm_setting_802_1x_get_phase2_private_key_type (NMSetting8021x *setting); NMSetting8021xCKFormat *out_format,
GError **error);
const char * nm_setting_802_1x_get_phase2_private_key_password (NMSetting8021x *setting);
NMSetting8021xCKFormat nm_setting_802_1x_get_phase2_private_key_format (NMSetting8021x *setting);
G_END_DECLS G_END_DECLS

2
libnm-util/tests/test-crypto.c
View File

@@ -205,7 +205,7 @@ test_is_pkcs12 (const char *path, gboolean expect_fail, const char *desc)
{ {
gboolean is_pkcs12; gboolean is_pkcs12;
is_pkcs12 = crypto_is_pkcs12_file (path); is_pkcs12 = crypto_is_pkcs12_file (path, NULL);
if (expect_fail) { if (expect_fail) {
ASSERT (is_pkcs12 == FALSE, desc, ASSERT (is_pkcs12 == FALSE, desc,
"unexpected success reading non-PKCS#12 file '%s'", "unexpected success reading non-PKCS#12 file '%s'",

176
src/supplicant-manager/nm-supplicant-config.c
View File

@@ -702,8 +702,8 @@ nm_supplicant_config_add_setting_8021x (NMSupplicantConfig *self,
{ {
NMSupplicantConfigPrivate *priv; NMSupplicantConfigPrivate *priv;
char *tmp; char *tmp;
const char *peapver, *value; const char *peapver, *value, *path;
gboolean success; gboolean success, added;
GString *phase1, *phase2; GString *phase1, *phase2;
const GByteArray *array; const GByteArray *array;
@@ -780,53 +780,163 @@ nm_supplicant_config_add_setting_8021x (NMSupplicantConfig *self,
} }
g_string_free (phase2, TRUE); g_string_free (phase2, TRUE);
if (nm_setting_802_1x_get_system_ca_certs (setting)) { /* CA path */
if (!add_string_val (self, SYSTEM_CA_PATH, "ca_path", FALSE, FALSE)) path = nm_setting_802_1x_get_ca_path (setting);
if (nm_setting_802_1x_get_system_ca_certs (setting))
path = SYSTEM_CA_PATH;
if (path) {
if (!add_string_val (self, path, "ca_path", FALSE, FALSE))
return FALSE; return FALSE;
} else {
ADD_BLOB_VAL (nm_setting_802_1x_get_ca_cert (setting), "ca_cert", connection_uid);
} }
array = nm_setting_802_1x_get_private_key (setting); /* Phase2 CA path */
if (array) { path = nm_setting_802_1x_get_phase2_ca_path (setting);
ADD_BLOB_VAL (array, "private_key", connection_uid); if (nm_setting_802_1x_get_system_ca_certs (setting))
path = SYSTEM_CA_PATH;
if (path) {
if (!add_string_val (self, path, "ca_path2", FALSE, FALSE))
return FALSE;
}
switch (nm_setting_802_1x_get_private_key_type (setting)) { /* CA certificate */
case NM_SETTING_802_1X_CK_TYPE_PKCS12: switch (nm_setting_802_1x_get_ca_cert_scheme (setting)) {
/* Only add the private key password for PKCS#12 keys */ case NM_SETTING_802_1X_CK_SCHEME_BLOB:
array = nm_setting_802_1x_get_ca_cert_blob (setting);
ADD_BLOB_VAL (array, "ca_cert", connection_uid);
break;
case NM_SETTING_802_1X_CK_SCHEME_PATH:
path = nm_setting_802_1x_get_ca_cert_path (setting);
if (!add_string_val (self, path, "ca_cert", FALSE, FALSE))
return FALSE;
break;
default:
break;
}
/* Phase 2 CA certificate */
switch (nm_setting_802_1x_get_phase2_ca_cert_scheme (setting)) {
case NM_SETTING_802_1X_CK_SCHEME_BLOB:
array = nm_setting_802_1x_get_phase2_ca_cert_blob (setting);
ADD_BLOB_VAL (array, "ca_cert2", connection_uid);
break;
case NM_SETTING_802_1X_CK_SCHEME_PATH:
path = nm_setting_802_1x_get_phase2_ca_cert_path (setting);
if (!add_string_val (self, path, "ca_cert2", FALSE, FALSE))
return FALSE;
break;
default:
break;
}
/* Private key */
added = FALSE;
switch (nm_setting_802_1x_get_private_key_scheme (setting)) {
case NM_SETTING_802_1X_CK_SCHEME_BLOB:
array = nm_setting_802_1x_get_private_key_blob (setting);
ADD_BLOB_VAL (array, "private_key", connection_uid);
added = TRUE;
break;
case NM_SETTING_802_1X_CK_SCHEME_PATH:
path = nm_setting_802_1x_get_private_key_path (setting);
if (!add_string_val (self, path, "private_key", FALSE, FALSE))
return FALSE;
added = TRUE;
break;
default:
break;
}
if (added) {
NMSetting8021xCKFormat format;
NMSetting8021xCKScheme scheme;
format = nm_setting_802_1x_get_private_key_format (setting);
scheme = nm_setting_802_1x_get_private_key_scheme (setting);
if ( scheme == NM_SETTING_802_1X_CK_SCHEME_PATH
|| format == NM_SETTING_802_1X_CK_FORMAT_PKCS12) {
/* Only add the private key password for PKCS#12 blobs and
* all path schemes, since in both of these cases the private key
* isn't decrypted at all.
*/
value = nm_setting_802_1x_get_private_key_password (setting); value = nm_setting_802_1x_get_private_key_password (setting);
if (!add_string_val (self, value, "private_key_passwd", FALSE, TRUE)) if (!add_string_val (self, value, "private_key_passwd", FALSE, TRUE))
return FALSE; return FALSE;
break; }
default:
/* Only add the client cert if the private key is not PKCS#12 */ if (format != NM_SETTING_802_1X_CK_FORMAT_PKCS12) {
ADD_BLOB_VAL (nm_setting_802_1x_get_client_cert (setting), "client_cert", connection_uid); /* Only add the client cert if the private key is not PKCS#12, as
break; * wpa_supplicant configuration directs us to do.
*/
switch (nm_setting_802_1x_get_client_cert_scheme (setting)) {
case NM_SETTING_802_1X_CK_SCHEME_BLOB:
array = nm_setting_802_1x_get_client_cert_blob (setting);
ADD_BLOB_VAL (array, "client_cert", connection_uid);
break;
case NM_SETTING_802_1X_CK_SCHEME_PATH:
path = nm_setting_802_1x_get_client_cert_path (setting);
if (!add_string_val (self, path, "client_cert", FALSE, FALSE))
return FALSE;
break;
default:
break;
}
} }
} }
if (nm_setting_802_1x_get_system_ca_certs (setting)) { /* Phase 2 private key */
if (!add_string_val (self, SYSTEM_CA_PATH, "ca_path2", FALSE, FALSE)) added = FALSE;
switch (nm_setting_802_1x_get_phase2_private_key_scheme (setting)) {
case NM_SETTING_802_1X_CK_SCHEME_BLOB:
array = nm_setting_802_1x_get_phase2_private_key_blob (setting);
ADD_BLOB_VAL (array, "private_key2", connection_uid);
added = TRUE;
break;
case NM_SETTING_802_1X_CK_SCHEME_PATH:
path = nm_setting_802_1x_get_phase2_private_key_path (setting);
if (!add_string_val (self, path, "private_key2", FALSE, FALSE))
return FALSE; return FALSE;
} else { added = TRUE;
ADD_BLOB_VAL (nm_setting_802_1x_get_phase2_ca_cert (setting), "ca_cert2", connection_uid); break;
default:
break;
} }
array = nm_setting_802_1x_get_phase2_private_key (setting); if (added) {
if (array) { NMSetting8021xCKFormat format;
ADD_BLOB_VAL (array, "private_key2", connection_uid); NMSetting8021xCKScheme scheme;
switch (nm_setting_802_1x_get_phase2_private_key_type (setting)) { format = nm_setting_802_1x_get_phase2_private_key_format (setting);
case NM_SETTING_802_1X_CK_TYPE_PKCS12: scheme = nm_setting_802_1x_get_phase2_private_key_scheme (setting);
/* Only add the private key password for PKCS#12 keys */
if ( scheme == NM_SETTING_802_1X_CK_SCHEME_PATH
|| format == NM_SETTING_802_1X_CK_FORMAT_PKCS12) {
/* Only add the private key password for PKCS#12 blobs and
* all path schemes, since in both of these cases the private key
* isn't decrypted at all.
*/
value = nm_setting_802_1x_get_phase2_private_key_password (setting); value = nm_setting_802_1x_get_phase2_private_key_password (setting);
if (!add_string_val (self, value, "private_key2_passwd", FALSE, TRUE)) if (!add_string_val (self, value, "private_key_passwd2", FALSE, TRUE))
return FALSE; return FALSE;
break; }
default:
/* Only add the client cert if the private key is not PKCS#12 */ if (format != NM_SETTING_802_1X_CK_FORMAT_PKCS12) {
ADD_BLOB_VAL (nm_setting_802_1x_get_phase2_client_cert (setting), "client_cert2", connection_uid); /* Only add the client cert if the private key is not PKCS#12, as
break; * wpa_supplicant configuration directs us to do.
*/
switch (nm_setting_802_1x_get_phase2_client_cert_scheme (setting)) {
case NM_SETTING_802_1X_CK_SCHEME_BLOB:
array = nm_setting_802_1x_get_phase2_client_cert_blob (setting);
ADD_BLOB_VAL (array, "client_cert2", connection_uid);
break;
case NM_SETTING_802_1X_CK_SCHEME_PATH:
path = nm_setting_802_1x_get_phase2_client_cert_path (setting);
if (!add_string_val (self, path, "client_cert2", FALSE, FALSE))
return FALSE;
break;
default:
break;
}
} }
} }

18
system-settings/plugins/ifcfg-rh/common.h
View File

@@ -38,24 +38,6 @@
#define TYPE_ETHERNET "Ethernet" #define TYPE_ETHERNET "Ethernet"
#define TYPE_WIRELESS "Wireless" #define TYPE_WIRELESS "Wireless"
#define TAG_CA_CERT_PATH "ca-cert-path"
#define TAG_CA_CERT_HASH "ca-cert-hash"
#define TAG_CLIENT_CERT_PATH "client-cert-path"
#define TAG_CLIENT_CERT_HASH "client-cert-hash"
#define TAG_PRIVATE_KEY_PATH "private-key-path"
#define TAG_PRIVATE_KEY_HASH "private-key-hash"
#define TAG_PHASE2_CA_CERT_PATH "phase2-ca-cert-path"
#define TAG_PHASE2_CA_CERT_HASH "phase2-ca-cert-hash"
#define TAG_PHASE2_CLIENT_CERT_PATH "phase2-client-cert-path"
#define TAG_PHASE2_CLIENT_CERT_HASH "phase2-client-cert-hash"
#define TAG_PHASE2_PRIVATE_KEY_PATH "phase2-private-key-path"
#define TAG_PHASE2_PRIVATE_KEY_HASH "phase2-private-key-hash"
GQuark ifcfg_plugin_error_quark (void); GQuark ifcfg_plugin_error_quark (void);

145
system-settings/plugins/ifcfg-rh/reader.c
View File

@@ -1201,21 +1201,6 @@ get_cert_file (const char *ifcfg_path, const char *cert_path)
return ret; return ret;
} }
static void
set_file_path (NMSetting8021x *s_8021x,
const char *path_tag,
const char *hash_tag,
const char *path,
const char *setting_key)
{
GByteArray *data = NULL;
g_object_set_data_full (G_OBJECT (s_8021x), path_tag, g_strdup (path), g_free);
g_object_get (G_OBJECT (s_8021x), setting_key, &data, NULL);
if (data)
g_object_set_data_full (G_OBJECT (s_8021x), hash_tag, utils_hash_byte_array (data), g_free);
}
static gboolean static gboolean
eap_tls_reader (const char *eap_method, eap_tls_reader (const char *eap_method,
shvarFile *ifcfg, shvarFile *ifcfg,
@@ -1231,7 +1216,7 @@ eap_tls_reader (const char *eap_method,
char *privkey = NULL; char *privkey = NULL;
char *privkey_password = NULL; char *privkey_password = NULL;
gboolean success = FALSE; gboolean success = FALSE;
NMSetting8021xCKType privkey_type = NM_SETTING_802_1X_CK_TYPE_UNKNOWN; NMSetting8021xCKFormat privkey_format = NM_SETTING_802_1X_CK_FORMAT_UNKNOWN;
value = svGetValue (ifcfg, "IEEE_8021X_IDENTITY", FALSE); value = svGetValue (ifcfg, "IEEE_8021X_IDENTITY", FALSE);
if (!value) { if (!value) {
@@ -1249,21 +1234,19 @@ eap_tls_reader (const char *eap_method,
if (ca_cert) { if (ca_cert) {
real_path = get_cert_file (ifcfg->fileName, ca_cert); real_path = get_cert_file (ifcfg->fileName, ca_cert);
if (phase2) { if (phase2) {
if (!nm_setting_802_1x_set_phase2_ca_cert_from_file (s_8021x, real_path, NULL, error)) if (!nm_setting_802_1x_set_phase2_ca_cert (s_8021x,
real_path,
NM_SETTING_802_1X_CK_SCHEME_PATH,
NULL,
error))
goto done; goto done;
set_file_path (s_8021x,
TAG_PHASE2_CA_CERT_PATH,
TAG_PHASE2_CA_CERT_HASH,
real_path,
NM_SETTING_802_1X_PHASE2_CA_CERT);
} else { } else {
if (!nm_setting_802_1x_set_ca_cert_from_file (s_8021x, real_path, NULL, error)) if (!nm_setting_802_1x_set_ca_cert (s_8021x,
real_path,
NM_SETTING_802_1X_CK_SCHEME_PATH,
NULL,
error))
goto done; goto done;
set_file_path (s_8021x,
TAG_CA_CERT_PATH,
TAG_CA_CERT_HASH,
real_path,
NM_SETTING_802_1X_CA_CERT);
} }
} else { } else {
PLUGIN_WARN (IFCFG_PLUGIN_NAME, " warning: missing %s for EAP" PLUGIN_WARN (IFCFG_PLUGIN_NAME, " warning: missing %s for EAP"
@@ -1306,56 +1289,30 @@ eap_tls_reader (const char *eap_method,
g_free (real_path); g_free (real_path);
real_path = get_cert_file (ifcfg->fileName, privkey); real_path = get_cert_file (ifcfg->fileName, privkey);
if (phase2) { if (phase2) {
if (!nm_setting_802_1x_set_phase2_private_key_from_file (s_8021x, real_path, privkey_password, &privkey_type, error)) if (!nm_setting_802_1x_set_phase2_private_key (s_8021x,
real_path,
privkey_password,
NM_SETTING_802_1X_CK_SCHEME_PATH,
&privkey_format,
error))
goto done; goto done;
set_file_path (s_8021x,
TAG_PHASE2_PRIVATE_KEY_PATH,
TAG_PHASE2_PRIVATE_KEY_HASH,
real_path,
NM_SETTING_802_1X_PHASE2_PRIVATE_KEY);
} else { } else {
if (!nm_setting_802_1x_set_private_key_from_file (s_8021x, real_path, privkey_password, &privkey_type, error)) if (!nm_setting_802_1x_set_private_key (s_8021x,
real_path,
privkey_password,
NM_SETTING_802_1X_CK_SCHEME_PATH,
&privkey_format,
error))
goto done; goto done;
set_file_path (s_8021x,
TAG_PRIVATE_KEY_PATH,
TAG_PRIVATE_KEY_HASH,
real_path,
NM_SETTING_802_1X_PRIVATE_KEY);
} }
/* Per NM requirements, if the private key is pkcs12, set the client cert to the /* Only set the client certificate if the private key is not PKCS#12 format,
* same data as the private key, since pkcs12 files contain both. * as NM (due to supplicant restrictions) requires. If the key was PKCS#12,
* then nm_setting_802_1x_set_private_key() already set the client certificate
* to the same value as the private key.
*/ */
if (privkey_type == NM_SETTING_802_1X_CK_TYPE_PKCS12) { if ( privkey_format == NM_SETTING_802_1X_CK_FORMAT_RAW_KEY
/* Set the private key password if PKCS#12, because PKCS#12 doesn't get || privkey_format == NM_SETTING_802_1X_CK_FORMAT_X509) {
* decrypted when being stored in the Setting.
*/
if (phase2)
g_object_set (s_8021x, NM_SETTING_802_1X_PHASE2_PRIVATE_KEY_PASSWORD, privkey_password, NULL);
else
g_object_set (s_8021x, NM_SETTING_802_1X_PRIVATE_KEY_PASSWORD, privkey_password, NULL);
if (phase2) {
if (!nm_setting_802_1x_set_phase2_client_cert_from_file (s_8021x, real_path, NULL, error))
goto done;
set_file_path (s_8021x,
TAG_PHASE2_CLIENT_CERT_PATH,
TAG_PHASE2_CLIENT_CERT_HASH,
real_path,
NM_SETTING_802_1X_PHASE2_CLIENT_CERT);
} else {
if (!nm_setting_802_1x_set_client_cert_from_file (s_8021x, real_path, NULL, error))
goto done;
set_file_path (s_8021x,
TAG_CLIENT_CERT_PATH,
TAG_CLIENT_CERT_HASH,
real_path,
NM_SETTING_802_1X_CLIENT_CERT);
}
} else {
/* Otherwise, private key is "traditional" OpenSSL format, so
* client certificate will be a separate file.
*/
client_cert = svGetValue (ifcfg, client_cert = svGetValue (ifcfg,
phase2 ? "IEEE_8021X_INNER_CLIENT_CERT" : "IEEE_8021X_CLIENT_CERT", phase2 ? "IEEE_8021X_INNER_CLIENT_CERT" : "IEEE_8021X_CLIENT_CERT",
FALSE); FALSE);
@@ -1370,21 +1327,19 @@ eap_tls_reader (const char *eap_method,
g_free (real_path); g_free (real_path);
real_path = get_cert_file (ifcfg->fileName, client_cert); real_path = get_cert_file (ifcfg->fileName, client_cert);
if (phase2) { if (phase2) {
if (!nm_setting_802_1x_set_phase2_client_cert_from_file (s_8021x, real_path, NULL, error)) if (!nm_setting_802_1x_set_phase2_client_cert (s_8021x,
real_path,
NM_SETTING_802_1X_CK_SCHEME_PATH,
NULL,
error))
goto done; goto done;
set_file_path (s_8021x,
TAG_PHASE2_CLIENT_CERT_PATH,
TAG_PHASE2_CLIENT_CERT_HASH,
real_path,
NM_SETTING_802_1X_PHASE2_CLIENT_CERT);
} else { } else {
if (!nm_setting_802_1x_set_client_cert_from_file (s_8021x, real_path, NULL, error)) if (!nm_setting_802_1x_set_client_cert (s_8021x,
real_path,
NM_SETTING_802_1X_CK_SCHEME_PATH,
NULL,
error))
goto done; goto done;
set_file_path (s_8021x,
TAG_CLIENT_CERT_PATH,
TAG_CLIENT_CERT_HASH,
real_path,
NM_SETTING_802_1X_CLIENT_CERT);
} }
} }
@@ -1418,13 +1373,12 @@ eap_peap_reader (const char *eap_method,
ca_cert = svGetValue (ifcfg, "IEEE_8021X_CA_CERT", FALSE); ca_cert = svGetValue (ifcfg, "IEEE_8021X_CA_CERT", FALSE);
if (ca_cert) { if (ca_cert) {
real_cert_path = get_cert_file (ifcfg->fileName, ca_cert); real_cert_path = get_cert_file (ifcfg->fileName, ca_cert);
if (!nm_setting_802_1x_set_ca_cert_from_file (s_8021x, real_cert_path, NULL, error)) if (!nm_setting_802_1x_set_ca_cert (s_8021x,
real_cert_path,
NM_SETTING_802_1X_CK_SCHEME_PATH,
NULL,
error))
goto done; goto done;
set_file_path (s_8021x,
TAG_CA_CERT_PATH,
TAG_CA_CERT_HASH,
real_cert_path,
NM_SETTING_802_1X_CA_CERT);
} else { } else {
PLUGIN_WARN (IFCFG_PLUGIN_NAME, " warning: missing " PLUGIN_WARN (IFCFG_PLUGIN_NAME, " warning: missing "
"IEEE_8021X_CA_CERT for EAP method '%s'; this is" "IEEE_8021X_CA_CERT for EAP method '%s'; this is"
@@ -1520,13 +1474,12 @@ eap_ttls_reader (const char *eap_method,
ca_cert = svGetValue (ifcfg, "IEEE_8021X_CA_CERT", FALSE); ca_cert = svGetValue (ifcfg, "IEEE_8021X_CA_CERT", FALSE);
if (ca_cert) { if (ca_cert) {
real_cert_path = get_cert_file (ifcfg->fileName, ca_cert); real_cert_path = get_cert_file (ifcfg->fileName, ca_cert);
if (!nm_setting_802_1x_set_ca_cert_from_file (s_8021x, real_cert_path, NULL, error)) if (!nm_setting_802_1x_set_ca_cert (s_8021x,
real_cert_path,
NM_SETTING_802_1X_CK_SCHEME_PATH,
NULL,
error))
goto done; goto done;
set_file_path (s_8021x,
TAG_CA_CERT_PATH,
TAG_CA_CERT_HASH,
real_cert_path,
NM_SETTING_802_1X_CA_CERT);
} else { } else {
PLUGIN_WARN (IFCFG_PLUGIN_NAME, " warning: missing " PLUGIN_WARN (IFCFG_PLUGIN_NAME, " warning: missing "
"IEEE_8021X_CA_CERT for EAP method '%s'; this is" "IEEE_8021X_CA_CERT for EAP method '%s'; this is"

204
system-settings/plugins/ifcfg-rh/tests/test-ifcfg-rh.c
View File

@@ -69,8 +69,9 @@ verify_cert_or_key (CertKeyType ck_type,
NMSetting8021x *s_8021x; NMSetting8021x *s_8021x;
GError *error = NULL; GError *error = NULL;
gboolean success = FALSE; gboolean success = FALSE;
const GByteArray *expected = NULL, *setting = NULL; const char *expected = NULL, *setting = NULL;
gboolean phase2 = FALSE; gboolean phase2 = FALSE;
NMSetting8021xCKScheme scheme = NM_SETTING_802_1X_CK_SCHEME_UNKNOWN;
if (strstr (setting_key, "phase2")) if (strstr (setting_key, "phase2"))
phase2 = TRUE; phase2 = TRUE;
@@ -83,19 +84,19 @@ verify_cert_or_key (CertKeyType ck_type,
if (ck_type == CK_CA_CERT) { if (ck_type == CK_CA_CERT) {
if (phase2) if (phase2)
success = nm_setting_802_1x_set_phase2_ca_cert_from_file (s_8021x, file, NULL, &error); success = nm_setting_802_1x_set_phase2_ca_cert (s_8021x, file, NM_SETTING_802_1X_CK_SCHEME_PATH, NULL, &error);
else else
success = nm_setting_802_1x_set_ca_cert_from_file (s_8021x, file, NULL, &error); success = nm_setting_802_1x_set_ca_cert (s_8021x, file, NM_SETTING_802_1X_CK_SCHEME_PATH, NULL, &error);
} else if (ck_type == CK_CLIENT_CERT) { } else if (ck_type == CK_CLIENT_CERT) {
if (phase2) if (phase2)
success = nm_setting_802_1x_set_phase2_client_cert_from_file (s_8021x, file, NULL, &error); success = nm_setting_802_1x_set_phase2_client_cert (s_8021x, file, NM_SETTING_802_1X_CK_SCHEME_PATH, NULL, &error);
else else
success = nm_setting_802_1x_set_client_cert_from_file (s_8021x, file, NULL, &error); success = nm_setting_802_1x_set_client_cert (s_8021x, file, NM_SETTING_802_1X_CK_SCHEME_PATH, NULL, &error);
} else if (ck_type == CK_PRIV_KEY) { } else if (ck_type == CK_PRIV_KEY) {
if (phase2) if (phase2)
success = nm_setting_802_1x_set_phase2_private_key_from_file (s_8021x, file, privkey_password, NULL, &error); success = nm_setting_802_1x_set_phase2_private_key (s_8021x, file, privkey_password, NM_SETTING_802_1X_CK_SCHEME_PATH, NULL, &error);
else else
success = nm_setting_802_1x_set_private_key_from_file (s_8021x, file, privkey_password, NULL, &error); success = nm_setting_802_1x_set_private_key (s_8021x, file, privkey_password, NM_SETTING_802_1X_CK_SCHEME_PATH, NULL, &error);
} }
ASSERT (success == TRUE, ASSERT (success == TRUE,
test_name, "failed to verify %s: could not load item for %s / %s: %s", test_name, "failed to verify %s: could not load item for %s / %s: %s",
@@ -103,19 +104,39 @@ verify_cert_or_key (CertKeyType ck_type,
if (ck_type == CK_CA_CERT) { if (ck_type == CK_CA_CERT) {
if (phase2) if (phase2)
expected = nm_setting_802_1x_get_phase2_ca_cert (s_8021x); scheme = nm_setting_802_1x_get_phase2_ca_cert_scheme (s_8021x);
else else
expected = nm_setting_802_1x_get_ca_cert (s_8021x); scheme = nm_setting_802_1x_get_ca_cert_scheme (s_8021x);
} else if (ck_type == CK_CLIENT_CERT) { } else if (ck_type == CK_CLIENT_CERT) {
if (phase2) if (phase2)
expected = nm_setting_802_1x_get_phase2_client_cert (s_8021x); scheme = nm_setting_802_1x_get_phase2_client_cert_scheme (s_8021x);
else else
expected = nm_setting_802_1x_get_client_cert (s_8021x); scheme = nm_setting_802_1x_get_client_cert_scheme (s_8021x);
} else if (ck_type == CK_PRIV_KEY) { } else if (ck_type == CK_PRIV_KEY) {
if (phase2) if (phase2)
expected = nm_setting_802_1x_get_phase2_private_key (s_8021x); scheme = nm_setting_802_1x_get_phase2_private_key_scheme (s_8021x);
else else
expected = nm_setting_802_1x_get_private_key (s_8021x); scheme = nm_setting_802_1x_get_private_key_scheme (s_8021x);
}
ASSERT (scheme == NM_SETTING_802_1X_CK_SCHEME_PATH,
test_name, "failed to verify %s: unexpected cert/key scheme for %s / %s",
ifcfg, NM_SETTING_802_1X_SETTING_NAME, setting_key);
if (ck_type == CK_CA_CERT) {
if (phase2)
expected = nm_setting_802_1x_get_phase2_ca_cert_path (s_8021x);
else
expected = nm_setting_802_1x_get_ca_cert_path (s_8021x);
} else if (ck_type == CK_CLIENT_CERT) {
if (phase2)
expected = nm_setting_802_1x_get_phase2_client_cert_path (s_8021x);
else
expected = nm_setting_802_1x_get_client_cert_path (s_8021x);
} else if (ck_type == CK_PRIV_KEY) {
if (phase2)
expected = nm_setting_802_1x_get_phase2_private_key_path (s_8021x);
else
expected = nm_setting_802_1x_get_private_key_path (s_8021x);
} }
ASSERT (expected != NULL, ASSERT (expected != NULL,
test_name, "failed to verify %s: failed to get read item for %s / %s", test_name, "failed to verify %s: failed to get read item for %s / %s",
@@ -123,29 +144,29 @@ verify_cert_or_key (CertKeyType ck_type,
if (ck_type == CK_CA_CERT) { if (ck_type == CK_CA_CERT) {
if (phase2) if (phase2)
setting = nm_setting_802_1x_get_phase2_ca_cert (s_compare); setting = nm_setting_802_1x_get_phase2_ca_cert_path (s_compare);
else else
setting = nm_setting_802_1x_get_ca_cert (s_compare); setting = nm_setting_802_1x_get_ca_cert_path (s_compare);
} else if (ck_type == CK_CLIENT_CERT) { } else if (ck_type == CK_CLIENT_CERT) {
if (phase2) if (phase2)
setting = nm_setting_802_1x_get_phase2_client_cert (s_compare); setting = nm_setting_802_1x_get_phase2_client_cert_path (s_compare);
else else
setting = nm_setting_802_1x_get_client_cert (s_compare); setting = nm_setting_802_1x_get_client_cert_path (s_compare);
} else if (ck_type == CK_PRIV_KEY) { } else if (ck_type == CK_PRIV_KEY) {
if (phase2) if (phase2)
setting = nm_setting_802_1x_get_phase2_private_key (s_compare); setting = nm_setting_802_1x_get_phase2_private_key_path (s_compare);
else else
setting = nm_setting_802_1x_get_private_key (s_compare); setting = nm_setting_802_1x_get_private_key_path (s_compare);
} }
ASSERT (setting != NULL, ASSERT (setting != NULL,
test_name, "failed to verify %s: missing %s / %s key", test_name, "failed to verify %s: missing %s / %s key",
ifcfg, NM_SETTING_802_1X_SETTING_NAME, setting_key); ifcfg, NM_SETTING_802_1X_SETTING_NAME, setting_key);
ASSERT (setting->len == expected->len, ASSERT (strlen (setting) == strlen (expected),
test_name, "failed to verify %s: unexpected %s / %s certificate length", test_name, "failed to verify %s: unexpected %s / %s certificate length",
test_name, NM_SETTING_802_1X_SETTING_NAME, setting_key); test_name, NM_SETTING_802_1X_SETTING_NAME, setting_key);
ASSERT (memcmp (setting->data, expected->data, setting->len) == 0, ASSERT (strcmp (setting, expected) == 0,
test_name, "failed to verify %s: %s / %s key certificate mismatch", test_name, "failed to verify %s: %s / %s key certificate mismatch",
ifcfg, NM_SETTING_802_1X_SETTING_NAME, setting_key); ifcfg, NM_SETTING_802_1X_SETTING_NAME, setting_key);
@@ -1040,8 +1061,8 @@ test_read_wired_8021x_peap_mschapv2 (void)
const char *expected_identity = "David Smith"; const char *expected_identity = "David Smith";
const char *expected_password = "foobar baz"; const char *expected_password = "foobar baz";
gboolean success = FALSE; gboolean success = FALSE;
const GByteArray *expected_ca_cert; const char *expected_ca_cert_path;
const GByteArray *read_ca_cert; const char *read_ca_cert_path;
connection = connection_from_file (TEST_IFCFG_WIRED_8021x_PEAP_MSCHAPV2, connection = connection_from_file (TEST_IFCFG_WIRED_8021x_PEAP_MSCHAPV2,
NULL, NULL,
@@ -1166,40 +1187,34 @@ test_read_wired_8021x_peap_mschapv2 (void)
ASSERT (tmp_8021x != NULL, ASSERT (tmp_8021x != NULL,
"wired-8021x-peap-mschapv2-verify-8021x", "failed to verify %s: could not create temp 802.1x setting", "wired-8021x-peap-mschapv2-verify-8021x", "failed to verify %s: could not create temp 802.1x setting",
TEST_IFCFG_WIRED_8021x_PEAP_MSCHAPV2, TEST_IFCFG_WIRED_8021x_PEAP_MSCHAPV2,
NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_SETTING_NAME);
NM_SETTING_802_1X_CA_CERT);
success = nm_setting_802_1x_set_ca_cert_from_file (tmp_8021x, success = nm_setting_802_1x_set_ca_cert (tmp_8021x,
TEST_IFCFG_WIRED_8021x_PEAP_MSCHAPV2_CA_CERT, TEST_IFCFG_WIRED_8021x_PEAP_MSCHAPV2_CA_CERT,
NULL, NM_SETTING_802_1X_CK_SCHEME_PATH,
&error); NULL,
&error);
ASSERT (success == TRUE, ASSERT (success == TRUE,
"wired-8021x-peap-mschapv2-verify-8021x", "failed to verify %s: could not load CA certificate", "wired-8021x-peap-mschapv2-verify-8021x", "failed to verify %s: could not load CA certificate",
TEST_IFCFG_WIRED_8021x_PEAP_MSCHAPV2, TEST_IFCFG_WIRED_8021x_PEAP_MSCHAPV2,
NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_SETTING_NAME,
NM_SETTING_802_1X_CA_CERT); NM_SETTING_802_1X_CA_CERT);
expected_ca_cert = nm_setting_802_1x_get_ca_cert (tmp_8021x); expected_ca_cert_path = nm_setting_802_1x_get_ca_cert_path (tmp_8021x);
ASSERT (expected_ca_cert != NULL, ASSERT (expected_ca_cert_path != NULL,
"wired-8021x-peap-mschapv2-verify-8021x", "failed to verify %s: failed to get CA certificate", "wired-8021x-peap-mschapv2-verify-8021x", "failed to verify %s: failed to get CA certificate",
TEST_IFCFG_WIRED_8021x_PEAP_MSCHAPV2, TEST_IFCFG_WIRED_8021x_PEAP_MSCHAPV2,
NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_SETTING_NAME,
NM_SETTING_802_1X_CA_CERT); NM_SETTING_802_1X_CA_CERT);
read_ca_cert = nm_setting_802_1x_get_ca_cert (s_8021x); read_ca_cert_path = nm_setting_802_1x_get_ca_cert_path (s_8021x);
ASSERT (read_ca_cert != NULL, ASSERT (read_ca_cert_path != NULL,
"wired-8021x-peap-mschapv2-verify-8021x", "failed to verify %s: missing %s / %s key", "wired-8021x-peap-mschapv2-verify-8021x", "failed to verify %s: missing %s / %s key",
TEST_IFCFG_WIRED_8021x_PEAP_MSCHAPV2, TEST_IFCFG_WIRED_8021x_PEAP_MSCHAPV2,
NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_SETTING_NAME,
NM_SETTING_802_1X_CA_CERT); NM_SETTING_802_1X_CA_CERT);
ASSERT (read_ca_cert->len == expected_ca_cert->len, ASSERT (strcmp (read_ca_cert_path, expected_ca_cert_path) == 0,
"wired-8021x-peap-mschapv2-verify-8021x", "failed to verify %s: unexpected %s / %s certificate length", "wired-8021x-peap-mschapv2-verify-8021x", "failed to verify %s: unexpected %s / %s certificate path",
TEST_IFCFG_WIRED_8021x_PEAP_MSCHAPV2,
NM_SETTING_802_1X_SETTING_NAME,
NM_SETTING_802_1X_CA_CERT);
ASSERT (memcmp (read_ca_cert->data, expected_ca_cert->data, read_ca_cert->len) == 0,
"wired-8021x-peap-mschapv2-verify-8021x", "failed to verify %s: %s / %s key certificate mismatch",
TEST_IFCFG_WIRED_8021x_PEAP_MSCHAPV2, TEST_IFCFG_WIRED_8021x_PEAP_MSCHAPV2,
NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_SETTING_NAME,
NM_SETTING_802_1X_CA_CERT); NM_SETTING_802_1X_CA_CERT);
@@ -2878,7 +2893,7 @@ test_read_wifi_wpa_eap_tls (void)
char *keyfile = NULL; char *keyfile = NULL;
gboolean ignore_error = FALSE; gboolean ignore_error = FALSE;
GError *error = NULL; GError *error = NULL;
const char *tmp; const char *tmp, *password;
const char *expected_identity = "Bill Smith"; const char *expected_identity = "Bill Smith";
const char *expected_privkey_password = "test1"; const char *expected_privkey_password = "test1";
@@ -2980,7 +2995,14 @@ test_read_wifi_wpa_eap_tls (void)
NM_SETTING_802_1X_CLIENT_CERT); NM_SETTING_802_1X_CLIENT_CERT);
/* Private Key Password */ /* Private Key Password */
ASSERT (nm_setting_802_1x_get_private_key_password (s_8021x) == NULL, password = nm_setting_802_1x_get_private_key_password (s_8021x);
ASSERT (password != NULL,
"wifi-wpa-eap-tls-verify-8021x", "failed to verify %s: missing %s / %s key",
TEST_IFCFG_WIFI_WPA_EAP_TLS,
NM_SETTING_802_1X_SETTING_NAME,
NM_SETTING_802_1X_PRIVATE_KEY_PASSWORD);
ASSERT (strcmp (password, expected_privkey_password) == 0,
"wifi-wpa-eap-tls-verify-8021x", "failed to verify %s: unexpected %s / %s key", "wifi-wpa-eap-tls-verify-8021x", "failed to verify %s: unexpected %s / %s key",
TEST_IFCFG_WIFI_WPA_EAP_TLS, TEST_IFCFG_WIFI_WPA_EAP_TLS,
NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_SETTING_NAME,
@@ -3013,7 +3035,7 @@ test_read_wifi_wpa_eap_ttls_tls (void)
char *keyfile = NULL; char *keyfile = NULL;
gboolean ignore_error = FALSE; gboolean ignore_error = FALSE;
GError *error = NULL; GError *error = NULL;
const char *tmp; const char *tmp, *password;
const char *expected_identity = "Chuck Shumer"; const char *expected_identity = "Chuck Shumer";
const char *expected_privkey_password = "test1"; const char *expected_privkey_password = "test1";
@@ -3124,7 +3146,14 @@ test_read_wifi_wpa_eap_ttls_tls (void)
NM_SETTING_802_1X_PHASE2_CLIENT_CERT); NM_SETTING_802_1X_PHASE2_CLIENT_CERT);
/* Inner Private Key Password */ /* Inner Private Key Password */
ASSERT (nm_setting_802_1x_get_phase2_private_key_password (s_8021x) == NULL, password = nm_setting_802_1x_get_phase2_private_key_password (s_8021x);
ASSERT (password != NULL,
"wifi-wpa-eap-ttls-tls-verify-8021x", "failed to verify %s: missing %s / %s key",
TEST_IFCFG_WIFI_WPA_EAP_TTLS_TLS,
NM_SETTING_802_1X_SETTING_NAME,
NM_SETTING_802_1X_PHASE2_PRIVATE_KEY_PASSWORD);
ASSERT (strcmp (password, expected_privkey_password) == 0,
"wifi-wpa-eap-ttls-tls-verify-8021x", "failed to verify %s: unexpected %s / %s key", "wifi-wpa-eap-ttls-tls-verify-8021x", "failed to verify %s: unexpected %s / %s key",
TEST_IFCFG_WIFI_WPA_EAP_TTLS_TLS, TEST_IFCFG_WIFI_WPA_EAP_TTLS_TLS,
NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_SETTING_NAME,
@@ -3619,10 +3648,11 @@ test_write_wired_dhcp_8021x_peap_mschapv2 (void)
nm_setting_802_1x_add_eap_method (s_8021x, "peap"); nm_setting_802_1x_add_eap_method (s_8021x, "peap");
success = nm_setting_802_1x_set_ca_cert_from_file (s_8021x, success = nm_setting_802_1x_set_ca_cert (s_8021x,
TEST_IFCFG_WIRED_8021x_PEAP_MSCHAPV2_CA_CERT, TEST_IFCFG_WIRED_8021x_PEAP_MSCHAPV2_CA_CERT,
NULL, NM_SETTING_802_1X_CK_SCHEME_PATH,
&error); NULL,
&error);
ASSERT (success == TRUE, ASSERT (success == TRUE,
"wired-dhcp-8021x-peap-mschapv2write", "failed to verify connection: %s", "wired-dhcp-8021x-peap-mschapv2write", "failed to verify connection: %s",
(error && error->message) ? error->message : "(unknown)"); (error && error->message) ? error->message : "(unknown)");
@@ -4548,27 +4578,30 @@ test_write_wifi_wpa_eap_tls (void)
nm_setting_802_1x_add_eap_method (s_8021x, "tls"); nm_setting_802_1x_add_eap_method (s_8021x, "tls");
success = nm_setting_802_1x_set_ca_cert_from_file (s_8021x, success = nm_setting_802_1x_set_ca_cert (s_8021x,
TEST_IFCFG_WIFI_WPA_EAP_TLS_CA_CERT, TEST_IFCFG_WIFI_WPA_EAP_TLS_CA_CERT,
NULL, NM_SETTING_802_1X_CK_SCHEME_PATH,
&error); NULL,
&error);
ASSERT (success == TRUE, ASSERT (success == TRUE,
"wifi-wpa-eap-tls-write", "failed to set CA certificate '%s': %s", "wifi-wpa-eap-tls-write", "failed to set CA certificate '%s': %s",
TEST_IFCFG_WIFI_WPA_EAP_TLS_CA_CERT, error->message); TEST_IFCFG_WIFI_WPA_EAP_TLS_CA_CERT, error->message);
success = nm_setting_802_1x_set_client_cert_from_file (s_8021x, success = nm_setting_802_1x_set_client_cert (s_8021x,
TEST_IFCFG_WIFI_WPA_EAP_TLS_CLIENT_CERT, TEST_IFCFG_WIFI_WPA_EAP_TLS_CLIENT_CERT,
NULL, NM_SETTING_802_1X_CK_SCHEME_PATH,
&error); NULL,
&error);
ASSERT (success == TRUE, ASSERT (success == TRUE,
"wifi-wpa-eap-tls-write", "failed to set client certificate '%s': %s", "wifi-wpa-eap-tls-write", "failed to set client certificate '%s': %s",
TEST_IFCFG_WIFI_WPA_EAP_TLS_CLIENT_CERT, error->message); TEST_IFCFG_WIFI_WPA_EAP_TLS_CLIENT_CERT, error->message);
success = nm_setting_802_1x_set_private_key_from_file (s_8021x, success = nm_setting_802_1x_set_private_key (s_8021x,
TEST_IFCFG_WIFI_WPA_EAP_TLS_PRIVATE_KEY, TEST_IFCFG_WIFI_WPA_EAP_TLS_PRIVATE_KEY,
"test1", "test1",
NULL, NM_SETTING_802_1X_CK_SCHEME_PATH,
&error); NULL,
&error);
ASSERT (success == TRUE, ASSERT (success == TRUE,
"wifi-wpa-eap-tls-write", "failed to set private key '%s': %s", "wifi-wpa-eap-tls-write", "failed to set private key '%s': %s",
TEST_IFCFG_WIFI_WPA_EAP_TLS_PRIVATE_KEY, error->message); TEST_IFCFG_WIFI_WPA_EAP_TLS_PRIVATE_KEY, error->message);
@@ -4712,10 +4745,11 @@ test_write_wifi_wpa_eap_ttls_tls (void)
NM_SETTING_802_1X_PHASE2_AUTHEAP, "tls", NM_SETTING_802_1X_PHASE2_AUTHEAP, "tls",
NULL); NULL);
success = nm_setting_802_1x_set_ca_cert_from_file (s_8021x, success = nm_setting_802_1x_set_ca_cert (s_8021x,
TEST_IFCFG_WIFI_WPA_EAP_TLS_CA_CERT, TEST_IFCFG_WIFI_WPA_EAP_TLS_CA_CERT,
NULL, NM_SETTING_802_1X_CK_SCHEME_PATH,
&error); NULL,
&error);
ASSERT (success == TRUE, ASSERT (success == TRUE,
"wifi-wpa-eap-ttls-tls-write", "failed to set CA certificate '%s': %s", "wifi-wpa-eap-ttls-tls-write", "failed to set CA certificate '%s': %s",
TEST_IFCFG_WIFI_WPA_EAP_TLS_CA_CERT, error->message); TEST_IFCFG_WIFI_WPA_EAP_TLS_CA_CERT, error->message);
@@ -4723,29 +4757,32 @@ test_write_wifi_wpa_eap_ttls_tls (void)
/* Phase 2 TLS stuff */ /* Phase 2 TLS stuff */
/* phase2 CA cert */ /* phase2 CA cert */
success = nm_setting_802_1x_set_phase2_ca_cert_from_file (s_8021x, success = nm_setting_802_1x_set_phase2_ca_cert (s_8021x,
TEST_IFCFG_WIFI_WPA_EAP_TLS_CA_CERT, TEST_IFCFG_WIFI_WPA_EAP_TLS_CA_CERT,
NULL, NM_SETTING_802_1X_CK_SCHEME_PATH,
&error); NULL,
&error);
ASSERT (success == TRUE, ASSERT (success == TRUE,
"wifi-wpa-eap-ttls-tls-write", "failed to set inner CA certificate '%s': %s", "wifi-wpa-eap-ttls-tls-write", "failed to set inner CA certificate '%s': %s",
TEST_IFCFG_WIFI_WPA_EAP_TLS_CA_CERT, error->message); TEST_IFCFG_WIFI_WPA_EAP_TLS_CA_CERT, error->message);
/* phase2 client cert */ /* phase2 client cert */
success = nm_setting_802_1x_set_phase2_client_cert_from_file (s_8021x, success = nm_setting_802_1x_set_phase2_client_cert (s_8021x,
TEST_IFCFG_WIFI_WPA_EAP_TLS_CLIENT_CERT, TEST_IFCFG_WIFI_WPA_EAP_TLS_CLIENT_CERT,
NULL, NM_SETTING_802_1X_CK_SCHEME_PATH,
&error); NULL,
&error);
ASSERT (success == TRUE, ASSERT (success == TRUE,
"wifi-wpa-eap-ttls-tls-write", "failed to set inner client certificate '%s': %s", "wifi-wpa-eap-ttls-tls-write", "failed to set inner client certificate '%s': %s",
TEST_IFCFG_WIFI_WPA_EAP_TLS_CLIENT_CERT, error->message); TEST_IFCFG_WIFI_WPA_EAP_TLS_CLIENT_CERT, error->message);
/* phase2 private key */ /* phase2 private key */
success = nm_setting_802_1x_set_phase2_private_key_from_file (s_8021x, success = nm_setting_802_1x_set_phase2_private_key (s_8021x,
TEST_IFCFG_WIFI_WPA_EAP_TLS_PRIVATE_KEY, TEST_IFCFG_WIFI_WPA_EAP_TLS_PRIVATE_KEY,
"test1", "test1",
NULL, NM_SETTING_802_1X_CK_SCHEME_PATH,
&error); NULL,
&error);
ASSERT (success == TRUE, ASSERT (success == TRUE,
"wifi-wpa-eap-ttls-tls-write", "failed to set private key '%s': %s", "wifi-wpa-eap-ttls-tls-write", "failed to set private key '%s': %s",
TEST_IFCFG_WIFI_WPA_EAP_TLS_PRIVATE_KEY, error->message); TEST_IFCFG_WIFI_WPA_EAP_TLS_PRIVATE_KEY, error->message);
@@ -4893,10 +4930,11 @@ test_write_wifi_wpa_eap_ttls_mschapv2 (void)
NM_SETTING_802_1X_PHASE2_AUTHEAP, "mschapv2", NM_SETTING_802_1X_PHASE2_AUTHEAP, "mschapv2",
NULL); NULL);
success = nm_setting_802_1x_set_ca_cert_from_file (s_8021x, success = nm_setting_802_1x_set_ca_cert (s_8021x,
TEST_IFCFG_WIFI_WPA_EAP_TLS_CA_CERT, TEST_IFCFG_WIFI_WPA_EAP_TLS_CA_CERT,
NULL, NM_SETTING_802_1X_CK_SCHEME_PATH,
&error); NULL,
&error);
ASSERT (success == TRUE, ASSERT (success == TRUE,
"wifi-wpa-eap-ttls-mschapv2-write", "failed to set CA certificate '%s': %s", "wifi-wpa-eap-ttls-mschapv2-write", "failed to set CA certificate '%s': %s",
TEST_IFCFG_WIFI_WPA_EAP_TLS_CA_CERT, error->message); TEST_IFCFG_WIFI_WPA_EAP_TLS_CA_CERT, error->message);

11
system-settings/plugins/ifcfg-rh/utils.c
View File

@@ -116,17 +116,6 @@ utils_hexstr2bin (const char *hex, size_t len)
/* End from hostap */ /* End from hostap */
char *
utils_hash_byte_array (const GByteArray *data)
{
unsigned char buf[SHA1_MAC_LEN];
static const char *key = "0123456789abcdefghijklmnopqrstuvwxyz";
memset (buf, 0, sizeof (buf));
sha1_mac ((const unsigned char *) key, strlen (key), (const u_int8_t *) data->data, data->len, &buf[0]);
return utils_bin2hexstr ((const char *) &buf[0], SHA1_MAC_LEN, SHA1_MAC_LEN * 2);
}
char * char *
utils_cert_path (const char *parent, const char *suffix) utils_cert_path (const char *parent, const char *suffix)
{ {

2
system-settings/plugins/ifcfg-rh/utils.h
View File

@@ -29,8 +29,6 @@ char *utils_bin2hexstr (const char *bytes, int len, int final_len);
char *utils_hexstr2bin (const char *hex, size_t len); char *utils_hexstr2bin (const char *hex, size_t len);
char *utils_hash_byte_array (const GByteArray *data);
char *utils_cert_path (const char *parent, const char *suffix); char *utils_cert_path (const char *parent, const char *suffix);
char *utils_get_ifcfg_name (const char *file); char *utils_get_ifcfg_name (const char *file);

209
system-settings/plugins/ifcfg-rh/writer.c
View File

@@ -144,151 +144,187 @@ out:
return success; return success;
} }
typedef NMSetting8021xCKScheme (*SchemeFunc)(NMSetting8021x *setting);
typedef const char * (*PathFunc) (NMSetting8021x *setting);
typedef const GByteArray * (*BlobFunc) (NMSetting8021x *setting);
typedef struct ObjectType { typedef struct ObjectType {
const char *setting_key; const char *setting_key;
SchemeFunc scheme_func;
PathFunc path_func;
BlobFunc blob_func;
const char *ifcfg_key; const char *ifcfg_key;
const char *path_tag;
const char *hash_tag;
const char *suffix; const char *suffix;
} ObjectType; } ObjectType;
static const ObjectType ca_type = { static const ObjectType ca_type = {
NM_SETTING_802_1X_CA_CERT, NM_SETTING_802_1X_CA_CERT,
nm_setting_802_1x_get_ca_cert_scheme,
nm_setting_802_1x_get_ca_cert_path,
nm_setting_802_1x_get_ca_cert_blob,
"IEEE_8021X_CA_CERT", "IEEE_8021X_CA_CERT",
TAG_CA_CERT_PATH,
TAG_CA_CERT_HASH,
"ca-cert.der" "ca-cert.der"
}; };
static const ObjectType phase2_ca_type = { static const ObjectType phase2_ca_type = {
NM_SETTING_802_1X_PHASE2_CA_CERT, NM_SETTING_802_1X_PHASE2_CA_CERT,
nm_setting_802_1x_get_phase2_ca_cert_scheme,
nm_setting_802_1x_get_phase2_ca_cert_path,
nm_setting_802_1x_get_phase2_ca_cert_blob,
"IEEE_8021X_INNER_CA_CERT", "IEEE_8021X_INNER_CA_CERT",
TAG_PHASE2_CA_CERT_PATH,
TAG_PHASE2_CA_CERT_HASH,
"inner-ca-cert.der" "inner-ca-cert.der"
}; };
static const ObjectType client_type = { static const ObjectType client_type = {
NM_SETTING_802_1X_CLIENT_CERT, NM_SETTING_802_1X_CLIENT_CERT,
nm_setting_802_1x_get_client_cert_scheme,
nm_setting_802_1x_get_client_cert_path,
nm_setting_802_1x_get_client_cert_blob,
"IEEE_8021X_CLIENT_CERT", "IEEE_8021X_CLIENT_CERT",
TAG_CLIENT_CERT_PATH,
TAG_CLIENT_CERT_HASH,
"client-cert.der" "client-cert.der"
}; };
static const ObjectType phase2_client_type = { static const ObjectType phase2_client_type = {
NM_SETTING_802_1X_PHASE2_CLIENT_CERT, NM_SETTING_802_1X_PHASE2_CLIENT_CERT,
nm_setting_802_1x_get_phase2_client_cert_scheme,
nm_setting_802_1x_get_phase2_client_cert_path,
nm_setting_802_1x_get_phase2_client_cert_blob,
"IEEE_8021X_INNER_CLIENT_CERT", "IEEE_8021X_INNER_CLIENT_CERT",
TAG_PHASE2_CLIENT_CERT_PATH,
TAG_PHASE2_CLIENT_CERT_HASH,
"inner-client-cert.der" "inner-client-cert.der"
}; };
static const ObjectType pk_type = { static const ObjectType pk_type = {
NM_SETTING_802_1X_PRIVATE_KEY, NM_SETTING_802_1X_PRIVATE_KEY,
nm_setting_802_1x_get_private_key_scheme,
nm_setting_802_1x_get_private_key_path,
nm_setting_802_1x_get_private_key_blob,
"IEEE_8021X_PRIVATE_KEY", "IEEE_8021X_PRIVATE_KEY",
TAG_PRIVATE_KEY_PATH,
TAG_PRIVATE_KEY_HASH,
"private-key.pem" "private-key.pem"
}; };
static const ObjectType phase2_pk_type = { static const ObjectType phase2_pk_type = {
NM_SETTING_802_1X_PHASE2_PRIVATE_KEY, NM_SETTING_802_1X_PHASE2_PRIVATE_KEY,
nm_setting_802_1x_get_phase2_private_key_scheme,
nm_setting_802_1x_get_phase2_private_key_path,
nm_setting_802_1x_get_phase2_private_key_blob,
"IEEE_8021X_INNER_PRIVATE_KEY", "IEEE_8021X_INNER_PRIVATE_KEY",
TAG_PHASE2_PRIVATE_KEY_PATH,
TAG_PHASE2_PRIVATE_KEY_HASH,
"inner-private-key.pem" "inner-private-key.pem"
}; };
static const ObjectType p12_type = { static const ObjectType p12_type = {
NM_SETTING_802_1X_PRIVATE_KEY, NM_SETTING_802_1X_PRIVATE_KEY,
nm_setting_802_1x_get_private_key_scheme,
nm_setting_802_1x_get_private_key_path,
nm_setting_802_1x_get_private_key_blob,
"IEEE_8021X_PRIVATE_KEY", "IEEE_8021X_PRIVATE_KEY",
TAG_PRIVATE_KEY_PATH,
TAG_PRIVATE_KEY_HASH,
"private-key.p12" "private-key.p12"
}; };
static const ObjectType phase2_p12_type = { static const ObjectType phase2_p12_type = {
NM_SETTING_802_1X_PHASE2_PRIVATE_KEY, NM_SETTING_802_1X_PHASE2_PRIVATE_KEY,
nm_setting_802_1x_get_phase2_private_key_scheme,
nm_setting_802_1x_get_phase2_private_key_path,
nm_setting_802_1x_get_phase2_private_key_blob,
"IEEE_8021X_INNER_PRIVATE_KEY", "IEEE_8021X_INNER_PRIVATE_KEY",
TAG_PHASE2_PRIVATE_KEY_PATH,
TAG_PHASE2_PRIVATE_KEY_HASH,
"inner-private-key.p12" "inner-private-key.p12"
}; };
static gboolean static gboolean
write_object (NMSetting8021x *s_8021x, write_object (NMSetting8021x *s_8021x,
shvarFile *ifcfg, shvarFile *ifcfg,
const GByteArray *object, const GByteArray *override_data,
const ObjectType *objtype, const ObjectType *objtype,
gboolean *wrote,
GError **error) GError **error)
{ {
const char *orig_hash, *orig_file; NMSetting8021xCKScheme scheme;
char *new_hash = NULL, *new_file = NULL; const char *path = NULL;
gboolean success = FALSE; const GByteArray *blob = NULL;
GError *write_error = NULL;
g_return_val_if_fail (objtype != NULL, FALSE);
g_return_val_if_fail (ifcfg != NULL, FALSE); g_return_val_if_fail (ifcfg != NULL, FALSE);
g_return_val_if_fail (wrote != NULL, FALSE); g_return_val_if_fail (objtype != NULL, FALSE);
*wrote = FALSE; if (override_data) {
/* if given explicit data to save, always use that instead of asking
* the setting what to do.
*/
blob = override_data;
} else {
scheme = (*(objtype->scheme_func))(s_8021x);
switch (scheme) {
case NM_SETTING_802_1X_CK_SCHEME_BLOB:
blob = (*(objtype->blob_func))(s_8021x);
break;
case NM_SETTING_802_1X_CK_SCHEME_PATH:
path = (*(objtype->path_func))(s_8021x);
break;
default:
break;
}
}
/* If certificate/private key was sent, the connection may no longer be
* 802.1x and thus we clear out the paths and certs.
*/
if (!path && !blob) {
char *standard_file;
int ignored;
/* Since no cert/private key is now being used, delete any standard file
* that was created for this connection, but leave other files alone.
* Thus, for example,
* /etc/sysconfig/network-scripts/ca-cert-Test_Write_Wifi_WPA_EAP-TLS.der
* will be deleted, but /etc/pki/tls/cert.pem will not.
*/
standard_file = utils_cert_path (ifcfg->fileName, objtype->suffix);
if (g_file_test (standard_file, G_FILE_TEST_EXISTS))
ignored = unlink (standard_file);
g_free (standard_file);
if (!object) {
svSetValue (ifcfg, objtype->ifcfg_key, NULL, FALSE); svSetValue (ifcfg, objtype->ifcfg_key, NULL, FALSE);
return TRUE; return TRUE;
} }
new_hash = utils_hash_byte_array (object); /* If the object path was specified, prefer that over any raw cert data that
if (!new_hash) { * may have been sent.
g_set_error (error, ifcfg_plugin_error_quark (), 0, */
"Could not hash certificate/key data for %s / %s", if (path) {
NM_SETTING_802_1X_SETTING_NAME, objtype->setting_key); svSetValue (ifcfg, objtype->ifcfg_key, path, FALSE);
return FALSE; return TRUE;
} }
orig_hash = g_object_get_data (G_OBJECT (s_8021x), objtype->hash_tag); /* If it's raw certificate data, write the cert data out to the standard file */
orig_file = g_object_get_data (G_OBJECT (s_8021x), objtype->path_tag); if (blob) {
gboolean success;
char *new_file;
GError *write_error = NULL;
if (!orig_hash || !orig_file || strcmp (new_hash, orig_hash)) {
/* if the cert data has changed, or there wasn't a cert
* originally, write data out to the standard file.
*/
new_file = utils_cert_path (ifcfg->fileName, objtype->suffix); new_file = utils_cert_path (ifcfg->fileName, objtype->suffix);
if (!new_file) { if (!new_file) {
g_set_error (error, ifcfg_plugin_error_quark (), 0, g_set_error (error, ifcfg_plugin_error_quark (), 0,
"Could not create file path for %s / %s", "Could not create file path for %s / %s",
NM_SETTING_802_1X_SETTING_NAME, objtype->setting_key); NM_SETTING_802_1X_SETTING_NAME, objtype->setting_key);
goto out; return FALSE;
} }
if (!write_secret_file (new_file, (const char *) object->data, object->len, &write_error)) { /* Write the raw certificate data out to the standard file so that we
* can use paths from now on instead of pushing around the certificate
* data itself.
*/
success = write_secret_file (new_file, (const char *) blob->data, blob->len, &write_error);
if (success) {
svSetValue (ifcfg, objtype->ifcfg_key, new_file, FALSE);
return TRUE;
} else {
g_set_error (error, ifcfg_plugin_error_quark (), 0, g_set_error (error, ifcfg_plugin_error_quark (), 0,
"Could not write certificate/key for %s / %s: %s", "Could not write certificate/key for %s / %s: %s",
NM_SETTING_802_1X_SETTING_NAME, objtype->setting_key, NM_SETTING_802_1X_SETTING_NAME, objtype->setting_key,
(write_error && write_error->message) ? write_error->message : "(unknown)"); (write_error && write_error->message) ? write_error->message : "(unknown)");
g_clear_error (&write_error); g_clear_error (&write_error);
goto out;
} }
*wrote = TRUE; g_free (new_file);
svSetValue (ifcfg, objtype->ifcfg_key, new_file, FALSE);
g_object_set_data_full (G_OBJECT (s_8021x), objtype->path_tag, new_file, g_free);
new_file = NULL; /* g_object_set_data_full() took ownership */
g_object_set_data_full (G_OBJECT (s_8021x), objtype->hash_tag, new_hash, g_free);
new_hash = NULL; /* g_object_set_data_full() took ownership */
} else {
/* cert data hasn't changed */
svSetValue (ifcfg, objtype->ifcfg_key, orig_file, FALSE);
} }
success = TRUE;
out: return FALSE;
g_free (new_hash);
g_free (new_file);
return success;
} }
static gboolean static gboolean
@@ -297,16 +333,15 @@ write_8021x_certs (NMSetting8021x *s_8021x,
shvarFile *ifcfg, shvarFile *ifcfg,
GError **error) GError **error)
{ {
const GByteArray *data;
GByteArray *enc_key = NULL; GByteArray *enc_key = NULL;
const char *password = NULL; const char *password = NULL;
char *generated_pw = NULL; char *generated_pw = NULL;
gboolean success = FALSE, is_pkcs12 = FALSE, wrote; gboolean success = FALSE, is_pkcs12 = FALSE;
const ObjectType *otype = NULL; const ObjectType *otype = NULL;
const char *prop; const char *prop;
const GByteArray *blob = NULL;
/* CA certificate */ /* CA certificate */
data = NULL;
if (phase2) { if (phase2) {
prop = NM_SETTING_802_1X_PHASE2_CA_CERT; prop = NM_SETTING_802_1X_PHASE2_CA_CERT;
otype = &phase2_ca_type; otype = &phase2_ca_type;
@@ -314,24 +349,22 @@ write_8021x_certs (NMSetting8021x *s_8021x,
prop = NM_SETTING_802_1X_CA_CERT; prop = NM_SETTING_802_1X_CA_CERT;
otype = &ca_type; otype = &ca_type;
} }
g_object_get (G_OBJECT (s_8021x), prop, &data, NULL);
if (!write_object (s_8021x, ifcfg, data, otype, &wrote, error)) if (!write_object (s_8021x, ifcfg, NULL, otype, error))
return FALSE; return FALSE;
/* Private key */ /* Private key */
if (phase2) { if (phase2) {
if (nm_setting_802_1x_get_phase2_private_key (s_8021x)) { if (nm_setting_802_1x_get_phase2_private_key_scheme (s_8021x) != NM_SETTING_802_1X_CK_SCHEME_UNKNOWN) {
if (nm_setting_802_1x_get_phase2_private_key_type (s_8021x) == NM_SETTING_802_1X_CK_TYPE_PKCS12) if (nm_setting_802_1x_get_phase2_private_key_format (s_8021x) == NM_SETTING_802_1X_CK_FORMAT_PKCS12)
is_pkcs12 = TRUE; is_pkcs12 = TRUE;
} }
prop = NM_SETTING_802_1X_PHASE2_PRIVATE_KEY;
password = nm_setting_802_1x_get_phase2_private_key_password (s_8021x); password = nm_setting_802_1x_get_phase2_private_key_password (s_8021x);
} else { } else {
if (nm_setting_802_1x_get_private_key (s_8021x)) { if (nm_setting_802_1x_get_private_key_scheme (s_8021x) != NM_SETTING_802_1X_CK_SCHEME_UNKNOWN) {
if (nm_setting_802_1x_get_private_key_type (s_8021x) == NM_SETTING_802_1X_CK_TYPE_PKCS12) if (nm_setting_802_1x_get_private_key_format (s_8021x) == NM_SETTING_802_1X_CK_FORMAT_PKCS12)
is_pkcs12 = TRUE; is_pkcs12 = TRUE;
} }
prop = NM_SETTING_802_1X_PRIVATE_KEY;
password = nm_setting_802_1x_get_private_key_password (s_8021x); password = nm_setting_802_1x_get_private_key_password (s_8021x);
} }
@@ -340,11 +373,19 @@ write_8021x_certs (NMSetting8021x *s_8021x,
else else
otype = phase2 ? &phase2_pk_type : &pk_type; otype = phase2 ? &phase2_pk_type : &pk_type;
data = NULL; if ((*(otype->scheme_func))(s_8021x) == NM_SETTING_802_1X_CK_SCHEME_BLOB)
g_object_get (G_OBJECT (s_8021x), prop, &data, NULL); blob = (*(otype->blob_func))(s_8021x);
if (data && !is_pkcs12) {
/* Only do the private key re-encrypt dance if we got the raw key data, which
* by definition will be unencrypted. If we're given a direct path to the
* private key file, it'll be encrypted, so we don't need to re-encrypt.
*/
if (blob && !is_pkcs12) {
GByteArray *array; GByteArray *array;
/* If the private key is an unencrypted blob, re-encrypt it with a
* random password since we don't store unencrypted private keys on disk.
*/
if (!password) { if (!password) {
/* Create a random private key */ /* Create a random private key */
array = crypto_random (32, error); array = crypto_random (32, error);
@@ -356,13 +397,14 @@ write_8021x_certs (NMSetting8021x *s_8021x,
g_byte_array_free (array, TRUE); g_byte_array_free (array, TRUE);
} }
/* Re-encrypt the private key if it's not PKCS#12 (which never decrypted by NM) */ /* Encrypt the unencrypted private key with the fake password */
enc_key = crypto_key_to_pem (data, password, error); enc_key = crypto_key_to_pem (blob, password, error);
if (!enc_key) if (!enc_key)
goto out; goto out;
} }
if (!write_object (s_8021x, ifcfg, enc_key ? enc_key : data, otype, &wrote, error)) /* Save the private key */
if (!write_object (s_8021x, ifcfg, enc_key, otype, error))
goto out; goto out;
/* Private key password */ /* Private key password */
@@ -371,11 +413,6 @@ write_8021x_certs (NMSetting8021x *s_8021x,
else else
set_secret (ifcfg, "IEEE_8021X_PRIVATE_KEY_PASSWORD", password); set_secret (ifcfg, "IEEE_8021X_PRIVATE_KEY_PASSWORD", password);
if (enc_key) {
memset (enc_key->data, 0, enc_key->len);
g_byte_array_free (enc_key, TRUE);
}
/* Client certificate */ /* Client certificate */
if (is_pkcs12) { if (is_pkcs12) {
svSetValue (ifcfg, svSetValue (ifcfg,
@@ -389,9 +426,9 @@ write_8021x_certs (NMSetting8021x *s_8021x,
prop = NM_SETTING_802_1X_CLIENT_CERT; prop = NM_SETTING_802_1X_CLIENT_CERT;
otype = &client_type; otype = &client_type;
} }
data = NULL;
g_object_get (G_OBJECT (s_8021x), prop, &data, NULL); /* Save the client certificate */
if (!write_object (s_8021x, ifcfg, data, otype, &wrote, error)) if (!write_object (s_8021x, ifcfg, NULL, otype, error))
goto out; goto out;
} }
@@ -402,6 +439,10 @@ out:
memset (generated_pw, 0, strlen (generated_pw)); memset (generated_pw, 0, strlen (generated_pw));
g_free (generated_pw); g_free (generated_pw);
} }
if (enc_key) {
memset (enc_key->data, 0, enc_key->len);
g_byte_array_free (enc_key, TRUE);
}
return success; return success;
} }