libnm-util: allow certificate/key paths
Overload the certificate and key properties to allow paths to the certificates and keys using a special prefix for the property data. Add API to libnm-util for easy certificate path handling, and documentation for NMSetting8021x.
This commit is contained in:
Dan Williams
@@ -619,14 +619,14 @@ crypto_is_pkcs12_data (const GByteArray *data)
|
||||
}
|
||||
|
||||
gboolean
|
||||
crypto_is_pkcs12_file (const char *file)
|
||||
crypto_is_pkcs12_file (const char *file, GError **error)
|
||||
{
|
||||
GByteArray *contents;
|
||||
gboolean success = FALSE;
|
||||
|
||||
g_return_val_if_fail (file != NULL, FALSE);
|
||||
|
||||
contents = file_to_g_byte_array (file, TRUE, NULL);
|
||||
contents = file_to_g_byte_array (file, TRUE, error);
|
||||
if (contents) {
|
||||
success = crypto_is_pkcs12_data (contents);
|
||||
g_byte_array_free (contents, TRUE);
|
||||
|
||||
@@ -83,7 +83,7 @@ GByteArray * crypto_load_and_verify_certificate (const char *file,
|
||||
NMCryptoFileFormat *out_file_format,
|
||||
GError **error);
|
||||
|
||||
gboolean crypto_is_pkcs12_file (const char *file);
|
||||
gboolean crypto_is_pkcs12_file (const char *file, GError **error);
|
||||
|
||||
gboolean crypto_is_pkcs12_data (const GByteArray *data);
|
||||
|
||||
|
||||
@@ -31,11 +31,15 @@ global:
|
||||
nm_setting_802_1x_error_get_type;
|
||||
nm_setting_802_1x_error_quark;
|
||||
nm_setting_802_1x_get_anonymous_identity;
|
||||
nm_setting_802_1x_get_ca_cert;
|
||||
nm_setting_802_1x_set_ca_cert_from_file;
|
||||
nm_setting_802_1x_get_ca_cert_scheme;
|
||||
nm_setting_802_1x_get_ca_cert_blob;
|
||||
nm_setting_802_1x_get_ca_cert_path;
|
||||
nm_setting_802_1x_set_ca_cert;
|
||||
nm_setting_802_1x_get_ca_path;
|
||||
nm_setting_802_1x_get_client_cert;
|
||||
nm_setting_802_1x_set_client_cert_from_file;
|
||||
nm_setting_802_1x_get_client_cert_scheme;
|
||||
nm_setting_802_1x_get_client_cert_blob;
|
||||
nm_setting_802_1x_get_client_cert_path;
|
||||
nm_setting_802_1x_set_client_cert;
|
||||
nm_setting_802_1x_get_eap_method;
|
||||
nm_setting_802_1x_get_identity;
|
||||
nm_setting_802_1x_get_num_eap_methods;
|
||||
@@ -45,20 +49,28 @@ global:
|
||||
nm_setting_802_1x_get_phase1_peapver;
|
||||
nm_setting_802_1x_get_phase2_auth;
|
||||
nm_setting_802_1x_get_phase2_autheap;
|
||||
nm_setting_802_1x_get_phase2_ca_cert;
|
||||
nm_setting_802_1x_set_phase2_ca_cert_from_file;
|
||||
nm_setting_802_1x_get_phase2_ca_cert_scheme;
|
||||
nm_setting_802_1x_get_phase2_ca_cert_blob;
|
||||
nm_setting_802_1x_get_phase2_ca_cert_path;
|
||||
nm_setting_802_1x_set_phase2_ca_cert;
|
||||
nm_setting_802_1x_get_phase2_ca_path;
|
||||
nm_setting_802_1x_get_phase2_client_cert;
|
||||
nm_setting_802_1x_set_phase2_client_cert_from_file;
|
||||
nm_setting_802_1x_get_phase2_private_key;
|
||||
nm_setting_802_1x_set_phase2_private_key_from_file;
|
||||
nm_setting_802_1x_get_phase2_client_cert_scheme;
|
||||
nm_setting_802_1x_get_phase2_client_cert_blob;
|
||||
nm_setting_802_1x_get_phase2_client_cert_path;
|
||||
nm_setting_802_1x_set_phase2_client_cert;
|
||||
nm_setting_802_1x_get_phase2_private_key_blob;
|
||||
nm_setting_802_1x_get_phase2_private_key_format;
|
||||
nm_setting_802_1x_get_phase2_private_key_password;
|
||||
nm_setting_802_1x_get_phase2_private_key_type;
|
||||
nm_setting_802_1x_get_phase2_private_key_path;
|
||||
nm_setting_802_1x_get_phase2_private_key_scheme;
|
||||
nm_setting_802_1x_set_phase2_private_key;
|
||||
nm_setting_802_1x_get_pin;
|
||||
nm_setting_802_1x_get_private_key;
|
||||
nm_setting_802_1x_set_private_key_from_file;
|
||||
nm_setting_802_1x_get_private_key_blob;
|
||||
nm_setting_802_1x_get_private_key_format;
|
||||
nm_setting_802_1x_get_private_key_password;
|
||||
nm_setting_802_1x_get_private_key_type;
|
||||
nm_setting_802_1x_get_private_key_path;
|
||||
nm_setting_802_1x_get_private_key_scheme;
|
||||
nm_setting_802_1x_set_private_key;
|
||||
nm_setting_802_1x_get_psk;
|
||||
nm_setting_802_1x_get_system_ca_certs;
|
||||
nm_setting_802_1x_get_type;
|
||||
|
||||
File diff suppressed because it is too large
Load Diff
@@ -19,7 +19,7 @@
|
||||
* Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||
* Boston, MA 02110-1301 USA.
|
||||
*
|
||||
* (C) Copyright 2007 - 2008 Red Hat, Inc.
|
||||
* (C) Copyright 2007 - 2009 Red Hat, Inc.
|
||||
* (C) Copyright 2007 - 2008 Novell, Inc.
|
||||
*/
|
||||
|
||||
@@ -31,11 +31,17 @@
|
||||
G_BEGIN_DECLS
|
||||
|
||||
typedef enum {
|
||||
NM_SETTING_802_1X_CK_TYPE_UNKNOWN = 0,
|
||||
NM_SETTING_802_1X_CK_TYPE_X509,
|
||||
NM_SETTING_802_1X_CK_TYPE_RAW_KEY,
|
||||
NM_SETTING_802_1X_CK_TYPE_PKCS12
|
||||
} NMSetting8021xCKType;
|
||||
NM_SETTING_802_1X_CK_FORMAT_UNKNOWN = 0,
|
||||
NM_SETTING_802_1X_CK_FORMAT_X509,
|
||||
NM_SETTING_802_1X_CK_FORMAT_RAW_KEY,
|
||||
NM_SETTING_802_1X_CK_FORMAT_PKCS12
|
||||
} NMSetting8021xCKFormat;
|
||||
|
||||
typedef enum {
|
||||
NM_SETTING_802_1X_CK_SCHEME_UNKNOWN = 0,
|
||||
NM_SETTING_802_1X_CK_SCHEME_BLOB,
|
||||
NM_SETTING_802_1X_CK_SCHEME_PATH
|
||||
} NMSetting8021xCKScheme;
|
||||
|
||||
#define NM_TYPE_SETTING_802_1X (nm_setting_802_1x_get_type ())
|
||||
#define NM_SETTING_802_1X(obj) (G_TYPE_CHECK_INSTANCE_CAST ((obj), NM_TYPE_SETTING_802_1X, NMSetting8021x))
|
||||
@@ -83,6 +89,30 @@ GQuark nm_setting_802_1x_error_quark (void);
|
||||
#define NM_SETTING_802_1X_PSK "psk"
|
||||
#define NM_SETTING_802_1X_SYSTEM_CA_CERTS "system-ca-certs"
|
||||
|
||||
/* PRIVATE KEY NOTE: when setting PKCS#12 private keys directly via properties
|
||||
* using the "blob" scheme, the data must be passed in PKCS#12 format. In this
|
||||
* case, the private key password must also be passed to NetworkManager, and the
|
||||
* appropriate "client-cert" (or "phase2-client-cert") property of the
|
||||
* NMSetting8021x object must also contain the exact same PKCS#12 data that the
|
||||
* private key will when NetworkManager requests secrets. This is because the
|
||||
* PKCS#12 file contains both the private key and client certificate, so both
|
||||
* properties need to be set to the same thing. When using the "path" scheme,
|
||||
* just set both the private-key and client-cert properties to the same path,
|
||||
* and set the private-key password correctly.
|
||||
*
|
||||
* When setting OpenSSL-derived "traditional" format (ie S/MIME style, not
|
||||
* PKCS#8) RSA and DSA keys directly via properties with the "blob" scheme, they
|
||||
* must passed to NetworkManager completely decrypted because the OpenSSL
|
||||
* "traditional" format is non-standard and is not complete enough for all
|
||||
* crypto libraries to use. Thus, for OpenSSL "traditional" format keys, the
|
||||
* private key password is not passed to NetworkManager (because the data is
|
||||
* already decrypted by the client), and the appropriate "client-cert" (or
|
||||
* "phase2-client-cert") property of the NMSetting8021x object must be a valid
|
||||
* client certificate. When using the "path" scheme, just set the private-key
|
||||
* and client-cert properties to the paths to their respective objects, and
|
||||
* set the private-key password correctly.
|
||||
*/
|
||||
|
||||
typedef struct {
|
||||
NMSetting parent;
|
||||
} NMSetting8021x;
|
||||
@@ -105,18 +135,27 @@ const char * nm_setting_802_1x_get_identity (NMSetting8
|
||||
|
||||
const char * nm_setting_802_1x_get_anonymous_identity (NMSetting8021x *setting);
|
||||
|
||||
const GByteArray *nm_setting_802_1x_get_ca_cert (NMSetting8021x *setting);
|
||||
gboolean nm_setting_802_1x_get_system_ca_certs (NMSetting8021x *setting);
|
||||
const char * nm_setting_802_1x_get_ca_path (NMSetting8021x *setting);
|
||||
gboolean nm_setting_802_1x_set_ca_cert_from_file (NMSetting8021x *setting,
|
||||
const char *filename,
|
||||
NMSetting8021xCKType *out_ck_type,
|
||||
GError **err);
|
||||
const char * nm_setting_802_1x_get_phase2_ca_path (NMSetting8021x *setting);
|
||||
|
||||
const GByteArray *nm_setting_802_1x_get_client_cert (NMSetting8021x *setting);
|
||||
gboolean nm_setting_802_1x_set_client_cert_from_file (NMSetting8021x *setting,
|
||||
NMSetting8021xCKScheme nm_setting_802_1x_get_ca_cert_scheme (NMSetting8021x *setting);
|
||||
const GByteArray * nm_setting_802_1x_get_ca_cert_blob (NMSetting8021x *setting);
|
||||
const char * nm_setting_802_1x_get_ca_cert_path (NMSetting8021x *setting);
|
||||
gboolean nm_setting_802_1x_set_ca_cert (NMSetting8021x *setting,
|
||||
const char *filename,
|
||||
NMSetting8021xCKType *out_ck_type,
|
||||
GError **err);
|
||||
NMSetting8021xCKScheme scheme,
|
||||
NMSetting8021xCKFormat *out_format,
|
||||
GError **error);
|
||||
|
||||
NMSetting8021xCKScheme nm_setting_802_1x_get_client_cert_scheme (NMSetting8021x *setting);
|
||||
const GByteArray * nm_setting_802_1x_get_client_cert_blob (NMSetting8021x *setting);
|
||||
const char * nm_setting_802_1x_get_client_cert_path (NMSetting8021x *setting);
|
||||
gboolean nm_setting_802_1x_set_client_cert (NMSetting8021x *setting,
|
||||
const char *filename,
|
||||
NMSetting8021xCKScheme scheme,
|
||||
NMSetting8021xCKFormat *out_format,
|
||||
GError **error);
|
||||
|
||||
const char * nm_setting_802_1x_get_phase1_peapver (NMSetting8021x *setting);
|
||||
|
||||
@@ -128,19 +167,23 @@ const char * nm_setting_802_1x_get_phase2_auth (NMSetting8
|
||||
|
||||
const char * nm_setting_802_1x_get_phase2_autheap (NMSetting8021x *setting);
|
||||
|
||||
const GByteArray *nm_setting_802_1x_get_phase2_ca_cert (NMSetting8021x *setting);
|
||||
const char * nm_setting_802_1x_get_phase2_ca_path (NMSetting8021x *setting);
|
||||
gboolean nm_setting_802_1x_set_phase2_ca_cert_from_file (NMSetting8021x *setting,
|
||||
NMSetting8021xCKScheme nm_setting_802_1x_get_phase2_ca_cert_scheme (NMSetting8021x *setting);
|
||||
const GByteArray * nm_setting_802_1x_get_phase2_ca_cert_blob (NMSetting8021x *setting);
|
||||
const char * nm_setting_802_1x_get_phase2_ca_cert_path (NMSetting8021x *setting);
|
||||
gboolean nm_setting_802_1x_set_phase2_ca_cert (NMSetting8021x *setting,
|
||||
const char *filename,
|
||||
NMSetting8021xCKType *out_ck_type,
|
||||
GError **err);
|
||||
gboolean nm_setting_802_1x_get_system_ca_certs (NMSetting8021x *setting);
|
||||
NMSetting8021xCKScheme scheme,
|
||||
NMSetting8021xCKFormat *out_format,
|
||||
GError **error);
|
||||
|
||||
const GByteArray *nm_setting_802_1x_get_phase2_client_cert (NMSetting8021x *setting);
|
||||
gboolean nm_setting_802_1x_set_phase2_client_cert_from_file (NMSetting8021x *setting,
|
||||
const char *filename,
|
||||
NMSetting8021xCKType *out_ck_type,
|
||||
GError **err);
|
||||
NMSetting8021xCKScheme nm_setting_802_1x_get_phase2_client_cert_scheme (NMSetting8021x *setting);
|
||||
const GByteArray * nm_setting_802_1x_get_phase2_client_cert_blob (NMSetting8021x *setting);
|
||||
const char * nm_setting_802_1x_get_phase2_client_cert_path (NMSetting8021x *setting);
|
||||
gboolean nm_setting_802_1x_set_phase2_client_cert (NMSetting8021x *setting,
|
||||
const char *filename,
|
||||
NMSetting8021xCKScheme scheme,
|
||||
NMSetting8021xCKFormat *out_format,
|
||||
GError **error);
|
||||
|
||||
const char * nm_setting_802_1x_get_password (NMSetting8021x *setting);
|
||||
|
||||
@@ -148,39 +191,31 @@ const char * nm_setting_802_1x_get_pin (NMSetting8
|
||||
|
||||
const char * nm_setting_802_1x_get_psk (NMSetting8021x *setting);
|
||||
|
||||
/* PRIVATE KEY NOTE: when PKCS#12 private keys are used, the PKCS#12 data must
|
||||
* be passed to NetworkManager as PKCS#12 (ie, shrouded). In this case, the
|
||||
* private key password must also be passed to NetworkManager, and the
|
||||
* appropriate "client-cert" (or "phase2-client-cert") property of the
|
||||
* NMSetting8021x object must also contain the exact same PKCS#12 data that the
|
||||
* private key will when NetworkManager requests secrets.
|
||||
*
|
||||
* When OpenSSL-derived "traditional" format (ie S/MIME style, not PKCS#8) RSA
|
||||
* and DSA keys are used, they must passed to NetworkManager completely
|
||||
* decrypted because the OpenSSL "traditional" format is non-standard and is not
|
||||
* complete enough for all crypto libraries to use. Thus, for OpenSSL
|
||||
* "traditional" format keys, the private key password is not passed to
|
||||
* NetworkManager, and the appropriate "client-cert" (or "phase2-client-cert")
|
||||
* property of the NMSetting8021x object must be a valid client certificate.
|
||||
*/
|
||||
NMSetting8021xCKScheme nm_setting_802_1x_get_private_key_scheme (NMSetting8021x *setting);
|
||||
const GByteArray * nm_setting_802_1x_get_private_key_blob (NMSetting8021x *setting);
|
||||
const char * nm_setting_802_1x_get_private_key_path (NMSetting8021x *setting);
|
||||
gboolean nm_setting_802_1x_set_private_key (NMSetting8021x *setting,
|
||||
const char *filename,
|
||||
const char *password,
|
||||
NMSetting8021xCKScheme scheme,
|
||||
NMSetting8021xCKFormat *out_format,
|
||||
GError **error);
|
||||
const char * nm_setting_802_1x_get_private_key_password (NMSetting8021x *setting);
|
||||
|
||||
const GByteArray *nm_setting_802_1x_get_private_key (NMSetting8021x *setting);
|
||||
const char * nm_setting_802_1x_get_private_key_password (NMSetting8021x *setting);
|
||||
gboolean nm_setting_802_1x_set_private_key_from_file (NMSetting8021x *setting,
|
||||
const char *filename,
|
||||
const char *password,
|
||||
NMSetting8021xCKType *out_ck_type,
|
||||
GError **err);
|
||||
NMSetting8021xCKType nm_setting_802_1x_get_private_key_type (NMSetting8021x *setting);
|
||||
NMSetting8021xCKFormat nm_setting_802_1x_get_private_key_format (NMSetting8021x *setting);
|
||||
|
||||
const GByteArray *nm_setting_802_1x_get_phase2_private_key (NMSetting8021x *setting);
|
||||
const char * nm_setting_802_1x_get_phase2_private_key_password (NMSetting8021x *setting);
|
||||
gboolean nm_setting_802_1x_set_phase2_private_key_from_file (NMSetting8021x *setting,
|
||||
const char *filename,
|
||||
const char *password,
|
||||
NMSetting8021xCKType *out_ck_type,
|
||||
GError **err);
|
||||
NMSetting8021xCKType nm_setting_802_1x_get_phase2_private_key_type (NMSetting8021x *setting);
|
||||
NMSetting8021xCKScheme nm_setting_802_1x_get_phase2_private_key_scheme (NMSetting8021x *setting);
|
||||
const GByteArray * nm_setting_802_1x_get_phase2_private_key_blob (NMSetting8021x *setting);
|
||||
const char * nm_setting_802_1x_get_phase2_private_key_path (NMSetting8021x *setting);
|
||||
gboolean nm_setting_802_1x_set_phase2_private_key (NMSetting8021x *setting,
|
||||
const char *filename,
|
||||
const char *password,
|
||||
NMSetting8021xCKScheme scheme,
|
||||
NMSetting8021xCKFormat *out_format,
|
||||
GError **error);
|
||||
const char * nm_setting_802_1x_get_phase2_private_key_password (NMSetting8021x *setting);
|
||||
|
||||
NMSetting8021xCKFormat nm_setting_802_1x_get_phase2_private_key_format (NMSetting8021x *setting);
|
||||
|
||||
G_END_DECLS
|
||||
|
||||
|
||||
@@ -205,7 +205,7 @@ test_is_pkcs12 (const char *path, gboolean expect_fail, const char *desc)
|
||||
{
|
||||
gboolean is_pkcs12;
|
||||
|
||||
is_pkcs12 = crypto_is_pkcs12_file (path);
|
||||
is_pkcs12 = crypto_is_pkcs12_file (path, NULL);
|
||||
if (expect_fail) {
|
||||
ASSERT (is_pkcs12 == FALSE, desc,
|
||||
"unexpected success reading non-PKCS#12 file '%s'",
|
||||
|
||||
@@ -702,8 +702,8 @@ nm_supplicant_config_add_setting_8021x (NMSupplicantConfig *self,
|
||||
{
|
||||
NMSupplicantConfigPrivate *priv;
|
||||
char *tmp;
|
||||
const char *peapver, *value;
|
||||
gboolean success;
|
||||
const char *peapver, *value, *path;
|
||||
gboolean success, added;
|
||||
GString *phase1, *phase2;
|
||||
const GByteArray *array;
|
||||
|
||||
@@ -780,53 +780,163 @@ nm_supplicant_config_add_setting_8021x (NMSupplicantConfig *self,
|
||||
}
|
||||
g_string_free (phase2, TRUE);
|
||||
|
||||
if (nm_setting_802_1x_get_system_ca_certs (setting)) {
|
||||
if (!add_string_val (self, SYSTEM_CA_PATH, "ca_path", FALSE, FALSE))
|
||||
/* CA path */
|
||||
path = nm_setting_802_1x_get_ca_path (setting);
|
||||
if (nm_setting_802_1x_get_system_ca_certs (setting))
|
||||
path = SYSTEM_CA_PATH;
|
||||
if (path) {
|
||||
if (!add_string_val (self, path, "ca_path", FALSE, FALSE))
|
||||
return FALSE;
|
||||
} else {
|
||||
ADD_BLOB_VAL (nm_setting_802_1x_get_ca_cert (setting), "ca_cert", connection_uid);
|
||||
}
|
||||
|
||||
array = nm_setting_802_1x_get_private_key (setting);
|
||||
if (array) {
|
||||
ADD_BLOB_VAL (array, "private_key", connection_uid);
|
||||
/* Phase2 CA path */
|
||||
path = nm_setting_802_1x_get_phase2_ca_path (setting);
|
||||
if (nm_setting_802_1x_get_system_ca_certs (setting))
|
||||
path = SYSTEM_CA_PATH;
|
||||
if (path) {
|
||||
if (!add_string_val (self, path, "ca_path2", FALSE, FALSE))
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
switch (nm_setting_802_1x_get_private_key_type (setting)) {
|
||||
case NM_SETTING_802_1X_CK_TYPE_PKCS12:
|
||||
/* Only add the private key password for PKCS#12 keys */
|
||||
/* CA certificate */
|
||||
switch (nm_setting_802_1x_get_ca_cert_scheme (setting)) {
|
||||
case NM_SETTING_802_1X_CK_SCHEME_BLOB:
|
||||
array = nm_setting_802_1x_get_ca_cert_blob (setting);
|
||||
ADD_BLOB_VAL (array, "ca_cert", connection_uid);
|
||||
break;
|
||||
case NM_SETTING_802_1X_CK_SCHEME_PATH:
|
||||
path = nm_setting_802_1x_get_ca_cert_path (setting);
|
||||
if (!add_string_val (self, path, "ca_cert", FALSE, FALSE))
|
||||
return FALSE;
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
}
|
||||
|
||||
/* Phase 2 CA certificate */
|
||||
switch (nm_setting_802_1x_get_phase2_ca_cert_scheme (setting)) {
|
||||
case NM_SETTING_802_1X_CK_SCHEME_BLOB:
|
||||
array = nm_setting_802_1x_get_phase2_ca_cert_blob (setting);
|
||||
ADD_BLOB_VAL (array, "ca_cert2", connection_uid);
|
||||
break;
|
||||
case NM_SETTING_802_1X_CK_SCHEME_PATH:
|
||||
path = nm_setting_802_1x_get_phase2_ca_cert_path (setting);
|
||||
if (!add_string_val (self, path, "ca_cert2", FALSE, FALSE))
|
||||
return FALSE;
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
}
|
||||
|
||||
/* Private key */
|
||||
added = FALSE;
|
||||
switch (nm_setting_802_1x_get_private_key_scheme (setting)) {
|
||||
case NM_SETTING_802_1X_CK_SCHEME_BLOB:
|
||||
array = nm_setting_802_1x_get_private_key_blob (setting);
|
||||
ADD_BLOB_VAL (array, "private_key", connection_uid);
|
||||
added = TRUE;
|
||||
break;
|
||||
case NM_SETTING_802_1X_CK_SCHEME_PATH:
|
||||
path = nm_setting_802_1x_get_private_key_path (setting);
|
||||
if (!add_string_val (self, path, "private_key", FALSE, FALSE))
|
||||
return FALSE;
|
||||
added = TRUE;
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
}
|
||||
|
||||
if (added) {
|
||||
NMSetting8021xCKFormat format;
|
||||
NMSetting8021xCKScheme scheme;
|
||||
|
||||
format = nm_setting_802_1x_get_private_key_format (setting);
|
||||
scheme = nm_setting_802_1x_get_private_key_scheme (setting);
|
||||
|
||||
if ( scheme == NM_SETTING_802_1X_CK_SCHEME_PATH
|
||||
|| format == NM_SETTING_802_1X_CK_FORMAT_PKCS12) {
|
||||
/* Only add the private key password for PKCS#12 blobs and
|
||||
* all path schemes, since in both of these cases the private key
|
||||
* isn't decrypted at all.
|
||||
*/
|
||||
value = nm_setting_802_1x_get_private_key_password (setting);
|
||||
if (!add_string_val (self, value, "private_key_passwd", FALSE, TRUE))
|
||||
return FALSE;
|
||||
break;
|
||||
default:
|
||||
/* Only add the client cert if the private key is not PKCS#12 */
|
||||
ADD_BLOB_VAL (nm_setting_802_1x_get_client_cert (setting), "client_cert", connection_uid);
|
||||
break;
|
||||
}
|
||||
|
||||
if (format != NM_SETTING_802_1X_CK_FORMAT_PKCS12) {
|
||||
/* Only add the client cert if the private key is not PKCS#12, as
|
||||
* wpa_supplicant configuration directs us to do.
|
||||
*/
|
||||
switch (nm_setting_802_1x_get_client_cert_scheme (setting)) {
|
||||
case NM_SETTING_802_1X_CK_SCHEME_BLOB:
|
||||
array = nm_setting_802_1x_get_client_cert_blob (setting);
|
||||
ADD_BLOB_VAL (array, "client_cert", connection_uid);
|
||||
break;
|
||||
case NM_SETTING_802_1X_CK_SCHEME_PATH:
|
||||
path = nm_setting_802_1x_get_client_cert_path (setting);
|
||||
if (!add_string_val (self, path, "client_cert", FALSE, FALSE))
|
||||
return FALSE;
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if (nm_setting_802_1x_get_system_ca_certs (setting)) {
|
||||
if (!add_string_val (self, SYSTEM_CA_PATH, "ca_path2", FALSE, FALSE))
|
||||
/* Phase 2 private key */
|
||||
added = FALSE;
|
||||
switch (nm_setting_802_1x_get_phase2_private_key_scheme (setting)) {
|
||||
case NM_SETTING_802_1X_CK_SCHEME_BLOB:
|
||||
array = nm_setting_802_1x_get_phase2_private_key_blob (setting);
|
||||
ADD_BLOB_VAL (array, "private_key2", connection_uid);
|
||||
added = TRUE;
|
||||
break;
|
||||
case NM_SETTING_802_1X_CK_SCHEME_PATH:
|
||||
path = nm_setting_802_1x_get_phase2_private_key_path (setting);
|
||||
if (!add_string_val (self, path, "private_key2", FALSE, FALSE))
|
||||
return FALSE;
|
||||
} else {
|
||||
ADD_BLOB_VAL (nm_setting_802_1x_get_phase2_ca_cert (setting), "ca_cert2", connection_uid);
|
||||
added = TRUE;
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
}
|
||||
|
||||
array = nm_setting_802_1x_get_phase2_private_key (setting);
|
||||
if (array) {
|
||||
ADD_BLOB_VAL (array, "private_key2", connection_uid);
|
||||
if (added) {
|
||||
NMSetting8021xCKFormat format;
|
||||
NMSetting8021xCKScheme scheme;
|
||||
|
||||
switch (nm_setting_802_1x_get_phase2_private_key_type (setting)) {
|
||||
case NM_SETTING_802_1X_CK_TYPE_PKCS12:
|
||||
/* Only add the private key password for PKCS#12 keys */
|
||||
format = nm_setting_802_1x_get_phase2_private_key_format (setting);
|
||||
scheme = nm_setting_802_1x_get_phase2_private_key_scheme (setting);
|
||||
|
||||
if ( scheme == NM_SETTING_802_1X_CK_SCHEME_PATH
|
||||
|| format == NM_SETTING_802_1X_CK_FORMAT_PKCS12) {
|
||||
/* Only add the private key password for PKCS#12 blobs and
|
||||
* all path schemes, since in both of these cases the private key
|
||||
* isn't decrypted at all.
|
||||
*/
|
||||
value = nm_setting_802_1x_get_phase2_private_key_password (setting);
|
||||
if (!add_string_val (self, value, "private_key2_passwd", FALSE, TRUE))
|
||||
if (!add_string_val (self, value, "private_key_passwd2", FALSE, TRUE))
|
||||
return FALSE;
|
||||
break;
|
||||
default:
|
||||
/* Only add the client cert if the private key is not PKCS#12 */
|
||||
ADD_BLOB_VAL (nm_setting_802_1x_get_phase2_client_cert (setting), "client_cert2", connection_uid);
|
||||
break;
|
||||
}
|
||||
|
||||
if (format != NM_SETTING_802_1X_CK_FORMAT_PKCS12) {
|
||||
/* Only add the client cert if the private key is not PKCS#12, as
|
||||
* wpa_supplicant configuration directs us to do.
|
||||
*/
|
||||
switch (nm_setting_802_1x_get_phase2_client_cert_scheme (setting)) {
|
||||
case NM_SETTING_802_1X_CK_SCHEME_BLOB:
|
||||
array = nm_setting_802_1x_get_phase2_client_cert_blob (setting);
|
||||
ADD_BLOB_VAL (array, "client_cert2", connection_uid);
|
||||
break;
|
||||
case NM_SETTING_802_1X_CK_SCHEME_PATH:
|
||||
path = nm_setting_802_1x_get_phase2_client_cert_path (setting);
|
||||
if (!add_string_val (self, path, "client_cert2", FALSE, FALSE))
|
||||
return FALSE;
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -38,24 +38,6 @@
|
||||
#define TYPE_ETHERNET "Ethernet"
|
||||
#define TYPE_WIRELESS "Wireless"
|
||||
|
||||
#define TAG_CA_CERT_PATH "ca-cert-path"
|
||||
#define TAG_CA_CERT_HASH "ca-cert-hash"
|
||||
|
||||
#define TAG_CLIENT_CERT_PATH "client-cert-path"
|
||||
#define TAG_CLIENT_CERT_HASH "client-cert-hash"
|
||||
|
||||
#define TAG_PRIVATE_KEY_PATH "private-key-path"
|
||||
#define TAG_PRIVATE_KEY_HASH "private-key-hash"
|
||||
|
||||
#define TAG_PHASE2_CA_CERT_PATH "phase2-ca-cert-path"
|
||||
#define TAG_PHASE2_CA_CERT_HASH "phase2-ca-cert-hash"
|
||||
|
||||
#define TAG_PHASE2_CLIENT_CERT_PATH "phase2-client-cert-path"
|
||||
#define TAG_PHASE2_CLIENT_CERT_HASH "phase2-client-cert-hash"
|
||||
|
||||
#define TAG_PHASE2_PRIVATE_KEY_PATH "phase2-private-key-path"
|
||||
#define TAG_PHASE2_PRIVATE_KEY_HASH "phase2-private-key-hash"
|
||||
|
||||
GQuark ifcfg_plugin_error_quark (void);
|
||||
|
||||
|
||||
|
||||
@@ -1201,21 +1201,6 @@ get_cert_file (const char *ifcfg_path, const char *cert_path)
|
||||
return ret;
|
||||
}
|
||||
|
||||
static void
|
||||
set_file_path (NMSetting8021x *s_8021x,
|
||||
const char *path_tag,
|
||||
const char *hash_tag,
|
||||
const char *path,
|
||||
const char *setting_key)
|
||||
{
|
||||
GByteArray *data = NULL;
|
||||
|
||||
g_object_set_data_full (G_OBJECT (s_8021x), path_tag, g_strdup (path), g_free);
|
||||
g_object_get (G_OBJECT (s_8021x), setting_key, &data, NULL);
|
||||
if (data)
|
||||
g_object_set_data_full (G_OBJECT (s_8021x), hash_tag, utils_hash_byte_array (data), g_free);
|
||||
}
|
||||
|
||||
static gboolean
|
||||
eap_tls_reader (const char *eap_method,
|
||||
shvarFile *ifcfg,
|
||||
@@ -1231,7 +1216,7 @@ eap_tls_reader (const char *eap_method,
|
||||
char *privkey = NULL;
|
||||
char *privkey_password = NULL;
|
||||
gboolean success = FALSE;
|
||||
NMSetting8021xCKType privkey_type = NM_SETTING_802_1X_CK_TYPE_UNKNOWN;
|
||||
NMSetting8021xCKFormat privkey_format = NM_SETTING_802_1X_CK_FORMAT_UNKNOWN;
|
||||
|
||||
value = svGetValue (ifcfg, "IEEE_8021X_IDENTITY", FALSE);
|
||||
if (!value) {
|
||||
@@ -1249,21 +1234,19 @@ eap_tls_reader (const char *eap_method,
|
||||
if (ca_cert) {
|
||||
real_path = get_cert_file (ifcfg->fileName, ca_cert);
|
||||
if (phase2) {
|
||||
if (!nm_setting_802_1x_set_phase2_ca_cert_from_file (s_8021x, real_path, NULL, error))
|
||||
if (!nm_setting_802_1x_set_phase2_ca_cert (s_8021x,
|
||||
real_path,
|
||||
NM_SETTING_802_1X_CK_SCHEME_PATH,
|
||||
NULL,
|
||||
error))
|
||||
goto done;
|
||||
set_file_path (s_8021x,
|
||||
TAG_PHASE2_CA_CERT_PATH,
|
||||
TAG_PHASE2_CA_CERT_HASH,
|
||||
real_path,
|
||||
NM_SETTING_802_1X_PHASE2_CA_CERT);
|
||||
} else {
|
||||
if (!nm_setting_802_1x_set_ca_cert_from_file (s_8021x, real_path, NULL, error))
|
||||
if (!nm_setting_802_1x_set_ca_cert (s_8021x,
|
||||
real_path,
|
||||
NM_SETTING_802_1X_CK_SCHEME_PATH,
|
||||
NULL,
|
||||
error))
|
||||
goto done;
|
||||
set_file_path (s_8021x,
|
||||
TAG_CA_CERT_PATH,
|
||||
TAG_CA_CERT_HASH,
|
||||
real_path,
|
||||
NM_SETTING_802_1X_CA_CERT);
|
||||
}
|
||||
} else {
|
||||
PLUGIN_WARN (IFCFG_PLUGIN_NAME, " warning: missing %s for EAP"
|
||||
@@ -1306,56 +1289,30 @@ eap_tls_reader (const char *eap_method,
|
||||
g_free (real_path);
|
||||
real_path = get_cert_file (ifcfg->fileName, privkey);
|
||||
if (phase2) {
|
||||
if (!nm_setting_802_1x_set_phase2_private_key_from_file (s_8021x, real_path, privkey_password, &privkey_type, error))
|
||||
if (!nm_setting_802_1x_set_phase2_private_key (s_8021x,
|
||||
real_path,
|
||||
privkey_password,
|
||||
NM_SETTING_802_1X_CK_SCHEME_PATH,
|
||||
&privkey_format,
|
||||
error))
|
||||
goto done;
|
||||
set_file_path (s_8021x,
|
||||
TAG_PHASE2_PRIVATE_KEY_PATH,
|
||||
TAG_PHASE2_PRIVATE_KEY_HASH,
|
||||
real_path,
|
||||
NM_SETTING_802_1X_PHASE2_PRIVATE_KEY);
|
||||
} else {
|
||||
if (!nm_setting_802_1x_set_private_key_from_file (s_8021x, real_path, privkey_password, &privkey_type, error))
|
||||
if (!nm_setting_802_1x_set_private_key (s_8021x,
|
||||
real_path,
|
||||
privkey_password,
|
||||
NM_SETTING_802_1X_CK_SCHEME_PATH,
|
||||
&privkey_format,
|
||||
error))
|
||||
goto done;
|
||||
set_file_path (s_8021x,
|
||||
TAG_PRIVATE_KEY_PATH,
|
||||
TAG_PRIVATE_KEY_HASH,
|
||||
real_path,
|
||||
NM_SETTING_802_1X_PRIVATE_KEY);
|
||||
}
|
||||
|
||||
/* Per NM requirements, if the private key is pkcs12, set the client cert to the
|
||||
* same data as the private key, since pkcs12 files contain both.
|
||||
/* Only set the client certificate if the private key is not PKCS#12 format,
|
||||
* as NM (due to supplicant restrictions) requires. If the key was PKCS#12,
|
||||
* then nm_setting_802_1x_set_private_key() already set the client certificate
|
||||
* to the same value as the private key.
|
||||
*/
|
||||
if (privkey_type == NM_SETTING_802_1X_CK_TYPE_PKCS12) {
|
||||
/* Set the private key password if PKCS#12, because PKCS#12 doesn't get
|
||||
* decrypted when being stored in the Setting.
|
||||
*/
|
||||
if (phase2)
|
||||
g_object_set (s_8021x, NM_SETTING_802_1X_PHASE2_PRIVATE_KEY_PASSWORD, privkey_password, NULL);
|
||||
else
|
||||
g_object_set (s_8021x, NM_SETTING_802_1X_PRIVATE_KEY_PASSWORD, privkey_password, NULL);
|
||||
|
||||
if (phase2) {
|
||||
if (!nm_setting_802_1x_set_phase2_client_cert_from_file (s_8021x, real_path, NULL, error))
|
||||
goto done;
|
||||
set_file_path (s_8021x,
|
||||
TAG_PHASE2_CLIENT_CERT_PATH,
|
||||
TAG_PHASE2_CLIENT_CERT_HASH,
|
||||
real_path,
|
||||
NM_SETTING_802_1X_PHASE2_CLIENT_CERT);
|
||||
} else {
|
||||
if (!nm_setting_802_1x_set_client_cert_from_file (s_8021x, real_path, NULL, error))
|
||||
goto done;
|
||||
set_file_path (s_8021x,
|
||||
TAG_CLIENT_CERT_PATH,
|
||||
TAG_CLIENT_CERT_HASH,
|
||||
real_path,
|
||||
NM_SETTING_802_1X_CLIENT_CERT);
|
||||
}
|
||||
} else {
|
||||
/* Otherwise, private key is "traditional" OpenSSL format, so
|
||||
* client certificate will be a separate file.
|
||||
*/
|
||||
if ( privkey_format == NM_SETTING_802_1X_CK_FORMAT_RAW_KEY
|
||||
|| privkey_format == NM_SETTING_802_1X_CK_FORMAT_X509) {
|
||||
client_cert = svGetValue (ifcfg,
|
||||
phase2 ? "IEEE_8021X_INNER_CLIENT_CERT" : "IEEE_8021X_CLIENT_CERT",
|
||||
FALSE);
|
||||
@@ -1370,21 +1327,19 @@ eap_tls_reader (const char *eap_method,
|
||||
g_free (real_path);
|
||||
real_path = get_cert_file (ifcfg->fileName, client_cert);
|
||||
if (phase2) {
|
||||
if (!nm_setting_802_1x_set_phase2_client_cert_from_file (s_8021x, real_path, NULL, error))
|
||||
if (!nm_setting_802_1x_set_phase2_client_cert (s_8021x,
|
||||
real_path,
|
||||
NM_SETTING_802_1X_CK_SCHEME_PATH,
|
||||
NULL,
|
||||
error))
|
||||
goto done;
|
||||
set_file_path (s_8021x,
|
||||
TAG_PHASE2_CLIENT_CERT_PATH,
|
||||
TAG_PHASE2_CLIENT_CERT_HASH,
|
||||
real_path,
|
||||
NM_SETTING_802_1X_PHASE2_CLIENT_CERT);
|
||||
} else {
|
||||
if (!nm_setting_802_1x_set_client_cert_from_file (s_8021x, real_path, NULL, error))
|
||||
if (!nm_setting_802_1x_set_client_cert (s_8021x,
|
||||
real_path,
|
||||
NM_SETTING_802_1X_CK_SCHEME_PATH,
|
||||
NULL,
|
||||
error))
|
||||
goto done;
|
||||
set_file_path (s_8021x,
|
||||
TAG_CLIENT_CERT_PATH,
|
||||
TAG_CLIENT_CERT_HASH,
|
||||
real_path,
|
||||
NM_SETTING_802_1X_CLIENT_CERT);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1418,13 +1373,12 @@ eap_peap_reader (const char *eap_method,
|
||||
ca_cert = svGetValue (ifcfg, "IEEE_8021X_CA_CERT", FALSE);
|
||||
if (ca_cert) {
|
||||
real_cert_path = get_cert_file (ifcfg->fileName, ca_cert);
|
||||
if (!nm_setting_802_1x_set_ca_cert_from_file (s_8021x, real_cert_path, NULL, error))
|
||||
if (!nm_setting_802_1x_set_ca_cert (s_8021x,
|
||||
real_cert_path,
|
||||
NM_SETTING_802_1X_CK_SCHEME_PATH,
|
||||
NULL,
|
||||
error))
|
||||
goto done;
|
||||
set_file_path (s_8021x,
|
||||
TAG_CA_CERT_PATH,
|
||||
TAG_CA_CERT_HASH,
|
||||
real_cert_path,
|
||||
NM_SETTING_802_1X_CA_CERT);
|
||||
} else {
|
||||
PLUGIN_WARN (IFCFG_PLUGIN_NAME, " warning: missing "
|
||||
"IEEE_8021X_CA_CERT for EAP method '%s'; this is"
|
||||
@@ -1520,13 +1474,12 @@ eap_ttls_reader (const char *eap_method,
|
||||
ca_cert = svGetValue (ifcfg, "IEEE_8021X_CA_CERT", FALSE);
|
||||
if (ca_cert) {
|
||||
real_cert_path = get_cert_file (ifcfg->fileName, ca_cert);
|
||||
if (!nm_setting_802_1x_set_ca_cert_from_file (s_8021x, real_cert_path, NULL, error))
|
||||
if (!nm_setting_802_1x_set_ca_cert (s_8021x,
|
||||
real_cert_path,
|
||||
NM_SETTING_802_1X_CK_SCHEME_PATH,
|
||||
NULL,
|
||||
error))
|
||||
goto done;
|
||||
set_file_path (s_8021x,
|
||||
TAG_CA_CERT_PATH,
|
||||
TAG_CA_CERT_HASH,
|
||||
real_cert_path,
|
||||
NM_SETTING_802_1X_CA_CERT);
|
||||
} else {
|
||||
PLUGIN_WARN (IFCFG_PLUGIN_NAME, " warning: missing "
|
||||
"IEEE_8021X_CA_CERT for EAP method '%s'; this is"
|
||||
|
||||
@@ -69,8 +69,9 @@ verify_cert_or_key (CertKeyType ck_type,
|
||||
NMSetting8021x *s_8021x;
|
||||
GError *error = NULL;
|
||||
gboolean success = FALSE;
|
||||
const GByteArray *expected = NULL, *setting = NULL;
|
||||
const char *expected = NULL, *setting = NULL;
|
||||
gboolean phase2 = FALSE;
|
||||
NMSetting8021xCKScheme scheme = NM_SETTING_802_1X_CK_SCHEME_UNKNOWN;
|
||||
|
||||
if (strstr (setting_key, "phase2"))
|
||||
phase2 = TRUE;
|
||||
@@ -83,19 +84,19 @@ verify_cert_or_key (CertKeyType ck_type,
|
||||
|
||||
if (ck_type == CK_CA_CERT) {
|
||||
if (phase2)
|
||||
success = nm_setting_802_1x_set_phase2_ca_cert_from_file (s_8021x, file, NULL, &error);
|
||||
success = nm_setting_802_1x_set_phase2_ca_cert (s_8021x, file, NM_SETTING_802_1X_CK_SCHEME_PATH, NULL, &error);
|
||||
else
|
||||
success = nm_setting_802_1x_set_ca_cert_from_file (s_8021x, file, NULL, &error);
|
||||
success = nm_setting_802_1x_set_ca_cert (s_8021x, file, NM_SETTING_802_1X_CK_SCHEME_PATH, NULL, &error);
|
||||
} else if (ck_type == CK_CLIENT_CERT) {
|
||||
if (phase2)
|
||||
success = nm_setting_802_1x_set_phase2_client_cert_from_file (s_8021x, file, NULL, &error);
|
||||
success = nm_setting_802_1x_set_phase2_client_cert (s_8021x, file, NM_SETTING_802_1X_CK_SCHEME_PATH, NULL, &error);
|
||||
else
|
||||
success = nm_setting_802_1x_set_client_cert_from_file (s_8021x, file, NULL, &error);
|
||||
success = nm_setting_802_1x_set_client_cert (s_8021x, file, NM_SETTING_802_1X_CK_SCHEME_PATH, NULL, &error);
|
||||
} else if (ck_type == CK_PRIV_KEY) {
|
||||
if (phase2)
|
||||
success = nm_setting_802_1x_set_phase2_private_key_from_file (s_8021x, file, privkey_password, NULL, &error);
|
||||
success = nm_setting_802_1x_set_phase2_private_key (s_8021x, file, privkey_password, NM_SETTING_802_1X_CK_SCHEME_PATH, NULL, &error);
|
||||
else
|
||||
success = nm_setting_802_1x_set_private_key_from_file (s_8021x, file, privkey_password, NULL, &error);
|
||||
success = nm_setting_802_1x_set_private_key (s_8021x, file, privkey_password, NM_SETTING_802_1X_CK_SCHEME_PATH, NULL, &error);
|
||||
}
|
||||
ASSERT (success == TRUE,
|
||||
test_name, "failed to verify %s: could not load item for %s / %s: %s",
|
||||
@@ -103,19 +104,39 @@ verify_cert_or_key (CertKeyType ck_type,
|
||||
|
||||
if (ck_type == CK_CA_CERT) {
|
||||
if (phase2)
|
||||
expected = nm_setting_802_1x_get_phase2_ca_cert (s_8021x);
|
||||
scheme = nm_setting_802_1x_get_phase2_ca_cert_scheme (s_8021x);
|
||||
else
|
||||
expected = nm_setting_802_1x_get_ca_cert (s_8021x);
|
||||
scheme = nm_setting_802_1x_get_ca_cert_scheme (s_8021x);
|
||||
} else if (ck_type == CK_CLIENT_CERT) {
|
||||
if (phase2)
|
||||
expected = nm_setting_802_1x_get_phase2_client_cert (s_8021x);
|
||||
scheme = nm_setting_802_1x_get_phase2_client_cert_scheme (s_8021x);
|
||||
else
|
||||
expected = nm_setting_802_1x_get_client_cert (s_8021x);
|
||||
scheme = nm_setting_802_1x_get_client_cert_scheme (s_8021x);
|
||||
} else if (ck_type == CK_PRIV_KEY) {
|
||||
if (phase2)
|
||||
expected = nm_setting_802_1x_get_phase2_private_key (s_8021x);
|
||||
scheme = nm_setting_802_1x_get_phase2_private_key_scheme (s_8021x);
|
||||
else
|
||||
expected = nm_setting_802_1x_get_private_key (s_8021x);
|
||||
scheme = nm_setting_802_1x_get_private_key_scheme (s_8021x);
|
||||
}
|
||||
ASSERT (scheme == NM_SETTING_802_1X_CK_SCHEME_PATH,
|
||||
test_name, "failed to verify %s: unexpected cert/key scheme for %s / %s",
|
||||
ifcfg, NM_SETTING_802_1X_SETTING_NAME, setting_key);
|
||||
|
||||
if (ck_type == CK_CA_CERT) {
|
||||
if (phase2)
|
||||
expected = nm_setting_802_1x_get_phase2_ca_cert_path (s_8021x);
|
||||
else
|
||||
expected = nm_setting_802_1x_get_ca_cert_path (s_8021x);
|
||||
} else if (ck_type == CK_CLIENT_CERT) {
|
||||
if (phase2)
|
||||
expected = nm_setting_802_1x_get_phase2_client_cert_path (s_8021x);
|
||||
else
|
||||
expected = nm_setting_802_1x_get_client_cert_path (s_8021x);
|
||||
} else if (ck_type == CK_PRIV_KEY) {
|
||||
if (phase2)
|
||||
expected = nm_setting_802_1x_get_phase2_private_key_path (s_8021x);
|
||||
else
|
||||
expected = nm_setting_802_1x_get_private_key_path (s_8021x);
|
||||
}
|
||||
ASSERT (expected != NULL,
|
||||
test_name, "failed to verify %s: failed to get read item for %s / %s",
|
||||
@@ -123,29 +144,29 @@ verify_cert_or_key (CertKeyType ck_type,
|
||||
|
||||
if (ck_type == CK_CA_CERT) {
|
||||
if (phase2)
|
||||
setting = nm_setting_802_1x_get_phase2_ca_cert (s_compare);
|
||||
setting = nm_setting_802_1x_get_phase2_ca_cert_path (s_compare);
|
||||
else
|
||||
setting = nm_setting_802_1x_get_ca_cert (s_compare);
|
||||
setting = nm_setting_802_1x_get_ca_cert_path (s_compare);
|
||||
} else if (ck_type == CK_CLIENT_CERT) {
|
||||
if (phase2)
|
||||
setting = nm_setting_802_1x_get_phase2_client_cert (s_compare);
|
||||
setting = nm_setting_802_1x_get_phase2_client_cert_path (s_compare);
|
||||
else
|
||||
setting = nm_setting_802_1x_get_client_cert (s_compare);
|
||||
setting = nm_setting_802_1x_get_client_cert_path (s_compare);
|
||||
} else if (ck_type == CK_PRIV_KEY) {
|
||||
if (phase2)
|
||||
setting = nm_setting_802_1x_get_phase2_private_key (s_compare);
|
||||
setting = nm_setting_802_1x_get_phase2_private_key_path (s_compare);
|
||||
else
|
||||
setting = nm_setting_802_1x_get_private_key (s_compare);
|
||||
setting = nm_setting_802_1x_get_private_key_path (s_compare);
|
||||
}
|
||||
ASSERT (setting != NULL,
|
||||
test_name, "failed to verify %s: missing %s / %s key",
|
||||
ifcfg, NM_SETTING_802_1X_SETTING_NAME, setting_key);
|
||||
|
||||
ASSERT (setting->len == expected->len,
|
||||
ASSERT (strlen (setting) == strlen (expected),
|
||||
test_name, "failed to verify %s: unexpected %s / %s certificate length",
|
||||
test_name, NM_SETTING_802_1X_SETTING_NAME, setting_key);
|
||||
|
||||
ASSERT (memcmp (setting->data, expected->data, setting->len) == 0,
|
||||
ASSERT (strcmp (setting, expected) == 0,
|
||||
test_name, "failed to verify %s: %s / %s key certificate mismatch",
|
||||
ifcfg, NM_SETTING_802_1X_SETTING_NAME, setting_key);
|
||||
|
||||
@@ -1040,8 +1061,8 @@ test_read_wired_8021x_peap_mschapv2 (void)
|
||||
const char *expected_identity = "David Smith";
|
||||
const char *expected_password = "foobar baz";
|
||||
gboolean success = FALSE;
|
||||
const GByteArray *expected_ca_cert;
|
||||
const GByteArray *read_ca_cert;
|
||||
const char *expected_ca_cert_path;
|
||||
const char *read_ca_cert_path;
|
||||
|
||||
connection = connection_from_file (TEST_IFCFG_WIRED_8021x_PEAP_MSCHAPV2,
|
||||
NULL,
|
||||
@@ -1166,40 +1187,34 @@ test_read_wired_8021x_peap_mschapv2 (void)
|
||||
ASSERT (tmp_8021x != NULL,
|
||||
"wired-8021x-peap-mschapv2-verify-8021x", "failed to verify %s: could not create temp 802.1x setting",
|
||||
TEST_IFCFG_WIRED_8021x_PEAP_MSCHAPV2,
|
||||
NM_SETTING_802_1X_SETTING_NAME,
|
||||
NM_SETTING_802_1X_CA_CERT);
|
||||
NM_SETTING_802_1X_SETTING_NAME);
|
||||
|
||||
success = nm_setting_802_1x_set_ca_cert_from_file (tmp_8021x,
|
||||
TEST_IFCFG_WIRED_8021x_PEAP_MSCHAPV2_CA_CERT,
|
||||
NULL,
|
||||
&error);
|
||||
success = nm_setting_802_1x_set_ca_cert (tmp_8021x,
|
||||
TEST_IFCFG_WIRED_8021x_PEAP_MSCHAPV2_CA_CERT,
|
||||
NM_SETTING_802_1X_CK_SCHEME_PATH,
|
||||
NULL,
|
||||
&error);
|
||||
ASSERT (success == TRUE,
|
||||
"wired-8021x-peap-mschapv2-verify-8021x", "failed to verify %s: could not load CA certificate",
|
||||
TEST_IFCFG_WIRED_8021x_PEAP_MSCHAPV2,
|
||||
NM_SETTING_802_1X_SETTING_NAME,
|
||||
NM_SETTING_802_1X_CA_CERT);
|
||||
expected_ca_cert = nm_setting_802_1x_get_ca_cert (tmp_8021x);
|
||||
ASSERT (expected_ca_cert != NULL,
|
||||
expected_ca_cert_path = nm_setting_802_1x_get_ca_cert_path (tmp_8021x);
|
||||
ASSERT (expected_ca_cert_path != NULL,
|
||||
"wired-8021x-peap-mschapv2-verify-8021x", "failed to verify %s: failed to get CA certificate",
|
||||
TEST_IFCFG_WIRED_8021x_PEAP_MSCHAPV2,
|
||||
NM_SETTING_802_1X_SETTING_NAME,
|
||||
NM_SETTING_802_1X_CA_CERT);
|
||||
|
||||
read_ca_cert = nm_setting_802_1x_get_ca_cert (s_8021x);
|
||||
ASSERT (read_ca_cert != NULL,
|
||||
read_ca_cert_path = nm_setting_802_1x_get_ca_cert_path (s_8021x);
|
||||
ASSERT (read_ca_cert_path != NULL,
|
||||
"wired-8021x-peap-mschapv2-verify-8021x", "failed to verify %s: missing %s / %s key",
|
||||
TEST_IFCFG_WIRED_8021x_PEAP_MSCHAPV2,
|
||||
NM_SETTING_802_1X_SETTING_NAME,
|
||||
NM_SETTING_802_1X_CA_CERT);
|
||||
|
||||
ASSERT (read_ca_cert->len == expected_ca_cert->len,
|
||||
"wired-8021x-peap-mschapv2-verify-8021x", "failed to verify %s: unexpected %s / %s certificate length",
|
||||
TEST_IFCFG_WIRED_8021x_PEAP_MSCHAPV2,
|
||||
NM_SETTING_802_1X_SETTING_NAME,
|
||||
NM_SETTING_802_1X_CA_CERT);
|
||||
|
||||
ASSERT (memcmp (read_ca_cert->data, expected_ca_cert->data, read_ca_cert->len) == 0,
|
||||
"wired-8021x-peap-mschapv2-verify-8021x", "failed to verify %s: %s / %s key certificate mismatch",
|
||||
ASSERT (strcmp (read_ca_cert_path, expected_ca_cert_path) == 0,
|
||||
"wired-8021x-peap-mschapv2-verify-8021x", "failed to verify %s: unexpected %s / %s certificate path",
|
||||
TEST_IFCFG_WIRED_8021x_PEAP_MSCHAPV2,
|
||||
NM_SETTING_802_1X_SETTING_NAME,
|
||||
NM_SETTING_802_1X_CA_CERT);
|
||||
@@ -2878,7 +2893,7 @@ test_read_wifi_wpa_eap_tls (void)
|
||||
char *keyfile = NULL;
|
||||
gboolean ignore_error = FALSE;
|
||||
GError *error = NULL;
|
||||
const char *tmp;
|
||||
const char *tmp, *password;
|
||||
const char *expected_identity = "Bill Smith";
|
||||
const char *expected_privkey_password = "test1";
|
||||
|
||||
@@ -2980,7 +2995,14 @@ test_read_wifi_wpa_eap_tls (void)
|
||||
NM_SETTING_802_1X_CLIENT_CERT);
|
||||
|
||||
/* Private Key Password */
|
||||
ASSERT (nm_setting_802_1x_get_private_key_password (s_8021x) == NULL,
|
||||
password = nm_setting_802_1x_get_private_key_password (s_8021x);
|
||||
ASSERT (password != NULL,
|
||||
"wifi-wpa-eap-tls-verify-8021x", "failed to verify %s: missing %s / %s key",
|
||||
TEST_IFCFG_WIFI_WPA_EAP_TLS,
|
||||
NM_SETTING_802_1X_SETTING_NAME,
|
||||
NM_SETTING_802_1X_PRIVATE_KEY_PASSWORD);
|
||||
|
||||
ASSERT (strcmp (password, expected_privkey_password) == 0,
|
||||
"wifi-wpa-eap-tls-verify-8021x", "failed to verify %s: unexpected %s / %s key",
|
||||
TEST_IFCFG_WIFI_WPA_EAP_TLS,
|
||||
NM_SETTING_802_1X_SETTING_NAME,
|
||||
@@ -3013,7 +3035,7 @@ test_read_wifi_wpa_eap_ttls_tls (void)
|
||||
char *keyfile = NULL;
|
||||
gboolean ignore_error = FALSE;
|
||||
GError *error = NULL;
|
||||
const char *tmp;
|
||||
const char *tmp, *password;
|
||||
const char *expected_identity = "Chuck Shumer";
|
||||
const char *expected_privkey_password = "test1";
|
||||
|
||||
@@ -3124,7 +3146,14 @@ test_read_wifi_wpa_eap_ttls_tls (void)
|
||||
NM_SETTING_802_1X_PHASE2_CLIENT_CERT);
|
||||
|
||||
/* Inner Private Key Password */
|
||||
ASSERT (nm_setting_802_1x_get_phase2_private_key_password (s_8021x) == NULL,
|
||||
password = nm_setting_802_1x_get_phase2_private_key_password (s_8021x);
|
||||
ASSERT (password != NULL,
|
||||
"wifi-wpa-eap-ttls-tls-verify-8021x", "failed to verify %s: missing %s / %s key",
|
||||
TEST_IFCFG_WIFI_WPA_EAP_TTLS_TLS,
|
||||
NM_SETTING_802_1X_SETTING_NAME,
|
||||
NM_SETTING_802_1X_PHASE2_PRIVATE_KEY_PASSWORD);
|
||||
|
||||
ASSERT (strcmp (password, expected_privkey_password) == 0,
|
||||
"wifi-wpa-eap-ttls-tls-verify-8021x", "failed to verify %s: unexpected %s / %s key",
|
||||
TEST_IFCFG_WIFI_WPA_EAP_TTLS_TLS,
|
||||
NM_SETTING_802_1X_SETTING_NAME,
|
||||
@@ -3619,10 +3648,11 @@ test_write_wired_dhcp_8021x_peap_mschapv2 (void)
|
||||
|
||||
nm_setting_802_1x_add_eap_method (s_8021x, "peap");
|
||||
|
||||
success = nm_setting_802_1x_set_ca_cert_from_file (s_8021x,
|
||||
TEST_IFCFG_WIRED_8021x_PEAP_MSCHAPV2_CA_CERT,
|
||||
NULL,
|
||||
&error);
|
||||
success = nm_setting_802_1x_set_ca_cert (s_8021x,
|
||||
TEST_IFCFG_WIRED_8021x_PEAP_MSCHAPV2_CA_CERT,
|
||||
NM_SETTING_802_1X_CK_SCHEME_PATH,
|
||||
NULL,
|
||||
&error);
|
||||
ASSERT (success == TRUE,
|
||||
"wired-dhcp-8021x-peap-mschapv2write", "failed to verify connection: %s",
|
||||
(error && error->message) ? error->message : "(unknown)");
|
||||
@@ -4548,27 +4578,30 @@ test_write_wifi_wpa_eap_tls (void)
|
||||
|
||||
nm_setting_802_1x_add_eap_method (s_8021x, "tls");
|
||||
|
||||
success = nm_setting_802_1x_set_ca_cert_from_file (s_8021x,
|
||||
TEST_IFCFG_WIFI_WPA_EAP_TLS_CA_CERT,
|
||||
NULL,
|
||||
&error);
|
||||
success = nm_setting_802_1x_set_ca_cert (s_8021x,
|
||||
TEST_IFCFG_WIFI_WPA_EAP_TLS_CA_CERT,
|
||||
NM_SETTING_802_1X_CK_SCHEME_PATH,
|
||||
NULL,
|
||||
&error);
|
||||
ASSERT (success == TRUE,
|
||||
"wifi-wpa-eap-tls-write", "failed to set CA certificate '%s': %s",
|
||||
TEST_IFCFG_WIFI_WPA_EAP_TLS_CA_CERT, error->message);
|
||||
|
||||
success = nm_setting_802_1x_set_client_cert_from_file (s_8021x,
|
||||
TEST_IFCFG_WIFI_WPA_EAP_TLS_CLIENT_CERT,
|
||||
NULL,
|
||||
&error);
|
||||
success = nm_setting_802_1x_set_client_cert (s_8021x,
|
||||
TEST_IFCFG_WIFI_WPA_EAP_TLS_CLIENT_CERT,
|
||||
NM_SETTING_802_1X_CK_SCHEME_PATH,
|
||||
NULL,
|
||||
&error);
|
||||
ASSERT (success == TRUE,
|
||||
"wifi-wpa-eap-tls-write", "failed to set client certificate '%s': %s",
|
||||
TEST_IFCFG_WIFI_WPA_EAP_TLS_CLIENT_CERT, error->message);
|
||||
|
||||
success = nm_setting_802_1x_set_private_key_from_file (s_8021x,
|
||||
TEST_IFCFG_WIFI_WPA_EAP_TLS_PRIVATE_KEY,
|
||||
"test1",
|
||||
NULL,
|
||||
&error);
|
||||
success = nm_setting_802_1x_set_private_key (s_8021x,
|
||||
TEST_IFCFG_WIFI_WPA_EAP_TLS_PRIVATE_KEY,
|
||||
"test1",
|
||||
NM_SETTING_802_1X_CK_SCHEME_PATH,
|
||||
NULL,
|
||||
&error);
|
||||
ASSERT (success == TRUE,
|
||||
"wifi-wpa-eap-tls-write", "failed to set private key '%s': %s",
|
||||
TEST_IFCFG_WIFI_WPA_EAP_TLS_PRIVATE_KEY, error->message);
|
||||
@@ -4712,10 +4745,11 @@ test_write_wifi_wpa_eap_ttls_tls (void)
|
||||
NM_SETTING_802_1X_PHASE2_AUTHEAP, "tls",
|
||||
NULL);
|
||||
|
||||
success = nm_setting_802_1x_set_ca_cert_from_file (s_8021x,
|
||||
TEST_IFCFG_WIFI_WPA_EAP_TLS_CA_CERT,
|
||||
NULL,
|
||||
&error);
|
||||
success = nm_setting_802_1x_set_ca_cert (s_8021x,
|
||||
TEST_IFCFG_WIFI_WPA_EAP_TLS_CA_CERT,
|
||||
NM_SETTING_802_1X_CK_SCHEME_PATH,
|
||||
NULL,
|
||||
&error);
|
||||
ASSERT (success == TRUE,
|
||||
"wifi-wpa-eap-ttls-tls-write", "failed to set CA certificate '%s': %s",
|
||||
TEST_IFCFG_WIFI_WPA_EAP_TLS_CA_CERT, error->message);
|
||||
@@ -4723,29 +4757,32 @@ test_write_wifi_wpa_eap_ttls_tls (void)
|
||||
/* Phase 2 TLS stuff */
|
||||
|
||||
/* phase2 CA cert */
|
||||
success = nm_setting_802_1x_set_phase2_ca_cert_from_file (s_8021x,
|
||||
TEST_IFCFG_WIFI_WPA_EAP_TLS_CA_CERT,
|
||||
NULL,
|
||||
&error);
|
||||
success = nm_setting_802_1x_set_phase2_ca_cert (s_8021x,
|
||||
TEST_IFCFG_WIFI_WPA_EAP_TLS_CA_CERT,
|
||||
NM_SETTING_802_1X_CK_SCHEME_PATH,
|
||||
NULL,
|
||||
&error);
|
||||
ASSERT (success == TRUE,
|
||||
"wifi-wpa-eap-ttls-tls-write", "failed to set inner CA certificate '%s': %s",
|
||||
TEST_IFCFG_WIFI_WPA_EAP_TLS_CA_CERT, error->message);
|
||||
|
||||
/* phase2 client cert */
|
||||
success = nm_setting_802_1x_set_phase2_client_cert_from_file (s_8021x,
|
||||
TEST_IFCFG_WIFI_WPA_EAP_TLS_CLIENT_CERT,
|
||||
NULL,
|
||||
&error);
|
||||
success = nm_setting_802_1x_set_phase2_client_cert (s_8021x,
|
||||
TEST_IFCFG_WIFI_WPA_EAP_TLS_CLIENT_CERT,
|
||||
NM_SETTING_802_1X_CK_SCHEME_PATH,
|
||||
NULL,
|
||||
&error);
|
||||
ASSERT (success == TRUE,
|
||||
"wifi-wpa-eap-ttls-tls-write", "failed to set inner client certificate '%s': %s",
|
||||
TEST_IFCFG_WIFI_WPA_EAP_TLS_CLIENT_CERT, error->message);
|
||||
|
||||
/* phase2 private key */
|
||||
success = nm_setting_802_1x_set_phase2_private_key_from_file (s_8021x,
|
||||
TEST_IFCFG_WIFI_WPA_EAP_TLS_PRIVATE_KEY,
|
||||
"test1",
|
||||
NULL,
|
||||
&error);
|
||||
success = nm_setting_802_1x_set_phase2_private_key (s_8021x,
|
||||
TEST_IFCFG_WIFI_WPA_EAP_TLS_PRIVATE_KEY,
|
||||
"test1",
|
||||
NM_SETTING_802_1X_CK_SCHEME_PATH,
|
||||
NULL,
|
||||
&error);
|
||||
ASSERT (success == TRUE,
|
||||
"wifi-wpa-eap-ttls-tls-write", "failed to set private key '%s': %s",
|
||||
TEST_IFCFG_WIFI_WPA_EAP_TLS_PRIVATE_KEY, error->message);
|
||||
@@ -4893,10 +4930,11 @@ test_write_wifi_wpa_eap_ttls_mschapv2 (void)
|
||||
NM_SETTING_802_1X_PHASE2_AUTHEAP, "mschapv2",
|
||||
NULL);
|
||||
|
||||
success = nm_setting_802_1x_set_ca_cert_from_file (s_8021x,
|
||||
TEST_IFCFG_WIFI_WPA_EAP_TLS_CA_CERT,
|
||||
NULL,
|
||||
&error);
|
||||
success = nm_setting_802_1x_set_ca_cert (s_8021x,
|
||||
TEST_IFCFG_WIFI_WPA_EAP_TLS_CA_CERT,
|
||||
NM_SETTING_802_1X_CK_SCHEME_PATH,
|
||||
NULL,
|
||||
&error);
|
||||
ASSERT (success == TRUE,
|
||||
"wifi-wpa-eap-ttls-mschapv2-write", "failed to set CA certificate '%s': %s",
|
||||
TEST_IFCFG_WIFI_WPA_EAP_TLS_CA_CERT, error->message);
|
||||
|
||||
@@ -116,17 +116,6 @@ utils_hexstr2bin (const char *hex, size_t len)
|
||||
|
||||
/* End from hostap */
|
||||
|
||||
char *
|
||||
utils_hash_byte_array (const GByteArray *data)
|
||||
{
|
||||
unsigned char buf[SHA1_MAC_LEN];
|
||||
static const char *key = "0123456789abcdefghijklmnopqrstuvwxyz";
|
||||
|
||||
memset (buf, 0, sizeof (buf));
|
||||
sha1_mac ((const unsigned char *) key, strlen (key), (const u_int8_t *) data->data, data->len, &buf[0]);
|
||||
return utils_bin2hexstr ((const char *) &buf[0], SHA1_MAC_LEN, SHA1_MAC_LEN * 2);
|
||||
}
|
||||
|
||||
char *
|
||||
utils_cert_path (const char *parent, const char *suffix)
|
||||
{
|
||||
|
||||
@@ -29,8 +29,6 @@ char *utils_bin2hexstr (const char *bytes, int len, int final_len);
|
||||
|
||||
char *utils_hexstr2bin (const char *hex, size_t len);
|
||||
|
||||
char *utils_hash_byte_array (const GByteArray *data);
|
||||
|
||||
char *utils_cert_path (const char *parent, const char *suffix);
|
||||
|
||||
char *utils_get_ifcfg_name (const char *file);
|
||||
|
||||
@@ -144,151 +144,187 @@ out:
|
||||
return success;
|
||||
}
|
||||
|
||||
typedef NMSetting8021xCKScheme (*SchemeFunc)(NMSetting8021x *setting);
|
||||
typedef const char * (*PathFunc) (NMSetting8021x *setting);
|
||||
typedef const GByteArray * (*BlobFunc) (NMSetting8021x *setting);
|
||||
|
||||
typedef struct ObjectType {
|
||||
const char *setting_key;
|
||||
SchemeFunc scheme_func;
|
||||
PathFunc path_func;
|
||||
BlobFunc blob_func;
|
||||
const char *ifcfg_key;
|
||||
const char *path_tag;
|
||||
const char *hash_tag;
|
||||
const char *suffix;
|
||||
} ObjectType;
|
||||
|
||||
static const ObjectType ca_type = {
|
||||
NM_SETTING_802_1X_CA_CERT,
|
||||
nm_setting_802_1x_get_ca_cert_scheme,
|
||||
nm_setting_802_1x_get_ca_cert_path,
|
||||
nm_setting_802_1x_get_ca_cert_blob,
|
||||
"IEEE_8021X_CA_CERT",
|
||||
TAG_CA_CERT_PATH,
|
||||
TAG_CA_CERT_HASH,
|
||||
"ca-cert.der"
|
||||
};
|
||||
|
||||
static const ObjectType phase2_ca_type = {
|
||||
NM_SETTING_802_1X_PHASE2_CA_CERT,
|
||||
nm_setting_802_1x_get_phase2_ca_cert_scheme,
|
||||
nm_setting_802_1x_get_phase2_ca_cert_path,
|
||||
nm_setting_802_1x_get_phase2_ca_cert_blob,
|
||||
"IEEE_8021X_INNER_CA_CERT",
|
||||
TAG_PHASE2_CA_CERT_PATH,
|
||||
TAG_PHASE2_CA_CERT_HASH,
|
||||
"inner-ca-cert.der"
|
||||
};
|
||||
|
||||
static const ObjectType client_type = {
|
||||
NM_SETTING_802_1X_CLIENT_CERT,
|
||||
nm_setting_802_1x_get_client_cert_scheme,
|
||||
nm_setting_802_1x_get_client_cert_path,
|
||||
nm_setting_802_1x_get_client_cert_blob,
|
||||
"IEEE_8021X_CLIENT_CERT",
|
||||
TAG_CLIENT_CERT_PATH,
|
||||
TAG_CLIENT_CERT_HASH,
|
||||
"client-cert.der"
|
||||
};
|
||||
|
||||
static const ObjectType phase2_client_type = {
|
||||
NM_SETTING_802_1X_PHASE2_CLIENT_CERT,
|
||||
nm_setting_802_1x_get_phase2_client_cert_scheme,
|
||||
nm_setting_802_1x_get_phase2_client_cert_path,
|
||||
nm_setting_802_1x_get_phase2_client_cert_blob,
|
||||
"IEEE_8021X_INNER_CLIENT_CERT",
|
||||
TAG_PHASE2_CLIENT_CERT_PATH,
|
||||
TAG_PHASE2_CLIENT_CERT_HASH,
|
||||
"inner-client-cert.der"
|
||||
};
|
||||
|
||||
static const ObjectType pk_type = {
|
||||
NM_SETTING_802_1X_PRIVATE_KEY,
|
||||
nm_setting_802_1x_get_private_key_scheme,
|
||||
nm_setting_802_1x_get_private_key_path,
|
||||
nm_setting_802_1x_get_private_key_blob,
|
||||
"IEEE_8021X_PRIVATE_KEY",
|
||||
TAG_PRIVATE_KEY_PATH,
|
||||
TAG_PRIVATE_KEY_HASH,
|
||||
"private-key.pem"
|
||||
};
|
||||
|
||||
static const ObjectType phase2_pk_type = {
|
||||
NM_SETTING_802_1X_PHASE2_PRIVATE_KEY,
|
||||
nm_setting_802_1x_get_phase2_private_key_scheme,
|
||||
nm_setting_802_1x_get_phase2_private_key_path,
|
||||
nm_setting_802_1x_get_phase2_private_key_blob,
|
||||
"IEEE_8021X_INNER_PRIVATE_KEY",
|
||||
TAG_PHASE2_PRIVATE_KEY_PATH,
|
||||
TAG_PHASE2_PRIVATE_KEY_HASH,
|
||||
"inner-private-key.pem"
|
||||
};
|
||||
|
||||
static const ObjectType p12_type = {
|
||||
NM_SETTING_802_1X_PRIVATE_KEY,
|
||||
nm_setting_802_1x_get_private_key_scheme,
|
||||
nm_setting_802_1x_get_private_key_path,
|
||||
nm_setting_802_1x_get_private_key_blob,
|
||||
"IEEE_8021X_PRIVATE_KEY",
|
||||
TAG_PRIVATE_KEY_PATH,
|
||||
TAG_PRIVATE_KEY_HASH,
|
||||
"private-key.p12"
|
||||
};
|
||||
|
||||
static const ObjectType phase2_p12_type = {
|
||||
NM_SETTING_802_1X_PHASE2_PRIVATE_KEY,
|
||||
nm_setting_802_1x_get_phase2_private_key_scheme,
|
||||
nm_setting_802_1x_get_phase2_private_key_path,
|
||||
nm_setting_802_1x_get_phase2_private_key_blob,
|
||||
"IEEE_8021X_INNER_PRIVATE_KEY",
|
||||
TAG_PHASE2_PRIVATE_KEY_PATH,
|
||||
TAG_PHASE2_PRIVATE_KEY_HASH,
|
||||
"inner-private-key.p12"
|
||||
};
|
||||
|
||||
static gboolean
|
||||
write_object (NMSetting8021x *s_8021x,
|
||||
shvarFile *ifcfg,
|
||||
const GByteArray *object,
|
||||
const GByteArray *override_data,
|
||||
const ObjectType *objtype,
|
||||
gboolean *wrote,
|
||||
GError **error)
|
||||
{
|
||||
const char *orig_hash, *orig_file;
|
||||
char *new_hash = NULL, *new_file = NULL;
|
||||
gboolean success = FALSE;
|
||||
GError *write_error = NULL;
|
||||
NMSetting8021xCKScheme scheme;
|
||||
const char *path = NULL;
|
||||
const GByteArray *blob = NULL;
|
||||
|
||||
g_return_val_if_fail (objtype != NULL, FALSE);
|
||||
g_return_val_if_fail (ifcfg != NULL, FALSE);
|
||||
g_return_val_if_fail (wrote != NULL, FALSE);
|
||||
g_return_val_if_fail (objtype != NULL, FALSE);
|
||||
|
||||
*wrote = FALSE;
|
||||
if (override_data) {
|
||||
/* if given explicit data to save, always use that instead of asking
|
||||
* the setting what to do.
|
||||
*/
|
||||
blob = override_data;
|
||||
} else {
|
||||
scheme = (*(objtype->scheme_func))(s_8021x);
|
||||
switch (scheme) {
|
||||
case NM_SETTING_802_1X_CK_SCHEME_BLOB:
|
||||
blob = (*(objtype->blob_func))(s_8021x);
|
||||
break;
|
||||
case NM_SETTING_802_1X_CK_SCHEME_PATH:
|
||||
path = (*(objtype->path_func))(s_8021x);
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
/* If certificate/private key was sent, the connection may no longer be
|
||||
* 802.1x and thus we clear out the paths and certs.
|
||||
*/
|
||||
if (!path && !blob) {
|
||||
char *standard_file;
|
||||
int ignored;
|
||||
|
||||
/* Since no cert/private key is now being used, delete any standard file
|
||||
* that was created for this connection, but leave other files alone.
|
||||
* Thus, for example,
|
||||
* /etc/sysconfig/network-scripts/ca-cert-Test_Write_Wifi_WPA_EAP-TLS.der
|
||||
* will be deleted, but /etc/pki/tls/cert.pem will not.
|
||||
*/
|
||||
standard_file = utils_cert_path (ifcfg->fileName, objtype->suffix);
|
||||
if (g_file_test (standard_file, G_FILE_TEST_EXISTS))
|
||||
ignored = unlink (standard_file);
|
||||
g_free (standard_file);
|
||||
|
||||
if (!object) {
|
||||
svSetValue (ifcfg, objtype->ifcfg_key, NULL, FALSE);
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
new_hash = utils_hash_byte_array (object);
|
||||
if (!new_hash) {
|
||||
g_set_error (error, ifcfg_plugin_error_quark (), 0,
|
||||
"Could not hash certificate/key data for %s / %s",
|
||||
NM_SETTING_802_1X_SETTING_NAME, objtype->setting_key);
|
||||
return FALSE;
|
||||
/* If the object path was specified, prefer that over any raw cert data that
|
||||
* may have been sent.
|
||||
*/
|
||||
if (path) {
|
||||
svSetValue (ifcfg, objtype->ifcfg_key, path, FALSE);
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
orig_hash = g_object_get_data (G_OBJECT (s_8021x), objtype->hash_tag);
|
||||
orig_file = g_object_get_data (G_OBJECT (s_8021x), objtype->path_tag);
|
||||
/* If it's raw certificate data, write the cert data out to the standard file */
|
||||
if (blob) {
|
||||
gboolean success;
|
||||
char *new_file;
|
||||
GError *write_error = NULL;
|
||||
|
||||
if (!orig_hash || !orig_file || strcmp (new_hash, orig_hash)) {
|
||||
/* if the cert data has changed, or there wasn't a cert
|
||||
* originally, write data out to the standard file.
|
||||
*/
|
||||
new_file = utils_cert_path (ifcfg->fileName, objtype->suffix);
|
||||
if (!new_file) {
|
||||
g_set_error (error, ifcfg_plugin_error_quark (), 0,
|
||||
"Could not create file path for %s / %s",
|
||||
NM_SETTING_802_1X_SETTING_NAME, objtype->setting_key);
|
||||
goto out;
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
if (!write_secret_file (new_file, (const char *) object->data, object->len, &write_error)) {
|
||||
/* Write the raw certificate data out to the standard file so that we
|
||||
* can use paths from now on instead of pushing around the certificate
|
||||
* data itself.
|
||||
*/
|
||||
success = write_secret_file (new_file, (const char *) blob->data, blob->len, &write_error);
|
||||
if (success) {
|
||||
svSetValue (ifcfg, objtype->ifcfg_key, new_file, FALSE);
|
||||
return TRUE;
|
||||
} else {
|
||||
g_set_error (error, ifcfg_plugin_error_quark (), 0,
|
||||
"Could not write certificate/key for %s / %s: %s",
|
||||
NM_SETTING_802_1X_SETTING_NAME, objtype->setting_key,
|
||||
(write_error && write_error->message) ? write_error->message : "(unknown)");
|
||||
g_clear_error (&write_error);
|
||||
goto out;
|
||||
}
|
||||
*wrote = TRUE;
|
||||
|
||||
svSetValue (ifcfg, objtype->ifcfg_key, new_file, FALSE);
|
||||
g_object_set_data_full (G_OBJECT (s_8021x), objtype->path_tag, new_file, g_free);
|
||||
new_file = NULL; /* g_object_set_data_full() took ownership */
|
||||
|
||||
g_object_set_data_full (G_OBJECT (s_8021x), objtype->hash_tag, new_hash, g_free);
|
||||
new_hash = NULL; /* g_object_set_data_full() took ownership */
|
||||
} else {
|
||||
/* cert data hasn't changed */
|
||||
svSetValue (ifcfg, objtype->ifcfg_key, orig_file, FALSE);
|
||||
g_free (new_file);
|
||||
}
|
||||
success = TRUE;
|
||||
|
||||
out:
|
||||
g_free (new_hash);
|
||||
g_free (new_file);
|
||||
return success;
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
static gboolean
|
||||
@@ -297,16 +333,15 @@ write_8021x_certs (NMSetting8021x *s_8021x,
|
||||
shvarFile *ifcfg,
|
||||
GError **error)
|
||||
{
|
||||
const GByteArray *data;
|
||||
GByteArray *enc_key = NULL;
|
||||
const char *password = NULL;
|
||||
char *generated_pw = NULL;
|
||||
gboolean success = FALSE, is_pkcs12 = FALSE, wrote;
|
||||
gboolean success = FALSE, is_pkcs12 = FALSE;
|
||||
const ObjectType *otype = NULL;
|
||||
const char *prop;
|
||||
const GByteArray *blob = NULL;
|
||||
|
||||
/* CA certificate */
|
||||
data = NULL;
|
||||
if (phase2) {
|
||||
prop = NM_SETTING_802_1X_PHASE2_CA_CERT;
|
||||
otype = &phase2_ca_type;
|
||||
@@ -314,24 +349,22 @@ write_8021x_certs (NMSetting8021x *s_8021x,
|
||||
prop = NM_SETTING_802_1X_CA_CERT;
|
||||
otype = &ca_type;
|
||||
}
|
||||
g_object_get (G_OBJECT (s_8021x), prop, &data, NULL);
|
||||
if (!write_object (s_8021x, ifcfg, data, otype, &wrote, error))
|
||||
|
||||
if (!write_object (s_8021x, ifcfg, NULL, otype, error))
|
||||
return FALSE;
|
||||
|
||||
/* Private key */
|
||||
if (phase2) {
|
||||
if (nm_setting_802_1x_get_phase2_private_key (s_8021x)) {
|
||||
if (nm_setting_802_1x_get_phase2_private_key_type (s_8021x) == NM_SETTING_802_1X_CK_TYPE_PKCS12)
|
||||
if (nm_setting_802_1x_get_phase2_private_key_scheme (s_8021x) != NM_SETTING_802_1X_CK_SCHEME_UNKNOWN) {
|
||||
if (nm_setting_802_1x_get_phase2_private_key_format (s_8021x) == NM_SETTING_802_1X_CK_FORMAT_PKCS12)
|
||||
is_pkcs12 = TRUE;
|
||||
}
|
||||
prop = NM_SETTING_802_1X_PHASE2_PRIVATE_KEY;
|
||||
password = nm_setting_802_1x_get_phase2_private_key_password (s_8021x);
|
||||
} else {
|
||||
if (nm_setting_802_1x_get_private_key (s_8021x)) {
|
||||
if (nm_setting_802_1x_get_private_key_type (s_8021x) == NM_SETTING_802_1X_CK_TYPE_PKCS12)
|
||||
if (nm_setting_802_1x_get_private_key_scheme (s_8021x) != NM_SETTING_802_1X_CK_SCHEME_UNKNOWN) {
|
||||
if (nm_setting_802_1x_get_private_key_format (s_8021x) == NM_SETTING_802_1X_CK_FORMAT_PKCS12)
|
||||
is_pkcs12 = TRUE;
|
||||
}
|
||||
prop = NM_SETTING_802_1X_PRIVATE_KEY;
|
||||
password = nm_setting_802_1x_get_private_key_password (s_8021x);
|
||||
}
|
||||
|
||||
@@ -340,11 +373,19 @@ write_8021x_certs (NMSetting8021x *s_8021x,
|
||||
else
|
||||
otype = phase2 ? &phase2_pk_type : &pk_type;
|
||||
|
||||
data = NULL;
|
||||
g_object_get (G_OBJECT (s_8021x), prop, &data, NULL);
|
||||
if (data && !is_pkcs12) {
|
||||
if ((*(otype->scheme_func))(s_8021x) == NM_SETTING_802_1X_CK_SCHEME_BLOB)
|
||||
blob = (*(otype->blob_func))(s_8021x);
|
||||
|
||||
/* Only do the private key re-encrypt dance if we got the raw key data, which
|
||||
* by definition will be unencrypted. If we're given a direct path to the
|
||||
* private key file, it'll be encrypted, so we don't need to re-encrypt.
|
||||
*/
|
||||
if (blob && !is_pkcs12) {
|
||||
GByteArray *array;
|
||||
|
||||
/* If the private key is an unencrypted blob, re-encrypt it with a
|
||||
* random password since we don't store unencrypted private keys on disk.
|
||||
*/
|
||||
if (!password) {
|
||||
/* Create a random private key */
|
||||
array = crypto_random (32, error);
|
||||
@@ -356,13 +397,14 @@ write_8021x_certs (NMSetting8021x *s_8021x,
|
||||
g_byte_array_free (array, TRUE);
|
||||
}
|
||||
|
||||
/* Re-encrypt the private key if it's not PKCS#12 (which never decrypted by NM) */
|
||||
enc_key = crypto_key_to_pem (data, password, error);
|
||||
/* Encrypt the unencrypted private key with the fake password */
|
||||
enc_key = crypto_key_to_pem (blob, password, error);
|
||||
if (!enc_key)
|
||||
goto out;
|
||||
}
|
||||
|
||||
if (!write_object (s_8021x, ifcfg, enc_key ? enc_key : data, otype, &wrote, error))
|
||||
/* Save the private key */
|
||||
if (!write_object (s_8021x, ifcfg, enc_key, otype, error))
|
||||
goto out;
|
||||
|
||||
/* Private key password */
|
||||
@@ -371,11 +413,6 @@ write_8021x_certs (NMSetting8021x *s_8021x,
|
||||
else
|
||||
set_secret (ifcfg, "IEEE_8021X_PRIVATE_KEY_PASSWORD", password);
|
||||
|
||||
if (enc_key) {
|
||||
memset (enc_key->data, 0, enc_key->len);
|
||||
g_byte_array_free (enc_key, TRUE);
|
||||
}
|
||||
|
||||
/* Client certificate */
|
||||
if (is_pkcs12) {
|
||||
svSetValue (ifcfg,
|
||||
@@ -389,9 +426,9 @@ write_8021x_certs (NMSetting8021x *s_8021x,
|
||||
prop = NM_SETTING_802_1X_CLIENT_CERT;
|
||||
otype = &client_type;
|
||||
}
|
||||
data = NULL;
|
||||
g_object_get (G_OBJECT (s_8021x), prop, &data, NULL);
|
||||
if (!write_object (s_8021x, ifcfg, data, otype, &wrote, error))
|
||||
|
||||
/* Save the client certificate */
|
||||
if (!write_object (s_8021x, ifcfg, NULL, otype, error))
|
||||
goto out;
|
||||
}
|
||||
|
||||
@@ -402,6 +439,10 @@ out:
|
||||
memset (generated_pw, 0, strlen (generated_pw));
|
||||
g_free (generated_pw);
|
||||
}
|
||||
if (enc_key) {
|
||||
memset (enc_key->data, 0, enc_key->len);
|
||||
g_byte_array_free (enc_key, TRUE);
|
||||
}
|
||||
return success;
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user