Commit Graph

12 Commits

Author SHA1 Message Date
Dan Winship
d04f286327 all: remove pointless NULL checks
g_malloc(), etc, never return NULL, by API contract. Likewise, by
extension, no other glib function ever returns NULL due to lack of
memory. So remove lots of unnecessary checks (the vast majority of
which would have immediately crashed had they ever run anyway, since
g_set_error(), g_warning(), and nm_log_*() all need to allocate
memory).

https://bugzilla.gnome.org/show_bug.cgi?id=693678
2013-02-13 13:38:13 -05:00
Dan Williams
5deb993ff6 libnm-util: recognize PKCS#8 private keys and check passwords (bgo #649326)
Neither gnutls nor NSS fully support PKCS#8 so we don't have complete
support here, but at least recognize the keys and make an attempt to
check the private key if we can.
2011-05-13 14:22:06 -05:00
Dan Williams
5b0ef4c201 libnm-util: don't ever deinit crypto methods (bgo #646300)
Because we can't ever know if we're the last user of NSS or gnutls
when nm_utils_deinit() is called, just don't bother deiniting
the crypto providers.  And atexit handlers are generally frowned
upon for the exact same reason.  You never know what library linked
into your process might be also using NSS or gnutls, so basically
if these libraries suck enough to use global data and not reference
count it, just let the data leak.  If we do clean stuff up that
can lead to crashes when other libraries might try to use NSS or
gnutls after the atexit handler or nm_utils_deinit() has been run.

See also:  https://bugzilla.mozilla.org/show_bug.cgi?id=54189#c1
2011-03-31 13:29:19 -05:00
Kjartan Maraas
6d0d302916 build: do the right thing with config.h (bgo #644664)
1) it shouldn't be included in headers
2) it should be the first thing included in source files
3) it's needed for getting translation right
2011-03-14 01:01:22 -05:00
Dan Williams
8c35e96b60 libnm-util: add nm_utils_rsa_key_encrypt() and fix crypto padding mixups
To be backwards compatible clients need to handle both paths to private
keys and the decrypted private key data, which is what used to get passed
in the private-key and phase2-private-key attributes of the 802.1x setting.
When moving a connection around between system-settings and user-settings,
if the private key is decrypted data, the settings service needs to store
that decrypted data somewhere so that the key can be sent to NM during
the connection process.

But we don't want to store the decrypted private key data, so we have to
re-encrypt it (possibly generating a private key password if one wasn't
sent with the decrypted data) and save it to disk, then send NM a path
to that private key during connection.

To help clients do this, and so that they don't have to carry around
multiple crypto implementations depending on whether they want to use
NSS or gnutls/gcrypt, add a helper to libnm-util.

Furthermore, I misunderstood a bunch of stuff with crypto padding when
writing the encrypt/decrypt functions long ago, so fix that up.  Don't
return padding as part of the decrypted data, and make sure to verify
the padding's expected lengths and values when decrypting.  Many thanks
to Nalin Dahyabhai for pointing me in the right direction.
2009-09-15 16:01:50 -07:00
Dan Williams
e2f65ce12a 2008-11-13 Dan Williams <dcbw@redhat.com>
Add support for PKCS#12 private keys (bgo #558982)

	* libnm-util/crypto.c
	  libnm-util/crypto.h
		- (parse_old_openssl_key_file): rename from parse_key_file(); adapt to
			take a GByteArray instead of a filename
		- (file_to_g_byte_array): handle private key files too
		- (decrypt_key): take a GByteArray rather than data + len
		- (crypto_get_private_key_data): refactor crypto_get_private_key() into
			one function that takes a filename, and one that takes raw data;
			detect pkcs#12 files as well
		- (crypto_load_and_verify_certificate): detect file type
		- (crypto_is_pkcs12_data, crypto_is_pkcs12_file): add pkcs#12 detection
			functions

	* libnm-util/crypto_gnutls.c
		- (crypto_decrypt): take GByteArray rather than data + len; fix a bug
			whereby tail padding was incorrectly handled, leading to erroneous
			successes when trying to decrypt the data
		- (crypto_verify_cert): rework somewhat
		- (crypto_verify_pkcs12): validate pkcs#12 keys

	* libnm-util/crypto_nss.c
		- (crypto_init): enable various pkcs#12 ciphers
		- (crypto_decrypt): take a GByteArray rather than data + len
		- (crypto_verify_cert): clean up
		- (crypto_verify_pkcs12): validate pkcs#12 keys

	* libnm-util/test-crypto.c
		- Handle pkcs#12 keys

	* libnm-util/nm-setting-8021x.c
	  libnm-util/nm-setting-8021x.h
	  libnm-util/libnm-util.ver
		- Add two new properties, 'private-key-password' and
			'phase2-private-key-password', to be used in conjunction with
			pkcs#12 keys
		- (nm_setting_802_1x_set_ca_cert_from_file,
		   nm_setting_802_1x_set_client_cert_from_file,
		   nm_setting_802_1x_set_phase2_ca_cert_from_file,
		   nm_setting_802_1x_set_phase2_client_from_file): return certificate
			type
		- (nm_setting_802_1x_get_private_key_password,
		   nm_setting_802_1x_get_phase2_private_key_password): return private
			key passwords
		- (nm_setting_802_1x_set_private_key_from_file,
		   nm_setting_802_1x_set_phase2_private_key_from_file): set the private
			key from a file, and update the private key password at the same time
		- (nm_setting_802_1x_get_private_key_type,
		   nm_setting_802_1x_get_phase2_private_key_type): return the private
			key type

	* src/supplicant-manager/nm-supplicant-settings-verify.c
		- Whitelist private key passwords

	* src/supplicant-manager/nm-supplicant-config.c
		- (nm_supplicant_config_add_setting_8021x): for pkcs#12 private keys,
			add the private key password to the supplicant config, but do not
			add the client certificate (as required by wpa_supplicant)



git-svn-id: http://svn-archive.gnome.org/svn/NetworkManager/trunk@4280 4912f4e0-d625-0410-9fb7-b9a5a253dbdc
2008-11-13 21:19:08 +00:00
Dan Williams
796829ce62 2008-09-08 Dan Williams <dcbw@redhat.com>
Patch from Alexander Sack <asac@ubuntu.com>

	* libnm-util/crypto_gnutls.c
	  libnm-util/crypto_nss.c
		- (crypto_init, crypto_deinit): just use a boolean instead of a refcount

	* libnm-util/nm-utils.c
	  libnm-util/nm-utils.h
	  libnm-util/libnm-util.ver
		- (nm_utils_init): initialize libnm-util
		- (nm_utils_deinit): de-initialize libnm-util and clean up resources

	* libnm-util/nm-setting-8021x.c
		- (nm_setting_802_1x_class_init): init libnm-util when needed



git-svn-id: http://svn-archive.gnome.org/svn/NetworkManager/trunk@4047 4912f4e0-d625-0410-9fb7-b9a5a253dbdc
2008-09-08 18:35:21 +00:00
Dan Williams
bb6b79a2a6 2008-09-05 Dan Williams <dcbw@redhat.com>
* libnm-util/crypto_nss.c
	  libnm-util/crypto_gnutls.c
	  libnm-util/crypto.h
		- (crypto_init): return error when init fails



git-svn-id: http://svn-archive.gnome.org/svn/NetworkManager/trunk@4042 4912f4e0-d625-0410-9fb7-b9a5a253dbdc
2008-09-05 18:10:39 +00:00
Dan Williams
1e379db07c 2008-08-25 Dan Williams <dcbw@redhat.com>
* libnm-util/crypto_gnutls.c
	  libnm-util/crypto_nss.c
		- (crypto_init, crypto_deinit): refcount init/deinit
		- (crypto_md5_hash): allow NULL salt



git-svn-id: http://svn-archive.gnome.org/svn/NetworkManager/trunk@4011 4912f4e0-d625-0410-9fb7-b9a5a253dbdc
2008-08-26 03:29:18 +00:00
Dan Williams
281791ac77 2008-07-27 Dan Williams <dcbw@redhat.com>
* libnm-util/*
		- Relicense to LGPLv2+



git-svn-id: http://svn-archive.gnome.org/svn/NetworkManager/trunk@3859 4912f4e0-d625-0410-9fb7-b9a5a253dbdc
2008-07-27 20:03:46 +00:00
Dan Williams
b0cf66eda8 2008-06-26 Dan Williams <dcbw@redhat.com>
* Update FSF address in license headers (Michael Biebl <biebl@debian.org>)



git-svn-id: http://svn-archive.gnome.org/svn/NetworkManager/trunk@3775 4912f4e0-d625-0410-9fb7-b9a5a253dbdc
2008-06-26 18:31:52 +00:00
Tambet Ingo
40a69f986c 2008-05-15 Tambet Ingo <tambet@gmail.com>
Move crypto functions from nm-applet to libnm-util.

	* libnm-util/nm-setting-8021x.c (nm_setting_802_1x_set_ca_cert)
	(nm_setting_802_1x_set_client_cert)
	(nm_setting_802_1x_set_phase2_ca_cert)
	(nm_setting_802_1x_set_phase2_client_cert)
	(nm_setting_802_1x_set_private_key)
	(nm_setting_802_1x_set_phase2_private_key): Implement. Given a certificate
	file (or private key and it's password), read the certificate data.

	* libnm-util/crypto_nss.c:
	* libnm-util/crypto_gnutls.c:
	* libnm-util/crypto.[ch]: Move here from nm-applet.

	* configure.in: Check for NSS and gnutls here (moved here from nm-applet).

	* system-settings/plugins/ifcfg-suse/parser.c (read_wpa_eap_settings):
	Imlement WPA-EAP configuration reading from sysconfig.


git-svn-id: http://svn-archive.gnome.org/svn/NetworkManager/trunk@3673 4912f4e0-d625-0410-9fb7-b9a5a253dbdc
2008-05-19 07:43:13 +00:00