Commit Graph

7 Commits

Author SHA1 Message Date
Dan Winship
d04f286327 all: remove pointless NULL checks
g_malloc(), etc, never return NULL, by API contract. Likewise, by
extension, no other glib function ever returns NULL due to lack of
memory. So remove lots of unnecessary checks (the vast majority of
which would have immediately crashed had they ever run anyway, since
g_set_error(), g_warning(), and nm_log_*() all need to allocate
memory).

https://bugzilla.gnome.org/show_bug.cgi?id=693678
2013-02-13 13:38:13 -05:00
Dan Williams
5deb993ff6 libnm-util: recognize PKCS#8 private keys and check passwords (bgo #649326)
Neither gnutls nor NSS fully support PKCS#8 so we don't have complete
support here, but at least recognize the keys and make an attempt to
check the private key if we can.
2011-05-13 14:22:06 -05:00
Dan Williams
28e6523b8d libnm-util: rework certificate and private key handling
First, it was not easily possible to set a private key without
also providing a password.  This used to be OK, but now with
secret flags it may be the case that when the connection is read,
there's no private key password.  So functions that set the
private key must account for NULL passwords.

Unfortunately, the crytpo code did not handle this case well.
We need to be able to independently (a) verify that a file looks
like a certificate or private key and (b) that a given password
decrypts a private key.  Previously the crypto code would fail
to verify the file when the password was NULL.

So this change fixes up the crytpo code for a more distinct
split between these two operations, such that if no password is
given, the file is still checked to ensure that it's a private
key or a certificate.  If a password is given, the password is
checked against the private key file.

This commit also changes how private keys and certificates were
handled with the BLOB scheme.  Previously only the first certificate
or first private key was included in the property data, while now
the entire file is encoded in the data.  This is intended to fix
cases where multiple private keys or certificates are present in
a PEM file.  It also allows clients to push certificate data to
NetworkManager for storage in system settings locations, which was
not as flexible before when only part of the certificate or key
was sent as the data.
2011-03-02 12:00:47 -06:00
Dan Williams
15497fd10f libnm-util: handle PEM files without an ending newline (rh #507315)
Due to an off-by-one bug if the ending PEM tag was the last thing
in the file, it would get missed.  Add some testcases for that too.
2009-11-18 16:29:48 -08:00
Dan Williams
8c35e96b60 libnm-util: add nm_utils_rsa_key_encrypt() and fix crypto padding mixups
To be backwards compatible clients need to handle both paths to private
keys and the decrypted private key data, which is what used to get passed
in the private-key and phase2-private-key attributes of the 802.1x setting.
When moving a connection around between system-settings and user-settings,
if the private key is decrypted data, the settings service needs to store
that decrypted data somewhere so that the key can be sent to NM during
the connection process.

But we don't want to store the decrypted private key data, so we have to
re-encrypt it (possibly generating a private key password if one wasn't
sent with the decrypted data) and save it to disk, then send NM a path
to that private key during connection.

To help clients do this, and so that they don't have to carry around
multiple crypto implementations depending on whether they want to use
NSS or gnutls/gcrypt, add a helper to libnm-util.

Furthermore, I misunderstood a bunch of stuff with crypto padding when
writing the encrypt/decrypt functions long ago, so fix that up.  Don't
return padding as part of the decrypted data, and make sure to verify
the padding's expected lengths and values when decrypting.  Many thanks
to Nalin Dahyabhai for pointing me in the right direction.
2009-09-15 16:01:50 -07:00
Dan Williams
e5ed391f28 libnm-util: allow certificate/key paths
Overload the certificate and key properties to allow paths to the
certificates and keys using a special prefix for the property data.
Add API to libnm-util for easy certificate path handling, and
documentation for NMSetting8021x.
2009-09-04 09:07:00 -05:00
Dan Williams
203cff4d83 libnm-util: move crypto tests to libnm-util/tests/
Add testing certs and keys; run crypto tests on 'make check'
2009-02-02 01:03:15 -05:00