authorLubomir Rintel <lkundrak@v3.sk>2017-02-09 14:29:12 +0100
committerLubomir Rintel <lkundrak@v3.sk>2017-02-17 14:24:34 +0100
commit70b370f52c7659659b0e50f47282b36991212902 (patch)
treecdd486d0f196a7285451fccf13bbe0d64eb61603
parent4898e2f686f1fd0a365447893cb33adaaf7fad41 (diff)
downloadNetworkManager-70b370f52c7659659b0e50f47282b36991212902.tar.gz
ifcfg-rh: support the pkcs11 scheme for certs/keys
The PKCS#11 URIs start with the "pkcs11:" scheme. There's a slight possibility of a clash with file names relative to the ifcfg file, but that is probably unlikely enough to leave us unworried. The alternatives are probably more horrible (using a different key, or using a separate key for the scheme alone) and it's already simple enough to avoid a clash by using an absolute file name.
-rw-r--r--src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c94
-rw-r--r--src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-writer.c22
2 files changed, 60 insertions, 56 deletions
diff --git a/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c b/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c
index ab0a200e4f..1adc7f8cb3 100644
--- a/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c
+++ b/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c
@@ -2545,6 +2545,19 @@ get_full_file_path (const char *ifcfg_path, const char *file_path)
return ret;
}
+static char *
+get_cert_value (const char *ifcfg_path, const char *value,
+ NMSetting8021xCKScheme *out_scheme)
+{
+ if (strncmp (value, "pkcs11:", 7) == 0) {
+ *out_scheme = NM_SETTING_802_1X_CK_SCHEME_PKCS11;
+ return g_strdup (value);
+ }
+
+ *out_scheme = NM_SETTING_802_1X_CK_SCHEME_PATH;
+ return get_full_file_path (ifcfg_path, value);
+}
+
static gboolean
eap_tls_reader (const char *eap_method,
shvarFile *ifcfg,
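Review bot: The prefix test in get_cert_value is case-sensitive and hard-codes the length 7, so a value spelled `PKCS11:…` (URI scheme names are case-insensitive under RFC 3986, which RFC 7512 inherits) falls through to get_full_file_path and is resolved as a relative file name. Consider `if (g_ascii_strncasecmp (value, "pkcs11:", strlen ("pkcs11:")) == 0)`, or at least `g_str_has_prefix (value, "pkcs11:")` to drop the magic number; whether nm_setting_802_1x_set_*_cert accepts a non-lowercase scheme is not visible here, so confirm before widening the match. The helper also deserves a comment stating the precedence it introduces, e.g. `/* A "pkcs11:" prefix always wins over a relative file name of the same spelling; use an absolute path to refer to such a file. */`. Nothing here validates the body of the URI; it is handed verbatim to the setter, which presumably does.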
@@ -2555,7 +2568,7 @@ eap_tls_reader (const char *eap_method,
{
char *value;
char *ca_cert = NULL;
- char *real_path = NULL;
+ char *real_cert_value = NULL;
char *client_cert = NULL;
char *privkey = NULL;
char *privkey_password = NULL;
@@ -2568,6 +2581,7 @@ eap_tls_reader (const char *eap_method,
const char *pk_pw_flags_key = phase2 ? "IEEE_8021X_INNER_PRIVATE_KEY_PASSWORD_FLAGS": "IEEE_8021X_PRIVATE_KEY_PASSWORD_FLAGS";
const char *pk_pw_flags_prop = phase2 ? NM_SETTING_802_1X_PHASE2_PRIVATE_KEY_PASSWORD_FLAGS : NM_SETTING_802_1X_PRIVATE_KEY_PASSWORD_FLAGS;
NMSettingSecretFlags flags;
+ NMSetting8021xCKScheme scheme;
value = svGetValueString (ifcfg, "IEEE_8021X_IDENTITY");
if (value) {
@@ -2577,24 +2591,16 @@ eap_tls_reader (const char *eap_method,
ca_cert = svGetValueString (ifcfg, ca_cert_key);
if (ca_cert) {
- real_path = get_full_file_path (svFileGetName (ifcfg), ca_cert);
+ real_cert_value = get_cert_value (svFileGetName (ifcfg), ca_cert, &scheme);
if (phase2) {
- if (!nm_setting_802_1x_set_phase2_ca_cert (s_8021x,
- real_path,
- NM_SETTING_802_1X_CK_SCHEME_PATH,
- NULL,
- error))
+ if (!nm_setting_802_1x_set_phase2_ca_cert (s_8021x, real_cert_value, scheme, NULL, error))
goto done;
} else {
- if (!nm_setting_802_1x_set_ca_cert (s_8021x,
- real_path,
- NM_SETTING_802_1X_CK_SCHEME_PATH,
- NULL,
- error))
+ if (!nm_setting_802_1x_set_ca_cert (s_8021x, real_cert_value, scheme, NULL, error))
goto done;
}
- g_free (real_path);
- real_path = NULL;
+ g_free (real_cert_value);
+ real_cert_value = NULL;
} else {
PARSE_WARNING ("missing %s for EAP method '%s'; this is insecure!",
ca_cert_key, eap_method);
@@ -2632,26 +2638,26 @@ eap_tls_reader (const char *eap_method,
goto done;
}
- real_path = get_full_file_path (svFileGetName (ifcfg), privkey);
+ real_cert_value = get_cert_value (svFileGetName (ifcfg), privkey, &scheme);
if (phase2) {
if (!nm_setting_802_1x_set_phase2_private_key (s_8021x,
- real_path,
+ real_cert_value,
privkey_password,
- NM_SETTING_802_1X_CK_SCHEME_PATH,
+ scheme,
&privkey_format,
error))
goto done;
} else {
if (!nm_setting_802_1x_set_private_key (s_8021x,
- real_path,
+ real_cert_value,
privkey_password,
- NM_SETTING_802_1X_CK_SCHEME_PATH,
+ scheme,
&privkey_format,
error))
goto done;
}
- g_free (real_path);
- real_path = NULL;
+ g_free (real_cert_value);
+ real_cert_value = NULL;
/* Only set the client certificate if the private key is not PKCS#12 format,
* as NM (due to supplicant restrictions) requires. If the key was PKCS#12,
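Review bot: For a `pkcs11:` private key, `privkey_password` is presumably the token PIN rather than a key-file passphrase, and the `privkey_format` the setter reports for the URI drives the client-cert decision described by the comment at the end of the hunk (client cert only set when the key is not PKCS#12); what nm_setting_802_1x_set_private_key stores in `privkey_format` for the PKCS11 scheme is not visible here, so confirm that the URI case still reaches the client-cert branch. A one-line comment before the call would help a reader, e.g. `/* For the PKCS11 scheme the "password" is the token PIN and the key format is whatever the setter reports. */`. eap_tls_reader continues outside the hunk.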
@@ -2669,30 +2675,22 @@ eap_tls_reader (const char *eap_method,
goto done;
}
- real_path = get_full_file_path (svFileGetName (ifcfg), client_cert);
+ real_cert_value = get_cert_value (svFileGetName (ifcfg), client_cert, &scheme);
if (phase2) {
- if (!nm_setting_802_1x_set_phase2_client_cert (s_8021x,
- real_path,
- NM_SETTING_802_1X_CK_SCHEME_PATH,
- NULL,
- error))
+ if (!nm_setting_802_1x_set_phase2_client_cert (s_8021x, real_cert_value, scheme, NULL, error))
goto done;
} else {
- if (!nm_setting_802_1x_set_client_cert (s_8021x,
- real_path,
- NM_SETTING_802_1X_CK_SCHEME_PATH,
- NULL,
- error))
+ if (!nm_setting_802_1x_set_client_cert (s_8021x, real_cert_value, scheme, NULL, error))
goto done;
}
- g_free (real_path);
- real_path = NULL;
+ g_free (real_cert_value);
+ real_cert_value = NULL;
}
success = TRUE;
done:
- g_free (real_path);
+ g_free (real_cert_value);
g_free (ca_cert);
g_free (client_cert);
g_free (privkey);
@@ -2710,21 +2708,18 @@ eap_peap_reader (const char *eap_method,
{
char *anon_ident = NULL;
char *ca_cert = NULL;
- char *real_cert_path = NULL;
+ char *real_cert_value = NULL;
char *inner_auth = NULL;
char *peapver = NULL;
char *lower;
char **list = NULL, **iter;
gboolean success = FALSE;
+ NMSetting8021xCKScheme scheme;
ca_cert = svGetValueString (ifcfg, "IEEE_8021X_CA_CERT");
if (ca_cert) {
- real_cert_path = get_full_file_path (svFileGetName (ifcfg), ca_cert);
- if (!nm_setting_802_1x_set_ca_cert (s_8021x,
- real_cert_path,
- NM_SETTING_802_1X_CK_SCHEME_PATH,
- NULL,
- error))
+ real_cert_value = get_cert_value (svFileGetName (ifcfg), ca_cert, &scheme);
+ if (!nm_setting_802_1x_set_ca_cert (s_8021x, real_cert_value, scheme, NULL, error))
goto done;
} else {
PARSE_WARNING ("missing IEEE_8021X_CA_CERT for EAP method '%s'; this is insecure!",
@@ -2799,7 +2794,7 @@ done:
g_strfreev (list);
g_free (inner_auth);
g_free (peapver);
- g_free (real_cert_path);
+ g_free (real_cert_value);
g_free (ca_cert);
g_free (anon_ident);
return success;
@@ -2816,19 +2811,16 @@ eap_ttls_reader (const char *eap_method,
gboolean success = FALSE;
char *anon_ident = NULL;
char *ca_cert = NULL;
- char *real_cert_path = NULL;
+ char *real_cert_value = NULL;
char *inner_auth = NULL;
char *tmp;
char **list = NULL, **iter;
+ NMSetting8021xCKScheme scheme;
ca_cert = svGetValueString (ifcfg, "IEEE_8021X_CA_CERT");
if (ca_cert) {
- real_cert_path = get_full_file_path (svFileGetName (ifcfg), ca_cert);
- if (!nm_setting_802_1x_set_ca_cert (s_8021x,
- real_cert_path,
- NM_SETTING_802_1X_CK_SCHEME_PATH,
- NULL,
- error))
+ real_cert_value = get_cert_value (svFileGetName (ifcfg), ca_cert, &scheme);
+ if (!nm_setting_802_1x_set_ca_cert (s_8021x, real_cert_value, scheme, NULL, error))
goto done;
} else {
PARSE_WARNING ("missing IEEE_8021X_CA_CERT for EAP method '%s'; this is insecure!",
@@ -2887,7 +2879,7 @@ done:
if (list)
g_strfreev (list);
g_free (inner_auth);
- g_free (real_cert_path);
+ g_free (real_cert_value);
g_free (ca_cert);
g_free (anon_ident);
return success;
diff --git a/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-writer.c b/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-writer.c
index fa8013b024..1cc6301912 100644
--- a/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-writer.c
+++ b/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-writer.c
@@ -151,6 +151,7 @@ typedef struct ObjectType {
NMSetting8021xCKScheme (*scheme_func)(NMSetting8021x *setting);
const char * (*path_func) (NMSetting8021x *setting);
GBytes * (*blob_func) (NMSetting8021x *setting);
+ const char * (*uri_func) (NMSetting8021x *setting);
const char *ifcfg_key;
const char *suffix;
} ObjectType;
@@ -160,6 +161,7 @@ static const ObjectType ca_type = {
nm_setting_802_1x_get_ca_cert_scheme,
nm_setting_802_1x_get_ca_cert_path,
nm_setting_802_1x_get_ca_cert_blob,
+ nm_setting_802_1x_get_ca_cert_uri,
"IEEE_8021X_CA_CERT",
"ca-cert.der"
};
@@ -169,6 +171,7 @@ static const ObjectType phase2_ca_type = {
nm_setting_802_1x_get_phase2_ca_cert_scheme,
nm_setting_802_1x_get_phase2_ca_cert_path,
nm_setting_802_1x_get_phase2_ca_cert_blob,
+ nm_setting_802_1x_get_phase2_ca_cert_uri,
"IEEE_8021X_INNER_CA_CERT",
"inner-ca-cert.der"
};
@@ -178,6 +181,7 @@ static const ObjectType client_type = {
nm_setting_802_1x_get_client_cert_scheme,
nm_setting_802_1x_get_client_cert_path,
nm_setting_802_1x_get_client_cert_blob,
+ nm_setting_802_1x_get_client_cert_uri,
"IEEE_8021X_CLIENT_CERT",
"client-cert.der"
};
@@ -187,6 +191,7 @@ static const ObjectType phase2_client_type = {
nm_setting_802_1x_get_phase2_client_cert_scheme,
nm_setting_802_1x_get_phase2_client_cert_path,
nm_setting_802_1x_get_phase2_client_cert_blob,
+ nm_setting_802_1x_get_phase2_client_cert_uri,
"IEEE_8021X_INNER_CLIENT_CERT",
"inner-client-cert.der"
};
@@ -196,6 +201,7 @@ static const ObjectType pk_type = {
nm_setting_802_1x_get_private_key_scheme,
nm_setting_802_1x_get_private_key_path,
nm_setting_802_1x_get_private_key_blob,
+ nm_setting_802_1x_get_private_key_uri,
"IEEE_8021X_PRIVATE_KEY",
"private-key.pem"
};
@@ -205,6 +211,7 @@ static const ObjectType phase2_pk_type = {
nm_setting_802_1x_get_phase2_private_key_scheme,
nm_setting_802_1x_get_phase2_private_key_path,
nm_setting_802_1x_get_phase2_private_key_blob,
+ nm_setting_802_1x_get_phase2_private_key_uri,
"IEEE_8021X_INNER_PRIVATE_KEY",
"inner-private-key.pem"
};
@@ -214,6 +221,7 @@ static const ObjectType p12_type = {
nm_setting_802_1x_get_private_key_scheme,
nm_setting_802_1x_get_private_key_path,
nm_setting_802_1x_get_private_key_blob,
+ nm_setting_802_1x_get_private_key_uri,
"IEEE_8021X_PRIVATE_KEY",
"private-key.p12"
};
@@ -223,6 +231,7 @@ static const ObjectType phase2_p12_type = {
nm_setting_802_1x_get_phase2_private_key_scheme,
nm_setting_802_1x_get_phase2_private_key_path,
nm_setting_802_1x_get_phase2_private_key_blob,
+ nm_setting_802_1x_get_phase2_private_key_uri,
"IEEE_8021X_INNER_PRIVATE_KEY",
"inner-private-key.p12"
};
@@ -234,7 +243,7 @@ write_object (NMSetting8021x *s_8021x,
GError **error)
{
NMSetting8021xCKScheme scheme;
- const char *path = NULL;
+ const char *value = NULL;
GBytes *blob = NULL;
g_return_val_if_fail (ifcfg != NULL, FALSE);
@@ -248,7 +257,10 @@ write_object (NMSetting8021x *s_8021x,
blob = (*(objtype->blob_func))(s_8021x);
break;
case NM_SETTING_802_1X_CK_SCHEME_PATH:
- path = (*(objtype->path_func))(s_8021x);
+ value = (*(objtype->path_func))(s_8021x);
+ break;
+ case NM_SETTING_802_1X_CK_SCHEME_PKCS11:
+ value = (*(objtype->uri_func))(s_8021x);
break;
default:
g_set_error (error, NM_SETTINGS_ERROR, NM_SETTINGS_ERROR_FAILED,
@@ -259,7 +271,7 @@ write_object (NMSetting8021x *s_8021x,
/* If certificate/private key wasn't sent, the connection may no longer be
* 802.1x and thus we clear out the paths and certs.
*/
- if (!path && !blob) {
+ if (!value && !blob) {
char *standard_file;
int ignored;
@@ -281,8 +293,8 @@ write_object (NMSetting8021x *s_8021x,
/* If the object path was specified, prefer that over any raw cert data that
* may have been sent.
*/
- if (path) {
- svSetValueString (ifcfg, objtype->ifcfg_key, path);
+ if (value) {
+ svSetValueString (ifcfg, objtype->ifcfg_key, value);
return TRUE;
}
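Review bot: The comment at the start of the hunk still says "If the object path was specified", but after this change `value` may also be a PKCS#11 URI from uri_func, so it should read `/* If an object path or PKCS#11 URI was specified, prefer that over any raw cert data that may have been sent. */`. The URI is written verbatim into the ifcfg key; RFC 7512 permits a `pin-value` query attribute, so a URI carrying one would put the PIN into the main ifcfg file rather than wherever the private-key password is otherwise stored — I cannot see whether the setting layer rejects such URIs, so it is worth confirming, or rejecting them here before svSetValueString. write_object continues outside the hunk.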