author | Lubomir Rintel <lkundrak@v3.sk> | 2017-02-09 14:29:12 +0100 |
---|---|---|
committer | Lubomir Rintel <lkundrak@v3.sk> | 2017-02-17 14:24:34 +0100 |
commit | 70b370f52c7659659b0e50f47282b36991212902 (patch) | |
tree | cdd486d0f196a7285451fccf13bbe0d64eb61603 | |
parent | 4898e2f686f1fd0a365447893cb33adaaf7fad41 (diff) | |
ifcfg-rh: support the pkcs11 scheme for certs/keys
The PKCS#11 URIs start with the "pkcs11:" scheme. There's a slight
possibility of a clash with file names relative to the ifcfg file, but
that is probably unlikely enough to leave us not worried.
The alternatives are probably more horrible (using a different key, or
using a separate key for the scheme alone) and it's already simple
enough to avoid a clash by using an absolute file name.
-rw-r--r-- | src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c | 94 | ||||
-rw-r--r-- | src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-writer.c | 22 |
2 files changed, 60 insertions, 56 deletions
diff --git a/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c b/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c
index ab0a200e4f..1adc7f8cb3 100644
--- a/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c
+++ b/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c
@@ -2545,6 +2545,19 @@ get_full_file_path (const char *ifcfg_path, const char *file_path)
 return ret;
 }
+static char *
+get_cert_value (const char *ifcfg_path, const char *value,
+ NMSetting8021xCKScheme *out_scheme)
+{
+ if (strncmp (value, "pkcs11:", 7) == 0) {
+ *out_scheme = NM_SETTING_802_1X_CK_SCHEME_PKCS11;
+ return g_strdup (value);
+ }
+ *out_scheme = NM_SETTING_802_1X_CK_SCHEME_PATH;
+ return get_full_file_path (ifcfg_path, value);
+}
 static gboolean
 eap_tls_reader (const char *eap_method,
 shvarFile *ifcfg,
@@ -2555,7 +2568,7 @@ eap_tls_reader (const char *eap_method,
 {
 char *value;
 char *ca_cert = NULL;
- char *real_path = NULL;
+ char *real_cert_value = NULL;
 char *client_cert = NULL;
 char *privkey = NULL;
 char *privkey_password = NULL;
@@ -2568,6 +2581,7 @@ eap_tls_reader (const char *eap_method,
 const char *pk_pw_flags_key = phase2 ? "IEEE_8021X_INNER_PRIVATE_KEY_PASSWORD_FLAGS": "IEEE_8021X_PRIVATE_KEY_PASSWORD_FLAGS";
 const char *pk_pw_flags_prop = phase2 ? NM_SETTING_802_1X_PHASE2_PRIVATE_KEY_PASSWORD_FLAGS : NM_SETTING_802_1X_PRIVATE_KEY_PASSWORD_FLAGS;
 NMSettingSecretFlags flags;
+ NMSetting8021xCKScheme scheme;
 value = svGetValueString (ifcfg, "IEEE_8021X_IDENTITY");
 if (value) {
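Review bot: get_cert_value in the first hunk carries no comment and its prefix test hard-codes `7` as the length of the "pkcs11:" literal, so the two can drift apart silently; `if (g_str_has_prefix (value, "pkcs11:")) {` expresses the same test without the magic number. A header comment should state the contract the callers rely on: the returned string is newly allocated and owned by the caller, a value beginning with "pkcs11:" is passed through verbatim with *out_scheme set to NM_SETTING_802_1X_CK_SCHEME_PKCS11, anything else is resolved relative to the ifcfg file with *out_scheme set to NM_SETTING_802_1X_CK_SCHEME_PATH, and consequently a relative file name that itself begins with "pkcs11:" cannot be referenced (an absolute path avoids the clash, as the commit message says). `value` is dereferenced unconditionally, so the comment should also say it must be non-NULL; the visible callers guard with `if (ca_cert)`, while the privkey and client_cert guards lie outside the hunks.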
@@ -2577,24 +2591,16 @@ eap_tls_reader (const char *eap_method,
 ca_cert = svGetValueString (ifcfg, ca_cert_key);
 if (ca_cert) {
- real_path = get_full_file_path (svFileGetName (ifcfg), ca_cert);
+ real_cert_value = get_cert_value (svFileGetName (ifcfg), ca_cert, &scheme);
 if (phase2) {
- if (!nm_setting_802_1x_set_phase2_ca_cert (s_8021x,
- real_path,
- NM_SETTING_802_1X_CK_SCHEME_PATH,
- NULL,
- error))
+ if (!nm_setting_802_1x_set_phase2_ca_cert (s_8021x, real_cert_value, scheme, NULL, error))
 goto done;
 } else {
- if (!nm_setting_802_1x_set_ca_cert (s_8021x,
- real_path,
- NM_SETTING_802_1X_CK_SCHEME_PATH,
- NULL,
- error))
+ if (!nm_setting_802_1x_set_ca_cert (s_8021x, real_cert_value, scheme, NULL, error))
 goto done;
 }
- g_free (real_path);
- real_path = NULL;
+ g_free (real_cert_value);
+ real_cert_value = NULL;
 } else {
 PARSE_WARNING ("missing %s for EAP method '%s'; this is insecure!",
 ca_cert_key, eap_method);
@@ -2632,26 +2638,26 @@ eap_tls_reader (const char *eap_method,
 goto done;
 }
- real_path = get_full_file_path (svFileGetName (ifcfg), privkey);
+ real_cert_value = get_cert_value (svFileGetName (ifcfg), privkey, &scheme);
 if (phase2) {
 if (!nm_setting_802_1x_set_phase2_private_key (s_8021x,
- real_path,
+ real_cert_value,
 privkey_password,
- NM_SETTING_802_1X_CK_SCHEME_PATH,
+ scheme,
 &privkey_format,
 error))
 goto done;
 } else {
 if (!nm_setting_802_1x_set_private_key (s_8021x,
- real_path,
+ real_cert_value,
 privkey_password,
- NM_SETTING_802_1X_CK_SCHEME_PATH,
+ scheme,
 &privkey_format,
 error))
 goto done;
 }
- g_free (real_path);
- real_path = NULL;
+ g_free (real_cert_value);
+ real_cert_value = NULL;
 /* Only set the client certificate if the private key is not PKCS#12 format,
 * as NM (due to supplicant restrictions) requires. If the key was PKCS#12,
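Review bot: In the private-key hunk of eap_tls_reader, `scheme` can now be NM_SETTING_802_1X_CK_SCHEME_PKCS11 when nm_setting_802_1x_set_private_key / nm_setting_802_1x_set_phase2_private_key are asked to fill `&privkey_format`, and the comment that follows ("Only set the client certificate if the private key is not PKCS#12 format") keys the client-certificate handling on that format; what format is reported for a pkcs11: URI, where there is no file to inspect, is not visible here, and the rest of the function lies outside the hunk. A short comment next to the new `real_cert_value = get_cert_value (svFileGetName (ifcfg), privkey, &scheme);` line recording the privkey_format expected for a URI key (presumably not PKCS#12, so the client certificate is still read) would make that dependency explicit. The same comment could note that `privkey_password` is passed unchanged for both schemes, since the IEEE_8021X_PRIVATE_KEY_PASSWORD value now has a different meaning for a token-backed key than for a file.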
@@ -2669,30 +2675,22 @@ eap_tls_reader (const char *eap_method,
 goto done;
 }
- real_path = get_full_file_path (svFileGetName (ifcfg), client_cert);
+ real_cert_value = get_cert_value (svFileGetName (ifcfg), client_cert, &scheme);
 if (phase2) {
- if (!nm_setting_802_1x_set_phase2_client_cert (s_8021x,
- real_path,
- NM_SETTING_802_1X_CK_SCHEME_PATH,
- NULL,
- error))
+ if (!nm_setting_802_1x_set_phase2_client_cert (s_8021x, real_cert_value, scheme, NULL, error))
 goto done;
 } else {
- if (!nm_setting_802_1x_set_client_cert (s_8021x,
- real_path,
- NM_SETTING_802_1X_CK_SCHEME_PATH,
- NULL,
- error))
+ if (!nm_setting_802_1x_set_client_cert (s_8021x, real_cert_value, scheme, NULL, error))
 goto done;
 }
- g_free (real_path);
- real_path = NULL;
+ g_free (real_cert_value);
+ real_cert_value = NULL;
 }
 success = TRUE;
 done:
- g_free (real_path);
+ g_free (real_cert_value);
 g_free (ca_cert);
 g_free (client_cert);
 g_free (privkey);
@@ -2710,21 +2708,18 @@ eap_peap_reader (const char *eap_method,
 {
 char *anon_ident = NULL;
 char *ca_cert = NULL;
- char *real_cert_path = NULL;
+ char *real_cert_value = NULL;
 char *inner_auth = NULL;
 char *peapver = NULL;
 char *lower;
 char **list = NULL, **iter;
 gboolean success = FALSE;
+ NMSetting8021xCKScheme scheme;
 ca_cert = svGetValueString (ifcfg, "IEEE_8021X_CA_CERT");
 if (ca_cert) {
- real_cert_path = get_full_file_path (svFileGetName (ifcfg), ca_cert);
- if (!nm_setting_802_1x_set_ca_cert (s_8021x,
- real_cert_path,
- NM_SETTING_802_1X_CK_SCHEME_PATH,
- NULL,
- error))
+ real_cert_value = get_cert_value (svFileGetName (ifcfg), ca_cert, &scheme);
+ if (!nm_setting_802_1x_set_ca_cert (s_8021x, real_cert_value, scheme, NULL, error))
 goto done;
 } else {
 PARSE_WARNING ("missing IEEE_8021X_CA_CERT for EAP method '%s'; this is insecure!",
@@ -2799,7 +2794,7 @@ done:
 g_strfreev (list);
 g_free (inner_auth);
 g_free (peapver);
- g_free (real_cert_path);
+ g_free (real_cert_value);
 g_free (ca_cert);
 g_free (anon_ident);
 return success;
@@ -2816,19 +2811,16 @@ eap_ttls_reader (const char *eap_method,
 gboolean success = FALSE;
 char *anon_ident = NULL;
 char *ca_cert = NULL;
- char *real_cert_path = NULL;
+ char *real_cert_value = NULL;
 char *inner_auth = NULL;
 char *tmp;
 char **list = NULL, **iter;
+ NMSetting8021xCKScheme scheme;
 ca_cert = svGetValueString (ifcfg, "IEEE_8021X_CA_CERT");
 if (ca_cert) {
- real_cert_path = get_full_file_path (svFileGetName (ifcfg), ca_cert);
- if (!nm_setting_802_1x_set_ca_cert (s_8021x,
- real_cert_path,
- NM_SETTING_802_1X_CK_SCHEME_PATH,
- NULL,
- error))
+ real_cert_value = get_cert_value (svFileGetName (ifcfg), ca_cert, &scheme);
+ if (!nm_setting_802_1x_set_ca_cert (s_8021x, real_cert_value, scheme, NULL, error))
 goto done;
 } else {
 PARSE_WARNING ("missing IEEE_8021X_CA_CERT for EAP method '%s'; this is insecure!",
@@ -2887,7 +2879,7 @@ done:
 if (list)
 g_strfreev (list);
 g_free (inner_auth);
- g_free (real_cert_path);
+ g_free (real_cert_value);
 g_free (ca_cert);
 g_free (anon_ident);
 return success;
diff --git a/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-writer.c b/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-writer.c
index fa8013b024..1cc6301912 100644
--- a/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-writer.c
+++ b/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-writer.c
@@ -151,6 +151,7 @@ typedef struct ObjectType {
 NMSetting8021xCKScheme (*scheme_func)(NMSetting8021x *setting);
 const char * (*path_func) (NMSetting8021x *setting);
 GBytes * (*blob_func) (NMSetting8021x *setting);
+ const char * (*uri_func) (NMSetting8021x *setting);
 const char *ifcfg_key;
 const char *suffix;
 } ObjectType;
@@ -160,6 +161,7 @@ static const ObjectType ca_type = {
 nm_setting_802_1x_get_ca_cert_scheme,
 nm_setting_802_1x_get_ca_cert_path,
 nm_setting_802_1x_get_ca_cert_blob,
+ nm_setting_802_1x_get_ca_cert_uri,
 "IEEE_8021X_CA_CERT",
 "ca-cert.der"
 };
@@ -169,6 +171,7 @@ static const ObjectType phase2_ca_type = {
 nm_setting_802_1x_get_phase2_ca_cert_scheme,
 nm_setting_802_1x_get_phase2_ca_cert_path,
 nm_setting_802_1x_get_phase2_ca_cert_blob,
+ nm_setting_802_1x_get_phase2_ca_cert_uri,
 "IEEE_8021X_INNER_CA_CERT",
 "inner-ca-cert.der"
 };
@@ -178,6 +181,7 @@ static const ObjectType client_type = {
 nm_setting_802_1x_get_client_cert_scheme,
 nm_setting_802_1x_get_client_cert_path,
 nm_setting_802_1x_get_client_cert_blob,
+ nm_setting_802_1x_get_client_cert_uri,
 "IEEE_8021X_CLIENT_CERT",
 "client-cert.der"
 };
@@ -187,6 +191,7 @@ static const ObjectType phase2_client_type = {
 nm_setting_802_1x_get_phase2_client_cert_scheme,
 nm_setting_802_1x_get_phase2_client_cert_path,
 nm_setting_802_1x_get_phase2_client_cert_blob,
+ nm_setting_802_1x_get_phase2_client_cert_uri,
 "IEEE_8021X_INNER_CLIENT_CERT",
 "inner-client-cert.der"
 };
@@ -196,6 +201,7 @@ static const ObjectType pk_type = {
 nm_setting_802_1x_get_private_key_scheme,
 nm_setting_802_1x_get_private_key_path,
 nm_setting_802_1x_get_private_key_blob,
+ nm_setting_802_1x_get_private_key_uri,
 "IEEE_8021X_PRIVATE_KEY",
 "private-key.pem"
 };
@@ -205,6 +211,7 @@ static const ObjectType phase2_pk_type = {
 nm_setting_802_1x_get_phase2_private_key_scheme,
 nm_setting_802_1x_get_phase2_private_key_path,
 nm_setting_802_1x_get_phase2_private_key_blob,
+ nm_setting_802_1x_get_phase2_private_key_uri,
 "IEEE_8021X_INNER_PRIVATE_KEY",
 "inner-private-key.pem"
 };
@@ -214,6 +221,7 @@ static const ObjectType p12_type = {
 nm_setting_802_1x_get_private_key_scheme,
 nm_setting_802_1x_get_private_key_path,
 nm_setting_802_1x_get_private_key_blob,
+ nm_setting_802_1x_get_private_key_uri,
 "IEEE_8021X_PRIVATE_KEY",
 "private-key.p12"
 };
@@ -223,6 +231,7 @@ static const ObjectType phase2_p12_type = {
 nm_setting_802_1x_get_phase2_private_key_scheme,
 nm_setting_802_1x_get_phase2_private_key_path,
 nm_setting_802_1x_get_phase2_private_key_blob,
+ nm_setting_802_1x_get_phase2_private_key_uri,
 "IEEE_8021X_INNER_PRIVATE_KEY",
 "inner-private-key.p12"
 };
@@ -234,7 +243,7 @@ write_object (NMSetting8021x *s_8021x,
 GError **error)
 {
 NMSetting8021xCKScheme scheme;
- const char *path = NULL;
+ const char *value = NULL;
 GBytes *blob = NULL;
 g_return_val_if_fail (ifcfg != NULL, FALSE);
@@ -248,7 +257,10 @@ write_object (NMSetting8021x *s_8021x,
 blob = (*(objtype->blob_func))(s_8021x);
 break;
 case NM_SETTING_802_1X_CK_SCHEME_PATH:
- path = (*(objtype->path_func))(s_8021x);
+ value = (*(objtype->path_func))(s_8021x);
+ break;
+ case NM_SETTING_802_1X_CK_SCHEME_PKCS11:
+ value = (*(objtype->uri_func))(s_8021x);
 break;
 default:
 g_set_error (error, NM_SETTINGS_ERROR, NM_SETTINGS_ERROR_FAILED,
@@ -259,7 +271,7 @@ write_object (NMSetting8021x *s_8021x,
 /* If certificate/private key wasn't sent, the connection may no longer be
 * 802.1x and thus we clear out the paths and certs.
 */
- if (!path && !blob) {
+ if (!value && !blob) {
 char *standard_file;
 int ignored;
@@ -281,8 +293,8 @@ write_object (NMSetting8021x *s_8021x,
 /* If the object path was specified, prefer that over any raw cert data that
 * may have been sent.
 */
- if (path) {
- svSetValueString (ifcfg, objtype->ifcfg_key, path);
+ if (value) {
+ svSetValueString (ifcfg, objtype->ifcfg_key, value);
 return TRUE;
 }
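Review bot: The new NM_SETTING_802_1X_CK_SCHEME_PKCS11 case in write_object calls through `objtype->uri_func` without a NULL check, and uri_func is a new positional field of ObjectType; the eight tables in the preceding hunks were all extended, but any ObjectType initialized without the fourth function entry would leave uri_func NULL and the first PKCS#11 object would call through a null pointer. Designated initializers in the tables (`.uri_func = nm_setting_802_1x_get_ca_cert_uri,`) would make such an omission visible at the definition, and `g_return_val_if_fail (objtype->uri_func != NULL, FALSE);` in the new case matches the existing g_return_val_if_fail guard in the function. The two comments in the last hunks still describe the value as an "object path" even though a PKCS#11 URI now flows through the same `if (value)` branch; `/* If the object path or PKCS#11 URI was specified, prefer that over any raw cert data that` keeps the first one accurate, and the "clear out the paths and certs" wording deserves the same touch. write_object's body continues outside the hunk.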