fdo-mirrors/NetworkManager
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/NetworkManager/NetworkManager.git synced 2026-02-05 11:10:31 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

libnm-util: private keys are now required for TLS connections to verify

Browse source 
Since private keys are no longer secret, they must be given in the
connection itself.
This commit is contained in:
Dan Williams 2011-02-02 19:32:30 -06:00
parent a5103bf234
commit 2e0fb2ae4e
2 changed files with 40 additions and 152 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

44
libnm-util/nm-setting-8021x.c
View file

@ -1847,11 +1847,6 @@ need_secrets_tls (NMSetting8021x *self,
const char *path = NULL;
if (phase2) {
if (!priv->phase2_private_key || !priv->phase2_private_key->len) {
g_ptr_array_add (secrets, NM_SETTING_802_1X_PHASE2_PRIVATE_KEY);
return;
}
scheme = nm_setting_802_1x_get_phase2_private_key_scheme (self);
if (scheme == NM_SETTING_802_1X_CK_SCHEME_PATH)
path = nm_setting_802_1x_get_phase2_private_key_path (self);
@ -1866,11 +1861,6 @@ need_secrets_tls (NMSetting8021x *self,
if (need_private_key_password (blob, path, priv->phase2_private_key_password))
g_ptr_array_add (secrets, NM_SETTING_802_1X_PHASE2_PRIVATE_KEY_PASSWORD);
} else {
if (!priv->private_key || !priv->private_key->len) {
g_ptr_array_add (secrets, NM_SETTING_802_1X_PRIVATE_KEY);
return;
}
scheme = nm_setting_802_1x_get_private_key_scheme (self);
if (scheme == NM_SETTING_802_1X_CK_SCHEME_PATH)
path = nm_setting_802_1x_get_private_key_path (self);
@ -1907,8 +1897,23 @@ verify_tls (NMSetting8021x *self, gboolean phase2, GError **error)
return FALSE;
}
/* Private key is required for TLS */
if (!priv->phase2_private_key) {
g_set_error (error,
NM_SETTING_802_1X_ERROR,
NM_SETTING_802_1X_ERROR_MISSING_PROPERTY,
NM_SETTING_802_1X_PHASE2_PRIVATE_KEY);
return FALSE;
} else if (!priv->phase2_private_key->len) {
g_set_error (error,
NM_SETTING_802_1X_ERROR,
NM_SETTING_802_1X_ERROR_INVALID_PROPERTY,
NM_SETTING_802_1X_PHASE2_PRIVATE_KEY);
return FALSE;
}
/* If the private key is PKCS#12, check that it matches the client cert */
if (priv->phase2_private_key && crypto_is_pkcs12_data (priv->phase2_private_key)) {
if (crypto_is_pkcs12_data (priv->phase2_private_key)) {
if (priv->phase2_private_key->len != priv->phase2_client_cert->len) {
g_set_error (error,
NM_SETTING_802_1X_ERROR,
@ -1942,8 +1947,23 @@ verify_tls (NMSetting8021x *self, gboolean phase2, GError **error)
return FALSE;
}
/* Private key is required for TLS */
if (!priv->private_key) {
g_set_error (error,
NM_SETTING_802_1X_ERROR,
NM_SETTING_802_1X_ERROR_MISSING_PROPERTY,
NM_SETTING_802_1X_PRIVATE_KEY);
return FALSE;
} else if (!priv->private_key->len) {
g_set_error (error,
NM_SETTING_802_1X_ERROR,
NM_SETTING_802_1X_ERROR_INVALID_PROPERTY,
NM_SETTING_802_1X_PRIVATE_KEY);
return FALSE;
}
/* If the private key is PKCS#12, check that it matches the client cert */
if (priv->private_key && crypto_is_pkcs12_data (priv->private_key)) {
if (crypto_is_pkcs12_data (priv->private_key)) {
if (priv->private_key->len != priv->client_cert->len) {
g_set_error (error,
NM_SETTING_802_1X_ERROR,

148
libnm-util/tests/test-need-secrets.c
View file

@ -154,7 +154,6 @@ test_need_tls_secrets_path (void)
NMConnection *connection;
const char *setting_name;
GPtrArray *hints = NULL;
NMSetting8021x *s_8021x;
connection = make_tls_connection ("need-tls-secrets-path-key", NM_SETTING_802_1X_CK_SCHEME_PATH);
ASSERT (connection != NULL,
@ -170,41 +169,9 @@ test_need_tls_secrets_path (void)
"need-tls-secrets-path-key",
"hints should be NULL since no secrets were required");
/* Connection is good; clear secrets and ensure private key is then required */
/* Connection is good; clear secrets and ensure private key password is then required */
nm_connection_clear_secrets (connection);
hints = NULL;
setting_name = nm_connection_need_secrets (connection, &hints);
ASSERT (setting_name != NULL,
"need-tls-secrets-path-key",
"unexpected secrets success");
ASSERT (strcmp (setting_name, NM_SETTING_802_1X_SETTING_NAME) == 0,
"need-tls-secrets-path-key",
"unexpected setting secrets required");
ASSERT (hints != NULL,
"need-tls-secrets-path-key",
"expected returned secrets hints");
ASSERT (find_hints_item (hints, NM_SETTING_802_1X_PRIVATE_KEY),
"need-tls-secrets-path-key",
"expected to require private key, but it wasn't");
g_object_unref (connection);
/*** Just clear the private key this time ***/
connection = make_tls_connection ("need-tls-secrets-path-key-password", NM_SETTING_802_1X_CK_SCHEME_PATH);
ASSERT (connection != NULL,
"need-tls-secrets-path-key-password",
"error creating test connection");
s_8021x = (NMSetting8021x *) nm_connection_get_setting (connection, NM_TYPE_SETTING_802_1X);
ASSERT (s_8021x != NULL,
"need-tls-secrets-path-key-password",
"error getting test 802.1x setting");
g_object_set (G_OBJECT (s_8021x), NM_SETTING_802_1X_PRIVATE_KEY_PASSWORD, NULL, NULL);
hints = NULL;
setting_name = nm_connection_need_secrets (connection, &hints);
ASSERT (setting_name != NULL,
@ -230,7 +197,6 @@ test_need_tls_secrets_blob (void)
NMConnection *connection;
const char *setting_name;
GPtrArray *hints = NULL;
NMSetting8021x *s_8021x;
connection = make_tls_connection ("need-tls-secrets-blob-key", NM_SETTING_802_1X_CK_SCHEME_BLOB);
ASSERT (connection != NULL,
@ -246,42 +212,11 @@ test_need_tls_secrets_blob (void)
"need-tls-secrets-blob-key",
"hints should be NULL since no secrets were required");
/* Connection is good; clear secrets and ensure private key is then required */
/* Connection is good; clear secrets and ensure private key password is not
* required because our blob is decrypted.
*/
nm_connection_clear_secrets (connection);
hints = NULL;
setting_name = nm_connection_need_secrets (connection, &hints);
ASSERT (setting_name != NULL,
"need-tls-secrets-blob-key",
"unexpected secrets success");
ASSERT (strcmp (setting_name, NM_SETTING_802_1X_SETTING_NAME) == 0,
"need-tls-secrets-blob-key",
"unexpected setting secrets required");
ASSERT (hints != NULL,
"need-tls-secrets-blob-key",
"expected returned secrets hints");
ASSERT (find_hints_item (hints, NM_SETTING_802_1X_PRIVATE_KEY),
"need-tls-secrets-blob-key",
"expected to require private key, but it wasn't");
g_object_unref (connection);
/*** Just clear the private key this time ***/
connection = make_tls_connection ("need-tls-secrets-blob-key-password", NM_SETTING_802_1X_CK_SCHEME_BLOB);
ASSERT (connection != NULL,
"need-tls-secrets-blob-key-password",
"error creating test connection");
s_8021x = (NMSetting8021x *) nm_connection_get_setting (connection, NM_TYPE_SETTING_802_1X);
ASSERT (s_8021x != NULL,
"need-tls-secrets-blob-key-password",
"error getting test 802.1x setting");
g_object_set (G_OBJECT (s_8021x), NM_SETTING_802_1X_PRIVATE_KEY_PASSWORD, NULL, NULL);
/* Blobs are already decrypted and don't need a password */
hints = NULL;
setting_name = nm_connection_need_secrets (connection, &hints);
ASSERT (setting_name == NULL,
@ -396,7 +331,6 @@ test_need_tls_phase2_secrets_path (void)
NMConnection *connection;
const char *setting_name;
GPtrArray *hints = NULL;
NMSetting8021x *s_8021x;
connection = make_tls_phase2_connection ("need-tls-phase2-secrets-path-key",
NM_SETTING_802_1X_CK_SCHEME_PATH);
@ -413,42 +347,9 @@ test_need_tls_phase2_secrets_path (void)
"need-tls-phase2-secrets-path-key",
"hints should be NULL since no secrets were required");
/* Connection is good; clear secrets and ensure private key is then required */
/* Connection is good; clear secrets and ensure private key password is then required */
nm_connection_clear_secrets (connection);
hints = NULL;
setting_name = nm_connection_need_secrets (connection, &hints);
ASSERT (setting_name != NULL,
"need-tls-phase2-secrets-path-key",
"unexpected secrets success");
ASSERT (strcmp (setting_name, NM_SETTING_802_1X_SETTING_NAME) == 0,
"need-tls-phase2-secrets-path-key",
"unexpected setting secrets required");
ASSERT (hints != NULL,
"need-tls-phase2-secrets-path-key",
"expected returned secrets hints");
ASSERT (find_hints_item (hints, NM_SETTING_802_1X_PHASE2_PRIVATE_KEY),
"need-tls-phase2-secrets-path-key",
"expected to require private key, but it wasn't");
g_object_unref (connection);
/*** Just clear the private key this time ***/
connection = make_tls_phase2_connection ("need-tls-phase2-secrets-path-key-password",
NM_SETTING_802_1X_CK_SCHEME_PATH);
ASSERT (connection != NULL,
"need-tls-phase2-secrets-path-key-password",
"error creating test connection");
s_8021x = (NMSetting8021x *) nm_connection_get_setting (connection, NM_TYPE_SETTING_802_1X);
ASSERT (s_8021x != NULL,
"need-tls-phase2-secrets-path-key-password",
"error getting test 802.1x setting");
g_object_set (G_OBJECT (s_8021x), NM_SETTING_802_1X_PHASE2_PRIVATE_KEY_PASSWORD, NULL, NULL);
hints = NULL;
setting_name = nm_connection_need_secrets (connection, &hints);
ASSERT (setting_name != NULL,
@ -474,7 +375,6 @@ test_need_tls_phase2_secrets_blob (void)
NMConnection *connection;
const char *setting_name;
GPtrArray *hints = NULL;
NMSetting8021x *s_8021x;
connection = make_tls_phase2_connection ("need-tls-phase2-secrets-blob-key",
NM_SETTING_802_1X_CK_SCHEME_BLOB);
@ -491,43 +391,11 @@ test_need_tls_phase2_secrets_blob (void)
"need-tls-phase2-secrets-blob-key",
"hints should be NULL since no secrets were required");
/* Connection is good; clear secrets and ensure private key is then required */
/* Connection is good; clear secrets and ensure private key password is not
* required because our blob is decrypted.
*/
nm_connection_clear_secrets (connection);
hints = NULL;
setting_name = nm_connection_need_secrets (connection, &hints);
ASSERT (setting_name != NULL,
"need-tls-phase2-secrets-blob-key",
"unexpected secrets success");
ASSERT (strcmp (setting_name, NM_SETTING_802_1X_SETTING_NAME) == 0,
"need-tls-phase2-secrets-blob-key",
"unexpected setting secrets required");
ASSERT (hints != NULL,
"need-tls-phase2-secrets-blob-key",
"expected returned secrets hints");
ASSERT (find_hints_item (hints, NM_SETTING_802_1X_PHASE2_PRIVATE_KEY),
"need-tls-phase2-secrets-blob-key",
"expected to require private key, but it wasn't");
g_object_unref (connection);
/*** Just clear the private key this time ***/
connection = make_tls_phase2_connection ("need-tls-phase2-secrets-blob-key-password",
NM_SETTING_802_1X_CK_SCHEME_BLOB);
ASSERT (connection != NULL,
"need-tls-phase2-secrets-blob-key-password",
"error creating test connection");
s_8021x = (NMSetting8021x *) nm_connection_get_setting (connection, NM_TYPE_SETTING_802_1X);
ASSERT (s_8021x != NULL,
"need-tls-phase2-secrets-blob-key-password",
"error getting test 802.1x setting");
g_object_set (G_OBJECT (s_8021x), NM_SETTING_802_1X_PHASE2_PRIVATE_KEY_PASSWORD, NULL, NULL);
/* Blobs are already decrypted and don't need a password */
hints = NULL;
setting_name = nm_connection_need_secrets (connection, &hints);
ASSERT (setting_name == NULL,