From 40360167c6d02de4399b3f39aa3d93e68953500d Mon Sep 17 00:00:00 2001 From: Dan Williams Date: Tue, 13 Nov 2007 02:16:00 +0000 Subject: [PATCH] 2007-11-12 Dan Williams Make certs actually work. The private key is now a secret, and should be decrypted when requested by NM. The private key and phase2 private key passwords are no longer interesting to NM because they should be used by the settings service to decrypt the private key itself before passing it to NM, and hence have been removed as fields. * libnm-util/nm-setting-wireless-security.h libnm-util/nm-setting-wireless-security.c - Remove private-key-passwd and phase2-private-key-passwd from properties - (need_secrets_password, need_secrets_eappsk, need_secrets_sim, need_secrets): use property #defines instead strings to keep things consistent - (need_secrets_tls): if a client certificate is present but no private key, request the private key - (set_property, get_property, nm_setting_wireless_security_class_init): remove private key password stuff, mark private keys as secret * src/supplicant-manager/nm-supplicant-settings-verify.c - Remove private_key_passwd and private_key2_passwd from opt_table git-svn-id: http://svn-archive.gnome.org/svn/NetworkManager/trunk@3080 4912f4e0-d625-0410-9fb7-b9a5a253dbdc --- ChangeLog | 23 +++ libnm-util/nm-setting-wireless-security.c | 147 +++++------------- libnm-util/nm-setting-wireless-security.h | 16 +- .../nm-supplicant-settings-verify.c | 2 - 4 files changed, 68 insertions(+), 120 deletions(-) diff --git a/ChangeLog b/ChangeLog index 1479a6cf83..f5cfb22c2d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,26 @@ +2007-11-12 Dan Williams + + Make certs actually work. The private key is now a secret, and should be + decrypted when requested by NM. The private key and phase2 private key + passwords are no longer interesting to NM because they should be used by + the settings service to decrypt the private key itself before passing it + to NM, and hence have been removed as fields. + + * libnm-util/nm-setting-wireless-security.h + libnm-util/nm-setting-wireless-security.c + - Remove private-key-passwd and phase2-private-key-passwd from + properties + - (need_secrets_password, need_secrets_eappsk, need_secrets_sim, + need_secrets): use property #defines instead strings to keep things + consistent + - (need_secrets_tls): if a client certificate is present but no + private key, request the private key + - (set_property, get_property, nm_setting_wireless_security_class_init): + remove private key password stuff, mark private keys as secret + + * src/supplicant-manager/nm-supplicant-settings-verify.c + - Remove private_key_passwd and private_key2_passwd from opt_table + 2007-11-09 Dan Williams Fix vpn-properties setting update_secrets call for new NMSetting stuff. diff --git a/libnm-util/nm-setting-wireless-security.c b/libnm-util/nm-setting-wireless-security.c index 199632e696..31c52e2a61 100644 --- a/libnm-util/nm-setting-wireless-security.c +++ b/libnm-util/nm-setting-wireless-security.c @@ -23,8 +23,6 @@ enum { PROP_CA_CERT, PROP_CA_PATH, PROP_CLIENT_CERT, - PROP_PRIVATE_KEY, - PROP_PRIVATE_KEY_DECRYPTED, PROP_PHASE1_PEAPVER, PROP_PHASE1_PEAPLABEL, PROP_PHASE1_FAST_PROVISIONING, @@ -33,8 +31,6 @@ enum { PROP_PHASE2_CA_CERT, PROP_PHASE2_CA_PATH, PROP_PHASE2_CLIENT_CERT, - PROP_PHASE2_PRIVATE_KEY, - PROP_PHASE2_PRIVATE_KEY_DECRYPTED, PROP_NAI, PROP_WEP_KEY0, PROP_WEP_KEY1, @@ -44,8 +40,8 @@ enum { PROP_PASSWORD, PROP_PIN, PROP_EAPPSK, - PROP_PRIVATE_KEY_PASSWD, - PROP_PHASE2_PRIVATE_KEY_PASSWD, + PROP_PRIVATE_KEY, + PROP_PHASE2_PRIVATE_KEY, LAST_PROP }; @@ -183,7 +179,7 @@ need_secrets_password (NMSettingWirelessSecurity *self, gboolean phase2) { if (!self->password || !strlen (self->password)) - g_ptr_array_add (secrets, "password"); + g_ptr_array_add (secrets, NM_SETTING_WIRELESS_SECURITY_PASSWORD); } static void @@ -192,7 +188,7 @@ need_secrets_eappsk (NMSettingWirelessSecurity *self, gboolean phase2) { if (!self->eappsk || !strlen (self->eappsk)) - g_ptr_array_add (secrets, "eappsk"); + g_ptr_array_add (secrets, NM_SETTING_WIRELESS_SECURITY_EAPPSK); } static void @@ -201,7 +197,7 @@ need_secrets_sim (NMSettingWirelessSecurity *self, gboolean phase2) { if (!self->pin || !strlen (self->pin)) - g_ptr_array_add (secrets, "eappsk"); + g_ptr_array_add (secrets, NM_SETTING_WIRELESS_SECURITY_PIN); } static void @@ -210,13 +206,13 @@ need_secrets_tls (NMSettingWirelessSecurity *self, gboolean phase2) { if (phase2) { - if ( !self->phase2_private_key_decrypted - && ( !self->phase2_private_key_passwd || !strlen (self->phase2_private_key_passwd))) - g_ptr_array_add (secrets, "phase2-private-key-passwd"); + if ( self->phase2_client_cert + && (!self->phase2_private_key || !self->phase2_private_key->len)) + g_ptr_array_add (secrets, NM_SETTING_WIRELESS_SECURITY_PHASE2_PRIVATE_KEY); } else { - if ( !self->private_key_decrypted - && (!self->private_key_passwd || !strlen (self->private_key_passwd))) - g_ptr_array_add (secrets, "private-key-passwd"); + if (self->client_cert + && (!self->private_key || !self->private_key->len)) + g_ptr_array_add (secrets, NM_SETTING_WIRELESS_SECURITY_PRIVATE_KEY); } } @@ -306,19 +302,19 @@ need_secrets (NMSetting *setting) /* Static WEP */ if (strcmp (self->key_mgmt, "none") == 0) { if (!verify_wep_key (self->wep_key0)) { - g_ptr_array_add (secrets, "wep-key0"); + g_ptr_array_add (secrets, NM_SETTING_WIRELESS_SECURITY_WEP_KEY0); return secrets; } if (self->wep_tx_keyidx == 1 && !verify_wep_key (self->wep_key1)) { - g_ptr_array_add (secrets, "wep-key1"); + g_ptr_array_add (secrets, NM_SETTING_WIRELESS_SECURITY_WEP_KEY1); return secrets; } if (self->wep_tx_keyidx == 2 && !verify_wep_key (self->wep_key2)) { - g_ptr_array_add (secrets, "wep-key2"); + g_ptr_array_add (secrets, NM_SETTING_WIRELESS_SECURITY_WEP_KEY2); return secrets; } if (self->wep_tx_keyidx == 3 && !verify_wep_key (self->wep_key3)) { - g_ptr_array_add (secrets, "wep-key3"); + g_ptr_array_add (secrets, NM_SETTING_WIRELESS_SECURITY_WEP_KEY3); return secrets; } goto no_secrets; @@ -328,7 +324,7 @@ need_secrets (NMSetting *setting) if ( (strcmp (self->key_mgmt, "wpa-none") == 0) || (strcmp (self->key_mgmt, "wpa-psk") == 0)) { if (!verify_wpa_psk (self->psk)) { - g_ptr_array_add (secrets, "psk"); + g_ptr_array_add (secrets, NM_SETTING_WIRELESS_SECURITY_PSK); return secrets; } goto no_secrets; @@ -340,7 +336,7 @@ need_secrets (NMSetting *setting) && (strcmp (self->auth_alg, "leap") == 0) && (nm_utils_string_list_contains (self->eap, "leap"))) { if (!self->password || !strlen (self->password)) { - g_ptr_array_add (secrets, "password"); + g_ptr_array_add (secrets, NM_SETTING_WIRELESS_SECURITY_PASSWORD); return secrets; } goto no_secrets; @@ -419,8 +415,6 @@ finalize (GObject *object) g_free (self->password); g_free (self->pin); g_free (self->eappsk); - g_free (self->private_key_passwd); - g_free (self->phase2_private_key_passwd); nm_utils_slist_free (self->proto, g_free); nm_utils_slist_free (self->pairwise, g_free); @@ -499,14 +493,6 @@ set_property (GObject *object, guint prop_id, g_byte_array_free (setting->client_cert, TRUE); setting->client_cert = g_value_dup_boxed (value); break; - case PROP_PRIVATE_KEY: - if (setting->private_key) - g_byte_array_free (setting->private_key, TRUE); - setting->private_key = g_value_dup_boxed (value); - break; - case PROP_PRIVATE_KEY_DECRYPTED: - setting->private_key_decrypted = g_value_get_boolean (value); - break; case PROP_PHASE1_PEAPVER: g_free (setting->phase1_peapver); setting->phase1_peapver = g_value_dup_string (value); @@ -541,14 +527,6 @@ set_property (GObject *object, guint prop_id, g_byte_array_free (setting->phase2_client_cert, TRUE); setting->phase2_client_cert = g_value_dup_boxed (value); break; - case PROP_PHASE2_PRIVATE_KEY: - if (setting->phase2_private_key) - g_byte_array_free (setting->phase2_private_key, TRUE); - setting->phase2_private_key = g_value_dup_boxed (value); - break; - case PROP_PHASE2_PRIVATE_KEY_DECRYPTED: - setting->phase2_private_key_decrypted = g_value_get_boolean (value); - break; case PROP_NAI: g_free (setting->nai); setting->nai = g_value_dup_string (value); @@ -585,13 +563,15 @@ set_property (GObject *object, guint prop_id, g_free (setting->eappsk); setting->eappsk = g_value_dup_string (value); break; - case PROP_PRIVATE_KEY_PASSWD: - g_free (setting->private_key_passwd); - setting->private_key_passwd = g_value_dup_string (value); + case PROP_PRIVATE_KEY: + if (setting->private_key) + g_byte_array_free (setting->private_key, TRUE); + setting->private_key = g_value_dup_boxed (value); break; - case PROP_PHASE2_PRIVATE_KEY_PASSWD: - g_free (setting->phase2_private_key_passwd); - setting->phase2_private_key_passwd = g_value_dup_string (value); + case PROP_PHASE2_PRIVATE_KEY: + if (setting->phase2_private_key) + g_byte_array_free (setting->phase2_private_key, TRUE); + setting->phase2_private_key = g_value_dup_boxed (value); break; default: G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec); @@ -642,12 +622,6 @@ get_property (GObject *object, guint prop_id, case PROP_CLIENT_CERT: g_value_set_boxed (value, setting->client_cert); break; - case PROP_PRIVATE_KEY: - g_value_set_boxed (value, setting->private_key); - break; - case PROP_PRIVATE_KEY_DECRYPTED: - g_value_set_boolean (value, setting->private_key_decrypted); - break; case PROP_PHASE1_PEAPVER: g_value_set_string (value, setting->phase1_peapver); break; @@ -672,12 +646,6 @@ get_property (GObject *object, guint prop_id, case PROP_PHASE2_CLIENT_CERT: g_value_set_boxed (value, setting->phase2_client_cert); break; - case PROP_PHASE2_PRIVATE_KEY: - g_value_set_boxed (value, setting->phase2_private_key); - break; - case PROP_PHASE2_PRIVATE_KEY_DECRYPTED: - g_value_set_boolean (value, setting->phase2_private_key_decrypted); - break; case PROP_NAI: g_value_set_string (value, setting->nai); break; @@ -705,11 +673,11 @@ get_property (GObject *object, guint prop_id, case PROP_EAPPSK: g_value_set_string (value, setting->eappsk); break; - case PROP_PRIVATE_KEY_PASSWD: - g_value_set_string (value, setting->private_key_passwd); + case PROP_PRIVATE_KEY: + g_value_set_boxed (value, setting->private_key); break; - case PROP_PHASE2_PRIVATE_KEY_PASSWD: - g_value_set_string (value, setting->phase2_private_key_passwd); + case PROP_PHASE2_PRIVATE_KEY: + g_value_set_boxed (value, setting->phase2_private_key); break; default: G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec); @@ -828,22 +796,6 @@ nm_setting_wireless_security_class_init (NMSettingWirelessSecurityClass *setting DBUS_TYPE_G_UCHAR_ARRAY, G_PARAM_READWRITE | NM_SETTING_PARAM_SERIALIZE)); - g_object_class_install_property - (object_class, PROP_PRIVATE_KEY, - nm_param_spec_specialized (NM_SETTING_WIRELESS_SECURITY_PRIVATE_KEY, - "Private key", - "Private key", - DBUS_TYPE_G_UCHAR_ARRAY, - G_PARAM_READWRITE | NM_SETTING_PARAM_SERIALIZE)); - - g_object_class_install_property - (object_class, PROP_PRIVATE_KEY_DECRYPTED, - g_param_spec_boolean (NM_SETTING_WIRELESS_SECURITY_PRIVATE_KEY_DECRYPTED, - "Private key decrypted", - "Private key decrypted", - FALSE, - G_PARAM_READWRITE | NM_SETTING_PARAM_SERIALIZE)); - g_object_class_install_property (object_class, PROP_PHASE1_PEAPVER, g_param_spec_string (NM_SETTING_WIRELESS_SECURITY_PHASE1_PEAPVER, @@ -908,22 +860,6 @@ nm_setting_wireless_security_class_init (NMSettingWirelessSecurityClass *setting DBUS_TYPE_G_UCHAR_ARRAY, G_PARAM_READWRITE | NM_SETTING_PARAM_SERIALIZE)); - g_object_class_install_property - (object_class, PROP_PHASE2_PRIVATE_KEY, - nm_param_spec_specialized (NM_SETTING_WIRELESS_SECURITY_PHASE2_PRIVATE_KEY, - "Phase2 private key", - "Phase2 private key", - DBUS_TYPE_G_UCHAR_ARRAY, - G_PARAM_READWRITE | NM_SETTING_PARAM_SERIALIZE)); - - g_object_class_install_property - (object_class, PROP_PHASE2_PRIVATE_KEY_DECRYPTED, - g_param_spec_boolean (NM_SETTING_WIRELESS_SECURITY_PHASE2_PRIVATE_KEY_DECRYPTED, - "Phase2 private key decrypted", - "Phase2 private key decrypted", - FALSE, - G_PARAM_READWRITE | NM_SETTING_PARAM_SERIALIZE)); - g_object_class_install_property (object_class, PROP_NAI, g_param_spec_string (NM_SETTING_WIRELESS_SECURITY_NAI, @@ -997,19 +933,18 @@ nm_setting_wireless_security_class_init (NMSettingWirelessSecurityClass *setting G_PARAM_READWRITE | NM_SETTING_PARAM_SERIALIZE | NM_SETTING_PARAM_SECRET)); g_object_class_install_property - (object_class, PROP_PRIVATE_KEY_PASSWD, - g_param_spec_string (NM_SETTING_WIRELESS_SECURITY_PRIVATE_KEY_PASSWD, - "Private key password", - "Private key password", - NULL, - G_PARAM_READWRITE | NM_SETTING_PARAM_SERIALIZE | NM_SETTING_PARAM_SECRET)); + (object_class, PROP_PRIVATE_KEY, + nm_param_spec_specialized (NM_SETTING_WIRELESS_SECURITY_PRIVATE_KEY, + "Private key", + "Private key", + DBUS_TYPE_G_UCHAR_ARRAY, + G_PARAM_READWRITE | NM_SETTING_PARAM_SERIALIZE | NM_SETTING_PARAM_SECRET)); g_object_class_install_property - (object_class, PROP_PHASE2_PRIVATE_KEY_PASSWD, - g_param_spec_string (NM_SETTING_WIRELESS_SECURITY_PHASE2_PRIVATE_KEY_PASSWD, - "Phase2 private key password", - "Phase2 private key password", - NULL, - G_PARAM_READWRITE | NM_SETTING_PARAM_SERIALIZE | NM_SETTING_PARAM_SECRET)); - + (object_class, PROP_PHASE2_PRIVATE_KEY, + nm_param_spec_specialized (NM_SETTING_WIRELESS_SECURITY_PHASE2_PRIVATE_KEY, + "Phase2 private key", + "Phase2 private key", + DBUS_TYPE_G_UCHAR_ARRAY, + G_PARAM_READWRITE | NM_SETTING_PARAM_SERIALIZE | NM_SETTING_PARAM_SECRET)); } diff --git a/libnm-util/nm-setting-wireless-security.h b/libnm-util/nm-setting-wireless-security.h index a8024c50a8..eeeac2cded 100644 --- a/libnm-util/nm-setting-wireless-security.h +++ b/libnm-util/nm-setting-wireless-security.h @@ -28,8 +28,6 @@ G_BEGIN_DECLS #define NM_SETTING_WIRELESS_SECURITY_CA_CERT "ca-cert" #define NM_SETTING_WIRELESS_SECURITY_CA_PATH "ca-path" #define NM_SETTING_WIRELESS_SECURITY_CLIENT_CERT "client-cert" -#define NM_SETTING_WIRELESS_SECURITY_PRIVATE_KEY "private-key" -#define NM_SETTING_WIRELESS_SECURITY_PRIVATE_KEY_DECRYPTED "private-key-decrypted" #define NM_SETTING_WIRELESS_SECURITY_PHASE1_PEAPVER "phase1-peapver" #define NM_SETTING_WIRELESS_SECURITY_PHASE1_PEAPLABEL "phase1-peaplabel" #define NM_SETTING_WIRELESS_SECURITY_PHASE1_FAST_PROVISIONING "phase1-fast-provisioning" @@ -38,8 +36,6 @@ G_BEGIN_DECLS #define NM_SETTING_WIRELESS_SECURITY_PHASE2_CA_CERT "phase2-ca-cert" #define NM_SETTING_WIRELESS_SECURITY_PHASE2_CA_PATH "phase2-ca-path" #define NM_SETTING_WIRELESS_SECURITY_PHASE2_CLIENT_CERT "phase2-client-cert" -#define NM_SETTING_WIRELESS_SECURITY_PHASE2_PRIVATE_KEY "phase2-private-key" -#define NM_SETTING_WIRELESS_SECURITY_PHASE2_PRIVATE_KEY_DECRYPTED "phase2-private-key-decrypted" #define NM_SETTING_WIRELESS_SECURITY_NAI "nai" #define NM_SETTING_WIRELESS_SECURITY_WEP_KEY0 "wep-key0" #define NM_SETTING_WIRELESS_SECURITY_WEP_KEY1 "wep-key1" @@ -49,8 +45,8 @@ G_BEGIN_DECLS #define NM_SETTING_WIRELESS_SECURITY_PASSWORD "password" #define NM_SETTING_WIRELESS_SECURITY_PIN "pin" #define NM_SETTING_WIRELESS_SECURITY_EAPPSK "eappsk" -#define NM_SETTING_WIRELESS_SECURITY_PRIVATE_KEY_PASSWD "private-key-passwd" -#define NM_SETTING_WIRELESS_SECURITY_PHASE2_PRIVATE_KEY_PASSWD "phase2-private-key-passwd" +#define NM_SETTING_WIRELESS_SECURITY_PRIVATE_KEY "private-key" +#define NM_SETTING_WIRELESS_SECURITY_PHASE2_PRIVATE_KEY "phase2-private-key" typedef struct { NMSetting parent; @@ -67,8 +63,6 @@ typedef struct { GByteArray *ca_cert; char *ca_path; GByteArray *client_cert; - GByteArray *private_key; - gboolean private_key_decrypted; char *phase1_peapver; char *phase1_peaplabel; char *phase1_fast_provisioning; @@ -77,8 +71,6 @@ typedef struct { GByteArray *phase2_ca_cert; char *phase2_ca_path; GByteArray *phase2_client_cert; - gboolean phase2_private_key_decrypted; - GByteArray *phase2_private_key; char *nai; char *wep_key0; char *wep_key1; @@ -88,8 +80,8 @@ typedef struct { char *password; char *pin; char *eappsk; - char *private_key_passwd; - char *phase2_private_key_passwd; + GByteArray *private_key; + GByteArray *phase2_private_key; } NMSettingWirelessSecurity; typedef struct { diff --git a/src/supplicant-manager/nm-supplicant-settings-verify.c b/src/supplicant-manager/nm-supplicant-settings-verify.c index 077265d0e6..175d0a22b0 100644 --- a/src/supplicant-manager/nm-supplicant-settings-verify.c +++ b/src/supplicant-manager/nm-supplicant-settings-verify.c @@ -104,14 +104,12 @@ static const struct Opt opt_table[] = { { "ca_cert", TYPE_BYTES, 0, 65536, FALSE, NULL }, { "client_cert", TYPE_BYTES, 0, 65536, FALSE, NULL }, { "private_key", TYPE_BYTES, 0, 65536, FALSE, NULL }, - { "private_key_passwd", TYPE_BYTES, 0, 0, FALSE, NULL }, { "phase1", TYPE_KEYWORD, 0, 0, TRUE, phase1_allowed }, { "phase2", TYPE_KEYWORD, 0, 0, TRUE, phase2_allowed }, { "anonymous_identity", TYPE_BYTES, 0, 0, FALSE, NULL }, { "ca_cert2", TYPE_BYTES, 0, 65536, FALSE, NULL }, { "client_cert2", TYPE_BYTES, 0, 65536, FALSE, NULL }, { "private_key2", TYPE_BYTES, 0, 65536, FALSE, NULL }, - { "private_key2_passwd",TYPE_BYTES, 0, 0, FALSE, NULL }, { "pin", TYPE_BYTES, 0, 0, FALSE, NULL }, { "pcsc", TYPE_BYTES, 0, 0, FALSE, NULL }, { "nai", TYPE_BYTES, 0, 0, FALSE, NULL },