From eb9767a6c8c15aa441b31a432bc72ba78505c6c3 Mon Sep 17 00:00:00 2001
From: Thomas Haller
Date: Tue, 26 May 2020 15:35:00 +0200
Subject: [PATCH 1/3] build: log system-ca-path configure setting in build scripts

(cherry picked from commit f8dcb3fc474a4984c312b537a9d51fcfddc8283b)
(cherry picked from commit f3f179728e60d4e3d4026ac829299170263822cd)
---
 configure.ac | 1 +
 meson.build | 1 +
 2 files changed, 2 insertions(+)

diff --git a/configure.ac b/configure.ac
index e5298d7507..e7178ea445 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1298,6 +1298,7 @@ echo " nmlibdir: $nmlibdir"
 echo " nmdatadir: $nmdatadir"
 echo " nmstatedir: $nmstatedir"
 echo " nmrundir: $nmrundir"
+echo " system-ca-path: $with_system_ca_path"
 echo
 echo "Platform:"
diff --git a/meson.build b/meson.build
index 382f6a536e..f7d5968c4f 100644
--- a/meson.build
+++ b/meson.build
@@ -971,6 +971,7 @@ output += ' nmstatedir: ' + nm_pkgstatedir + '\n'
 output += ' nmrundir: ' + nm_pkgrundir + '\n'
 output += ' nmvpndir: ' + nm_vpndir + '\n'
 output += ' nmplugindir: ' + nm_plugindir + '\n'
+output += ' system-ca-path: ' + system_ca_path + '\n'
 output += '\nPlatform:\n'
 output += ' session tracking: ' + ','.join(session_trackers) + '\n'
 output += ' suspend/resume: ' + suspend_resume + '\n'

From 7a20dd4dbbd51081b598f4d42254190a03271471 Mon Sep 17 00:00:00 2001
From: Thomas Haller
Date: Tue, 26 May 2020 15:26:04 +0200
Subject: [PATCH 2/3] ifcfg-rh: fix handling "802-1x.{phase2-,}ca-path" in ifcfg-rh settings plugin

https://bugzilla.redhat.com/show_bug.cgi?id=1840210
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/448

(cherry picked from commit b6b6639c7c8fa667b8fcbc310b65d88124fdc260)
(cherry picked from commit 67f1da27fe95fbe09999a953558a0b3e4dcfdd69)
---
 src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c | 8 ++++++++
 src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-writer.c | 5 +++++
 2 files changed, 13 insertions(+)
diff --git a/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c b/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c
index 49a900d41d..824d1900b3 100644
--- a/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c
+++ b/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c
@@ -3628,6 +3628,14 @@ next:
 	timeout = svGetValueInt64 (ifcfg, "IEEE_8021X_AUTH_TIMEOUT", 10, 0, G_MAXINT32, 0);
 	g_object_set (s_8021x, NM_SETTING_802_1X_AUTH_TIMEOUT, (int) timeout, NULL);
 
+	nm_clear_g_free (&value);
+	v = svGetValueStr (ifcfg, "IEEE_8021X_CA_PATH", &value);
+	g_object_set (s_8021x, NM_SETTING_802_1X_CA_PATH, v, NULL);
+
+	nm_clear_g_free (&value);
+	v = svGetValueStr (ifcfg, "IEEE_8021X_PHASE2_CA_PATH", &value);
+	g_object_set (s_8021x, NM_SETTING_802_1X_PHASE2_CA_PATH, v, NULL);
+
 	g_object_set (s_8021x,
 	              NM_SETTING_802_1X_OPTIONAL,
 	              svGetValueBoolean (ifcfg, "IEEE_8021X_OPTIONAL", FALSE),
diff --git a/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-writer.c b/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-writer.c
index 90a1a2b8f6..3afdb2acd1 100644
--- a/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-writer.c
+++ b/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-writer.c
@@ -530,6 +530,11 @@ write_8021x_setting (NMConnection *connection,
 	            "IEEE_8021X_OPTIONAL",
 	            nm_setting_802_1x_get_optional (s_8021x));
 
+	svSetValue (ifcfg, "IEEE_8021X_CA_PATH",
+	            nm_setting_802_1x_get_ca_path (s_8021x));
+	svSetValue (ifcfg, "IEEE_8021X_PHASE2_CA_PATH",
+	            nm_setting_802_1x_get_phase2_ca_path (s_8021x));
+
 	if (!write_8021x_certs (s_8021x, secrets, blobs, FALSE, ifcfg, error))
 		return FALSE;
 

From 1a989a98bf4c6674710abdd6ab90d8db02efc140 Mon Sep 17 00:00:00 2001
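Review bot: The two new svGetValueStr reads hand the raw ifcfg string to NM_SETTING_802_1X_CA_PATH and NM_SETTING_802_1X_PHASE2_CA_PATH without any check on its form, even though the property documentation later in this series describes the value as a UTF-8 encoded directory path; unless the setting's verify() already constrains it (not visible here), a relative or non-UTF-8 value is accepted at read time and only surfaces, if at all, when the profile is activated. Because this value selects the trust-anchor directory used to validate the authentication server, it is worth warning and dropping a non-absolute value at the point it is read, e.g. `if (v && v[0] != '/') { PARSE_WARNING ("ignoring non-absolute IEEE_8021X_CA_PATH '%s'", v); v = NULL; }` before the first g_object_set, and the same for IEEE_8021X_PHASE2_CA_PATH. The nm_clear_g_free pattern matches the surrounding code; the enclosing function starts before and ends after the hunk, so the final release of `value` cannot be confirmed from here.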
From: Thomas Haller
Date: Tue, 26 May 2020 17:28:32 +0200
Subject: [PATCH 3/3] libnm: update documentation for 802-1x ca-cert, ca-path and system-ca-certs

(cherry picked from commit 4f21b14b90b49c02cab2b232a5be432a160be358)
(cherry picked from commit 0d35d14faf3e547493c183a8776b2609f31908a7)
---
 clients/common/settings-docs.h.in | 8 ++---
 libnm-core/nm-setting-8021x.c | 50 +++++++++++++++++++++----------
 2 files changed, 38 insertions(+), 20 deletions(-)

diff --git a/clients/common/settings-docs.h.in b/clients/common/settings-docs.h.in
index 354e493929..cec6e485e2 100644
--- a/clients/common/settings-docs.h.in
+++ b/clients/common/settings-docs.h.in
@@ -44,10 +44,10 @@
 #define DESCRIBE_DOC_NM_SETTING_802_1X_ALTSUBJECT_MATCHES N_("List of strings to be matched against the altSubjectName of the certificate presented by the authentication server. If the list is empty, no verification of the server certificate's altSubjectName is performed.")
 #define DESCRIBE_DOC_NM_SETTING_802_1X_ANONYMOUS_IDENTITY N_("Anonymous identity string for EAP authentication methods. Used as the unencrypted identity with EAP types that support different tunneled identity like EAP-TTLS.")
 #define DESCRIBE_DOC_NM_SETTING_802_1X_AUTH_TIMEOUT N_("A timeout for the authentication. Zero means the global default; if the global default is not set, the authentication timeout is 25 seconds.")
-#define DESCRIBE_DOC_NM_SETTING_802_1X_CA_CERT N_("Contains the CA certificate if used by the EAP method specified in the \"eap\" property. Certificate data is specified using a \"scheme\"; two are currently supported: blob and path. When using the blob scheme (which is backwards compatible with NM 0.7.x) this property should be set to the certificate's DER encoded data. When using the path scheme, this property should be set to the full UTF-8 encoded path of the certificate, prefixed with the string \"file://\" and ending with a terminating NUL byte. This property can be unset even if the EAP method supports CA certificates, but this allows man-in-the-middle attacks and is NOT recommended.")
+#define DESCRIBE_DOC_NM_SETTING_802_1X_CA_CERT N_("Contains the CA certificate if used by the EAP method specified in the \"eap\" property. Certificate data is specified using a \"scheme\"; three are currently supported: blob, path and pkcs#11 URL. When using the blob scheme this property should be set to the certificate's DER encoded data. When using the path scheme, this property should be set to the full UTF-8 encoded path of the certificate, prefixed with the string \"file://\" and ending with a terminating NUL byte. This property can be unset even if the EAP method supports CA certificates, but this allows man-in-the-middle attacks and is NOT recommended. Note that enabling NMSetting8021x:system-ca-certs will override this setting to use the built-in path, if the built-in path is not a directory.")
 #define DESCRIBE_DOC_NM_SETTING_802_1X_CA_CERT_PASSWORD N_("The password used to access the CA certificate stored in \"ca-cert\" property. Only makes sense if the certificate is stored on a PKCS#11 token that requires a login.")
 #define DESCRIBE_DOC_NM_SETTING_802_1X_CA_CERT_PASSWORD_FLAGS N_("Flags indicating how to handle the \"ca-cert-password\" property.")
-#define DESCRIBE_DOC_NM_SETTING_802_1X_CA_PATH N_("UTF-8 encoded path to a directory containing PEM or DER formatted certificates to be added to the verification chain in addition to the certificate specified in the \"ca-cert\" property.")
+#define DESCRIBE_DOC_NM_SETTING_802_1X_CA_PATH N_("UTF-8 encoded path to a directory containing PEM or DER formatted certificates to be added to the verification chain in addition to the certificate specified in the \"ca-cert\" property. If NMSetting8021x:system-ca-certs is enabled and the built-in CA path is an existing directory, then this setting is ignored.")
 #define DESCRIBE_DOC_NM_SETTING_802_1X_CLIENT_CERT N_("Contains the client certificate if used by the EAP method specified in the \"eap\" property. Certificate data is specified using a \"scheme\"; two are currently supported: blob and path. When using the blob scheme (which is backwards compatible with NM 0.7.x) this property should be set to the certificate's DER encoded data. When using the path scheme, this property should be set to the full UTF-8 encoded path of the certificate, prefixed with the string \"file://\" and ending with a terminating NUL byte.")
 #define DESCRIBE_DOC_NM_SETTING_802_1X_CLIENT_CERT_PASSWORD N_("The password used to access the client certificate stored in \"client-cert\" property. Only makes sense if the certificate is stored on a PKCS#11 token that requires a login.")
 #define DESCRIBE_DOC_NM_SETTING_802_1X_CLIENT_CERT_PASSWORD_FLAGS N_("Flags indicating how to handle the \"client-cert-password\" property.")
@@ -67,10 +67,10 @@
 #define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE2_ALTSUBJECT_MATCHES N_("List of strings to be matched against the altSubjectName of the certificate presented by the authentication server during the inner \"phase 2\" authentication. If the list is empty, no verification of the server certificate's altSubjectName is performed.")
 #define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE2_AUTH N_("Specifies the allowed \"phase 2\" inner non-EAP authentication method when an EAP method that uses an inner TLS tunnel is specified in the \"eap\" property. Recognized non-EAP \"phase 2\" methods are \"pap\", \"chap\", \"mschap\", \"mschapv2\", \"gtc\", \"otp\", \"md5\", and \"tls\". Each \"phase 2\" inner method requires specific parameters for successful authentication; see the wpa_supplicant documentation for more details.")
 #define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE2_AUTHEAP N_("Specifies the allowed \"phase 2\" inner EAP-based authentication method when an EAP method that uses an inner TLS tunnel is specified in the \"eap\" property. Recognized EAP-based \"phase 2\" methods are \"md5\", \"mschapv2\", \"otp\", \"gtc\", and \"tls\". Each \"phase 2\" inner method requires specific parameters for successful authentication; see the wpa_supplicant documentation for more details.")
-#define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE2_CA_CERT N_("Contains the \"phase 2\" CA certificate if used by the EAP method specified in the \"phase2-auth\" or \"phase2-autheap\" properties. Certificate data is specified using a \"scheme\"; two are currently supported: blob and path. When using the blob scheme (which is backwards compatible with NM 0.7.x) this property should be set to the certificate's DER encoded data. When using the path scheme, this property should be set to the full UTF-8 encoded path of the certificate, prefixed with the string \"file://\" and ending with a terminating NUL byte. This property can be unset even if the EAP method supports CA certificates, but this allows man-in-the-middle attacks and is NOT recommended.")
+#define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE2_CA_CERT N_("Contains the \"phase 2\" CA certificate if used by the EAP method specified in the \"phase2-auth\" or \"phase2-autheap\" properties. Certificate data is specified using a \"scheme\"; three are currently supported: blob, path and pkcs#11 URL. When using the blob scheme this property should be set to the certificate's DER encoded data. When using the path scheme, this property should be set to the full UTF-8 encoded path of the certificate, prefixed with the string \"file://\" and ending with a terminating NUL byte. This property can be unset even if the EAP method supports CA certificates, but this allows man-in-the-middle attacks and is NOT recommended. Note that enabling NMSetting8021x:system-ca-certs will override this setting to use the built-in path, if the built-in path is not a directory.")
 #define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE2_CA_CERT_PASSWORD N_("The password used to access the \"phase2\" CA certificate stored in \"phase2-ca-cert\" property. Only makes sense if the certificate is stored on a PKCS#11 token that requires a login.")
 #define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE2_CA_CERT_PASSWORD_FLAGS N_("Flags indicating how to handle the \"phase2-ca-cert-password\" property.")
-#define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE2_CA_PATH N_("UTF-8 encoded path to a directory containing PEM or DER formatted certificates to be added to the verification chain in addition to the certificate specified in the \"phase2-ca-cert\" property.")
+#define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE2_CA_PATH N_("UTF-8 encoded path to a directory containing PEM or DER formatted certificates to be added to the verification chain in addition to the certificate specified in the \"phase2-ca-cert\" property. If NMSetting8021x:system-ca-certs is enabled and the built-in CA path is an existing directory, then this setting is ignored.")
 #define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE2_CLIENT_CERT N_("Contains the \"phase 2\" client certificate if used by the EAP method specified in the \"phase2-auth\" or \"phase2-autheap\" properties. Certificate data is specified using a \"scheme\"; two are currently supported: blob and path. When using the blob scheme (which is backwards compatible with NM 0.7.x) this property should be set to the certificate's DER encoded data. When using the path scheme, this property should be set to the full UTF-8 encoded path of the certificate, prefixed with the string \"file://\" and ending with a terminating NUL byte. This property can be unset even if the EAP method supports CA certificates, but this allows man-in-the-middle attacks and is NOT recommended.")
 #define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE2_CLIENT_CERT_PASSWORD N_("The password used to access the \"phase2\" client certificate stored in \"phase2-client-cert\" property. Only makes sense if the certificate is stored on a PKCS#11 token that requires a login.")
 #define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE2_CLIENT_CERT_PASSWORD_FLAGS N_("Flags indicating how to handle the \"phase2-client-cert-password\" property.")
diff --git a/libnm-core/nm-setting-8021x.c b/libnm-core/nm-setting-8021x.c
index 8464100d2f..361465c87d 100644
--- a/libnm-core/nm-setting-8021x.c
+++ b/libnm-core/nm-setting-8021x.c
@@ -3526,15 +3526,18 @@ nm_setting_802_1x_class_init (NMSetting8021xClass *klass)
 	 * Contains the CA certificate if used by the EAP method specified in the
 	 * #NMSetting8021x:eap property.
 	 *
-	 * Certificate data is specified using a "scheme"; two are currently
-	 * supported: blob and path. When using the blob scheme (which is backwards
-	 * compatible with NM 0.7.x) this property should be set to the
-	 * certificate's DER encoded data. When using the path scheme, this property
-	 * should be set to the full UTF-8 encoded path of the certificate, prefixed
-	 * with the string "file://" and ending with a terminating NUL byte. This
-	 * property can be unset even if the EAP method supports CA certificates,
+	 * Certificate data is specified using a "scheme"; three are currently
+	 * supported: blob, path and pkcs#11 URL. When using the blob scheme this property
+	 * should be set to the certificate's DER encoded data. When using the path
+	 * scheme, this property should be set to the full UTF-8 encoded path of the
+	 * certificate, prefixed with the string "file://" and ending with a terminating
+	 * NUL byte.
+	 * This property can be unset even if the EAP method supports CA certificates,
 	 * but this allows man-in-the-middle attacks and is NOT recommended.
 	 *
+	 * Note that enabling NMSetting8021x:system-ca-certs will override this
+	 * setting to use the built-in path, if the built-in path is not a directory.
+	 *
 	 * Setting this property directly is discouraged; use the
 	 * nm_setting_802_1x_set_ca_cert() function instead.
 	 **/
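Review bot: The added cross-reference `NMSetting8021x:system-ca-certs` is missing the leading `#` that the same comment uses for `#NMSetting8021x:eap` three lines above, so gtk-doc will treat it as plain text rather than a link; the generated settings-docs.h.in strings in this series show the consequence, carrying the raw class:property token where every other reference in those strings reads `\"eap\" property`. Suggest `* Note that enabling #NMSetting8021x:system-ca-certs will override this` here and in the phase2-ca-cert hunk at -3889, and `* If #NMSetting8021x:system-ca-certs is enabled and the built-in CA` in the ca-path hunks at -3593 and -3949. The sentence "will override this setting to use the built-in path, if the built-in path is not a directory" is also easy to misread as the opposite condition; stating it as "if the built-in path is a file, it replaces this certificate; if it is a directory, it replaces ca-path instead" would match the wording the ca-path text already uses. nm_setting_802_1x_class_init starts and ends outside the hunk.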
@@ -3593,11 +3596,14 @@ nm_setting_802_1x_class_init (NMSetting8021xClass *klass)
 	 * UTF-8 encoded path to a directory containing PEM or DER formatted
 	 * certificates to be added to the verification chain in addition to the
 	 * certificate specified in the #NMSetting8021x:ca-cert property.
+	 *
+	 * If NMSetting8021x:system-ca-certs is enabled and the built-in CA
+	 * path is an existing directory, then this setting is ignored.
 	 **/
 	/* ---ifcfg-rh---
 	 * property: ca-path
-	 * variable: (none)
-	 * description: The property is not handled by ifcfg-rh plugin.
+	 * variable: IEEE_8021X_CA_PATH(+)
+	 * description: The search path for the certificate.
 	 * ---end---
 	 */
 	obj_properties[PROP_CA_PATH] =
@@ -3889,15 +3895,18 @@ nm_setting_802_1x_class_init (NMSetting8021xClass *klass)
 	 * in the #NMSetting8021x:phase2-auth or #NMSetting8021x:phase2-autheap
 	 * properties.
 	 *
-	 * Certificate data is specified using a "scheme"; two are currently
-	 * supported: blob and path. When using the blob scheme (which is backwards
-	 * compatible with NM 0.7.x) this property should be set to the
-	 * certificate's DER encoded data. When using the path scheme, this property
-	 * should be set to the full UTF-8 encoded path of the certificate, prefixed
-	 * with the string "file://" and ending with a terminating NUL byte. This
-	 * property can be unset even if the EAP method supports CA certificates,
+	 * Certificate data is specified using a "scheme"; three are currently
+	 * supported: blob, path and pkcs#11 URL. When using the blob scheme this property
+	 * should be set to the certificate's DER encoded data. When using the path
+	 * scheme, this property should be set to the full UTF-8 encoded path of the
+	 * certificate, prefixed with the string "file://" and ending with a terminating
+	 * NUL byte.
+	 * This property can be unset even if the EAP method supports CA certificates,
 	 * but this allows man-in-the-middle attacks and is NOT recommended.
 	 *
+	 * Note that enabling NMSetting8021x:system-ca-certs will override this
+	 * setting to use the built-in path, if the built-in path is not a directory.
+	 *
 	 * Setting this property directly is discouraged; use the
 	 * nm_setting_802_1x_set_phase2_ca_cert() function instead.
 	 **/
@@ -3949,7 +3958,16 @@ nm_setting_802_1x_class_init (NMSetting8021xClass *klass)
 	 * UTF-8 encoded path to a directory containing PEM or DER formatted
 	 * certificates to be added to the verification chain in addition to the
 	 * certificate specified in the #NMSetting8021x:phase2-ca-cert property.
+	 *
+	 * If NMSetting8021x:system-ca-certs is enabled and the built-in CA
+	 * path is an existing directory, then this setting is ignored.
 	 **/
+	/* ---ifcfg-rh---
+	 * property: phase2-ca-path
+	 * variable: IEEE_8021X_PHASE2_CA_PATH(+)
+	 * description: The search path for the certificate.
+	 * ---end---
+	 */
 	obj_properties[PROP_PHASE2_CA_PATH] =
 	    g_param_spec_string (NM_SETTING_802_1X_PHASE2_CA_PATH, "", "",
 	                         NULL,