From 359f7f3544a2757d0e11ec15f87fa962b0de19fa Mon Sep 17 00:00:00 2001 From: Thomas Haller Date: Tue, 26 May 2020 15:35:00 +0200 Subject: [PATCH 1/3] build: log system-ca-path configure setting in build scripts (cherry picked from commit f8dcb3fc474a4984c312b537a9d51fcfddc8283b) (cherry picked from commit f3f179728e60d4e3d4026ac829299170263822cd) (cherry picked from commit eb9767a6c8c15aa441b31a432bc72ba78505c6c3) --- configure.ac | 1 + meson.build | 1 + 2 files changed, 2 insertions(+) diff --git a/configure.ac b/configure.ac index 918ef1e9f4..be6e0b532a 100644 --- a/configure.ac +++ b/configure.ac @@ -1265,6 +1265,7 @@ echo " nmlibdir: $nmlibdir" echo " nmdatadir: $nmdatadir" echo " nmstatedir: $nmstatedir" echo " nmrundir: $nmrundir" +echo " system-ca-path: $with_system_ca_path" echo echo "Platform:" diff --git a/meson.build b/meson.build index 832026de57..8918898cc8 100644 --- a/meson.build +++ b/meson.build @@ -936,6 +936,7 @@ output += ' nmstatedir: ' + nm_pkgstatedir + '\n' output += ' nmrundir: ' + nm_pkgrundir + '\n' output += ' nmvpndir: ' + nm_vpndir + '\n' output += ' nmplugindir: ' + nm_plugindir + '\n' +output += ' system-ca-path: ' + system_ca_path + '\n' output += '\nPlatform:\n' output += ' session tracking: ' + ','.join(session_trackers) + '\n' output += ' suspend/resume: ' + suspend_resume + '\n' From 97b12a3c3488abd5bd81b30559726bf220370510 Mon Sep 17 00:00:00 2001 
From: Thomas Haller Date: Tue, 26 May 2020 15:26:04 +0200 Subject: [PATCH 2/3] ifcfg-rh: fix handling "802-1x.{phase2-,}ca-path" in ifcfg-rh settings plugin https://bugzilla.redhat.com/show_bug.cgi?id=1840210 https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/448 (cherry picked from commit b6b6639c7c8fa667b8fcbc310b65d88124fdc260) (cherry picked from commit 67f1da27fe95fbe09999a953558a0b3e4dcfdd69) (cherry picked from commit 7a20dd4dbbd51081b598f4d42254190a03271471) --- src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c | 8 ++++++++ src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-writer.c | 5 +++++ 2 files changed, 13 insertions(+) diff --git a/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c b/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c index 7971fba56d..cade8d7105 100644 --- a/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c +++ b/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c @@ -3611,6 +3611,14 @@ next: timeout = svGetValueInt64 (ifcfg, "IEEE_8021X_AUTH_TIMEOUT", 10, 0, G_MAXINT32, 0); g_object_set (s_8021x, NM_SETTING_802_1X_AUTH_TIMEOUT, (int) timeout, NULL); + nm_clear_g_free (&value); + v = svGetValueStr (ifcfg, "IEEE_8021X_CA_PATH", &value); + g_object_set (s_8021x, NM_SETTING_802_1X_CA_PATH, v, NULL); + + nm_clear_g_free (&value); + v = svGetValueStr (ifcfg, "IEEE_8021X_PHASE2_CA_PATH", &value); + g_object_set (s_8021x, NM_SETTING_802_1X_PHASE2_CA_PATH, v, NULL); + g_object_set (s_8021x, NM_SETTING_802_1X_OPTIONAL, svGetValueBoolean (ifcfg, "IEEE_8021X_OPTIONAL", FALSE), diff --git a/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-writer.c b/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-writer.c index 809d3769f9..8f2bdf49e2 100644 --- a/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-writer.c +++ b/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-writer.c 
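Review bot: The values read for IEEE_8021X_CA_PATH and IEEE_8021X_PHASE2_CA_PATH go from svGetValueStr straight into g_object_set with no check that they name an absolute path, so a relative or otherwise malformed value is silently stored in the 802-1x setting and only fails later, when the supplicant is configured with it. Unless the setting's verify() rejects such values (not visible here), a parse-time warning in the reader's usual style, `if (v && v[0] != '/') PARSE_WARNING ("IEEE_8021X_CA_PATH is not an absolute path");`, and the same for the phase2 key, would make the misconfiguration visible in the log without changing what is stored. The enclosing function starts and ends outside the hunk.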
@@ -543,6 +543,11 @@ write_8021x_setting (NMConnection *connection, "IEEE_8021X_OPTIONAL", nm_setting_802_1x_get_optional (s_8021x)); + svSetValue (ifcfg, "IEEE_8021X_CA_PATH", + nm_setting_802_1x_get_ca_path (s_8021x)); + svSetValue (ifcfg, "IEEE_8021X_PHASE2_CA_PATH", + nm_setting_802_1x_get_phase2_ca_path (s_8021x)); + if (!write_8021x_certs (s_8021x, secrets, blobs, FALSE, ifcfg, error)) return FALSE; From 388f3e18a9b2e31954d7ea6dfb1125ec51e4b4cc Mon Sep 17 00:00:00 2001 From: Thomas Haller Date: Tue, 26 May 2020 17:28:32 +0200 Subject: [PATCH 3/3] libnm: update documentation for 802-1x ca-cert, ca-path and system-ca-certs (cherry picked from commit 4f21b14b90b49c02cab2b232a5be432a160be358) (cherry picked from commit 0d35d14faf3e547493c183a8776b2609f31908a7) (cherry picked from commit 1a989a98bf4c6674710abdd6ab90d8db02efc140) --- clients/common/settings-docs.h.in | 8 ++--- libnm-core/nm-setting-8021x.c | 50 +++++++++++++++++++++---------- 2 files changed, 38 insertions(+), 20 deletions(-) diff --git a/clients/common/settings-docs.h.in b/clients/common/settings-docs.h.in index 9119a30ce0..9bbafa32e2 100644 --- a/clients/common/settings-docs.h.in +++ b/clients/common/settings-docs.h.in 
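Review bot: Nothing in this patch exercises the new keys: the diffstat names only the reader and the writer, so the write-then-read round trip of IEEE_8021X_CA_PATH and IEEE_8021X_PHASE2_CA_PATH added here and in the reader hunk above is unverified, and a spelling mismatch between the two sides would go unnoticed. A round-trip case in the ifcfg-rh test suite asserting that ca-path and phase2-ca-path survive a write followed by a read would pin both hunks. write_8021x_setting starts and ends outside the hunk.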
@@ -44,10 +44,10 @@
 #define DESCRIBE_DOC_NM_SETTING_802_1X_ALTSUBJECT_MATCHES N_("List of strings to be matched against the altSubjectName of the certificate presented by the authentication server. If the list is empty, no verification of the server certificate's altSubjectName is performed.")
 #define DESCRIBE_DOC_NM_SETTING_802_1X_ANONYMOUS_IDENTITY N_("Anonymous identity string for EAP authentication methods. Used as the unencrypted identity with EAP types that support different tunneled identity like EAP-TTLS.")
 #define DESCRIBE_DOC_NM_SETTING_802_1X_AUTH_TIMEOUT N_("A timeout for the authentication. Zero means the global default; if the global default is not set, the authentication timeout is 25 seconds.")
-#define DESCRIBE_DOC_NM_SETTING_802_1X_CA_CERT N_("Contains the CA certificate if used by the EAP method specified in the \"eap\" property. Certificate data is specified using a \"scheme\"; two are currently supported: blob and path. When using the blob scheme (which is backwards compatible with NM 0.7.x) this property should be set to the certificate's DER encoded data. When using the path scheme, this property should be set to the full UTF-8 encoded path of the certificate, prefixed with the string \"file://\" and ending with a terminating NUL byte. This property can be unset even if the EAP method supports CA certificates, but this allows man-in-the-middle attacks and is NOT recommended.")
+#define DESCRIBE_DOC_NM_SETTING_802_1X_CA_CERT N_("Contains the CA certificate if used by the EAP method specified in the \"eap\" property. Certificate data is specified using a \"scheme\"; three are currently supported: blob, path and pkcs#11 URL. When using the blob scheme this property should be set to the certificate's DER encoded data. When using the path scheme, this property should be set to the full UTF-8 encoded path of the certificate, prefixed with the string \"file://\" and ending with a terminating NUL byte. This property can be unset even if the EAP method supports CA certificates, but this allows man-in-the-middle attacks and is NOT recommended. Note that enabling NMSetting8021x:system-ca-certs will override this setting to use the built-in path, if the built-in path is not a directory.")
 #define DESCRIBE_DOC_NM_SETTING_802_1X_CA_CERT_PASSWORD N_("The password used to access the CA certificate stored in \"ca-cert\" property. Only makes sense if the certificate is stored on a PKCS#11 token that requires a login.")
 #define DESCRIBE_DOC_NM_SETTING_802_1X_CA_CERT_PASSWORD_FLAGS N_("Flags indicating how to handle the \"ca-cert-password\" property.")
-#define DESCRIBE_DOC_NM_SETTING_802_1X_CA_PATH N_("UTF-8 encoded path to a directory containing PEM or DER formatted certificates to be added to the verification chain in addition to the certificate specified in the \"ca-cert\" property.")
+#define DESCRIBE_DOC_NM_SETTING_802_1X_CA_PATH N_("UTF-8 encoded path to a directory containing PEM or DER formatted certificates to be added to the verification chain in addition to the certificate specified in the \"ca-cert\" property. If NMSetting8021x:system-ca-certs is enabled and the built-in CA path is an existing directory, then this setting is ignored.")
 #define DESCRIBE_DOC_NM_SETTING_802_1X_CLIENT_CERT N_("Contains the client certificate if used by the EAP method specified in the \"eap\" property. Certificate data is specified using a \"scheme\"; two are currently supported: blob and path. When using the blob scheme (which is backwards compatible with NM 0.7.x) this property should be set to the certificate's DER encoded data. When using the path scheme, this property should be set to the full UTF-8 encoded path of the certificate, prefixed with the string \"file://\" and ending with a terminating NUL byte.")
 #define DESCRIBE_DOC_NM_SETTING_802_1X_CLIENT_CERT_PASSWORD N_("The password used to access the client certificate stored in \"client-cert\" property. Only makes sense if the certificate is stored on a PKCS#11 token that requires a login.")
 #define DESCRIBE_DOC_NM_SETTING_802_1X_CLIENT_CERT_PASSWORD_FLAGS N_("Flags indicating how to handle the \"client-cert-password\" property.")
@@ -67,10 +67,10 @@
 #define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE2_ALTSUBJECT_MATCHES N_("List of strings to be matched against the altSubjectName of the certificate presented by the authentication server during the inner \"phase 2\" authentication. If the list is empty, no verification of the server certificate's altSubjectName is performed.")
 #define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE2_AUTH N_("Specifies the allowed \"phase 2\" inner non-EAP authentication methods when an EAP method that uses an inner TLS tunnel is specified in the \"eap\" property. Recognized non-EAP \"phase 2\" methods are \"pap\", \"chap\", \"mschap\", \"mschapv2\", \"gtc\", \"otp\", \"md5\", and \"tls\". Each \"phase 2\" inner method requires specific parameters for successful authentication; see the wpa_supplicant documentation for more details.")
 #define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE2_AUTHEAP N_("Specifies the allowed \"phase 2\" inner EAP-based authentication methods when an EAP method that uses an inner TLS tunnel is specified in the \"eap\" property. Recognized EAP-based \"phase 2\" methods are \"md5\", \"mschapv2\", \"otp\", \"gtc\", and \"tls\". Each \"phase 2\" inner method requires specific parameters for successful authentication; see the wpa_supplicant documentation for more details.")
-#define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE2_CA_CERT N_("Contains the \"phase 2\" CA certificate if used by the EAP method specified in the \"phase2-auth\" or \"phase2-autheap\" properties. Certificate data is specified using a \"scheme\"; two are currently supported: blob and path. When using the blob scheme (which is backwards compatible with NM 0.7.x) this property should be set to the certificate's DER encoded data. When using the path scheme, this property should be set to the full UTF-8 encoded path of the certificate, prefixed with the string \"file://\" and ending with a terminating NUL byte. This property can be unset even if the EAP method supports CA certificates, but this allows man-in-the-middle attacks and is NOT recommended.")
+#define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE2_CA_CERT N_("Contains the \"phase 2\" CA certificate if used by the EAP method specified in the \"phase2-auth\" or \"phase2-autheap\" properties. Certificate data is specified using a \"scheme\"; three are currently supported: blob, path and pkcs#11 URL. When using the blob scheme this property should be set to the certificate's DER encoded data. When using the path scheme, this property should be set to the full UTF-8 encoded path of the certificate, prefixed with the string \"file://\" and ending with a terminating NUL byte. This property can be unset even if the EAP method supports CA certificates, but this allows man-in-the-middle attacks and is NOT recommended. Note that enabling NMSetting8021x:system-ca-certs will override this setting to use the built-in path, if the built-in path is not a directory.")
 #define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE2_CA_CERT_PASSWORD N_("The password used to access the \"phase2\" CA certificate stored in \"phase2-ca-cert\" property. Only makes sense if the certificate is stored on a PKCS#11 token that requires a login.")
 #define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE2_CA_CERT_PASSWORD_FLAGS N_("Flags indicating how to handle the \"phase2-ca-cert-password\" property.")
-#define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE2_CA_PATH N_("UTF-8 encoded path to a directory containing PEM or DER formatted certificates to be added to the verification chain in addition to the certificate specified in the \"phase2-ca-cert\" property.")
+#define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE2_CA_PATH N_("UTF-8 encoded path to a directory containing PEM or DER formatted certificates to be added to the verification chain in addition to the certificate specified in the \"phase2-ca-cert\" property. If NMSetting8021x:system-ca-certs is enabled and the built-in CA path is an existing directory, then this setting is ignored.")
 #define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE2_CLIENT_CERT N_("Contains the \"phase 2\" client certificate if used by the EAP method specified in the \"phase2-auth\" or \"phase2-autheap\" properties. Certificate data is specified using a \"scheme\"; two are currently supported: blob and path. When using the blob scheme (which is backwards compatible with NM 0.7.x) this property should be set to the certificate's DER encoded data. When using the path scheme, this property should be set to the full UTF-8 encoded path of the certificate, prefixed with the string \"file://\" and ending with a terminating NUL byte. This property can be unset even if the EAP method supports CA certificates, but this allows man-in-the-middle attacks and is NOT recommended.")
 #define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE2_CLIENT_CERT_PASSWORD N_("The password used to access the \"phase2\" client certificate stored in \"phase2-client-cert\" property. Only makes sense if the certificate is stored on a PKCS#11 token that requires a login.")
 #define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE2_CLIENT_CERT_PASSWORD_FLAGS N_("Flags indicating how to handle the \"phase2-client-cert-password\" property.")
diff --git a/libnm-core/nm-setting-8021x.c b/libnm-core/nm-setting-8021x.c
index 5056847458..9fa6db9acf 100644
--- a/libnm-core/nm-setting-8021x.c
+++ b/libnm-core/nm-setting-8021x.c
@@ -3540,15 +3540,18 @@ nm_setting_802_1x_class_init (NMSetting8021xClass *klass)
  * Contains the CA certificate if used by the EAP method specified in the
  * #NMSetting8021x:eap property.
  *
- * Certificate data is specified using a "scheme"; two are currently
- * supported: blob and path. When using the blob scheme (which is backwards
- * compatible with NM 0.7.x) this property should be set to the
- * certificate's DER encoded data. When using the path scheme, this property
- * should be set to the full UTF-8 encoded path of the certificate, prefixed
- * with the string "file://" and ending with a terminating NUL byte. This
- * property can be unset even if the EAP method supports CA certificates,
+ * Certificate data is specified using a "scheme"; three are currently
+ * supported: blob, path and pkcs#11 URL. When using the blob scheme this property
+ * should be set to the certificate's DER encoded data. When using the path
+ * scheme, this property should be set to the full UTF-8 encoded path of the
+ * certificate, prefixed with the string "file://" and ending with a terminating
+ * NUL byte.
+ * This property can be unset even if the EAP method supports CA certificates,
  * but this allows man-in-the-middle attacks and is NOT recommended.
  *
+ * Note that enabling NMSetting8021x:system-ca-certs will override this
+ * setting to use the built-in path, if the built-in path is not a directory.
+ *
  * Setting this property directly is discouraged; use the
  * nm_setting_802_1x_set_ca_cert() function instead.
  **/
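Review bot: The new cross-reference `NMSetting8021x:system-ca-certs` lacks the `#` prefix that gtk-doc uses to turn a property reference into a link, unlike `#NMSetting8021x:eap` in the context lines of this same comment; write `* Note that enabling #NMSetting8021x:system-ca-certs will override this`. The same bare form is added in the ca-path, phase2-ca-cert and phase2-ca-path hunks below (`If NMSetting8021x:system-ca-certs is enabled ...`). The settings-docs.h.in strings in the earlier hunks repeat it; if they are generated from these comments, as their identical wording suggests, regenerating them after the fix is enough.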
@@ -3607,11 +3610,14 @@ nm_setting_802_1x_class_init (NMSetting8021xClass *klass)
  * UTF-8 encoded path to a directory containing PEM or DER formatted
  * certificates to be added to the verification chain in addition to the
  * certificate specified in the #NMSetting8021x:ca-cert property.
+ *
+ * If NMSetting8021x:system-ca-certs is enabled and the built-in CA
+ * path is an existing directory, then this setting is ignored.
  **/
 /* ---ifcfg-rh---
  * property: ca-path
- * variable: (none)
- * description: The property is not handled by ifcfg-rh plugin.
+ * variable: IEEE_8021X_CA_PATH(+)
+ * description: The search path for the certificate.
  * ---end---
  */
 obj_properties[PROP_CA_PATH] =
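Review bot: The ifcfg-rh description `The search path for the certificate.` does not match the property it documents: the gtk-doc text a few lines above says ca-path is a directory of additional PEM or DER certificates for the verification chain, not the location of a single certificate, and "search path" suggests lookup semantics the setting does not have. Suggest `* description: Directory with additional PEM or DER CA certificates for the verification chain.`. The phase2-ca-path block added in the last hunk of this file uses the same wording and should say the same.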
@@ -3903,15 +3909,18 @@ nm_setting_802_1x_class_init (NMSetting8021xClass *klass)
  * in the #NMSetting8021x:phase2-auth or #NMSetting8021x:phase2-autheap
  * properties.
  *
- * Certificate data is specified using a "scheme"; two are currently
- * supported: blob and path. When using the blob scheme (which is backwards
- * compatible with NM 0.7.x) this property should be set to the
- * certificate's DER encoded data. When using the path scheme, this property
- * should be set to the full UTF-8 encoded path of the certificate, prefixed
- * with the string "file://" and ending with a terminating NUL byte. This
- * property can be unset even if the EAP method supports CA certificates,
+ * Certificate data is specified using a "scheme"; three are currently
+ * supported: blob, path and pkcs#11 URL. When using the blob scheme this property
+ * should be set to the certificate's DER encoded data. When using the path
+ * scheme, this property should be set to the full UTF-8 encoded path of the
+ * certificate, prefixed with the string "file://" and ending with a terminating
+ * NUL byte.
+ * This property can be unset even if the EAP method supports CA certificates,
  * but this allows man-in-the-middle attacks and is NOT recommended.
  *
+ * Note that enabling NMSetting8021x:system-ca-certs will override this
+ * setting to use the built-in path, if the built-in path is not a directory.
+ *
  * Setting this property directly is discouraged; use the
  * nm_setting_802_1x_set_phase2_ca_cert() function instead.
  **/
@@ -3963,7 +3972,16 @@ nm_setting_802_1x_class_init (NMSetting8021xClass *klass)
  * UTF-8 encoded path to a directory containing PEM or DER formatted
  * certificates to be added to the verification chain in addition to the
  * certificate specified in the #NMSetting8021x:phase2-ca-cert property.
+ *
+ * If NMSetting8021x:system-ca-certs is enabled and the built-in CA
+ * path is an existing directory, then this setting is ignored.
  **/
+ /* ---ifcfg-rh---
+  * property: phase2-ca-path
+  * variable: IEEE_8021X_PHASE2_CA_PATH(+)
+  * description: The search path for the certificate.
+  * ---end---
+  */
 obj_properties[PROP_PHASE2_CA_PATH] =
 g_param_spec_string (NM_SETTING_802_1X_PHASE2_CA_PATH, "", "",
 NULL,