system/NetworkManager
system/NetworkManager
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/NetworkManager/NetworkManager synced 2024-07-21 18:24:49 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

2007-11-12 Dan Williams <dcbw@redhat.com>

Browse source 
Make certs actually work.  The private key is now a secret, and should be
	decrypted when requested by NM.  The private key and phase2 private key
	passwords are no longer interesting to NM because they should be used by
	the settings service to decrypt the private key itself before passing it
	to NM, and hence have been removed as fields.

	* libnm-util/nm-setting-wireless-security.h
	  libnm-util/nm-setting-wireless-security.c
		- Remove private-key-passwd and phase2-private-key-passwd from
			properties
		- (need_secrets_password, need_secrets_eappsk, need_secrets_sim,
		   need_secrets): use property #defines instead strings to keep things
			consistent
		- (need_secrets_tls): if a client certificate is present but no
			private key, request the private key
		- (set_property, get_property, nm_setting_wireless_security_class_init):
			remove private key password stuff, mark private keys as secret

	* src/supplicant-manager/nm-supplicant-settings-verify.c
		- Remove private_key_passwd and private_key2_passwd from opt_table



git-svn-id: http://svn-archive.gnome.org/svn/NetworkManager/trunk@3080 4912f4e0-d625-0410-9fb7-b9a5a253dbdc
This commit is contained in:
Dan Williams 2007-11-13 02:16:00 +00:00
parent 499b11e9c2
commit 40360167c6
4 changed files with 68 additions and 120 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

23
ChangeLog
View file

@ -1,3 +1,26 @@
2007-11-12 Dan Williams <dcbw@redhat.com>
Make certs actually work. The private key is now a secret, and should be
decrypted when requested by NM. The private key and phase2 private key
passwords are no longer interesting to NM because they should be used by
the settings service to decrypt the private key itself before passing it
to NM, and hence have been removed as fields.
* libnm-util/nm-setting-wireless-security.h
libnm-util/nm-setting-wireless-security.c
- Remove private-key-passwd and phase2-private-key-passwd from
properties
- (need_secrets_password, need_secrets_eappsk, need_secrets_sim,
need_secrets): use property #defines instead strings to keep things
consistent
- (need_secrets_tls): if a client certificate is present but no
private key, request the private key
- (set_property, get_property, nm_setting_wireless_security_class_init):
remove private key password stuff, mark private keys as secret
* src/supplicant-manager/nm-supplicant-settings-verify.c
- Remove private_key_passwd and private_key2_passwd from opt_table
2007-11-09 Dan Williams <dcbw@redhat.com>
Fix vpn-properties setting update_secrets call for new NMSetting stuff.

147
libnm-util/nm-setting-wireless-security.c
View file

@ -23,8 +23,6 @@ enum {
PROP_CA_CERT,
PROP_CA_PATH,
PROP_CLIENT_CERT,
PROP_PRIVATE_KEY,
PROP_PRIVATE_KEY_DECRYPTED,
PROP_PHASE1_PEAPVER,
PROP_PHASE1_PEAPLABEL,
PROP_PHASE1_FAST_PROVISIONING,
@ -33,8 +31,6 @@ enum {
PROP_PHASE2_CA_CERT,
PROP_PHASE2_CA_PATH,
PROP_PHASE2_CLIENT_CERT,
PROP_PHASE2_PRIVATE_KEY,
PROP_PHASE2_PRIVATE_KEY_DECRYPTED,
PROP_NAI,
PROP_WEP_KEY0,
PROP_WEP_KEY1,
@ -44,8 +40,8 @@ enum {
PROP_PASSWORD,
PROP_PIN,
PROP_EAPPSK,
PROP_PRIVATE_KEY_PASSWD,
PROP_PHASE2_PRIVATE_KEY_PASSWD,
PROP_PRIVATE_KEY,
PROP_PHASE2_PRIVATE_KEY,
LAST_PROP
};
@ -183,7 +179,7 @@ need_secrets_password (NMSettingWirelessSecurity *self,
gboolean phase2)
{
if (!self->password || !strlen (self->password))
g_ptr_array_add (secrets, "password");
g_ptr_array_add (secrets, NM_SETTING_WIRELESS_SECURITY_PASSWORD);
}
static void
@ -192,7 +188,7 @@ need_secrets_eappsk (NMSettingWirelessSecurity *self,
gboolean phase2)
{
if (!self->eappsk || !strlen (self->eappsk))
g_ptr_array_add (secrets, "eappsk");
g_ptr_array_add (secrets, NM_SETTING_WIRELESS_SECURITY_EAPPSK);
}
static void
@ -201,7 +197,7 @@ need_secrets_sim (NMSettingWirelessSecurity *self,
gboolean phase2)
{
if (!self->pin || !strlen (self->pin))
g_ptr_array_add (secrets, "eappsk");
g_ptr_array_add (secrets, NM_SETTING_WIRELESS_SECURITY_PIN);
}
static void
@ -210,13 +206,13 @@ need_secrets_tls (NMSettingWirelessSecurity *self,
gboolean phase2)
{
if (phase2) {
if ( !self->phase2_private_key_decrypted
&& ( !self->phase2_private_key_passwd || !strlen (self->phase2_private_key_passwd)))
g_ptr_array_add (secrets, "phase2-private-key-passwd");
if ( self->phase2_client_cert
&& (!self->phase2_private_key || !self->phase2_private_key->len))
g_ptr_array_add (secrets, NM_SETTING_WIRELESS_SECURITY_PHASE2_PRIVATE_KEY);
} else {
if ( !self->private_key_decrypted
&& (!self->private_key_passwd || !strlen (self->private_key_passwd)))
g_ptr_array_add (secrets, "private-key-passwd");
if (self->client_cert
&& (!self->private_key || !self->private_key->len))
g_ptr_array_add (secrets, NM_SETTING_WIRELESS_SECURITY_PRIVATE_KEY);
}
}
@ -306,19 +302,19 @@ need_secrets (NMSetting *setting)
/* Static WEP */
if (strcmp (self->key_mgmt, "none") == 0) {
if (!verify_wep_key (self->wep_key0)) {
g_ptr_array_add (secrets, "wep-key0");
g_ptr_array_add (secrets, NM_SETTING_WIRELESS_SECURITY_WEP_KEY0);
return secrets;
}
if (self->wep_tx_keyidx == 1 && !verify_wep_key (self->wep_key1)) {
g_ptr_array_add (secrets, "wep-key1");
g_ptr_array_add (secrets, NM_SETTING_WIRELESS_SECURITY_WEP_KEY1);
return secrets;
}
if (self->wep_tx_keyidx == 2 && !verify_wep_key (self->wep_key2)) {
g_ptr_array_add (secrets, "wep-key2");
g_ptr_array_add (secrets, NM_SETTING_WIRELESS_SECURITY_WEP_KEY2);
return secrets;
}
if (self->wep_tx_keyidx == 3 && !verify_wep_key (self->wep_key3)) {
g_ptr_array_add (secrets, "wep-key3");
g_ptr_array_add (secrets, NM_SETTING_WIRELESS_SECURITY_WEP_KEY3);
return secrets;
}
goto no_secrets;
@ -328,7 +324,7 @@ need_secrets (NMSetting *setting)
if ( (strcmp (self->key_mgmt, "wpa-none") == 0)
|| (strcmp (self->key_mgmt, "wpa-psk") == 0)) {
if (!verify_wpa_psk (self->psk)) {
g_ptr_array_add (secrets, "psk");
g_ptr_array_add (secrets, NM_SETTING_WIRELESS_SECURITY_PSK);
return secrets;
}
goto no_secrets;
@ -340,7 +336,7 @@ need_secrets (NMSetting *setting)
&& (strcmp (self->auth_alg, "leap") == 0)
&& (nm_utils_string_list_contains (self->eap, "leap"))) {
if (!self->password || !strlen (self->password)) {
g_ptr_array_add (secrets, "password");
g_ptr_array_add (secrets, NM_SETTING_WIRELESS_SECURITY_PASSWORD);
return secrets;
}
goto no_secrets;
@ -419,8 +415,6 @@ finalize (GObject *object)
g_free (self->password);
g_free (self->pin);
g_free (self->eappsk);
g_free (self->private_key_passwd);
g_free (self->phase2_private_key_passwd);
nm_utils_slist_free (self->proto, g_free);
nm_utils_slist_free (self->pairwise, g_free);
@ -499,14 +493,6 @@ set_property (GObject *object, guint prop_id,
g_byte_array_free (setting->client_cert, TRUE);
setting->client_cert = g_value_dup_boxed (value);
break;
case PROP_PRIVATE_KEY:
if (setting->private_key)
g_byte_array_free (setting->private_key, TRUE);
setting->private_key = g_value_dup_boxed (value);
break;
case PROP_PRIVATE_KEY_DECRYPTED:
setting->private_key_decrypted = g_value_get_boolean (value);
break;
case PROP_PHASE1_PEAPVER:
g_free (setting->phase1_peapver);
setting->phase1_peapver = g_value_dup_string (value);
@ -541,14 +527,6 @@ set_property (GObject *object, guint prop_id,
g_byte_array_free (setting->phase2_client_cert, TRUE);
setting->phase2_client_cert = g_value_dup_boxed (value);
break;
case PROP_PHASE2_PRIVATE_KEY:
if (setting->phase2_private_key)
g_byte_array_free (setting->phase2_private_key, TRUE);
setting->phase2_private_key = g_value_dup_boxed (value);
break;
case PROP_PHASE2_PRIVATE_KEY_DECRYPTED:
setting->phase2_private_key_decrypted = g_value_get_boolean (value);
break;
case PROP_NAI:
g_free (setting->nai);
setting->nai = g_value_dup_string (value);
@ -585,13 +563,15 @@ set_property (GObject *object, guint prop_id,
g_free (setting->eappsk);
setting->eappsk = g_value_dup_string (value);
break;
case PROP_PRIVATE_KEY_PASSWD:
g_free (setting->private_key_passwd);
setting->private_key_passwd = g_value_dup_string (value);
case PROP_PRIVATE_KEY:
if (setting->private_key)
g_byte_array_free (setting->private_key, TRUE);
setting->private_key = g_value_dup_boxed (value);
break;
case PROP_PHASE2_PRIVATE_KEY_PASSWD:
g_free (setting->phase2_private_key_passwd);
setting->phase2_private_key_passwd = g_value_dup_string (value);
case PROP_PHASE2_PRIVATE_KEY:
if (setting->phase2_private_key)
g_byte_array_free (setting->phase2_private_key, TRUE);
setting->phase2_private_key = g_value_dup_boxed (value);
break;
default:
G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
@ -642,12 +622,6 @@ get_property (GObject *object, guint prop_id,
case PROP_CLIENT_CERT:
g_value_set_boxed (value, setting->client_cert);
break;
case PROP_PRIVATE_KEY:
g_value_set_boxed (value, setting->private_key);
break;
case PROP_PRIVATE_KEY_DECRYPTED:
g_value_set_boolean (value, setting->private_key_decrypted);
break;
case PROP_PHASE1_PEAPVER:
g_value_set_string (value, setting->phase1_peapver);
break;
@ -672,12 +646,6 @@ get_property (GObject *object, guint prop_id,
case PROP_PHASE2_CLIENT_CERT:
g_value_set_boxed (value, setting->phase2_client_cert);
break;
case PROP_PHASE2_PRIVATE_KEY:
g_value_set_boxed (value, setting->phase2_private_key);
break;
case PROP_PHASE2_PRIVATE_KEY_DECRYPTED:
g_value_set_boolean (value, setting->phase2_private_key_decrypted);
break;
case PROP_NAI:
g_value_set_string (value, setting->nai);
break;
@ -705,11 +673,11 @@ get_property (GObject *object, guint prop_id,
case PROP_EAPPSK:
g_value_set_string (value, setting->eappsk);
break;
case PROP_PRIVATE_KEY_PASSWD:
g_value_set_string (value, setting->private_key_passwd);
case PROP_PRIVATE_KEY:
g_value_set_boxed (value, setting->private_key);
break;
case PROP_PHASE2_PRIVATE_KEY_PASSWD:
g_value_set_string (value, setting->phase2_private_key_passwd);
case PROP_PHASE2_PRIVATE_KEY:
g_value_set_boxed (value, setting->phase2_private_key);
break;
default:
G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
@ -828,22 +796,6 @@ nm_setting_wireless_security_class_init (NMSettingWirelessSecurityClass *setting
DBUS_TYPE_G_UCHAR_ARRAY,
G_PARAM_READWRITE | NM_SETTING_PARAM_SERIALIZE));
g_object_class_install_property
(object_class, PROP_PRIVATE_KEY,
nm_param_spec_specialized (NM_SETTING_WIRELESS_SECURITY_PRIVATE_KEY,
"Private key",
"Private key",
DBUS_TYPE_G_UCHAR_ARRAY,
G_PARAM_READWRITE | NM_SETTING_PARAM_SERIALIZE));
g_object_class_install_property
(object_class, PROP_PRIVATE_KEY_DECRYPTED,
g_param_spec_boolean (NM_SETTING_WIRELESS_SECURITY_PRIVATE_KEY_DECRYPTED,
"Private key decrypted",
"Private key decrypted",
FALSE,
G_PARAM_READWRITE | NM_SETTING_PARAM_SERIALIZE));
g_object_class_install_property
(object_class, PROP_PHASE1_PEAPVER,
g_param_spec_string (NM_SETTING_WIRELESS_SECURITY_PHASE1_PEAPVER,
@ -908,22 +860,6 @@ nm_setting_wireless_security_class_init (NMSettingWirelessSecurityClass *setting
DBUS_TYPE_G_UCHAR_ARRAY,
G_PARAM_READWRITE | NM_SETTING_PARAM_SERIALIZE));
g_object_class_install_property
(object_class, PROP_PHASE2_PRIVATE_KEY,
nm_param_spec_specialized (NM_SETTING_WIRELESS_SECURITY_PHASE2_PRIVATE_KEY,
"Phase2 private key",
"Phase2 private key",
DBUS_TYPE_G_UCHAR_ARRAY,
G_PARAM_READWRITE | NM_SETTING_PARAM_SERIALIZE));
g_object_class_install_property
(object_class, PROP_PHASE2_PRIVATE_KEY_DECRYPTED,
g_param_spec_boolean (NM_SETTING_WIRELESS_SECURITY_PHASE2_PRIVATE_KEY_DECRYPTED,
"Phase2 private key decrypted",
"Phase2 private key decrypted",
FALSE,
G_PARAM_READWRITE | NM_SETTING_PARAM_SERIALIZE));
g_object_class_install_property
(object_class, PROP_NAI,
g_param_spec_string (NM_SETTING_WIRELESS_SECURITY_NAI,
@ -997,19 +933,18 @@ nm_setting_wireless_security_class_init (NMSettingWirelessSecurityClass *setting
G_PARAM_READWRITE | NM_SETTING_PARAM_SERIALIZE | NM_SETTING_PARAM_SECRET));
g_object_class_install_property
(object_class, PROP_PRIVATE_KEY_PASSWD,
g_param_spec_string (NM_SETTING_WIRELESS_SECURITY_PRIVATE_KEY_PASSWD,
"Private key password",
"Private key password",
NULL,
G_PARAM_READWRITE | NM_SETTING_PARAM_SERIALIZE | NM_SETTING_PARAM_SECRET));
(object_class, PROP_PRIVATE_KEY,
nm_param_spec_specialized (NM_SETTING_WIRELESS_SECURITY_PRIVATE_KEY,
"Private key",
"Private key",
DBUS_TYPE_G_UCHAR_ARRAY,
G_PARAM_READWRITE | NM_SETTING_PARAM_SERIALIZE | NM_SETTING_PARAM_SECRET));
g_object_class_install_property
(object_class, PROP_PHASE2_PRIVATE_KEY_PASSWD,
g_param_spec_string (NM_SETTING_WIRELESS_SECURITY_PHASE2_PRIVATE_KEY_PASSWD,
"Phase2 private key password",
"Phase2 private key password",
NULL,
G_PARAM_READWRITE | NM_SETTING_PARAM_SERIALIZE | NM_SETTING_PARAM_SECRET));
(object_class, PROP_PHASE2_PRIVATE_KEY,
nm_param_spec_specialized (NM_SETTING_WIRELESS_SECURITY_PHASE2_PRIVATE_KEY,
"Phase2 private key",
"Phase2 private key",
DBUS_TYPE_G_UCHAR_ARRAY,
G_PARAM_READWRITE | NM_SETTING_PARAM_SERIALIZE | NM_SETTING_PARAM_SECRET));
}

16
libnm-util/nm-setting-wireless-security.h
View file

@ -28,8 +28,6 @@ G_BEGIN_DECLS
#define NM_SETTING_WIRELESS_SECURITY_CA_CERT "ca-cert"
#define NM_SETTING_WIRELESS_SECURITY_CA_PATH "ca-path"
#define NM_SETTING_WIRELESS_SECURITY_CLIENT_CERT "client-cert"
#define NM_SETTING_WIRELESS_SECURITY_PRIVATE_KEY "private-key"
#define NM_SETTING_WIRELESS_SECURITY_PRIVATE_KEY_DECRYPTED "private-key-decrypted"
#define NM_SETTING_WIRELESS_SECURITY_PHASE1_PEAPVER "phase1-peapver"
#define NM_SETTING_WIRELESS_SECURITY_PHASE1_PEAPLABEL "phase1-peaplabel"
#define NM_SETTING_WIRELESS_SECURITY_PHASE1_FAST_PROVISIONING "phase1-fast-provisioning"
@ -38,8 +36,6 @@ G_BEGIN_DECLS
#define NM_SETTING_WIRELESS_SECURITY_PHASE2_CA_CERT "phase2-ca-cert"
#define NM_SETTING_WIRELESS_SECURITY_PHASE2_CA_PATH "phase2-ca-path"
#define NM_SETTING_WIRELESS_SECURITY_PHASE2_CLIENT_CERT "phase2-client-cert"
#define NM_SETTING_WIRELESS_SECURITY_PHASE2_PRIVATE_KEY "phase2-private-key"
#define NM_SETTING_WIRELESS_SECURITY_PHASE2_PRIVATE_KEY_DECRYPTED "phase2-private-key-decrypted"
#define NM_SETTING_WIRELESS_SECURITY_NAI "nai"
#define NM_SETTING_WIRELESS_SECURITY_WEP_KEY0 "wep-key0"
#define NM_SETTING_WIRELESS_SECURITY_WEP_KEY1 "wep-key1"
@ -49,8 +45,8 @@ G_BEGIN_DECLS
#define NM_SETTING_WIRELESS_SECURITY_PASSWORD "password"
#define NM_SETTING_WIRELESS_SECURITY_PIN "pin"
#define NM_SETTING_WIRELESS_SECURITY_EAPPSK "eappsk"
#define NM_SETTING_WIRELESS_SECURITY_PRIVATE_KEY_PASSWD "private-key-passwd"
#define NM_SETTING_WIRELESS_SECURITY_PHASE2_PRIVATE_KEY_PASSWD "phase2-private-key-passwd"
#define NM_SETTING_WIRELESS_SECURITY_PRIVATE_KEY "private-key"
#define NM_SETTING_WIRELESS_SECURITY_PHASE2_PRIVATE_KEY "phase2-private-key"
typedef struct {
NMSetting parent;
@ -67,8 +63,6 @@ typedef struct {
GByteArray *ca_cert;
char *ca_path;
GByteArray *client_cert;
GByteArray *private_key;
gboolean private_key_decrypted;
char *phase1_peapver;
char *phase1_peaplabel;
char *phase1_fast_provisioning;
@ -77,8 +71,6 @@ typedef struct {
GByteArray *phase2_ca_cert;
char *phase2_ca_path;
GByteArray *phase2_client_cert;
gboolean phase2_private_key_decrypted;
GByteArray *phase2_private_key;
char *nai;
char *wep_key0;
char *wep_key1;
@ -88,8 +80,8 @@ typedef struct {
char *password;
char *pin;
char *eappsk;
char *private_key_passwd;
char *phase2_private_key_passwd;
GByteArray *private_key;
GByteArray *phase2_private_key;
} NMSettingWirelessSecurity;
typedef struct {

2
src/supplicant-manager/nm-supplicant-settings-verify.c
View file

@ -104,14 +104,12 @@ static const struct Opt opt_table[] = {
{ "ca_cert", TYPE_BYTES, 0, 65536, FALSE, NULL },
{ "client_cert", TYPE_BYTES, 0, 65536, FALSE, NULL },
{ "private_key", TYPE_BYTES, 0, 65536, FALSE, NULL },
{ "private_key_passwd", TYPE_BYTES, 0, 0, FALSE, NULL },
{ "phase1", TYPE_KEYWORD, 0, 0, TRUE, phase1_allowed },
{ "phase2", TYPE_KEYWORD, 0, 0, TRUE, phase2_allowed },
{ "anonymous_identity", TYPE_BYTES, 0, 0, FALSE, NULL },
{ "ca_cert2", TYPE_BYTES, 0, 65536, FALSE, NULL },
{ "client_cert2", TYPE_BYTES, 0, 65536, FALSE, NULL },
{ "private_key2", TYPE_BYTES, 0, 65536, FALSE, NULL },
{ "private_key2_passwd",TYPE_BYTES, 0, 0, FALSE, NULL },
{ "pin", TYPE_BYTES, 0, 0, FALSE, NULL },
{ "pcsc", TYPE_BYTES, 0, 0, FALSE, NULL },
{ "nai", TYPE_BYTES, 0, 0, FALSE, NULL },