mirror of
https://gitlab.freedesktop.org/NetworkManager/NetworkManager
synced 2024-10-15 04:24:32 +00:00
2007-11-16 Dan Williams <dcbw@redhat.com>
* libnm-util/nm-setting-wireless-security.c - (verify_tls, verify_ttls, verify_identity, verify_nai): do some minimal verification of EAP methods too - (verify): verify phase1 eap methods too git-svn-id: http://svn-archive.gnome.org/svn/NetworkManager/trunk@3096 4912f4e0-d625-0410-9fb7-b9a5a253dbdc
This commit is contained in:
parent
75db31664e
commit
954b5569a8
|
@ -1,3 +1,10 @@
|
|||
2007-11-16 Dan Williams <dcbw@redhat.com>
|
||||
|
||||
* libnm-util/nm-setting-wireless-security.c
|
||||
- (verify_tls, verify_ttls, verify_identity, verify_nai): do some
|
||||
minimal verification of EAP methods too
|
||||
- (verify): verify phase1 eap methods too
|
||||
|
||||
2007-11-15 Dan Williams <dcbw@redhat.com>
|
||||
|
||||
* libnm-glib/nm-device.h
|
||||
|
|
|
@ -52,87 +52,6 @@ nm_setting_wireless_security_new (void)
|
|||
return (NMSetting *) g_object_new (NM_TYPE_SETTING_WIRELESS_SECURITY, NULL);
|
||||
}
|
||||
|
||||
static gboolean
|
||||
verify (NMSetting *setting, GSList *all_settings)
|
||||
{
|
||||
NMSettingWirelessSecurity *self = NM_SETTING_WIRELESS_SECURITY (setting);
|
||||
const char *valid_key_mgmt[] = { "none", "ieee8021x", "wpa-none", "wpa-psk", "wpa-eap", NULL };
|
||||
const char *valid_auth_algs[] = { "open", "shared", "leap", NULL };
|
||||
const char *valid_protos[] = { "wpa", "rsn", NULL };
|
||||
const char *valid_pairwise[] = { "wep40", "wep104", "tkip", "ccmp", NULL };
|
||||
const char *valid_groups[] = { "wep40", "wep104", "tkip", "ccmp", NULL };
|
||||
const char *valid_phase1_peapver[] = { "0", "1", NULL };
|
||||
|
||||
/* Every time a method gets added to the following, add one to EAPMethodNeedSecretsTable */
|
||||
const char *valid_eap[] = { "leap", "md5", "tls", "peap", "ttls", "sim", "psk", "fast", NULL };
|
||||
const char *valid_phase2_auth[] = { "pap", "chap", "mschap", "mschapv2", "gtc", "otp", "md5", "tls", NULL };
|
||||
const char *valid_phase2_autheap[] = { "md5", "mschapv2", "otp", "gtc", "tls", NULL };
|
||||
|
||||
if (!self->key_mgmt || !nm_utils_string_in_list (self->key_mgmt, valid_key_mgmt)) {
|
||||
g_warning ("Missing or invalid key management");
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
if (self->wep_tx_keyidx > 3) {
|
||||
g_warning ("Invalid WEP key index");
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
if (self->auth_alg && !nm_utils_string_in_list (self->auth_alg, valid_auth_algs)) {
|
||||
g_warning ("Invalid authentication algorithm");
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
if (self->proto && !nm_utils_string_slist_validate (self->proto, valid_protos)) {
|
||||
g_warning ("Invalid authentication protocol");
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
if (self->pairwise && !nm_utils_string_slist_validate (self->pairwise, valid_pairwise)) {
|
||||
g_warning ("Invalid pairwise");
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
if (self->group && !nm_utils_string_slist_validate (self->group, valid_groups)) {
|
||||
g_warning ("Invalid group");
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
if (self->eap && !nm_utils_string_slist_validate (self->eap, valid_eap)) {
|
||||
g_warning ("Invalid eap");
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
if (self->phase1_peapver && !nm_utils_string_in_list (self->phase1_peapver, valid_phase1_peapver)) {
|
||||
g_warning ("Invalid phase1 peapver");
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
if (self->phase1_peaplabel && strcmp (self->phase1_peaplabel, "1")) {
|
||||
g_warning ("Invalid phase1 peaplabel");
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
if (self->phase1_fast_provisioning && strcmp (self->phase1_fast_provisioning, "1")) {
|
||||
g_warning ("Invalid phase1 fast provisioning");
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
if (self->phase2_auth && !nm_utils_string_in_list (self->phase2_auth, valid_phase2_auth)) {
|
||||
g_warning ("Invalid phase2 authentication");
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
if (self->phase2_autheap && !nm_utils_string_in_list (self->phase2_autheap, valid_phase2_autheap)) {
|
||||
g_warning ("Invalid phase2 autheap");
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
/* FIXME: finish */
|
||||
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
static gboolean
|
||||
verify_wep_key (const char *key)
|
||||
{
|
||||
|
@ -216,6 +135,44 @@ need_secrets_tls (NMSettingWirelessSecurity *self,
|
|||
}
|
||||
}
|
||||
|
||||
static gboolean
|
||||
verify_tls (NMSettingWirelessSecurity *self, gboolean phase2)
|
||||
{
|
||||
if (phase2) {
|
||||
if (!self->phase2_client_cert || !self->phase2_client_cert->len)
|
||||
return FALSE;
|
||||
} else {
|
||||
if (!self->client_cert || !self->client_cert->len)
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
static gboolean
|
||||
verify_ttls (NMSettingWirelessSecurity *self, gboolean phase2)
|
||||
{
|
||||
if (!self->identity && !self->anonymous_identity)
|
||||
return FALSE;
|
||||
|
||||
if (!self->phase2_auth && !self->phase2_autheap)
|
||||
return FALSE;
|
||||
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
static gboolean
|
||||
verify_identity (NMSettingWirelessSecurity *self, gboolean phase2)
|
||||
{
|
||||
return self->identity ? TRUE : FALSE;
|
||||
}
|
||||
|
||||
static gboolean
|
||||
verify_nai (NMSettingWirelessSecurity *self, gboolean phase2)
|
||||
{
|
||||
return self->nai ? TRUE : FALSE;
|
||||
}
|
||||
|
||||
/* Implemented below... */
|
||||
static void need_secrets_phase2 (NMSettingWirelessSecurity *self,
|
||||
GPtrArray *secrets,
|
||||
|
@ -226,30 +183,34 @@ typedef void (*EAPMethodNeedSecretsFunc) (NMSettingWirelessSecurity *self,
|
|||
GPtrArray *secrets,
|
||||
gboolean phase2);
|
||||
|
||||
typedef gboolean (*EAPMethodValidateFunc)(NMSettingWirelessSecurity *self,
|
||||
gboolean phase2);
|
||||
|
||||
typedef struct {
|
||||
const char *method;
|
||||
EAPMethodNeedSecretsFunc func;
|
||||
} EAPMethodNeedSecretsTable;
|
||||
EAPMethodNeedSecretsFunc ns_func;
|
||||
EAPMethodValidateFunc v_func;
|
||||
} EAPMethodsTable;
|
||||
|
||||
static EAPMethodNeedSecretsTable eap_need_secrets_table[] = {
|
||||
{ "leap", need_secrets_password },
|
||||
{ "md5", need_secrets_password },
|
||||
{ "pap", need_secrets_password },
|
||||
{ "chap", need_secrets_password },
|
||||
{ "mschap", need_secrets_password },
|
||||
{ "mschapv2", need_secrets_password },
|
||||
{ "fast", need_secrets_password },
|
||||
{ "psk", need_secrets_eappsk },
|
||||
{ "pax", need_secrets_eappsk },
|
||||
{ "sake", need_secrets_eappsk },
|
||||
{ "gpsk", need_secrets_eappsk },
|
||||
{ "tls", need_secrets_tls },
|
||||
{ "peap", need_secrets_phase2 },
|
||||
{ "ttls", need_secrets_phase2 },
|
||||
{ "sim", need_secrets_sim },
|
||||
{ "gtc", NULL }, // FIXME: implement
|
||||
{ "otp", NULL }, // FIXME: implement
|
||||
{ NULL, NULL }
|
||||
static EAPMethodsTable eap_methods_table[] = {
|
||||
{ "leap", need_secrets_password, verify_identity },
|
||||
{ "md5", need_secrets_password, verify_identity },
|
||||
{ "pap", need_secrets_password, verify_identity },
|
||||
{ "chap", need_secrets_password, verify_identity },
|
||||
{ "mschap", need_secrets_password, verify_identity },
|
||||
{ "mschapv2", need_secrets_password, verify_identity },
|
||||
{ "fast", need_secrets_password, verify_identity },
|
||||
{ "psk", need_secrets_eappsk, verify_nai },
|
||||
{ "pax", need_secrets_eappsk, NULL },
|
||||
{ "sake", need_secrets_eappsk, verify_nai },
|
||||
{ "gpsk", need_secrets_eappsk, verify_nai },
|
||||
{ "tls", need_secrets_tls, verify_tls },
|
||||
{ "peap", need_secrets_phase2, NULL },
|
||||
{ "ttls", need_secrets_phase2, verify_ttls },
|
||||
{ "sim", need_secrets_sim, NULL },
|
||||
{ "gtc", NULL, NULL }, // FIXME: implement
|
||||
{ "otp", NULL, NULL }, // FIXME: implement
|
||||
{ NULL, NULL, NULL }
|
||||
};
|
||||
|
||||
static void
|
||||
|
@ -274,11 +235,11 @@ need_secrets_phase2 (NMSettingWirelessSecurity *self,
|
|||
}
|
||||
|
||||
/* Ask the configured phase2 method if it needs secrets */
|
||||
for (i = 0; eap_need_secrets_table[i].method; i++) {
|
||||
if (eap_need_secrets_table[i].func == NULL)
|
||||
for (i = 0; eap_methods_table[i].method; i++) {
|
||||
if (eap_methods_table[i].ns_func == NULL)
|
||||
continue;
|
||||
if (strcmp (eap_need_secrets_table[i].method, method)) {
|
||||
(*eap_need_secrets_table[i].func) (self, secrets, TRUE);
|
||||
if (strcmp (eap_methods_table[i].method, method)) {
|
||||
(*eap_methods_table[i].ns_func) (self, secrets, TRUE);
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
@ -352,11 +313,11 @@ need_secrets (NMSetting *setting)
|
|||
const char *method = (const char *) iter->data;
|
||||
int i;
|
||||
|
||||
for (i = 0; eap_need_secrets_table[i].method; i++) {
|
||||
if (eap_need_secrets_table[i].func == NULL)
|
||||
for (i = 0; eap_methods_table[i].method; i++) {
|
||||
if (eap_methods_table[i].ns_func == NULL)
|
||||
continue;
|
||||
if (!strcmp (eap_need_secrets_table[i].method, method)) {
|
||||
(*eap_need_secrets_table[i].func) (self, secrets, FALSE);
|
||||
if (!strcmp (eap_methods_table[i].method, method)) {
|
||||
(*eap_methods_table[i].ns_func) (self, secrets, FALSE);
|
||||
|
||||
/* Only break out of the outer loop if this EAP method
|
||||
* needed secrets.
|
||||
|
@ -382,6 +343,107 @@ no_secrets:
|
|||
return NULL;
|
||||
}
|
||||
|
||||
static gboolean
|
||||
verify (NMSetting *setting, GSList *all_settings)
|
||||
{
|
||||
NMSettingWirelessSecurity *self = NM_SETTING_WIRELESS_SECURITY (setting);
|
||||
const char *valid_key_mgmt[] = { "none", "ieee8021x", "wpa-none", "wpa-psk", "wpa-eap", NULL };
|
||||
const char *valid_auth_algs[] = { "open", "shared", "leap", NULL };
|
||||
const char *valid_protos[] = { "wpa", "rsn", NULL };
|
||||
const char *valid_pairwise[] = { "wep40", "wep104", "tkip", "ccmp", NULL };
|
||||
const char *valid_groups[] = { "wep40", "wep104", "tkip", "ccmp", NULL };
|
||||
const char *valid_phase1_peapver[] = { "0", "1", NULL };
|
||||
|
||||
/* Every time a method gets added to the following, add one to EAPMethodNeedSecretsTable */
|
||||
const char *valid_eap[] = { "leap", "md5", "tls", "peap", "ttls", "sim", "psk", "fast", NULL };
|
||||
const char *valid_phase2_auth[] = { "pap", "chap", "mschap", "mschapv2", "gtc", "otp", "md5", "tls", NULL };
|
||||
const char *valid_phase2_autheap[] = { "md5", "mschapv2", "otp", "gtc", "tls", NULL };
|
||||
|
||||
if (!self->key_mgmt || !nm_utils_string_in_list (self->key_mgmt, valid_key_mgmt)) {
|
||||
g_warning ("Missing or invalid key management");
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
if (self->wep_tx_keyidx > 3) {
|
||||
g_warning ("Invalid WEP key index");
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
if (self->auth_alg && !nm_utils_string_in_list (self->auth_alg, valid_auth_algs)) {
|
||||
g_warning ("Invalid authentication algorithm");
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
if (self->proto && !nm_utils_string_slist_validate (self->proto, valid_protos)) {
|
||||
g_warning ("Invalid authentication protocol");
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
if (self->pairwise && !nm_utils_string_slist_validate (self->pairwise, valid_pairwise)) {
|
||||
g_warning ("Invalid pairwise");
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
if (self->group && !nm_utils_string_slist_validate (self->group, valid_groups)) {
|
||||
g_warning ("Invalid group");
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
if (self->eap) {
|
||||
GSList *iter;
|
||||
|
||||
if (!nm_utils_string_slist_validate (self->eap, valid_eap)) {
|
||||
g_warning ("Invalid eap");
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
/* Ask each configured EAP method if its valid */
|
||||
for (iter = self->eap; iter; iter = g_slist_next (iter)) {
|
||||
const char *method = (const char *) iter->data;
|
||||
int i;
|
||||
|
||||
for (i = 0; eap_methods_table[i].method; i++) {
|
||||
if (eap_methods_table[i].v_func == NULL)
|
||||
continue;
|
||||
if (!strcmp (eap_methods_table[i].method, method)) {
|
||||
if (!(*eap_methods_table[i].v_func) (self, FALSE))
|
||||
return FALSE;
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if (self->phase1_peapver && !nm_utils_string_in_list (self->phase1_peapver, valid_phase1_peapver)) {
|
||||
g_warning ("Invalid phase1 peapver");
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
if (self->phase1_peaplabel && strcmp (self->phase1_peaplabel, "1")) {
|
||||
g_warning ("Invalid phase1 peaplabel");
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
if (self->phase1_fast_provisioning && strcmp (self->phase1_fast_provisioning, "1")) {
|
||||
g_warning ("Invalid phase1 fast provisioning");
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
if (self->phase2_auth && !nm_utils_string_in_list (self->phase2_auth, valid_phase2_auth)) {
|
||||
g_warning ("Invalid phase2 authentication");
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
if (self->phase2_autheap && !nm_utils_string_in_list (self->phase2_autheap, valid_phase2_autheap)) {
|
||||
g_warning ("Invalid phase2 autheap");
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
/* FIXME: finish */
|
||||
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
static void
|
||||
nm_setting_wireless_security_init (NMSettingWirelessSecurity *setting)
|
||||
{
|
||||
|
|
Loading…
Reference in a new issue