eap: Use l_settings_get_string where needed

Replace usages of l_settings_get_value with l_settings_get_string, which
will make sure the returned strings are unescaped but also allocates
memeory and forces us to use l_free on most of the strings.  Some of
these strings we explicitly set with l_settings_set_string() in our code
so when we retrieved them with l_settings_get_value() we would receive a
different string if there were any escapable characters in the string.
I didn't replace any of the l_settings_get_value() uses where we're just
checking whether a setting is present, or those which are hexstrings or
EAP method names assuming that they can't have any special characters,
although this isn't future proof.  I did use l_settings_get_string() for
file paths though.

src/eap-gtc.c

@@ -96,7 +96,7 @@ static bool eap_gtc_load_settings(struct eap_state *eap,
 	char *secret;
 
 	snprintf(setting, sizeof(setting), "%sGTC-Secret", prefix);
-	secret = l_strdup(l_settings_get_value(settings, "Security", setting));
+	secret = l_settings_get_string(settings, "Security", setting);
 
 	gtc = l_new(struct eap_gtc_state, 1);
 	gtc->secret = secret;

src/eap-md5.c

@@ -112,7 +112,7 @@ static bool eap_md5_load_settings(struct eap_state *eap,
 	char *secret;
 
 	snprintf(setting, sizeof(setting), "%sMD5-Secret", prefix);
-	secret = l_strdup(l_settings_get_value(settings, "Security", setting));
+	secret = l_settings_get_string(settings, "Security", setting);
 
 	md5 = l_new(struct eap_md5_state, 1);
 	md5->secret = secret;

src/eap-mschapv2.c

@@ -662,22 +662,26 @@ static int eap_mschapv2_check_settings(struct l_settings *settings,
 					const char *prefix,
 					struct l_queue **out_missing)
 {
-	const char *identity, *password = NULL, *password_hash;
+	const char *password_hash;
+	L_AUTO_FREE_VAR(char *, password);
+	L_AUTO_FREE_VAR(char *, identity);
 	const struct eap_secret_info *secret;
 	char setting[64], setting2[64];
 	uint8_t hash[16];
 
 	snprintf(setting, sizeof(setting), "%sIdentity", prefix);
-	identity = l_settings_get_value(settings, "Security", setting);
+	identity = l_settings_get_string(settings, "Security", setting);
 
 	snprintf(setting2, sizeof(setting2), "%sPassword", prefix);
-	password = l_settings_get_value(settings, "Security", setting2);
+	password = l_settings_get_string(settings, "Security", setting2);
 
 	if (!identity) {
 		secret = l_queue_find(secrets, eap_secret_info_match, setting);
 		if (secret) {
-			identity = secret->value;
-			password = secret->value + strlen(secret->value) + 1;
+			l_free(password);
+			identity = l_strdup(secret->value);
+			password = l_strdup(secret->value +
+						strlen(secret->value) + 1);
 
 			goto validate;
 		}
@@ -721,7 +725,7 @@ static int eap_mschapv2_check_settings(struct l_settings *settings,
 		return 0;
 	}
 
-	password = secret->value;
+	password = l_strdup(secret->value);
 
 validate:
 	if (!l_utf8_validate(password, strlen(password), NULL)) {
@@ -740,13 +744,14 @@ static bool eap_mschapv2_load_settings(struct eap_state *eap,
 					const char *prefix)
 {
 	struct eap_mschapv2_state *state;
-	const char *identity, *password;
+	L_AUTO_FREE_VAR(char *, identity);
+	L_AUTO_FREE_VAR(char *, password) = NULL;
 	char setting[64];
 
 	state = l_new(struct eap_mschapv2_state, 1);
 
 	snprintf(setting, sizeof(setting), "%sIdentity", prefix);
-	identity = l_settings_get_value(settings, "Security", setting);
+	identity = l_settings_get_string(settings, "Security", setting);
 	if (!identity)
 		goto error;
 
@@ -755,20 +760,21 @@ static bool eap_mschapv2_load_settings(struct eap_state *eap,
 
 	/* Either read the password-hash from hexdump or password and hash it */
 	snprintf(setting, sizeof(setting), "%sPassword", prefix);
-	password = l_settings_get_value(settings, "Security", setting);
+	password = l_settings_get_string(settings, "Security", setting);
+
 	if (password)
 		set_password_from_string(state, password);
-
-	if (!password) {
+	else {
 		unsigned char *tmp;
 		size_t len;
+		const char *hash_str;
 
 		snprintf(setting, sizeof(setting), "%sPassword-Hash", prefix);
-		password = l_settings_get_value(settings, "Security", setting);
-		if (!password)
+		hash_str = l_settings_get_value(settings, "Security", setting);
+		if (!hash_str)
 			goto error;
 
-		tmp = l_util_from_hexstring(password, &len);
+		tmp = l_util_from_hexstring(hash_str, &len);
 		memcpy(state->password_hash, tmp, 16);
 		l_free(tmp);
 	}

src/eap-peap.c

@@ -848,12 +848,14 @@ static int eap_peap_check_settings(struct l_settings *settings,
 					struct l_queue **out_missing)
 {
 	char entry[64], client_cert_entry[64], passphrase_entry[64];
-	const char *path, *client_cert, *passphrase;
+	L_AUTO_FREE_VAR(char *, path) = NULL;
+	L_AUTO_FREE_VAR(char *, client_cert) = NULL;
+	L_AUTO_FREE_VAR(char *, passphrase) = NULL;
 	uint8_t *cert;
 	size_t size;
 
 	snprintf(entry, sizeof(entry), "%sPEAP-CACert", prefix);
-	path = l_settings_get_value(settings, "Security", entry);
+	path = l_settings_get_string(settings, "Security", entry);
 	if (path) {
 		cert = l_pem_load_certificate(path, &size);
 		if (!cert) {
@@ -866,7 +868,7 @@ static int eap_peap_check_settings(struct l_settings *settings,
 
 	snprintf(client_cert_entry, sizeof(client_cert_entry),
 			"%sPEAP-ClientCert", prefix);
-	client_cert = l_settings_get_value(settings, "Security",
+	client_cert = l_settings_get_string(settings, "Security",
 						client_cert_entry);
 	if (client_cert) {
 		cert = l_pem_load_certificate(client_cert, &size);
@@ -878,8 +880,10 @@ static int eap_peap_check_settings(struct l_settings *settings,
 		l_free(cert);
 	}
 
+	l_free(path);
+
 	snprintf(entry, sizeof(entry), "%sPEAP-ClientKey", prefix);
-	path = l_settings_get_value(settings, "Security", entry);
+	path = l_settings_get_string(settings, "Security", entry);
 
 	if (path && !client_cert) {
 		l_error("%s present but no client certificate (%s)",
@@ -889,7 +893,7 @@ static int eap_peap_check_settings(struct l_settings *settings,
 
 	snprintf(passphrase_entry, sizeof(passphrase_entry),
 			"%sPEAP-ClientKeyPassphrase", prefix);
-	passphrase = l_settings_get_value(settings, "Security",
+	passphrase = l_settings_get_string(settings, "Security",
 						passphrase_entry);
 
 	if (!passphrase) {
@@ -963,20 +967,16 @@ static bool eap_peap_load_settings(struct eap_state *eap,
 	peap->version = PEAP_VERSION_NOT_NEGOTIATED;
 
 	snprintf(entry, sizeof(entry), "%sPEAP-CACert", prefix);
-	peap->ca_cert = l_strdup(l_settings_get_value(settings, "Security",
-									entry));
+	peap->ca_cert = l_settings_get_string(settings, "Security", entry);
 
 	snprintf(entry, sizeof(entry), "%sPEAP-ClientCert", prefix);
-	peap->client_cert = l_strdup(l_settings_get_value(settings, "Security",
-									entry));
+	peap->client_cert = l_settings_get_string(settings, "Security", entry);
 
 	snprintf(entry, sizeof(entry), "%sPEAP-ClientKey", prefix);
-	peap->client_key = l_strdup(l_settings_get_value(settings, "Security",
-									entry));
+	peap->client_key = l_settings_get_string(settings, "Security", entry);
 
 	snprintf(entry, sizeof(entry), "%sPEAP-ClientKeyPassphrase", prefix);
-	peap->passphrase = l_strdup(l_settings_get_value(settings, "Security",
-									entry));
+	peap->passphrase = l_settings_get_string(settings, "Security", entry);
 
 	peap->phase2_eap = eap_new(eap_peap_phase2_send_response,
 					eap_peap_phase2_complete, eap);

src/eap-pwd.c

@@ -721,12 +721,13 @@ static int eap_pwd_check_settings(struct l_settings *settings,
 					const char *prefix,
 					struct l_queue **out_missing)
 {
-	const char *identity, *password = NULL;
+	const char *password;
+	L_AUTO_FREE_VAR(char *, identity);
 	const struct eap_secret_info *secret;
 	char setting[64], setting2[64];
 
 	snprintf(setting, sizeof(setting), "%sIdentity", prefix);
-	identity = l_settings_get_value(settings, "Security", setting);
+	identity = l_settings_get_string(settings, "Security", setting);
 
 	snprintf(setting2, sizeof(setting2), "%sPWD-Password", prefix);
 	password = l_settings_get_value(settings, "Security", setting2);
@@ -766,8 +767,7 @@ static bool eap_pwd_load_settings(struct eap_state *eap,
 	pwd->state = EAP_PWD_STATE_INIT;
 
 	snprintf(setting, sizeof(setting), "%sIdentity", prefix);
-	pwd->identity = l_strdup(l_settings_get_value(settings, "Security",
-			setting));
+	pwd->identity = l_settings_get_string(settings, "Security", setting);
 
 	if (!pwd->identity) {
 		l_error("EAP-Identity is missing");
@@ -775,8 +775,7 @@ static bool eap_pwd_load_settings(struct eap_state *eap,
 	}
 
 	snprintf(setting, sizeof(setting), "%sPWD-Password", prefix);
-	pwd->password = l_strdup(l_settings_get_value(settings, "Security",
-			setting));
+	pwd->password = l_settings_get_string(settings, "Security", setting);
 
 	if (!pwd->password) {
 		l_error("EAP-PWD password is missing");

src/eap-tls.c

@@ -393,12 +393,14 @@ static int eap_tls_check_settings(struct l_settings *settings,
 					struct l_queue **out_missing)
 {
 	char setting[64], client_cert_setting[64], passphrase_setting[64];
-	const char *path, *client_cert, *passphrase;
+	L_AUTO_FREE_VAR(char *, path) = NULL;
+	L_AUTO_FREE_VAR(char *, client_cert) = NULL;
+	L_AUTO_FREE_VAR(char *, passphrase) = NULL;
 	uint8_t *cert;
 	size_t size;
 
 	snprintf(setting, sizeof(setting), "%sTLS-CACert", prefix);
-	path = l_settings_get_value(settings, "Security", setting);
+	path = l_settings_get_string(settings, "Security", setting);
 	if (path) {
 		cert = l_pem_load_certificate(path, &size);
 		if (!cert) {
@@ -411,7 +413,7 @@ static int eap_tls_check_settings(struct l_settings *settings,
 
 	snprintf(client_cert_setting, sizeof(client_cert_setting),
 			"%sTLS-ClientCert", prefix);
-	client_cert = l_settings_get_value(settings, "Security",
+	client_cert = l_settings_get_string(settings, "Security",
 						client_cert_setting);
 	if (client_cert) {
 		cert = l_pem_load_certificate(client_cert, &size);
@@ -423,8 +425,10 @@ static int eap_tls_check_settings(struct l_settings *settings,
 		l_free(cert);
 	}
 
+	l_free(path);
+
 	snprintf(setting, sizeof(setting), "%sTLS-ClientKey", prefix);
-	path = l_settings_get_value(settings, "Security", setting);
+	path = l_settings_get_string(settings, "Security", setting);
 
 	if (path && !client_cert) {
 		l_error("%s present but no client certificate (%s)",
@@ -434,7 +438,7 @@ static int eap_tls_check_settings(struct l_settings *settings,
 
 	snprintf(passphrase_setting, sizeof(passphrase_setting),
 			"%sTLS-ClientKeyPassphrase", prefix);
-	passphrase = l_settings_get_value(settings, "Security",
+	passphrase = l_settings_get_string(settings, "Security",
 						passphrase_setting);
 
 	if (!passphrase) {
@@ -443,7 +447,7 @@ static int eap_tls_check_settings(struct l_settings *settings,
 		secret = l_queue_find(secrets, eap_secret_info_match,
 					passphrase_setting);
 		if (secret)
-			passphrase = secret->value;
+			passphrase = l_strdup(secret->value);
 	}
 
 	if (path) {
@@ -504,20 +508,16 @@ static bool eap_tls_load_settings(struct eap_state *eap,
 	tls = l_new(struct eap_tls_state, 1);
 
 	snprintf(setting, sizeof(setting), "%sTLS-CACert", prefix);
-	tls->ca_cert = l_strdup(l_settings_get_value(settings,
-						"Security", setting));
+	tls->ca_cert = l_settings_get_string(settings, "Security", setting);
 
 	snprintf(setting, sizeof(setting), "%sTLS-ClientCert", prefix);
-	tls->client_cert = l_strdup(l_settings_get_value(settings,
-						"Security", setting));
+	tls->client_cert = l_settings_get_string(settings, "Security", setting);
 
 	snprintf(setting, sizeof(setting), "%sTLS-ClientKey", prefix);
-	tls->client_key = l_strdup(l_settings_get_value(settings,
-						"Security", setting));
+	tls->client_key = l_settings_get_string(settings, "Security", setting);
 
 	snprintf(setting, sizeof(setting), "%sTLS-ClientKeyPassphrase", prefix);
-	tls->passphrase = l_strdup(l_settings_get_value(settings,
-						"Security", setting));
+	tls->passphrase = l_settings_get_string(settings, "Security", setting);
 
 	eap_set_data(eap, tls);
 

src/eap-ttls.c

@@ -660,12 +660,14 @@ static int eap_ttls_check_settings(struct l_settings *settings,
 					struct l_queue **out_missing)
 {
 	char setting[64], client_cert_setting[64], passphrase_setting[64];
-	const char *path, *client_cert, *passphrase;
+	L_AUTO_FREE_VAR(char *, path) = NULL;
+	L_AUTO_FREE_VAR(char *, client_cert) = NULL;
+	L_AUTO_FREE_VAR(char *, passphrase) = NULL;
 	uint8_t *cert;
 	size_t size;
 
 	snprintf(setting, sizeof(setting), "%sTTLS-CACert", prefix);
-	path = l_settings_get_value(settings, "Security", setting);
+	path = l_settings_get_string(settings, "Security", setting);
 	if (path) {
 		cert = l_pem_load_certificate(path, &size);
 		if (!cert) {
@@ -678,7 +680,7 @@ static int eap_ttls_check_settings(struct l_settings *settings,
 
 	snprintf(client_cert_setting, sizeof(client_cert_setting),
 			"%sTTLS-ClientCert", prefix);
-	client_cert = l_settings_get_value(settings, "Security",
+	client_cert = l_settings_get_string(settings, "Security",
 						client_cert_setting);
 	if (client_cert) {
 		cert = l_pem_load_certificate(client_cert, &size);
@@ -690,8 +692,10 @@ static int eap_ttls_check_settings(struct l_settings *settings,
 		l_free(cert);
 	}
 
+	l_free(path);
+
 	snprintf(setting, sizeof(setting), "%sTTLS-ClientKey", prefix);
-	path = l_settings_get_value(settings, "Security", setting);
+	path = l_settings_get_string(settings, "Security", setting);
 
 	if (path && !client_cert) {
 		l_error("%s present but no client certificate (%s)",
@@ -701,7 +705,7 @@ static int eap_ttls_check_settings(struct l_settings *settings,
 
 	snprintf(passphrase_setting, sizeof(passphrase_setting),
 			"%sTTLS-ClientKeyPassphrase", prefix);
-	passphrase = l_settings_get_value(settings, "Security",
+	passphrase = l_settings_get_string(settings, "Security",
 						passphrase_setting);
 
 	if (!passphrase) {
@@ -774,21 +778,18 @@ static bool eap_ttls_load_settings(struct eap_state *eap,
 	ttls = l_new(struct eap_ttls_state, 1);
 
 	snprintf(setting, sizeof(setting), "%sTTLS-CACert", prefix);
-	ttls->ca_cert = l_strdup(l_settings_get_value(settings,
-						"Security", setting));
+	ttls->ca_cert = l_settings_get_string(settings, "Security", setting);
 
 	snprintf(setting, sizeof(setting), "%sTTLS-ClientCert", prefix);
-	ttls->client_cert = l_strdup(l_settings_get_value(settings,
-						"Security", setting));
+	ttls->client_cert = l_settings_get_string(settings,
+							"Security", setting);
 
 	snprintf(setting, sizeof(setting), "%sTTLS-ClientKey", prefix);
-	ttls->client_key = l_strdup(l_settings_get_value(settings,
-						"Security", setting));
+	ttls->client_key = l_settings_get_string(settings, "Security", setting);
 
 	snprintf(setting, sizeof(setting), "%sTTLS-ClientKeyPassphrase",
 			prefix);
-	ttls->passphrase = l_strdup(l_settings_get_value(settings,
-						"Security", setting));
+	ttls->passphrase = l_settings_get_string(settings, "Security", setting);
 
 	ttls->eap = eap_new(eap_ttls_eap_tx_packet,
 				eap_ttls_eap_complete, eap);

src/eap.c

@@ -509,8 +509,8 @@ bool eap_load_settings(struct eap_state *eap, struct l_settings *settings,
 	/* get identity from settings or from EAP method */
 	if (!eap->method->get_identity) {
 		snprintf(setting, sizeof(setting), "%sIdentity", prefix);
-		eap->identity = l_strdup(l_settings_get_value(settings,
-				"Security", setting));
+		eap->identity = l_settings_get_string(settings,
+							"Security", setting);
 	} else {
 		eap->identity = l_strdup(eap->method->get_identity(eap));
 	}