3
0
mirror of https://git.kernel.org/pub/scm/network/wireless/iwd.git synced 2025-01-09 00:12:36 +01:00

eap-tls: Make use of l_cert_load_container_file

Switch EAP-TLS-ClientCert and EAP-TLS-ClientKey to use
l_cert_load_container_file for file loading so that the file format is
autodetected.  Add new setting EAP-TLS-ClientKeyBundle for loading both
the client certificate and private key from one file.
This commit is contained in:
Andrew Zaborowski 2021-01-25 18:56:12 +01:00 committed by Denis Kenzior
parent b0aa1e4e88
commit 84cae48c1b
3 changed files with 151 additions and 35 deletions

View File

@ -868,12 +868,25 @@ static struct l_queue *eap_tls_load_ca_cert(struct l_settings *settings,
} }
struct l_certchain *eap_tls_load_client_cert(struct l_settings *settings, struct l_certchain *eap_tls_load_client_cert(struct l_settings *settings,
const char *value) const char *value,
const char *passphrase,
bool *out_is_encrypted)
{ {
const char *pem; const char *pem;
if (!is_embedded(value)) if (!is_embedded(value)) {
return l_pem_load_certificate_chain(value); struct l_certchain *certchain;
if (l_cert_load_container_file(value, passphrase,
&certchain, NULL,
out_is_encrypted))
return certchain;
if (out_is_encrypted)
*out_is_encrypted = false;
return NULL;
}
pem = load_embedded_pem(settings, value); pem = load_embedded_pem(settings, value);
if (!pem) if (!pem)
@ -883,20 +896,31 @@ struct l_certchain *eap_tls_load_client_cert(struct l_settings *settings,
} }
struct l_key *eap_tls_load_priv_key(struct l_settings *settings, struct l_key *eap_tls_load_priv_key(struct l_settings *settings,
const char *value, const char *passphrase, const char *value,
bool *is_encrypted) const char *passphrase,
bool *out_is_encrypted)
{ {
const char *pem; const char *pem;
if (!is_embedded(value)) if (!is_embedded(value)) {
return l_pem_load_private_key(value, passphrase, is_encrypted); struct l_key *key;
if (l_cert_load_container_file(value, passphrase, NULL, &key,
out_is_encrypted))
return key;
if (out_is_encrypted)
*out_is_encrypted = false;
return NULL;
}
pem = load_embedded_pem(settings, value); pem = load_embedded_pem(settings, value);
if (!pem) if (!pem)
return NULL; return NULL;
return l_pem_load_private_key_from_data(pem, strlen(pem), return l_pem_load_private_key_from_data(pem, strlen(pem),
passphrase, is_encrypted); passphrase, out_is_encrypted);
} }
int eap_tls_common_settings_check(struct l_settings *settings, int eap_tls_common_settings_check(struct l_settings *settings,

View File

@ -49,10 +49,13 @@ void eap_tls_common_handle_retransmit(struct eap_state *eap,
const uint8_t *pkt, size_t len); const uint8_t *pkt, size_t len);
struct l_certchain *eap_tls_load_client_cert(struct l_settings *settings, struct l_certchain *eap_tls_load_client_cert(struct l_settings *settings,
const char *value); const char *value,
const char *passphrase,
bool *out_is_encrypted);
struct l_key *eap_tls_load_priv_key(struct l_settings *settings, struct l_key *eap_tls_load_priv_key(struct l_settings *settings,
const char *value, const char *passphrase, const char *value,
bool *is_encrypted); const char *passphrase,
bool *out_is_encrypted);
int eap_tls_common_settings_check(struct l_settings *settings, int eap_tls_common_settings_check(struct l_settings *settings,
struct l_queue *secrets, struct l_queue *secrets,

View File

@ -123,13 +123,15 @@ static int eap_tls_settings_check(struct l_settings *settings,
char passphrase_setting[72]; char passphrase_setting[72];
char client_cert_setting[72]; char client_cert_setting[72];
char priv_key_setting[72]; char priv_key_setting[72];
char bundle_setting[72];
L_AUTO_FREE_VAR(char *, passphrase) = NULL; L_AUTO_FREE_VAR(char *, passphrase) = NULL;
L_AUTO_FREE_VAR(char *, client_cert_value) = NULL; L_AUTO_FREE_VAR(char *, client_cert_value) = NULL;
L_AUTO_FREE_VAR(char *, priv_key_value) = NULL; L_AUTO_FREE_VAR(char *, priv_key_value) = NULL;
L_AUTO_FREE_VAR(char *, bundle_value) = NULL;
struct l_certchain *client_cert = NULL; struct l_certchain *client_cert = NULL;
struct l_key *priv_key = NULL; struct l_key *priv_key = NULL;
const char *error_str; const char *error_str;
bool is_encrypted; bool priv_key_encrypted, cert_encrypted;
int ret; int ret;
snprintf(tls_prefix, sizeof(tls_prefix), "%sTLS-", prefix); snprintf(tls_prefix, sizeof(tls_prefix), "%sTLS-", prefix);
@ -149,6 +151,11 @@ static int eap_tls_settings_check(struct l_settings *settings,
priv_key_value = l_settings_get_string(settings, "Security", priv_key_value = l_settings_get_string(settings, "Security",
priv_key_setting); priv_key_setting);
snprintf(bundle_setting, sizeof(bundle_setting),
"%sClientKeyBundle", tls_prefix);
bundle_value = l_settings_get_string(settings, "Security",
bundle_setting);
snprintf(passphrase_setting, sizeof(passphrase_setting), snprintf(passphrase_setting, sizeof(passphrase_setting),
"%sClientKeyPassphrase", tls_prefix); "%sClientKeyPassphrase", tls_prefix);
passphrase = l_settings_get_string(settings, "Security", passphrase = l_settings_get_string(settings, "Security",
@ -167,7 +174,12 @@ static int eap_tls_settings_check(struct l_settings *settings,
* Check whether the combination of settings that are present/missing * Check whether the combination of settings that are present/missing
* makes sense before validating each setting. * makes sense before validating each setting.
*/ */
if (priv_key_value && !client_cert_value) { if (bundle_value && (priv_key_value || client_cert)) {
l_error("Either %s or %s/%s can be used, not both",
bundle_setting, priv_key_setting, client_cert_setting);
ret = -EEXIST;
goto done;
} else if (priv_key_value && !client_cert_value) {
l_error("%s present but no client certificate (%s)", l_error("%s present but no client certificate (%s)",
priv_key_setting, client_cert_setting); priv_key_setting, client_cert_setting);
ret = -ENOENT; ret = -ENOENT;
@ -179,9 +191,9 @@ static int eap_tls_settings_check(struct l_settings *settings,
goto done; goto done;
} }
if (!priv_key_value) { if (!priv_key_value && !bundle_value) {
if (passphrase) { if (passphrase) {
l_error("%s present but no client private key set (%s)", l_error("%s present but no client keys set (%s)",
passphrase_setting, priv_key_setting); passphrase_setting, priv_key_setting);
ret = -ENOENT; ret = -ENOENT;
goto done; goto done;
@ -191,30 +203,77 @@ static int eap_tls_settings_check(struct l_settings *settings,
goto done; goto done;
} }
client_cert = eap_tls_load_client_cert(settings, client_cert_value); if (bundle_value &&
(!l_cert_load_container_file(bundle_value, passphrase,
&client_cert, &priv_key,
&priv_key_encrypted) ||
!client_cert || !priv_key)) {
if (client_cert) {
l_error("No private key loaded from %s", bundle_value);
ret = -ENOKEY;
goto done;
} else if (priv_key) {
l_error("No certificates loaded from %s", bundle_value);
ret = -ENOKEY;
goto done;
} else if (!priv_key_encrypted) {
l_error("Error loading %s", bundle_value);
ret = -EIO;
goto done;
} else if (passphrase) {
l_error("Error loading key pair from encrypted file %s",
bundle_value);
ret = -EACCES;
goto done;
}
/*
* We've got an encrypted file and passphrase was not saved
* in the network settings, need to request the passphrase.
*/
eap_append_secret(out_missing,
EAP_SECRET_LOCAL_PKEY_PASSPHRASE,
passphrase_setting, NULL,
bundle_value, EAP_CACHE_TEMPORARY);
ret = 0;
goto done;
}
if (bundle_value)
goto validate_keys;
client_cert = eap_tls_load_client_cert(settings, client_cert_value,
passphrase, &cert_encrypted);
if (!client_cert) { if (!client_cert) {
if (!cert_encrypted) {
l_error("Failed to load %s", client_cert_value); l_error("Failed to load %s", client_cert_value);
ret = -EIO; ret = -EIO;
goto done; goto done;
} }
if (passphrase) {
l_error("Error loading certificate from encrypted "
"file %s", client_cert_value);
ret = -EACCES;
goto done;
}
/* /*
* Sanity check that certchain provided is valid. We do not verify * We've got an encrypted file and passphrase was not saved
* the certchain against the provided CA since the CA that issued * in the network settings, need to request the passphrase.
* user certificates might be different from the one that is used
* to verify the peer.
*/ */
if (!l_certchain_verify(client_cert, NULL, &error_str)) { eap_append_secret(out_missing,
l_error("Certificate chain %s fails verification: %s", EAP_SECRET_LOCAL_PKEY_PASSPHRASE,
client_cert_value, error_str); passphrase_setting, NULL,
ret = -EINVAL; client_cert_value, EAP_CACHE_TEMPORARY);
ret = 0;
goto done; goto done;
} }
priv_key = eap_tls_load_priv_key(settings, priv_key_value, passphrase, priv_key = eap_tls_load_priv_key(settings, priv_key_value, passphrase,
&is_encrypted); &priv_key_encrypted);
if (!priv_key) { if (!priv_key) {
if (!is_encrypted) { if (!priv_key_encrypted) {
l_error("Error loading client private key %s", l_error("Error loading client private key %s",
priv_key_value); priv_key_value);
ret = -EIO; ret = -EIO;
@ -240,13 +299,27 @@ static int eap_tls_settings_check(struct l_settings *settings,
goto done; goto done;
} }
if (passphrase && !is_encrypted) { validate_keys:
l_error("%s present but client private key %s is not encrypted", if (passphrase && !priv_key_encrypted && !cert_encrypted) {
passphrase_setting, priv_key_value); l_error("%s present but keys are not encrypted",
passphrase_setting);
ret = -ENOENT; ret = -ENOENT;
goto done; goto done;
} }
/*
* Sanity check that certchain provided is valid. We do not verify
* the certchain against the provided CA since the CA that issued
* user certificates might be different from the one that is used
* to verify the peer.
*/
if (!l_certchain_verify(client_cert, NULL, &error_str)) {
l_error("Certificate chain %s fails verification: %s",
client_cert_value, error_str);
ret = -EINVAL;
goto done;
}
ret = eap_tls_check_keys_match(priv_key, ret = eap_tls_check_keys_match(priv_key,
l_certchain_get_leaf(client_cert), l_certchain_get_leaf(client_cert),
priv_key_value, client_cert_value); priv_key_value, client_cert_value);
@ -290,7 +363,8 @@ static bool eap_tls_settings_load(struct eap_state *eap,
snprintf(setting_key, sizeof(setting_key), "%sClientCert", tls_prefix); snprintf(setting_key, sizeof(setting_key), "%sClientCert", tls_prefix);
value = l_settings_get_string(settings, "Security", setting_key); value = l_settings_get_string(settings, "Security", setting_key);
if (value) { if (value) {
client_cert = eap_tls_load_client_cert(settings, value); client_cert = eap_tls_load_client_cert(settings, value,
passphrase, NULL);
if (!client_cert) if (!client_cert)
goto load_error; goto load_error;
} }
@ -306,6 +380,21 @@ static bool eap_tls_settings_load(struct eap_state *eap,
goto load_error; goto load_error;
} }
l_free(value);
snprintf(setting_key, sizeof(setting_key), "%sClientKeyBundle",
tls_prefix);
value = l_settings_get_string(settings, "Security", setting_key);
if (value && !client_cert && !client_key &&
(!l_cert_load_container_file(value, passphrase,
&client_cert,
&client_key, NULL) ||
!client_cert || !client_key)) {
l_certchain_free(client_cert);
l_key_free(client_key);
goto load_error;
}
eap_tls_common_set_keys(eap, client_cert, client_key); eap_tls_common_set_keys(eap, client_cert, client_key);
return true; return true;