supplicant: allow with_system_ca_path to be a file name (rh #1236548)jk/system-ca-certs-rh1236548

NetworkManager uses wpa_supplicant, which in turn calls OpenSSL for verifying
certificates. wpa_supplicant calls
SSL_CTX_load_verify_locations(ctx, CAfile, CApath)
using its ca_cert and ca_path options as CAfile and CApath parameters.

We have a configure time option with_system_ca_path to override ca_path.
However, it doesn't work when a system (like Fedora) only uses bundled PEM
certificates instead of a directory with hashed certificates ([1], [2]).

So this commit allows setting --with_system_ca_path to a file name (the
trusted certificate bundle). Then the name is used to populate wpa_supplicant's
ca_cert instead of ca_path.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1053882
[2] https://www.happyassassin.net/2015/01/12/a-note-about-ssltls-trusted-certificate-stores-and-platforms/

https://bugzilla.redhat.com/show_bug.cgi?id=1236548

3 files changed, 49 insertions, 28 deletions

diff --git a/contrib/fedora/rpm/NetworkManager.spec b/contrib/fedora/rpm/NetworkManager.spec
index 0bdabe8dec..4bf9cd25c1 100644
--- a/contrib/fedora/rpm/NetworkManager.spec
+++ b/contrib/fedora/rpm/NetworkManager.spec
@@ -423,7 +423,7 @@ by nm-connection-editor and nm-applet in a non-graphical environment.
 	--with-suspend-resume=systemd \
 	--with-systemdsystemunitdir=%{systemd_dir} \
 	--with-udev-dir=%{udev_dir} \
-	--with-system-ca-path=/etc/pki/tls/certs \
+	--with-system-ca-path=/etc/pki/tls/cert.pem \
 	--with-tests=yes \
 	--with-valgrind=no \
 	--enable-ifcfg-rh=yes \
diff --git a/libnm-core/nm-setting-8021x.c b/libnm-core/nm-setting-8021x.c
index 8024624a2d..18952875e8 100644
--- a/libnm-core/nm-setting-8021x.c
+++ b/libnm-core/nm-setting-8021x.c
@@ -3933,7 +3933,10 @@ nm_setting_802_1x_class_init (NMSetting8021xClass *setting_class)
 	 * specified at configure time with the --system-ca-path switch.  The
 	 * certificates in this directory are added to the verification chain in
 	 * addition to any certificates specified by the #NMSetting8021x:ca-cert and
-	 * #NMSetting8021x:phase2-ca-cert properties.
+	 * #NMSetting8021x:phase2-ca-cert properties. If the path provided with
+	 * --system-ca-path is rather a file name (bundle of trusted CA certificates),
+	 * it overrides #NMSetting8021x:ca-cert and #NMSetting8021x:phase2-ca-cert
+	 * properties instead (sets ca_cert/ca_cert2 options for wpa_supplicant).
 	 **/
 	/* ---ifcfg-rh---
 	 * property: system-ca-certs
diff --git a/src/supplicant-manager/nm-supplicant-config.c b/src/supplicant-manager/nm-supplicant-config.c
index 5df7b1e760..8c46dda2f8 100644
--- a/src/supplicant-manager/nm-supplicant-config.c
+++ b/src/supplicant-manager/nm-supplicant-config.c
@@ -733,6 +733,7 @@ nm_supplicant_config_add_setting_8021x (NMSupplicantConfig *self,
 	gboolean fast = FALSE;
 	guint32 i, num_eap;
 	gboolean fast_provisoning_allowed = FALSE;
+	const char * ca_path_override = NULL, *ca_cert_override = NULL;
 
 	g_return_val_if_fail (NM_IS_SUPPLICANT_CONFIG (self), FALSE);
 	g_return_val_if_fail (setting != NULL, FALSE);
@@ -870,10 +871,18 @@ nm_supplicant_config_add_setting_8021x (NMSupplicantConfig *self,
 		}
 	}
 
+	/* If user wants to use system CA certs, either populate ca_path (if the path
+	 * is a directory) or ca_cert (the path is a file name) */
+	if (nm_setting_802_1x_get_system_ca_certs (setting)) {
+		if (g_file_test (SYSTEM_CA_PATH, G_FILE_TEST_IS_DIR))
+			ca_path_override = SYSTEM_CA_PATH;
+		else
+			ca_cert_override = SYSTEM_CA_PATH;
+	}
+
 	/* CA path */
 	path = nm_setting_802_1x_get_ca_path (setting);
-	if (nm_setting_802_1x_get_system_ca_certs (setting))
-		path = SYSTEM_CA_PATH;
+	path = ca_path_override ? ca_path_override : path;
 	if (path) {
 		if (!add_string_val (self, path, "ca_path", FALSE, FALSE))
 			return FALSE;
@@ -881,41 +890,50 @@ nm_supplicant_config_add_setting_8021x (NMSupplicantConfig *self,
 
 	/* Phase2 CA path */
 	path = nm_setting_802_1x_get_phase2_ca_path (setting);
-	if (nm_setting_802_1x_get_system_ca_certs (setting))
-		path = SYSTEM_CA_PATH;
+	path = ca_path_override ? ca_path_override : path;
 	if (path) {
 		if (!add_string_val (self, path, "ca_path2", FALSE, FALSE))
 			return FALSE;
 	}
 
 	/* CA certificate */
-	switch (nm_setting_802_1x_get_ca_cert_scheme (setting)) {
-	case NM_SETTING_802_1X_CK_SCHEME_BLOB:
-		bytes = nm_setting_802_1x_get_ca_cert_blob (setting);
-		ADD_BLOB_VAL (bytes, "ca_cert", con_uuid);
-		break;
-	case NM_SETTING_802_1X_CK_SCHEME_PATH:
-		path = nm_setting_802_1x_get_ca_cert_path (setting);
-		if (!add_string_val (self, path, "ca_cert", FALSE, FALSE))
+	if (ca_cert_override) {
+		if (!add_string_val (self, ca_cert_override, "ca_cert", FALSE, FALSE))
 			return FALSE;
-		break;
-	default:
-		break;
+	} else {
+		switch (nm_setting_802_1x_get_ca_cert_scheme (setting)) {
+		case NM_SETTING_802_1X_CK_SCHEME_BLOB:
+			bytes = nm_setting_802_1x_get_ca_cert_blob (setting);
+			ADD_BLOB_VAL (bytes, "ca_cert", con_uuid);
+			break;
+		case NM_SETTING_802_1X_CK_SCHEME_PATH:
+			path = nm_setting_802_1x_get_ca_cert_path (setting);
+			if (!add_string_val (self, path, "ca_cert", FALSE, FALSE))
+				return FALSE;
+			break;
+		default:
+			break;
+		}
 	}
 
 	/* Phase 2 CA certificate */
-	switch (nm_setting_802_1x_get_phase2_ca_cert_scheme (setting)) {
-	case NM_SETTING_802_1X_CK_SCHEME_BLOB:
-		bytes = nm_setting_802_1x_get_phase2_ca_cert_blob (setting);
-		ADD_BLOB_VAL (bytes, "ca_cert2", con_uuid);
-		break;
-	case NM_SETTING_802_1X_CK_SCHEME_PATH:
-		path = nm_setting_802_1x_get_phase2_ca_cert_path (setting);
-		if (!add_string_val (self, path, "ca_cert2", FALSE, FALSE))
+	if (ca_cert_override) {
+		if (!add_string_val (self, ca_cert_override, "ca_cert2", FALSE, FALSE))
 			return FALSE;
-		break;
-	default:
-		break;
+	} else {
+		switch (nm_setting_802_1x_get_phase2_ca_cert_scheme (setting)) {
+		case NM_SETTING_802_1X_CK_SCHEME_BLOB:
+			bytes = nm_setting_802_1x_get_phase2_ca_cert_blob (setting);
+			ADD_BLOB_VAL (bytes, "ca_cert2", con_uuid);
+			break;
+		case NM_SETTING_802_1X_CK_SCHEME_PATH:
+			path = nm_setting_802_1x_get_phase2_ca_cert_path (setting);
+			if (!add_string_val (self, path, "ca_cert2", FALSE, FALSE))
+				return FALSE;
+			break;
+		default:
+			break;
+		}
 	}
 
 	/* Subject match */