diff options
author | Beniamino Galvani <bgalvani@redhat.com> | 2016-10-06 13:44:08 +0200 |
---|---|---|
committer | Beniamino Galvani <bgalvani@redhat.com> | 2016-10-06 13:44:08 +0200 |
commit | e0063db110cc0704d1cd0326de9469f866387b50 (patch) | |
tree | 79fc26e46d83389cb53f017d9e1d10169168e05c | |
parent | 4683a4e60d5a7cc19ad6feff3694fc738f0d2f26 (diff) | |
download | network-manager-applet-e0063db110cc0704d1cd0326de9469f866387b50.tar.gz |
wireless-security: don't silently ignore files with invalid keys/certs
Instead, show all files with a supported extension. For invalid files
we already prevent the save of the connection and show an error
message in the button tooltip.
https://bugzilla.redhat.com/show_bug.cgi?id=1318384
-rw-r--r-- | src/wireless-security/eap-method.c | 93 |
1 files changed, 43 insertions, 50 deletions
diff --git a/src/wireless-security/eap-method.c b/src/wireless-security/eap-method.c index c8c21367..3d43ecb5 100644 --- a/src/wireless-security/eap-method.c +++ b/src/wireless-security/eap-method.c @@ -270,31 +270,6 @@ out: return success; } -#if !LIBNM_BUILD -static const char * -find_tag (const char *tag, const char *buf, gsize len) -{ - gsize i, taglen; - - taglen = strlen (tag); - if (len < taglen) - return NULL; - - for (i = 0; i < len - taglen + 1; i++) { - if (memcmp (buf + i, tag, taglen) == 0) - return buf + i; - } - return NULL; -} - -static const char *pem_rsa_key_begin = "-----BEGIN RSA PRIVATE KEY-----"; -static const char *pem_dsa_key_begin = "-----BEGIN DSA PRIVATE KEY-----"; -static const char *pem_pkcs8_enc_key_begin = "-----BEGIN ENCRYPTED PRIVATE KEY-----"; -static const char *pem_pkcs8_dec_key_begin = "-----BEGIN PRIVATE KEY-----"; -static const char *pem_cert_begin = "-----BEGIN CERTIFICATE-----"; -static const char *proc_type_tag = "Proc-Type: 4,ENCRYPTED"; -static const char *dek_info_tag = "DEK-Info:"; - static gboolean file_has_extension (const char *filename, const char *extensions[]) { @@ -320,6 +295,31 @@ file_has_extension (const char *filename, const char *extensions[]) return found; } +#if !LIBNM_BUILD +static const char * +find_tag (const char *tag, const char *buf, gsize len) +{ + gsize i, taglen; + + taglen = strlen (tag); + if (len < taglen) + return NULL; + + for (i = 0; i < len - taglen + 1; i++) { + if (memcmp (buf + i, tag, taglen) == 0) + return buf + i; + } + return NULL; +} + +static const char *pem_rsa_key_begin = "-----BEGIN RSA PRIVATE KEY-----"; +static const char *pem_dsa_key_begin = "-----BEGIN DSA PRIVATE KEY-----"; +static const char *pem_pkcs8_enc_key_begin = "-----BEGIN ENCRYPTED PRIVATE KEY-----"; +static const char *pem_pkcs8_dec_key_begin = "-----BEGIN PRIVATE KEY-----"; +static const char *pem_cert_begin = "-----BEGIN CERTIFICATE-----"; +static const char *proc_type_tag = "Proc-Type: 4,ENCRYPTED"; +static const char *dek_info_tag = "DEK-Info:"; + static gboolean pem_file_is_encrypted (const char *buffer, gsize bytes_read) { @@ -403,49 +403,28 @@ out: static gboolean default_filter_privkey (const GtkFileFilterInfo *filter_info, gpointer user_data) { - _nm_unused const char *extensions[] = { ".der", ".pem", ".p12", ".key", NULL }; - gboolean require_encrypted = !!user_data; - gboolean is_encrypted; + const char *extensions[] = { ".der", ".pem", ".p12", ".key", NULL }; if (!filter_info->filename) return FALSE; -#if !LIBNM_BUILD if (!file_has_extension (filter_info->filename, extensions)) return FALSE; - is_encrypted = TRUE; - if ( !file_is_der_or_pem (filter_info->filename, TRUE, &is_encrypted) - && !nm_utils_file_is_pkcs12 (filter_info->filename)) - return FALSE; -#else - is_encrypted = FALSE; - if (!nm_utils_file_is_private_key (filter_info->filename, &is_encrypted)) - return FALSE; -#endif - - return require_encrypted ? is_encrypted : TRUE; + return TRUE; } static gboolean default_filter_cert (const GtkFileFilterInfo *filter_info, gpointer user_data) { - _nm_unused const char *extensions[] = { ".der", ".pem", ".crt", ".cer", NULL }; + const char *extensions[] = { ".der", ".pem", ".crt", ".cer", NULL }; if (!filter_info->filename) return FALSE; -#if !LIBNM_BUILD if (!file_has_extension (filter_info->filename, extensions)) return FALSE; - if (!file_is_der_or_pem (filter_info->filename, FALSE, NULL)) - return FALSE; -#else - if (!nm_utils_file_is_certificate (filter_info->filename)) - return FALSE; -#endif - return TRUE; } @@ -469,8 +448,22 @@ gboolean eap_method_is_encrypted_private_key (const char *path) { GtkFileFilterInfo info = { .filename = path }; + gboolean is_encrypted; + + if (!default_filter_privkey (&info, NULL)) + return FALSE; - return default_filter_privkey (&info, (gpointer) TRUE); +#if LIBNM_BUILD + is_encrypted = FALSE; + if (!nm_utils_file_is_private_key (path, &is_encrypted)) + return FALSE; +#else + is_encrypted = TRUE; + if ( !file_is_der_or_pem (path, TRUE, &is_encrypted) + && !nm_utils_file_is_pkcs12 (path)) + return FALSE; +#endif + return is_encrypted; } /* Some methods (PEAP, TLS, TTLS) require a CA certificate. The user can choose |