File nm-use-system-ca-certs.patch of Package NetworkManager

From 49773f74497922a551e60d8c4d09b882dc3042d6 Mon Sep 17 00:00:00 2001
From: Tambet Ingo <tambet@gmail.com>
Date: Fri, 21 Nov 2008 11:33:57 +0200
Subject: [PATCH] Use system CA certs.

---
 configure.in                                       |   11 ++++++
 libnm-util/libnm-util.ver                          |    1 +
 libnm-util/nm-setting-8021x.c                      |   24 +++++++++++++
 libnm-util/nm-setting-8021x.h                      |    3 ++
 src/supplicant-manager/nm-supplicant-config.c      |   36 ++++++++++++--------
 .../nm-supplicant-settings-verify.c                |    1 +
 6 files changed, 62 insertions(+), 14 deletions(-)

diff --git a/configure.in b/configure.in
index b9a4da2..c9e2304 100644
--- a/configure.in
+++ b/configure.in
@@ -435,6 +435,17 @@ if test -n "${RESOLVCONF_PATH}"; then
 	AC_DEFINE_UNQUOTED(RESOLVCONF_PATH, "$RESOLVCONF_PATH", [Define if you have a resolvconf implementation])
 fi
 
+# system CA certificates path
+AC_ARG_WITH(system-ca-path, AS_HELP_STRING([--with-system-ca-path=/path/to/ssl/certs], [path to system CA certificates])) 
+if test "x${with_system_ca_path}" = x; then
+  SYSTEM_CA_PATH=/etc/ssl/certs
+else
+  SYSTEM_CA_PATH="$with_system_ca_path"
+fi
+AC_DEFINE_UNQUOTED(SYSTEM_CA_PATH, "$SYSTEM_CA_PATH", [Define to path to system CA certificates])
+AC_SUBST(SYSTEM_CA_PATH)
+
+
 AC_ARG_ENABLE(more-warnings,
 AS_HELP_STRING([--enable-more-warnings], [Maximum compiler warnings]), set_more_warnings="$enableval",set_more_warnings=yes)
 AC_MSG_CHECKING(for more warnings, including -Werror)
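Review bot: The added `else` branch copies whatever `--with-system-ca-path` was given straight into SYSTEM_CA_PATH, so `--without-system-ca-path` or a bare `--with-system-ca-path` bakes the literal `no` or `yes` into the binary. A relative path is accepted too. Per the nm-supplicant-config.c change in this patch, that string becomes the supplicant's `ca_path`, so a bad value would point server-certificate validation at a directory that does not exist. Accepting only an absolute path and failing configure otherwise would catch this at build time; the line also carries trailing whitespace after the `AC_ARG_WITH(...)` call.

```m4
# … unchanged: AC_ARG_WITH(system-ca-path, …) …
case "${with_system_ca_path}" in
  ""|yes) SYSTEM_CA_PATH=/etc/ssl/certs ;;
  /*)     SYSTEM_CA_PATH="$with_system_ca_path" ;;
  *)      AC_MSG_ERROR([--with-system-ca-path requires an absolute directory path]) ;;
esac
# … unchanged: AC_DEFINE_UNQUOTED(SYSTEM_CA_PATH, …) and AC_SUBST(SYSTEM_CA_PATH) …
```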
diff --git a/libnm-util/libnm-util.ver b/libnm-util/libnm-util.ver
index fab0950..2fe187d 100644
--- a/libnm-util/libnm-util.ver
+++ b/libnm-util/libnm-util.ver
@@ -64,6 +64,7 @@ global:
 	nm_setting_802_1x_get_private_key_password;
 	nm_setting_802_1x_get_private_key_type;
 	nm_setting_802_1x_get_psk;
+	nm_setting_802_1x_get_system_ca_certs;
 	nm_setting_802_1x_get_type;
 	nm_setting_802_1x_new;
 	nm_setting_802_1x_remove_eap_method;
diff --git a/libnm-util/nm-setting-8021x.c b/libnm-util/nm-setting-8021x.c
index 36ce41c..161c72e 100644
--- a/libnm-util/nm-setting-8021x.c
+++ b/libnm-util/nm-setting-8021x.c
@@ -97,6 +97,7 @@ typedef struct {
 	char *pkcs11_module_path;
 	char *pkcs11_module_init_args;
 	guint pkcs11_slot;
+	gboolean system_ca_certs;
 } NMSetting8021xPrivate;
 
 enum {
@@ -126,6 +127,7 @@ enum {
 	PROP_PKCS11_MODULE_PATH,
 	PROP_PKCS11_MODULE_INIT_ARGS,
 	PROP_PKCS11_SLOT,
+	PROP_SYSTEM_CA_CERTS,
 
 	LAST_PROP
 };
@@ -719,6 +721,14 @@ nm_setting_802_1x_get_pkcs11_slot (NMSetting8021x *setting)
 	return NM_SETTING_802_1X_GET_PRIVATE (setting)->pkcs11_slot;
 }
 
+gboolean
+nm_setting_802_1x_get_system_ca_certs (NMSetting8021x *setting)
+{
+	g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), FALSE);
+
+	return NM_SETTING_802_1X_GET_PRIVATE (setting)->system_ca_certs;
+}
+
 static void
 need_secrets_password (NMSetting8021x *self,
                        GPtrArray *secrets,
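Review bot: nm_setting_802_1x_get_system_ca_certs is exported without a doc comment, and the property blurb in the class_init hunk only repeats the nick "Use system CA certificates"; neither says what the flag does to trust. Going by the nm-supplicant-config.c change in this patch, TRUE makes the supplicant use SYSTEM_CA_PATH instead of the connection's `ca-cert`, and the system path is also used when no `ca-cert` is set even if the flag is FALSE. A gtk-doc comment on the getter should state both cases, and the blurb could read `"Trust the CA certificates in the system CA path instead of the ca-cert property"`. Only the tail of the preceding getter and the start of need_secrets_password are visible around the addition.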
@@ -1312,6 +1322,9 @@ set_property (GObject *object, guint prop_id,
 	case PROP_PKCS11_SLOT:
 		priv->pkcs11_slot = g_value_get_uint (value);
 		break;
+	case PROP_SYSTEM_CA_CERTS:
+		priv->system_ca_certs = g_value_get_boolean (value);
+		break;
 	default:
 		G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
 		break;
@@ -1398,6 +1411,9 @@ get_property (GObject *object, guint prop_id,
 	case PROP_PKCS11_SLOT:
 		g_value_set_uint (value, priv->pkcs11_slot);
 		break;
+	case PROP_SYSTEM_CA_CERTS:
+		g_value_set_boolean (value, priv->system_ca_certs);
+		break;
 	default:
 		G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
 		break;
@@ -1614,6 +1630,14 @@ nm_setting_802_1x_class_init (NMSetting8021xClass *setting_class)
 						0, 1000, 0,
 						G_PARAM_READWRITE | NM_SETTING_PARAM_SERIALIZE));
 
+	g_object_class_install_property
+		(object_class, PROP_SYSTEM_CA_CERTS,
+		 g_param_spec_boolean (NM_SETTING_802_1X_SYSTEM_CA_CERTS,
+							   "Use system CA certificates",
+							   "Use system CA certificates",
+							   FALSE,
+							   G_PARAM_READWRITE | NM_SETTING_PARAM_SERIALIZE));
+
 	/* Initialize crypto lbrary. */
 	if (!nm_utils_init (&error)) {
 		g_warning ("Couldn't initilize nm-utils/crypto system: %d %s",
diff --git a/libnm-util/nm-setting-8021x.h b/libnm-util/nm-setting-8021x.h
index e327de3..6e33626 100644
--- a/libnm-util/nm-setting-8021x.h
+++ b/libnm-util/nm-setting-8021x.h
@@ -85,6 +85,7 @@ GQuark nm_setting_802_1x_error_quark (void);
 #define NM_SETTING_802_1X_PKCS11_MODULE_PATH "pkcs11-module-path"
 #define NM_SETTING_802_1X_PKCS11_MODULE_INIT_ARGS "pkcs11-module-init-args"
 #define NM_SETTING_802_1X_PKCS11_SLOT "pkcs11-slot"
+#define NM_SETTING_802_1X_SYSTEM_CA_CERTS "system-ca-certs"
 
 #define NM_SETTING_802_1X_CK_FORMAT_ID   "id:"
 #define NM_SETTING_802_1X_CK_FORMAT_FILE "file:"
@@ -118,6 +119,8 @@ gboolean          nm_setting_802_1x_set_ca_cert_from_file            (NMSetting8
                                                                       NMSetting8021xCKType *out_ck_type,
                                                                       GError **err);
 
+gboolean          nm_setting_802_1x_get_system_ca_certs              (NMSetting8021x *setting);
+
 const GByteArray *nm_setting_802_1x_get_client_cert                  (NMSetting8021x *setting);
 gboolean          nm_setting_802_1x_set_client_cert_from_file        (NMSetting8021x *setting,
                                                                       const char *filename,
diff --git a/src/supplicant-manager/nm-supplicant-config.c b/src/supplicant-manager/nm-supplicant-config.c
index d128487..c849cdf 100644
--- a/src/supplicant-manager/nm-supplicant-config.c
+++ b/src/supplicant-manager/nm-supplicant-config.c
@@ -19,6 +19,10 @@
  * Copyright (C) 2007 - 2008 Novell, Inc.
  */
 
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
 #include <string.h>
 #include <stdlib.h>
 #include <glib.h>
@@ -637,20 +641,24 @@ add_certificates (NMSupplicantConfig *self, NMSetting8021x *setting, const char
 	gboolean send_client_cert;
 	gboolean success;
 
-	array = nm_setting_802_1x_get_ca_cert (setting);
-	if (array && array->data) {
-		str = (char *) array->data;
+	if (nm_setting_802_1x_get_system_ca_certs (setting) || nm_setting_802_1x_get_ca_cert (setting) == NULL) {
+		ADD_STRING_VAL (SYSTEM_CA_PATH, "ca_path", FALSE, FALSE, FALSE);
+	} else {
+		array = nm_setting_802_1x_get_ca_cert (setting);
+		if (array && array->data) {
+			str = (char *) array->data;
 
-		if (g_str_has_prefix (str, NM_SETTING_802_1X_CK_FORMAT_ID))
-			nm_supplicant_config_add_option (self, "ca_cert_id",
-											 str + strlen (NM_SETTING_802_1X_CK_FORMAT_ID),
-											 -1, FALSE);
-		else if (g_str_has_prefix (str, NM_SETTING_802_1X_CK_FORMAT_FILE))
-			nm_supplicant_config_add_option (self, "ca_cert",
-											 str + strlen (NM_SETTING_802_1X_CK_FORMAT_FILE),
-											 -1, FALSE);
-		else {
-			ADD_BLOB_VAL (array, "ca_cert", connection_uid);
+			if (g_str_has_prefix (str, NM_SETTING_802_1X_CK_FORMAT_ID))
+				nm_supplicant_config_add_option (self, "ca_cert_id",
+												 str + strlen (NM_SETTING_802_1X_CK_FORMAT_ID),
+												 -1, FALSE);
+			else if (g_str_has_prefix (str, NM_SETTING_802_1X_CK_FORMAT_FILE))
+				nm_supplicant_config_add_option (self, "ca_cert",
+												 str + strlen (NM_SETTING_802_1X_CK_FORMAT_FILE),
+												 -1, FALSE);
+			else {
+				ADD_BLOB_VAL (array, "ca_cert", connection_uid);
+			}
 		}
 	}
 
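Review bot: In add_certificates the new first branch wins whenever `system-ca-certs` is TRUE, so a `ca-cert` configured on the same connection is silently dropped and trust widens from that one CA to everything under SYSTEM_CA_PATH; the same branch is taken when no CA was configured at all. Trusting a whole CA directory only authenticates the server if its identity is constrained as well (wpa_supplicant's `subject_match`/`altsubject_match`), and nothing in this hunk sets or requires one; whether the rest of the function does is not visible, since add_certificates starts and ends outside the hunk. In the `else` branch, a non-NULL `array` whose `data` is NULL still leaves the connection with no CA option. I would document the trust decision above the branch, e.g. `/* ca_path trusts every CA in SYSTEM_CA_PATH: any certificate they issue is accepted unless subject_match/altsubject_match pins the server */`, and log a warning when the flag overrides a configured `ca-cert`.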
diff --git a/src/supplicant-manager/nm-supplicant-settings-verify.c b/src/supplicant-manager/nm-supplicant-settings-verify.c
index 9895d18..3edacf4 100644
--- a/src/supplicant-manager/nm-supplicant-settings-verify.c
+++ b/src/supplicant-manager/nm-supplicant-settings-verify.c
@@ -103,6 +103,7 @@ static const struct Opt opt_table[] = {
 	{ "password",           TYPE_BYTES,   0, 0, FALSE,  NULL },
 	{ "ca_cert",            TYPE_BYTES,   0, 65536, FALSE,  NULL },
 	{ "ca_cert_id",         TYPE_BYTES,   0, 65536, FALSE,  NULL },
+	{ "ca_path",            TYPE_BYTES,   0, 0, FALSE,  NULL },
 	{ "client_cert",        TYPE_BYTES,   0, 65536, FALSE,  NULL },
 	{ "cert_id",            TYPE_BYTES,   0, 65536, FALSE,  NULL },
 	{ "private_key",        TYPE_BYTES,   0, 65536, FALSE,  NULL },
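Review bot: The new `ca_path` row uses bounds `0, 0` while the neighbouring certificate rows use `0, 65536`, and the hunk does not show what length limit a zero upper bound gives a TYPE_BYTES option. The value comes from the build-time SYSTEM_CA_PATH, so a path longer than that implicit limit would presumably be rejected by verification at runtime rather than at configure time. An explicit upper bound, or a comment such as `/* 0 = default length limit; SYSTEM_CA_PATH must fit */`, would make the constraint checkable. opt_table continues outside the hunk.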
-- 
1.6.0.2
