/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* Copyright (C) 2008 - 2011 Red Hat, Inc.
*/
#include "nm-default.h"
#include "nm-setting-8021x.h"
#include "nm-setting-cdma.h"
#include "nm-setting-connection.h"
#include "nm-setting-gsm.h"
#include "nm-setting-ip4-config.h"
#include "nm-setting-ppp.h"
#include "nm-setting-pppoe.h"
#include "nm-setting-vpn.h"
#include "nm-setting-wired.h"
#include "nm-setting-wireless-security.h"
#include "nm-setting-wireless.h"
#include "nm-simple-connection.h"
#include "nm-utils.h"
#include "nm-core-internal.h"
#include "nm-utils/nm-test-utils.h"
#define TEST_CERT_DIR NM_BUILD_SRCDIR "/libnm-core/tests/certs"
#define TEST_NEED_SECRETS_EAP_TLS_CA_CERT TEST_CERT_DIR "/test_ca_cert.pem"
#define TEST_NEED_SECRETS_EAP_TLS_CLIENT_CERT TEST_CERT_DIR "/test_key_and_cert.pem"
#define TEST_NEED_SECRETS_EAP_TLS_PRIVATE_KEY TEST_CERT_DIR "/test_key_and_cert.pem"
static void
_assert_hints_has(GPtrArray *hints, const char *item)
{
guint i;
guint found = 0;
g_assert(hints);
g_assert(item);
for (i = 0; i < hints->len; i++) {
g_assert(hints->pdata[i]);
if (strcmp(hints->pdata[i], item) == 0)
found++;
}
g_assert_cmpint(found, ==, 1);
}
static NMConnection *
make_tls_connection(const char *detail, NMSetting8021xCKScheme scheme)
{
NMConnection * connection;
NMSettingConnection *s_con;
NMSetting8021x * s_8021x;
NMSettingWired * s_wired;
NMSettingIP4Config * s_ip4;
char * uuid;
gboolean success;
GError * error = NULL;
connection = nm_simple_connection_new();
/* Connection setting */
s_con = (NMSettingConnection *) nm_setting_connection_new();
nm_connection_add_setting(connection, NM_SETTING(s_con));
uuid = nm_utils_uuid_generate();
g_object_set(s_con,
NM_SETTING_CONNECTION_ID,
"Test Need TLS Secrets",
NM_SETTING_CONNECTION_UUID,
uuid,
NM_SETTING_CONNECTION_AUTOCONNECT,
TRUE,
NM_SETTING_CONNECTION_TYPE,
NM_SETTING_WIRED_SETTING_NAME,
NULL);
g_free(uuid);
/* Wired setting */
s_wired = (NMSettingWired *) nm_setting_wired_new();
nm_connection_add_setting(connection, NM_SETTING(s_wired));
/* Wireless security setting */
s_8021x = (NMSetting8021x *) nm_setting_802_1x_new();
nm_connection_add_setting(connection, NM_SETTING(s_8021x));
g_object_set(s_8021x, NM_SETTING_802_1X_IDENTITY, "Bill Smith", NULL);
nm_setting_802_1x_add_eap_method(s_8021x, "tls");
success = nm_setting_802_1x_set_ca_cert(s_8021x,
TEST_NEED_SECRETS_EAP_TLS_CA_CERT,
scheme,
NULL,
&error);
nmtst_assert_success(success, error);
success = nm_setting_802_1x_set_client_cert(s_8021x,
TEST_NEED_SECRETS_EAP_TLS_CLIENT_CERT,
scheme,
NULL,
&error);
nmtst_assert_success(success, error);
success = nm_setting_802_1x_set_private_key(s_8021x,
TEST_NEED_SECRETS_EAP_TLS_PRIVATE_KEY,
"test",
scheme,
NULL,
&error);
nmtst_assert_success(success, error);
success = nm_setting_set_secret_flags(NM_SETTING(s_8021x),
NM_SETTING_802_1X_PRIVATE_KEY_PASSWORD,
NM_SETTING_SECRET_FLAG_AGENT_OWNED,
&error);
nmtst_assert_success(success, error);
/* IP4 setting */
s_ip4 = (NMSettingIP4Config *) nm_setting_ip4_config_new();
nm_connection_add_setting(connection, NM_SETTING(s_ip4));
g_object_set(s_ip4, NM_SETTING_IP_CONFIG_METHOD, NM_SETTING_IP4_CONFIG_METHOD_AUTO, NULL);
nmtst_assert_connection_verifies_and_normalizable(connection);
return connection;
}
static void
test_need_tls_secrets_path(void)
{
NMConnection *connection;
const char * setting_name;
GPtrArray * hints = NULL;
connection = make_tls_connection("need-tls-secrets-path-key", NM_SETTING_802_1X_CK_SCHEME_PATH);
/* Ensure we don't need any secrets since we just set up the connection */
setting_name = nm_connection_need_secrets(connection, &hints);
g_assert(!setting_name);
g_assert(!hints);
/* Connection is good; clear secrets and ensure private key password is then required */
nm_connection_clear_secrets(connection);
hints = NULL;
setting_name = nm_connection_need_secrets(connection, &hints);
g_assert_cmpstr(setting_name, ==, NM_SETTING_802_1X_SETTING_NAME);
_assert_hints_has(hints, NM_SETTING_802_1X_PRIVATE_KEY_PASSWORD);
g_ptr_array_free(hints, TRUE);
g_object_unref(connection);
}
static void
test_need_tls_secrets_blob(void)
{
NMConnection *connection;
const char * setting_name;
GPtrArray * hints = NULL;
connection = make_tls_connection("need-tls-secrets-blob-key", NM_SETTING_802_1X_CK_SCHEME_BLOB);
/* Ensure we don't need any secrets since we just set up the connection */
setting_name = nm_connection_need_secrets(connection, &hints);
g_assert(!setting_name);
g_assert(!hints);
/* Clear secrets and ensure password is again required */
nm_connection_clear_secrets(connection);
hints = NULL;
setting_name = nm_connection_need_secrets(connection, &hints);
g_assert_cmpstr(setting_name, ==, NM_SETTING_802_1X_SETTING_NAME);
_assert_hints_has(hints, NM_SETTING_802_1X_PRIVATE_KEY_PASSWORD);
g_ptr_array_free(hints, TRUE);
g_object_unref(connection);
}
static NMConnection *
make_tls_phase2_connection(const char *detail, NMSetting8021xCKScheme scheme)
{
NMConnection * connection;
NMSettingConnection *s_con;
NMSetting8021x * s_8021x;
NMSettingWired * s_wired;
NMSettingIP4Config * s_ip4;
char * uuid;
gboolean success;
GError * error = NULL;
connection = nm_simple_connection_new();
/* Connection setting */
s_con = (NMSettingConnection *) nm_setting_connection_new();
nm_connection_add_setting(connection, NM_SETTING(s_con));
uuid = nm_utils_uuid_generate();
g_object_set(s_con,
NM_SETTING_CONNECTION_ID,
"Test Need TLS Secrets",
NM_SETTING_CONNECTION_UUID,
uuid,
NM_SETTING_CONNECTION_AUTOCONNECT,
TRUE,
NM_SETTING_CONNECTION_TYPE,
NM_SETTING_WIRED_SETTING_NAME,
NULL);
g_free(uuid);
/* Wired setting */
s_wired = (NMSettingWired *) nm_setting_wired_new();
nm_connection_add_setting(connection, NM_SETTING(s_wired));
/* Wireless security setting */
s_8021x = (NMSetting8021x *) nm_setting_802_1x_new();
nm_connection_add_setting(connection, NM_SETTING(s_8021x));
g_object_set(s_8021x, NM_SETTING_802_1X_ANONYMOUS_IDENTITY, "blahblah", NULL);
g_object_set(s_8021x, NM_SETTING_802_1X_IDENTITY, "Bill Smith", NULL);
nm_setting_802_1x_add_eap_method(s_8021x, "ttls");
g_object_set(s_8021x, NM_SETTING_802_1X_PHASE2_AUTH, "tls", NULL);
success = nm_setting_802_1x_set_phase2_ca_cert(s_8021x,
TEST_NEED_SECRETS_EAP_TLS_CA_CERT,
scheme,
NULL,
&error);
nmtst_assert_success(success, error);
success = nm_setting_802_1x_set_phase2_client_cert(s_8021x,
TEST_NEED_SECRETS_EAP_TLS_CLIENT_CERT,
scheme,
NULL,
&error);
nmtst_assert_success(success, error);
success = nm_setting_802_1x_set_phase2_private_key(s_8021x,
TEST_NEED_SECRETS_EAP_TLS_PRIVATE_KEY,
"test",
scheme,
NULL,
&error);
nmtst_assert_success(success, error);
success = nm_setting_set_secret_flags(NM_SETTING(s_8021x),
NM_SETTING_802_1X_PHASE2_PRIVATE_KEY_PASSWORD,
NM_SETTING_SECRET_FLAG_AGENT_OWNED,
&error);
nmtst_assert_success(success, error);
/* IP4 setting */
s_ip4 = (NMSettingIP4Config *) nm_setting_ip4_config_new();
nm_connection_add_setting(connection, NM_SETTING(s_ip4));
g_object_set(s_ip4, NM_SETTING_IP_CONFIG_METHOD, NM_SETTING_IP4_CONFIG_METHOD_AUTO, NULL);
nmtst_assert_connection_verifies_and_normalizable(connection);
return connection;
}
static void
test_need_tls_phase2_secrets_path(void)
{
NMConnection *connection;
const char * setting_name;
GPtrArray * hints = NULL;
connection = make_tls_phase2_connection("need-tls-phase2-secrets-path-key",
NM_SETTING_802_1X_CK_SCHEME_PATH);
/* Ensure we don't need any secrets since we just set up the connection */
setting_name = nm_connection_need_secrets(connection, &hints);
g_assert(!setting_name);
g_assert(!hints);
/* Connection is good; clear secrets and ensure private key password is then required */
nm_connection_clear_secrets(connection);
hints = NULL;
setting_name = nm_connection_need_secrets(connection, &hints);
g_assert_cmpstr(setting_name, ==, NM_SETTING_802_1X_SETTING_NAME);
_assert_hints_has(hints, NM_SETTING_802_1X_PHASE2_PRIVATE_KEY_PASSWORD);
g_ptr_array_free(hints, TRUE);
g_object_unref(connection);
}
static void
test_need_tls_phase2_secrets_blob(void)
{
NMConnection *connection;
const char * setting_name;
GPtrArray * hints = NULL;
connection = make_tls_phase2_connection("need-tls-phase2-secrets-blob-key",
NM_SETTING_802_1X_CK_SCHEME_BLOB);
/* Ensure we don't need any secrets since we just set up the connection */
setting_name = nm_connection_need_secrets(connection, &hints);
g_assert(!setting_name);
g_assert(!hints);
/* Connection is good; clear secrets and ensure private key password is then required */
nm_connection_clear_secrets(connection);
hints = NULL;
setting_name = nm_connection_need_secrets(connection, &hints);
g_assert_cmpstr(setting_name, ==, NM_SETTING_802_1X_SETTING_NAME);
_assert_hints_has(hints, NM_SETTING_802_1X_PHASE2_PRIVATE_KEY_PASSWORD);
g_ptr_array_free(hints, TRUE);
g_object_unref(connection);
}
static NMConnection *
wifi_connection_new(void)
{
NMConnection * connection;
NMSettingConnection * s_con;
NMSettingWireless * s_wifi;
NMSettingWirelessSecurity *s_wsec;
unsigned char tmpssid[] = {0x31, 0x33, 0x33, 0x37};
char * uuid;
GBytes * ssid;
connection = nm_simple_connection_new();
g_assert(connection);
/* Connection setting */
s_con = (NMSettingConnection *) nm_setting_connection_new();
g_assert(s_con);
uuid = nm_utils_uuid_generate();
g_object_set(s_con,
NM_SETTING_CONNECTION_ID,
"Test Wireless",
NM_SETTING_CONNECTION_UUID,
uuid,
NM_SETTING_CONNECTION_AUTOCONNECT,
FALSE,
NM_SETTING_CONNECTION_TYPE,
NM_SETTING_WIRELESS_SETTING_NAME,
NULL);
g_free(uuid);
nm_connection_add_setting(connection, NM_SETTING(s_con));
/* Wireless setting */
s_wifi = (NMSettingWireless *) nm_setting_wireless_new();
g_assert(s_wifi);
ssid = g_bytes_new(tmpssid, sizeof(tmpssid));
g_object_set(s_wifi, NM_SETTING_WIRELESS_SSID, ssid, NULL);
g_bytes_unref(ssid);
nm_connection_add_setting(connection, NM_SETTING(s_wifi));
/* Wifi security */
s_wsec = (NMSettingWirelessSecurity *) nm_setting_wireless_security_new();
g_assert(s_wsec);
g_object_set(G_OBJECT(s_wsec), NM_SETTING_WIRELESS_SECURITY_KEY_MGMT, "none", NULL);
nm_connection_add_setting(connection, NM_SETTING(s_wsec));
return connection;
}
static GVariant *
build_wep_secrets(const char *wepkey)
{
GVariantBuilder builder;
g_variant_builder_init(&builder, G_VARIANT_TYPE("a{sv}"));
g_variant_builder_add(&builder,
"{sv}",
NM_SETTING_WIRELESS_SECURITY_WEP_KEY0,
g_variant_new_string(wepkey));
g_variant_builder_add(&builder,
"{sv}",
NM_SETTING_WIRELESS_SECURITY_WEP_KEY_TYPE,
g_variant_new_uint32(NM_WEP_KEY_TYPE_KEY));
return g_variant_builder_end(&builder);
}
static void
test_update_secrets_wifi_single_setting(void)
{
NMConnection * connection;
NMSettingWirelessSecurity *s_wsec;
GVariant * secrets;
GError * error = NULL;
gboolean success;
const char * wepkey = "11111111111111111111111111";
const char * tmp;
/* Test update with a hashed setting of 802-11-wireless secrets */
connection = wifi_connection_new();
secrets = build_wep_secrets(wepkey);
success = nm_connection_update_secrets(connection,
NM_SETTING_WIRELESS_SECURITY_SETTING_NAME,
secrets,
&error);
g_assert_no_error(error);
g_assert(success);
g_variant_unref(secrets);
/* Make sure the secret is now in the connection */
s_wsec = nm_connection_get_setting_wireless_security(connection);
g_assert(s_wsec);
tmp = nm_setting_wireless_security_get_wep_key(s_wsec, 0);
g_assert_cmpstr(tmp, ==, wepkey);
g_object_unref(connection);
}
static void
test_update_secrets_wifi_full_hash(void)
{
NMConnection * connection;
NMSettingWirelessSecurity *s_wsec;
GVariantBuilder builder;
GVariant * all;
GError * error = NULL;
gboolean success;
const char * wepkey = "11111111111111111111111111";
const char * tmp;
/* Test update with a hashed connection containing only 802-11-wireless
* setting and secrets.
*/
connection = wifi_connection_new();
g_variant_builder_init(&builder, NM_VARIANT_TYPE_CONNECTION);
g_variant_builder_add(&builder,
"{s@a{sv}}",
NM_SETTING_WIRELESS_SECURITY_SETTING_NAME,
build_wep_secrets(wepkey));
all = g_variant_builder_end(&builder);
success = nm_connection_update_secrets(connection,
NM_SETTING_WIRELESS_SECURITY_SETTING_NAME,
all,
&error);
g_assert_no_error(error);
g_assert(success);
g_variant_unref(all);
/* Make sure the secret is now in the connection */
s_wsec = nm_connection_get_setting_wireless_security(connection);
g_assert(s_wsec);
tmp = nm_setting_wireless_security_get_wep_key(s_wsec, 0);
g_assert_cmpstr(tmp, ==, wepkey);
g_object_unref(connection);
}
static void
test_update_secrets_wifi_bad_setting_name(void)
{
NMConnection *connection;
GVariant * secrets;
GError * error = NULL;
gboolean success;
const char * wepkey = "11111111111111111111111111";
/* Test that passing an invalid setting name to
* nm_connection_update_secrets() fails with the correct error.
*/
connection = wifi_connection_new();
secrets = build_wep_secrets(wepkey);
success = nm_connection_update_secrets(connection, "asdfasdfasdfasf", secrets, &error);
g_assert_error(error, NM_CONNECTION_ERROR, NM_CONNECTION_ERROR_SETTING_NOT_FOUND);
g_assert(success == FALSE);
g_clear_error(&error);
g_variant_unref(secrets);
g_object_unref(connection);
}
static void
test_update_secrets_whole_connection(void)
{
NMConnection * connection;
NMSettingWirelessSecurity *s_wsec;
GVariant * secrets;
GError * error = NULL;
gboolean success;
const char * wepkey = "11111111111111111111111111";
/* Test calling nm_connection_update_secrets() with an entire hashed
* connection including non-secrets.
*/
connection = wifi_connection_new();
/* Build up the secrets dictionary */
secrets = nm_connection_to_dbus(connection, NM_CONNECTION_SERIALIZE_ALL);
NMTST_VARIANT_EDITOR(secrets,
NMTST_VARIANT_ADD_PROPERTY(NM_SETTING_WIRELESS_SECURITY_SETTING_NAME,
NM_SETTING_WIRELESS_SECURITY_WEP_KEY0,
"s",
wepkey););
success = nm_connection_update_secrets(connection, NULL, secrets, &error);
g_assert_no_error(error);
g_assert(success == TRUE);
g_variant_unref(secrets);
s_wsec = nm_connection_get_setting_wireless_security(connection);
g_assert(s_wsec);
g_assert_cmpstr(nm_setting_wireless_security_get_wep_key(s_wsec, 0), ==, wepkey);
g_object_unref(connection);
}
static void
test_update_secrets_whole_connection_empty_hash(void)
{
NMConnection *connection;
GVariant * secrets;
GError * error = NULL;
gboolean success;
/* Test that updating secrets with an empty connection hash returns success */
connection = wifi_connection_new();
secrets = g_variant_new_array(G_VARIANT_TYPE("{sa{sv}}"), NULL, 0);
success = nm_connection_update_secrets(connection, NULL, secrets, &error);
g_assert_no_error(error);
g_assert(success == TRUE);
g_variant_unref(secrets);
g_object_unref(connection);
}
static void
test_update_secrets_whole_connection_bad_setting(void)
{
NMConnection * connection;
NMSettingWirelessSecurity *s_wsec;
GVariant * secrets, *copy, *setting_hash;
const char * setting_name;
GVariantBuilder conn_builder;
GVariantIter conn_iter;
GError * error = NULL;
gboolean success;
const char * wepkey = "11111111111111111111111111";
/* Test that sending a hashed connection containing an invalid setting
* name fails with the right error.
*/
connection = wifi_connection_new();
s_wsec = nm_connection_get_setting_wireless_security(connection);
g_assert(s_wsec != NULL);
g_object_set(G_OBJECT(s_wsec), NM_SETTING_WIRELESS_SECURITY_WEP_KEY0, wepkey, NULL);
/* Build up the secrets hash */
secrets = nm_connection_to_dbus(connection, NM_CONNECTION_SERIALIZE_ALL);
/* Copy the dict, renaming the wireless-security setting in the process
* (so we ensure libnm is returning the right error when it finds an entry
* in the connection hash that doesn't match any setting in the connection).
*/
g_variant_builder_init(&conn_builder, NM_VARIANT_TYPE_CONNECTION);
g_variant_iter_init(&conn_iter, secrets);
while (g_variant_iter_next(&conn_iter, "{&s@a{sv}}", &setting_name, &setting_hash)) {
if (strcmp(setting_name, NM_SETTING_WIRELESS_SECURITY_SETTING_NAME) == 0)
setting_name = "asdfasdfasdfasdf";
g_variant_builder_add(&conn_builder, "{s@a{sv}}", setting_name, setting_hash);
g_variant_unref(setting_hash);
}
copy = g_variant_builder_end(&conn_builder);
g_variant_unref(secrets);
success = nm_connection_update_secrets(connection, NULL, copy, &error);
g_assert_error(error, NM_CONNECTION_ERROR, NM_CONNECTION_ERROR_SETTING_NOT_FOUND);
g_assert(success == FALSE);
g_clear_error(&error);
g_variant_unref(copy);
g_object_unref(connection);
}
static void
test_update_secrets_whole_connection_empty_base_setting(void)
{
NMConnection *connection;
GVariant * secrets, *setting;
GError * error = NULL;
gboolean success;
/* Test that a hashed connection which does not have any hashed secrets
* for the requested setting returns success.
*/
connection = wifi_connection_new();
secrets = nm_connection_to_dbus(connection, NM_CONNECTION_SERIALIZE_ONLY_SECRETS);
g_assert_cmpint(g_variant_n_children(secrets), ==, 3);
setting = g_variant_lookup_value(secrets, NM_SETTING_WIRELESS_SETTING_NAME, NULL);
g_assert(setting != NULL);
g_variant_unref(setting);
success = nm_connection_update_secrets(connection,
NM_SETTING_WIRELESS_SECURITY_SETTING_NAME,
secrets,
&error);
g_assert_no_error(error);
g_assert(success);
g_variant_unref(secrets);
g_object_unref(connection);
}
static void
test_update_secrets_null_setting_name_with_setting_hash(void)
{
NMConnection *connection;
GVariant * secrets;
GError * error = NULL;
gboolean success;
const char * wepkey = "11111111111111111111111111";
/* Ensure that a NULL setting name and only a hashed setting fails */
connection = wifi_connection_new();
secrets = build_wep_secrets(wepkey);
NMTST_EXPECT_LIBNM_CRITICAL(NMTST_G_RETURN_MSG(setting_name || full_connection));
success = nm_connection_update_secrets(connection, NULL, secrets, &error);
g_test_assert_expected_messages();
g_assert_no_error(error);
g_assert(!success);
g_variant_unref(secrets);
g_object_unref(connection);
}
NMTST_DEFINE();
int
main(int argc, char **argv)
{
nmtst_init(&argc, &argv, TRUE);
/* The tests */
g_test_add_func("/libnm/need_tls_secrets_path", test_need_tls_secrets_path);
g_test_add_func("/libnm/need_tls_secrets_blob", test_need_tls_secrets_blob);
g_test_add_func("/libnm/need_tls_phase2_secrets_path", test_need_tls_phase2_secrets_path);
g_test_add_func("/libnm/need_tls_phase2_secrets_blob", test_need_tls_phase2_secrets_blob);
g_test_add_func("/libnm/update_secrets_wifi_single_setting",
test_update_secrets_wifi_single_setting);
g_test_add_func("/libnm/update_secrets_wifi_full_hash", test_update_secrets_wifi_full_hash);
g_test_add_func("/libnm/update_secrets_wifi_bad_setting_name",
test_update_secrets_wifi_bad_setting_name);
g_test_add_func("/libnm/update_secrets_whole_connection", test_update_secrets_whole_connection);
g_test_add_func("/libnm/update_secrets_whole_connection_empty_hash",
test_update_secrets_whole_connection_empty_hash);
g_test_add_func("/libnm/update_secrets_whole_connection_bad_setting",
test_update_secrets_whole_connection_bad_setting);
g_test_add_func("/libnm/update_secrets_whole_connection_empty_base_setting",
test_update_secrets_whole_connection_empty_base_setting);
g_test_add_func("/libnm/update_secrets_null_setting_name_with_setting_hash",
test_update_secrets_null_setting_name_with_setting_hash);
return g_test_run();
}