// SPDX-License-Identifier: LGPL-2.1+ /* * Copyright (C) 2007 - 2013 Red Hat, Inc. * Copyright (C) 2007 - 2008 Novell, Inc. */ #include "nm-default.h" #include "nm-setting-8021x.h" #include "nm-glib-aux/nm-secret-utils.h" #include "nm-utils.h" #include "nm-crypto.h" #include "nm-utils-private.h" #include "nm-setting-private.h" #include "nm-core-enum-types.h" /** * SECTION:nm-setting-8021x * @short_description: Describes 802.1x-authenticated connection properties * * The #NMSetting8021x object is a #NMSetting subclass that describes * properties necessary for connection to 802.1x-authenticated networks, such as * WPA and WPA2 Enterprise Wi-Fi networks and wired 802.1x networks. 802.1x * connections typically use certificates and/or EAP authentication methods to * securely verify, identify, and authenticate the client to the network itself, * instead of simply relying on a widely shared static key. * * It's a good idea to read up on wpa_supplicant configuration before using this * setting extensively, since most of the options here correspond closely with * the relevant wpa_supplicant configuration options. * * Furthermore, to get a good idea of 802.1x, EAP, TLS, TTLS, etc and their * applications to Wi-Fi and wired networks, you'll want to get copies of the * following books. * * 802.11 Wireless Networks: The Definitive Guide, Second Edition * Author: Matthew Gast * ISBN: 978-0596100520 * * Cisco Wireless LAN Security * Authors: Krishna Sankar, Sri Sundaralingam, Darrin Miller, and Andrew Balinsky * ISBN: 978-1587051548 **/ /*****************************************************************************/ static NMSetting8021xCKFormat _crypto_format_to_ck (NMCryptoFileFormat format) { G_STATIC_ASSERT ( (NM_SETTING_802_1X_CK_FORMAT_UNKNOWN == (NMSetting8021xCKFormat) NM_CRYPTO_FILE_FORMAT_UNKNOWN) ); G_STATIC_ASSERT ( (NM_SETTING_802_1X_CK_FORMAT_X509 == (NMSetting8021xCKFormat) NM_CRYPTO_FILE_FORMAT_X509) ); G_STATIC_ASSERT ( (NM_SETTING_802_1X_CK_FORMAT_RAW_KEY == (NMSetting8021xCKFormat) NM_CRYPTO_FILE_FORMAT_RAW_KEY) ); G_STATIC_ASSERT ( (NM_SETTING_802_1X_CK_FORMAT_PKCS12 == (NMSetting8021xCKFormat) NM_CRYPTO_FILE_FORMAT_PKCS12) ); nm_assert (NM_IN_SET (format, NM_CRYPTO_FILE_FORMAT_UNKNOWN, NM_CRYPTO_FILE_FORMAT_X509, NM_CRYPTO_FILE_FORMAT_RAW_KEY, NM_CRYPTO_FILE_FORMAT_PKCS12)); return (NMSetting8021xCKFormat) format; } /*****************************************************************************/ typedef void (*EAPMethodNeedSecretsFunc) (NMSetting8021x *self, GPtrArray *secrets, gboolean phase2); typedef gboolean (*EAPMethodValidateFunc)(NMSetting8021x *self, gboolean phase2, GError **error); typedef struct { const char *method; EAPMethodNeedSecretsFunc ns_func; EAPMethodValidateFunc v_func; } EAPMethodsTable; static const EAPMethodsTable eap_methods_table[]; /*****************************************************************************/ NM_GOBJECT_PROPERTIES_DEFINE (NMSetting8021x, PROP_EAP, PROP_IDENTITY, PROP_ANONYMOUS_IDENTITY, PROP_PAC_FILE, PROP_CA_CERT, PROP_CA_CERT_PASSWORD, PROP_CA_CERT_PASSWORD_FLAGS, PROP_CA_PATH, PROP_SUBJECT_MATCH, PROP_ALTSUBJECT_MATCHES, PROP_DOMAIN_SUFFIX_MATCH, PROP_DOMAIN_MATCH, PROP_CLIENT_CERT, PROP_CLIENT_CERT_PASSWORD, PROP_CLIENT_CERT_PASSWORD_FLAGS, PROP_PHASE1_PEAPVER, PROP_PHASE1_PEAPLABEL, PROP_PHASE1_FAST_PROVISIONING, PROP_PHASE1_AUTH_FLAGS, PROP_PHASE2_AUTH, PROP_PHASE2_AUTHEAP, PROP_PHASE2_CA_CERT, PROP_PHASE2_CA_CERT_PASSWORD, PROP_PHASE2_CA_CERT_PASSWORD_FLAGS, PROP_PHASE2_CA_PATH, PROP_PHASE2_SUBJECT_MATCH, PROP_PHASE2_ALTSUBJECT_MATCHES, PROP_PHASE2_DOMAIN_SUFFIX_MATCH, PROP_PHASE2_DOMAIN_MATCH, PROP_PHASE2_CLIENT_CERT, PROP_PHASE2_CLIENT_CERT_PASSWORD, PROP_PHASE2_CLIENT_CERT_PASSWORD_FLAGS, PROP_PASSWORD, PROP_PASSWORD_FLAGS, PROP_PASSWORD_RAW, PROP_PASSWORD_RAW_FLAGS, PROP_PRIVATE_KEY, PROP_PRIVATE_KEY_PASSWORD, PROP_PRIVATE_KEY_PASSWORD_FLAGS, PROP_PHASE2_PRIVATE_KEY, PROP_PHASE2_PRIVATE_KEY_PASSWORD, PROP_PHASE2_PRIVATE_KEY_PASSWORD_FLAGS, PROP_PIN, PROP_PIN_FLAGS, PROP_SYSTEM_CA_CERTS, PROP_OPTIONAL, PROP_AUTH_TIMEOUT, ); typedef struct { GSList *eap; /* GSList of strings */ char *identity; char *anonymous_identity; char *pac_file; GBytes *ca_cert; char *ca_cert_password; char *ca_path; char *subject_match; GSList *altsubject_matches; char *domain_suffix_match; char *domain_match; GBytes *client_cert; char *client_cert_password; char *phase1_peapver; char *phase1_peaplabel; char *phase1_fast_provisioning; char *phase2_auth; char *phase2_autheap; GBytes *phase2_ca_cert; char *phase2_ca_cert_password; char *phase2_ca_path; char *phase2_subject_match; GSList *phase2_altsubject_matches; char *phase2_domain_suffix_match; char *phase2_domain_match; GBytes *phase2_client_cert; char *phase2_client_cert_password; char *password; GBytes *password_raw; char *pin; GBytes *private_key; char *private_key_password; GBytes *phase2_private_key; char *phase2_private_key_password; int auth_timeout; NMSetting8021xAuthFlags phase1_auth_flags; NMSettingSecretFlags ca_cert_password_flags; NMSettingSecretFlags client_cert_password_flags; NMSettingSecretFlags phase2_ca_cert_password_flags; NMSettingSecretFlags phase2_client_cert_password_flags; NMSettingSecretFlags password_flags; NMSettingSecretFlags password_raw_flags; NMSettingSecretFlags pin_flags; NMSettingSecretFlags private_key_password_flags; NMSettingSecretFlags phase2_private_key_password_flags; bool optional:1; bool system_ca_certs:1; } NMSetting8021xPrivate; G_DEFINE_TYPE (NMSetting8021x, nm_setting_802_1x, NM_TYPE_SETTING) #define NM_SETTING_802_1X_GET_PRIVATE(o) (G_TYPE_INSTANCE_GET_PRIVATE ((o), NM_TYPE_SETTING_802_1X, NMSetting8021xPrivate)) /*****************************************************************************/ /** * nm_setting_802_1x_check_cert_scheme: * @pdata: (allow-none): the data pointer * @length: the length of the data * @error: (allow-none) (out): validation reason * * Determines and verifies the blob type. * When setting certificate properties of NMSetting8021x * the blob must be not UNKNOWN (or NULL). * * Returns: the scheme of the blob or %NM_SETTING_802_1X_CK_SCHEME_UNKNOWN. * For NULL it also returns NM_SETTING_802_1X_CK_SCHEME_UNKNOWN. * * Since: 1.2 **/ NMSetting8021xCKScheme nm_setting_802_1x_check_cert_scheme (gconstpointer pdata, gsize length, GError **error) { const char *data = pdata; NMSetting8021xCKScheme scheme; gsize prefix_length; g_return_val_if_fail (!length || data, NM_SETTING_802_1X_CK_SCHEME_UNKNOWN); if (!length || !data) { g_set_error_literal (error, NM_CONNECTION_ERROR, NM_CONNECTION_ERROR_INVALID_PROPERTY, _("binary data missing")); return NM_SETTING_802_1X_CK_SCHEME_UNKNOWN; } if ( length >= NM_STRLEN (NM_SETTING_802_1X_CERT_SCHEME_PREFIX_PATH) && !memcmp (data, NM_SETTING_802_1X_CERT_SCHEME_PREFIX_PATH, NM_STRLEN (NM_SETTING_802_1X_CERT_SCHEME_PREFIX_PATH))) { scheme = NM_SETTING_802_1X_CK_SCHEME_PATH; prefix_length = NM_STRLEN (NM_SETTING_802_1X_CERT_SCHEME_PREFIX_PATH); } else if ( length >= NM_STRLEN (NM_SETTING_802_1X_CERT_SCHEME_PREFIX_PKCS11) && !memcmp (data, NM_SETTING_802_1X_CERT_SCHEME_PREFIX_PKCS11, NM_STRLEN (NM_SETTING_802_1X_CERT_SCHEME_PREFIX_PKCS11))) { scheme = NM_SETTING_802_1X_CK_SCHEME_PKCS11; prefix_length = NM_STRLEN (NM_SETTING_802_1X_CERT_SCHEME_PREFIX_PKCS11); } else { scheme = NM_SETTING_802_1X_CK_SCHEME_BLOB; prefix_length = 0; } if (scheme != NM_SETTING_802_1X_CK_SCHEME_BLOB) { /* An actual URI must be NUL terminated, contain at least * one non-NUL character, and contain only one trailing NUL * character. * And ensure it's UTF-8 valid too so we can pass it through * D-Bus and stuff like that. */ if (data[length - 1] != '\0') { g_set_error_literal (error, NM_CONNECTION_ERROR, NM_CONNECTION_ERROR_INVALID_PROPERTY, _("URI not NUL terminated")); return NM_SETTING_802_1X_CK_SCHEME_UNKNOWN; } length--; if (length <= prefix_length) { g_set_error_literal (error, NM_CONNECTION_ERROR, NM_CONNECTION_ERROR_INVALID_PROPERTY, _("URI is empty")); return NM_SETTING_802_1X_CK_SCHEME_UNKNOWN; } if (!g_utf8_validate (data + prefix_length, length - prefix_length, NULL)) { g_set_error_literal (error, NM_CONNECTION_ERROR, NM_CONNECTION_ERROR_INVALID_PROPERTY, _("URI is not valid UTF-8")); return NM_SETTING_802_1X_CK_SCHEME_UNKNOWN; } } return scheme; } NMSetting8021xCKScheme _nm_setting_802_1x_cert_get_scheme (GBytes *bytes, GError **error) { const char *data; gsize length; if (!bytes) { g_set_error_literal (error, NM_CONNECTION_ERROR, NM_CONNECTION_ERROR_INVALID_PROPERTY, _("data missing")); return NM_SETTING_802_1X_CK_SCHEME_UNKNOWN; } data = g_bytes_get_data (bytes, &length); return nm_setting_802_1x_check_cert_scheme (data, length, error); } static gboolean _cert_verify_scheme (NMSetting8021xCKScheme scheme, GBytes *bytes, GError **error) { GError *local = NULL; NMSetting8021xCKScheme scheme_detected; nm_assert (bytes); scheme_detected = _nm_setting_802_1x_cert_get_scheme (bytes, &local); if (scheme_detected == NM_SETTING_802_1X_CK_SCHEME_UNKNOWN) { g_set_error (error, NM_CONNECTION_ERROR, NM_CONNECTION_ERROR_INVALID_PROPERTY, _("certificate is invalid: %s"), local->message); return FALSE; } if (scheme_detected != scheme) { g_set_error (error, NM_CONNECTION_ERROR, NM_CONNECTION_ERROR_INVALID_PROPERTY, _("certificate detected as invalid scheme")); return FALSE; } return TRUE; } GBytes * _nm_setting_802_1x_cert_value_to_bytes (NMSetting8021xCKScheme scheme, const guint8 *val_bin, gssize val_len, GError **error) { gs_unref_bytes GBytes *bytes = NULL; guint8 *mem; gsize total_len; nm_assert (val_bin); switch (scheme) { case NM_SETTING_802_1X_CK_SCHEME_PKCS11: if (val_len < 0) val_len = strlen ((char *) val_bin) + 1; bytes = g_bytes_new (val_bin, val_len); break; case NM_SETTING_802_1X_CK_SCHEME_PATH: if (val_len < 0) val_len = strlen ((char *) val_bin) + 1; total_len = NM_STRLEN (NM_SETTING_802_1X_CERT_SCHEME_PREFIX_PATH) + ((gsize) val_len); mem = g_new (guint8, total_len); memcpy (mem, NM_SETTING_802_1X_CERT_SCHEME_PREFIX_PATH, NM_STRLEN (NM_SETTING_802_1X_CERT_SCHEME_PREFIX_PATH)); memcpy (&mem[NM_STRLEN (NM_SETTING_802_1X_CERT_SCHEME_PREFIX_PATH)], val_bin, val_len); bytes = g_bytes_new_take (mem, total_len); break; default: g_return_val_if_reached (NULL); } if (!_cert_verify_scheme (scheme, bytes, error)) return NULL; return g_steal_pointer (&bytes); } static const char * _cert_get_path (GBytes *bytes) { const guint8 *bin; nm_assert (bytes); nm_assert (g_bytes_get_size (bytes) >= NM_STRLEN (NM_SETTING_802_1X_CERT_SCHEME_PREFIX_PATH)); bin = g_bytes_get_data (bytes, NULL); nm_assert (bin); nm_assert (bin[g_bytes_get_size (bytes) - 1] == '\0'); nm_assert (g_str_has_prefix ((const char *) bin, NM_SETTING_802_1X_CERT_SCHEME_PREFIX_PATH)); return (const char *) &bin[NM_STRLEN (NM_SETTING_802_1X_CERT_SCHEME_PREFIX_PATH)]; } #define _cert_assert_scheme(cert, check_scheme, ret_val) \ G_STMT_START { \ NMSetting8021xCKScheme scheme; \ \ scheme = _nm_setting_802_1x_cert_get_scheme ((cert), NULL); \ if (scheme != check_scheme) { \ g_return_val_if_fail (scheme == check_scheme, ret_val); \ return ret_val; \ } \ } G_STMT_END #define _cert_impl_get_scheme(setting, cert_field) \ G_STMT_START { \ NMSetting8021x *const _setting = (setting); \ GBytes *_cert; \ \ g_return_val_if_fail (NM_IS_SETTING_802_1X (_setting), NM_SETTING_802_1X_CK_SCHEME_UNKNOWN); \ \ _cert = NM_SETTING_802_1X_GET_PRIVATE (_setting)->cert_field; \ \ return _nm_setting_802_1x_cert_get_scheme (_cert, NULL); \ } G_STMT_END #define _cert_impl_get_blob(setting, cert_field) \ G_STMT_START { \ NMSetting8021x *const _setting = (setting); \ GBytes *_cert; \ \ g_return_val_if_fail (NM_IS_SETTING_802_1X (_setting), NULL); \ \ _cert = NM_SETTING_802_1X_GET_PRIVATE (_setting)->cert_field; \ \ _cert_assert_scheme (_cert, NM_SETTING_802_1X_CK_SCHEME_BLOB, NULL); \ \ return _cert; \ } G_STMT_END #define _cert_impl_get_path(setting, cert_field) \ G_STMT_START { \ NMSetting8021x *const _setting = (setting); \ GBytes *_cert; \ \ g_return_val_if_fail (NM_IS_SETTING_802_1X (_setting), NULL); \ \ _cert = NM_SETTING_802_1X_GET_PRIVATE (_setting)->cert_field; \ \ _cert_assert_scheme (_cert, NM_SETTING_802_1X_CK_SCHEME_PATH, NULL); \ \ return _cert_get_path (_cert); \ } G_STMT_END #define _cert_impl_get_uri(setting, cert_field) \ G_STMT_START { \ NMSetting8021x *const _setting = (setting); \ GBytes *_cert; \ \ g_return_val_if_fail (NM_IS_SETTING_802_1X (_setting), NULL); \ \ _cert = NM_SETTING_802_1X_GET_PRIVATE (_setting)->cert_field; \ \ _cert_assert_scheme (_cert, NM_SETTING_802_1X_CK_SCHEME_PKCS11, NULL); \ \ return g_bytes_get_data (_cert, NULL); \ } G_STMT_END static gboolean _cert_impl_set (NMSetting8021x *setting, _PropertyEnums property, const char *value, const char *password, NMSetting8021xCKScheme scheme, NMSetting8021xCKFormat *out_format, GError **error) { NMSetting8021xPrivate *priv; NMCryptoFileFormat format = NM_CRYPTO_FILE_FORMAT_UNKNOWN; gs_unref_bytes GBytes *cert = NULL; GBytes **p_cert = NULL; GBytes **p_client_cert = NULL; char **p_password = NULL; _PropertyEnums notify_cert = property; _PropertyEnums notify_password = PROP_0; _PropertyEnums notify_client_cert = PROP_0; g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), FALSE); g_return_val_if_fail (!error || !*error, FALSE); if (value) { g_return_val_if_fail (g_utf8_validate (value, -1, NULL), FALSE); g_return_val_if_fail (NM_IN_SET (scheme, NM_SETTING_802_1X_CK_SCHEME_BLOB, NM_SETTING_802_1X_CK_SCHEME_PATH, NM_SETTING_802_1X_CK_SCHEME_PKCS11), FALSE); } if (!value) { /* coerce password to %NULL. It should be already. */ password = NULL; } priv = NM_SETTING_802_1X_GET_PRIVATE (setting); if (!value) { /* pass. */ } else if (scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11) { cert = _nm_setting_802_1x_cert_value_to_bytes (scheme, (guint8 *) value, -1, error); if (!cert) goto err; } else { gs_unref_bytes GBytes *file = NULL; if (NM_IN_SET (property, PROP_PRIVATE_KEY, PROP_PHASE2_PRIVATE_KEY)) { file = nm_crypto_read_file (value, error); if (!file) goto err; format = nm_crypto_verify_private_key_data (g_bytes_get_data (file, NULL), g_bytes_get_size (file), password, NULL, error); if (format == NM_CRYPTO_FILE_FORMAT_UNKNOWN) goto err; } else { if (!nm_crypto_load_and_verify_certificate (value, &format, &file, error)) goto err; } nm_assert (format != NM_CRYPTO_FILE_FORMAT_UNKNOWN); nm_assert (file); if (scheme == NM_SETTING_802_1X_CK_SCHEME_BLOB) { cert = g_steal_pointer (&file); if (!_cert_verify_scheme (scheme, cert, error)) goto err; } else { cert = _nm_setting_802_1x_cert_value_to_bytes (scheme, (guint8 *) value, -1, error); if (!cert) goto err; } } switch (property) { case PROP_CA_CERT: case PROP_PHASE2_CA_CERT: if ( value && scheme != NM_SETTING_802_1X_CK_SCHEME_PKCS11 && format != NM_CRYPTO_FILE_FORMAT_X509) { /* wpa_supplicant can only use raw x509 CA certs */ g_set_error_literal (error, NM_CONNECTION_ERROR, NM_CONNECTION_ERROR_INVALID_PROPERTY, _("CA certificate must be in X.509 format")); goto err; } p_cert = (property == PROP_CA_CERT) ? &priv->ca_cert : &priv->phase2_ca_cert; break; case PROP_CLIENT_CERT: case PROP_PHASE2_CLIENT_CERT: if ( value && scheme != NM_SETTING_802_1X_CK_SCHEME_PKCS11 && !NM_IN_SET (format, NM_CRYPTO_FILE_FORMAT_X509, NM_CRYPTO_FILE_FORMAT_PKCS12)) { g_set_error_literal (error, NM_CONNECTION_ERROR, NM_CONNECTION_ERROR_INVALID_PROPERTY, _("invalid certificate format")); goto err; } p_cert = (property == PROP_CLIENT_CERT) ? &priv->client_cert : &priv->phase2_client_cert; break; case PROP_PRIVATE_KEY: p_cert = &priv->private_key; p_password = &priv->private_key_password; p_client_cert = &priv->client_cert; notify_password = PROP_PRIVATE_KEY_PASSWORD; notify_client_cert = PROP_CLIENT_CERT; break; case PROP_PHASE2_PRIVATE_KEY: p_cert = &priv->phase2_private_key; p_password = &priv->phase2_private_key_password; p_client_cert = &priv->phase2_client_cert; notify_password = PROP_PHASE2_PRIVATE_KEY_PASSWORD; notify_client_cert = PROP_PHASE2_CLIENT_CERT; break; default: nm_assert_not_reached (); break; } /* As required by NM and wpa_supplicant, set the client-cert * property to the same PKCS#12 data. */ if ( cert && p_client_cert && format == NM_CRYPTO_FILE_FORMAT_PKCS12 && !nm_gbytes_equal0 (cert, *p_client_cert)) { g_bytes_unref (*p_client_cert); *p_client_cert = g_bytes_ref (cert); } else notify_client_cert = PROP_0; if ( p_cert && !nm_gbytes_equal0 (cert, *p_cert)) { g_bytes_unref (*p_cert); *p_cert = g_steal_pointer (&cert); } else notify_cert = PROP_0; if ( p_password && !nm_streq0 (password, *p_password)) { nm_free_secret (*p_password); *p_password = g_strdup (password); } else notify_password = PROP_0; nm_gobject_notify_together (setting, notify_cert, notify_password, notify_client_cert); NM_SET_OUT (out_format, _crypto_format_to_ck (format)); return TRUE; err: g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, obj_properties[property]->name); NM_SET_OUT (out_format, NM_SETTING_802_1X_CK_FORMAT_UNKNOWN); return FALSE; } static NMSetting8021xCKFormat _cert_impl_get_key_format_from_bytes (GBytes *private_key) { const char *path; GError *error = NULL; if (!private_key) return NM_SETTING_802_1X_CK_FORMAT_UNKNOWN; switch (_nm_setting_802_1x_cert_get_scheme (private_key, NULL)) { case NM_SETTING_802_1X_CK_SCHEME_BLOB: if (nm_crypto_is_pkcs12_data (g_bytes_get_data (private_key, NULL), g_bytes_get_size (private_key), NULL)) return NM_SETTING_802_1X_CK_FORMAT_PKCS12; return NM_SETTING_802_1X_CK_FORMAT_RAW_KEY; case NM_SETTING_802_1X_CK_SCHEME_PATH: path = _cert_get_path (private_key); if (nm_crypto_is_pkcs12_file (path, &error)) return NM_SETTING_802_1X_CK_FORMAT_PKCS12; if (error && error->domain == G_FILE_ERROR) { g_error_free (error); return NM_SETTING_802_1X_CK_FORMAT_UNKNOWN; } g_error_free (error); return NM_SETTING_802_1X_CK_FORMAT_RAW_KEY; default: break; } return NM_SETTING_802_1X_CK_FORMAT_UNKNOWN; } #define _cert_impl_get_key_format(setting, private_key_field) \ ({ \ NMSetting8021x *_setting = (setting); \ NMSetting8021xPrivate *_priv; \ \ g_return_val_if_fail (NM_IS_SETTING_802_1X (_setting), NM_SETTING_802_1X_CK_FORMAT_UNKNOWN); \ \ _priv = NM_SETTING_802_1X_GET_PRIVATE (_setting); \ _cert_impl_get_key_format_from_bytes (_priv->private_key_field); \ }) static gboolean _cert_verify_property (GBytes *bytes, const char *prop_name, const char *password, const char *password_prop_name, GError **error) { GError *local = NULL; NMSetting8021xCKScheme scheme; if (!bytes) return TRUE; scheme = _nm_setting_802_1x_cert_get_scheme (bytes, &local); if (scheme == NM_SETTING_802_1X_CK_SCHEME_UNKNOWN) { g_set_error (error, NM_CONNECTION_ERROR, NM_CONNECTION_ERROR_INVALID_PROPERTY, _("certificate is invalid: %s"), local->message); g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, prop_name); g_error_free (local); return FALSE; } if (password && (scheme != NM_SETTING_802_1X_CK_SCHEME_PKCS11)) { g_set_error (error, NM_CONNECTION_ERROR, NM_CONNECTION_ERROR_INVALID_PROPERTY, _("password is not supported when certificate is not on a PKCS#11 token")); g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, password_prop_name); return FALSE; } return TRUE; } /*****************************************************************************/ /** * nm_setting_802_1x_get_num_eap_methods: * @setting: the #NMSetting8021x * * Returns the number of eap methods allowed for use when connecting to the * network. Generally only one EAP method is used. Use the functions * nm_setting_802_1x_get_eap_method(), nm_setting_802_1x_add_eap_method(), * and nm_setting_802_1x_remove_eap_method() for adding, removing, and retrieving * allowed EAP methods. * * Returns: the number of allowed EAP methods **/ guint32 nm_setting_802_1x_get_num_eap_methods (NMSetting8021x *setting) { g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), 0); return g_slist_length (NM_SETTING_802_1X_GET_PRIVATE (setting)->eap); } /** * nm_setting_802_1x_get_eap_method: * @setting: the #NMSetting8021x * @i: the index of the EAP method name to return * * Returns the name of the allowed EAP method at index @i. * * Returns: the name of the allowed EAP method at index @i **/ const char * nm_setting_802_1x_get_eap_method (NMSetting8021x *setting, guint32 i) { NMSetting8021xPrivate *priv; g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL); priv = NM_SETTING_802_1X_GET_PRIVATE (setting); g_return_val_if_fail (i <= g_slist_length (priv->eap), NULL); return (const char *) g_slist_nth_data (priv->eap, i); } /** * nm_setting_802_1x_add_eap_method: * @setting: the #NMSetting8021x * @eap: the name of the EAP method to allow for this connection * * Adds an allowed EAP method. The setting is not valid until at least one * EAP method has been added. See #NMSetting8021x:eap property for a list of * allowed EAP methods. * * Returns: %TRUE if the EAP method was successfully added, %FALSE if it was * not a valid method or if it was already allowed. **/ gboolean nm_setting_802_1x_add_eap_method (NMSetting8021x *setting, const char *eap) { NMSetting8021xPrivate *priv; GSList *iter; g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), FALSE); g_return_val_if_fail (eap != NULL, FALSE); priv = NM_SETTING_802_1X_GET_PRIVATE (setting); for (iter = priv->eap; iter; iter = g_slist_next (iter)) { if (!strcmp (eap, (char *) iter->data)) return FALSE; } priv->eap = g_slist_append (priv->eap, g_ascii_strdown (eap, -1)); _notify (setting, PROP_EAP); return TRUE; } /** * nm_setting_802_1x_remove_eap_method: * @setting: the #NMSetting8021x * @i: the index of the EAP method to remove * * Removes the allowed EAP method at the specified index. **/ void nm_setting_802_1x_remove_eap_method (NMSetting8021x *setting, guint32 i) { NMSetting8021xPrivate *priv; GSList *elt; g_return_if_fail (NM_IS_SETTING_802_1X (setting)); priv = NM_SETTING_802_1X_GET_PRIVATE (setting); elt = g_slist_nth (priv->eap, i); g_return_if_fail (elt != NULL); g_free (elt->data); priv->eap = g_slist_delete_link (priv->eap, elt); _notify (setting, PROP_EAP); } /** * nm_setting_802_1x_remove_eap_method_by_value: * @setting: the #NMSetting8021x * @eap: the name of the EAP method to remove * * Removes the allowed EAP method @method. * * Returns: %TRUE if the EAP method was founs and removed, %FALSE if it was not. **/ gboolean nm_setting_802_1x_remove_eap_method_by_value (NMSetting8021x *setting, const char *eap) { NMSetting8021xPrivate *priv; GSList *iter; g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), FALSE); g_return_val_if_fail (eap != NULL, FALSE); priv = NM_SETTING_802_1X_GET_PRIVATE (setting); for (iter = priv->eap; iter; iter = g_slist_next (iter)) { if (!strcmp (eap, (char *) iter->data)) { priv->eap = g_slist_delete_link (priv->eap, iter); _notify (setting, PROP_EAP); return TRUE; } } return FALSE; } /** * nm_setting_802_1x_clear_eap_methods: * @setting: the #NMSetting8021x * * Clears all allowed EAP methods. **/ void nm_setting_802_1x_clear_eap_methods (NMSetting8021x *setting) { NMSetting8021xPrivate *priv; g_return_if_fail (NM_IS_SETTING_802_1X (setting)); priv = NM_SETTING_802_1X_GET_PRIVATE (setting); g_slist_free_full (priv->eap, g_free); priv->eap = NULL; _notify (setting, PROP_EAP); } /** * nm_setting_802_1x_get_identity: * @setting: the #NMSetting8021x * * Returns the identifier used by some EAP methods (like TLS) to * authenticate the user. Often this is a username or login name. * * Returns: the user identifier **/ const char * nm_setting_802_1x_get_identity (NMSetting8021x *setting) { g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL); return NM_SETTING_802_1X_GET_PRIVATE (setting)->identity; } /** * nm_setting_802_1x_get_anonymous_identity: * @setting: the #NMSetting8021x * * Returns the anonymous identifier used by some EAP methods (like TTLS) to * authenticate the user in the outer unencrypted "phase 1" authentication. The * inner "phase 2" authentication will use the #NMSetting8021x:identity in * a secure form, if applicable for that EAP method. * * Returns: the anonymous identifier **/ const char * nm_setting_802_1x_get_anonymous_identity (NMSetting8021x *setting) { g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL); return NM_SETTING_802_1X_GET_PRIVATE (setting)->anonymous_identity; } /** * nm_setting_802_1x_get_pac_file: * @setting: the #NMSetting8021x * * Returns the file containing PAC credentials used by EAP-FAST method. * * Returns: the PAC file **/ const char * nm_setting_802_1x_get_pac_file (NMSetting8021x *setting) { g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL); return NM_SETTING_802_1X_GET_PRIVATE (setting)->pac_file; } /** * nm_setting_802_1x_get_ca_path: * @setting: the #NMSetting8021x * * Returns the path of the CA certificate directory if previously set. Systems * will often have a directory that contains multiple individual CA certificates * which the supplicant can then add to the verification chain. This may be * used in addition to the #NMSetting8021x:ca-cert property to add more CA * certificates for verifying the network to client. * * Returns: the CA certificate directory path **/ const char * nm_setting_802_1x_get_ca_path (NMSetting8021x *setting) { g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL); return NM_SETTING_802_1X_GET_PRIVATE (setting)->ca_path; } /** * nm_setting_802_1x_get_system_ca_certs: * @setting: the #NMSetting8021x * * Sets the #NMSetting8021x:system-ca-certs property. The * #NMSetting8021x:ca-path and #NMSetting8021x:phase2-ca-path * properties are ignored if the #NMSetting8021x:system-ca-certs property is * %TRUE, in which case a system-wide CA certificate directory specified at * compile time (using the --system-ca-path configure option) is used in place * of these properties. * * Returns: %TRUE if a system CA certificate path should be used, %FALSE if not **/ gboolean nm_setting_802_1x_get_system_ca_certs (NMSetting8021x *setting) { g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), FALSE); return NM_SETTING_802_1X_GET_PRIVATE (setting)->system_ca_certs; } /** * nm_setting_802_1x_get_ca_cert_scheme: * @setting: the #NMSetting8021x * * Returns the scheme used to store the CA certificate. If the returned scheme * is %NM_SETTING_802_1X_CK_SCHEME_BLOB, use nm_setting_802_1x_get_ca_cert_blob(); * if %NM_SETTING_802_1X_CK_SCHEME_PATH, use nm_setting_802_1x_get_ca_cert_path(); * if %NM_SETTING_802_1X_CK_SCHEME_PKCS11, use nm_setting_802_1x_get_ca_cert_uri(). * * Returns: scheme used to store the CA certificate (blob or path) **/ NMSetting8021xCKScheme nm_setting_802_1x_get_ca_cert_scheme (NMSetting8021x *setting) { _cert_impl_get_scheme (setting, ca_cert); } /** * nm_setting_802_1x_get_ca_cert_blob: * @setting: the #NMSetting8021x * * Returns the CA certificate blob if the CA certificate is stored using the * %NM_SETTING_802_1X_CK_SCHEME_BLOB scheme. Not all EAP methods use a * CA certificate (LEAP for example), and those that can take advantage of the * CA certificate allow it to be unset. Note that lack of a CA certificate * reduces security by allowing man-in-the-middle attacks, because the identity * of the network cannot be confirmed by the client. * * Returns: (transfer none): the CA certificate data **/ GBytes * nm_setting_802_1x_get_ca_cert_blob (NMSetting8021x *setting) { _cert_impl_get_blob (setting, ca_cert); } /** * nm_setting_802_1x_get_ca_cert_path: * @setting: the #NMSetting8021x * * Returns the CA certificate path if the CA certificate is stored using the * %NM_SETTING_802_1X_CK_SCHEME_PATH scheme. Not all EAP methods use a * CA certificate (LEAP for example), and those that can take advantage of the * CA certificate allow it to be unset. Note that lack of a CA certificate * reduces security by allowing man-in-the-middle attacks, because the identity * of the network cannot be confirmed by the client. * * Returns: path to the CA certificate file **/ const char * nm_setting_802_1x_get_ca_cert_path (NMSetting8021x *setting) { _cert_impl_get_path (setting, ca_cert); } /** * nm_setting_802_1x_get_ca_cert_uri: * @setting: the #NMSetting8021x * * Returns the CA certificate URI analogously to * nm_setting_802_1x_get_ca_cert_blob() and * nm_setting_802_1x_get_ca_cert_path(). * * Currently it's limited to PKCS#11 URIs ('pkcs11' scheme as defined by RFC * 7512), but may be extended to other schemes in future (such as 'file' URIs * for local files and 'data' URIs for inline certificate data). * * Returns: the URI string * * Since: 1.6 **/ const char * nm_setting_802_1x_get_ca_cert_uri (NMSetting8021x *setting) { _cert_impl_get_uri (setting, ca_cert); } /** * nm_setting_802_1x_set_ca_cert: * @setting: the #NMSetting8021x * @value: when @scheme is set to either %NM_SETTING_802_1X_CK_SCHEME_PATH * or %NM_SETTING_802_1X_CK_SCHEME_BLOB, pass the path of the CA certificate * file (PEM or DER format). The path must be UTF-8 encoded; use * g_filename_to_utf8() to convert if needed. Passing %NULL with any @scheme * clears the CA certificate. * @scheme: desired storage scheme for the certificate * @out_format: on successful return, the type of the certificate added * @error: on unsuccessful return, an error * * Reads a certificate from disk and sets the #NMSetting8021x:ca-cert property * with the raw certificate data if using the %NM_SETTING_802_1X_CK_SCHEME_BLOB * scheme, or with the path to the certificate file if using the * %NM_SETTING_802_1X_CK_SCHEME_PATH scheme. * * Returns: %TRUE if the operation succeeded, %FALSE if it was unsuccessful **/ gboolean nm_setting_802_1x_set_ca_cert (NMSetting8021x *setting, const char *value, NMSetting8021xCKScheme scheme, NMSetting8021xCKFormat *out_format, GError **error) { return _cert_impl_set (setting, PROP_CA_CERT, value, NULL, scheme, out_format, error); } /** * nm_setting_802_1x_get_ca_cert_password: * @setting: the #NMSetting8021x * * Returns: the password used to access the CA certificate stored in * #NMSetting8021x:ca-cert property. Only makes sense if the certificate * is stored on a PKCS#11 token that requires a login. * * Since: 1.8 **/ const char * nm_setting_802_1x_get_ca_cert_password (NMSetting8021x *setting) { g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL); return NM_SETTING_802_1X_GET_PRIVATE (setting)->ca_cert_password; } /** * nm_setting_802_1x_get_ca_cert_password_flags: * @setting: the #NMSetting8021x * * Returns: the #NMSettingSecretFlags pertaining to the * #NMSetting8021x:ca-cert-password * * Since: 1.8 **/ NMSettingSecretFlags nm_setting_802_1x_get_ca_cert_password_flags (NMSetting8021x *setting) { g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NM_SETTING_SECRET_FLAG_NONE); return NM_SETTING_802_1X_GET_PRIVATE (setting)->ca_cert_password_flags; } /** * nm_setting_802_1x_get_subject_match: * @setting: the #NMSetting8021x * * Returns: the #NMSetting8021x:subject-match property. This is the * substring to be matched against the subject of the authentication * server certificate, or %NULL no subject verification is to be * performed. **/ const char * nm_setting_802_1x_get_subject_match (NMSetting8021x *setting) { g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL); return NM_SETTING_802_1X_GET_PRIVATE (setting)->subject_match; } /** * nm_setting_802_1x_get_num_altsubject_matches: * @setting: the #NMSetting8021x * * Returns the number of entries in the * #NMSetting8021x:altsubject-matches property of this setting. * * Returns: the number of altsubject-matches entries. **/ guint32 nm_setting_802_1x_get_num_altsubject_matches (NMSetting8021x *setting) { g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), 0); return g_slist_length (NM_SETTING_802_1X_GET_PRIVATE (setting)->altsubject_matches); } /** * nm_setting_802_1x_get_altsubject_match: * @setting: the #NMSettingConnection * @i: the zero-based index of the array of altSubjectName matches * * Returns the altSubjectName match at index @i. * * Returns: the altSubjectName match at index @i **/ const char * nm_setting_802_1x_get_altsubject_match (NMSetting8021x *setting, guint32 i) { NMSetting8021xPrivate *priv; g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL); priv = NM_SETTING_802_1X_GET_PRIVATE (setting); g_return_val_if_fail (i <= g_slist_length (priv->altsubject_matches), NULL); return (const char *) g_slist_nth_data (priv->altsubject_matches, i); } /** * nm_setting_802_1x_add_altsubject_match: * @setting: the #NMSetting8021x * @altsubject_match: the altSubjectName to allow for this connection * * Adds an allowed alternate subject name match. Until at least one * match is added, the altSubjectName of the remote authentication * server is not verified. * * Returns: %TRUE if the alternative subject name match was * successfully added, %FALSE if it was already allowed. **/ gboolean nm_setting_802_1x_add_altsubject_match (NMSetting8021x *setting, const char *altsubject_match) { NMSetting8021xPrivate *priv; GSList *iter; g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), FALSE); g_return_val_if_fail (altsubject_match != NULL, FALSE); priv = NM_SETTING_802_1X_GET_PRIVATE (setting); for (iter = priv->altsubject_matches; iter; iter = g_slist_next (iter)) { if (!strcmp (altsubject_match, (char *) iter->data)) return FALSE; } priv->altsubject_matches = g_slist_append (priv->altsubject_matches, g_strdup (altsubject_match)); _notify (setting, PROP_ALTSUBJECT_MATCHES); return TRUE; } /** * nm_setting_802_1x_remove_altsubject_match: * @setting: the #NMSetting8021x * @i: the index of the altSubjectName match to remove * * Removes the allowed altSubjectName at the specified index. **/ void nm_setting_802_1x_remove_altsubject_match (NMSetting8021x *setting, guint32 i) { NMSetting8021xPrivate *priv; GSList *elt; g_return_if_fail (NM_IS_SETTING_802_1X (setting)); priv = NM_SETTING_802_1X_GET_PRIVATE (setting); elt = g_slist_nth (priv->altsubject_matches, i); g_return_if_fail (elt != NULL); g_free (elt->data); priv->altsubject_matches = g_slist_delete_link (priv->altsubject_matches, elt); _notify (setting, PROP_ALTSUBJECT_MATCHES); } /** * nm_setting_802_1x_remove_altsubject_match_by_value: * @setting: the #NMSetting8021x * @altsubject_match: the altSubjectName to remove * * Removes the allowed altSubjectName @altsubject_match. * * Returns: %TRUE if the alternative subject name match was found and removed, * %FALSE if it was not. **/ gboolean nm_setting_802_1x_remove_altsubject_match_by_value (NMSetting8021x *setting, const char *altsubject_match) { NMSetting8021xPrivate *priv; GSList *iter; g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), FALSE); g_return_val_if_fail (altsubject_match != NULL, FALSE); priv = NM_SETTING_802_1X_GET_PRIVATE (setting); for (iter = priv->altsubject_matches; iter; iter = g_slist_next (iter)) { if (!strcmp (altsubject_match, (char *) iter->data)) { priv->altsubject_matches = g_slist_delete_link (priv->altsubject_matches, iter); _notify (setting, PROP_ALTSUBJECT_MATCHES); return TRUE; } } return FALSE; } /** * nm_setting_802_1x_clear_altsubject_matches: * @setting: the #NMSetting8021x * * Clears all altSubjectName matches. **/ void nm_setting_802_1x_clear_altsubject_matches (NMSetting8021x *setting) { NMSetting8021xPrivate *priv; g_return_if_fail (NM_IS_SETTING_802_1X (setting)); priv = NM_SETTING_802_1X_GET_PRIVATE (setting); g_slist_free_full (priv->altsubject_matches, g_free); priv->altsubject_matches = NULL; _notify (setting, PROP_ALTSUBJECT_MATCHES); } /** * nm_setting_802_1x_get_domain_suffix_match: * @setting: the #NMSetting8021x * * Returns: the #NMSetting8021x:domain-suffix-match property. * * Since: 1.2 **/ const char * nm_setting_802_1x_get_domain_suffix_match (NMSetting8021x *setting) { g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL); return NM_SETTING_802_1X_GET_PRIVATE (setting)->domain_suffix_match; } /** * nm_setting_802_1x_get_domain_match: * @setting: the #NMSetting8021x * * Returns: the #NMSetting8021x:domain-match property. * * Since: 1.24 **/ const char * nm_setting_802_1x_get_domain_match (NMSetting8021x *setting) { g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL); return NM_SETTING_802_1X_GET_PRIVATE (setting)->domain_match; } /** * nm_setting_802_1x_get_client_cert_scheme: * @setting: the #NMSetting8021x * * Returns the scheme used to store the client certificate. If the returned scheme * is %NM_SETTING_802_1X_CK_SCHEME_BLOB, use nm_setting_802_1x_get_client_cert_blob(); * if %NM_SETTING_802_1X_CK_SCHEME_PATH, use nm_setting_802_1x_get_client_cert_path(); * if %NM_SETTING_802_1X_CK_SCHEME_PKCS11, use nm_setting_802_1x_get_client_cert_uri(). * * Returns: scheme used to store the client certificate (blob or path) **/ NMSetting8021xCKScheme nm_setting_802_1x_get_client_cert_scheme (NMSetting8021x *setting) { _cert_impl_get_scheme (setting, client_cert); } /** * nm_setting_802_1x_get_client_cert_blob: * @setting: the #NMSetting8021x * * Client certificates are used to identify the connecting client to the network * when EAP-TLS is used as either the "phase 1" or "phase 2" 802.1x * authentication method. * * Returns: (transfer none): the client certificate data **/ GBytes * nm_setting_802_1x_get_client_cert_blob (NMSetting8021x *setting) { _cert_impl_get_blob (setting, client_cert); } /** * nm_setting_802_1x_get_client_cert_path: * @setting: the #NMSetting8021x * * Client certificates are used to identify the connecting client to the network * when EAP-TLS is used as either the "phase 1" or "phase 2" 802.1x * authentication method. * * Returns: path to the client certificate file **/ const char * nm_setting_802_1x_get_client_cert_path (NMSetting8021x *setting) { _cert_impl_get_path (setting, client_cert); } /** * nm_setting_802_1x_get_client_cert_uri: * @setting: the #NMSetting8021x * * Returns the client certificate URI analogously to * nm_setting_802_1x_get_client_cert_blob() and * nm_setting_802_1x_get_client_cert_path(). * * Currently it's limited to PKCS#11 URIs ('pkcs11' scheme as defined by RFC * 7512), but may be extended to other schemes in future (such as 'file' URIs * for local files and 'data' URIs for inline certificate data). * * Returns: the URI string * * Since: 1.6 **/ const char * nm_setting_802_1x_get_client_cert_uri (NMSetting8021x *setting) { _cert_impl_get_uri (setting, client_cert); } /** * nm_setting_802_1x_set_client_cert: * @setting: the #NMSetting8021x * @value: when @scheme is set to either %NM_SETTING_802_1X_CK_SCHEME_PATH * or %NM_SETTING_802_1X_CK_SCHEME_BLOB, pass the path of the client * certificate file (PEM, DER, or PKCS#12 format). The path must be UTF-8 * encoded; use g_filename_to_utf8() to convert if needed. Passing %NULL with * any @scheme clears the client certificate. * @scheme: desired storage scheme for the certificate * @out_format: on successful return, the type of the certificate added * @error: on unsuccessful return, an error * * Reads a certificate from disk and sets the #NMSetting8021x:client-cert * property with the raw certificate data if using the * %NM_SETTING_802_1X_CK_SCHEME_BLOB scheme, or with the path to the certificate * file if using the %NM_SETTING_802_1X_CK_SCHEME_PATH scheme. * * Client certificates are used to identify the connecting client to the network * when EAP-TLS is used as either the "phase 1" or "phase 2" 802.1x * authentication method. * * Returns: %TRUE if the operation succeeded, %FALSE if it was unsuccessful **/ gboolean nm_setting_802_1x_set_client_cert (NMSetting8021x *setting, const char *value, NMSetting8021xCKScheme scheme, NMSetting8021xCKFormat *out_format, GError **error) { return _cert_impl_set (setting, PROP_CLIENT_CERT, value, NULL, scheme, out_format, error); } /** * nm_setting_802_1x_get_client_cert_password: * @setting: the #NMSetting8021x * * Returns: the password used to access the client certificate stored in * #NMSetting8021x:client-cert property. Only makes sense if the certificate * is stored on a PKCS#11 token that requires a login. * * Since: 1.8 **/ const char * nm_setting_802_1x_get_client_cert_password (NMSetting8021x *setting) { g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL); return NM_SETTING_802_1X_GET_PRIVATE (setting)->client_cert_password; } /** * nm_setting_802_1x_get_client_cert_password_flags: * @setting: the #NMSetting8021x * * Returns: the #NMSettingSecretFlags pertaining to the * #NMSetting8021x:client-cert-password * * Since: 1.8 **/ NMSettingSecretFlags nm_setting_802_1x_get_client_cert_password_flags (NMSetting8021x *setting) { g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NM_SETTING_SECRET_FLAG_NONE); return NM_SETTING_802_1X_GET_PRIVATE (setting)->client_cert_password_flags; } /** * nm_setting_802_1x_get_phase1_peapver: * @setting: the #NMSetting8021x * * Returns: the "phase 1" PEAP version to be used when authenticating with * EAP-PEAP as contained in the #NMSetting8021x:phase1-peapver property. Valid * values are %NULL (unset), "0" (PEAP version 0), and "1" (PEAP version 1). **/ const char * nm_setting_802_1x_get_phase1_peapver (NMSetting8021x *setting) { g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL); return NM_SETTING_802_1X_GET_PRIVATE (setting)->phase1_peapver; } /** * nm_setting_802_1x_get_phase1_peaplabel: * @setting: the #NMSetting8021x * * Returns: whether the "phase 1" PEAP label is new-style or old-style, to be * used when authenticating with EAP-PEAP, as contained in the * #NMSetting8021x:phase1-peaplabel property. Valid values are %NULL (unset), * "0" (use old-style label), and "1" (use new-style label). See the * wpa_supplicant documentation for more details. **/ const char * nm_setting_802_1x_get_phase1_peaplabel (NMSetting8021x *setting) { g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL); return NM_SETTING_802_1X_GET_PRIVATE (setting)->phase1_peaplabel; } /** * nm_setting_802_1x_get_phase1_fast_provisioning: * @setting: the #NMSetting8021x * * Returns: whether "phase 1" PEAP fast provisioning should be used, as specified * by the #NMSetting8021x:phase1-fast-provisioning property. See the * wpa_supplicant documentation for more details. **/ const char * nm_setting_802_1x_get_phase1_fast_provisioning (NMSetting8021x *setting) { g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL); return NM_SETTING_802_1X_GET_PRIVATE (setting)->phase1_fast_provisioning; } /** * nm_setting_802_1x_get_phase1_auth_flags: * @setting: the #NMSetting8021x * * Returns: the authentication flags for "phase 1". * * Since: 1.8 */ NMSetting8021xAuthFlags nm_setting_802_1x_get_phase1_auth_flags (NMSetting8021x *setting) { g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), 0); return NM_SETTING_802_1X_GET_PRIVATE (setting)->phase1_auth_flags; } /** * nm_setting_802_1x_get_phase2_auth: * @setting: the #NMSetting8021x * * Returns: the "phase 2" non-EAP (ex MD5) allowed authentication method as * specified by the #NMSetting8021x:phase2-auth property. **/ const char * nm_setting_802_1x_get_phase2_auth (NMSetting8021x *setting) { g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL); return NM_SETTING_802_1X_GET_PRIVATE (setting)->phase2_auth; } /** * nm_setting_802_1x_get_phase2_autheap: * @setting: the #NMSetting8021x * * Returns: the "phase 2" EAP-based (ex TLS) allowed authentication method as * specified by the #NMSetting8021x:phase2-autheap property. **/ const char * nm_setting_802_1x_get_phase2_autheap (NMSetting8021x *setting) { g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL); return NM_SETTING_802_1X_GET_PRIVATE (setting)->phase2_autheap; } /** * nm_setting_802_1x_get_phase2_ca_path: * @setting: the #NMSetting8021x * * Returns the path of the "phase 2" CA certificate directory if previously set. * Systems will often have a directory that contains multiple individual CA * certificates which the supplicant can then add to the verification chain. * This may be used in addition to the #NMSetting8021x:phase2-ca-cert property * to add more CA certificates for verifying the network to client. * * Returns: the "phase 2" CA certificate directory path **/ const char * nm_setting_802_1x_get_phase2_ca_path (NMSetting8021x *setting) { g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL); return NM_SETTING_802_1X_GET_PRIVATE (setting)->phase2_ca_path; } /** * nm_setting_802_1x_get_phase2_ca_cert_scheme: * @setting: the #NMSetting8021x * * Returns the scheme used to store the "phase 2" CA certificate. If the * returned scheme is %NM_SETTING_802_1X_CK_SCHEME_BLOB, use * nm_setting_802_1x_get_ca_cert_blob(); if %NM_SETTING_802_1X_CK_SCHEME_PATH, * use nm_setting_802_1x_get_ca_cert_path(); if %NM_SETTING_802_1X_CK_SCHEME_PKCS11, * use nm_setting_802_1x_get_ca_cert_uri(). * * Returns: scheme used to store the "phase 2" CA certificate (blob or path) **/ NMSetting8021xCKScheme nm_setting_802_1x_get_phase2_ca_cert_scheme (NMSetting8021x *setting) { _cert_impl_get_scheme (setting, phase2_ca_cert); } /** * nm_setting_802_1x_get_phase2_ca_cert_blob: * @setting: the #NMSetting8021x * * Returns the "phase 2" CA certificate blob if the CA certificate is stored * using the %NM_SETTING_802_1X_CK_SCHEME_BLOB scheme. Not all EAP methods use * a CA certificate (LEAP for example), and those that can take advantage of the * CA certificate allow it to be unset. Note that lack of a CA certificate * reduces security by allowing man-in-the-middle attacks, because the identity * of the network cannot be confirmed by the client. * * Returns: (transfer none): the "phase 2" CA certificate data **/ GBytes * nm_setting_802_1x_get_phase2_ca_cert_blob (NMSetting8021x *setting) { _cert_impl_get_blob (setting, phase2_ca_cert); } /** * nm_setting_802_1x_get_phase2_ca_cert_path: * @setting: the #NMSetting8021x * * Returns the "phase 2" CA certificate path if the CA certificate is stored * using the %NM_SETTING_802_1X_CK_SCHEME_PATH scheme. Not all EAP methods use * a CA certificate (LEAP for example), and those that can take advantage of the * CA certificate allow it to be unset. Note that lack of a CA certificate * reduces security by allowing man-in-the-middle attacks, because the identity * of the network cannot be confirmed by the client. * * Returns: path to the "phase 2" CA certificate file **/ const char * nm_setting_802_1x_get_phase2_ca_cert_path (NMSetting8021x *setting) { _cert_impl_get_path (setting, phase2_ca_cert); } /** * nm_setting_802_1x_get_phase2_ca_cert_uri: * @setting: the #NMSetting8021x * * Returns the "phase 2" CA certificate URI analogously to * nm_setting_802_1x_get_phase2_ca_cert_blob() and * nm_setting_802_1x_get_phase2_ca_cert_path(). * * Currently it's limited to PKCS#11 URIs ('pkcs11' scheme as defined by RFC * 7512), but may be extended to other schemes in future (such as 'file' URIs * for local files and 'data' URIs for inline certificate data). * * Returns: the URI string * * Since: 1.6 **/ const char * nm_setting_802_1x_get_phase2_ca_cert_uri (NMSetting8021x *setting) { _cert_impl_get_uri (setting, phase2_ca_cert); } /** * nm_setting_802_1x_set_phase2_ca_cert: * @setting: the #NMSetting8021x * @value: when @scheme is set to either %NM_SETTING_802_1X_CK_SCHEME_PATH * or %NM_SETTING_802_1X_CK_SCHEME_BLOB, pass the path of the "phase2" CA * certificate file (PEM or DER format). The path must be UTF-8 encoded; use * g_filename_to_utf8() to convert if needed. Passing %NULL with any @scheme * clears the "phase2" CA certificate. * @scheme: desired storage scheme for the certificate * @out_format: on successful return, the type of the certificate added * @error: on unsuccessful return, an error * * Reads a certificate from disk and sets the #NMSetting8021x:phase2-ca-cert * property with the raw certificate data if using the * %NM_SETTING_802_1X_CK_SCHEME_BLOB scheme, or with the path to the certificate * file if using the %NM_SETTING_802_1X_CK_SCHEME_PATH scheme. * * Returns: %TRUE if the operation succeeded, %FALSE if it was unsuccessful **/ gboolean nm_setting_802_1x_set_phase2_ca_cert (NMSetting8021x *setting, const char *value, NMSetting8021xCKScheme scheme, NMSetting8021xCKFormat *out_format, GError **error) { return _cert_impl_set (setting, PROP_PHASE2_CA_CERT, value, NULL, scheme, out_format, error); } /** * nm_setting_802_1x_get_phase2_ca_cert_password: * @setting: the #NMSetting8021x * * Returns: the password used to access the "phase2" CA certificate stored in * #NMSetting8021x:phase2-ca-cert property. Only makes sense if the certificate * is stored on a PKCS#11 token that requires a login. * * Since: 1.8 **/ const char * nm_setting_802_1x_get_phase2_ca_cert_password (NMSetting8021x *setting) { g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL); return NM_SETTING_802_1X_GET_PRIVATE (setting)->phase2_ca_cert_password; } /** * nm_setting_802_1x_get_phase2_ca_cert_password_flags: * @setting: the #NMSetting8021x * * Returns: the #NMSettingSecretFlags pertaining to the * #NMSetting8021x:phase2-private-key-password * * Since: 1.8 **/ NMSettingSecretFlags nm_setting_802_1x_get_phase2_ca_cert_password_flags (NMSetting8021x *setting) { g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NM_SETTING_SECRET_FLAG_NONE); return NM_SETTING_802_1X_GET_PRIVATE (setting)->phase2_ca_cert_password_flags; } /** * nm_setting_802_1x_get_phase2_subject_match: * @setting: the #NMSetting8021x * * Returns: the #NMSetting8021x:phase2-subject-match property. This is * the substring to be matched against the subject of the "phase 2" * authentication server certificate, or %NULL no subject verification * is to be performed. **/ const char * nm_setting_802_1x_get_phase2_subject_match (NMSetting8021x *setting) { g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL); return NM_SETTING_802_1X_GET_PRIVATE (setting)->phase2_subject_match; } /** * nm_setting_802_1x_get_num_phase2_altsubject_matches: * @setting: the #NMSetting8021x * * Returns the number of entries in the * #NMSetting8021x:phase2-altsubject-matches property of this setting. * * Returns: the number of phase2-altsubject-matches entries. **/ guint32 nm_setting_802_1x_get_num_phase2_altsubject_matches (NMSetting8021x *setting) { g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), 0); return g_slist_length (NM_SETTING_802_1X_GET_PRIVATE (setting)->phase2_altsubject_matches); } /** * nm_setting_802_1x_get_phase2_domain_suffix_match: * @setting: the #NMSetting8021x * * Returns: the #NMSetting8021x:phase2-domain-suffix-match property. * * Since: 1.2 **/ const char * nm_setting_802_1x_get_phase2_domain_suffix_match (NMSetting8021x *setting) { g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL); return NM_SETTING_802_1X_GET_PRIVATE (setting)->phase2_domain_suffix_match; } /** * nm_setting_802_1x_get_phase2_domain_match: * @setting: the #NMSetting8021x * * Returns: the #NMSetting8021x:phase2-domain-match property. * * Since: 1.24 **/ const char * nm_setting_802_1x_get_phase2_domain_match (NMSetting8021x *setting) { g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL); return NM_SETTING_802_1X_GET_PRIVATE (setting)->phase2_domain_match; } /** * nm_setting_802_1x_get_phase2_altsubject_match: * @setting: the #NMSettingConnection * @i: the zero-based index of the array of "phase 2" altSubjectName matches * * Returns the "phase 2" altSubjectName match at index @i. * * Returns: the "phase 2" altSubjectName match at index @i **/ const char * nm_setting_802_1x_get_phase2_altsubject_match (NMSetting8021x *setting, guint32 i) { NMSetting8021xPrivate *priv; g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL); priv = NM_SETTING_802_1X_GET_PRIVATE (setting); g_return_val_if_fail (i <= g_slist_length (priv->phase2_altsubject_matches), NULL); return (const char *) g_slist_nth_data (priv->phase2_altsubject_matches, i); } /** * nm_setting_802_1x_add_phase2_altsubject_match: * @setting: the #NMSetting8021x * @phase2_altsubject_match: the "phase 2" altSubjectName to allow for this * connection * * Adds an allowed alternate subject name match for "phase 2". Until * at least one match is added, the altSubjectName of the "phase 2" * remote authentication server is not verified. * * Returns: %TRUE if the "phase 2" alternative subject name match was * successfully added, %FALSE if it was already allowed. **/ gboolean nm_setting_802_1x_add_phase2_altsubject_match (NMSetting8021x *setting, const char *phase2_altsubject_match) { NMSetting8021xPrivate *priv; GSList *iter; g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), FALSE); g_return_val_if_fail (phase2_altsubject_match != NULL, FALSE); priv = NM_SETTING_802_1X_GET_PRIVATE (setting); for (iter = priv->phase2_altsubject_matches; iter; iter = g_slist_next (iter)) { if (!strcmp (phase2_altsubject_match, (char *) iter->data)) return FALSE; } priv->phase2_altsubject_matches = g_slist_append (priv->phase2_altsubject_matches, g_strdup (phase2_altsubject_match)); _notify (setting, PROP_PHASE2_ALTSUBJECT_MATCHES); return TRUE; } /** * nm_setting_802_1x_remove_phase2_altsubject_match: * @setting: the #NMSetting8021x * @i: the index of the "phase 2" altSubjectName match to remove * * Removes the allowed "phase 2" altSubjectName at the specified index. **/ void nm_setting_802_1x_remove_phase2_altsubject_match (NMSetting8021x *setting, guint32 i) { NMSetting8021xPrivate *priv; GSList *elt; g_return_if_fail (NM_IS_SETTING_802_1X (setting)); priv = NM_SETTING_802_1X_GET_PRIVATE (setting); elt = g_slist_nth (priv->phase2_altsubject_matches, i); g_return_if_fail (elt != NULL); g_free (elt->data); priv->phase2_altsubject_matches = g_slist_delete_link (priv->phase2_altsubject_matches, elt); _notify (setting, PROP_PHASE2_ALTSUBJECT_MATCHES); } /** * nm_setting_802_1x_remove_phase2_altsubject_match_by_value: * @setting: the #NMSetting8021x * @phase2_altsubject_match: the "phase 2" altSubjectName to remove * * Removes the allowed "phase 2" altSubjectName @phase2_altsubject_match. * * Returns: %TRUE if the alternative subject name match for "phase 2" was found and removed, * %FALSE if it was not. **/ gboolean nm_setting_802_1x_remove_phase2_altsubject_match_by_value (NMSetting8021x *setting, const char *phase2_altsubject_match) { NMSetting8021xPrivate *priv; GSList *iter; g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), FALSE); g_return_val_if_fail (phase2_altsubject_match != NULL, FALSE); priv = NM_SETTING_802_1X_GET_PRIVATE (setting); for (iter = priv->phase2_altsubject_matches; iter; iter = g_slist_next (iter)) { if (!strcmp (phase2_altsubject_match, (char *) iter->data)) { priv->phase2_altsubject_matches = g_slist_delete_link (priv->phase2_altsubject_matches, iter); _notify (setting, PROP_PHASE2_ALTSUBJECT_MATCHES); return TRUE; } } return FALSE; } /** * nm_setting_802_1x_clear_phase2_altsubject_matches: * @setting: the #NMSetting8021x * * Clears all "phase 2" altSubjectName matches. **/ void nm_setting_802_1x_clear_phase2_altsubject_matches (NMSetting8021x *setting) { NMSetting8021xPrivate *priv; g_return_if_fail (NM_IS_SETTING_802_1X (setting)); priv = NM_SETTING_802_1X_GET_PRIVATE (setting); g_slist_free_full (priv->phase2_altsubject_matches, g_free); priv->phase2_altsubject_matches = NULL; _notify (setting, PROP_PHASE2_ALTSUBJECT_MATCHES); } /** * nm_setting_802_1x_get_phase2_client_cert_scheme: * @setting: the #NMSetting8021x * * Returns the scheme used to store the "phase 2" client certificate. If the * returned scheme is %NM_SETTING_802_1X_CK_SCHEME_BLOB, use * nm_setting_802_1x_get_client_cert_blob(); if * %NM_SETTING_802_1X_CK_SCHEME_PATH, use * nm_setting_802_1x_get_client_cert_path(); if * %NM_SETTING_802_1X_CK_SCHEME_PKCS11, use * nm_setting_802_1x_get_client_cert_uri(). * * Returns: scheme used to store the "phase 2" client certificate (blob or path) **/ NMSetting8021xCKScheme nm_setting_802_1x_get_phase2_client_cert_scheme (NMSetting8021x *setting) { _cert_impl_get_scheme (setting, phase2_client_cert); } /** * nm_setting_802_1x_get_phase2_client_cert_blob: * @setting: the #NMSetting8021x * * Client certificates are used to identify the connecting client to the network * when EAP-TLS is used as either the "phase 1" or "phase 2" 802.1x * authentication method. * * Returns: (transfer none): the "phase 2" client certificate data **/ GBytes * nm_setting_802_1x_get_phase2_client_cert_blob (NMSetting8021x *setting) { _cert_impl_get_blob (setting, phase2_client_cert); } /** * nm_setting_802_1x_get_phase2_client_cert_path: * @setting: the #NMSetting8021x * * Client certificates are used to identify the connecting client to the network * when EAP-TLS is used as either the "phase 1" or "phase 2" 802.1x * authentication method. * * Returns: path to the "phase 2" client certificate file **/ const char * nm_setting_802_1x_get_phase2_client_cert_path (NMSetting8021x *setting) { _cert_impl_get_path (setting, phase2_client_cert); } /** * nm_setting_802_1x_get_phase2_client_cert_uri: * @setting: the #NMSetting8021x * * Returns the "phase 2" client certificate URI analogously to * nm_setting_802_1x_get_phase2_ca_cert_blob() and * nm_setting_802_1x_get_phase2_ca_cert_path(). * * Currently it's limited to PKCS#11 URIs ('pkcs11' scheme as defined by RFC * 7512), but may be extended to other schemes in future (such as 'file' URIs * for local files and 'data' URIs for inline certificate data). * * Returns: the URI string * * Since: 1.6 **/ const char * nm_setting_802_1x_get_phase2_client_cert_uri (NMSetting8021x *setting) { _cert_impl_get_uri (setting, phase2_client_cert); } /** * nm_setting_802_1x_set_phase2_client_cert: * @setting: the #NMSetting8021x * @value: when @scheme is set to either %NM_SETTING_802_1X_CK_SCHEME_PATH * or %NM_SETTING_802_1X_CK_SCHEME_BLOB, pass the path of the "phase2" client * certificate file (PEM, DER, or PKCS#12 format). The path must be UTF-8 * encoded; use g_filename_to_utf8() to convert if needed. Passing %NULL with * any @scheme clears the "phase2" client certificate. * @scheme: desired storage scheme for the certificate * @out_format: on successful return, the type of the certificate added * @error: on unsuccessful return, an error * * Reads a certificate from disk and sets the #NMSetting8021x:phase2-client-cert * property with the raw certificate data if using the * %NM_SETTING_802_1X_CK_SCHEME_BLOB scheme, or with the path to the certificate * file if using the %NM_SETTING_802_1X_CK_SCHEME_PATH scheme. * * Client certificates are used to identify the connecting client to the network * when EAP-TLS is used as either the "phase 1" or "phase 2" 802.1x * authentication method. * * Returns: %TRUE if the operation succeeded, %FALSE if it was unsuccessful **/ gboolean nm_setting_802_1x_set_phase2_client_cert (NMSetting8021x *setting, const char *value, NMSetting8021xCKScheme scheme, NMSetting8021xCKFormat *out_format, GError **error) { return _cert_impl_set (setting, PROP_PHASE2_CLIENT_CERT, value, NULL, scheme, out_format, error); } /** * nm_setting_802_1x_get_phase2_client_cert_password: * @setting: the #NMSetting8021x * * Returns: the password used to access the "phase2" client certificate stored in * #NMSetting8021x:phase2-client-cert property. Only makes sense if the certificate * is stored on a PKCS#11 token that requires a login. * * Since: 1.8 **/ const char * nm_setting_802_1x_get_phase2_client_cert_password (NMSetting8021x *setting) { g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL); return NM_SETTING_802_1X_GET_PRIVATE (setting)->phase2_client_cert_password; } /** * nm_setting_802_1x_get_phase2_client_cert_password_flags: * @setting: the #NMSetting8021x * * Returns: the #NMSettingSecretFlags pertaining to the * #NMSetting8021x:phase2-client-cert-password * * Since: 1.8 **/ NMSettingSecretFlags nm_setting_802_1x_get_phase2_client_cert_password_flags (NMSetting8021x *setting) { g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NM_SETTING_SECRET_FLAG_NONE); return NM_SETTING_802_1X_GET_PRIVATE (setting)->phase2_client_cert_password_flags; } /** * nm_setting_802_1x_get_password: * @setting: the #NMSetting8021x * * Returns: the password used by the authentication method, if any, as specified * by the #NMSetting8021x:password property **/ const char * nm_setting_802_1x_get_password (NMSetting8021x *setting) { g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL); return NM_SETTING_802_1X_GET_PRIVATE (setting)->password; } /** * nm_setting_802_1x_get_password_flags: * @setting: the #NMSetting8021x * * Returns: the #NMSettingSecretFlags pertaining to the #NMSetting8021x:password **/ NMSettingSecretFlags nm_setting_802_1x_get_password_flags (NMSetting8021x *setting) { g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NM_SETTING_SECRET_FLAG_NONE); return NM_SETTING_802_1X_GET_PRIVATE (setting)->password_flags; } /** * nm_setting_802_1x_get_password_raw: * @setting: the #NMSetting8021x * * Returns: (transfer none): the password used by the authentication method as a * UTF-8-encoded array of bytes, as specified by the * #NMSetting8021x:password-raw property **/ GBytes * nm_setting_802_1x_get_password_raw (NMSetting8021x *setting) { g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL); return NM_SETTING_802_1X_GET_PRIVATE (setting)->password_raw; } /** * nm_setting_802_1x_get_password_raw_flags: * @setting: the #NMSetting8021x * * Returns: the #NMSettingSecretFlags pertaining to the * #NMSetting8021x:password-raw **/ NMSettingSecretFlags nm_setting_802_1x_get_password_raw_flags (NMSetting8021x *setting) { g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NM_SETTING_SECRET_FLAG_NONE); return NM_SETTING_802_1X_GET_PRIVATE (setting)->password_raw_flags; } /** * nm_setting_802_1x_get_pin: * @setting: the #NMSetting8021x * * Returns: the PIN used by the authentication method, if any, as specified * by the #NMSetting8021x:pin property **/ const char * nm_setting_802_1x_get_pin (NMSetting8021x *setting) { g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL); return NM_SETTING_802_1X_GET_PRIVATE (setting)->pin; } /** * nm_setting_802_1x_get_pin_flags: * @setting: the #NMSetting8021x * * Returns: the #NMSettingSecretFlags pertaining to the * #NMSetting8021x:pin **/ NMSettingSecretFlags nm_setting_802_1x_get_pin_flags (NMSetting8021x *setting) { g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NM_SETTING_SECRET_FLAG_NONE); return NM_SETTING_802_1X_GET_PRIVATE (setting)->pin_flags; } /** * nm_setting_802_1x_get_private_key_scheme: * @setting: the #NMSetting8021x * * Returns the scheme used to store the private key. If the returned scheme is * %NM_SETTING_802_1X_CK_SCHEME_BLOB, use * nm_setting_802_1x_get_client_cert_blob(); if * %NM_SETTING_802_1X_CK_SCHEME_PATH, use * nm_setting_802_1x_get_client_cert_path(); if * %NM_SETTING_802_1X_CK_SCHEME_PKCS11, use * nm_setting_802_1x_get_client_cert_uri(). * * Returns: scheme used to store the private key (blob or path) **/ NMSetting8021xCKScheme nm_setting_802_1x_get_private_key_scheme (NMSetting8021x *setting) { _cert_impl_get_scheme (setting, private_key); } /** * nm_setting_802_1x_get_private_key_blob: * @setting: the #NMSetting8021x * * Private keys are used to authenticate the connecting client to the network * when EAP-TLS is used as either the "phase 1" or "phase 2" 802.1x * authentication method. * * WARNING: the private key property is not a "secret" property, and thus * unencrypted private key data may be readable by unprivileged users. Private * keys should always be encrypted with a private key password. * * Returns: (transfer none): the private key data **/ GBytes * nm_setting_802_1x_get_private_key_blob (NMSetting8021x *setting) { _cert_impl_get_blob (setting, private_key); } /** * nm_setting_802_1x_get_private_key_path: * @setting: the #NMSetting8021x * * Private keys are used to authenticate the connecting client to the network * when EAP-TLS is used as either the "phase 1" or "phase 2" 802.1x * authentication method. * * Returns: path to the private key file **/ const char * nm_setting_802_1x_get_private_key_path (NMSetting8021x *setting) { _cert_impl_get_path (setting, private_key); } /** * nm_setting_802_1x_get_private_key_uri: * @setting: the #NMSetting8021x * * Returns the private key URI analogously to * nm_setting_802_1x_get_private_key_blob() and * nm_setting_802_1x_get_private_key_path(). * * Currently it's limited to PKCS#11 URIs ('pkcs11' scheme as defined by RFC * 7512), but may be extended to other schemes in future (such as 'file' URIs * for local files and 'data' URIs for inline certificate data). * * Returns: the URI string * * Since: 1.6 **/ const char * nm_setting_802_1x_get_private_key_uri (NMSetting8021x *setting) { _cert_impl_get_uri (setting, private_key); } /** * nm_setting_802_1x_set_private_key: * @setting: the #NMSetting8021x * @value: when @scheme is set to either %NM_SETTING_802_1X_CK_SCHEME_PATH or * %NM_SETTING_802_1X_CK_SCHEME_BLOB, pass the path of the private key file * (PEM, DER, or PKCS#12 format). The path must be UTF-8 encoded; use * g_filename_to_utf8() to convert if needed. Passing %NULL with any @scheme * clears the private key. * @password: password used to decrypt the private key, or %NULL if the password * is unknown. If the password is given but fails to decrypt the private key, * an error is returned. * @scheme: desired storage scheme for the private key * @out_format: on successful return, the type of the private key added * @error: on unsuccessful return, an error * * Private keys are used to authenticate the connecting client to the network * when EAP-TLS is used as either the "phase 1" or "phase 2" 802.1x * authentication method. * * This function reads a private key from disk and sets the * #NMSetting8021x:private-key property with the private key file data if using * the %NM_SETTING_802_1X_CK_SCHEME_BLOB scheme, or with the path to the private * key file if using the %NM_SETTING_802_1X_CK_SCHEME_PATH scheme. * * If @password is given, this function attempts to decrypt the private key to * verify that @password is correct, and if it is, updates the * #NMSetting8021x:private-key-password property with the given @password. If * the decryption is unsuccessful, %FALSE is returned, @error is set, and no * internal data is changed. If no @password is given, the private key is * assumed to be valid, no decryption is performed, and the password may be set * at a later time. * * WARNING: the private key property is not a "secret" property, and thus * unencrypted private key data using the BLOB scheme may be readable by * unprivileged users. Private keys should always be encrypted with a private * key password to prevent unauthorized access to unencrypted private key data. * * Returns: %TRUE if the operation succeeded, %FALSE if it was unsuccessful **/ gboolean nm_setting_802_1x_set_private_key (NMSetting8021x *setting, const char *value, const char *password, NMSetting8021xCKScheme scheme, NMSetting8021xCKFormat *out_format, GError **error) { return _cert_impl_set (setting, PROP_PRIVATE_KEY, value, password, scheme, out_format, error); } /** * nm_setting_802_1x_get_private_key_password: * @setting: the #NMSetting8021x * * Returns: the private key password used to decrypt the private key if * previously set with nm_setting_802_1x_set_private_key(), or the * #NMSetting8021x:private-key-password property. **/ const char * nm_setting_802_1x_get_private_key_password (NMSetting8021x *setting) { g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL); return NM_SETTING_802_1X_GET_PRIVATE (setting)->private_key_password; } /** * nm_setting_802_1x_get_private_key_password_flags: * @setting: the #NMSetting8021x * * Returns: the #NMSettingSecretFlags pertaining to the * #NMSetting8021x:private-key-password **/ NMSettingSecretFlags nm_setting_802_1x_get_private_key_password_flags (NMSetting8021x *setting) { g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NM_SETTING_SECRET_FLAG_NONE); return NM_SETTING_802_1X_GET_PRIVATE (setting)->private_key_password_flags; } /** * nm_setting_802_1x_get_private_key_format: * @setting: the #NMSetting8021x * * Returns: the data format of the private key data stored in the * #NMSetting8021x:private-key property **/ NMSetting8021xCKFormat nm_setting_802_1x_get_private_key_format (NMSetting8021x *setting) { return _cert_impl_get_key_format (setting, private_key); } /** * nm_setting_802_1x_get_phase2_private_key_password: * @setting: the #NMSetting8021x * * Returns: the private key password used to decrypt the private key if * previously set with nm_setting_802_1x_set_phase2_private_key() or the * #NMSetting8021x:phase2-private-key-password property. **/ const char * nm_setting_802_1x_get_phase2_private_key_password (NMSetting8021x *setting) { g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL); return NM_SETTING_802_1X_GET_PRIVATE (setting)->phase2_private_key_password; } /** * nm_setting_802_1x_get_phase2_private_key_password_flags: * @setting: the #NMSetting8021x * * Returns: the #NMSettingSecretFlags pertaining to the * #NMSetting8021x:phase2-private-key-password **/ NMSettingSecretFlags nm_setting_802_1x_get_phase2_private_key_password_flags (NMSetting8021x *setting) { g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NM_SETTING_SECRET_FLAG_NONE); return NM_SETTING_802_1X_GET_PRIVATE (setting)->phase2_private_key_password_flags; } /** * nm_setting_802_1x_get_phase2_private_key_scheme: * @setting: the #NMSetting8021x * * Returns the scheme used to store the "phase 2" private key. If the returned * scheme is %NM_SETTING_802_1X_CK_SCHEME_BLOB, use * nm_setting_802_1x_get_client_cert_blob(); if * %NM_SETTING_802_1X_CK_SCHEME_PATH, use * nm_setting_802_1x_get_client_cert_path(); if * %NM_SETTING_802_1X_CK_SCHEME_PKCS11, use * nm_setting_802_1x_get_client_cert_uri(). * * Returns: scheme used to store the "phase 2" private key (blob or path) **/ NMSetting8021xCKScheme nm_setting_802_1x_get_phase2_private_key_scheme (NMSetting8021x *setting) { _cert_impl_get_scheme (setting, phase2_private_key); } /** * nm_setting_802_1x_get_phase2_private_key_blob: * @setting: the #NMSetting8021x * * Private keys are used to authenticate the connecting client to the network * when EAP-TLS is used as either the "phase 1" or "phase 2" 802.1x * authentication method. * * WARNING: the phase2 private key property is not a "secret" property, and thus * unencrypted private key data may be readable by unprivileged users. Private * keys should always be encrypted with a private key password. * * Returns: (transfer none): the "phase 2" private key data **/ GBytes * nm_setting_802_1x_get_phase2_private_key_blob (NMSetting8021x *setting) { _cert_impl_get_blob (setting, phase2_private_key); } /** * nm_setting_802_1x_get_phase2_private_key_path: * @setting: the #NMSetting8021x * * Private keys are used to authenticate the connecting client to the network * when EAP-TLS is used as either the "phase 1" or "phase 2" 802.1x * authentication method. * * Returns: path to the "phase 2" private key file **/ const char * nm_setting_802_1x_get_phase2_private_key_path (NMSetting8021x *setting) { _cert_impl_get_path (setting, phase2_private_key); } /** * nm_setting_802_1x_get_phase2_private_key_uri: * @setting: the #NMSetting8021x * * Returns the "phase 2" private key URI analogously to * nm_setting_802_1x_get_phase2_private_key_blob() and * nm_setting_802_1x_get_phase2_private_key_path(). * * Currently it's limited to PKCS#11 URIs ('pkcs11' scheme as defined by RFC * 7512), but may be extended to other schemes in future (such as 'file' URIs * for local files and 'data' URIs for inline certificate data). * * Returns: the URI string * * Since: 1.6 **/ const char * nm_setting_802_1x_get_phase2_private_key_uri (NMSetting8021x *setting) { _cert_impl_get_uri (setting, phase2_private_key); } /** * nm_setting_802_1x_set_phase2_private_key: * @setting: the #NMSetting8021x * @value: when @scheme is set to either %NM_SETTING_802_1X_CK_SCHEME_PATH or * %NM_SETTING_802_1X_CK_SCHEME_BLOB, pass the path of the "phase2" private * key file (PEM, DER, or PKCS#12 format). The path must be UTF-8 encoded; * use g_filename_to_utf8() to convert if needed. Passing %NULL with any * @scheme clears the private key. * @password: password used to decrypt the private key, or %NULL if the password * is unknown. If the password is given but fails to decrypt the private key, * an error is returned. * @scheme: desired storage scheme for the private key * @out_format: on successful return, the type of the private key added * @error: on unsuccessful return, an error * * Private keys are used to authenticate the connecting client to the network * when EAP-TLS is used as either the "phase 1" or "phase 2" 802.1x * authentication method. * * This function reads a private key from disk and sets the * #NMSetting8021x:phase2-private-key property with the private key file data if * using the %NM_SETTING_802_1X_CK_SCHEME_BLOB scheme, or with the path to the * private key file if using the %NM_SETTING_802_1X_CK_SCHEME_PATH scheme. * * If @password is given, this function attempts to decrypt the private key to * verify that @password is correct, and if it is, updates the * #NMSetting8021x:phase2-private-key-password property with the given * @password. If the decryption is unsuccessful, %FALSE is returned, @error is * set, and no internal data is changed. If no @password is given, the private * key is assumed to be valid, no decryption is performed, and the password may * be set at a later time. * * WARNING: the "phase2" private key property is not a "secret" property, and * thus unencrypted private key data using the BLOB scheme may be readable by * unprivileged users. Private keys should always be encrypted with a private * key password to prevent unauthorized access to unencrypted private key data. * * Returns: %TRUE if the operation succeeded, %FALSE if it was unsuccessful **/ gboolean nm_setting_802_1x_set_phase2_private_key (NMSetting8021x *setting, const char *value, const char *password, NMSetting8021xCKScheme scheme, NMSetting8021xCKFormat *out_format, GError **error) { return _cert_impl_set (setting, PROP_PHASE2_PRIVATE_KEY, value, password, scheme, out_format, error); } /** * nm_setting_802_1x_get_phase2_private_key_format: * @setting: the #NMSetting8021x * * Returns: the data format of the "phase 2" private key data stored in the * #NMSetting8021x:phase2-private-key property **/ NMSetting8021xCKFormat nm_setting_802_1x_get_phase2_private_key_format (NMSetting8021x *setting) { return _cert_impl_get_key_format (setting, phase2_private_key); } /** * nm_setting_802_1x_get_auth_timeout: * @setting: the #NMSetting8021x * * Returns the value contained in the #NMSetting8021x:auth-timeout property. * * Returns: the configured authentication timeout in seconds. Zero means the * global default value. * * Since: 1.8 **/ int nm_setting_802_1x_get_auth_timeout (NMSetting8021x *setting) { g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), 0); return NM_SETTING_802_1X_GET_PRIVATE (setting)->auth_timeout; } /** * nm_setting_802_1x_get_optional: * @setting: the #NMSetting8021x * * Returns the value contained in the #NMSetting8021x:optional property. * * Returns: %TRUE if the activation should proceed even when the 802.1X * authentication fails; %FALSE otherwise * * Since: 1.22 **/ gboolean nm_setting_802_1x_get_optional (NMSetting8021x *setting) { g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), FALSE); return NM_SETTING_802_1X_GET_PRIVATE (setting)->optional; } /*****************************************************************************/ static void need_secrets_password (NMSetting8021x *self, GPtrArray *secrets, gboolean phase2) { NMSetting8021xPrivate *priv = NM_SETTING_802_1X_GET_PRIVATE (self); if ( (!priv->password || !strlen (priv->password)) && (!priv->password_raw || !g_bytes_get_size (priv->password_raw))) { g_ptr_array_add (secrets, NM_SETTING_802_1X_PASSWORD); g_ptr_array_add (secrets, NM_SETTING_802_1X_PASSWORD_RAW); } } static void need_secrets_sim (NMSetting8021x *self, GPtrArray *secrets, gboolean phase2) { NMSetting8021xPrivate *priv = NM_SETTING_802_1X_GET_PRIVATE (self); if (!priv->pin || !strlen (priv->pin)) g_ptr_array_add (secrets, NM_SETTING_802_1X_PIN); } static gboolean need_private_key_password (GBytes *blob, NMSetting8021xCKScheme scheme, const char *path, const char *password, NMSettingSecretFlags flags) { NMCryptoFileFormat format = NM_CRYPTO_FILE_FORMAT_UNKNOWN; if (flags & NM_SETTING_SECRET_FLAG_NOT_REQUIRED) return FALSE; if ( scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11 && flags == NM_SETTING_SECRET_FLAG_NONE) return FALSE; /* Private key password is required */ if (password) { if (path) format = nm_crypto_verify_private_key (path, password, NULL, NULL); else if (blob) format = nm_crypto_verify_private_key_data (g_bytes_get_data (blob, NULL), g_bytes_get_size (blob), password, NULL, NULL); else return FALSE; } return (format == NM_CRYPTO_FILE_FORMAT_UNKNOWN); } static void need_secrets_tls (NMSetting8021x *self, GPtrArray *secrets, gboolean phase2) { NMSetting8021xPrivate *priv = NM_SETTING_802_1X_GET_PRIVATE (self); NMSetting8021xCKScheme scheme; GBytes *blob = NULL; const char *path = NULL; if (phase2) { scheme = nm_setting_802_1x_get_phase2_private_key_scheme (self); if (scheme == NM_SETTING_802_1X_CK_SCHEME_PATH) path = nm_setting_802_1x_get_phase2_private_key_path (self); else if (scheme == NM_SETTING_802_1X_CK_SCHEME_BLOB) blob = nm_setting_802_1x_get_phase2_private_key_blob (self); else if (scheme != NM_SETTING_802_1X_CK_SCHEME_PKCS11) g_warning ("%s: unknown phase2 private key scheme %d", __func__, scheme); if (need_private_key_password (blob, scheme, path, priv->phase2_private_key_password, priv->phase2_private_key_password_flags)) g_ptr_array_add (secrets, NM_SETTING_802_1X_PHASE2_PRIVATE_KEY_PASSWORD); scheme = nm_setting_802_1x_get_phase2_ca_cert_scheme (self); if ( scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11 && !( priv->phase2_ca_cert_password_flags == NM_SETTING_SECRET_FLAG_NONE || priv->phase2_ca_cert_password_flags & NM_SETTING_SECRET_FLAG_NOT_REQUIRED) && !priv->phase2_ca_cert_password) g_ptr_array_add (secrets, NM_SETTING_802_1X_PHASE2_CA_CERT_PASSWORD); scheme = nm_setting_802_1x_get_phase2_client_cert_scheme (self); if ( scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11 && !( priv->phase2_client_cert_password_flags & NM_SETTING_SECRET_FLAG_NOT_REQUIRED || priv->phase2_client_cert_password_flags == NM_SETTING_SECRET_FLAG_NONE) && !priv->phase2_client_cert_password) g_ptr_array_add (secrets, NM_SETTING_802_1X_PHASE2_CLIENT_CERT_PASSWORD); } else { scheme = nm_setting_802_1x_get_private_key_scheme (self); if (scheme == NM_SETTING_802_1X_CK_SCHEME_PATH) path = nm_setting_802_1x_get_private_key_path (self); else if (scheme == NM_SETTING_802_1X_CK_SCHEME_BLOB) blob = nm_setting_802_1x_get_private_key_blob (self); else if (scheme != NM_SETTING_802_1X_CK_SCHEME_PKCS11) g_warning ("%s: unknown private key scheme %d", __func__, scheme); if (need_private_key_password (blob, scheme, path, priv->private_key_password, priv->private_key_password_flags)) g_ptr_array_add (secrets, NM_SETTING_802_1X_PRIVATE_KEY_PASSWORD); scheme = nm_setting_802_1x_get_ca_cert_scheme (self); if ( scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11 && !( priv->ca_cert_password_flags & NM_SETTING_SECRET_FLAG_NOT_REQUIRED || priv->ca_cert_password_flags == NM_SETTING_SECRET_FLAG_NONE) && !priv->ca_cert_password) g_ptr_array_add (secrets, NM_SETTING_802_1X_CA_CERT_PASSWORD); scheme = nm_setting_802_1x_get_client_cert_scheme (self); if ( scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11 && !( priv->client_cert_password_flags == NM_SETTING_SECRET_FLAG_NONE || priv->client_cert_password_flags & NM_SETTING_SECRET_FLAG_NOT_REQUIRED) && !priv->client_cert_password) g_ptr_array_add (secrets, NM_SETTING_802_1X_CLIENT_CERT_PASSWORD); } } static gboolean verify_tls (NMSetting8021x *self, gboolean phase2, GError **error) { NMSetting8021xPrivate *priv = NM_SETTING_802_1X_GET_PRIVATE (self); if (phase2) { if (!priv->phase2_client_cert) { g_set_error_literal (error, NM_CONNECTION_ERROR, NM_CONNECTION_ERROR_MISSING_PROPERTY, _("property is missing")); g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_PHASE2_CLIENT_CERT); return FALSE; } else if (!g_bytes_get_size (priv->phase2_client_cert)) { g_set_error_literal (error, NM_CONNECTION_ERROR, NM_CONNECTION_ERROR_INVALID_PROPERTY, _("property is empty")); g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_PHASE2_CLIENT_CERT); return FALSE; } /* Private key is required for TLS */ if (!priv->phase2_private_key) { g_set_error_literal (error, NM_CONNECTION_ERROR, NM_CONNECTION_ERROR_MISSING_PROPERTY, _("property is missing")); g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_PHASE2_PRIVATE_KEY); return FALSE; } else if (!g_bytes_get_size (priv->phase2_private_key)) { g_set_error_literal (error, NM_CONNECTION_ERROR, NM_CONNECTION_ERROR_INVALID_PROPERTY, _("property is empty")); g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_PHASE2_PRIVATE_KEY); return FALSE; } /* If the private key is PKCS#12, check that it matches the client cert */ if (nm_crypto_is_pkcs12_data (g_bytes_get_data (priv->phase2_private_key, NULL), g_bytes_get_size (priv->phase2_private_key), NULL)) { if (!g_bytes_equal (priv->phase2_private_key, priv->phase2_client_cert)) { g_set_error (error, NM_CONNECTION_ERROR, NM_CONNECTION_ERROR_INVALID_PROPERTY, _("has to match '%s' property for PKCS#12"), NM_SETTING_802_1X_PHASE2_PRIVATE_KEY); g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_PHASE2_CLIENT_CERT); return FALSE; } } } else { if (!priv->client_cert) { g_set_error_literal (error, NM_CONNECTION_ERROR, NM_CONNECTION_ERROR_MISSING_PROPERTY, _("property is missing")); g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_CLIENT_CERT); return FALSE; } else if (!g_bytes_get_size (priv->client_cert)) { g_set_error_literal (error, NM_CONNECTION_ERROR, NM_CONNECTION_ERROR_INVALID_PROPERTY, _("property is empty")); g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_CLIENT_CERT); return FALSE; } /* Private key is required for TLS */ if (!priv->private_key) { g_set_error_literal (error, NM_CONNECTION_ERROR, NM_CONNECTION_ERROR_MISSING_PROPERTY, _("property is missing")); g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_PRIVATE_KEY); return FALSE; } else if (!g_bytes_get_size (priv->private_key)) { g_set_error_literal (error, NM_CONNECTION_ERROR, NM_CONNECTION_ERROR_INVALID_PROPERTY, _("property is empty")); g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_PRIVATE_KEY); return FALSE; } /* If the private key is PKCS#12, check that it matches the client cert */ if (nm_crypto_is_pkcs12_data (g_bytes_get_data (priv->private_key, NULL), g_bytes_get_size (priv->private_key), NULL)) { if (!g_bytes_equal (priv->private_key, priv->client_cert)) { g_set_error (error, NM_CONNECTION_ERROR, NM_CONNECTION_ERROR_INVALID_PROPERTY, _("has to match '%s' property for PKCS#12"), NM_SETTING_802_1X_PRIVATE_KEY); g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_CLIENT_CERT); return FALSE; } } } return TRUE; } static gboolean verify_ttls (NMSetting8021x *self, gboolean phase2, GError **error) { NMSetting8021xPrivate *priv = NM_SETTING_802_1X_GET_PRIVATE (self); if ( (!priv->identity || !strlen (priv->identity)) && (!priv->anonymous_identity || !strlen (priv->anonymous_identity))) { if (!priv->identity) { g_set_error_literal (error, NM_CONNECTION_ERROR, NM_CONNECTION_ERROR_MISSING_PROPERTY, _("property is missing")); g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_IDENTITY); } else if (!strlen (priv->identity)) { g_set_error_literal (error, NM_CONNECTION_ERROR, NM_CONNECTION_ERROR_INVALID_PROPERTY, _("property is empty")); g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_IDENTITY); } else if (!priv->anonymous_identity) { g_set_error_literal (error, NM_CONNECTION_ERROR, NM_CONNECTION_ERROR_MISSING_PROPERTY, _("property is missing")); g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_ANONYMOUS_IDENTITY); } else { g_set_error_literal (error, NM_CONNECTION_ERROR, NM_CONNECTION_ERROR_INVALID_PROPERTY, _("property is empty")); g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_ANONYMOUS_IDENTITY); } return FALSE; } if ( (!priv->phase2_auth || !strlen (priv->phase2_auth)) && (!priv->phase2_autheap || !strlen (priv->phase2_autheap))) { if (!priv->phase2_auth) { g_set_error_literal (error, NM_CONNECTION_ERROR, NM_CONNECTION_ERROR_MISSING_PROPERTY, _("property is missing")); g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_PHASE2_AUTH); } else if (!strlen (priv->phase2_auth)) { g_set_error_literal (error, NM_CONNECTION_ERROR, NM_CONNECTION_ERROR_INVALID_PROPERTY, _("property is empty")); g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_PHASE2_AUTH); } else if (!priv->phase2_autheap) { g_set_error_literal (error, NM_CONNECTION_ERROR, NM_CONNECTION_ERROR_MISSING_PROPERTY, _("property is missing")); g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_PHASE2_AUTHEAP); } else { g_set_error_literal (error, NM_CONNECTION_ERROR, NM_CONNECTION_ERROR_INVALID_PROPERTY, _("property is empty")); g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_PHASE2_AUTHEAP); } return FALSE; } return TRUE; } static gboolean verify_identity (NMSetting8021x *self, gboolean phase2, GError **error) { NMSetting8021xPrivate *priv = NM_SETTING_802_1X_GET_PRIVATE (self); if (!priv->identity) { g_set_error_literal (error, NM_CONNECTION_ERROR, NM_CONNECTION_ERROR_MISSING_PROPERTY, _("property is missing")); g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_IDENTITY); return FALSE; } else if (!strlen (priv->identity)) { g_set_error_literal (error, NM_CONNECTION_ERROR, NM_CONNECTION_ERROR_INVALID_PROPERTY, _("property is empty")); g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_IDENTITY); return FALSE; } return TRUE; } static void need_secrets_phase2 (NMSetting8021x *self, GPtrArray *secrets, gboolean phase2) { NMSetting8021xPrivate *priv = NM_SETTING_802_1X_GET_PRIVATE (self); char *method = NULL; int i; g_return_if_fail (phase2 == FALSE); /* Check phase2_auth and phase2_autheap */ method = priv->phase2_auth; if (!method && priv->phase2_autheap) method = priv->phase2_autheap; if (!method) { g_warning ("Couldn't find EAP method."); g_assert_not_reached(); return; } /* Ask the configured phase2 method if it needs secrets */ for (i = 0; eap_methods_table[i].method; i++) { if (eap_methods_table[i].ns_func == NULL) continue; if (!strcmp (eap_methods_table[i].method, method)) { (*eap_methods_table[i].ns_func) (self, secrets, TRUE); break; } } } static const EAPMethodsTable eap_methods_table[] = { { "leap", need_secrets_password, verify_identity }, { "pwd", need_secrets_password, verify_identity }, { "md5", need_secrets_password, verify_identity }, { "pap", need_secrets_password, verify_identity }, { "chap", need_secrets_password, verify_identity }, { "mschap", need_secrets_password, verify_identity }, { "mschapv2", need_secrets_password, verify_identity }, { "fast", need_secrets_password, verify_identity }, { "tls", need_secrets_tls, verify_tls }, { "peap", need_secrets_phase2, verify_ttls }, { "ttls", need_secrets_phase2, verify_ttls }, { "sim", need_secrets_sim, NULL }, { "gtc", need_secrets_password, verify_identity }, { "otp", NULL, NULL }, // FIXME: implement { "external", NULL, NULL }, { NULL, NULL, NULL } }; static gboolean verify (NMSetting *setting, NMConnection *connection, GError **error) { NMSetting8021x *self = NM_SETTING_802_1X (setting); NMSetting8021xPrivate *priv = NM_SETTING_802_1X_GET_PRIVATE (self); const char *valid_eap[] = { "leap", "md5", "tls", "peap", "ttls", "sim", "fast", "pwd", "external", NULL }; GSList *iter; if (error) g_return_val_if_fail (*error == NULL, FALSE); if ( connection && priv->optional && !nm_streq0 (nm_connection_get_connection_type (connection), NM_SETTING_WIRED_SETTING_NAME)) { g_set_error_literal (error, NM_CONNECTION_ERROR, NM_CONNECTION_ERROR_INVALID_PROPERTY, _("can be enabled only on Ethernet connections")); g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_OPTIONAL); return FALSE; } if (!priv->eap) { g_set_error_literal (error, NM_CONNECTION_ERROR, NM_CONNECTION_ERROR_MISSING_PROPERTY, _("property is missing")); g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_EAP); return FALSE; } if (!_nm_utils_string_slist_validate (priv->eap, valid_eap)) { g_set_error_literal (error, NM_CONNECTION_ERROR, NM_CONNECTION_ERROR_INVALID_PROPERTY, _("property is invalid")); g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_EAP); return FALSE; } /* Ask each configured EAP method if its valid */ for (iter = priv->eap; iter; iter = g_slist_next (iter)) { const char *method = (const char *) iter->data; int i; for (i = 0; eap_methods_table[i].method; i++) { if (eap_methods_table[i].v_func == NULL) continue; if (!strcmp (eap_methods_table[i].method, method)) { if (!(*eap_methods_table[i].v_func) (self, FALSE, error)) return FALSE; break; } } } if (!NM_IN_STRSET (priv->phase1_peapver, NULL, "0", "1")) { g_set_error (error, NM_CONNECTION_ERROR, NM_CONNECTION_ERROR_INVALID_PROPERTY, _("'%s' is not a valid value for the property"), priv->phase1_peapver); g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_PHASE1_PEAPVER); return FALSE; } if (!NM_IN_STRSET (priv->phase1_peaplabel, NULL, "0", "1")) { g_set_error (error, NM_CONNECTION_ERROR, NM_CONNECTION_ERROR_INVALID_PROPERTY, _("'%s' is not a valid value for the property"), priv->phase1_peaplabel); g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_PHASE1_PEAPLABEL); return FALSE; } if (!NM_IN_STRSET (priv->phase1_fast_provisioning, NULL, "0", "1", "2", "3")) { g_set_error (error, NM_CONNECTION_ERROR, NM_CONNECTION_ERROR_INVALID_PROPERTY, _("'%s' is not a valid value for the property"), priv->phase1_fast_provisioning); g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_PHASE1_FAST_PROVISIONING); return FALSE; } if (NM_FLAGS_ANY (priv->phase1_auth_flags, ~NM_SETTING_802_1X_AUTH_FLAGS_ALL)) { g_set_error_literal (error, NM_CONNECTION_ERROR, NM_CONNECTION_ERROR_INVALID_PROPERTY, _("invalid auth flags")); g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_PHASE1_AUTH_FLAGS); return FALSE; } if (!NM_IN_STRSET (priv->phase2_auth, NULL, "pap", "chap", "mschap", "mschapv2", "gtc", "otp", "md5", "tls")) { g_set_error (error, NM_CONNECTION_ERROR, NM_CONNECTION_ERROR_INVALID_PROPERTY, _("'%s' is not a valid value for the property"), priv->phase2_auth); g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_PHASE2_AUTH); return FALSE; } if (!NM_IN_STRSET (priv->phase2_autheap, NULL, "md5", "mschapv2", "otp", "gtc", "tls")) { g_set_error (error, NM_CONNECTION_ERROR, NM_CONNECTION_ERROR_INVALID_PROPERTY, _("'%s' is not a valid value for the property"), priv->phase2_autheap); g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_PHASE2_AUTHEAP); return FALSE; } if (!_cert_verify_property (priv->ca_cert, NM_SETTING_802_1X_CA_CERT, priv->ca_cert_password, NM_SETTING_802_1X_CA_CERT_PASSWORD, error)) return FALSE; if (!_cert_verify_property (priv->phase2_ca_cert, NM_SETTING_802_1X_PHASE2_CA_CERT, priv->phase2_ca_cert_password, NM_SETTING_802_1X_PHASE2_CA_CERT_PASSWORD, error)) return FALSE; if (!_cert_verify_property (priv->client_cert, NM_SETTING_802_1X_CLIENT_CERT, priv->client_cert_password, NM_SETTING_802_1X_CLIENT_CERT_PASSWORD, error)) return FALSE; if (!_cert_verify_property (priv->phase2_client_cert, NM_SETTING_802_1X_PHASE2_CLIENT_CERT, priv->phase2_client_cert_password, NM_SETTING_802_1X_PHASE2_CLIENT_CERT_PASSWORD, error)) return FALSE; if (!_cert_verify_property (priv->private_key, NM_SETTING_802_1X_PRIVATE_KEY, NULL, NULL, error)) return FALSE; if (!_cert_verify_property (priv->phase2_private_key, NM_SETTING_802_1X_PHASE2_PRIVATE_KEY, NULL, NULL, error)) return FALSE; return TRUE; } /*****************************************************************************/ static GPtrArray * need_secrets (NMSetting *setting) { NMSetting8021x *self = NM_SETTING_802_1X (setting); NMSetting8021xPrivate *priv = NM_SETTING_802_1X_GET_PRIVATE (self); GSList *iter; GPtrArray *secrets; gboolean eap_method_found = FALSE; secrets = g_ptr_array_sized_new (4); /* Ask each configured EAP method if it needs secrets */ for (iter = priv->eap; iter && !eap_method_found; iter = g_slist_next (iter)) { const char *method = (const char *) iter->data; int i; for (i = 0; eap_methods_table[i].method; i++) { if (eap_methods_table[i].ns_func == NULL) continue; if (!strcmp (eap_methods_table[i].method, method)) { (*eap_methods_table[i].ns_func) (self, secrets, FALSE); /* Only break out of the outer loop if this EAP method * needed secrets. */ if (secrets->len > 0) eap_method_found = TRUE; break; } } } if (secrets->len == 0) { g_ptr_array_free (secrets, TRUE); return NULL; } return secrets; } /*****************************************************************************/ static void get_property (GObject *object, guint prop_id, GValue *value, GParamSpec *pspec) { NMSetting8021x *setting = NM_SETTING_802_1X (object); NMSetting8021xPrivate *priv = NM_SETTING_802_1X_GET_PRIVATE (setting); switch (prop_id) { case PROP_EAP: g_value_take_boxed (value, _nm_utils_slist_to_strv (priv->eap, TRUE)); break; case PROP_IDENTITY: g_value_set_string (value, priv->identity); break; case PROP_ANONYMOUS_IDENTITY: g_value_set_string (value, priv->anonymous_identity); break; case PROP_PAC_FILE: g_value_set_string (value, priv->pac_file); break; case PROP_CA_CERT: g_value_set_boxed (value, priv->ca_cert); break; case PROP_CA_CERT_PASSWORD: g_value_set_string (value, priv->ca_cert_password); break; case PROP_CA_CERT_PASSWORD_FLAGS: g_value_set_flags (value, priv->ca_cert_password_flags); break; case PROP_CA_PATH: g_value_set_string (value, priv->ca_path); break; case PROP_SUBJECT_MATCH: g_value_set_string (value, priv->subject_match); break; case PROP_ALTSUBJECT_MATCHES: g_value_take_boxed (value, _nm_utils_slist_to_strv (priv->altsubject_matches, TRUE)); break; case PROP_DOMAIN_SUFFIX_MATCH: g_value_set_string (value, priv->domain_suffix_match); break; case PROP_DOMAIN_MATCH: g_value_set_string (value, priv->domain_match); break; case PROP_CLIENT_CERT: g_value_set_boxed (value, priv->client_cert); break; case PROP_CLIENT_CERT_PASSWORD: g_value_set_string (value, priv->client_cert_password); break; case PROP_CLIENT_CERT_PASSWORD_FLAGS: g_value_set_flags (value, priv->client_cert_password_flags); break; case PROP_PHASE1_PEAPVER: g_value_set_string (value, priv->phase1_peapver); break; case PROP_PHASE1_PEAPLABEL: g_value_set_string (value, priv->phase1_peaplabel); break; case PROP_PHASE1_FAST_PROVISIONING: g_value_set_string (value, priv->phase1_fast_provisioning); break; case PROP_PHASE1_AUTH_FLAGS: g_value_set_uint (value, priv->phase1_auth_flags); break; case PROP_PHASE2_AUTH: g_value_set_string (value, priv->phase2_auth); break; case PROP_PHASE2_AUTHEAP: g_value_set_string (value, priv->phase2_autheap); break; case PROP_PHASE2_CA_CERT: g_value_set_boxed (value, priv->phase2_ca_cert); break; case PROP_PHASE2_CA_CERT_PASSWORD: g_value_set_string (value, priv->phase2_ca_cert_password); break; case PROP_PHASE2_CA_CERT_PASSWORD_FLAGS: g_value_set_flags (value, priv->phase2_ca_cert_password_flags); break; case PROP_PHASE2_CA_PATH: g_value_set_string (value, priv->phase2_ca_path); break; case PROP_PHASE2_SUBJECT_MATCH: g_value_set_string (value, priv->phase2_subject_match); break; case PROP_PHASE2_ALTSUBJECT_MATCHES: g_value_take_boxed (value, _nm_utils_slist_to_strv (priv->phase2_altsubject_matches, TRUE)); break; case PROP_PHASE2_DOMAIN_SUFFIX_MATCH: g_value_set_string (value, priv->phase2_domain_suffix_match); break; case PROP_PHASE2_DOMAIN_MATCH: g_value_set_string (value, priv->phase2_domain_match); break; case PROP_PHASE2_CLIENT_CERT: g_value_set_boxed (value, priv->phase2_client_cert); break; case PROP_PHASE2_CLIENT_CERT_PASSWORD: g_value_set_string (value, priv->phase2_client_cert_password); break; case PROP_PHASE2_CLIENT_CERT_PASSWORD_FLAGS: g_value_set_flags (value, priv->phase2_client_cert_password_flags); break; case PROP_PASSWORD: g_value_set_string (value, priv->password); break; case PROP_PASSWORD_FLAGS: g_value_set_flags (value, priv->password_flags); break; case PROP_PASSWORD_RAW: g_value_set_boxed (value, priv->password_raw); break; case PROP_PASSWORD_RAW_FLAGS: g_value_set_flags (value, priv->password_raw_flags); break; case PROP_PRIVATE_KEY: g_value_set_boxed (value, priv->private_key); break; case PROP_PRIVATE_KEY_PASSWORD: g_value_set_string (value, priv->private_key_password); break; case PROP_PRIVATE_KEY_PASSWORD_FLAGS: g_value_set_flags (value, priv->private_key_password_flags); break; case PROP_PHASE2_PRIVATE_KEY: g_value_set_boxed (value, priv->phase2_private_key); break; case PROP_PHASE2_PRIVATE_KEY_PASSWORD: g_value_set_string (value, priv->phase2_private_key_password); break; case PROP_PHASE2_PRIVATE_KEY_PASSWORD_FLAGS: g_value_set_flags (value, priv->phase2_private_key_password_flags); break; case PROP_PIN: g_value_set_string (value, priv->pin); break; case PROP_PIN_FLAGS: g_value_set_flags (value, priv->pin_flags); break; case PROP_SYSTEM_CA_CERTS: g_value_set_boolean (value, priv->system_ca_certs); break; case PROP_AUTH_TIMEOUT: g_value_set_int (value, priv->auth_timeout); break; case PROP_OPTIONAL: g_value_set_boolean (value, priv->optional); break; default: G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec); break; } } static void set_property (GObject *object, guint prop_id, const GValue *value, GParamSpec *pspec) { NMSetting8021x *setting = NM_SETTING_802_1X (object); NMSetting8021xPrivate *priv = NM_SETTING_802_1X_GET_PRIVATE (setting); switch (prop_id) { case PROP_EAP: g_slist_free_full (priv->eap, g_free); priv->eap = _nm_utils_strv_to_slist (g_value_get_boxed (value), TRUE); break; case PROP_IDENTITY: g_free (priv->identity); priv->identity = g_value_dup_string (value); break; case PROP_ANONYMOUS_IDENTITY: g_free (priv->anonymous_identity); priv->anonymous_identity = g_value_dup_string (value); break; case PROP_PAC_FILE: g_free (priv->pac_file); priv->pac_file = g_value_dup_string (value); break; case PROP_CA_CERT: g_bytes_unref (priv->ca_cert); priv->ca_cert = g_value_dup_boxed (value); break; case PROP_CA_CERT_PASSWORD: g_free (priv->ca_cert_password); priv->ca_cert_password = g_value_dup_string (value); break; case PROP_CA_CERT_PASSWORD_FLAGS: priv->ca_cert_password_flags = g_value_get_flags (value); break; case PROP_CA_PATH: g_free (priv->ca_path); priv->ca_path = g_value_dup_string (value); break; case PROP_SUBJECT_MATCH: g_free (priv->subject_match); priv->subject_match = nm_strdup_not_empty (g_value_get_string (value)); break; case PROP_ALTSUBJECT_MATCHES: g_slist_free_full (priv->altsubject_matches, g_free); priv->altsubject_matches = _nm_utils_strv_to_slist (g_value_get_boxed (value), TRUE); break; case PROP_DOMAIN_SUFFIX_MATCH: g_free (priv->domain_suffix_match); priv->domain_suffix_match = nm_strdup_not_empty (g_value_get_string (value)); break; case PROP_DOMAIN_MATCH: g_free (priv->domain_match); priv->domain_match = nm_strdup_not_empty (g_value_get_string (value)); break; case PROP_CLIENT_CERT: g_bytes_unref (priv->client_cert); priv->client_cert = g_value_dup_boxed (value); break; case PROP_CLIENT_CERT_PASSWORD: g_free (priv->client_cert_password); priv->client_cert_password = g_value_dup_string (value); break; case PROP_CLIENT_CERT_PASSWORD_FLAGS: priv->client_cert_password_flags = g_value_get_flags (value); break; case PROP_PHASE1_PEAPVER: g_free (priv->phase1_peapver); priv->phase1_peapver = g_value_dup_string (value); break; case PROP_PHASE1_PEAPLABEL: g_free (priv->phase1_peaplabel); priv->phase1_peaplabel = g_value_dup_string (value); break; case PROP_PHASE1_FAST_PROVISIONING: g_free (priv->phase1_fast_provisioning); priv->phase1_fast_provisioning = g_value_dup_string (value); break; case PROP_PHASE1_AUTH_FLAGS: priv->phase1_auth_flags = g_value_get_uint (value); break; case PROP_PHASE2_AUTH: g_free (priv->phase2_auth); priv->phase2_auth = g_value_dup_string (value); break; case PROP_PHASE2_AUTHEAP: g_free (priv->phase2_autheap); priv->phase2_autheap = g_value_dup_string (value); break; case PROP_PHASE2_CA_CERT: g_bytes_unref (priv->phase2_ca_cert); priv->phase2_ca_cert = g_value_dup_boxed (value); break; case PROP_PHASE2_CA_CERT_PASSWORD: g_free (priv->phase2_ca_cert_password); priv->phase2_ca_cert_password = g_value_dup_string (value); break; case PROP_PHASE2_CA_CERT_PASSWORD_FLAGS: priv->phase2_ca_cert_password_flags = g_value_get_flags (value); break; case PROP_PHASE2_CA_PATH: g_free (priv->phase2_ca_path); priv->phase2_ca_path = g_value_dup_string (value); break; case PROP_PHASE2_SUBJECT_MATCH: g_free (priv->phase2_subject_match); priv->phase2_subject_match = nm_strdup_not_empty (g_value_get_string (value)); break; case PROP_PHASE2_ALTSUBJECT_MATCHES: g_slist_free_full (priv->phase2_altsubject_matches, g_free); priv->phase2_altsubject_matches = _nm_utils_strv_to_slist (g_value_get_boxed (value), TRUE); break; case PROP_PHASE2_DOMAIN_SUFFIX_MATCH: g_free (priv->phase2_domain_suffix_match); priv->phase2_domain_suffix_match = nm_strdup_not_empty (g_value_get_string (value)); break; case PROP_PHASE2_DOMAIN_MATCH: g_free (priv->phase2_domain_match); priv->phase2_domain_match = nm_strdup_not_empty (g_value_get_string (value)); break; case PROP_PHASE2_CLIENT_CERT: g_bytes_unref (priv->phase2_client_cert); priv->phase2_client_cert = g_value_dup_boxed (value); break; case PROP_PHASE2_CLIENT_CERT_PASSWORD: g_free (priv->phase2_client_cert_password); priv->phase2_client_cert_password = g_value_dup_string (value); break; case PROP_PHASE2_CLIENT_CERT_PASSWORD_FLAGS: priv->phase2_client_cert_password_flags = g_value_get_flags (value); break; case PROP_PASSWORD: g_free (priv->password); priv->password = g_value_dup_string (value); break; case PROP_PASSWORD_FLAGS: priv->password_flags = g_value_get_flags (value); break; case PROP_PASSWORD_RAW: g_bytes_unref (priv->password_raw); priv->password_raw = g_value_dup_boxed (value); break; case PROP_PASSWORD_RAW_FLAGS: priv->password_raw_flags = g_value_get_flags (value); break; case PROP_PRIVATE_KEY: g_bytes_unref (priv->private_key); priv->private_key = g_value_dup_boxed (value); break; case PROP_PRIVATE_KEY_PASSWORD: nm_free_secret (priv->private_key_password); priv->private_key_password = g_value_dup_string (value); break; case PROP_PRIVATE_KEY_PASSWORD_FLAGS: priv->private_key_password_flags = g_value_get_flags (value); break; case PROP_PHASE2_PRIVATE_KEY: g_bytes_unref (priv->phase2_private_key); priv->phase2_private_key = g_value_dup_boxed (value); break; case PROP_PHASE2_PRIVATE_KEY_PASSWORD: nm_free_secret (priv->phase2_private_key_password); priv->phase2_private_key_password = g_value_dup_string (value); break; case PROP_PHASE2_PRIVATE_KEY_PASSWORD_FLAGS: priv->phase2_private_key_password_flags = g_value_get_flags (value); break; case PROP_PIN: g_free (priv->pin); priv->pin = g_value_dup_string (value); break; case PROP_PIN_FLAGS: priv->pin_flags = g_value_get_flags (value); break; case PROP_SYSTEM_CA_CERTS: priv->system_ca_certs = g_value_get_boolean (value); break; case PROP_AUTH_TIMEOUT: priv->auth_timeout = g_value_get_int (value); break; case PROP_OPTIONAL: priv->optional = g_value_get_boolean (value); break; default: G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec); break; } } /*****************************************************************************/ static void nm_setting_802_1x_init (NMSetting8021x *setting) { } /** * nm_setting_802_1x_new: * * Creates a new #NMSetting8021x object with default values. * * Returns: the new empty #NMSetting8021x object **/ NMSetting * nm_setting_802_1x_new (void) { return (NMSetting *) g_object_new (NM_TYPE_SETTING_802_1X, NULL); } static void finalize (GObject *object) { NMSetting8021x *self = NM_SETTING_802_1X (object); NMSetting8021xPrivate *priv = NM_SETTING_802_1X_GET_PRIVATE (self); g_free (priv->identity); g_free (priv->anonymous_identity); g_free (priv->ca_path); g_free (priv->subject_match); g_free (priv->domain_suffix_match); g_free (priv->phase1_peapver); g_free (priv->phase1_peaplabel); g_free (priv->phase1_fast_provisioning); g_free (priv->phase2_auth); g_free (priv->phase2_autheap); g_free (priv->phase2_ca_path); g_free (priv->phase2_subject_match); g_free (priv->phase2_domain_suffix_match); g_free (priv->password); g_bytes_unref (priv->password_raw); g_free (priv->pin); g_slist_free_full (priv->eap, g_free); g_slist_free_full (priv->altsubject_matches, g_free); g_slist_free_full (priv->phase2_altsubject_matches, g_free); g_bytes_unref (priv->ca_cert); g_free (priv->ca_cert_password); g_bytes_unref (priv->client_cert); g_free (priv->client_cert_password); g_bytes_unref (priv->private_key); nm_free_secret (priv->private_key_password); g_bytes_unref (priv->phase2_ca_cert); g_free (priv->phase2_ca_cert_password); g_bytes_unref (priv->phase2_client_cert); g_free (priv->phase2_client_cert_password); g_bytes_unref (priv->phase2_private_key); nm_free_secret (priv->phase2_private_key_password); G_OBJECT_CLASS (nm_setting_802_1x_parent_class)->finalize (object); } static void nm_setting_802_1x_class_init (NMSetting8021xClass *klass) { GObjectClass *object_class = G_OBJECT_CLASS (klass); NMSettingClass *setting_class = NM_SETTING_CLASS (klass); g_type_class_add_private (klass, sizeof (NMSetting8021xPrivate)); object_class->get_property = get_property; object_class->set_property = set_property; object_class->finalize = finalize; setting_class->verify = verify; setting_class->need_secrets = need_secrets; /** * NMSetting8021x:eap: * * The allowed EAP method to be used when authenticating to the network with * 802.1x. Valid methods are: "leap", "md5", "tls", "peap", "ttls", "pwd", * and "fast". Each method requires different configuration using the * properties of this setting; refer to wpa_supplicant documentation for the * allowed combinations. **/ /* ---ifcfg-rh--- * property: eap * variable: IEEE_8021X_EAP_METHODS(+) * values: "LEAP", "PWD", "TLS", "PEAP", "TTLS", "FAST" * description: EAP method for 802.1X authentication. * example: IEEE_8021X_EAP_METHODS=PEAP * ---end--- */ obj_properties[PROP_EAP] = g_param_spec_boxed (NM_SETTING_802_1X_EAP, "", "", G_TYPE_STRV, G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS); /** * NMSetting8021x:identity: * * Identity string for EAP authentication methods. Often the user's user or * login name. **/ /* ---ifcfg-rh--- * property: identity * variable: IEEE_8021X_IDENTITY(+) * description: Identity for EAP authentication methods. * example: IEEE_8021X_IDENTITY=itsme * ---end--- */ obj_properties[PROP_IDENTITY] = g_param_spec_string (NM_SETTING_802_1X_IDENTITY, "", "", NULL, G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS); /** * NMSetting8021x:anonymous-identity: * * Anonymous identity string for EAP authentication methods. Used as the * unencrypted identity with EAP types that support different tunneled * identity like EAP-TTLS. **/ /* ---ifcfg-rh--- * property: anonymous-identity * variable: IEEE_8021X_ANON_IDENTITY(+) * description: Anonymous identity for EAP authentication methods. * ---end--- */ obj_properties[PROP_ANONYMOUS_IDENTITY] = g_param_spec_string (NM_SETTING_802_1X_ANONYMOUS_IDENTITY, "", "", NULL, G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS); /** * NMSetting8021x:pac-file: * * UTF-8 encoded file path containing PAC for EAP-FAST. **/ /* ---ifcfg-rh--- * property: pac-file * variable: IEEE_8021X_PAC_FILE(+) * description: File with PAC (Protected Access Credential) for EAP-FAST. * example: IEEE_8021X_PAC_FILE=/home/joe/my-fast.pac * ---end--- */ obj_properties[PROP_PAC_FILE] = g_param_spec_string (NM_SETTING_802_1X_PAC_FILE, "", "", NULL, G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS); /** * NMSetting8021x:ca-cert: * * Contains the CA certificate if used by the EAP method specified in the * #NMSetting8021x:eap property. * * Certificate data is specified using a "scheme"; two are currently * supported: blob and path. When using the blob scheme (which is backwards * compatible with NM 0.7.x) this property should be set to the * certificate's DER encoded data. When using the path scheme, this property * should be set to the full UTF-8 encoded path of the certificate, prefixed * with the string "file://" and ending with a terminating NUL byte. This * property can be unset even if the EAP method supports CA certificates, * but this allows man-in-the-middle attacks and is NOT recommended. * * Setting this property directly is discouraged; use the * nm_setting_802_1x_set_ca_cert() function instead. **/ /* ---ifcfg-rh--- * property: ca-cert * variable: IEEE_8021X_CA_CERT(+) * description: CA certificate for EAP. * example: IEEE_8021X_CA_CERT=/home/joe/cacert.crt * ---end--- */ obj_properties[PROP_CA_CERT] = g_param_spec_boxed (NM_SETTING_802_1X_CA_CERT, "", "", G_TYPE_BYTES, G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS); /** * NMSetting8021x:ca-cert-password: * * The password used to access the CA certificate stored in * #NMSetting8021x:ca-cert property. Only makes sense if the certificate * is stored on a PKCS#11 token that requires a login. * * Since: 1.8 **/ /* ---ifcfg-rh--- * ---end--- */ obj_properties[PROP_CA_CERT_PASSWORD] = g_param_spec_string (NM_SETTING_802_1X_CA_CERT_PASSWORD, "", "", NULL, G_PARAM_READWRITE | NM_SETTING_PARAM_SECRET | G_PARAM_STATIC_STRINGS); /** * NMSetting8021x:ca-cert-password-flags: * * Flags indicating how to handle the #NMSetting8021x:ca-cert-password property. * * Since: 1.8 **/ /* ---ifcfg-rh--- * ---end--- */ obj_properties[PROP_CA_CERT_PASSWORD_FLAGS] = g_param_spec_flags (NM_SETTING_802_1X_CA_CERT_PASSWORD_FLAGS, "", "", NM_TYPE_SETTING_SECRET_FLAGS, NM_SETTING_SECRET_FLAG_NONE, G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS); /** * NMSetting8021x:ca-path: * * UTF-8 encoded path to a directory containing PEM or DER formatted * certificates to be added to the verification chain in addition to the * certificate specified in the #NMSetting8021x:ca-cert property. **/ /* ---ifcfg-rh--- * property: ca-path * variable: (none) * description: The property is not handled by ifcfg-rh plugin. * ---end--- */ obj_properties[PROP_CA_PATH] = g_param_spec_string (NM_SETTING_802_1X_CA_PATH, "", "", NULL, G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS); /** * NMSetting8021x:subject-match: * * Substring to be matched against the subject of the certificate presented * by the authentication server. When unset, no verification of the * authentication server certificate's subject is performed. This property * provides little security, if any, and its use is deprecated in favor of * NMSetting8021x:domain-suffix-match. **/ /* ---ifcfg-rh--- * property: subject-match * variable: IEEE_8021X_SUBJECT_MATCH(+) * description: Substring to match subject of server certificate against. * example: IEEE_8021X_SUBJECT_MATCH="Red Hat" * ---end--- */ obj_properties[PROP_SUBJECT_MATCH] = g_param_spec_string (NM_SETTING_802_1X_SUBJECT_MATCH, "", "", NULL, G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS); /** * NMSetting8021x:altsubject-matches: * * List of strings to be matched against the altSubjectName of the * certificate presented by the authentication server. If the list is empty, * no verification of the server certificate's altSubjectName is performed. **/ /* ---ifcfg-rh--- * property: altsubject-matches * variable: IEEE_8021X_ALTSUBJECT_MATCHES(+) * description: List of strings to be matched against the altSubjectName. * example: IEEE_8021X_ALTSUBJECT_MATCHES="s1.domain.cc" * ---end--- */ obj_properties[PROP_ALTSUBJECT_MATCHES] = g_param_spec_boxed (NM_SETTING_802_1X_ALTSUBJECT_MATCHES, "", "", G_TYPE_STRV, G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS); /** * NMSetting8021x:domain-suffix-match: * * Constraint for server domain name. If set, this FQDN is used as a suffix * match requirement for dNSName element(s) of the certificate presented by * the authentication server. If a matching dNSName is found, this * constraint is met. If no dNSName values are present, this constraint is * matched against SubjectName CN using same suffix match comparison. * Since version 1.24, multiple valid FQDNs can be passed as a ";" delimited * list. * * Since: 1.2 **/ /* ---ifcfg-rh--- * property: domain-suffix-match * description: Suffix to match domain of server certificate against. * variable: IEEE_8021X_DOMAIN_SUFFIX_MATCH(+) * ---end--- */ obj_properties[PROP_DOMAIN_SUFFIX_MATCH] = g_param_spec_string (NM_SETTING_802_1X_DOMAIN_SUFFIX_MATCH, "", "", NULL, G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS); /** * NMSetting8021x:domain-match: * * Constraint for server domain name. If set, this list of FQDNs is used as * a match requirement for dNSName element(s) of the certificate presented * by the authentication server. If a matching dNSName is found, this * constraint is met. If no dNSName values are present, this constraint is * matched against SubjectName CN using the same comparison. * Multiple valid FQDNs can be passed as a ";" delimited list. * * Since: 1.24 **/ /* ---ifcfg-rh--- * property: domain-match * description: Value to match domain of server certificate against. * variable: IEEE_8021X_DOMAIN_MATCH(+) * ---end--- */ obj_properties[PROP_DOMAIN_MATCH] = g_param_spec_string (NM_SETTING_802_1X_DOMAIN_MATCH, "", "", NULL, G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS); /** * NMSetting8021x:client-cert: * * Contains the client certificate if used by the EAP method specified in * the #NMSetting8021x:eap property. * * Certificate data is specified using a "scheme"; two are currently * supported: blob and path. When using the blob scheme (which is backwards * compatible with NM 0.7.x) this property should be set to the * certificate's DER encoded data. When using the path scheme, this property * should be set to the full UTF-8 encoded path of the certificate, prefixed * with the string "file://" and ending with a terminating NUL byte. * * Setting this property directly is discouraged; use the * nm_setting_802_1x_set_client_cert() function instead. **/ /* ---ifcfg-rh--- * property: client-cert * variable: IEEE_8021X_CLIENT_CERT(+) * description: Client certificate for EAP. * example: IEEE_8021X_CLIENT_CERT=/home/joe/mycert.crt * ---end--- */ obj_properties[PROP_CLIENT_CERT] = g_param_spec_boxed (NM_SETTING_802_1X_CLIENT_CERT, "", "", G_TYPE_BYTES, G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS); /** * NMSetting8021x:client-cert-password: * * The password used to access the client certificate stored in * #NMSetting8021x:client-cert property. Only makes sense if the certificate * is stored on a PKCS#11 token that requires a login. * * Since: 1.8 **/ /* ---ifcfg-rh--- * ---end--- */ obj_properties[PROP_CLIENT_CERT_PASSWORD] = g_param_spec_string (NM_SETTING_802_1X_CLIENT_CERT_PASSWORD, "", "", NULL, G_PARAM_READWRITE | NM_SETTING_PARAM_SECRET | G_PARAM_STATIC_STRINGS); /** * NMSetting8021x:client-cert-password-flags: * * Flags indicating how to handle the #NMSetting8021x:client-cert-password property. * * Since: 1.8 **/ /* ---ifcfg-rh--- * ---end--- */ obj_properties[PROP_CLIENT_CERT_PASSWORD_FLAGS] = g_param_spec_flags (NM_SETTING_802_1X_CLIENT_CERT_PASSWORD_FLAGS, "", "", NM_TYPE_SETTING_SECRET_FLAGS, NM_SETTING_SECRET_FLAG_NONE, G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS); /** * NMSetting8021x:phase1-peapver: * * Forces which PEAP version is used when PEAP is set as the EAP method in * the #NMSetting8021x:eap property. When unset, the version reported by * the server will be used. Sometimes when using older RADIUS servers, it * is necessary to force the client to use a particular PEAP version. To do * so, this property may be set to "0" or "1" to force that specific PEAP * version. **/ /* ---ifcfg-rh--- * property: phase1-peapver * variable: IEEE_8021X_PEAP_VERSION(+) * values: 0, 1 * description: Use to force a specific PEAP version. * ---end--- */ obj_properties[PROP_PHASE1_PEAPVER] = g_param_spec_string (NM_SETTING_802_1X_PHASE1_PEAPVER, "", "", NULL, G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS); /** * NMSetting8021x:phase1-peaplabel: * * Forces use of the new PEAP label during key derivation. Some RADIUS * servers may require forcing the new PEAP label to interoperate with * PEAPv1. Set to "1" to force use of the new PEAP label. See the * wpa_supplicant documentation for more details. **/ /* ---ifcfg-rh--- * property: phase1-peaplabel * variable: IEEE_8021X_PEAP_FORCE_NEW_LABEL(+) * values: yes, no * default: no * description: Use to force the new PEAP label during key derivation. * ---end--- */ obj_properties[PROP_PHASE1_PEAPLABEL] = g_param_spec_string (NM_SETTING_802_1X_PHASE1_PEAPLABEL, "", "", NULL, G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS); /** * NMSetting8021x:phase1-fast-provisioning: * * Enables or disables in-line provisioning of EAP-FAST credentials when * FAST is specified as the EAP method in the #NMSetting8021x:eap property. * Recognized values are "0" (disabled), "1" (allow unauthenticated * provisioning), "2" (allow authenticated provisioning), and "3" (allow * both authenticated and unauthenticated provisioning). See the * wpa_supplicant documentation for more details. **/ /* ---ifcfg-rh--- * property: phase1-fast-provisioning * variable: IEEE_8021X_FAST_PROVISIONING(+) * values: space-separated list of these values [allow-auth, allow-unauth] * description: Enable in-line provisioning of EAP-FAST credentials. * example: IEEE_8021X_FAST_PROVISIONING="allow-auth allow-unauth" * ---end--- */ obj_properties[PROP_PHASE1_FAST_PROVISIONING] = g_param_spec_string (NM_SETTING_802_1X_PHASE1_FAST_PROVISIONING, "", "", NULL, G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS); /** * NMSetting8021x:phase1-auth-flags: * * Specifies authentication flags to use in "phase 1" outer * authentication using #NMSetting8021xAuthFlags options. * The individual TLS versions can be explicitly disabled. If a certain * TLS disable flag is not set, it is up to the supplicant to allow * or forbid it. The TLS options map to tls_disable_tlsv1_x settings. * See the wpa_supplicant documentation for more details. * * Since: 1.8 */ /* ---ifcfg-rh--- * property: phase1-auth-flags * variable: IEEE_8021X_PHASE1_AUTH_FLAGS(+) * values: space-separated list of authentication flags names * description: Authentication flags for the supplicant * example: IEEE_8021X_PHASE1_AUTH_FLAGS="tls-1-0-disable tls-1-1-disable" * ---end--- */ obj_properties[PROP_PHASE1_AUTH_FLAGS] = g_param_spec_uint (NM_SETTING_802_1X_PHASE1_AUTH_FLAGS, "", "", 0, G_MAXUINT32, NM_SETTING_802_1X_AUTH_FLAGS_NONE, G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS); /** * NMSetting8021x:phase2-auth: * * Specifies the allowed "phase 2" inner non-EAP authentication method when * an EAP method that uses an inner TLS tunnel is specified in the * #NMSetting8021x:eap property. Recognized non-EAP "phase 2" methods are * "pap", "chap", "mschap", "mschapv2", "gtc", "otp", "md5", and "tls". * Each "phase 2" inner method requires specific parameters for successful * authentication; see the wpa_supplicant documentation for more details. **/ /* ---ifcfg-rh--- * property: phase2-auth * variable: IEEE_8021X_INNER_AUTH_METHODS(+) * values: "PAP", "CHAP", "MSCHAP", "MSCHAPV2", "GTC", "OTP", "MD5" and "TLS" * description: Inner non-EAP authentication methods. IEEE_8021X_INNER_AUTH_METHODS * can contain values both for 'phase2-auth' and 'phase2-autheap' properties. * example: IEEE_8021X_INNER_AUTH_METHODS=PAP * ---end--- */ obj_properties[PROP_PHASE2_AUTH] = g_param_spec_string (NM_SETTING_802_1X_PHASE2_AUTH, "", "", NULL, G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS); /** * NMSetting8021x:phase2-autheap: * * Specifies the allowed "phase 2" inner EAP-based authentication method * when an EAP method that uses an inner TLS tunnel is specified in the * #NMSetting8021x:eap property. Recognized EAP-based "phase 2" methods are * "md5", "mschapv2", "otp", "gtc", and "tls". Each "phase 2" inner method * requires specific parameters for successful authentication; see the * wpa_supplicant documentation for more details. **/ /* ---ifcfg-rh--- * property: phase2-autheap * variable: IEEE_8021X_INNER_AUTH_METHODS(+) * values: "EAP-MD5", "EAP-MSCHAPV2", "EAP-GTC", "EAP-OTP" and "EAP-TLS" * description: Inner EAP-based authentication methods. Note that * IEEE_8021X_INNER_AUTH_METHODS is also used for 'phase2-auth' values. * example: IEEE_8021X_INNER_AUTH_METHODS="MSCHAPV2 EAP-TLS" * ---end--- */ obj_properties[PROP_PHASE2_AUTHEAP] = g_param_spec_string (NM_SETTING_802_1X_PHASE2_AUTHEAP, "", "", NULL, G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS); /** * NMSetting8021x:phase2-ca-cert: * * Contains the "phase 2" CA certificate if used by the EAP method specified * in the #NMSetting8021x:phase2-auth or #NMSetting8021x:phase2-autheap * properties. * * Certificate data is specified using a "scheme"; two are currently * supported: blob and path. When using the blob scheme (which is backwards * compatible with NM 0.7.x) this property should be set to the * certificate's DER encoded data. When using the path scheme, this property * should be set to the full UTF-8 encoded path of the certificate, prefixed * with the string "file://" and ending with a terminating NUL byte. This * property can be unset even if the EAP method supports CA certificates, * but this allows man-in-the-middle attacks and is NOT recommended. * * Setting this property directly is discouraged; use the * nm_setting_802_1x_set_phase2_ca_cert() function instead. **/ obj_properties[PROP_PHASE2_CA_CERT] = g_param_spec_boxed (NM_SETTING_802_1X_PHASE2_CA_CERT, "", "", G_TYPE_BYTES, G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS); /** * NMSetting8021x:phase2-ca-cert-password: * * The password used to access the "phase2" CA certificate stored in * #NMSetting8021x:phase2-ca-cert property. Only makes sense if the certificate * is stored on a PKCS#11 token that requires a login. * * Since: 1.8 **/ /* ---ifcfg-rh--- * ---end--- */ obj_properties[PROP_PHASE2_CA_CERT_PASSWORD] = g_param_spec_string (NM_SETTING_802_1X_PHASE2_CA_CERT_PASSWORD, "", "", NULL, G_PARAM_READWRITE | NM_SETTING_PARAM_SECRET | G_PARAM_STATIC_STRINGS); /** * NMSetting8021x:phase2-ca-cert-password-flags: * * Flags indicating how to handle the #NMSetting8021x:phase2-ca-cert-password property. * * Since: 1.8 **/ /* ---ifcfg-rh--- * ---end--- */ obj_properties[PROP_PHASE2_CA_CERT_PASSWORD_FLAGS] = g_param_spec_flags (NM_SETTING_802_1X_PHASE2_CA_CERT_PASSWORD_FLAGS, "", "", NM_TYPE_SETTING_SECRET_FLAGS, NM_SETTING_SECRET_FLAG_NONE, G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS); /** * NMSetting8021x:phase2-ca-path: * * UTF-8 encoded path to a directory containing PEM or DER formatted * certificates to be added to the verification chain in addition to the * certificate specified in the #NMSetting8021x:phase2-ca-cert property. **/ obj_properties[PROP_PHASE2_CA_PATH] = g_param_spec_string (NM_SETTING_802_1X_PHASE2_CA_PATH, "", "", NULL, G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS); /** * NMSetting8021x:phase2-subject-match: * * Substring to be matched against the subject of the certificate presented * by the authentication server during the inner "phase 2" * authentication. When unset, no verification of the authentication server * certificate's subject is performed. This property provides little security, * if any, and its use is deprecated in favor of * NMSetting8021x:phase2-domain-suffix-match. **/ /* ---ifcfg-rh--- * property: phase2-subject-match * variable: IEEE_8021X_PHASE2_SUBJECT_MATCH(+) * description: Substring to match subject of server certificate against. * example: IEEE_8021X_PHASE2_SUBJECT_MATCH="Red Hat" * ---end--- */ obj_properties[PROP_PHASE2_SUBJECT_MATCH] = g_param_spec_string (NM_SETTING_802_1X_PHASE2_SUBJECT_MATCH, "", "", NULL, G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS); /** * NMSetting8021x:phase2-altsubject-matches: * * List of strings to be matched against the altSubjectName of the * certificate presented by the authentication server during the inner * "phase 2" authentication. If the list is empty, no verification of the * server certificate's altSubjectName is performed. **/ /* ---ifcfg-rh--- * property: phase2-altsubject-matches * variable: IEEE_8021X_PHASE2_ALTSUBJECT_MATCHES(+) * ---end--- */ obj_properties[PROP_PHASE2_ALTSUBJECT_MATCHES] = g_param_spec_boxed (NM_SETTING_802_1X_PHASE2_ALTSUBJECT_MATCHES, "", "", G_TYPE_STRV, G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS); /** * NMSetting8021x:phase2-domain-suffix-match: * * Constraint for server domain name. If set, this FQDN is used as a suffix * match requirement for dNSName element(s) of the certificate presented by * the authentication server during the inner "phase 2" authentication. If * a matching dNSName is found, this constraint is met. If no dNSName * values are present, this constraint is matched against SubjectName CN * using same suffix match comparison. * Since version 1.24, multiple valid FQDNs can be passed as a ";" delimited * list. * * Since: 1.2 **/ /* ---ifcfg-rh--- * property: phase2-domain-suffix-match * description: Suffix to match domain of server certificate for phase 2 against. * variable: IEEE_8021X_PHASE2_DOMAIN_SUFFIX_MATCH(+) * ---end--- */ obj_properties[PROP_PHASE2_DOMAIN_SUFFIX_MATCH] = g_param_spec_string (NM_SETTING_802_1X_PHASE2_DOMAIN_SUFFIX_MATCH, "", "", NULL, G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS); /** * NMSetting8021x:phase2-domain-match: * * Constraint for server domain name. If set, this list of FQDNs is used as * a match requirement for dNSName element(s) of the certificate presented * by the authentication server during the inner "phase 2" authentication. * If a matching dNSName is found, this constraint is met. If no dNSName * values are present, this constraint is matched against SubjectName CN * using the same comparison. * Multiple valid FQDNs can be passed as a ";" delimited list. * * Since: 1.24 **/ /* ---ifcfg-rh--- * property: phase2-domain-match * description: Value to match domain of server certificate for phase 2 against. * variable: IEEE_8021X_PHASE2_DOMAIN_MATCH(+) * ---end--- */ obj_properties[PROP_PHASE2_DOMAIN_MATCH] = g_param_spec_string (NM_SETTING_802_1X_PHASE2_DOMAIN_MATCH, "", "", NULL, G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS); /** * NMSetting8021x:phase2-client-cert: * * Contains the "phase 2" client certificate if used by the EAP method * specified in the #NMSetting8021x:phase2-auth or * #NMSetting8021x:phase2-autheap properties. * * Certificate data is specified using a "scheme"; two are currently * supported: blob and path. When using the blob scheme (which is backwards * compatible with NM 0.7.x) this property should be set to the * certificate's DER encoded data. When using the path scheme, this property * should be set to the full UTF-8 encoded path of the certificate, prefixed * with the string "file://" and ending with a terminating NUL byte. This * property can be unset even if the EAP method supports CA certificates, * but this allows man-in-the-middle attacks and is NOT recommended. * * Setting this property directly is discouraged; use the * nm_setting_802_1x_set_phase2_client_cert() function instead. **/ /* ---ifcfg-rh--- * property: phase2-client-cert * variable: IEEE_8021X_INNER_CLIENT_CERT(+) * description: Client certificate for inner EAP method. * example: IEEE_8021X_INNER_CLIENT_CERT=/home/joe/mycert.crt * ---end--- */ obj_properties[PROP_PHASE2_CLIENT_CERT] = g_param_spec_boxed (NM_SETTING_802_1X_PHASE2_CLIENT_CERT, "", "", G_TYPE_BYTES, G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS); /** * NMSetting8021x:phase2-client-cert-password: * * The password used to access the "phase2" client certificate stored in * #NMSetting8021x:phase2-client-cert property. Only makes sense if the certificate * is stored on a PKCS#11 token that requires a login. * * Since: 1.8 **/ /* ---ifcfg-rh--- * ---end--- */ obj_properties[PROP_PHASE2_CLIENT_CERT_PASSWORD] = g_param_spec_string (NM_SETTING_802_1X_PHASE2_CLIENT_CERT_PASSWORD, "", "", NULL, G_PARAM_READWRITE | NM_SETTING_PARAM_SECRET | G_PARAM_STATIC_STRINGS); /** * NMSetting8021x:phase2-client-cert-password-flags: * * Flags indicating how to handle the #NMSetting8021x:phase2-client-cert-password property. * * Since: 1.8 **/ /* ---ifcfg-rh--- * ---end--- */ obj_properties[PROP_PHASE2_CLIENT_CERT_PASSWORD_FLAGS] = g_param_spec_flags (NM_SETTING_802_1X_PHASE2_CLIENT_CERT_PASSWORD_FLAGS, "", "", NM_TYPE_SETTING_SECRET_FLAGS, NM_SETTING_SECRET_FLAG_NONE, G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS); /** * NMSetting8021x:password: * * UTF-8 encoded password used for EAP authentication methods. If both the * #NMSetting8021x:password property and the #NMSetting8021x:password-raw * property are specified, #NMSetting8021x:password is preferred. **/ /* ---ifcfg-rh--- * property: password * variable: IEEE_8021X_PASSWORD(+) * description: UTF-8 encoded password used for EAP. It can also go to "key-" * lookaside file, or it can be owned by a secret agent. * ---end--- */ obj_properties[PROP_PASSWORD] = g_param_spec_string (NM_SETTING_802_1X_PASSWORD, "", "", NULL, G_PARAM_READWRITE | NM_SETTING_PARAM_SECRET | G_PARAM_STATIC_STRINGS); /** * NMSetting8021x:password-flags: * * Flags indicating how to handle the #NMSetting8021x:password property. **/ /* ---ifcfg-rh--- * property: password-flags * variable: IEEE_8021X_PASSWORD_FLAGS(+) * format: NMSettingSecretFlags * description: Password flags for IEEE_8021X_PASSWORD password. * ---end--- */ obj_properties[PROP_PASSWORD_FLAGS] = g_param_spec_flags (NM_SETTING_802_1X_PASSWORD_FLAGS, "", "", NM_TYPE_SETTING_SECRET_FLAGS, NM_SETTING_SECRET_FLAG_NONE, G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS); /** * NMSetting8021x:password-raw: * * Password used for EAP authentication methods, given as a byte array to * allow passwords in other encodings than UTF-8 to be used. If both the * #NMSetting8021x:password property and the #NMSetting8021x:password-raw * property are specified, #NMSetting8021x:password is preferred. **/ /* ---ifcfg-rh--- * property: password-raw * variable: IEEE_8021X_PASSWORD_RAW(+) * description: password used for EAP, encoded as a hexadecimal string. It * can also go to "key-" lookaside file. * example: IEEE_8021X_PASSWORD_RAW=041c8320083aa4bf * ---end--- */ obj_properties[PROP_PASSWORD_RAW] = g_param_spec_boxed (NM_SETTING_802_1X_PASSWORD_RAW, "", "", G_TYPE_BYTES, G_PARAM_READWRITE | NM_SETTING_PARAM_SECRET | G_PARAM_STATIC_STRINGS); /** * NMSetting8021x:password-raw-flags: * * Flags indicating how to handle the #NMSetting8021x:password-raw property. **/ /* ---ifcfg-rh--- * property: password-raw-flags * variable: (none) * description: The property is not handled by ifcfg-rh plugin. * ---end--- */ obj_properties[PROP_PASSWORD_RAW_FLAGS] = g_param_spec_flags (NM_SETTING_802_1X_PASSWORD_RAW_FLAGS, "", "", NM_TYPE_SETTING_SECRET_FLAGS, NM_SETTING_SECRET_FLAG_NONE, G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS); /** * NMSetting8021x:private-key: * * Contains the private key when the #NMSetting8021x:eap property is set to * "tls". * * Key data is specified using a "scheme"; two are currently supported: blob * and path. When using the blob scheme and private keys, this property * should be set to the key's encrypted PEM encoded data. When using private * keys with the path scheme, this property should be set to the full UTF-8 * encoded path of the key, prefixed with the string "file://" and ending * with a terminating NUL byte. When using PKCS#12 format private * keys and the blob scheme, this property should be set to the * PKCS#12 data and the #NMSetting8021x:private-key-password * property must be set to password used to decrypt the PKCS#12 * certificate and key. When using PKCS#12 files and the path * scheme, this property should be set to the full UTF-8 encoded path of the * key, prefixed with the string "file://" and ending with a terminating * NUL byte, and as with the blob scheme the "private-key-password" property * must be set to the password used to decode the PKCS#12 private * key and certificate. * * Setting this property directly is discouraged; use the * nm_setting_802_1x_set_private_key() function instead. * * WARNING: #NMSetting8021x:private-key is not a "secret" property, and thus * unencrypted private key data using the BLOB scheme may be readable by * unprivileged users. Private keys should always be encrypted with a * private key password to prevent unauthorized access to unencrypted * private key data. **/ /* ---ifcfg-rh--- * property: private-key * variable: IEEE_8021X_PRIVATE_KEY(+) * description: Private key for EAP-TLS. * example: IEEE_8021X_PRIVATE_KEY=/home/joe/mykey.p12 * ---end--- */ obj_properties[PROP_PRIVATE_KEY] = g_param_spec_boxed (NM_SETTING_802_1X_PRIVATE_KEY, "", "", G_TYPE_BYTES, G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS); /** * NMSetting8021x:private-key-password: * * The password used to decrypt the private key specified in the * #NMSetting8021x:private-key property when the private key either uses the * path scheme, or if the private key is a PKCS#12 format key. Setting this * property directly is not generally necessary except when returning * secrets to NetworkManager; it is generally set automatically when setting * the private key by the nm_setting_802_1x_set_private_key() function. **/ /* ---ifcfg-rh--- * property: private-key-password * variable: IEEE_8021X_PRIVATE_KEY_PASSWORD(+) * description: Password for IEEE_8021X_PRIVATE_KEY. It can also go to "key-" * lookaside file, or it can be owned by a secret agent. * ---end--- */ obj_properties[PROP_PRIVATE_KEY_PASSWORD] = g_param_spec_string (NM_SETTING_802_1X_PRIVATE_KEY_PASSWORD, "", "", NULL, G_PARAM_READWRITE | NM_SETTING_PARAM_SECRET | G_PARAM_STATIC_STRINGS); /** * NMSetting8021x:private-key-password-flags: * * Flags indicating how to handle the #NMSetting8021x:private-key-password * property. **/ /* ---ifcfg-rh--- * property: private-key-password-flags * variable: IEEE_8021X_PRIVATE_KEY_PASSWORD_FLAGS(+) * format: NMSettingSecretFlags * description: Password flags for IEEE_8021X_PRIVATE_KEY_PASSWORD password. * ---end--- */ obj_properties[PROP_PRIVATE_KEY_PASSWORD_FLAGS] = g_param_spec_flags (NM_SETTING_802_1X_PRIVATE_KEY_PASSWORD_FLAGS, "", "", NM_TYPE_SETTING_SECRET_FLAGS, NM_SETTING_SECRET_FLAG_NONE, G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS); /** * NMSetting8021x:phase2-private-key: * * Contains the "phase 2" inner private key when the * #NMSetting8021x:phase2-auth or #NMSetting8021x:phase2-autheap property is * set to "tls". * * Key data is specified using a "scheme"; two are currently supported: blob * and path. When using the blob scheme and private keys, this property * should be set to the key's encrypted PEM encoded data. When using private * keys with the path scheme, this property should be set to the full UTF-8 * encoded path of the key, prefixed with the string "file://" and ending * with a terminating NUL byte. When using PKCS#12 format private * keys and the blob scheme, this property should be set to the * PKCS#12 data and the #NMSetting8021x:phase2-private-key-password * property must be set to password used to decrypt the PKCS#12 * certificate and key. When using PKCS#12 files and the path * scheme, this property should be set to the full UTF-8 encoded path of the * key, prefixed with the string "file://" and ending with a terminating * NUL byte, and as with the blob scheme the * #NMSetting8021x:phase2-private-key-password property must be set to the * password used to decode the PKCS#12 private key and certificate. * * Setting this property directly is discouraged; use the * nm_setting_802_1x_set_phase2_private_key() function instead. **/ /* ---ifcfg-rh--- * property: phase2-private-key * variable: IEEE_8021X_INNER_PRIVATE_KEY(+) * description: Private key for inner authentication method for EAP-TLS. * ---end--- */ obj_properties[PROP_PHASE2_PRIVATE_KEY] = g_param_spec_boxed (NM_SETTING_802_1X_PHASE2_PRIVATE_KEY, "", "", G_TYPE_BYTES, G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS); /** * NMSetting8021x:phase2-private-key-password: * * The password used to decrypt the "phase 2" private key specified in the * #NMSetting8021x:phase2-private-key property when the private key either * uses the path scheme, or is a PKCS#12 format key. Setting this * property directly is not generally necessary except when returning * secrets to NetworkManager; it is generally set automatically when setting * the private key by the nm_setting_802_1x_set_phase2_private_key() * function. **/ /* ---ifcfg-rh--- * property: phase2-private-key-password * variable: IEEE_8021X_INNER_PRIVATE_KEY_PASSWORD(+) * description: Password for IEEE_8021X_INNER_PRIVATE_KEY. It can also go to "key-" * lookaside file, or it can be owned by a secret agent. * ---end--- */ obj_properties[PROP_PHASE2_PRIVATE_KEY_PASSWORD] = g_param_spec_string (NM_SETTING_802_1X_PHASE2_PRIVATE_KEY_PASSWORD, "", "", NULL, G_PARAM_READWRITE | NM_SETTING_PARAM_SECRET | G_PARAM_STATIC_STRINGS); /** * NMSetting8021x:phase2-private-key-password-flags: * * Flags indicating how to handle the * #NMSetting8021x:phase2-private-key-password property. **/ /* ---ifcfg-rh--- * property: phase2-private-key-password-flags * variable: IEEE_8021X_INNER_PRIVATE_KEY_PASSWORD_FLAGS(+) * format: NMSettingSecretFlags * description: Password flags for IEEE_8021X_INNER_PRIVATE_KEY_PASSWORD password. * ---end--- */ obj_properties[PROP_PHASE2_PRIVATE_KEY_PASSWORD_FLAGS] = g_param_spec_flags (NM_SETTING_802_1X_PHASE2_PRIVATE_KEY_PASSWORD_FLAGS, "", "", NM_TYPE_SETTING_SECRET_FLAGS, NM_SETTING_SECRET_FLAG_NONE, G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS); /** * NMSetting8021x:pin: * * PIN used for EAP authentication methods. **/ /* ---ifcfg-rh--- * property: pin * variable: (none) * description: The property is not handled by ifcfg-rh plugin. * ---end--- */ obj_properties[PROP_PIN] = g_param_spec_string (NM_SETTING_802_1X_PIN, "", "", NULL, G_PARAM_READWRITE | NM_SETTING_PARAM_SECRET | G_PARAM_STATIC_STRINGS); /** * NMSetting8021x:pin-flags: * * Flags indicating how to handle the #NMSetting8021x:pin property. **/ /* ---ifcfg-rh--- * property: pin-flags * variable: (none) * description: The property is not handled by ifcfg-rh plugin. * ---end--- */ obj_properties[PROP_PIN_FLAGS] = g_param_spec_flags (NM_SETTING_802_1X_PIN_FLAGS, "", "", NM_TYPE_SETTING_SECRET_FLAGS, NM_SETTING_SECRET_FLAG_NONE, G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS); /** * NMSetting8021x:system-ca-certs: * * When %TRUE, overrides the #NMSetting8021x:ca-path and * #NMSetting8021x:phase2-ca-path properties using the system CA directory * specified at configure time with the --system-ca-path switch. The * certificates in this directory are added to the verification chain in * addition to any certificates specified by the #NMSetting8021x:ca-cert and * #NMSetting8021x:phase2-ca-cert properties. If the path provided with * --system-ca-path is rather a file name (bundle of trusted CA certificates), * it overrides #NMSetting8021x:ca-cert and #NMSetting8021x:phase2-ca-cert * properties instead (sets ca_cert/ca_cert2 options for wpa_supplicant). **/ /* ---ifcfg-rh--- * property: system-ca-certs * variable: (none) * description: The property is not handled by ifcfg-rh plugin. * ---end--- */ obj_properties[PROP_SYSTEM_CA_CERTS] = g_param_spec_boolean (NM_SETTING_802_1X_SYSTEM_CA_CERTS, "", "", FALSE, G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS); /** * NMSetting8021x:auth-timeout: * * A timeout for the authentication. Zero means the global default; if the * global default is not set, the authentication timeout is 25 seconds. * * Since: 1.8 **/ /* ---ifcfg-rh--- * property: auth-timeout * variable: IEEE_8021X_AUTH_TIMEOUT(+) * default: 0 * description: Timeout in seconds for the 802.1X authentication. Zero means the global default or 25. * ---end--- */ obj_properties[PROP_AUTH_TIMEOUT] = g_param_spec_int (NM_SETTING_802_1X_AUTH_TIMEOUT, "", "", 0, G_MAXINT32, 0, G_PARAM_READWRITE | NM_SETTING_PARAM_FUZZY_IGNORE | G_PARAM_STATIC_STRINGS); /** * NMSetting8021x:optional: * * Whether the 802.1X authentication is optional. If %TRUE, the activation * will continue even after a timeout or an authentication failure. Setting * the property to %TRUE is currently allowed only for Ethernet connections. * If set to %FALSE, the activation can continue only after a successful * authentication. * * Since: 1.22 **/ /* ---ifcfg-rh--- * property: optional * variable: IEEE_8021X_OPTIONAL(+) * default=no * description: whether the 802.1X authentication is optional * ---end--- */ obj_properties[PROP_OPTIONAL] = g_param_spec_boolean (NM_SETTING_802_1X_OPTIONAL, "", "", FALSE, G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS); g_object_class_install_properties (object_class, _PROPERTY_ENUMS_LAST, obj_properties); _nm_setting_class_commit (setting_class, NM_META_SETTING_TYPE_802_1X); }