1 /* -*- Mode: C; tab-width: 4; indent-tabs-mode: t; c-basic-offset: 4 -*- */
4 * This library is free software; you can redistribute it and/or
5 * modify it under the terms of the GNU Lesser General Public
6 * License as published by the Free Software Foundation; either
7 * version 2 of the License, or (at your option) any later version.
9 * This library is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12 * Lesser General Public License for more details.
14 * You should have received a copy of the GNU Lesser General Public
15 * License along with this library; if not, write to the
16 * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
17 * Boston, MA 02110-1301 USA.
19 * Copyright 2007 - 2013 Red Hat, Inc.
20 * Copyright 2007 - 2008 Novell, Inc.
23 #include "nm-default.h"
25 #include "nm-setting-8021x.h"
28 #include <dbus/dbus-glib.h>
30 #include "nm-param-spec-specialized.h"
32 #include "nm-dbus-glib-types.h"
34 #include "nm-utils-private.h"
35 #include "nm-setting-private.h"
38 * SECTION:nm-setting-8021x
39 * @short_description: Describes 802.1x-authenticated connection properties
40 * @include: nm-setting-8021x.h
42 * The #NMSetting8021x object is a #NMSetting subclass that describes
43 * properties necessary for connection to 802.1x-authenticated networks, such as
44 * WPA and WPA2 Enterprise Wi-Fi networks and wired 802.1x networks. 802.1x
45 * connections typically use certificates and/or EAP authentication methods to
46 * securely verify, identify, and authenticate the client to the network itself,
47 * instead of simply relying on a widely shared static key.
49 * It's a good idea to read up on wpa_supplicant configuration before using this
50 * setting extensively, since most of the options here correspond closely with
51 * the relevant wpa_supplicant configuration options.
53 * Furthermore, to get a good idea of 802.1x, EAP, TLS, TTLS, etc and their
54 * applications to Wi-Fi and wired networks, you'll want to get copies of the
57 * 802.11 Wireless Networks: The Definitive Guide, Second Edition
58 * Author: Matthew Gast
59 * ISBN: 978-0596100520
61 * Cisco Wireless LAN Security
62 * Authors: Krishna Sankar, Sri Sundaralingam, Darrin Miller, and Andrew Balinsky
63 * ISBN: 978-1587051548
66 #define SCHEME_PATH "file://"
69 * nm_setting_802_1x_error_quark:
71 * Registers an error quark for #NMSetting8021x if necessary.
73 * Returns: the error quark used for #NMSetting8021x errors.
76 nm_setting_802_1x_error_quark (void)
80 if (G_UNLIKELY (!quark))
81 quark = g_quark_from_static_string ("nm-setting-802-1x-error-quark");
85 G_DEFINE_TYPE_WITH_CODE (NMSetting8021x, nm_setting_802_1x, NM_TYPE_SETTING,
86 _nm_register_setting (NM_SETTING_802_1X_SETTING_NAME,
89 NM_SETTING_802_1X_ERROR))
90 NM_SETTING_REGISTER_TYPE (NM_TYPE_SETTING_802_1X)
92 #define NM_SETTING_802_1X_GET_PRIVATE(o) (G_TYPE_INSTANCE_GET_PRIVATE ((o), NM_TYPE_SETTING_802_1X, NMSetting8021xPrivate))
94 G_STATIC_ASSERT ( (NM_SETTING_802_1X_CK_FORMAT_UNKNOWN == (NMSetting8021xCKFormat) NM_CRYPTO_FILE_FORMAT_UNKNOWN) );
95 G_STATIC_ASSERT ( (NM_SETTING_802_1X_CK_FORMAT_X509 == (NMSetting8021xCKFormat) NM_CRYPTO_FILE_FORMAT_X509) );
96 G_STATIC_ASSERT ( (NM_SETTING_802_1X_CK_FORMAT_RAW_KEY == (NMSetting8021xCKFormat) NM_CRYPTO_FILE_FORMAT_RAW_KEY) );
97 G_STATIC_ASSERT ( (NM_SETTING_802_1X_CK_FORMAT_PKCS12 == (NMSetting8021xCKFormat) NM_CRYPTO_FILE_FORMAT_PKCS12) );
100 GSList *eap; /* GSList of strings */
102 char *anonymous_identity;
107 GSList *altsubject_matches;
108 GByteArray *client_cert;
109 char *phase1_peapver;
110 char *phase1_peaplabel;
111 char *phase1_fast_provisioning;
113 char *phase2_autheap;
114 GByteArray *phase2_ca_cert;
115 char *phase2_ca_path;
116 char *phase2_subject_match;
117 GSList *phase2_altsubject_matches;
118 GByteArray *phase2_client_cert;
120 NMSettingSecretFlags password_flags;
121 GByteArray *password_raw;
122 NMSettingSecretFlags password_raw_flags;
124 NMSettingSecretFlags pin_flags;
125 GByteArray *private_key;
126 char *private_key_password;
127 NMSettingSecretFlags private_key_password_flags;
128 GByteArray *phase2_private_key;
129 char *phase2_private_key_password;
130 NMSettingSecretFlags phase2_private_key_password_flags;
131 gboolean system_ca_certs;
132 } NMSetting8021xPrivate;
138 PROP_ANONYMOUS_IDENTITY,
143 PROP_ALTSUBJECT_MATCHES,
146 PROP_PHASE1_PEAPLABEL,
147 PROP_PHASE1_FAST_PROVISIONING,
152 PROP_PHASE2_SUBJECT_MATCH,
153 PROP_PHASE2_ALTSUBJECT_MATCHES,
154 PROP_PHASE2_CLIENT_CERT,
158 PROP_PASSWORD_RAW_FLAGS,
160 PROP_PRIVATE_KEY_PASSWORD,
161 PROP_PRIVATE_KEY_PASSWORD_FLAGS,
162 PROP_PHASE2_PRIVATE_KEY,
163 PROP_PHASE2_PRIVATE_KEY_PASSWORD,
164 PROP_PHASE2_PRIVATE_KEY_PASSWORD_FLAGS,
167 PROP_SYSTEM_CA_CERTS,
173 * nm_setting_802_1x_new:
175 * Creates a new #NMSetting8021x object with default values.
177 * Returns: the new empty #NMSetting8021x object
180 nm_setting_802_1x_new (void)
182 return (NMSetting *) g_object_new (NM_TYPE_SETTING_802_1X, NULL);
186 * nm_setting_802_1x_get_num_eap_methods:
187 * @setting: the #NMSetting8021x
189 * Returns the number of eap methods allowed for use when connecting to the
190 * network. Generally only one EAP method is used. Use the functions
191 * nm_setting_802_1x_get_eap_method(), nm_setting_802_1x_add_eap_method(),
192 * and nm_setting_802_1x_remove_eap_method() for adding, removing, and retrieving
193 * allowed EAP methods.
195 * Returns: the number of allowed EAP methods
198 nm_setting_802_1x_get_num_eap_methods (NMSetting8021x *setting)
200 g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), 0);
202 return g_slist_length (NM_SETTING_802_1X_GET_PRIVATE (setting)->eap);
206 * nm_setting_802_1x_get_eap_method:
207 * @setting: the #NMSetting8021x
208 * @i: the index of the EAP method name to return
210 * Returns the name of the allowed EAP method at index @i.
212 * Returns: the name of the allowed EAP method at index @i
215 nm_setting_802_1x_get_eap_method (NMSetting8021x *setting, guint32 i)
217 NMSetting8021xPrivate *priv;
219 g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);
221 priv = NM_SETTING_802_1X_GET_PRIVATE (setting);
222 g_return_val_if_fail (i <= g_slist_length (priv->eap), NULL);
224 return (const char *) g_slist_nth_data (priv->eap, i);
228 * nm_setting_802_1x_add_eap_method:
229 * @setting: the #NMSetting8021x
230 * @eap: the name of the EAP method to allow for this connection
232 * Adds an allowed EAP method. The setting is not valid until at least one
233 * EAP method has been added. See #NMSetting8021x:eap property for a list of
234 * allowed EAP methods.
236 * Returns: %TRUE if the EAP method was successfully added, %FALSE if it was
237 * not a valid method or if it was already allowed.
240 nm_setting_802_1x_add_eap_method (NMSetting8021x *setting, const char *eap)
242 NMSetting8021xPrivate *priv;
245 g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), FALSE);
246 g_return_val_if_fail (eap != NULL, FALSE);
248 priv = NM_SETTING_802_1X_GET_PRIVATE (setting);
249 for (iter = priv->eap; iter; iter = g_slist_next (iter)) {
250 if (!strcmp (eap, (char *) iter->data))
254 priv->eap = g_slist_append (priv->eap, g_ascii_strdown (eap, -1));
255 g_object_notify (G_OBJECT (setting), NM_SETTING_802_1X_EAP);
260 * nm_setting_802_1x_remove_eap_method:
261 * @setting: the #NMSetting8021x
262 * @i: the index of the EAP method to remove
264 * Removes the allowed EAP method at the specified index.
267 nm_setting_802_1x_remove_eap_method (NMSetting8021x *setting, guint32 i)
269 NMSetting8021xPrivate *priv;
272 g_return_if_fail (NM_IS_SETTING_802_1X (setting));
274 priv = NM_SETTING_802_1X_GET_PRIVATE (setting);
275 elt = g_slist_nth (priv->eap, i);
276 g_return_if_fail (elt != NULL);
279 priv->eap = g_slist_delete_link (priv->eap, elt);
280 g_object_notify (G_OBJECT (setting), NM_SETTING_802_1X_EAP);
284 * nm_setting_802_1x_remove_eap_method_by_value:
285 * @setting: the #NMSetting8021x
286 * @eap: the name of the EAP method to remove
288 * Removes the allowed EAP method @method.
290 * Returns: %TRUE if the EAP method was founs and removed, %FALSE if it was not.
295 nm_setting_802_1x_remove_eap_method_by_value (NMSetting8021x *setting,
298 NMSetting8021xPrivate *priv;
301 g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), FALSE);
302 g_return_val_if_fail (eap != NULL, FALSE);
304 priv = NM_SETTING_802_1X_GET_PRIVATE (setting);
305 for (iter = priv->eap; iter; iter = g_slist_next (iter)) {
306 if (!strcmp (eap, (char *) iter->data)) {
307 priv->eap = g_slist_delete_link (priv->eap, iter);
308 g_object_notify (G_OBJECT (setting), NM_SETTING_802_1X_EAP);
316 * nm_setting_802_1x_clear_eap_methods:
317 * @setting: the #NMSetting8021x
319 * Clears all allowed EAP methods.
322 nm_setting_802_1x_clear_eap_methods (NMSetting8021x *setting)
324 NMSetting8021xPrivate *priv;
326 g_return_if_fail (NM_IS_SETTING_802_1X (setting));
328 priv = NM_SETTING_802_1X_GET_PRIVATE (setting);
329 g_slist_free_full (priv->eap, g_free);
331 g_object_notify (G_OBJECT (setting), NM_SETTING_802_1X_EAP);
335 * nm_setting_802_1x_get_identity:
336 * @setting: the #NMSetting8021x
338 * Returns the identifier used by some EAP methods (like TLS) to
339 * authenticate the user. Often this is a username or login name.
341 * Returns: the user identifier
344 nm_setting_802_1x_get_identity (NMSetting8021x *setting)
346 g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);
348 return NM_SETTING_802_1X_GET_PRIVATE (setting)->identity;
352 * nm_setting_802_1x_get_anonymous_identity:
353 * @setting: the #NMSetting8021x
355 * Returns the anonymous identifier used by some EAP methods (like TTLS) to
356 * authenticate the user in the outer unencrypted "phase 1" authentication. The
357 * inner "phase 2" authentication will use the #NMSetting8021x:identity in
358 * a secure form, if applicable for that EAP method.
360 * Returns: the anonymous identifier
363 nm_setting_802_1x_get_anonymous_identity (NMSetting8021x *setting)
365 g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);
367 return NM_SETTING_802_1X_GET_PRIVATE (setting)->anonymous_identity;
371 * nm_setting_802_1x_get_pac_file:
372 * @setting: the #NMSetting8021x
374 * Returns the file containing PAC credentials used by EAP-FAST method.
376 * Returns: the PAC file
379 nm_setting_802_1x_get_pac_file (NMSetting8021x *setting)
381 g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);
383 return NM_SETTING_802_1X_GET_PRIVATE (setting)->pac_file;
387 * nm_setting_802_1x_get_ca_path:
388 * @setting: the #NMSetting8021x
390 * Returns the path of the CA certificate directory if previously set. Systems
391 * will often have a directory that contains multiple individual CA certificates
392 * which the supplicant can then add to the verification chain. This may be
393 * used in addition to the #NMSetting8021x:ca-cert property to add more CA
394 * certificates for verifying the network to client.
396 * Returns: the CA certificate directory path
399 nm_setting_802_1x_get_ca_path (NMSetting8021x *setting)
401 g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);
403 return NM_SETTING_802_1X_GET_PRIVATE (setting)->ca_path;
407 * nm_setting_802_1x_get_system_ca_certs:
408 * @setting: the #NMSetting8021x
410 * Sets the #NMSetting8021x:system-ca-certs property. The
411 * #NMSetting8021x:ca-path and #NMSetting8021x:phase2-ca-path
412 * properties are ignored if the #NMSetting8021x:system-ca-certs property is
413 * %TRUE, in which case a system-wide CA certificate directory specified at
414 * compile time (using the --system-ca-path configure option) is used in place
415 * of these properties.
417 * Returns: %TRUE if a system CA certificate path should be used, %FALSE if not
420 nm_setting_802_1x_get_system_ca_certs (NMSetting8021x *setting)
422 g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), FALSE);
424 return NM_SETTING_802_1X_GET_PRIVATE (setting)->system_ca_certs;
427 static NMSetting8021xCKScheme
428 get_cert_scheme (GByteArray *array)
430 if (!array || !array->len)
431 return NM_SETTING_802_1X_CK_SCHEME_UNKNOWN;
433 /* interpret the blob as PATH if it starts with "file://". */
434 if ( array->len >= NM_STRLEN (SCHEME_PATH)
435 && !memcmp (array->data, SCHEME_PATH, NM_STRLEN (SCHEME_PATH))) {
436 /* But it must also be NUL terminated, contain at least
437 * one non-NUL character, and contain only one trailing NUL
439 * And ensure it's UTF-8 valid too so we can pass it through
440 * D-Bus and stuff like that. */
441 if ( array->len > NM_STRLEN (SCHEME_PATH) + 1
442 && array->data[array->len - 1] == '\0'
443 && g_utf8_validate ((const char *) &array->data[NM_STRLEN (SCHEME_PATH)], array->len - (NM_STRLEN (SCHEME_PATH) + 1), NULL))
444 return NM_SETTING_802_1X_CK_SCHEME_PATH;
445 return NM_SETTING_802_1X_CK_SCHEME_UNKNOWN;
448 return NM_SETTING_802_1X_CK_SCHEME_BLOB;
452 load_and_verify_certificate (const char *cert_path,
453 NMSetting8021xCKScheme scheme,
454 NMCryptoFileFormat *out_file_format,
457 NMCryptoFileFormat format = NM_CRYPTO_FILE_FORMAT_UNKNOWN;
460 array = crypto_load_and_verify_certificate (cert_path, &format, error);
462 if (!array || !array->len || format == NM_CRYPTO_FILE_FORMAT_UNKNOWN)
463 format = NM_CRYPTO_FILE_FORMAT_UNKNOWN;
464 else if (scheme == NM_SETTING_802_1X_CK_SCHEME_BLOB) {
465 /* If we load the file as blob, we must ensure that the binary data does not
466 * start with file://. NMSetting8021x cannot represent blobs that start with
468 * If that's the case, coerce the format to UNKNOWN. The callers will take care
469 * of that and not set the blob. */
470 if (get_cert_scheme (array) != NM_SETTING_802_1X_CK_SCHEME_BLOB)
471 format = NM_CRYPTO_FILE_FORMAT_UNKNOWN;
475 *out_file_format = format;
480 * nm_setting_802_1x_get_ca_cert_scheme:
481 * @setting: the #NMSetting8021x
483 * Returns the scheme used to store the CA certificate. If the returned scheme
484 * is %NM_SETTING_802_1X_CK_SCHEME_BLOB, use nm_setting_802_1x_get_ca_cert_blob();
485 * if %NM_SETTING_802_1X_CK_SCHEME_PATH, use nm_setting_802_1x_get_ca_cert_path().
487 * Returns: scheme used to store the CA certificate (blob or path)
489 NMSetting8021xCKScheme
490 nm_setting_802_1x_get_ca_cert_scheme (NMSetting8021x *setting)
492 g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NM_SETTING_802_1X_CK_SCHEME_UNKNOWN);
494 return get_cert_scheme (NM_SETTING_802_1X_GET_PRIVATE (setting)->ca_cert);
498 * nm_setting_802_1x_get_ca_cert_blob:
499 * @setting: the #NMSetting8021x
501 * Returns the CA certificate blob if the CA certificate is stored using the
502 * %NM_SETTING_802_1X_CK_SCHEME_BLOB scheme. Not all EAP methods use a
503 * CA certificate (LEAP for example), and those that can take advantage of the
504 * CA certificate allow it to be unset. Note that lack of a CA certificate
505 * reduces security by allowing man-in-the-middle attacks, because the identity
506 * of the network cannot be confirmed by the client.
508 * Returns: the CA certificate data
511 nm_setting_802_1x_get_ca_cert_blob (NMSetting8021x *setting)
513 NMSetting8021xCKScheme scheme;
515 g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);
517 scheme = nm_setting_802_1x_get_ca_cert_scheme (setting);
518 g_return_val_if_fail (scheme == NM_SETTING_802_1X_CK_SCHEME_BLOB, NULL);
520 return NM_SETTING_802_1X_GET_PRIVATE (setting)->ca_cert;
524 * nm_setting_802_1x_get_ca_cert_path:
525 * @setting: the #NMSetting8021x
527 * Returns the CA certificate path if the CA certificate is stored using the
528 * %NM_SETTING_802_1X_CK_SCHEME_PATH scheme. Not all EAP methods use a
529 * CA certificate (LEAP for example), and those that can take advantage of the
530 * CA certificate allow it to be unset. Note that lack of a CA certificate
531 * reduces security by allowing man-in-the-middle attacks, because the identity
532 * of the network cannot be confirmed by the client.
534 * Returns: path to the CA certificate file
537 nm_setting_802_1x_get_ca_cert_path (NMSetting8021x *setting)
539 NMSetting8021xCKScheme scheme;
541 g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);
543 scheme = nm_setting_802_1x_get_ca_cert_scheme (setting);
544 g_return_val_if_fail (scheme == NM_SETTING_802_1X_CK_SCHEME_PATH, NULL);
546 return (const char *) (NM_SETTING_802_1X_GET_PRIVATE (setting)->ca_cert->data + strlen (SCHEME_PATH));
550 path_to_scheme_value (const char *path)
555 g_return_val_if_fail (path != NULL && path[0], NULL);
559 /* Add the path scheme tag to the front, then the filename */
560 array = g_byte_array_sized_new (len + strlen (SCHEME_PATH) + 1);
561 g_byte_array_append (array, (const guint8 *) SCHEME_PATH, strlen (SCHEME_PATH));
562 g_byte_array_append (array, (const guint8 *) path, len);
563 g_byte_array_append (array, (const guint8 *) "\0", 1);
568 * nm_setting_802_1x_set_ca_cert:
569 * @setting: the #NMSetting8021x
570 * @cert_path: when @scheme is set to either %NM_SETTING_802_1X_CK_SCHEME_PATH
571 * or %NM_SETTING_802_1X_CK_SCHEME_BLOB, pass the path of the CA certificate
572 * file (PEM or DER format). The path must be UTF-8 encoded; use
573 * g_filename_to_utf8() to convert if needed. Passing %NULL with any @scheme
574 * clears the CA certificate.
575 * @scheme: desired storage scheme for the certificate
576 * @out_format: on successful return, the type of the certificate added
577 * @error: on unsuccessful return, an error
579 * Reads a certificate from disk and sets the #NMSetting8021x:ca-cert property
580 * with the raw certificate data if using the %NM_SETTING_802_1X_CK_SCHEME_BLOB
581 * scheme, or with the path to the certificate file if using the
582 * %NM_SETTING_802_1X_CK_SCHEME_PATH scheme.
584 * Returns: %TRUE if the operation succeeded, %FALSE if it was unsuccessful
587 nm_setting_802_1x_set_ca_cert (NMSetting8021x *setting,
588 const char *cert_path,
589 NMSetting8021xCKScheme scheme,
590 NMSetting8021xCKFormat *out_format,
593 NMSetting8021xPrivate *priv;
594 NMCryptoFileFormat format = NM_CRYPTO_FILE_FORMAT_UNKNOWN;
597 g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), FALSE);
600 g_return_val_if_fail (g_utf8_validate (cert_path, -1, NULL), FALSE);
601 g_return_val_if_fail ( scheme == NM_SETTING_802_1X_CK_SCHEME_BLOB
602 || scheme == NM_SETTING_802_1X_CK_SCHEME_PATH,
607 g_return_val_if_fail (*out_format == NM_SETTING_802_1X_CK_FORMAT_UNKNOWN, FALSE);
609 priv = NM_SETTING_802_1X_GET_PRIVATE (setting);
611 /* Clear out any previous ca_cert blob */
613 g_byte_array_free (priv->ca_cert, TRUE);
614 priv->ca_cert = NULL;
618 g_object_notify (G_OBJECT (setting), NM_SETTING_802_1X_CA_CERT);
622 data = load_and_verify_certificate (cert_path, scheme, &format, error);
624 /* wpa_supplicant can only use raw x509 CA certs */
625 if (format == NM_CRYPTO_FILE_FORMAT_X509) {
627 *out_format = NM_SETTING_802_1X_CK_FORMAT_X509;
629 if (scheme == NM_SETTING_802_1X_CK_SCHEME_BLOB)
630 priv->ca_cert = g_byte_array_ref (data);
631 else if (scheme == NM_SETTING_802_1X_CK_SCHEME_PATH)
632 priv->ca_cert = path_to_scheme_value (cert_path);
634 g_assert_not_reached ();
636 g_set_error_literal (error,
637 NM_SETTING_802_1X_ERROR,
638 NM_SETTING_802_1X_ERROR_INVALID_PROPERTY,
639 _("CA certificate must be in X.509 format"));
640 g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_CA_CERT);
642 g_byte_array_unref (data);
645 g_object_notify (G_OBJECT (setting), NM_SETTING_802_1X_CA_CERT);
646 return priv->ca_cert != NULL;
650 * nm_setting_802_1x_get_subject_match:
651 * @setting: the #NMSetting8021x
653 * Returns: the #NMSetting8021x:subject-match property. This is the
654 * substring to be matched against the subject of the authentication
655 * server certificate, or %NULL no subject verification is to be
659 nm_setting_802_1x_get_subject_match (NMSetting8021x *setting)
661 g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);
663 return NM_SETTING_802_1X_GET_PRIVATE (setting)->subject_match;
667 * nm_setting_802_1x_get_num_altsubject_matches:
668 * @setting: the #NMSetting8021x
670 * Returns the number of entries in the
671 * #NMSetting8021x:altsubject-matches property of this setting.
673 * Returns: the number of altsubject-matches entries.
676 nm_setting_802_1x_get_num_altsubject_matches (NMSetting8021x *setting)
678 g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), 0);
680 return g_slist_length (NM_SETTING_802_1X_GET_PRIVATE (setting)->altsubject_matches);
684 * nm_setting_802_1x_get_altsubject_match:
685 * @setting: the #NMSettingConnection
686 * @i: the zero-based index of the array of altSubjectName matches
688 * Returns the altSubjectName match at index @i.
690 * Returns: the altSubjectName match at index @i
693 nm_setting_802_1x_get_altsubject_match (NMSetting8021x *setting, guint32 i)
695 NMSetting8021xPrivate *priv;
697 g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);
699 priv = NM_SETTING_802_1X_GET_PRIVATE (setting);
700 g_return_val_if_fail (i <= g_slist_length (priv->altsubject_matches), NULL);
702 return (const char *) g_slist_nth_data (priv->altsubject_matches, i);
706 * nm_setting_802_1x_add_altsubject_match:
707 * @setting: the #NMSetting8021x
708 * @altsubject_match: the altSubjectName to allow for this connection
710 * Adds an allowed alternate subject name match. Until at least one
711 * match is added, the altSubjectName of the remote authentication
712 * server is not verified.
714 * Returns: %TRUE if the alternative subject name match was
715 * successfully added, %FALSE if it was already allowed.
718 nm_setting_802_1x_add_altsubject_match (NMSetting8021x *setting,
719 const char *altsubject_match)
721 NMSetting8021xPrivate *priv;
724 g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), FALSE);
725 g_return_val_if_fail (altsubject_match != NULL, FALSE);
727 priv = NM_SETTING_802_1X_GET_PRIVATE (setting);
728 for (iter = priv->altsubject_matches; iter; iter = g_slist_next (iter)) {
729 if (!strcmp (altsubject_match, (char *) iter->data))
733 priv->altsubject_matches = g_slist_append (priv->altsubject_matches,
734 g_strdup (altsubject_match));
735 g_object_notify (G_OBJECT (setting), NM_SETTING_802_1X_ALTSUBJECT_MATCHES);
740 * nm_setting_802_1x_remove_altsubject_match:
741 * @setting: the #NMSetting8021x
742 * @i: the index of the altSubjectName match to remove
744 * Removes the allowed altSubjectName at the specified index.
747 nm_setting_802_1x_remove_altsubject_match (NMSetting8021x *setting, guint32 i)
749 NMSetting8021xPrivate *priv;
752 g_return_if_fail (NM_IS_SETTING_802_1X (setting));
754 priv = NM_SETTING_802_1X_GET_PRIVATE (setting);
755 elt = g_slist_nth (priv->altsubject_matches, i);
756 g_return_if_fail (elt != NULL);
759 priv->altsubject_matches = g_slist_delete_link (priv->altsubject_matches, elt);
760 g_object_notify (G_OBJECT (setting), NM_SETTING_802_1X_ALTSUBJECT_MATCHES);
764 * nm_setting_802_1x_remove_altsubject_match_by_value:
765 * @setting: the #NMSetting8021x
766 * @altsubject_match: the altSubjectName to remove
768 * Removes the allowed altSubjectName @altsubject_match.
770 * Returns: %TRUE if the alternative subject name match was found and removed,
771 * %FALSE if it was not.
776 nm_setting_802_1x_remove_altsubject_match_by_value (NMSetting8021x *setting,
777 const char *altsubject_match)
779 NMSetting8021xPrivate *priv;
782 g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), FALSE);
783 g_return_val_if_fail (altsubject_match != NULL, FALSE);
785 priv = NM_SETTING_802_1X_GET_PRIVATE (setting);
786 for (iter = priv->altsubject_matches; iter; iter = g_slist_next (iter)) {
787 if (!strcmp (altsubject_match, (char *) iter->data)) {
788 priv->altsubject_matches = g_slist_delete_link (priv->altsubject_matches, iter);
789 g_object_notify (G_OBJECT (setting), NM_SETTING_802_1X_ALTSUBJECT_MATCHES);
797 * nm_setting_802_1x_clear_altsubject_matches:
798 * @setting: the #NMSetting8021x
800 * Clears all altSubjectName matches.
803 nm_setting_802_1x_clear_altsubject_matches (NMSetting8021x *setting)
805 NMSetting8021xPrivate *priv;
807 g_return_if_fail (NM_IS_SETTING_802_1X (setting));
809 priv = NM_SETTING_802_1X_GET_PRIVATE (setting);
810 g_slist_free_full (priv->altsubject_matches, g_free);
811 priv->altsubject_matches = NULL;
812 g_object_notify (G_OBJECT (setting), NM_SETTING_802_1X_ALTSUBJECT_MATCHES);
816 * nm_setting_802_1x_get_client_cert_scheme:
817 * @setting: the #NMSetting8021x
819 * Returns the scheme used to store the client certificate. If the returned scheme
820 * is %NM_SETTING_802_1X_CK_SCHEME_BLOB, use nm_setting_802_1x_get_client_cert_blob();
821 * if %NM_SETTING_802_1X_CK_SCHEME_PATH, use nm_setting_802_1x_get_client_cert_path().
823 * Returns: scheme used to store the client certificate (blob or path)
825 NMSetting8021xCKScheme
826 nm_setting_802_1x_get_client_cert_scheme (NMSetting8021x *setting)
828 g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NM_SETTING_802_1X_CK_SCHEME_UNKNOWN);
830 return get_cert_scheme (NM_SETTING_802_1X_GET_PRIVATE (setting)->client_cert);
834 * nm_setting_802_1x_get_client_cert_blob:
835 * @setting: the #NMSetting8021x
837 * Client certificates are used to identify the connecting client to the network
838 * when EAP-TLS is used as either the "phase 1" or "phase 2" 802.1x
839 * authentication method.
841 * Returns: the client certificate data
844 nm_setting_802_1x_get_client_cert_blob (NMSetting8021x *setting)
846 NMSetting8021xCKScheme scheme;
848 g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);
850 scheme = nm_setting_802_1x_get_client_cert_scheme (setting);
851 g_return_val_if_fail (scheme == NM_SETTING_802_1X_CK_SCHEME_BLOB, NULL);
853 return NM_SETTING_802_1X_GET_PRIVATE (setting)->client_cert;
857 * nm_setting_802_1x_get_client_cert_path:
858 * @setting: the #NMSetting8021x
860 * Client certificates are used to identify the connecting client to the network
861 * when EAP-TLS is used as either the "phase 1" or "phase 2" 802.1x
862 * authentication method.
864 * Returns: path to the client certificate file
867 nm_setting_802_1x_get_client_cert_path (NMSetting8021x *setting)
869 NMSetting8021xCKScheme scheme;
871 g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);
873 scheme = nm_setting_802_1x_get_client_cert_scheme (setting);
874 g_return_val_if_fail (scheme == NM_SETTING_802_1X_CK_SCHEME_PATH, NULL);
876 return (const char *) (NM_SETTING_802_1X_GET_PRIVATE (setting)->client_cert->data + strlen (SCHEME_PATH));
880 * nm_setting_802_1x_set_client_cert:
881 * @setting: the #NMSetting8021x
882 * @cert_path: when @scheme is set to either %NM_SETTING_802_1X_CK_SCHEME_PATH
883 * or %NM_SETTING_802_1X_CK_SCHEME_BLOB, pass the path of the client
884 * certificate file (PEM, DER, or PKCS#<!-- -->12 format). The path must be UTF-8
885 * encoded; use g_filename_to_utf8() to convert if needed. Passing %NULL with
886 * any @scheme clears the client certificate.
887 * @scheme: desired storage scheme for the certificate
888 * @out_format: on successful return, the type of the certificate added
889 * @error: on unsuccessful return, an error
891 * Reads a certificate from disk and sets the #NMSetting8021x:client-cert
892 * property with the raw certificate data if using the
893 * %NM_SETTING_802_1X_CK_SCHEME_BLOB scheme, or with the path to the certificate
894 * file if using the %NM_SETTING_802_1X_CK_SCHEME_PATH scheme.
896 * Client certificates are used to identify the connecting client to the network
897 * when EAP-TLS is used as either the "phase 1" or "phase 2" 802.1x
898 * authentication method.
900 * Returns: %TRUE if the operation succeeded, %FALSE if it was unsuccessful
903 nm_setting_802_1x_set_client_cert (NMSetting8021x *setting,
904 const char *cert_path,
905 NMSetting8021xCKScheme scheme,
906 NMSetting8021xCKFormat *out_format,
909 NMSetting8021xPrivate *priv;
910 NMCryptoFileFormat format = NM_CRYPTO_FILE_FORMAT_UNKNOWN;
913 g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), FALSE);
916 g_return_val_if_fail (g_utf8_validate (cert_path, -1, NULL), FALSE);
917 g_return_val_if_fail ( scheme == NM_SETTING_802_1X_CK_SCHEME_BLOB
918 || scheme == NM_SETTING_802_1X_CK_SCHEME_PATH,
923 g_return_val_if_fail (*out_format == NM_SETTING_802_1X_CK_FORMAT_UNKNOWN, FALSE);
925 priv = NM_SETTING_802_1X_GET_PRIVATE (setting);
927 /* Clear out any previous ca_cert blob */
928 if (priv->client_cert) {
929 g_byte_array_free (priv->client_cert, TRUE);
930 priv->client_cert = NULL;
934 g_object_notify (G_OBJECT (setting), NM_SETTING_802_1X_CLIENT_CERT);
938 data = load_and_verify_certificate (cert_path, scheme, &format, error);
940 gboolean valid = FALSE;
943 case NM_CRYPTO_FILE_FORMAT_X509:
945 *out_format = NM_SETTING_802_1X_CK_FORMAT_X509;
948 case NM_CRYPTO_FILE_FORMAT_PKCS12:
950 *out_format = NM_SETTING_802_1X_CK_FORMAT_PKCS12;
954 g_set_error_literal (error,
955 NM_SETTING_802_1X_ERROR,
956 NM_SETTING_802_1X_ERROR_INVALID_PROPERTY,
957 _("invalid certificate format"));
958 g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_CLIENT_CERT);
963 if (scheme == NM_SETTING_802_1X_CK_SCHEME_BLOB)
964 priv->client_cert = g_byte_array_ref (data);
965 else if (scheme == NM_SETTING_802_1X_CK_SCHEME_PATH)
966 priv->client_cert = path_to_scheme_value (cert_path);
968 g_assert_not_reached ();
970 g_byte_array_unref (data);
973 g_object_notify (G_OBJECT (setting), NM_SETTING_802_1X_CLIENT_CERT);
974 return priv->client_cert != NULL;
978 * nm_setting_802_1x_get_phase1_peapver:
979 * @setting: the #NMSetting8021x
981 * Returns: the "phase 1" PEAP version to be used when authenticating with
982 * EAP-PEAP as contained in the #NMSetting8021x:phase1-peapver property. Valid
983 * values are %NULL (unset), "0" (PEAP version 0), and "1" (PEAP version 1).
986 nm_setting_802_1x_get_phase1_peapver (NMSetting8021x *setting)
988 g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);
990 return NM_SETTING_802_1X_GET_PRIVATE (setting)->phase1_peapver;
994 * nm_setting_802_1x_get_phase1_peaplabel:
995 * @setting: the #NMSetting8021x
997 * Returns: whether the "phase 1" PEAP label is new-style or old-style, to be
998 * used when authenticating with EAP-PEAP, as contained in the
999 * #NMSetting8021x:phase1-peaplabel property. Valid values are %NULL (unset),
1000 * "0" (use old-style label), and "1" (use new-style label). See the
1001 * wpa_supplicant documentation for more details.
1004 nm_setting_802_1x_get_phase1_peaplabel (NMSetting8021x *setting)
1006 g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);
1008 return NM_SETTING_802_1X_GET_PRIVATE (setting)->phase1_peaplabel;
1012 * nm_setting_802_1x_get_phase1_fast_provisioning:
1013 * @setting: the #NMSetting8021x
1015 * Returns: whether "phase 1" PEAP fast provisioning should be used, as specified
1016 * by the #NMSetting8021x:phase1-fast-provisioning property. See the
1017 * wpa_supplicant documentation for more details.
1020 nm_setting_802_1x_get_phase1_fast_provisioning (NMSetting8021x *setting)
1022 g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);
1024 return NM_SETTING_802_1X_GET_PRIVATE (setting)->phase1_fast_provisioning;
1028 * nm_setting_802_1x_get_phase2_auth:
1029 * @setting: the #NMSetting8021x
1031 * Returns: the "phase 2" non-EAP (ex MD5) allowed authentication method as
1032 * specified by the #NMSetting8021x:phase2-auth property.
1035 nm_setting_802_1x_get_phase2_auth (NMSetting8021x *setting)
1037 g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);
1039 return NM_SETTING_802_1X_GET_PRIVATE (setting)->phase2_auth;
1043 * nm_setting_802_1x_get_phase2_autheap:
1044 * @setting: the #NMSetting8021x
1046 * Returns: the "phase 2" EAP-based (ex TLS) allowed authentication method as
1047 * specified by the #NMSetting8021x:phase2-autheap property.
1050 nm_setting_802_1x_get_phase2_autheap (NMSetting8021x *setting)
1052 g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);
1054 return NM_SETTING_802_1X_GET_PRIVATE (setting)->phase2_autheap;
1058 * nm_setting_802_1x_get_phase2_ca_path:
1059 * @setting: the #NMSetting8021x
1061 * Returns the path of the "phase 2" CA certificate directory if previously set.
1062 * Systems will often have a directory that contains multiple individual CA
1063 * certificates which the supplicant can then add to the verification chain.
1064 * This may be used in addition to the #NMSetting8021x:phase2-ca-cert property
1065 * to add more CA certificates for verifying the network to client.
1067 * Returns: the "phase 2" CA certificate directory path
1070 nm_setting_802_1x_get_phase2_ca_path (NMSetting8021x *setting)
1072 g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);
1074 return NM_SETTING_802_1X_GET_PRIVATE (setting)->phase2_ca_path;
1078 * nm_setting_802_1x_get_phase2_ca_cert_scheme:
1079 * @setting: the #NMSetting8021x
1081 * Returns the scheme used to store the "phase 2" CA certificate. If the
1082 * returned scheme is %NM_SETTING_802_1X_CK_SCHEME_BLOB, use
1083 * nm_setting_802_1x_get_ca_cert_blob(); if %NM_SETTING_802_1X_CK_SCHEME_PATH,
1084 * use nm_setting_802_1x_get_ca_cert_path().
1086 * Returns: scheme used to store the "phase 2" CA certificate (blob or path)
1088 NMSetting8021xCKScheme
1089 nm_setting_802_1x_get_phase2_ca_cert_scheme (NMSetting8021x *setting)
1091 g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NM_SETTING_802_1X_CK_SCHEME_UNKNOWN);
1093 return get_cert_scheme (NM_SETTING_802_1X_GET_PRIVATE (setting)->phase2_ca_cert);
1097 * nm_setting_802_1x_get_phase2_ca_cert_blob:
1098 * @setting: the #NMSetting8021x
1100 * Returns the "phase 2" CA certificate blob if the CA certificate is stored
1101 * using the %NM_SETTING_802_1X_CK_SCHEME_BLOB scheme. Not all EAP methods use
1102 * a CA certificate (LEAP for example), and those that can take advantage of the
1103 * CA certificate allow it to be unset. Note that lack of a CA certificate
1104 * reduces security by allowing man-in-the-middle attacks, because the identity
1105 * of the network cannot be confirmed by the client.
1107 * Returns: the "phase 2" CA certificate data
1110 nm_setting_802_1x_get_phase2_ca_cert_blob (NMSetting8021x *setting)
1112 NMSetting8021xCKScheme scheme;
1114 g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);
1116 scheme = nm_setting_802_1x_get_phase2_ca_cert_scheme (setting);
1117 g_return_val_if_fail (scheme == NM_SETTING_802_1X_CK_SCHEME_BLOB, NULL);
1119 return NM_SETTING_802_1X_GET_PRIVATE (setting)->phase2_ca_cert;
1123 * nm_setting_802_1x_get_phase2_ca_cert_path:
1124 * @setting: the #NMSetting8021x
1126 * Returns the "phase 2" CA certificate path if the CA certificate is stored
1127 * using the %NM_SETTING_802_1X_CK_SCHEME_PATH scheme. Not all EAP methods use
1128 * a CA certificate (LEAP for example), and those that can take advantage of the
1129 * CA certificate allow it to be unset. Note that lack of a CA certificate
1130 * reduces security by allowing man-in-the-middle attacks, because the identity
1131 * of the network cannot be confirmed by the client.
1133 * Returns: path to the "phase 2" CA certificate file
1136 nm_setting_802_1x_get_phase2_ca_cert_path (NMSetting8021x *setting)
1138 NMSetting8021xCKScheme scheme;
1140 g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);
1142 scheme = nm_setting_802_1x_get_phase2_ca_cert_scheme (setting);
1143 g_return_val_if_fail (scheme == NM_SETTING_802_1X_CK_SCHEME_PATH, NULL);
1145 return (const char *) (NM_SETTING_802_1X_GET_PRIVATE (setting)->phase2_ca_cert->data + strlen (SCHEME_PATH));
1149 * nm_setting_802_1x_set_phase2_ca_cert:
1150 * @setting: the #NMSetting8021x
1151 * @cert_path: when @scheme is set to either %NM_SETTING_802_1X_CK_SCHEME_PATH
1152 * or %NM_SETTING_802_1X_CK_SCHEME_BLOB, pass the path of the "phase2" CA
1153 * certificate file (PEM or DER format). The path must be UTF-8 encoded; use
1154 * g_filename_to_utf8() to convert if needed. Passing %NULL with any @scheme
1155 * clears the "phase2" CA certificate.
1156 * @scheme: desired storage scheme for the certificate
1157 * @out_format: on successful return, the type of the certificate added
1158 * @error: on unsuccessful return, an error
1160 * Reads a certificate from disk and sets the #NMSetting8021x:phase2-ca-cert
1161 * property with the raw certificate data if using the
1162 * %NM_SETTING_802_1X_CK_SCHEME_BLOB scheme, or with the path to the certificate
1163 * file if using the %NM_SETTING_802_1X_CK_SCHEME_PATH scheme.
1165 * Returns: %TRUE if the operation succeeded, %FALSE if it was unsuccessful
1168 nm_setting_802_1x_set_phase2_ca_cert (NMSetting8021x *setting,
1169 const char *cert_path,
1170 NMSetting8021xCKScheme scheme,
1171 NMSetting8021xCKFormat *out_format,
1174 NMSetting8021xPrivate *priv;
1175 NMCryptoFileFormat format = NM_CRYPTO_FILE_FORMAT_UNKNOWN;
1178 g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), FALSE);
1181 g_return_val_if_fail (g_utf8_validate (cert_path, -1, NULL), FALSE);
1182 g_return_val_if_fail ( scheme == NM_SETTING_802_1X_CK_SCHEME_BLOB
1183 || scheme == NM_SETTING_802_1X_CK_SCHEME_PATH,
1188 g_return_val_if_fail (*out_format == NM_SETTING_802_1X_CK_FORMAT_UNKNOWN, FALSE);
1190 priv = NM_SETTING_802_1X_GET_PRIVATE (setting);
1192 /* Clear out any previous ca_cert blob */
1193 if (priv->phase2_ca_cert) {
1194 g_byte_array_free (priv->phase2_ca_cert, TRUE);
1195 priv->phase2_ca_cert = NULL;
1199 g_object_notify (G_OBJECT (setting), NM_SETTING_802_1X_PHASE2_CA_CERT);
1203 data = load_and_verify_certificate (cert_path, scheme, &format, error);
1205 /* wpa_supplicant can only use raw x509 CA certs */
1206 if (format == NM_CRYPTO_FILE_FORMAT_X509) {
1208 *out_format = NM_SETTING_802_1X_CK_FORMAT_X509;
1210 if (scheme == NM_SETTING_802_1X_CK_SCHEME_BLOB)
1211 priv->phase2_ca_cert = g_byte_array_ref (data);
1212 else if (scheme == NM_SETTING_802_1X_CK_SCHEME_PATH)
1213 priv->phase2_ca_cert = path_to_scheme_value (cert_path);
1215 g_assert_not_reached ();
1217 g_set_error_literal (error,
1218 NM_SETTING_802_1X_ERROR,
1219 NM_SETTING_802_1X_ERROR_INVALID_PROPERTY,
1220 _("invalid certificate format"));
1221 g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_PHASE2_CA_CERT);
1223 g_byte_array_unref (data);
1226 g_object_notify (G_OBJECT (setting), NM_SETTING_802_1X_PHASE2_CA_CERT);
1227 return priv->phase2_ca_cert != NULL;
1231 * nm_setting_802_1x_get_phase2_subject_match:
1232 * @setting: the #NMSetting8021x
1234 * Returns: the #NMSetting8021x:phase2-subject-match property. This is
1235 * the substring to be matched against the subject of the "phase 2"
1236 * authentication server certificate, or %NULL no subject verification
1237 * is to be performed.
1240 nm_setting_802_1x_get_phase2_subject_match (NMSetting8021x *setting)
1242 g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);
1244 return NM_SETTING_802_1X_GET_PRIVATE (setting)->phase2_subject_match;
1248 * nm_setting_802_1x_get_num_phase2_altsubject_matches:
1249 * @setting: the #NMSetting8021x
1251 * Returns the number of entries in the
1252 * #NMSetting8021x:phase2-altsubject-matches property of this setting.
1254 * Returns: the number of phase2-altsubject-matches entries.
1257 nm_setting_802_1x_get_num_phase2_altsubject_matches (NMSetting8021x *setting)
1259 g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), 0);
1261 return g_slist_length (NM_SETTING_802_1X_GET_PRIVATE (setting)->phase2_altsubject_matches);
1265 * nm_setting_802_1x_get_phase2_altsubject_match:
1266 * @setting: the #NMSettingConnection
1267 * @i: the zero-based index of the array of "phase 2" altSubjectName matches
1269 * Returns the "phase 2" altSubjectName match at index @i.
1271 * Returns: the "phase 2" altSubjectName match at index @i
1274 nm_setting_802_1x_get_phase2_altsubject_match (NMSetting8021x *setting, guint32 i)
1276 NMSetting8021xPrivate *priv;
1278 g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);
1280 priv = NM_SETTING_802_1X_GET_PRIVATE (setting);
1281 g_return_val_if_fail (i <= g_slist_length (priv->phase2_altsubject_matches), NULL);
1283 return (const char *) g_slist_nth_data (priv->phase2_altsubject_matches, i);
1287 * nm_setting_802_1x_add_phase2_altsubject_match:
1288 * @setting: the #NMSetting8021x
1289 * @phase2_altsubject_match: the "phase 2" altSubjectName to allow for this
1292 * Adds an allowed alternate subject name match for "phase 2". Until
1293 * at least one match is added, the altSubjectName of the "phase 2"
1294 * remote authentication server is not verified.
1296 * Returns: %TRUE if the "phase 2" alternative subject name match was
1297 * successfully added, %FALSE if it was already allowed.
1300 nm_setting_802_1x_add_phase2_altsubject_match (NMSetting8021x *setting,
1301 const char *phase2_altsubject_match)
1303 NMSetting8021xPrivate *priv;
1306 g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), FALSE);
1307 g_return_val_if_fail (phase2_altsubject_match != NULL, FALSE);
1309 priv = NM_SETTING_802_1X_GET_PRIVATE (setting);
1310 for (iter = priv->phase2_altsubject_matches; iter; iter = g_slist_next (iter)) {
1311 if (!strcmp (phase2_altsubject_match, (char *) iter->data))
1315 priv->phase2_altsubject_matches = g_slist_append (priv->phase2_altsubject_matches,
1316 g_strdup (phase2_altsubject_match));
1317 g_object_notify (G_OBJECT (setting), NM_SETTING_802_1X_PHASE2_ALTSUBJECT_MATCHES);
1322 * nm_setting_802_1x_remove_phase2_altsubject_match:
1323 * @setting: the #NMSetting8021x
1324 * @i: the index of the "phase 2" altSubjectName match to remove
1326 * Removes the allowed "phase 2" altSubjectName at the specified index.
1329 nm_setting_802_1x_remove_phase2_altsubject_match (NMSetting8021x *setting, guint32 i)
1331 NMSetting8021xPrivate *priv;
1334 g_return_if_fail (NM_IS_SETTING_802_1X (setting));
1336 priv = NM_SETTING_802_1X_GET_PRIVATE (setting);
1337 elt = g_slist_nth (priv->phase2_altsubject_matches, i);
1338 g_return_if_fail (elt != NULL);
1341 priv->phase2_altsubject_matches = g_slist_delete_link (priv->phase2_altsubject_matches, elt);
1342 g_object_notify (G_OBJECT (setting), NM_SETTING_802_1X_PHASE2_ALTSUBJECT_MATCHES);
1347 * nm_setting_802_1x_remove_phase2_altsubject_match_by_value:
1348 * @setting: the #NMSetting8021x
1349 * @phase2_altsubject_match: the "phase 2" altSubjectName to remove
1351 * Removes the allowed "phase 2" altSubjectName @phase2_altsubject_match.
1353 * Returns: %TRUE if the alternative subject name match for "phase 2" was found and removed,
1354 * %FALSE if it was not.
1359 nm_setting_802_1x_remove_phase2_altsubject_match_by_value (NMSetting8021x *setting,
1360 const char *phase2_altsubject_match)
1362 NMSetting8021xPrivate *priv;
1365 g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), FALSE);
1366 g_return_val_if_fail (phase2_altsubject_match != NULL, FALSE);
1368 priv = NM_SETTING_802_1X_GET_PRIVATE (setting);
1369 for (iter = priv->phase2_altsubject_matches; iter; iter = g_slist_next (iter)) {
1370 if (!strcmp (phase2_altsubject_match, (char *) iter->data)) {
1371 priv->phase2_altsubject_matches = g_slist_delete_link (priv->phase2_altsubject_matches, iter);
1372 g_object_notify (G_OBJECT (setting), NM_SETTING_802_1X_PHASE2_ALTSUBJECT_MATCHES);
1380 * nm_setting_802_1x_clear_phase2_altsubject_matches:
1381 * @setting: the #NMSetting8021x
1383 * Clears all "phase 2" altSubjectName matches.
1386 nm_setting_802_1x_clear_phase2_altsubject_matches (NMSetting8021x *setting)
1388 NMSetting8021xPrivate *priv;
1390 g_return_if_fail (NM_IS_SETTING_802_1X (setting));
1392 priv = NM_SETTING_802_1X_GET_PRIVATE (setting);
1393 g_slist_free_full (priv->phase2_altsubject_matches, g_free);
1394 priv->phase2_altsubject_matches = NULL;
1395 g_object_notify (G_OBJECT (setting), NM_SETTING_802_1X_PHASE2_ALTSUBJECT_MATCHES);
1399 * nm_setting_802_1x_get_phase2_client_cert_scheme:
1400 * @setting: the #NMSetting8021x
1402 * Returns the scheme used to store the "phase 2" client certificate. If the
1403 * returned scheme is %NM_SETTING_802_1X_CK_SCHEME_BLOB, use
1404 * nm_setting_802_1x_get_client_cert_blob(); if
1405 * %NM_SETTING_802_1X_CK_SCHEME_PATH, use
1406 * nm_setting_802_1x_get_client_cert_path().
1408 * Returns: scheme used to store the "phase 2" client certificate (blob or path)
1410 NMSetting8021xCKScheme
1411 nm_setting_802_1x_get_phase2_client_cert_scheme (NMSetting8021x *setting)
1413 g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NM_SETTING_802_1X_CK_SCHEME_UNKNOWN);
1415 return get_cert_scheme (NM_SETTING_802_1X_GET_PRIVATE (setting)->phase2_client_cert);
1419 * nm_setting_802_1x_get_phase2_client_cert_blob:
1420 * @setting: the #NMSetting8021x
1422 * Client certificates are used to identify the connecting client to the network
1423 * when EAP-TLS is used as either the "phase 1" or "phase 2" 802.1x
1424 * authentication method.
1426 * Returns: the "phase 2" client certificate data
1429 nm_setting_802_1x_get_phase2_client_cert_blob (NMSetting8021x *setting)
1431 NMSetting8021xCKScheme scheme;
1433 g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);
1435 scheme = nm_setting_802_1x_get_phase2_client_cert_scheme (setting);
1436 g_return_val_if_fail (scheme == NM_SETTING_802_1X_CK_SCHEME_BLOB, NULL);
1438 return NM_SETTING_802_1X_GET_PRIVATE (setting)->phase2_client_cert;
1442 * nm_setting_802_1x_get_phase2_client_cert_path:
1443 * @setting: the #NMSetting8021x
1445 * Client certificates are used to identify the connecting client to the network
1446 * when EAP-TLS is used as either the "phase 1" or "phase 2" 802.1x
1447 * authentication method.
1449 * Returns: path to the "phase 2" client certificate file
1452 nm_setting_802_1x_get_phase2_client_cert_path (NMSetting8021x *setting)
1454 NMSetting8021xCKScheme scheme;
1456 g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);
1458 scheme = nm_setting_802_1x_get_phase2_client_cert_scheme (setting);
1459 g_return_val_if_fail (scheme == NM_SETTING_802_1X_CK_SCHEME_PATH, NULL);
1461 return (const char *) (NM_SETTING_802_1X_GET_PRIVATE (setting)->phase2_client_cert->data + strlen (SCHEME_PATH));
1465 * nm_setting_802_1x_set_phase2_client_cert:
1466 * @setting: the #NMSetting8021x
1467 * @cert_path: when @scheme is set to either %NM_SETTING_802_1X_CK_SCHEME_PATH
1468 * or %NM_SETTING_802_1X_CK_SCHEME_BLOB, pass the path of the "phase2" client
1469 * certificate file (PEM, DER, or PKCS#<!-- -->12 format). The path must be UTF-8
1470 * encoded; use g_filename_to_utf8() to convert if needed. Passing %NULL with
1471 * any @scheme clears the "phase2" client certificate.
1472 * @scheme: desired storage scheme for the certificate
1473 * @out_format: on successful return, the type of the certificate added
1474 * @error: on unsuccessful return, an error
1476 * Reads a certificate from disk and sets the #NMSetting8021x:phase2-client-cert
1477 * property with the raw certificate data if using the
1478 * %NM_SETTING_802_1X_CK_SCHEME_BLOB scheme, or with the path to the certificate
1479 * file if using the %NM_SETTING_802_1X_CK_SCHEME_PATH scheme.
1481 * Client certificates are used to identify the connecting client to the network
1482 * when EAP-TLS is used as either the "phase 1" or "phase 2" 802.1x
1483 * authentication method.
1485 * Returns: %TRUE if the operation succeeded, %FALSE if it was unsuccessful
1488 nm_setting_802_1x_set_phase2_client_cert (NMSetting8021x *setting,
1489 const char *cert_path,
1490 NMSetting8021xCKScheme scheme,
1491 NMSetting8021xCKFormat *out_format,
1494 NMSetting8021xPrivate *priv;
1495 NMCryptoFileFormat format = NM_CRYPTO_FILE_FORMAT_UNKNOWN;
1498 g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), FALSE);
1501 g_return_val_if_fail (g_utf8_validate (cert_path, -1, NULL), FALSE);
1502 g_return_val_if_fail ( scheme == NM_SETTING_802_1X_CK_SCHEME_BLOB
1503 || scheme == NM_SETTING_802_1X_CK_SCHEME_PATH,
1508 g_return_val_if_fail (*out_format == NM_SETTING_802_1X_CK_FORMAT_UNKNOWN, FALSE);
1510 priv = NM_SETTING_802_1X_GET_PRIVATE (setting);
1512 /* Clear out any previous ca_cert blob */
1513 if (priv->phase2_client_cert) {
1514 g_byte_array_free (priv->phase2_client_cert, TRUE);
1515 priv->phase2_client_cert = NULL;
1519 g_object_notify (G_OBJECT (setting), NM_SETTING_802_1X_PHASE2_CLIENT_CERT);
1523 data = load_and_verify_certificate (cert_path, scheme, &format, error);
1525 gboolean valid = FALSE;
1527 /* wpa_supplicant can only use raw x509 CA certs */
1529 case NM_CRYPTO_FILE_FORMAT_X509:
1531 *out_format = NM_SETTING_802_1X_CK_FORMAT_X509;
1534 case NM_CRYPTO_FILE_FORMAT_PKCS12:
1536 *out_format = NM_SETTING_802_1X_CK_FORMAT_PKCS12;
1540 g_set_error_literal (error,
1541 NM_SETTING_802_1X_ERROR,
1542 NM_SETTING_802_1X_ERROR_INVALID_PROPERTY,
1543 _("invalid certificate format"));
1544 g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_PHASE2_CLIENT_CERT);
1549 if (scheme == NM_SETTING_802_1X_CK_SCHEME_BLOB)
1550 priv->phase2_client_cert = g_byte_array_ref (data);
1551 else if (scheme == NM_SETTING_802_1X_CK_SCHEME_PATH)
1552 priv->phase2_client_cert = path_to_scheme_value (cert_path);
1554 g_assert_not_reached ();
1556 g_byte_array_unref (data);
1559 g_object_notify (G_OBJECT (setting), NM_SETTING_802_1X_PHASE2_CLIENT_CERT);
1560 return priv->phase2_client_cert != NULL;
1564 * nm_setting_802_1x_get_password:
1565 * @setting: the #NMSetting8021x
1567 * Returns: the password used by the authentication method, if any, as specified
1568 * by the #NMSetting8021x:password property
1571 nm_setting_802_1x_get_password (NMSetting8021x *setting)
1573 g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);
1575 return NM_SETTING_802_1X_GET_PRIVATE (setting)->password;
1579 * nm_setting_802_1x_get_password_flags:
1580 * @setting: the #NMSetting8021x
1582 * Returns: the #NMSettingSecretFlags pertaining to the #NMSetting8021x:password
1584 NMSettingSecretFlags
1585 nm_setting_802_1x_get_password_flags (NMSetting8021x *setting)
1587 g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NM_SETTING_SECRET_FLAG_NONE);
1589 return NM_SETTING_802_1X_GET_PRIVATE (setting)->password_flags;
1593 * nm_setting_802_1x_get_password_raw:
1594 * @setting: the #NMSetting8021x
1596 * Returns: the password used by the authentication method as a
1597 * UTF-8-encoded array of bytes, as specified by the
1598 * #NMSetting8021x:password-raw property
1601 nm_setting_802_1x_get_password_raw (NMSetting8021x *setting)
1603 g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);
1605 return NM_SETTING_802_1X_GET_PRIVATE (setting)->password_raw;
1609 * nm_setting_802_1x_get_password_raw_flags:
1610 * @setting: the #NMSetting8021x
1612 * Returns: the #NMSettingSecretFlags pertaining to the
1613 * #NMSetting8021x:password-raw
1615 NMSettingSecretFlags
1616 nm_setting_802_1x_get_password_raw_flags (NMSetting8021x *setting)
1618 g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NM_SETTING_SECRET_FLAG_NONE);
1620 return NM_SETTING_802_1X_GET_PRIVATE (setting)->password_raw_flags;
1624 * nm_setting_802_1x_get_pin:
1625 * @setting: the #NMSetting8021x
1627 * Returns: the PIN used by the authentication method, if any, as specified
1628 * by the #NMSetting8021x:pin property
1631 nm_setting_802_1x_get_pin (NMSetting8021x *setting)
1633 g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);
1635 return NM_SETTING_802_1X_GET_PRIVATE (setting)->pin;
1639 * nm_setting_802_1x_get_pin_flags:
1640 * @setting: the #NMSetting8021x
1642 * Returns: the #NMSettingSecretFlags pertaining to the
1643 * #NMSetting8021x:pin
1645 NMSettingSecretFlags
1646 nm_setting_802_1x_get_pin_flags (NMSetting8021x *setting)
1648 g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NM_SETTING_SECRET_FLAG_NONE);
1650 return NM_SETTING_802_1X_GET_PRIVATE (setting)->pin_flags;
1654 * nm_setting_802_1x_get_private_key_scheme:
1655 * @setting: the #NMSetting8021x
1657 * Returns the scheme used to store the private key. If the returned scheme is
1658 * %NM_SETTING_802_1X_CK_SCHEME_BLOB, use
1659 * nm_setting_802_1x_get_client_cert_blob(); if
1660 * %NM_SETTING_802_1X_CK_SCHEME_PATH, use
1661 * nm_setting_802_1x_get_client_cert_path().
1663 * Returns: scheme used to store the private key (blob or path)
1665 NMSetting8021xCKScheme
1666 nm_setting_802_1x_get_private_key_scheme (NMSetting8021x *setting)
1668 g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NM_SETTING_802_1X_CK_SCHEME_UNKNOWN);
1670 return get_cert_scheme (NM_SETTING_802_1X_GET_PRIVATE (setting)->private_key);
1674 * nm_setting_802_1x_get_private_key_blob:
1675 * @setting: the #NMSetting8021x
1677 * Private keys are used to authenticate the connecting client to the network
1678 * when EAP-TLS is used as either the "phase 1" or "phase 2" 802.1x
1679 * authentication method.
1681 * WARNING: the private key property is not a "secret" property, and thus
1682 * unencrypted private key data may be readable by unprivileged users. Private
1683 * keys should always be encrypted with a private key password.
1685 * Returns: the private key data
1688 nm_setting_802_1x_get_private_key_blob (NMSetting8021x *setting)
1690 NMSetting8021xCKScheme scheme;
1692 g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);
1694 scheme = nm_setting_802_1x_get_private_key_scheme (setting);
1695 g_return_val_if_fail (scheme == NM_SETTING_802_1X_CK_SCHEME_BLOB, NULL);
1697 return NM_SETTING_802_1X_GET_PRIVATE (setting)->private_key;
1701 * nm_setting_802_1x_get_private_key_path:
1702 * @setting: the #NMSetting8021x
1704 * Private keys are used to authenticate the connecting client to the network
1705 * when EAP-TLS is used as either the "phase 1" or "phase 2" 802.1x
1706 * authentication method.
1708 * Returns: path to the private key file
1711 nm_setting_802_1x_get_private_key_path (NMSetting8021x *setting)
1713 NMSetting8021xCKScheme scheme;
1715 g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);
1717 scheme = nm_setting_802_1x_get_private_key_scheme (setting);
1718 g_return_val_if_fail (scheme == NM_SETTING_802_1X_CK_SCHEME_PATH, NULL);
1720 return (const char *) (NM_SETTING_802_1X_GET_PRIVATE (setting)->private_key->data + strlen (SCHEME_PATH));
1724 file_to_byte_array (const char *filename)
1727 GByteArray *array = NULL;
1730 if (g_file_get_contents (filename, &contents, &length, NULL)) {
1731 array = g_byte_array_sized_new (length);
1732 g_byte_array_append (array, (guint8 *) contents, length);
1733 g_assert (array->len == length);
1740 * nm_setting_802_1x_set_private_key:
1741 * @setting: the #NMSetting8021x
1742 * @key_path: when @scheme is set to either %NM_SETTING_802_1X_CK_SCHEME_PATH or
1743 * %NM_SETTING_802_1X_CK_SCHEME_BLOB, pass the path of the private key file
1744 * (PEM, DER, or PKCS#<!-- -->12 format). The path must be UTF-8 encoded; use
1745 * g_filename_to_utf8() to convert if needed. Passing %NULL with any @scheme
1746 * clears the private key.
1747 * @password: password used to decrypt the private key, or %NULL if the password
1748 * is unknown. If the password is given but fails to decrypt the private key,
1749 * an error is returned.
1750 * @scheme: desired storage scheme for the private key
1751 * @out_format: on successful return, the type of the private key added
1752 * @error: on unsuccessful return, an error
1754 * Private keys are used to authenticate the connecting client to the network
1755 * when EAP-TLS is used as either the "phase 1" or "phase 2" 802.1x
1756 * authentication method.
1758 * This function reads a private key from disk and sets the
1759 * #NMSetting8021x:private-key property with the private key file data if using
1760 * the %NM_SETTING_802_1X_CK_SCHEME_BLOB scheme, or with the path to the private
1761 * key file if using the %NM_SETTING_802_1X_CK_SCHEME_PATH scheme.
1763 * If @password is given, this function attempts to decrypt the private key to
1764 * verify that @password is correct, and if it is, updates the
1765 * #NMSetting8021x:private-key-password property with the given @password. If
1766 * the decryption is unsuccessful, %FALSE is returned, @error is set, and no
1767 * internal data is changed. If no @password is given, the private key is
1768 * assumed to be valid, no decryption is performed, and the password may be set
1771 * WARNING: the private key property is not a "secret" property, and thus
1772 * unencrypted private key data using the BLOB scheme may be readable by
1773 * unprivileged users. Private keys should always be encrypted with a private
1774 * key password to prevent unauthorized access to unencrypted private key data.
1776 * Returns: %TRUE if the operation succeeded, %FALSE if it was unsuccessful
1779 nm_setting_802_1x_set_private_key (NMSetting8021x *setting,
1780 const char *key_path,
1781 const char *password,
1782 NMSetting8021xCKScheme scheme,
1783 NMSetting8021xCKFormat *out_format,
1786 NMSetting8021xPrivate *priv;
1787 NMCryptoFileFormat format = NM_CRYPTO_FILE_FORMAT_UNKNOWN;
1788 gboolean key_cleared = FALSE, password_cleared = FALSE;
1789 GError *local_err = NULL;
1791 g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), FALSE);
1794 g_return_val_if_fail (g_utf8_validate (key_path, -1, NULL), FALSE);
1795 g_return_val_if_fail ( scheme == NM_SETTING_802_1X_CK_SCHEME_BLOB
1796 || scheme == NM_SETTING_802_1X_CK_SCHEME_PATH,
1801 g_return_val_if_fail (*out_format == NM_SETTING_802_1X_CK_FORMAT_UNKNOWN, FALSE);
1803 /* Ensure the private key is a recognized format and if the password was
1804 * given, that it decrypts the private key.
1807 format = crypto_verify_private_key (key_path, password, &local_err);
1808 if (format == NM_CRYPTO_FILE_FORMAT_UNKNOWN) {
1809 g_set_error_literal (error,
1810 NM_SETTING_802_1X_ERROR,
1811 NM_SETTING_802_1X_ERROR_INVALID_PROPERTY,
1812 local_err ? local_err->message : _("invalid private key"));
1813 g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_PRIVATE_KEY);
1814 g_clear_error (&local_err);
1819 priv = NM_SETTING_802_1X_GET_PRIVATE (setting);
1821 /* Clear out any previous private key data */
1822 if (priv->private_key) {
1823 /* Try not to leave the private key around in memory */
1824 memset (priv->private_key->data, 0, priv->private_key->len);
1825 g_byte_array_free (priv->private_key, TRUE);
1826 priv->private_key = NULL;
1830 if (priv->private_key_password) {
1831 g_free (priv->private_key_password);
1832 priv->private_key_password = NULL;
1833 password_cleared = TRUE;
1836 if (key_path == NULL) {
1838 g_object_notify (G_OBJECT (setting), NM_SETTING_802_1X_PRIVATE_KEY);
1839 if (password_cleared)
1840 g_object_notify (G_OBJECT (setting), NM_SETTING_802_1X_PRIVATE_KEY_PASSWORD);
1844 priv->private_key_password = g_strdup (password);
1845 if (scheme == NM_SETTING_802_1X_CK_SCHEME_BLOB) {
1846 /* Shouldn't fail this since we just verified the private key above */
1847 priv->private_key = file_to_byte_array (key_path);
1848 g_assert (priv->private_key);
1849 } else if (scheme == NM_SETTING_802_1X_CK_SCHEME_PATH)
1850 priv->private_key = path_to_scheme_value (key_path);
1852 g_assert_not_reached ();
1854 /* As required by NM and wpa_supplicant, set the client-cert
1855 * property to the same PKCS#12 data.
1857 g_assert (format != NM_CRYPTO_FILE_FORMAT_UNKNOWN);
1858 if (format == NM_CRYPTO_FILE_FORMAT_PKCS12) {
1859 if (priv->client_cert)
1860 g_byte_array_free (priv->client_cert, TRUE);
1862 priv->client_cert = g_byte_array_sized_new (priv->private_key->len);
1863 g_byte_array_append (priv->client_cert, priv->private_key->data, priv->private_key->len);
1864 g_object_notify (G_OBJECT (setting), NM_SETTING_802_1X_CLIENT_CERT);
1867 g_object_notify (G_OBJECT (setting), NM_SETTING_802_1X_PRIVATE_KEY);
1868 if (password_cleared || password)
1869 g_object_notify (G_OBJECT (setting), NM_SETTING_802_1X_PRIVATE_KEY_PASSWORD);
1872 *out_format = (NMSetting8021xCKFormat) format;
1873 return priv->private_key != NULL;
1877 * nm_setting_802_1x_get_private_key_password:
1878 * @setting: the #NMSetting8021x
1880 * Returns: the private key password used to decrypt the private key if
1881 * previously set with nm_setting_802_1x_set_private_key(), or the
1882 * #NMSetting8021x:private-key-password property.
1885 nm_setting_802_1x_get_private_key_password (NMSetting8021x *setting)
1887 g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);
1889 return NM_SETTING_802_1X_GET_PRIVATE (setting)->private_key_password;
1893 * nm_setting_802_1x_get_private_key_password_flags:
1894 * @setting: the #NMSetting8021x
1896 * Returns: the #NMSettingSecretFlags pertaining to the
1897 * #NMSetting8021x:private-key-password
1899 NMSettingSecretFlags
1900 nm_setting_802_1x_get_private_key_password_flags (NMSetting8021x *setting)
1902 g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NM_SETTING_SECRET_FLAG_NONE);
1904 return NM_SETTING_802_1X_GET_PRIVATE (setting)->private_key_password_flags;
1908 * nm_setting_802_1x_get_private_key_format:
1909 * @setting: the #NMSetting8021x
1911 * Returns: the data format of the private key data stored in the
1912 * #NMSetting8021x:private-key property
1914 NMSetting8021xCKFormat
1915 nm_setting_802_1x_get_private_key_format (NMSetting8021x *setting)
1917 NMSetting8021xPrivate *priv;
1919 GError *error = NULL;
1921 g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NM_SETTING_802_1X_CK_FORMAT_UNKNOWN);
1922 priv = NM_SETTING_802_1X_GET_PRIVATE (setting);
1924 if (!priv->private_key)
1925 return NM_SETTING_802_1X_CK_FORMAT_UNKNOWN;
1927 switch (nm_setting_802_1x_get_private_key_scheme (setting)) {
1928 case NM_SETTING_802_1X_CK_SCHEME_BLOB:
1929 if (crypto_is_pkcs12_data (priv->private_key))
1930 return NM_SETTING_802_1X_CK_FORMAT_PKCS12;
1931 return NM_SETTING_802_1X_CK_FORMAT_RAW_KEY;
1932 case NM_SETTING_802_1X_CK_SCHEME_PATH:
1933 path = nm_setting_802_1x_get_private_key_path (setting);
1934 if (crypto_is_pkcs12_file (path, &error))
1935 return NM_SETTING_802_1X_CK_FORMAT_PKCS12;
1937 /* Couldn't read the file or something */
1938 g_error_free (error);
1939 return NM_SETTING_802_1X_CK_FORMAT_UNKNOWN;
1941 return NM_SETTING_802_1X_CK_FORMAT_RAW_KEY;
1946 return NM_SETTING_802_1X_CK_FORMAT_UNKNOWN;
1950 * nm_setting_802_1x_get_phase2_private_key_password:
1951 * @setting: the #NMSetting8021x
1953 * Returns: the private key password used to decrypt the private key if
1954 * previously set with nm_setting_802_1x_set_phase2_private_key() or the
1955 * #NMSetting8021x:phase2-private-key-password property.
1958 nm_setting_802_1x_get_phase2_private_key_password (NMSetting8021x *setting)
1960 g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);
1962 return NM_SETTING_802_1X_GET_PRIVATE (setting)->phase2_private_key_password;
1966 * nm_setting_802_1x_get_phase2_private_key_password_flags:
1967 * @setting: the #NMSetting8021x
1969 * Returns: the #NMSettingSecretFlags pertaining to the
1970 * #NMSetting8021x:phase2-private-key-password
1972 NMSettingSecretFlags
1973 nm_setting_802_1x_get_phase2_private_key_password_flags (NMSetting8021x *setting)
1975 g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NM_SETTING_SECRET_FLAG_NONE);
1977 return NM_SETTING_802_1X_GET_PRIVATE (setting)->phase2_private_key_password_flags;
1981 * nm_setting_802_1x_get_phase2_private_key_scheme:
1982 * @setting: the #NMSetting8021x
1984 * Returns the scheme used to store the "phase 2" private key. If the returned
1985 * scheme is %NM_SETTING_802_1X_CK_SCHEME_BLOB, use
1986 * nm_setting_802_1x_get_client_cert_blob(); if
1987 * %NM_SETTING_802_1X_CK_SCHEME_PATH, use
1988 * nm_setting_802_1x_get_client_cert_path().
1990 * Returns: scheme used to store the "phase 2" private key (blob or path)
1992 NMSetting8021xCKScheme
1993 nm_setting_802_1x_get_phase2_private_key_scheme (NMSetting8021x *setting)
1995 g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NM_SETTING_802_1X_CK_SCHEME_UNKNOWN);
1997 return get_cert_scheme (NM_SETTING_802_1X_GET_PRIVATE (setting)->phase2_private_key);
2001 * nm_setting_802_1x_get_phase2_private_key_blob:
2002 * @setting: the #NMSetting8021x
2004 * Private keys are used to authenticate the connecting client to the network
2005 * when EAP-TLS is used as either the "phase 1" or "phase 2" 802.1x
2006 * authentication method.
2008 * WARNING: the phase2 private key property is not a "secret" property, and thus
2009 * unencrypted private key data may be readable by unprivileged users. Private
2010 * keys should always be encrypted with a private key password.
2012 * Returns: the "phase 2" private key data
2015 nm_setting_802_1x_get_phase2_private_key_blob (NMSetting8021x *setting)
2017 NMSetting8021xCKScheme scheme;
2019 g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);
2021 scheme = nm_setting_802_1x_get_phase2_private_key_scheme (setting);
2022 g_return_val_if_fail (scheme == NM_SETTING_802_1X_CK_SCHEME_BLOB, NULL);
2024 return NM_SETTING_802_1X_GET_PRIVATE (setting)->phase2_private_key;
2028 * nm_setting_802_1x_get_phase2_private_key_path:
2029 * @setting: the #NMSetting8021x
2031 * Private keys are used to authenticate the connecting client to the network
2032 * when EAP-TLS is used as either the "phase 1" or "phase 2" 802.1x
2033 * authentication method.
2035 * Returns: path to the "phase 2" private key file
2038 nm_setting_802_1x_get_phase2_private_key_path (NMSetting8021x *setting)
2040 NMSetting8021xCKScheme scheme;
2042 g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);
2044 scheme = nm_setting_802_1x_get_phase2_private_key_scheme (setting);
2045 g_return_val_if_fail (scheme == NM_SETTING_802_1X_CK_SCHEME_PATH, NULL);
2047 return (const char *) (NM_SETTING_802_1X_GET_PRIVATE (setting)->phase2_private_key->data + strlen (SCHEME_PATH));
2051 * nm_setting_802_1x_set_phase2_private_key:
2052 * @setting: the #NMSetting8021x
2053 * @key_path: when @scheme is set to either %NM_SETTING_802_1X_CK_SCHEME_PATH or
2054 * %NM_SETTING_802_1X_CK_SCHEME_BLOB, pass the path of the "phase2" private
2055 * key file (PEM, DER, or PKCS#<!-- -->12 format). The path must be UTF-8 encoded;
2056 * use g_filename_to_utf8() to convert if needed. Passing %NULL with any
2057 * @scheme clears the private key.
2058 * @password: password used to decrypt the private key, or %NULL if the password
2059 * is unknown. If the password is given but fails to decrypt the private key,
2060 * an error is returned.
2061 * @scheme: desired storage scheme for the private key
2062 * @out_format: on successful return, the type of the private key added
2063 * @error: on unsuccessful return, an error
2065 * Private keys are used to authenticate the connecting client to the network
2066 * when EAP-TLS is used as either the "phase 1" or "phase 2" 802.1x
2067 * authentication method.
2069 * This function reads a private key from disk and sets the
2070 * #NMSetting8021x:phase2-private-key property with the private key file data if
2071 * using the %NM_SETTING_802_1X_CK_SCHEME_BLOB scheme, or with the path to the
2072 * private key file if using the %NM_SETTING_802_1X_CK_SCHEME_PATH scheme.
2074 * If @password is given, this function attempts to decrypt the private key to
2075 * verify that @password is correct, and if it is, updates the
2076 * #NMSetting8021x:phase2-private-key-password property with the given
2077 * @password. If the decryption is unsuccessful, %FALSE is returned, @error is
2078 * set, and no internal data is changed. If no @password is given, the private
2079 * key is assumed to be valid, no decryption is performed, and the password may
2080 * be set at a later time.
2082 * WARNING: the "phase2" private key property is not a "secret" property, and
2083 * thus unencrypted private key data using the BLOB scheme may be readable by
2084 * unprivileged users. Private keys should always be encrypted with a private
2085 * key password to prevent unauthorized access to unencrypted private key data.
2087 * Returns: %TRUE if the operation succeeded, %FALSE if it was unsuccessful
2090 nm_setting_802_1x_set_phase2_private_key (NMSetting8021x *setting,
2091 const char *key_path,
2092 const char *password,
2093 NMSetting8021xCKScheme scheme,
2094 NMSetting8021xCKFormat *out_format,
2097 NMSetting8021xPrivate *priv;
2098 NMCryptoFileFormat format = NM_CRYPTO_FILE_FORMAT_UNKNOWN;
2099 gboolean key_cleared = FALSE, password_cleared = FALSE;
2100 GError *local_err = NULL;
2102 g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), FALSE);
2105 g_return_val_if_fail (g_utf8_validate (key_path, -1, NULL), FALSE);
2106 g_return_val_if_fail ( scheme == NM_SETTING_802_1X_CK_SCHEME_BLOB
2107 || scheme == NM_SETTING_802_1X_CK_SCHEME_PATH,
2112 g_return_val_if_fail (*out_format == NM_SETTING_802_1X_CK_FORMAT_UNKNOWN, FALSE);
2114 /* Ensure the private key is a recognized format and if the password was
2115 * given, that it decrypts the private key.
2118 format = crypto_verify_private_key (key_path, password, &local_err);
2119 if (format == NM_CRYPTO_FILE_FORMAT_UNKNOWN) {
2120 g_set_error_literal (error,
2121 NM_SETTING_802_1X_ERROR,
2122 NM_SETTING_802_1X_ERROR_INVALID_PROPERTY,
2123 local_err ? local_err->message : _("invalid phase2 private key"));
2124 g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_PHASE2_PRIVATE_KEY);
2125 g_clear_error (&local_err);
2130 priv = NM_SETTING_802_1X_GET_PRIVATE (setting);
2132 /* Clear out any previous private key data */
2133 if (priv->phase2_private_key) {
2134 /* Try not to leave the private key around in memory */
2135 memset (priv->phase2_private_key->data, 0, priv->phase2_private_key->len);
2136 g_byte_array_free (priv->phase2_private_key, TRUE);
2137 priv->phase2_private_key = NULL;
2141 if (priv->phase2_private_key_password) {
2142 g_free (priv->phase2_private_key_password);
2143 priv->phase2_private_key_password = NULL;
2144 password_cleared = TRUE;
2147 if (key_path == NULL) {
2149 g_object_notify (G_OBJECT (setting), NM_SETTING_802_1X_PHASE2_PRIVATE_KEY);
2150 if (password_cleared)
2151 g_object_notify (G_OBJECT (setting), NM_SETTING_802_1X_PHASE2_PRIVATE_KEY_PASSWORD);
2155 priv->phase2_private_key_password = g_strdup (password);
2156 if (scheme == NM_SETTING_802_1X_CK_SCHEME_BLOB) {
2157 /* Shouldn't fail this since we just verified the private key above */
2158 priv->phase2_private_key = file_to_byte_array (key_path);
2159 g_assert (priv->phase2_private_key);
2160 } else if (scheme == NM_SETTING_802_1X_CK_SCHEME_PATH)
2161 priv->phase2_private_key = path_to_scheme_value (key_path);
2163 g_assert_not_reached ();
2165 /* As required by NM and wpa_supplicant, set the client-cert
2166 * property to the same PKCS#12 data.
2168 g_assert (format != NM_CRYPTO_FILE_FORMAT_UNKNOWN);
2169 if (format == NM_CRYPTO_FILE_FORMAT_PKCS12) {
2170 if (priv->phase2_client_cert)
2171 g_byte_array_free (priv->phase2_client_cert, TRUE);
2173 priv->phase2_client_cert = g_byte_array_sized_new (priv->phase2_private_key->len);
2174 g_byte_array_append (priv->phase2_client_cert, priv->phase2_private_key->data, priv->phase2_private_key->len);
2175 g_object_notify (G_OBJECT (setting), NM_SETTING_802_1X_PHASE2_CLIENT_CERT);
2178 g_object_notify (G_OBJECT (setting), NM_SETTING_802_1X_PHASE2_PRIVATE_KEY);
2179 if (password_cleared || password)
2180 g_object_notify (G_OBJECT (setting), NM_SETTING_802_1X_PHASE2_PRIVATE_KEY_PASSWORD);
2183 *out_format = (NMSetting8021xCKFormat) format;
2184 return priv->phase2_private_key != NULL;
2188 * nm_setting_802_1x_get_phase2_private_key_format:
2189 * @setting: the #NMSetting8021x
2191 * Returns: the data format of the "phase 2" private key data stored in the
2192 * #NMSetting8021x:phase2-private-key property
2194 NMSetting8021xCKFormat
2195 nm_setting_802_1x_get_phase2_private_key_format (NMSetting8021x *setting)
2197 NMSetting8021xPrivate *priv;
2199 GError *error = NULL;
2201 g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NM_SETTING_802_1X_CK_FORMAT_UNKNOWN);
2202 priv = NM_SETTING_802_1X_GET_PRIVATE (setting);
2204 if (!priv->phase2_private_key)
2205 return NM_SETTING_802_1X_CK_FORMAT_UNKNOWN;
2207 switch (nm_setting_802_1x_get_phase2_private_key_scheme (setting)) {
2208 case NM_SETTING_802_1X_CK_SCHEME_BLOB:
2209 if (crypto_is_pkcs12_data (priv->phase2_private_key))
2210 return NM_SETTING_802_1X_CK_FORMAT_PKCS12;
2211 return NM_SETTING_802_1X_CK_FORMAT_RAW_KEY;
2212 case NM_SETTING_802_1X_CK_SCHEME_PATH:
2213 path = nm_setting_802_1x_get_phase2_private_key_path (setting);
2214 if (crypto_is_pkcs12_file (path, &error))
2215 return NM_SETTING_802_1X_CK_FORMAT_PKCS12;
2217 /* Couldn't read the file or something */
2218 g_error_free (error);
2219 return NM_SETTING_802_1X_CK_FORMAT_UNKNOWN;
2221 return NM_SETTING_802_1X_CK_FORMAT_RAW_KEY;
2226 return NM_SETTING_802_1X_CK_FORMAT_UNKNOWN;
2230 need_secrets_password (NMSetting8021x *self,
2234 NMSetting8021xPrivate *priv = NM_SETTING_802_1X_GET_PRIVATE (self);
2236 if ( (!priv->password || !strlen (priv->password))
2237 && (!priv->password_raw || !priv->password_raw->len)) {
2238 g_ptr_array_add (secrets, NM_SETTING_802_1X_PASSWORD);
2239 g_ptr_array_add (secrets, NM_SETTING_802_1X_PASSWORD_RAW);
2244 need_secrets_sim (NMSetting8021x *self,
2248 NMSetting8021xPrivate *priv = NM_SETTING_802_1X_GET_PRIVATE (self);
2250 if (!priv->pin || !strlen (priv->pin))
2251 g_ptr_array_add (secrets, NM_SETTING_802_1X_PIN);
2255 need_private_key_password (const GByteArray *blob,
2257 const char *password)
2259 NMCryptoFileFormat format = NM_CRYPTO_FILE_FORMAT_UNKNOWN;
2261 /* Private key password is required */
2264 format = crypto_verify_private_key (path, password, NULL);
2266 format = crypto_verify_private_key_data (blob, password, NULL);
2268 g_warning ("%s: unknown private key password scheme", __func__);
2271 return (format == NM_CRYPTO_FILE_FORMAT_UNKNOWN);
2275 need_secrets_tls (NMSetting8021x *self,
2279 NMSetting8021xPrivate *priv = NM_SETTING_802_1X_GET_PRIVATE (self);
2280 NMSetting8021xCKScheme scheme;
2281 const GByteArray *blob = NULL;
2282 const char *path = NULL;
2285 scheme = nm_setting_802_1x_get_phase2_private_key_scheme (self);
2286 if (scheme == NM_SETTING_802_1X_CK_SCHEME_PATH)
2287 path = nm_setting_802_1x_get_phase2_private_key_path (self);
2288 else if (scheme == NM_SETTING_802_1X_CK_SCHEME_BLOB)
2289 blob = nm_setting_802_1x_get_phase2_private_key_blob (self);
2291 g_warning ("%s: unknown phase2 private key scheme %d", __func__, scheme);
2292 g_ptr_array_add (secrets, NM_SETTING_802_1X_PHASE2_PRIVATE_KEY);
2296 if (need_private_key_password (blob, path, priv->phase2_private_key_password))
2297 g_ptr_array_add (secrets, NM_SETTING_802_1X_PHASE2_PRIVATE_KEY_PASSWORD);
2299 scheme = nm_setting_802_1x_get_private_key_scheme (self);
2300 if (scheme == NM_SETTING_802_1X_CK_SCHEME_PATH)
2301 path = nm_setting_802_1x_get_private_key_path (self);
2302 else if (scheme == NM_SETTING_802_1X_CK_SCHEME_BLOB)
2303 blob = nm_setting_802_1x_get_private_key_blob (self);
2305 g_warning ("%s: unknown private key scheme %d", __func__, scheme);
2306 g_ptr_array_add (secrets, NM_SETTING_802_1X_PRIVATE_KEY);
2310 if (need_private_key_password (blob, path, priv->private_key_password))
2311 g_ptr_array_add (secrets, NM_SETTING_802_1X_PRIVATE_KEY_PASSWORD);
2316 verify_tls (NMSetting8021x *self, gboolean phase2, GError **error)
2318 NMSetting8021xPrivate *priv = NM_SETTING_802_1X_GET_PRIVATE (self);
2321 if (!priv->phase2_client_cert) {
2322 g_set_error_literal (error,
2323 NM_SETTING_802_1X_ERROR,
2324 NM_SETTING_802_1X_ERROR_MISSING_PROPERTY,
2325 _("property is missing"));
2326 g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_PHASE2_CLIENT_CERT);
2328 } else if (!priv->phase2_client_cert->len) {
2329 g_set_error_literal (error,
2330 NM_SETTING_802_1X_ERROR,
2331 NM_SETTING_802_1X_ERROR_INVALID_PROPERTY,
2332 _("property is empty"));
2333 g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_PHASE2_CLIENT_CERT);
2337 /* Private key is required for TLS */
2338 if (!priv->phase2_private_key) {
2339 g_set_error_literal (error,
2340 NM_SETTING_802_1X_ERROR,
2341 NM_SETTING_802_1X_ERROR_MISSING_PROPERTY,
2342 _("property is missing"));
2343 g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_PHASE2_PRIVATE_KEY);
2345 } else if (!priv->phase2_private_key->len) {
2346 g_set_error_literal (error,
2347 NM_SETTING_802_1X_ERROR,
2348 NM_SETTING_802_1X_ERROR_INVALID_PROPERTY,
2349 _("property is empty"));
2350 g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_PHASE2_PRIVATE_KEY);
2354 /* If the private key is PKCS#12, check that it matches the client cert */
2355 if (crypto_is_pkcs12_data (priv->phase2_private_key)) {
2356 if (priv->phase2_private_key->len != priv->phase2_client_cert->len) {
2358 NM_SETTING_802_1X_ERROR,
2359 NM_SETTING_802_1X_ERROR_INVALID_PROPERTY,
2360 _("has to match '%s' property for PKCS#12"),
2361 NM_SETTING_802_1X_PHASE2_PRIVATE_KEY);
2362 g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_PHASE2_CLIENT_CERT);
2366 if (memcmp (priv->phase2_private_key->data,
2367 priv->phase2_client_cert->data,
2368 priv->phase2_private_key->len)) {
2370 NM_SETTING_802_1X_ERROR,
2371 NM_SETTING_802_1X_ERROR_INVALID_PROPERTY,
2372 _("has to match '%s' property for PKCS#12"),
2373 NM_SETTING_802_1X_PHASE2_PRIVATE_KEY);
2374 g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_PHASE2_CLIENT_CERT);
2379 if (!priv->client_cert) {
2380 g_set_error_literal (error,
2381 NM_SETTING_802_1X_ERROR,
2382 NM_SETTING_802_1X_ERROR_MISSING_PROPERTY,
2383 _("property is missing"));
2384 g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_CLIENT_CERT);
2386 } else if (!priv->client_cert->len) {
2387 g_set_error_literal (error,
2388 NM_SETTING_802_1X_ERROR,
2389 NM_SETTING_802_1X_ERROR_INVALID_PROPERTY,
2390 _("property is empty"));
2391 g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_CLIENT_CERT);
2395 /* Private key is required for TLS */
2396 if (!priv->private_key) {
2397 g_set_error_literal (error,
2398 NM_SETTING_802_1X_ERROR,
2399 NM_SETTING_802_1X_ERROR_MISSING_PROPERTY,
2400 _("property is missing"));
2401 g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_PRIVATE_KEY);
2403 } else if (!priv->private_key->len) {
2404 g_set_error_literal (error,
2405 NM_SETTING_802_1X_ERROR,
2406 NM_SETTING_802_1X_ERROR_INVALID_PROPERTY,
2407 _("property is empty"));
2408 g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_PRIVATE_KEY);
2412 /* If the private key is PKCS#12, check that it matches the client cert */
2413 if (crypto_is_pkcs12_data (priv->private_key)) {
2414 if (priv->private_key->len != priv->client_cert->len) {
2416 NM_SETTING_802_1X_ERROR,
2417 NM_SETTING_802_1X_ERROR_INVALID_PROPERTY,
2418 _("has to match '%s' property for PKCS#12"),
2419 NM_SETTING_802_1X_PRIVATE_KEY);
2420 g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_CLIENT_CERT);
2424 if (memcmp (priv->private_key->data,
2425 priv->client_cert->data,
2426 priv->private_key->len)) {
2428 NM_SETTING_802_1X_ERROR,
2429 NM_SETTING_802_1X_ERROR_INVALID_PROPERTY,
2430 _("has to match '%s' property for PKCS#12"),
2431 NM_SETTING_802_1X_PRIVATE_KEY);
2432 g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_CLIENT_CERT);
2442 verify_ttls (NMSetting8021x *self, gboolean phase2, GError **error)
2444 NMSetting8021xPrivate *priv = NM_SETTING_802_1X_GET_PRIVATE (self);
2446 if ( (!priv->identity || !strlen (priv->identity))
2447 && (!priv->anonymous_identity || !strlen (priv->anonymous_identity))) {
2448 if (!priv->identity) {
2449 g_set_error_literal (error,
2450 NM_SETTING_802_1X_ERROR,
2451 NM_SETTING_802_1X_ERROR_MISSING_PROPERTY,
2452 _("property is missing"));
2453 g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_IDENTITY);
2454 } else if (!strlen (priv->identity)) {
2455 g_set_error_literal (error,
2456 NM_SETTING_802_1X_ERROR,
2457 NM_SETTING_802_1X_ERROR_INVALID_PROPERTY,
2458 _("property is empty"));
2459 g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_IDENTITY);
2460 } else if (!priv->anonymous_identity) {
2461 g_set_error_literal (error,
2462 NM_SETTING_802_1X_ERROR,
2463 NM_SETTING_802_1X_ERROR_MISSING_PROPERTY,
2464 _("property is missing"));
2465 g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_ANONYMOUS_IDENTITY);
2467 g_set_error_literal (error,
2468 NM_SETTING_802_1X_ERROR,
2469 NM_SETTING_802_1X_ERROR_INVALID_PROPERTY,
2470 _("property is empty"));
2471 g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_ANONYMOUS_IDENTITY);
2476 if ( (!priv->phase2_auth || !strlen (priv->phase2_auth))
2477 && (!priv->phase2_autheap || !strlen (priv->phase2_autheap))) {
2478 if (!priv->phase2_auth) {
2479 g_set_error_literal (error,
2480 NM_SETTING_802_1X_ERROR,
2481 NM_SETTING_802_1X_ERROR_MISSING_PROPERTY,
2482 _("property is missing"));
2483 g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_PHASE2_AUTH);
2484 } else if (!strlen (priv->phase2_auth)) {
2485 g_set_error_literal (error,
2486 NM_SETTING_802_1X_ERROR,
2487 NM_SETTING_802_1X_ERROR_INVALID_PROPERTY,
2488 _("property is empty"));
2489 g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_PHASE2_AUTH);
2490 } else if (!priv->phase2_autheap) {
2491 g_set_error_literal (error,
2492 NM_SETTING_802_1X_ERROR,
2493 NM_SETTING_802_1X_ERROR_MISSING_PROPERTY,
2494 _("property is missing"));
2495 g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_PHASE2_AUTHEAP);
2497 g_set_error_literal (error,
2498 NM_SETTING_802_1X_ERROR,
2499 NM_SETTING_802_1X_ERROR_INVALID_PROPERTY,
2500 _("property is empty"));
2501 g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_PHASE2_AUTHEAP);
2510 verify_identity (NMSetting8021x *self, gboolean phase2, GError **error)
2512 NMSetting8021xPrivate *priv = NM_SETTING_802_1X_GET_PRIVATE (self);
2514 if (!priv->identity) {
2515 g_set_error_literal (error,
2516 NM_SETTING_802_1X_ERROR,
2517 NM_SETTING_802_1X_ERROR_MISSING_PROPERTY,
2518 _("property is missing"));
2519 g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_IDENTITY);
2521 } else if (!strlen (priv->identity)) {
2522 g_set_error_literal (error,
2523 NM_SETTING_802_1X_ERROR,
2524 NM_SETTING_802_1X_ERROR_INVALID_PROPERTY,
2525 _("property is empty"));
2526 g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_IDENTITY);
2533 /* Implemented below... */
2534 static void need_secrets_phase2 (NMSetting8021x *self,
2539 typedef void (*EAPMethodNeedSecretsFunc) (NMSetting8021x *self,
2543 typedef gboolean (*EAPMethodValidateFunc)(NMSetting8021x *self,
2549 EAPMethodNeedSecretsFunc ns_func;
2550 EAPMethodValidateFunc v_func;
2553 static EAPMethodsTable eap_methods_table[] = {
2554 { "leap", need_secrets_password, verify_identity },
2555 { "pwd", need_secrets_password, verify_identity },
2556 { "md5", need_secrets_password, verify_identity },
2557 { "pap", need_secrets_password, verify_identity },
2558 { "chap", need_secrets_password, verify_identity },
2559 { "mschap", need_secrets_password, verify_identity },
2560 { "mschapv2", need_secrets_password, verify_identity },
2561 { "fast", need_secrets_password, verify_identity },
2562 { "tls", need_secrets_tls, verify_tls },
2563 { "peap", need_secrets_phase2, verify_ttls },
2564 { "ttls", need_secrets_phase2, verify_ttls },
2565 { "sim", need_secrets_sim, NULL },
2566 { "gtc", need_secrets_password, verify_identity },
2567 { "otp", NULL, NULL }, // FIXME: implement
2568 { NULL, NULL, NULL }
2572 need_secrets_phase2 (NMSetting8021x *self,
2576 NMSetting8021xPrivate *priv = NM_SETTING_802_1X_GET_PRIVATE (self);
2577 char *method = NULL;
2580 g_return_if_fail (phase2 == FALSE);
2582 /* Check phase2_auth and phase2_autheap */
2583 method = priv->phase2_auth;
2584 if (!method && priv->phase2_autheap)
2585 method = priv->phase2_autheap;
2588 g_warning ("Couldn't find EAP method.");
2589 g_assert_not_reached();
2593 /* Ask the configured phase2 method if it needs secrets */
2594 for (i = 0; eap_methods_table[i].method; i++) {
2595 if (eap_methods_table[i].ns_func == NULL)
2597 if (!strcmp (eap_methods_table[i].method, method)) {
2598 (*eap_methods_table[i].ns_func) (self, secrets, TRUE);
2606 need_secrets (NMSetting *setting)
2608 NMSetting8021x *self = NM_SETTING_802_1X (setting);
2609 NMSetting8021xPrivate *priv = NM_SETTING_802_1X_GET_PRIVATE (self);
2612 gboolean eap_method_found = FALSE;
2614 secrets = g_ptr_array_sized_new (4);
2616 /* Ask each configured EAP method if it needs secrets */
2617 for (iter = priv->eap; iter && !eap_method_found; iter = g_slist_next (iter)) {
2618 const char *method = (const char *) iter->data;
2621 for (i = 0; eap_methods_table[i].method; i++) {
2622 if (eap_methods_table[i].ns_func == NULL)
2624 if (!strcmp (eap_methods_table[i].method, method)) {
2625 (*eap_methods_table[i].ns_func) (self, secrets, FALSE);
2627 /* Only break out of the outer loop if this EAP method
2630 if (secrets->len > 0)
2631 eap_method_found = TRUE;
2637 if (secrets->len == 0) {
2638 g_ptr_array_free (secrets, TRUE);
2646 verify_cert (GByteArray *array, const char *prop_name, GError **error)
2649 || get_cert_scheme (array) != NM_SETTING_802_1X_CK_SCHEME_UNKNOWN)
2652 g_set_error_literal (error,
2653 NM_SETTING_802_1X_ERROR,
2654 NM_SETTING_802_1X_ERROR_INVALID_PROPERTY,
2655 _("property is invalid"));
2656 g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, prop_name);
2661 verify (NMSetting *setting, GSList *all_settings, GError **error)
2663 NMSetting8021x *self = NM_SETTING_802_1X (setting);
2664 NMSetting8021xPrivate *priv = NM_SETTING_802_1X_GET_PRIVATE (self);
2665 const char *valid_eap[] = { "leap", "md5", "tls", "peap", "ttls", "sim", "fast", "pwd", NULL };
2666 const char *valid_phase1_peapver[] = { "0", "1", NULL };
2667 const char *valid_phase1_peaplabel[] = { "0", "1", NULL };
2668 const char *valid_phase1_fast_pac[] = { "0", "1", "2", "3", NULL };
2669 const char *valid_phase2_auth[] = { "pap", "chap", "mschap", "mschapv2", "gtc", "otp", "md5", "tls", NULL };
2670 const char *valid_phase2_autheap[] = { "md5", "mschapv2", "otp", "gtc", "tls", NULL };
2674 g_return_val_if_fail (*error == NULL, FALSE);
2677 g_set_error_literal (error,
2678 NM_SETTING_802_1X_ERROR,
2679 NM_SETTING_802_1X_ERROR_MISSING_PROPERTY,
2680 _("property is missing"));
2681 g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_EAP);
2685 if (!_nm_utils_string_slist_validate (priv->eap, valid_eap)) {
2686 g_set_error_literal (error,
2687 NM_SETTING_802_1X_ERROR,
2688 NM_SETTING_802_1X_ERROR_INVALID_PROPERTY,
2689 _("property is invalid"));
2690 g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_EAP);
2694 /* Ask each configured EAP method if its valid */
2695 for (iter = priv->eap; iter; iter = g_slist_next (iter)) {
2696 const char *method = (const char *) iter->data;
2699 for (i = 0; eap_methods_table[i].method; i++) {
2700 if (eap_methods_table[i].v_func == NULL)
2702 if (!strcmp (eap_methods_table[i].method, method)) {
2703 if (!(*eap_methods_table[i].v_func) (self, FALSE, error))
2710 if (priv->phase1_peapver && !_nm_utils_string_in_list (priv->phase1_peapver, valid_phase1_peapver)) {
2712 NM_SETTING_802_1X_ERROR,
2713 NM_SETTING_802_1X_ERROR_INVALID_PROPERTY,
2714 _("'%s' is not a valid value for the property"),
2715 priv->phase1_peapver);
2716 g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_PHASE1_PEAPVER);
2720 if (priv->phase1_peaplabel && !_nm_utils_string_in_list (priv->phase1_peaplabel, valid_phase1_peaplabel)) {
2722 NM_SETTING_802_1X_ERROR,
2723 NM_SETTING_802_1X_ERROR_INVALID_PROPERTY,
2724 _("'%s' is not a valid value for the property"),
2725 priv->phase1_peaplabel);
2726 g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_PHASE1_PEAPLABEL);
2730 if (priv->phase1_fast_provisioning && !_nm_utils_string_in_list (priv->phase1_fast_provisioning, valid_phase1_fast_pac)) {
2732 NM_SETTING_802_1X_ERROR,
2733 NM_SETTING_802_1X_ERROR_INVALID_PROPERTY,
2734 _("'%s' is not a valid value for the property"),
2735 priv->phase1_fast_provisioning);
2736 g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_PHASE1_FAST_PROVISIONING);
2740 if (priv->phase2_auth && !_nm_utils_string_in_list (priv->phase2_auth, valid_phase2_auth)) {
2742 NM_SETTING_802_1X_ERROR,
2743 NM_SETTING_802_1X_ERROR_INVALID_PROPERTY,
2744 _("'%s' is not a valid value for the property"),
2746 g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_PHASE2_AUTH);
2750 if (priv->phase2_autheap && !_nm_utils_string_in_list (priv->phase2_autheap, valid_phase2_autheap)) {
2752 NM_SETTING_802_1X_ERROR,
2753 NM_SETTING_802_1X_ERROR_INVALID_PROPERTY,
2754 _("'%s' is not a valid value for the property"),
2755 priv->phase2_autheap);
2756 g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_PHASE2_AUTHEAP);
2760 if (!verify_cert (priv->ca_cert, NM_SETTING_802_1X_CA_CERT, error))
2762 if (!verify_cert (priv->phase2_ca_cert, NM_SETTING_802_1X_PHASE2_CA_CERT, error))
2765 if (!verify_cert (priv->client_cert, NM_SETTING_802_1X_CLIENT_CERT, error))
2767 if (!verify_cert (priv->phase2_client_cert, NM_SETTING_802_1X_PHASE2_CLIENT_CERT, error))
2770 if (!verify_cert (priv->private_key, NM_SETTING_802_1X_PRIVATE_KEY, error))
2772 if (!verify_cert (priv->phase2_private_key, NM_SETTING_802_1X_PHASE2_PRIVATE_KEY, error))
2781 nm_setting_802_1x_init (NMSetting8021x *setting)
2786 finalize (GObject *object)
2788 NMSetting8021x *self = NM_SETTING_802_1X (object);
2789 NMSetting8021xPrivate *priv = NM_SETTING_802_1X_GET_PRIVATE (self);
2791 /* Strings first. g_free() already checks for NULLs so we don't have to */
2793 g_free (priv->identity);
2794 g_free (priv->anonymous_identity);
2795 g_free (priv->ca_path);
2796 g_free (priv->subject_match);
2797 g_free (priv->phase1_peapver);
2798 g_free (priv->phase1_peaplabel);
2799 g_free (priv->phase1_fast_provisioning);
2800 g_free (priv->phase2_auth);
2801 g_free (priv->phase2_autheap);
2802 g_free (priv->phase2_ca_path);
2803 g_free (priv->phase2_subject_match);
2804 g_free (priv->password);
2805 if (priv->password_raw)
2806 g_byte_array_free (priv->password_raw, TRUE);
2809 g_slist_free_full (priv->eap, g_free);
2810 g_slist_free_full (priv->altsubject_matches, g_free);
2811 g_slist_free_full (priv->phase2_altsubject_matches, g_free);
2814 g_byte_array_free (priv->ca_cert, TRUE);
2815 if (priv->client_cert)
2816 g_byte_array_free (priv->client_cert, TRUE);
2817 if (priv->private_key)
2818 g_byte_array_free (priv->private_key, TRUE);
2819 g_free (priv->private_key_password);
2820 if (priv->phase2_ca_cert)
2821 g_byte_array_free (priv->phase2_ca_cert, TRUE);
2822 if (priv->phase2_client_cert)
2823 g_byte_array_free (priv->phase2_client_cert, TRUE);
2824 if (priv->phase2_private_key)
2825 g_byte_array_free (priv->phase2_private_key, TRUE);
2826 g_free (priv->phase2_private_key_password);
2828 G_OBJECT_CLASS (nm_setting_802_1x_parent_class)->finalize (object);
2832 set_cert_prop_helper (const GValue *value, const char *prop_name, GError **error)
2835 GByteArray *data = NULL;
2837 data = g_value_dup_boxed (value);
2838 /* Verify the new data */
2840 valid = verify_cert (data, prop_name, error);
2842 g_byte_array_free (data, TRUE);
2850 set_property (GObject *object, guint prop_id,
2851 const GValue *value, GParamSpec *pspec)
2853 NMSetting8021x *setting = NM_SETTING_802_1X (object);
2854 NMSetting8021xPrivate *priv = NM_SETTING_802_1X_GET_PRIVATE (setting);
2855 GError *error = NULL;
2859 g_slist_free_full (priv->eap, g_free);
2860 priv->eap = g_value_dup_boxed (value);
2863 g_free (priv->identity);
2864 priv->identity = g_value_dup_string (value);
2866 case PROP_ANONYMOUS_IDENTITY:
2867 g_free (priv->anonymous_identity);
2868 priv->anonymous_identity = g_value_dup_string (value);
2871 g_free (priv->pac_file);
2872 priv->pac_file = g_value_dup_string (value);
2875 if (priv->ca_cert) {
2876 g_byte_array_free (priv->ca_cert, TRUE);
2877 priv->ca_cert = NULL;
2879 priv->ca_cert = set_cert_prop_helper (value, NM_SETTING_802_1X_CA_CERT, &error);
2881 g_warning ("Error setting certificate (invalid data): %s",
2883 g_error_free (error);
2887 g_free (priv->ca_path);
2888 priv->ca_path = g_value_dup_string (value);
2890 case PROP_SUBJECT_MATCH:
2891 g_free (priv->subject_match);
2892 priv->subject_match = g_value_dup_string (value);
2894 case PROP_ALTSUBJECT_MATCHES:
2895 g_slist_free_full (priv->altsubject_matches, g_free);
2896 priv->altsubject_matches = g_value_dup_boxed (value);
2898 case PROP_CLIENT_CERT:
2899 if (priv->client_cert) {
2900 g_byte_array_free (priv->client_cert, TRUE);
2901 priv->client_cert = NULL;
2903 priv->client_cert = set_cert_prop_helper (value, NM_SETTING_802_1X_CLIENT_CERT, &error);
2905 g_warning ("Error setting certificate (invalid data): %s",
2907 g_error_free (error);
2910 case PROP_PHASE1_PEAPVER:
2911 g_free (priv->phase1_peapver);
2912 priv->phase1_peapver = g_value_dup_string (value);
2914 case PROP_PHASE1_PEAPLABEL:
2915 g_free (priv->phase1_peaplabel);
2916 priv->phase1_peaplabel = g_value_dup_string (value);
2918 case PROP_PHASE1_FAST_PROVISIONING:
2919 g_free (priv->phase1_fast_provisioning);
2920 priv->phase1_fast_provisioning = g_value_dup_string (value);
2922 case PROP_PHASE2_AUTH:
2923 g_free (priv->phase2_auth);
2924 priv->phase2_auth = g_value_dup_string (value);
2926 case PROP_PHASE2_AUTHEAP:
2927 g_free (priv->phase2_autheap);
2928 priv->phase2_autheap = g_value_dup_string (value);
2930 case PROP_PHASE2_CA_CERT:
2931 if (priv->phase2_ca_cert) {
2932 g_byte_array_free (priv->phase2_ca_cert, TRUE);
2933 priv->phase2_ca_cert = NULL;
2935 priv->phase2_ca_cert = set_cert_prop_helper (value, NM_SETTING_802_1X_PHASE2_CA_CERT, &error);
2937 g_warning ("Error setting certificate (invalid data): %s",
2939 g_error_free (error);
2942 case PROP_PHASE2_CA_PATH:
2943 g_free (priv->phase2_ca_path);
2944 priv->phase2_ca_path = g_value_dup_string (value);
2946 case PROP_PHASE2_SUBJECT_MATCH:
2947 g_free (priv->phase2_subject_match);
2948 priv->phase2_subject_match = g_value_dup_string (value);
2950 case PROP_PHASE2_ALTSUBJECT_MATCHES:
2951 g_slist_free_full (priv->phase2_altsubject_matches, g_free);
2952 priv->phase2_altsubject_matches = g_value_dup_boxed (value);
2954 case PROP_PHASE2_CLIENT_CERT:
2955 if (priv->phase2_client_cert) {
2956 g_byte_array_free (priv->phase2_client_cert, TRUE);
2957 priv->phase2_client_cert = NULL;
2959 priv->phase2_client_cert = set_cert_prop_helper (value, NM_SETTING_802_1X_PHASE2_CLIENT_CERT, &error);
2961 g_warning ("Error setting certificate (invalid data): %s",
2963 g_error_free (error);
2967 g_free (priv->password);
2968 priv->password = g_value_dup_string (value);
2970 case PROP_PASSWORD_FLAGS:
2971 priv->password_flags = g_value_get_uint (value);
2973 case PROP_PASSWORD_RAW:
2974 if (priv->password_raw)
2975 g_byte_array_free (priv->password_raw, TRUE);
2976 priv->password_raw = g_value_dup_boxed (value);
2978 case PROP_PASSWORD_RAW_FLAGS:
2979 priv->password_raw_flags = g_value_get_uint (value);
2981 case PROP_PRIVATE_KEY:
2982 if (priv->private_key) {
2983 g_byte_array_free (priv->private_key, TRUE);
2984 priv->private_key = NULL;
2986 priv->private_key = set_cert_prop_helper (value, NM_SETTING_802_1X_PRIVATE_KEY, &error);
2988 g_warning ("Error setting private key (invalid data): %s",
2990 g_error_free (error);
2993 case PROP_PRIVATE_KEY_PASSWORD:
2994 g_free (priv->private_key_password);
2995 priv->private_key_password = g_value_dup_string (value);
2997 case PROP_PRIVATE_KEY_PASSWORD_FLAGS:
2998 priv->private_key_password_flags = g_value_get_uint (value);
3000 case PROP_PHASE2_PRIVATE_KEY:
3001 if (priv->phase2_private_key) {
3002 g_byte_array_free (priv->phase2_private_key, TRUE);
3003 priv->phase2_private_key = NULL;
3005 priv->phase2_private_key = set_cert_prop_helper (value, NM_SETTING_802_1X_PHASE2_PRIVATE_KEY, &error);
3007 g_warning ("Error setting private key (invalid data): %s",
3009 g_error_free (error);
3012 case PROP_PHASE2_PRIVATE_KEY_PASSWORD:
3013 g_free (priv->phase2_private_key_password);
3014 priv->phase2_private_key_password = g_value_dup_string (value);
3016 case PROP_PHASE2_PRIVATE_KEY_PASSWORD_FLAGS:
3017 priv->phase2_private_key_password_flags = g_value_get_uint (value);
3021 priv->pin = g_value_dup_string (value);
3023 case PROP_PIN_FLAGS:
3024 priv->pin_flags = g_value_get_uint (value);
3026 case PROP_SYSTEM_CA_CERTS:
3027 priv->system_ca_certs = g_value_get_boolean (value);
3030 G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
3036 get_property (GObject *object, guint prop_id,
3037 GValue *value, GParamSpec *pspec)
3039 NMSetting8021x *setting = NM_SETTING_802_1X (object);
3040 NMSetting8021xPrivate *priv = NM_SETTING_802_1X_GET_PRIVATE (setting);
3044 g_value_set_boxed (value, priv->eap);
3047 g_value_set_string (value, priv->identity);
3049 case PROP_ANONYMOUS_IDENTITY:
3050 g_value_set_string (value, priv->anonymous_identity);
3053 g_value_set_string (value, priv->pac_file);
3056 g_value_set_boxed (value, priv->ca_cert);
3059 g_value_set_string (value, priv->ca_path);
3061 case PROP_SUBJECT_MATCH:
3062 g_value_set_string (value, priv->subject_match);
3064 case PROP_ALTSUBJECT_MATCHES:
3065 g_value_set_boxed (value, priv->altsubject_matches);
3067 case PROP_CLIENT_CERT:
3068 g_value_set_boxed (value, priv->client_cert);
3070 case PROP_PHASE1_PEAPVER:
3071 g_value_set_string (value, priv->phase1_peapver);
3073 case PROP_PHASE1_PEAPLABEL:
3074 g_value_set_string (value, priv->phase1_peaplabel);
3076 case PROP_PHASE1_FAST_PROVISIONING:
3077 g_value_set_string (value, priv->phase1_fast_provisioning);
3079 case PROP_PHASE2_AUTH:
3080 g_value_set_string (value, priv->phase2_auth);
3082 case PROP_PHASE2_AUTHEAP:
3083 g_value_set_string (value, priv->phase2_autheap);
3085 case PROP_PHASE2_CA_CERT:
3086 g_value_set_boxed (value, priv->phase2_ca_cert);
3088 case PROP_PHASE2_CA_PATH:
3089 g_value_set_string (value, priv->phase2_ca_path);
3091 case PROP_PHASE2_SUBJECT_MATCH:
3092 g_value_set_string (value, priv->phase2_subject_match);
3094 case PROP_PHASE2_ALTSUBJECT_MATCHES:
3095 g_value_set_boxed (value, priv->phase2_altsubject_matches);
3097 case PROP_PHASE2_CLIENT_CERT:
3098 g_value_set_boxed (value, priv->phase2_client_cert);
3101 g_value_set_string (value, priv->password);
3103 case PROP_PASSWORD_FLAGS:
3104 g_value_set_uint (value, priv->password_flags);
3106 case PROP_PASSWORD_RAW:
3107 g_value_set_boxed (value, priv->password_raw);
3109 case PROP_PASSWORD_RAW_FLAGS:
3110 g_value_set_uint (value, priv->password_raw_flags);
3112 case PROP_PRIVATE_KEY:
3113 g_value_set_boxed (value, priv->private_key);
3115 case PROP_PRIVATE_KEY_PASSWORD:
3116 g_value_set_string (value, priv->private_key_password);
3118 case PROP_PRIVATE_KEY_PASSWORD_FLAGS:
3119 g_value_set_uint (value, priv->private_key_password_flags);
3121 case PROP_PHASE2_PRIVATE_KEY:
3122 g_value_set_boxed (value, priv->phase2_private_key);
3124 case PROP_PHASE2_PRIVATE_KEY_PASSWORD:
3125 g_value_set_string (value, priv->phase2_private_key_password);
3127 case PROP_PHASE2_PRIVATE_KEY_PASSWORD_FLAGS:
3128 g_value_set_uint (value, priv->phase2_private_key_password_flags);
3131 g_value_set_string (value, priv->pin);
3133 case PROP_PIN_FLAGS:
3134 g_value_set_uint (value, priv->pin_flags);
3136 case PROP_SYSTEM_CA_CERTS:
3137 g_value_set_boolean (value, priv->system_ca_certs);
3140 G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
3146 nm_setting_802_1x_class_init (NMSetting8021xClass *setting_class)
3148 GObjectClass *object_class = G_OBJECT_CLASS (setting_class);
3149 NMSettingClass *parent_class = NM_SETTING_CLASS (setting_class);
3150 GError *error = NULL;
3152 g_type_class_add_private (setting_class, sizeof (NMSetting8021xPrivate));
3154 /* virtual methods */
3155 object_class->set_property = set_property;
3156 object_class->get_property = get_property;
3157 object_class->finalize = finalize;
3159 parent_class->verify = verify;
3160 parent_class->need_secrets = need_secrets;
3165 * NMSetting8021x:eap:
3167 * The allowed EAP method to be used when authenticating to the network with
3168 * 802.1x. Valid methods are: "leap", "md5", "tls", "peap", "ttls", "pwd",
3169 * and "fast". Each method requires different configuration using the
3170 * properties of this setting; refer to wpa_supplicant documentation for the
3171 * allowed combinations.
3173 g_object_class_install_property
3174 (object_class, PROP_EAP,
3175 _nm_param_spec_specialized (NM_SETTING_802_1X_EAP, "", "",
3176 DBUS_TYPE_G_LIST_OF_STRING,
3178 G_PARAM_STATIC_STRINGS));
3181 * NMSetting8021x:identity:
3183 * Identity string for EAP authentication methods. Often the user's user or
3186 g_object_class_install_property
3187 (object_class, PROP_IDENTITY,
3188 g_param_spec_string (NM_SETTING_802_1X_IDENTITY, "", "",
3191 G_PARAM_STATIC_STRINGS));
3194 * NMSetting8021x:anonymous-identity:
3196 * Anonymous identity string for EAP authentication methods. Used as the
3197 * unencrypted identity with EAP types that support different tunneled
3198 * identity like EAP-TTLS.
3200 g_object_class_install_property
3201 (object_class, PROP_ANONYMOUS_IDENTITY,
3202 g_param_spec_string (NM_SETTING_802_1X_ANONYMOUS_IDENTITY, "", "",
3205 G_PARAM_STATIC_STRINGS));
3208 * NMSetting8021x:pac-file:
3210 * UTF-8 encoded file path containing PAC for EAP-FAST.
3212 g_object_class_install_property
3213 (object_class, PROP_PAC_FILE,
3214 g_param_spec_string (NM_SETTING_802_1X_PAC_FILE, "", "",
3217 G_PARAM_STATIC_STRINGS));
3220 * NMSetting8021x:ca-cert:
3222 * Contains the CA certificate if used by the EAP method specified in the
3223 * #NMSetting8021x:eap property.
3225 * Certificate data is specified using a "scheme"; two are currently
3226 * supported: blob and path. When using the blob scheme (which is backwards
3227 * compatible with NM 0.7.x) this property should be set to the
3228 * certificate's DER encoded data. When using the path scheme, this property
3229 * should be set to the full UTF-8 encoded path of the certificate, prefixed
3230 * with the string "file://" and ending with a terminating NUL byte. This
3231 * property can be unset even if the EAP method supports CA certificates,
3232 * but this allows man-in-the-middle attacks and is NOT recommended.
3234 * Setting this property directly is discouraged; use the
3235 * nm_setting_802_1x_set_ca_cert() function instead.
3237 g_object_class_install_property
3238 (object_class, PROP_CA_CERT,
3239 _nm_param_spec_specialized (NM_SETTING_802_1X_CA_CERT, "", "",
3240 DBUS_TYPE_G_UCHAR_ARRAY,
3242 G_PARAM_STATIC_STRINGS));
3245 * NMSetting8021x:ca-path:
3247 * UTF-8 encoded path to a directory containing PEM or DER formatted
3248 * certificates to be added to the verification chain in addition to the
3249 * certificate specified in the #NMSetting8021x:ca-cert property.
3251 g_object_class_install_property
3252 (object_class, PROP_CA_PATH,
3253 g_param_spec_string (NM_SETTING_802_1X_CA_PATH, "", "",
3256 G_PARAM_STATIC_STRINGS));
3259 * NMSetting8021x:subject-match:
3261 * Substring to be matched against the subject of the certificate presented
3262 * by the authentication server. When unset, no verification of the
3263 * authentication server certificate's subject is performed.
3265 g_object_class_install_property
3266 (object_class, PROP_SUBJECT_MATCH,
3267 g_param_spec_string (NM_SETTING_802_1X_SUBJECT_MATCH, "", "",
3270 G_PARAM_STATIC_STRINGS));
3273 * NMSetting8021x:altsubject-matches:
3275 * List of strings to be matched against the altSubjectName of the
3276 * certificate presented by the authentication server. If the list is empty,
3277 * no verification of the server certificate's altSubjectName is performed.
3279 g_object_class_install_property
3280 (object_class, PROP_ALTSUBJECT_MATCHES,
3281 _nm_param_spec_specialized (NM_SETTING_802_1X_ALTSUBJECT_MATCHES, "", "",
3282 DBUS_TYPE_G_LIST_OF_STRING,
3284 G_PARAM_STATIC_STRINGS));
3287 * NMSetting8021x:client-cert:
3289 * Contains the client certificate if used by the EAP method specified in
3290 * the #NMSetting8021x:eap property.
3292 * Certificate data is specified using a "scheme"; two are currently
3293 * supported: blob and path. When using the blob scheme (which is backwards
3294 * compatible with NM 0.7.x) this property should be set to the
3295 * certificate's DER encoded data. When using the path scheme, this property
3296 * should be set to the full UTF-8 encoded path of the certificate, prefixed
3297 * with the string "file://" and ending with a terminating NUL byte.
3299 * Setting this property directly is discouraged; use the
3300 * nm_setting_802_1x_set_client_cert() function instead.
3302 g_object_class_install_property
3303 (object_class, PROP_CLIENT_CERT,
3304 _nm_param_spec_specialized (NM_SETTING_802_1X_CLIENT_CERT, "", "",
3305 DBUS_TYPE_G_UCHAR_ARRAY,
3307 G_PARAM_STATIC_STRINGS));
3310 * NMSetting8021x:phase1-peapver:
3312 * Forces which PEAP version is used when PEAP is set as the EAP method in
3313 * the #NMSetting8021x:eap property. When unset, the version reported by
3314 * the server will be used. Sometimes when using older RADIUS servers, it
3315 * is necessary to force the client to use a particular PEAP version. To do
3316 * so, this property may be set to "0" or "1" to force that specific PEAP
3319 g_object_class_install_property
3320 (object_class, PROP_PHASE1_PEAPVER,
3321 g_param_spec_string (NM_SETTING_802_1X_PHASE1_PEAPVER, "", "",
3324 G_PARAM_STATIC_STRINGS));
3327 * NMSetting8021x:phase1-peaplabel:
3329 * Forces use of the new PEAP label during key derivation. Some RADIUS
3330 * servers may require forcing the new PEAP label to interoperate with
3331 * PEAPv1. Set to "1" to force use of the new PEAP label. See the
3332 * wpa_supplicant documentation for more details.
3334 g_object_class_install_property
3335 (object_class, PROP_PHASE1_PEAPLABEL,
3336 g_param_spec_string (NM_SETTING_802_1X_PHASE1_PEAPLABEL, "", "",
3339 G_PARAM_STATIC_STRINGS));
3342 * NMSetting8021x:phase1-fast-provisioning:
3344 * Enables or disables in-line provisioning of EAP-FAST credentials when
3345 * FAST is specified as the EAP method in the #NMSetting8021x:eap property.
3346 * Recognized values are "0" (disabled), "1" (allow unauthenticated
3347 * provisioning), "2" (allow authenticated provisioning), and "3" (allow
3348 * both authenticated and unauthenticated provisioning). See the
3349 * wpa_supplicant documentation for more details.
3351 g_object_class_install_property
3352 (object_class, PROP_PHASE1_FAST_PROVISIONING,
3353 g_param_spec_string (NM_SETTING_802_1X_PHASE1_FAST_PROVISIONING, "", "",
3356 G_PARAM_STATIC_STRINGS));
3359 * NMSetting8021x:phase2-auth:
3361 * Specifies the allowed "phase 2" inner non-EAP authentication methods when
3362 * an EAP method that uses an inner TLS tunnel is specified in the
3363 * #NMSetting8021x:eap property. Recognized non-EAP "phase 2" methods are
3364 * "pap", "chap", "mschap", "mschapv2", "gtc", "otp", "md5", and "tls".
3365 * Each "phase 2" inner method requires specific parameters for successful
3366 * authentication; see the wpa_supplicant documentation for more details.
3368 g_object_class_install_property
3369 (object_class, PROP_PHASE2_AUTH,
3370 g_param_spec_string (NM_SETTING_802_1X_PHASE2_AUTH, "", "",
3373 G_PARAM_STATIC_STRINGS));
3376 * NMSetting8021x:phase2-autheap:
3378 * Specifies the allowed "phase 2" inner EAP-based authentication methods
3379 * when an EAP method that uses an inner TLS tunnel is specified in the
3380 * #NMSetting8021x:eap property. Recognized EAP-based "phase 2" methods are
3381 * "md5", "mschapv2", "otp", "gtc", and "tls". Each "phase 2" inner method
3382 * requires specific parameters for successful authentication; see the
3383 * wpa_supplicant documentation for more details.
3385 g_object_class_install_property
3386 (object_class, PROP_PHASE2_AUTHEAP,
3387 g_param_spec_string (NM_SETTING_802_1X_PHASE2_AUTHEAP, "", "",
3390 G_PARAM_STATIC_STRINGS));
3393 * NMSetting8021x:phase2-ca-cert:
3395 * Contains the "phase 2" CA certificate if used by the EAP method specified
3396 * in the #NMSetting8021x:phase2-auth or #NMSetting8021x:phase2-autheap
3399 * Certificate data is specified using a "scheme"; two are currently
3400 * supported: blob and path. When using the blob scheme (which is backwards
3401 * compatible with NM 0.7.x) this property should be set to the
3402 * certificate's DER encoded data. When using the path scheme, this property
3403 * should be set to the full UTF-8 encoded path of the certificate, prefixed
3404 * with the string "file://" and ending with a terminating NUL byte. This
3405 * property can be unset even if the EAP method supports CA certificates,
3406 * but this allows man-in-the-middle attacks and is NOT recommended.
3408 * Setting this property directly is discouraged; use the
3409 * nm_setting_802_1x_set_phase2_ca_cert() function instead.
3411 g_object_class_install_property
3412 (object_class, PROP_PHASE2_CA_CERT,
3413 _nm_param_spec_specialized (NM_SETTING_802_1X_PHASE2_CA_CERT, "", "",
3414 DBUS_TYPE_G_UCHAR_ARRAY,
3416 G_PARAM_STATIC_STRINGS));
3419 * NMSetting8021x:phase2-ca-path:
3421 * UTF-8 encoded path to a directory containing PEM or DER formatted
3422 * certificates to be added to the verification chain in addition to the
3423 * certificate specified in the #NMSetting8021x:phase2-ca-cert property.
3425 g_object_class_install_property
3426 (object_class, PROP_PHASE2_CA_PATH,
3427 g_param_spec_string (NM_SETTING_802_1X_PHASE2_CA_PATH, "", "",
3430 G_PARAM_STATIC_STRINGS));
3433 * NMSetting8021x:phase2-subject-match:
3435 * Substring to be matched against the subject of the certificate presented
3436 * by the authentication server during the inner "phase 2"
3437 * authentication. When unset, no verification of the authentication server
3438 * certificate's subject is performed.
3440 g_object_class_install_property
3441 (object_class, PROP_PHASE2_SUBJECT_MATCH,
3442 g_param_spec_string (NM_SETTING_802_1X_PHASE2_SUBJECT_MATCH, "", "",
3445 G_PARAM_STATIC_STRINGS));
3448 * NMSetting8021x:phase2-altsubject-matches:
3450 * List of strings to be matched against the altSubjectName of the
3451 * certificate presented by the authentication server during the inner
3452 * "phase 2" authentication. If the list is empty, no verification of the
3453 * server certificate's altSubjectName is performed.
3455 g_object_class_install_property
3456 (object_class, PROP_PHASE2_ALTSUBJECT_MATCHES,
3457 _nm_param_spec_specialized (NM_SETTING_802_1X_PHASE2_ALTSUBJECT_MATCHES, "", "",
3458 DBUS_TYPE_G_LIST_OF_STRING,
3460 G_PARAM_STATIC_STRINGS));
3463 * NMSetting8021x:phase2-client-cert:
3465 * Contains the "phase 2" client certificate if used by the EAP method
3466 * specified in the #NMSetting8021x:phase2-auth or
3467 * #NMSetting8021x:phase2-autheap properties.
3469 * Certificate data is specified using a "scheme"; two are currently
3470 * supported: blob and path. When using the blob scheme (which is backwards
3471 * compatible with NM 0.7.x) this property should be set to the
3472 * certificate's DER encoded data. When using the path scheme, this property
3473 * should be set to the full UTF-8 encoded path of the certificate, prefixed
3474 * with the string "file://" and ending with a terminating NUL byte. This
3475 * property can be unset even if the EAP method supports CA certificates,
3476 * but this allows man-in-the-middle attacks and is NOT recommended.
3478 * Setting this property directly is discouraged; use the
3479 * nm_setting_802_1x_set_phase2_client_cert() function instead.
3481 g_object_class_install_property
3482 (object_class, PROP_PHASE2_CLIENT_CERT,
3483 _nm_param_spec_specialized (NM_SETTING_802_1X_PHASE2_CLIENT_CERT, "", "",
3484 DBUS_TYPE_G_UCHAR_ARRAY,
3486 G_PARAM_STATIC_STRINGS));
3489 * NMSetting8021x:password:
3491 * UTF-8 encoded password used for EAP authentication methods. If both the
3492 * #NMSetting8021x:password property and the #NMSetting8021x:password-raw
3493 * property are specified, #NMSetting8021x:password is preferred.
3495 g_object_class_install_property
3496 (object_class, PROP_PASSWORD,
3497 g_param_spec_string (NM_SETTING_802_1X_PASSWORD, "", "",
3500 NM_SETTING_PARAM_SECRET |
3501 G_PARAM_STATIC_STRINGS));
3504 * NMSetting8021x:password-flags:
3506 * Flags indicating how to handle the #NMSetting8021x:password property.
3508 g_object_class_install_property
3509 (object_class, PROP_PASSWORD_FLAGS,
3510 g_param_spec_uint (NM_SETTING_802_1X_PASSWORD_FLAGS, "", "",
3511 NM_SETTING_SECRET_FLAG_NONE,
3512 NM_SETTING_SECRET_FLAGS_ALL,
3513 NM_SETTING_SECRET_FLAG_NONE,
3515 G_PARAM_STATIC_STRINGS));
3518 * NMSetting8021x:password-raw:
3520 * Password used for EAP authentication methods, given as a byte array to
3521 * allow passwords in other encodings than UTF-8 to be used. If both the
3522 * #NMSetting8021x:password property and the #NMSetting8021x:password-raw
3523 * property are specified, #NMSetting8021x:password is preferred.
3525 g_object_class_install_property
3526 (object_class, PROP_PASSWORD_RAW,
3527 _nm_param_spec_specialized (NM_SETTING_802_1X_PASSWORD_RAW, "", "",
3528 DBUS_TYPE_G_UCHAR_ARRAY,
3530 NM_SETTING_PARAM_SECRET |
3531 G_PARAM_STATIC_STRINGS));
3534 * NMSetting8021x:password-raw-flags:
3536 * Flags indicating how to handle the #NMSetting8021x:password-raw property.
3538 g_object_class_install_property
3539 (object_class, PROP_PASSWORD_RAW_FLAGS,
3540 g_param_spec_uint (NM_SETTING_802_1X_PASSWORD_RAW_FLAGS, "", "",
3541 NM_SETTING_SECRET_FLAG_NONE,
3542 NM_SETTING_SECRET_FLAGS_ALL,
3543 NM_SETTING_SECRET_FLAG_NONE,
3545 G_PARAM_STATIC_STRINGS));
3548 * NMSetting8021x:private-key:
3550 * Contains the private key when the #NMSetting8021x:eap property is set to
3553 * Key data is specified using a "scheme"; two are currently supported: blob
3554 * and path. When using the blob scheme and private keys, this property
3555 * should be set to the key's encrypted PEM encoded data. When using private
3556 * keys with the path scheme, this property should be set to the full UTF-8
3557 * encoded path of the key, prefixed with the string "file://" and ending
3558 * with a terminating NUL byte. When using PKCS#<!-- -->12 format private keys and
3559 * the blob scheme, this property should be set to the PKCS#<!-- -->12 data and the
3560 * #NMSetting8021x:private-key-password property must be set to password
3561 * used to decrypt the PKCS#<!-- -->12 certificate and key. When using PKCS#<!-- -->12 files
3562 * and the path scheme, this property should be set to the full UTF-8
3563 * encoded path of the key, prefixed with the string "file://" and and
3564 * ending with a terminating NUL byte, and as with the blob scheme the
3565 * "private-key-password" property must be set to the password used to
3566 * decode the PKCS#<!-- -->12 private key and certificate.
3568 * Setting this property directly is discouraged; use the
3569 * nm_setting_802_1x_set_private_key() function instead.
3571 * WARNING: #NMSetting8021x:private-key is not a "secret" property, and thus
3572 * unencrypted private key data using the BLOB scheme may be readable by
3573 * unprivileged users. Private keys should always be encrypted with a
3574 * private key password to prevent unauthorized access to unencrypted
3577 g_object_class_install_property
3578 (object_class, PROP_PRIVATE_KEY,
3579 _nm_param_spec_specialized (NM_SETTING_802_1X_PRIVATE_KEY, "", "",
3580 DBUS_TYPE_G_UCHAR_ARRAY,
3582 G_PARAM_STATIC_STRINGS));
3585 * NMSetting8021x:private-key-password:
3587 * The password used to decrypt the private key specified in the
3588 * #NMSetting8021x:private-key property when the private key either uses the
3589 * path scheme, or if the private key is a PKCS#<!-- -->12 format key. Setting this
3590 * property directly is not generally necessary except when returning
3591 * secrets to NetworkManager; it is generally set automatically when setting
3592 * the private key by the nm_setting_802_1x_set_private_key() function.
3594 g_object_class_install_property
3595 (object_class, PROP_PRIVATE_KEY_PASSWORD,
3596 g_param_spec_string (NM_SETTING_802_1X_PRIVATE_KEY_PASSWORD, "", "",
3599 NM_SETTING_PARAM_SECRET |
3600 G_PARAM_STATIC_STRINGS));
3603 * NMSetting8021x:private-key-password-flags:
3605 * Flags indicating how to handle the #NMSetting8021x:private-key-password
3608 g_object_class_install_property
3609 (object_class, PROP_PRIVATE_KEY_PASSWORD_FLAGS,
3610 g_param_spec_uint (NM_SETTING_802_1X_PRIVATE_KEY_PASSWORD_FLAGS, "", "",
3611 NM_SETTING_SECRET_FLAG_NONE,
3612 NM_SETTING_SECRET_FLAGS_ALL,
3613 NM_SETTING_SECRET_FLAG_NONE,
3615 G_PARAM_STATIC_STRINGS));
3618 * NMSetting8021x:phase2-private-key:
3620 * Contains the "phase 2" inner private key when the
3621 * #NMSetting8021x:phase2-auth or #NMSetting8021x:phase2-autheap property is
3624 * Key data is specified using a "scheme"; two are currently supported: blob
3625 * and path. When using the blob scheme and private keys, this property
3626 * should be set to the key's encrypted PEM encoded data. When using private
3627 * keys with the path scheme, this property should be set to the full UTF-8
3628 * encoded path of the key, prefixed with the string "file://" and ending
3629 * with a terminating NUL byte. When using PKCS#<!-- -->12 format private keys and
3630 * the blob scheme, this property should be set to the PKCS#<!-- -->12 data and the
3631 * #NMSetting8021x:phase2-private-key-password property must be set to
3632 * password used to decrypt the PKCS#<!-- -->12 certificate and key. When using
3633 * PKCS#<!-- -->12 files and the path scheme, this property should be set to the
3634 * full UTF-8 encoded path of the key, prefixed with the string "file://"
3635 * and and ending with a terminating NUL byte, and as with the blob scheme
3636 * the #NMSetting8021x:phase2-private-key-password property must be set to
3637 * the password used to decode the PKCS#<!-- -->12 private key and certificate.
3639 * Setting this property directly is discouraged; use the
3640 * nm_setting_802_1x_set_phase2_private_key() function instead.
3642 g_object_class_install_property
3643 (object_class, PROP_PHASE2_PRIVATE_KEY,
3644 _nm_param_spec_specialized (NM_SETTING_802_1X_PHASE2_PRIVATE_KEY, "", "",
3645 DBUS_TYPE_G_UCHAR_ARRAY,
3647 G_PARAM_STATIC_STRINGS));
3650 * NMSetting8021x:phase2-private-key-password:
3652 * The password used to decrypt the "phase 2" private key specified in the
3653 * #NMSetting8021x:phase2-private-key property when the private key either
3654 * uses the path scheme, or is a PKCS#<!-- -->12 format key. Setting this property
3655 * directly is not generally necessary except when returning secrets to
3656 * NetworkManager; it is generally set automatically when setting the
3657 * private key by the nm_setting_802_1x_set_phase2_private_key() function.
3659 g_object_class_install_property
3660 (object_class, PROP_PHASE2_PRIVATE_KEY_PASSWORD,
3661 g_param_spec_string (NM_SETTING_802_1X_PHASE2_PRIVATE_KEY_PASSWORD, "", "",
3664 NM_SETTING_PARAM_SECRET |
3665 G_PARAM_STATIC_STRINGS));
3668 * NMSetting8021x:phase2-private-key-password-flags:
3670 * Flags indicating how to handle the
3671 * #NMSetting8021x:phase2-private-key-password property.
3673 g_object_class_install_property
3674 (object_class, PROP_PHASE2_PRIVATE_KEY_PASSWORD_FLAGS,
3675 g_param_spec_uint (NM_SETTING_802_1X_PHASE2_PRIVATE_KEY_PASSWORD_FLAGS, "", "",
3676 NM_SETTING_SECRET_FLAG_NONE,
3677 NM_SETTING_SECRET_FLAGS_ALL,
3678 NM_SETTING_SECRET_FLAG_NONE,
3680 G_PARAM_STATIC_STRINGS));
3683 * NMSetting8021x:pin:
3685 * PIN used for EAP authentication methods.
3687 g_object_class_install_property
3688 (object_class, PROP_PIN,
3689 g_param_spec_string (NM_SETTING_802_1X_PIN, "", "",
3692 NM_SETTING_PARAM_SECRET |
3693 G_PARAM_STATIC_STRINGS));
3696 * NMSetting8021x:pin-flags:
3698 * Flags indicating how to handle the #NMSetting8021x:pin property.
3700 g_object_class_install_property
3701 (object_class, PROP_PIN_FLAGS,
3702 g_param_spec_uint (NM_SETTING_802_1X_PIN_FLAGS, "", "",
3703 NM_SETTING_SECRET_FLAG_NONE,
3704 NM_SETTING_SECRET_FLAGS_ALL,
3705 NM_SETTING_SECRET_FLAG_NONE,
3707 G_PARAM_STATIC_STRINGS));
3710 * NMSetting8021x:system-ca-certs:
3712 * When %TRUE, overrides the #NMSetting8021x:ca-path and
3713 * #NMSetting8021x:phase2-ca-path properties using the system CA directory
3714 * specified at configure time with the --system-ca-path switch. The
3715 * certificates in this directory are added to the verification chain in
3716 * addition to any certificates specified by the #NMSetting8021x:ca-cert and
3717 * #NMSetting8021x:phase2-ca-cert properties.
3719 g_object_class_install_property
3720 (object_class, PROP_SYSTEM_CA_CERTS,
3721 g_param_spec_boolean (NM_SETTING_802_1X_SYSTEM_CA_CERTS, "", "",
3725 G_PARAM_STATIC_STRINGS));
3727 /* Initialize crypto lbrary. */
3728 if (!nm_utils_init (&error)) {
3729 g_warning ("Couldn't initilize nm-utils/crypto system: %s",
3731 g_error_free (error);