fdo-mirrors/NetworkManager
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/NetworkManager/NetworkManager.git synced 2025-12-28 09:50:09 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

merge: branch 'lr/pkcs11-pin'

Browse source 
https://bugzilla.gnome.org/show_bug.cgi?id=778456
This commit is contained in:
Lubomir Rintel 2017-02-17 14:30:43 +01:00
commit b4a976fd11
15 changed files with 1068 additions and 504 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

204
clients/cli/settings.c
View file

@ -128,35 +128,43 @@ NmcOutputField nmc_fields_setting_8021X[] = {
SETTING_FIELD (NM_SETTING_802_1X_ANONYMOUS_IDENTITY), /* 3 */
SETTING_FIELD (NM_SETTING_802_1X_PAC_FILE), /* 4 */
SETTING_FIELD (NM_SETTING_802_1X_CA_CERT), /* 5 */
SETTING_FIELD (NM_SETTING_802_1X_CA_PATH), /* 6 */
SETTING_FIELD (NM_SETTING_802_1X_SUBJECT_MATCH), /* 7 */
SETTING_FIELD (NM_SETTING_802_1X_ALTSUBJECT_MATCHES), /* 8 */
SETTING_FIELD (NM_SETTING_802_1X_DOMAIN_SUFFIX_MATCH), /* 9 */
SETTING_FIELD (NM_SETTING_802_1X_CLIENT_CERT), /* 10 */
SETTING_FIELD (NM_SETTING_802_1X_PHASE1_PEAPVER), /* 11 */
SETTING_FIELD (NM_SETTING_802_1X_PHASE1_PEAPLABEL), /* 12 */
SETTING_FIELD (NM_SETTING_802_1X_PHASE1_FAST_PROVISIONING), /* 13 */
SETTING_FIELD (NM_SETTING_802_1X_PHASE2_AUTH), /* 14 */
SETTING_FIELD (NM_SETTING_802_1X_PHASE2_AUTHEAP), /* 15 */
SETTING_FIELD (NM_SETTING_802_1X_PHASE2_CA_CERT), /* 16 */
SETTING_FIELD (NM_SETTING_802_1X_PHASE2_CA_PATH), /* 17 */
SETTING_FIELD (NM_SETTING_802_1X_PHASE2_SUBJECT_MATCH), /* 18 */
SETTING_FIELD (NM_SETTING_802_1X_PHASE2_ALTSUBJECT_MATCHES), /* 19 */
SETTING_FIELD (NM_SETTING_802_1X_PHASE2_DOMAIN_SUFFIX_MATCH), /* 20 */
SETTING_FIELD (NM_SETTING_802_1X_PHASE2_CLIENT_CERT), /* 21 */
SETTING_FIELD (NM_SETTING_802_1X_PASSWORD), /* 22 */
SETTING_FIELD (NM_SETTING_802_1X_PASSWORD_FLAGS), /* 23 */
SETTING_FIELD (NM_SETTING_802_1X_PASSWORD_RAW), /* 24 */
SETTING_FIELD (NM_SETTING_802_1X_PASSWORD_RAW_FLAGS), /* 25 */
SETTING_FIELD (NM_SETTING_802_1X_PRIVATE_KEY), /* 26 */
SETTING_FIELD (NM_SETTING_802_1X_PRIVATE_KEY_PASSWORD), /* 27 */
SETTING_FIELD (NM_SETTING_802_1X_PRIVATE_KEY_PASSWORD_FLAGS), /* 28 */
SETTING_FIELD (NM_SETTING_802_1X_PHASE2_PRIVATE_KEY), /* 29 */
SETTING_FIELD (NM_SETTING_802_1X_PHASE2_PRIVATE_KEY_PASSWORD), /* 30 */
SETTING_FIELD (NM_SETTING_802_1X_PHASE2_PRIVATE_KEY_PASSWORD_FLAGS), /* 31 */
SETTING_FIELD (NM_SETTING_802_1X_PIN), /* 32 */
SETTING_FIELD (NM_SETTING_802_1X_PIN_FLAGS), /* 33 */
SETTING_FIELD (NM_SETTING_802_1X_SYSTEM_CA_CERTS), /* 34 */
SETTING_FIELD (NM_SETTING_802_1X_CA_CERT_PASSWORD), /* 6 */
SETTING_FIELD (NM_SETTING_802_1X_CA_CERT_PASSWORD_FLAGS), /* 7 */
SETTING_FIELD (NM_SETTING_802_1X_CA_PATH), /* 8 */
SETTING_FIELD (NM_SETTING_802_1X_SUBJECT_MATCH), /* 9 */
SETTING_FIELD (NM_SETTING_802_1X_ALTSUBJECT_MATCHES), /* 10 */
SETTING_FIELD (NM_SETTING_802_1X_DOMAIN_SUFFIX_MATCH), /* 11 */
SETTING_FIELD (NM_SETTING_802_1X_CLIENT_CERT), /* 12 */
SETTING_FIELD (NM_SETTING_802_1X_CLIENT_CERT_PASSWORD), /* 13 */
SETTING_FIELD (NM_SETTING_802_1X_CLIENT_CERT_PASSWORD_FLAGS), /* 14 */
SETTING_FIELD (NM_SETTING_802_1X_PHASE1_PEAPVER), /* 15 */
SETTING_FIELD (NM_SETTING_802_1X_PHASE1_PEAPLABEL), /* 16 */
SETTING_FIELD (NM_SETTING_802_1X_PHASE1_FAST_PROVISIONING), /* 17 */
SETTING_FIELD (NM_SETTING_802_1X_PHASE2_AUTH), /* 18 */
SETTING_FIELD (NM_SETTING_802_1X_PHASE2_AUTHEAP), /* 19 */
SETTING_FIELD (NM_SETTING_802_1X_PHASE2_CA_CERT_PASSWORD), /* 20 */
SETTING_FIELD (NM_SETTING_802_1X_PHASE2_CA_CERT_PASSWORD_FLAGS), /* 21 */
SETTING_FIELD (NM_SETTING_802_1X_PHASE2_CA_CERT), /* 22 */
SETTING_FIELD (NM_SETTING_802_1X_PHASE2_CA_PATH), /* 23 */
SETTING_FIELD (NM_SETTING_802_1X_PHASE2_SUBJECT_MATCH), /* 24 */
SETTING_FIELD (NM_SETTING_802_1X_PHASE2_ALTSUBJECT_MATCHES), /* 25 */
SETTING_FIELD (NM_SETTING_802_1X_PHASE2_DOMAIN_SUFFIX_MATCH), /* 26 */
SETTING_FIELD (NM_SETTING_802_1X_PHASE2_CLIENT_CERT), /* 27 */
SETTING_FIELD (NM_SETTING_802_1X_PHASE2_CLIENT_CERT_PASSWORD), /* 28 */
SETTING_FIELD (NM_SETTING_802_1X_PHASE2_CLIENT_CERT_PASSWORD_FLAGS), /* 29 */
SETTING_FIELD (NM_SETTING_802_1X_PASSWORD), /* 30 */
SETTING_FIELD (NM_SETTING_802_1X_PASSWORD_FLAGS), /* 31 */
SETTING_FIELD (NM_SETTING_802_1X_PASSWORD_RAW), /* 32 */
SETTING_FIELD (NM_SETTING_802_1X_PASSWORD_RAW_FLAGS), /* 33 */
SETTING_FIELD (NM_SETTING_802_1X_PRIVATE_KEY), /* 34 */
SETTING_FIELD (NM_SETTING_802_1X_PRIVATE_KEY_PASSWORD), /* 35 */
SETTING_FIELD (NM_SETTING_802_1X_PRIVATE_KEY_PASSWORD_FLAGS), /* 36 */
SETTING_FIELD (NM_SETTING_802_1X_PHASE2_PRIVATE_KEY), /* 37 */
SETTING_FIELD (NM_SETTING_802_1X_PHASE2_PRIVATE_KEY_PASSWORD), /* 38 */
SETTING_FIELD (NM_SETTING_802_1X_PHASE2_PRIVATE_KEY_PASSWORD_FLAGS), /* 39 */
SETTING_FIELD (NM_SETTING_802_1X_PIN), /* 40 */
SETTING_FIELD (NM_SETTING_802_1X_PIN_FLAGS), /* 41 */
SETTING_FIELD (NM_SETTING_802_1X_SYSTEM_CA_CERTS), /* 42 */
{NULL, NULL, 0, NULL, FALSE, FALSE, 0}
};
#define NMC_FIELDS_SETTING_802_1X_ALL "name"","\
@ -165,22 +173,30 @@ NmcOutputField nmc_fields_setting_8021X[] = {
NM_SETTING_802_1X_ANONYMOUS_IDENTITY","\
NM_SETTING_802_1X_PAC_FILE","\
NM_SETTING_802_1X_CA_CERT","\
NM_SETTING_802_1X_CA_CERT_PASSWORD","\
NM_SETTING_802_1X_CA_CERT_PASSWORD_FLAGS","\
NM_SETTING_802_1X_CA_PATH","\
NM_SETTING_802_1X_SUBJECT_MATCH","\
NM_SETTING_802_1X_ALTSUBJECT_MATCHES","\
NM_SETTING_802_1X_DOMAIN_SUFFIX_MATCH","\
NM_SETTING_802_1X_CLIENT_CERT","\
NM_SETTING_802_1X_CLIENT_CERT_PASSWORD","\
NM_SETTING_802_1X_CLIENT_CERT_PASSWORD_FLAGS","\
NM_SETTING_802_1X_PHASE1_PEAPVER","\
NM_SETTING_802_1X_PHASE1_PEAPLABEL","\
NM_SETTING_802_1X_PHASE1_FAST_PROVISIONING","\
NM_SETTING_802_1X_PHASE2_AUTH","\
NM_SETTING_802_1X_PHASE2_AUTHEAP","\
NM_SETTING_802_1X_PHASE2_CA_CERT","\
NM_SETTING_802_1X_PHASE2_CA_CERT_PASSWORD","\
NM_SETTING_802_1X_PHASE2_CA_CERT_PASSWORD_FLAGS","\
NM_SETTING_802_1X_PHASE2_CA_PATH","\
NM_SETTING_802_1X_PHASE2_SUBJECT_MATCH","\
NM_SETTING_802_1X_PHASE2_ALTSUBJECT_MATCHES","\
NM_SETTING_802_1X_PHASE2_DOMAIN_SUFFIX_MATCH","\
NM_SETTING_802_1X_PHASE2_CLIENT_CERT","\
NM_SETTING_802_1X_PHASE2_CLIENT_CERT_PASSWORD","\
NM_SETTING_802_1X_PHASE2_CLIENT_CERT_PASSWORD_FLAGS","\
NM_SETTING_802_1X_PASSWORD","\
NM_SETTING_802_1X_PASSWORD_FLAGS","\
NM_SETTING_802_1X_PASSWORD_RAW","\
@ -1660,19 +1676,27 @@ DEFINE_GETTER (nmc_property_802_1X_get_eap, NM_SETTING_802_1X_EAP)
DEFINE_GETTER (nmc_property_802_1X_get_identity, NM_SETTING_802_1X_IDENTITY)
DEFINE_GETTER (nmc_property_802_1X_get_anonymous_identity, NM_SETTING_802_1X_ANONYMOUS_IDENTITY)
DEFINE_GETTER (nmc_property_802_1X_get_pac_file, NM_SETTING_802_1X_PAC_FILE)
DEFINE_GETTER (nmc_property_802_1X_get_ca_cert_password, NM_SETTING_802_1X_CA_CERT_PASSWORD)
DEFINE_SECRET_FLAGS_GETTER (nmc_property_802_1X_get_ca_cert_password_flags, NM_SETTING_802_1X_CA_CERT_PASSWORD_FLAGS)
DEFINE_GETTER (nmc_property_802_1X_get_ca_path, NM_SETTING_802_1X_CA_PATH)
DEFINE_GETTER (nmc_property_802_1X_get_subject_match, NM_SETTING_802_1X_SUBJECT_MATCH)
DEFINE_GETTER (nmc_property_802_1X_get_altsubject_matches, NM_SETTING_802_1X_ALTSUBJECT_MATCHES)
DEFINE_GETTER (nmc_property_802_1X_get_domain_suffix_match, NM_SETTING_802_1X_DOMAIN_SUFFIX_MATCH)
DEFINE_GETTER (nmc_property_802_1X_get_client_cert_password, NM_SETTING_802_1X_CLIENT_CERT_PASSWORD)
DEFINE_SECRET_FLAGS_GETTER (nmc_property_802_1X_get_client_cert_password_flags, NM_SETTING_802_1X_CLIENT_CERT_PASSWORD_FLAGS)
DEFINE_GETTER (nmc_property_802_1X_get_phase1_peapver, NM_SETTING_802_1X_PHASE1_PEAPVER)
DEFINE_GETTER (nmc_property_802_1X_get_phase1_peaplabel, NM_SETTING_802_1X_PHASE1_PEAPLABEL)
DEFINE_GETTER (nmc_property_802_1X_get_phase1_fast_provisioning, NM_SETTING_802_1X_PHASE1_FAST_PROVISIONING)
DEFINE_GETTER (nmc_property_802_1X_get_phase2_auth, NM_SETTING_802_1X_PHASE2_AUTH)
DEFINE_GETTER (nmc_property_802_1X_get_phase2_autheap, NM_SETTING_802_1X_PHASE2_AUTHEAP)
DEFINE_GETTER (nmc_property_802_1X_get_phase2_ca_cert_password, NM_SETTING_802_1X_PHASE2_CA_CERT_PASSWORD)
DEFINE_SECRET_FLAGS_GETTER (nmc_property_802_1X_get_phase2_ca_cert_password_flags, NM_SETTING_802_1X_PHASE2_CA_CERT_PASSWORD_FLAGS)
DEFINE_GETTER (nmc_property_802_1X_get_phase2_ca_path, NM_SETTING_802_1X_PHASE2_CA_PATH)
DEFINE_GETTER (nmc_property_802_1X_get_phase2_subject_match, NM_SETTING_802_1X_PHASE2_SUBJECT_MATCH)
DEFINE_GETTER (nmc_property_802_1X_get_phase2_altsubject_matches, NM_SETTING_802_1X_PHASE2_ALTSUBJECT_MATCHES)
DEFINE_GETTER (nmc_property_802_1X_get_phase2_domain_suffix_match, NM_SETTING_802_1X_PHASE2_DOMAIN_SUFFIX_MATCH)
DEFINE_GETTER (nmc_property_802_1X_get_phase2_client_cert_password, NM_SETTING_802_1X_PHASE2_CLIENT_CERT_PASSWORD)
DEFINE_SECRET_FLAGS_GETTER (nmc_property_802_1X_get_phase2_client_cert_password_flags, NM_SETTING_802_1X_PHASE2_CLIENT_CERT_PASSWORD_FLAGS)
DEFINE_GETTER (nmc_property_802_1X_get_password, NM_SETTING_802_1X_PASSWORD)
DEFINE_SECRET_FLAGS_GETTER (nmc_property_802_1X_get_password_flags, NM_SETTING_802_1X_PASSWORD_FLAGS)
DEFINE_SECRET_FLAGS_GETTER (nmc_property_802_1X_get_password_raw_flags, NM_SETTING_802_1X_PASSWORD_RAW_FLAGS)
@ -6129,6 +6153,20 @@ nmc_properties_init (void)
nmc_property_802_1X_describe_ca_cert,
NULL,
NULL);
nmc_add_prop_funcs (GLUE (802_1X, CA_CERT_PASSWORD),
nmc_property_802_1X_get_ca_cert_password,
nmc_property_set_string,
NULL,
NULL,
NULL,
NULL);
nmc_add_prop_funcs (GLUE (802_1X, CA_CERT_PASSWORD_FLAGS),
nmc_property_802_1X_get_ca_cert_password_flags,
nmc_property_set_secret_flags,
NULL,
NULL,
NULL,
NULL);
nmc_add_prop_funcs (GLUE (802_1X, CA_PATH),
nmc_property_802_1X_get_ca_path,
nmc_property_set_string,
@ -6164,6 +6202,20 @@ nmc_properties_init (void)
nmc_property_802_1X_describe_client_cert,
NULL,
NULL);
nmc_add_prop_funcs (GLUE (802_1X, CLIENT_CERT_PASSWORD),
nmc_property_802_1X_get_client_cert_password,
nmc_property_set_string,
NULL,
NULL,
NULL,
NULL);
nmc_add_prop_funcs (GLUE (802_1X, CLIENT_CERT_PASSWORD_FLAGS),
nmc_property_802_1X_get_client_cert_password_flags,
nmc_property_set_secret_flags,
NULL,
NULL,
NULL,
NULL);
nmc_add_prop_funcs (GLUE (802_1X, PHASE1_PEAPVER),
nmc_property_802_1X_get_phase1_peapver,
nmc_property_802_1X_set_phase1_peapver,
@ -6206,6 +6258,20 @@ nmc_properties_init (void)
nmc_property_802_1X_describe_phase2_ca_cert,
NULL,
NULL);
nmc_add_prop_funcs (GLUE (802_1X, PHASE2_CA_CERT_PASSWORD),
nmc_property_802_1X_get_phase2_ca_cert_password,
nmc_property_set_string,
NULL,
NULL,
NULL,
NULL);
nmc_add_prop_funcs (GLUE (802_1X, PHASE2_CA_CERT_PASSWORD_FLAGS),
nmc_property_802_1X_get_phase2_ca_cert_password_flags,
nmc_property_set_secret_flags,
NULL,
NULL,
NULL,
NULL);
nmc_add_prop_funcs (GLUE (802_1X, PHASE2_CA_PATH),
nmc_property_802_1X_get_phase2_ca_path,
nmc_property_set_string,
@ -6241,6 +6307,20 @@ nmc_properties_init (void)
nmc_property_802_1X_describe_phase2_client_cert,
NULL,
NULL);
nmc_add_prop_funcs (GLUE (802_1X, PHASE2_CLIENT_CERT_PASSWORD),
nmc_property_802_1X_get_phase2_client_cert_password,
nmc_property_set_string,
NULL,
NULL,
NULL,
NULL);
nmc_add_prop_funcs (GLUE (802_1X, PHASE2_CLIENT_CERT_PASSWORD_FLAGS),
nmc_property_802_1X_get_phase2_client_cert_password_flags,
nmc_property_set_secret_flags,
NULL,
NULL,
NULL,
NULL);
nmc_add_prop_funcs (GLUE (802_1X, PASSWORD),
nmc_property_802_1X_get_password,
nmc_property_set_string,
@ -8580,35 +8660,43 @@ setting_802_1X_details (NMSetting *setting, NmCli *nmc, const char *one_prop, g
set_val_str (arr, 3, nmc_property_802_1X_get_anonymous_identity (setting, NMC_PROPERTY_GET_PRETTY));
set_val_str (arr, 4, nmc_property_802_1X_get_pac_file (setting, NMC_PROPERTY_GET_PRETTY));
set_val_str (arr, 5, nmc_property_802_1X_get_ca_cert (setting, NMC_PROPERTY_GET_PRETTY));
set_val_str (arr, 6, nmc_property_802_1X_get_ca_path (setting, NMC_PROPERTY_GET_PRETTY));
set_val_str (arr, 7, nmc_property_802_1X_get_subject_match (setting, NMC_PROPERTY_GET_PRETTY));
set_val_str (arr, 8, nmc_property_802_1X_get_altsubject_matches (setting, NMC_PROPERTY_GET_PRETTY));
set_val_str (arr, 9, nmc_property_802_1X_get_domain_suffix_match (setting, NMC_PROPERTY_GET_PRETTY));
set_val_str (arr, 10, nmc_property_802_1X_get_client_cert (setting, NMC_PROPERTY_GET_PRETTY, secrets));
set_val_str (arr, 11, nmc_property_802_1X_get_phase1_peapver (setting, NMC_PROPERTY_GET_PRETTY));
set_val_str (arr, 12, nmc_property_802_1X_get_phase1_peaplabel (setting, NMC_PROPERTY_GET_PRETTY));
set_val_str (arr, 13, nmc_property_802_1X_get_phase1_fast_provisioning (setting, NMC_PROPERTY_GET_PRETTY));
set_val_str (arr, 14, nmc_property_802_1X_get_phase2_auth (setting, NMC_PROPERTY_GET_PRETTY));
set_val_str (arr, 15, nmc_property_802_1X_get_phase2_autheap (setting, NMC_PROPERTY_GET_PRETTY));
set_val_str (arr, 16, nmc_property_802_1X_get_phase2_ca_cert (setting, NMC_PROPERTY_GET_PRETTY));
set_val_str (arr, 17, nmc_property_802_1X_get_phase2_ca_path (setting, NMC_PROPERTY_GET_PRETTY));
set_val_str (arr, 18, nmc_property_802_1X_get_phase2_subject_match (setting, NMC_PROPERTY_GET_PRETTY));
set_val_str (arr, 19, nmc_property_802_1X_get_phase2_altsubject_matches (setting, NMC_PROPERTY_GET_PRETTY));
set_val_str (arr, 20, nmc_property_802_1X_get_phase2_domain_suffix_match (setting, NMC_PROPERTY_GET_PRETTY));
set_val_str (arr, 21, nmc_property_802_1X_get_phase2_client_cert (setting, NMC_PROPERTY_GET_PRETTY, secrets));
set_val_str (arr, 22, GET_SECRET (secrets, setting, nmc_property_802_1X_get_password));
set_val_str (arr, 23, nmc_property_802_1X_get_password_flags (setting, NMC_PROPERTY_GET_PRETTY));
set_val_str (arr, 24, GET_SECRET (secrets, setting, nmc_property_802_1X_get_password_raw));
set_val_str (arr, 25, nmc_property_802_1X_get_password_raw_flags (setting, NMC_PROPERTY_GET_PRETTY));
set_val_str (arr, 26, nmc_property_802_1X_get_private_key (setting, NMC_PROPERTY_GET_PRETTY, secrets));
set_val_str (arr, 27, GET_SECRET (secrets, setting, nmc_property_802_1X_get_private_key_password));
set_val_str (arr, 28, nmc_property_802_1X_get_private_key_password_flags (setting, NMC_PROPERTY_GET_PRETTY));
set_val_str (arr, 29, nmc_property_802_1X_get_phase2_private_key (setting, NMC_PROPERTY_GET_PRETTY, secrets));
set_val_str (arr, 30, GET_SECRET (secrets, setting, nmc_property_802_1X_get_phase2_private_key_password));
set_val_str (arr, 31, nmc_property_802_1X_get_phase2_private_key_password_flags (setting, NMC_PROPERTY_GET_PRETTY));
set_val_str (arr, 32, GET_SECRET (secrets, setting, nmc_property_802_1X_get_pin));
set_val_str (arr, 33, nmc_property_802_1X_get_pin_flags (setting, NMC_PROPERTY_GET_PRETTY));
set_val_str (arr, 34, nmc_property_802_1X_get_system_ca_certs (setting, NMC_PROPERTY_GET_PRETTY));
set_val_str (arr, 6, GET_SECRET (secrets, setting, nmc_property_802_1X_get_ca_cert_password));
set_val_str (arr, 7, nmc_property_802_1X_get_ca_cert_password_flags (setting, NMC_PROPERTY_GET_PRETTY));
set_val_str (arr, 8, nmc_property_802_1X_get_ca_path (setting, NMC_PROPERTY_GET_PRETTY));
set_val_str (arr, 9, nmc_property_802_1X_get_subject_match (setting, NMC_PROPERTY_GET_PRETTY));
set_val_str (arr, 10, nmc_property_802_1X_get_altsubject_matches (setting, NMC_PROPERTY_GET_PRETTY));
set_val_str (arr, 11, nmc_property_802_1X_get_domain_suffix_match (setting, NMC_PROPERTY_GET_PRETTY));
set_val_str (arr, 12, nmc_property_802_1X_get_client_cert (setting, NMC_PROPERTY_GET_PRETTY, secrets));
set_val_str (arr, 13, GET_SECRET (secrets, setting, nmc_property_802_1X_get_client_cert_password));
set_val_str (arr, 14, nmc_property_802_1X_get_client_cert_password_flags (setting, NMC_PROPERTY_GET_PRETTY));
set_val_str (arr, 15, nmc_property_802_1X_get_phase1_peapver (setting, NMC_PROPERTY_GET_PRETTY));
set_val_str (arr, 16, nmc_property_802_1X_get_phase1_peaplabel (setting, NMC_PROPERTY_GET_PRETTY));
set_val_str (arr, 17, nmc_property_802_1X_get_phase1_fast_provisioning (setting, NMC_PROPERTY_GET_PRETTY));
set_val_str (arr, 18, nmc_property_802_1X_get_phase2_auth (setting, NMC_PROPERTY_GET_PRETTY));
set_val_str (arr, 19, nmc_property_802_1X_get_phase2_autheap (setting, NMC_PROPERTY_GET_PRETTY));
set_val_str (arr, 20, nmc_property_802_1X_get_phase2_ca_cert (setting, NMC_PROPERTY_GET_PRETTY));
set_val_str (arr, 21, GET_SECRET (secrets, setting, nmc_property_802_1X_get_phase2_ca_cert_password));
set_val_str (arr, 22, nmc_property_802_1X_get_phase2_ca_cert_password_flags (setting, NMC_PROPERTY_GET_PRETTY));
set_val_str (arr, 23, nmc_property_802_1X_get_phase2_ca_path (setting, NMC_PROPERTY_GET_PRETTY));
set_val_str (arr, 24, nmc_property_802_1X_get_phase2_subject_match (setting, NMC_PROPERTY_GET_PRETTY));
set_val_str (arr, 25, nmc_property_802_1X_get_phase2_altsubject_matches (setting, NMC_PROPERTY_GET_PRETTY));
set_val_str (arr, 26, nmc_property_802_1X_get_phase2_domain_suffix_match (setting, NMC_PROPERTY_GET_PRETTY));
set_val_str (arr, 27, nmc_property_802_1X_get_phase2_client_cert (setting, NMC_PROPERTY_GET_PRETTY, secrets));
set_val_str (arr, 28, GET_SECRET (secrets, setting, nmc_property_802_1X_get_phase2_client_cert_password));
set_val_str (arr, 29, nmc_property_802_1X_get_phase2_client_cert_password_flags (setting, NMC_PROPERTY_GET_PRETTY));
set_val_str (arr, 30, GET_SECRET (secrets, setting, nmc_property_802_1X_get_password));
set_val_str (arr, 31, nmc_property_802_1X_get_password_flags (setting, NMC_PROPERTY_GET_PRETTY));
set_val_str (arr, 32, GET_SECRET (secrets, setting, nmc_property_802_1X_get_password_raw));
set_val_str (arr, 33, nmc_property_802_1X_get_password_raw_flags (setting, NMC_PROPERTY_GET_PRETTY));
set_val_str (arr, 34, nmc_property_802_1X_get_private_key (setting, NMC_PROPERTY_GET_PRETTY, secrets));
set_val_str (arr, 35, GET_SECRET (secrets, setting, nmc_property_802_1X_get_private_key_password));
set_val_str (arr, 36, nmc_property_802_1X_get_private_key_password_flags (setting, NMC_PROPERTY_GET_PRETTY));
set_val_str (arr, 37, nmc_property_802_1X_get_phase2_private_key (setting, NMC_PROPERTY_GET_PRETTY, secrets));
set_val_str (arr, 38, GET_SECRET (secrets, setting, nmc_property_802_1X_get_phase2_private_key_password));
set_val_str (arr, 39, nmc_property_802_1X_get_phase2_private_key_password_flags (setting, NMC_PROPERTY_GET_PRETTY));
set_val_str (arr, 40, GET_SECRET (secrets, setting, nmc_property_802_1X_get_pin));
set_val_str (arr, 41, nmc_property_802_1X_get_pin_flags (setting, NMC_PROPERTY_GET_PRETTY));
set_val_str (arr, 42, nmc_property_802_1X_get_system_ca_certs (setting, NMC_PROPERTY_GET_PRETTY));
g_ptr_array_add (nmc->output_data, arr);
print_data (nmc); /* Print all data */

29
libnm-core/nm-core-internal.h
View file

@ -342,4 +342,33 @@ gboolean _nm_utils_inet6_is_token (const struct in6_addr *in6addr);
gboolean _nm_utils_team_config_equal (const char *conf1, const char *conf2, gboolean port);
/*****************************************************************************/
typedef struct {
const char *setting_key;
NMSetting8021xCKScheme (*scheme_func) (NMSetting8021x *setting);
NMSetting8021xCKFormat (*format_func) (NMSetting8021x *setting);
const char * (*path_func) (NMSetting8021x *setting);
GBytes * (*blob_func) (NMSetting8021x *setting);
const char * (*uri_func) (NMSetting8021x *setting);
const char * (*passwd_func) (NMSetting8021x *setting);
NMSettingSecretFlags (*pwflag_func) (NMSetting8021x *setting);
const char *file_suffix;
} NMSetting8021xSchemeVtable;
enum {
NM_SETTING_802_1X_SCHEME_TYPE_CA_CERT,
NM_SETTING_802_1X_SCHEME_TYPE_PHASE2_CA_CERT,
NM_SETTING_802_1X_SCHEME_TYPE_CLIENT_CERT,
NM_SETTING_802_1X_SCHEME_TYPE_PHASE2_CLIENT_CERT,
NM_SETTING_802_1X_SCHEME_TYPE_PRIVATE_KEY,
NM_SETTING_802_1X_SCHEME_TYPE_PHASE2_PRIVATE_KEY,
NM_SETTING_802_1X_SCHEME_TYPE_UNKNOWN,
};
extern const NMSetting8021xSchemeVtable nm_setting_8021x_scheme_vtable[NM_SETTING_802_1X_SCHEME_TYPE_UNKNOWN + 1];
/*****************************************************************************/
#endif

13
libnm-core/nm-keyfile-internal.h
View file

@ -27,6 +27,8 @@
#include "nm-connection.h"
#include "nm-setting-8021x.h"
#include "nm-core-internal.h"
/*****************************************************************************/
#define NM_KEYFILE_CERT_SCHEME_PREFIX_PATH "file://"
@ -138,17 +140,8 @@ typedef gboolean (*NMKeyfileWriteHandler) (NMConnection *connection,
* type %NM_KEYFILE_WRITE_TYPE_CERT.
*/
typedef struct {
const NMSetting8021xSchemeVtable *vtable;
NMSetting8021x *setting;
const char *property_name;
/* The following functions are helpers that simplify the implementation
* of the handler. */
const char *suffix;
NMSetting8021xCKScheme (*scheme_func) (NMSetting8021x *setting);
NMSetting8021xCKFormat (*format_func) (NMSetting8021x *setting);
const char * (*path_func) (NMSetting8021x *setting);
GBytes * (*blob_func) (NMSetting8021x *setting);
const char * (*uri_func) (NMSetting8021x *setting);
} NMKeyfileWriteTypeDataCert;

92
libnm-core/nm-keyfile-writer.c
View file

@ -373,68 +373,6 @@ password_raw_writer (KeyfileWriterInfo *info,
nm_keyfile_plugin_kf_set_integer_list_uint8 (info->keyfile, setting_name, key, data, len);
}
typedef struct ObjectType {
const char *key;
const char *suffix;
NMSetting8021xCKScheme (*scheme_func) (NMSetting8021x *setting);
NMSetting8021xCKFormat (*format_func) (NMSetting8021x *setting);
const char * (*path_func) (NMSetting8021x *setting);
GBytes * (*blob_func) (NMSetting8021x *setting);
const char * (*uri_func) (NMSetting8021x *setting);
} ObjectType;
static const ObjectType objtypes[10] = {
{ NM_SETTING_802_1X_CA_CERT,
"ca-cert",
nm_setting_802_1x_get_ca_cert_scheme,
NULL,
nm_setting_802_1x_get_ca_cert_path,
nm_setting_802_1x_get_ca_cert_blob,
nm_setting_802_1x_get_ca_cert_uri },
{ NM_SETTING_802_1X_PHASE2_CA_CERT,
"inner-ca-cert",
nm_setting_802_1x_get_phase2_ca_cert_scheme,
NULL,
nm_setting_802_1x_get_phase2_ca_cert_path,
nm_setting_802_1x_get_phase2_ca_cert_blob,
nm_setting_802_1x_get_phase2_ca_cert_uri },
{ NM_SETTING_802_1X_CLIENT_CERT,
"client-cert",
nm_setting_802_1x_get_client_cert_scheme,
NULL,
nm_setting_802_1x_get_client_cert_path,
nm_setting_802_1x_get_client_cert_blob,
nm_setting_802_1x_get_client_cert_uri },
{ NM_SETTING_802_1X_PHASE2_CLIENT_CERT,
"inner-client-cert",
nm_setting_802_1x_get_phase2_client_cert_scheme,
NULL,
nm_setting_802_1x_get_phase2_client_cert_path,
nm_setting_802_1x_get_phase2_client_cert_blob,
nm_setting_802_1x_get_phase2_client_cert_uri },
{ NM_SETTING_802_1X_PRIVATE_KEY,
"private-key",
nm_setting_802_1x_get_private_key_scheme,
nm_setting_802_1x_get_private_key_format,
nm_setting_802_1x_get_private_key_path,
nm_setting_802_1x_get_private_key_blob,
nm_setting_802_1x_get_private_key_uri },
{ NM_SETTING_802_1X_PHASE2_PRIVATE_KEY,
"inner-private-key",
nm_setting_802_1x_get_phase2_private_key_scheme,
nm_setting_802_1x_get_phase2_private_key_format,
nm_setting_802_1x_get_phase2_private_key_path,
nm_setting_802_1x_get_phase2_private_key_blob,
nm_setting_802_1x_get_phase2_private_key_uri },
{ NULL },
};
/*****************************************************************************/
static void
@ -445,13 +383,13 @@ cert_writer_default (NMConnection *connection,
const char *setting_name = nm_setting_get_name (NM_SETTING (cert_data->setting));
NMSetting8021xCKScheme scheme;
scheme = cert_data->scheme_func (cert_data->setting);
scheme = cert_data->vtable->scheme_func (cert_data->setting);
if (scheme == NM_SETTING_802_1X_CK_SCHEME_PATH) {
const char *path;
char *path_free = NULL, *tmp;
gs_free char *base_dir = NULL;
path = cert_data->path_func (cert_data->setting);
path = cert_data->vtable->path_func (cert_data->setting);
g_assert (path);
/* If the path is relative, make it an absolute path.
@ -475,7 +413,7 @@ cert_writer_default (NMConnection *connection,
/* Path contains at least a '/', hence it cannot be recognized as the old
* binary format consisting of a list of integers. */
nm_keyfile_plugin_kf_set_string (file, setting_name, cert_data->property_name, path);
nm_keyfile_plugin_kf_set_string (file, setting_name, cert_data->vtable->setting_key, path);
g_free (tmp);
g_free (path_free);
} else if (scheme == NM_SETTING_802_1X_CK_SCHEME_BLOB) {
@ -484,19 +422,19 @@ cert_writer_default (NMConnection *connection,
gsize blob_len;
char *blob_base64, *val;
blob = cert_data->blob_func (cert_data->setting);
blob = cert_data->vtable->blob_func (cert_data->setting);
g_assert (blob);
blob_data = g_bytes_get_data (blob, &blob_len);
blob_base64 = g_base64_encode (blob_data, blob_len);
val = g_strconcat (NM_KEYFILE_CERT_SCHEME_PREFIX_BLOB, blob_base64, NULL);
nm_keyfile_plugin_kf_set_string (file, setting_name, cert_data->property_name, val);
nm_keyfile_plugin_kf_set_string (file, setting_name, cert_data->vtable->setting_key, val);
g_free (val);
g_free (blob_base64);
} else if (scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11) {
nm_keyfile_plugin_kf_set_string (file, setting_name, cert_data->property_name,
cert_data->uri_func (cert_data->setting));
nm_keyfile_plugin_kf_set_string (file, setting_name, cert_data->vtable->setting_key,
cert_data->vtable->uri_func (cert_data->setting));
} else {
/* scheme_func() returns UNKNOWN in all other cases. The only valid case
* where a scheme is allowed to be UNKNOWN, is unsetting the value. In this
@ -514,13 +452,13 @@ cert_writer (KeyfileWriterInfo *info,
const char *key,
const GValue *value)
{
const ObjectType *objtype = NULL;
const NMSetting8021xSchemeVtable *objtype = NULL;
guint i;
NMKeyfileWriteTypeDataCert type_data = { 0 };
for (i = 0; i < G_N_ELEMENTS (objtypes) && objtypes[i].key; i++) {
if (g_strcmp0 (objtypes[i].key, key) == 0) {
objtype = &objtypes[i];
for (i = 0; nm_setting_8021x_scheme_vtable[i].setting_key; i++) {
if (g_strcmp0 (nm_setting_8021x_scheme_vtable[i].setting_key, key) == 0) {
objtype = &nm_setting_8021x_scheme_vtable[i];
break;
}
}
@ -528,13 +466,7 @@ cert_writer (KeyfileWriterInfo *info,
g_return_if_reached ();
type_data.setting = NM_SETTING_802_1X (setting);
type_data.property_name = key;
type_data.suffix = objtype->suffix;
type_data.scheme_func = objtype->scheme_func;
type_data.format_func = objtype->format_func;
type_data.path_func = objtype->path_func;
type_data.blob_func = objtype->blob_func;
type_data.uri_func = objtype->uri_func;
type_data.vtable = objtype;
if (info->handler) {
if (info->handler (info->connection,

556
libnm-core/nm-setting-8021x.c
View file

@ -77,22 +77,30 @@ typedef struct {
char *anonymous_identity;
char *pac_file;
GBytes *ca_cert;
char *ca_cert_password;
NMSettingSecretFlags ca_cert_password_flags;
char *ca_path;
char *subject_match;
GSList *altsubject_matches;
char *domain_suffix_match;
GBytes *client_cert;
char *client_cert_password;
NMSettingSecretFlags client_cert_password_flags;
char *phase1_peapver;
char *phase1_peaplabel;
char *phase1_fast_provisioning;
char *phase2_auth;
char *phase2_autheap;
GBytes *phase2_ca_cert;
char *phase2_ca_cert_password;
NMSettingSecretFlags phase2_ca_cert_password_flags;
char *phase2_ca_path;
char *phase2_subject_match;
GSList *phase2_altsubject_matches;
char *phase2_domain_suffix_match;
GBytes *phase2_client_cert;
char *phase2_client_cert_password;
NMSettingSecretFlags phase2_client_cert_password_flags;
char *password;
NMSettingSecretFlags password_flags;
GBytes *password_raw;
@ -115,22 +123,30 @@ enum {
PROP_ANONYMOUS_IDENTITY,
PROP_PAC_FILE,
PROP_CA_CERT,
PROP_CA_CERT_PASSWORD,
PROP_CA_CERT_PASSWORD_FLAGS,
PROP_CA_PATH,
PROP_SUBJECT_MATCH,
PROP_ALTSUBJECT_MATCHES,
PROP_DOMAIN_SUFFIX_MATCH,
PROP_CLIENT_CERT,
PROP_CLIENT_CERT_PASSWORD,
PROP_CLIENT_CERT_PASSWORD_FLAGS,
PROP_PHASE1_PEAPVER,
PROP_PHASE1_PEAPLABEL,
PROP_PHASE1_FAST_PROVISIONING,
PROP_PHASE2_AUTH,
PROP_PHASE2_AUTHEAP,
PROP_PHASE2_CA_CERT,
PROP_PHASE2_CA_CERT_PASSWORD,
PROP_PHASE2_CA_CERT_PASSWORD_FLAGS,
PROP_PHASE2_CA_PATH,
PROP_PHASE2_SUBJECT_MATCH,
PROP_PHASE2_ALTSUBJECT_MATCHES,
PROP_PHASE2_DOMAIN_SUFFIX_MATCH,
PROP_PHASE2_CLIENT_CERT,
PROP_PHASE2_CLIENT_CERT_PASSWORD,
PROP_PHASE2_CLIENT_CERT_PASSWORD_FLAGS,
PROP_PASSWORD,
PROP_PASSWORD_FLAGS,
PROP_PASSWORD_RAW,
@ -161,6 +177,86 @@ nm_setting_802_1x_new (void)
return (NMSetting *) g_object_new (NM_TYPE_SETTING_802_1X, NULL);
}
/*****************************************************************************/
const NMSetting8021xSchemeVtable nm_setting_8021x_scheme_vtable[] = {
[NM_SETTING_802_1X_SCHEME_TYPE_CA_CERT] = {
.setting_key = NM_SETTING_802_1X_CA_CERT,
.scheme_func = nm_setting_802_1x_get_ca_cert_scheme,
.format_func = NULL,
.path_func = nm_setting_802_1x_get_ca_cert_path,
.blob_func = nm_setting_802_1x_get_ca_cert_blob,
.uri_func = nm_setting_802_1x_get_ca_cert_uri,
.passwd_func = nm_setting_802_1x_get_ca_cert_password,
.pwflag_func = nm_setting_802_1x_get_ca_cert_password_flags,
.file_suffix = "ca-cert",
},
[NM_SETTING_802_1X_SCHEME_TYPE_PHASE2_CA_CERT] = {
.setting_key = NM_SETTING_802_1X_PHASE2_CA_CERT,
.scheme_func = nm_setting_802_1x_get_phase2_ca_cert_scheme,
.format_func = NULL,
.path_func = nm_setting_802_1x_get_phase2_ca_cert_path,
.blob_func = nm_setting_802_1x_get_phase2_ca_cert_blob,
.uri_func = nm_setting_802_1x_get_phase2_ca_cert_uri,
.passwd_func = nm_setting_802_1x_get_phase2_ca_cert_password,
.pwflag_func = nm_setting_802_1x_get_phase2_ca_cert_password_flags,
.file_suffix = "inner-ca-cert",
},
[NM_SETTING_802_1X_SCHEME_TYPE_CLIENT_CERT] = {
.setting_key = NM_SETTING_802_1X_CLIENT_CERT,
.scheme_func = nm_setting_802_1x_get_client_cert_scheme,
.format_func = NULL,
.path_func = nm_setting_802_1x_get_client_cert_path,
.blob_func = nm_setting_802_1x_get_client_cert_blob,
.uri_func = nm_setting_802_1x_get_client_cert_uri,
.passwd_func = nm_setting_802_1x_get_client_cert_password,
.pwflag_func = nm_setting_802_1x_get_client_cert_password_flags,
.file_suffix = "client-cert",
},
[NM_SETTING_802_1X_SCHEME_TYPE_PHASE2_CLIENT_CERT] = {
.setting_key = NM_SETTING_802_1X_PHASE2_CLIENT_CERT,
.scheme_func = nm_setting_802_1x_get_phase2_client_cert_scheme,
.format_func = NULL,
.path_func = nm_setting_802_1x_get_phase2_client_cert_path,
.blob_func = nm_setting_802_1x_get_phase2_client_cert_blob,
.uri_func = nm_setting_802_1x_get_phase2_client_cert_uri,
.passwd_func = nm_setting_802_1x_get_phase2_client_cert_password,
.pwflag_func = nm_setting_802_1x_get_phase2_client_cert_password_flags,
.file_suffix = "inner-client-cert",
},
[NM_SETTING_802_1X_SCHEME_TYPE_PRIVATE_KEY] = {
.setting_key = NM_SETTING_802_1X_PRIVATE_KEY,
.scheme_func = nm_setting_802_1x_get_private_key_scheme,
.format_func = nm_setting_802_1x_get_private_key_format,
.path_func = nm_setting_802_1x_get_private_key_path,
.blob_func = nm_setting_802_1x_get_private_key_blob,
.uri_func = nm_setting_802_1x_get_private_key_uri,
.passwd_func = nm_setting_802_1x_get_private_key_password,
.pwflag_func = nm_setting_802_1x_get_private_key_password_flags,
.file_suffix = "private-key",
},
[NM_SETTING_802_1X_SCHEME_TYPE_PHASE2_PRIVATE_KEY] = {
.setting_key = NM_SETTING_802_1X_PHASE2_PRIVATE_KEY,
.scheme_func = nm_setting_802_1x_get_phase2_private_key_scheme,
.format_func = nm_setting_802_1x_get_phase2_private_key_format,
.path_func = nm_setting_802_1x_get_phase2_private_key_path,
.blob_func = nm_setting_802_1x_get_phase2_private_key_blob,
.uri_func = nm_setting_802_1x_get_phase2_private_key_uri,
.passwd_func = nm_setting_802_1x_get_phase2_private_key_password,
.pwflag_func = nm_setting_802_1x_get_phase2_private_key_password_flags,
.file_suffix = "inner-private-key",
},
[NM_SETTING_802_1X_SCHEME_TYPE_UNKNOWN] = { NULL },
};
/*****************************************************************************/
/**
* nm_setting_802_1x_get_num_eap_methods:
* @setting: the #NMSetting8021x
@ -739,6 +835,41 @@ nm_setting_802_1x_set_ca_cert (NMSetting8021x *setting,
return priv->ca_cert != NULL;
}
/**
* nm_setting_802_1x_get_ca_cert_password:
* @setting: the #NMSetting8021x
*
* Returns: the password used to access the CA certificate stored in
* #NMSetting8021x:ca-cert property. Only makes sense if the certificate
* is stored on a PKCS#<!-- -->11 token that requires a login.
*
* Since: 1.8
**/
const char *
nm_setting_802_1x_get_ca_cert_password (NMSetting8021x *setting)
{
g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);
return NM_SETTING_802_1X_GET_PRIVATE (setting)->ca_cert_password;
}
/**
* nm_setting_802_1x_get_ca_cert_password_flags:
* @setting: the #NMSetting8021x
*
* Returns: the #NMSettingSecretFlags pertaining to the
* #NMSetting8021x:ca-cert-password
*
* Since: 1.8
**/
NMSettingSecretFlags
nm_setting_802_1x_get_ca_cert_password_flags (NMSetting8021x *setting)
{
g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NM_SETTING_SECRET_FLAG_NONE);
return NM_SETTING_802_1X_GET_PRIVATE (setting)->ca_cert_password_flags;
}
/**
* nm_setting_802_1x_get_subject_match:
* @setting: the #NMSetting8021x
@ -1120,6 +1251,41 @@ nm_setting_802_1x_set_client_cert (NMSetting8021x *setting,
return priv->client_cert != NULL;
}
/**
* nm_setting_802_1x_get_client_cert_password:
* @setting: the #NMSetting8021x
*
* Returns: the password used to access the client certificate stored in
* #NMSetting8021x:client-cert property. Only makes sense if the certificate
* is stored on a PKCS#<!-- -->11 token that requires a login.
*
* Since: 1.8
**/
const char *
nm_setting_802_1x_get_client_cert_password (NMSetting8021x *setting)
{
g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);
return NM_SETTING_802_1X_GET_PRIVATE (setting)->client_cert_password;
}
/**
* nm_setting_802_1x_get_client_cert_password_flags:
* @setting: the #NMSetting8021x
*
* Returns: the #NMSettingSecretFlags pertaining to the
* #NMSetting8021x:client-cert-password
*
* Since: 1.8
**/
NMSettingSecretFlags
nm_setting_802_1x_get_client_cert_password_flags (NMSetting8021x *setting)
{
g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NM_SETTING_SECRET_FLAG_NONE);
return NM_SETTING_802_1X_GET_PRIVATE (setting)->client_cert_password_flags;
}
/**
* nm_setting_802_1x_get_phase1_peapver:
* @setting: the #NMSetting8021x
@ -1412,6 +1578,41 @@ nm_setting_802_1x_set_phase2_ca_cert (NMSetting8021x *setting,
return priv->phase2_ca_cert != NULL;
}
/**
* nm_setting_802_1x_get_phase2_ca_cert_password:
* @setting: the #NMSetting8021x
*
* Returns: the password used to access the "phase2" CA certificate stored in
* #NMSetting8021x:phase2-ca-cert property. Only makes sense if the certificate
* is stored on a PKCS#<!-- -->11 token that requires a login.
*
* Since: 1.8
**/
const char *
nm_setting_802_1x_get_phase2_ca_cert_password (NMSetting8021x *setting)
{
g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);
return NM_SETTING_802_1X_GET_PRIVATE (setting)->phase2_ca_cert_password;
}
/**
* nm_setting_802_1x_get_phase2_ca_cert_password_flags:
* @setting: the #NMSetting8021x
*
* Returns: the #NMSettingSecretFlags pertaining to the
* #NMSetting8021x:phase2-private-key-password
*
* Since: 1.8
**/
NMSettingSecretFlags
nm_setting_802_1x_get_phase2_ca_cert_password_flags (NMSetting8021x *setting)
{
g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NM_SETTING_SECRET_FLAG_NONE);
return NM_SETTING_802_1X_GET_PRIVATE (setting)->phase2_ca_cert_password_flags;
}
/**
* nm_setting_802_1x_get_phase2_subject_match:
* @setting: the #NMSetting8021x
@ -1799,6 +2000,41 @@ nm_setting_802_1x_set_phase2_client_cert (NMSetting8021x *setting,
return priv->phase2_client_cert != NULL;
}
/**
* nm_setting_802_1x_get_phase2_ca_cert_password:
* @setting: the #NMSetting8021x
*
* Returns: the password used to access the "phase2" client certificate stored in
* #NMSetting8021x:phase2-client-cert property. Only makes sense if the certificate
* is stored on a PKCS#<!-- -->11 token that requires a login.
*
* Since: 1.8
**/
const char *
nm_setting_802_1x_get_phase2_client_cert_password (NMSetting8021x *setting)
{
g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);
return NM_SETTING_802_1X_GET_PRIVATE (setting)->phase2_client_cert_password;
}
/**
* nm_setting_802_1x_get_phase2_client_cert_password_flags:
* @setting: the #NMSetting8021x
*
* Returns: the #NMSettingSecretFlags pertaining to the
* #NMSetting8021x:phase2-client-cert-password
*
* Since: 1.8
**/
NMSettingSecretFlags
nm_setting_802_1x_get_phase2_client_cert_password_flags (NMSetting8021x *setting)
{
g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NM_SETTING_SECRET_FLAG_NONE);
return NM_SETTING_802_1X_GET_PRIVATE (setting)->phase2_client_cert_password_flags;
}
/**
* nm_setting_802_1x_get_password:
* @setting: the #NMSetting8021x
@ -2576,10 +2812,14 @@ need_secrets_sim (NMSetting8021x *self,
static gboolean
need_private_key_password (GBytes *blob,
const char *path,
const char *password)
const char *password,
NMSettingSecretFlags flags)
{
NMCryptoFileFormat format = NM_CRYPTO_FILE_FORMAT_UNKNOWN;
if (flags & NM_SETTING_SECRET_FLAG_NOT_REQUIRED)
return FALSE;
/* Private key password is required */
if (password) {
if (path)
@ -2589,7 +2829,7 @@ need_private_key_password (GBytes *blob,
g_bytes_get_size (blob),
password, NULL, NULL);
else
g_warning ("%s: unknown private key password scheme", __func__);
return FALSE;
}
return (format == NM_CRYPTO_FILE_FORMAT_UNKNOWN);
@ -2609,34 +2849,52 @@ need_secrets_tls (NMSetting8021x *self,
scheme = nm_setting_802_1x_get_phase2_private_key_scheme (self);
if (scheme == NM_SETTING_802_1X_CK_SCHEME_PATH)
path = nm_setting_802_1x_get_phase2_private_key_path (self);
else if (scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11)
return;
else if (scheme == NM_SETTING_802_1X_CK_SCHEME_BLOB)
blob = nm_setting_802_1x_get_phase2_private_key_blob (self);
else {
else if (scheme != NM_SETTING_802_1X_CK_SCHEME_PKCS11)
g_warning ("%s: unknown phase2 private key scheme %d", __func__, scheme);
g_ptr_array_add (secrets, NM_SETTING_802_1X_PHASE2_PRIVATE_KEY);
return;
}
if (need_private_key_password (blob, path, priv->phase2_private_key_password))
if (need_private_key_password (blob, path,
priv->phase2_private_key_password,
priv->phase2_private_key_password_flags))
g_ptr_array_add (secrets, NM_SETTING_802_1X_PHASE2_PRIVATE_KEY_PASSWORD);
scheme = nm_setting_802_1x_get_phase2_ca_cert_scheme (self);
if ( scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11
&& !(priv->phase2_ca_cert_password_flags & NM_SETTING_SECRET_FLAG_NOT_REQUIRED)
&& !priv->phase2_ca_cert_password)
g_ptr_array_add (secrets, NM_SETTING_802_1X_PHASE2_CA_CERT_PASSWORD);
scheme = nm_setting_802_1x_get_phase2_client_cert_scheme (self);
if ( scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11
&& !(priv->phase2_client_cert_password_flags & NM_SETTING_SECRET_FLAG_NOT_REQUIRED)
&& !priv->phase2_client_cert_password)
g_ptr_array_add (secrets, NM_SETTING_802_1X_PHASE2_CLIENT_CERT_PASSWORD);
} else {
scheme = nm_setting_802_1x_get_private_key_scheme (self);
if (scheme == NM_SETTING_802_1X_CK_SCHEME_PATH)
path = nm_setting_802_1x_get_private_key_path (self);
else if (scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11)
return;
else if (scheme == NM_SETTING_802_1X_CK_SCHEME_BLOB)
blob = nm_setting_802_1x_get_private_key_blob (self);
else {
else if (scheme != NM_SETTING_802_1X_CK_SCHEME_PKCS11)
g_warning ("%s: unknown private key scheme %d", __func__, scheme);
g_ptr_array_add (secrets, NM_SETTING_802_1X_PRIVATE_KEY);
return;
}
if (need_private_key_password (blob, path, priv->private_key_password))
if (need_private_key_password (blob, path,
priv->private_key_password,
priv->private_key_password_flags))
g_ptr_array_add (secrets, NM_SETTING_802_1X_PRIVATE_KEY_PASSWORD);
scheme = nm_setting_802_1x_get_ca_cert_scheme (self);
if ( scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11
&& !(priv->ca_cert_password_flags & NM_SETTING_SECRET_FLAG_NOT_REQUIRED)
&& !priv->ca_cert_password)
g_ptr_array_add (secrets, NM_SETTING_802_1X_CA_CERT_PASSWORD);
scheme = nm_setting_802_1x_get_client_cert_scheme (self);
if ( scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11
&& !(priv->client_cert_password_flags & NM_SETTING_SECRET_FLAG_NOT_REQUIRED)
&& !priv->client_cert_password)
g_ptr_array_add (secrets, NM_SETTING_802_1X_CLIENT_CERT_PASSWORD);
}
}
@ -2951,21 +3209,37 @@ need_secrets (NMSetting *setting)
}
static gboolean
verify_cert (GBytes *bytes, const char *prop_name, GError **error)
verify_cert (GBytes *bytes, const char *prop_name,
const char *password, const char *password_prop_name, GError **error)
{
GError *local = NULL;
NMSetting8021xCKScheme scheme;
if ( !bytes
|| get_cert_scheme (bytes, &local) != NM_SETTING_802_1X_CK_SCHEME_UNKNOWN)
if (bytes)
scheme = get_cert_scheme (bytes, &local);
else
return TRUE;
g_set_error (error,
NM_CONNECTION_ERROR,
NM_CONNECTION_ERROR_INVALID_PROPERTY,
_("certificate is invalid: %s"), local->message);
g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, prop_name);
g_error_free (local);
return FALSE;
if (scheme == NM_SETTING_802_1X_CK_SCHEME_UNKNOWN) {
g_set_error (error,
NM_CONNECTION_ERROR,
NM_CONNECTION_ERROR_INVALID_PROPERTY,
_("certificate is invalid: %s"), local->message);
g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, prop_name);
g_error_free (local);
return FALSE;
}
if (password && (scheme != NM_SETTING_802_1X_CK_SCHEME_PKCS11)) {
g_set_error (error,
NM_CONNECTION_ERROR,
NM_CONNECTION_ERROR_INVALID_PROPERTY,
_("password is not supported when certificate is not on a PKCS#11 token"));
g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, password_prop_name);
return FALSE;
}
return TRUE;
}
static gboolean
@ -3068,19 +3342,23 @@ verify (NMSetting *setting, NMConnection *connection, GError **error)
return FALSE;
}
if (!verify_cert (priv->ca_cert, NM_SETTING_802_1X_CA_CERT, error))
if (!verify_cert (priv->ca_cert, NM_SETTING_802_1X_CA_CERT,
priv->ca_cert_password, NM_SETTING_802_1X_CA_CERT_PASSWORD, error))
return FALSE;
if (!verify_cert (priv->phase2_ca_cert, NM_SETTING_802_1X_PHASE2_CA_CERT, error))
if (!verify_cert (priv->phase2_ca_cert, NM_SETTING_802_1X_PHASE2_CA_CERT,
priv->phase2_ca_cert_password, NM_SETTING_802_1X_PHASE2_CA_CERT_PASSWORD, error))
return FALSE;
if (!verify_cert (priv->client_cert, NM_SETTING_802_1X_CLIENT_CERT, error))
if (!verify_cert (priv->client_cert, NM_SETTING_802_1X_CLIENT_CERT,
priv->client_cert_password, NM_SETTING_802_1X_CLIENT_CERT_PASSWORD, error))
return FALSE;
if (!verify_cert (priv->phase2_client_cert, NM_SETTING_802_1X_PHASE2_CLIENT_CERT, error))
if (!verify_cert (priv->phase2_client_cert, NM_SETTING_802_1X_PHASE2_CLIENT_CERT,
priv->phase2_client_cert_password, NM_SETTING_802_1X_PHASE2_CLIENT_CERT_PASSWORD, error))
return FALSE;
if (!verify_cert (priv->private_key, NM_SETTING_802_1X_PRIVATE_KEY, error))
if (!verify_cert (priv->private_key, NM_SETTING_802_1X_PRIVATE_KEY, NULL, NULL, error))
return FALSE;
if (!verify_cert (priv->phase2_private_key, NM_SETTING_802_1X_PHASE2_PRIVATE_KEY, error))
if (!verify_cert (priv->phase2_private_key, NM_SETTING_802_1X_PHASE2_PRIVATE_KEY, NULL, NULL, error))
return FALSE;
/* FIXME: finish */
@ -3125,15 +3403,19 @@ finalize (GObject *object)
if (priv->ca_cert)
g_bytes_unref (priv->ca_cert);
g_free (priv->ca_cert_password);
if (priv->client_cert)
g_bytes_unref (priv->client_cert);
g_free (priv->client_cert_password);
if (priv->private_key)
g_bytes_unref (priv->private_key);
g_free (priv->private_key_password);
if (priv->phase2_ca_cert)
g_bytes_unref (priv->phase2_ca_cert);
g_free (priv->phase2_ca_cert_password);
if (priv->phase2_client_cert)
g_bytes_unref (priv->phase2_client_cert);
g_free (priv->phase2_client_cert_password);
if (priv->phase2_private_key)
g_bytes_unref (priv->phase2_private_key);
g_free (priv->phase2_private_key_password);
@ -3150,7 +3432,7 @@ set_cert_prop_helper (const GValue *value, const char *prop_name, GError **error
bytes = g_value_dup_boxed (value);
/* Verify the new data */
if (bytes) {
valid = verify_cert (bytes, prop_name, error);
valid = verify_cert (bytes, prop_name, NULL, NULL, error);
if (!valid)
g_clear_pointer (&bytes, g_bytes_unref);
}
@ -3191,6 +3473,13 @@ set_property (GObject *object, guint prop_id,
g_error_free (error);
}
break;
case PROP_CA_CERT_PASSWORD:
g_free (priv->ca_cert_password);
priv->ca_cert_password = g_value_dup_string (value);
break;
case PROP_CA_CERT_PASSWORD_FLAGS:
priv->ca_cert_password_flags = g_value_get_flags (value);
break;
case PROP_CA_PATH:
g_free (priv->ca_path);
priv->ca_path = g_value_dup_string (value);
@ -3216,6 +3505,13 @@ set_property (GObject *object, guint prop_id,
g_error_free (error);
}
break;
case PROP_CLIENT_CERT_PASSWORD:
g_free (priv->client_cert_password);
priv->client_cert_password = g_value_dup_string (value);
break;
case PROP_CLIENT_CERT_PASSWORD_FLAGS:
priv->client_cert_password_flags = g_value_get_flags (value);
break;
case PROP_PHASE1_PEAPVER:
g_free (priv->phase1_peapver);
priv->phase1_peapver = g_value_dup_string (value);
@ -3245,6 +3541,13 @@ set_property (GObject *object, guint prop_id,
g_error_free (error);
}
break;
case PROP_PHASE2_CA_CERT_PASSWORD:
g_free (priv->phase2_ca_cert_password);
priv->phase2_ca_cert_password = g_value_dup_string (value);
break;
case PROP_PHASE2_CA_CERT_PASSWORD_FLAGS:
priv->phase2_ca_cert_password_flags = g_value_get_flags (value);
break;
case PROP_PHASE2_CA_PATH:
g_free (priv->phase2_ca_path);
priv->phase2_ca_path = g_value_dup_string (value);
@ -3262,6 +3565,7 @@ set_property (GObject *object, guint prop_id,
priv->phase2_domain_suffix_match = nm_strdup_not_empty (g_value_get_string (value));
break;
case PROP_PHASE2_CLIENT_CERT:
if (priv->phase2_client_cert)
g_bytes_unref (priv->phase2_client_cert);
priv->phase2_client_cert = set_cert_prop_helper (value, NM_SETTING_802_1X_PHASE2_CLIENT_CERT, &error);
@ -3270,6 +3574,13 @@ set_property (GObject *object, guint prop_id,
g_error_free (error);
}
break;
case PROP_PHASE2_CLIENT_CERT_PASSWORD:
g_free (priv->phase2_client_cert_password);
priv->phase2_client_cert_password = g_value_dup_string (value);
break;
case PROP_PHASE2_CLIENT_CERT_PASSWORD_FLAGS:
priv->phase2_client_cert_password_flags = g_value_get_flags (value);
break;
case PROP_PASSWORD:
g_free (priv->password);
priv->password = g_value_dup_string (value);
@ -3356,6 +3667,12 @@ get_property (GObject *object, guint prop_id,
case PROP_CA_CERT:
g_value_set_boxed (value, priv->ca_cert);
break;
case PROP_CA_CERT_PASSWORD:
g_value_set_string (value, priv->ca_cert_password);
break;
case PROP_CA_CERT_PASSWORD_FLAGS:
g_value_set_flags (value, priv->ca_cert_password_flags);
break;
case PROP_CA_PATH:
g_value_set_string (value, priv->ca_path);
break;
@ -3371,6 +3688,12 @@ get_property (GObject *object, guint prop_id,
case PROP_CLIENT_CERT:
g_value_set_boxed (value, priv->client_cert);
break;
case PROP_CLIENT_CERT_PASSWORD:
g_value_set_string (value, priv->client_cert_password);
break;
case PROP_CLIENT_CERT_PASSWORD_FLAGS:
g_value_set_flags (value, priv->client_cert_password_flags);
break;
case PROP_PHASE1_PEAPVER:
g_value_set_string (value, priv->phase1_peapver);
break;
@ -3389,6 +3712,12 @@ get_property (GObject *object, guint prop_id,
case PROP_PHASE2_CA_CERT:
g_value_set_boxed (value, priv->phase2_ca_cert);
break;
case PROP_PHASE2_CA_CERT_PASSWORD:
g_value_set_string (value, priv->phase2_ca_cert_password);
break;
case PROP_PHASE2_CA_CERT_PASSWORD_FLAGS:
g_value_set_flags (value, priv->phase2_ca_cert_password_flags);
break;
case PROP_PHASE2_CA_PATH:
g_value_set_string (value, priv->phase2_ca_path);
break;
@ -3404,6 +3733,12 @@ get_property (GObject *object, guint prop_id,
case PROP_PHASE2_CLIENT_CERT:
g_value_set_boxed (value, priv->phase2_client_cert);
break;
case PROP_PHASE2_CLIENT_CERT_PASSWORD:
g_value_set_string (value, priv->phase2_client_cert_password);
break;
case PROP_PHASE2_CLIENT_CERT_PASSWORD_FLAGS:
g_value_set_flags (value, priv->phase2_client_cert_password_flags);
break;
case PROP_PASSWORD:
g_value_set_string (value, priv->password);
break;
@ -3582,6 +3917,44 @@ nm_setting_802_1x_class_init (NMSetting8021xClass *setting_class)
G_PARAM_READWRITE |
G_PARAM_STATIC_STRINGS));
/**
* NMSetting8021x:ca-cert-password:
*
* The password used to access the CA certificate stored in
* #NMSetting8021x:ca-cert property. Only makes sense if the certificate
* is stored on a PKCS#<!-- -->11 token that requires a login.
*
* Since: 1.8
**/
/* ---ifcfg-rh---
* ---end---
*/
g_object_class_install_property
(object_class, PROP_CA_CERT_PASSWORD,
g_param_spec_string (NM_SETTING_802_1X_CA_CERT_PASSWORD, "", "",
NULL,
G_PARAM_READWRITE |
NM_SETTING_PARAM_SECRET |
G_PARAM_STATIC_STRINGS));
/**
* NMSetting8021x:ca-cert-password-flags:
*
* Flags indicating how to handle the #NMSetting8021x:ca-cert-password property.
*
* Since: 1.8
**/
/* ---ifcfg-rh---
* ---end---
*/
g_object_class_install_property
(object_class, PROP_CA_CERT_PASSWORD_FLAGS,
g_param_spec_flags (NM_SETTING_802_1X_CA_CERT_PASSWORD_FLAGS, "", "",
NM_TYPE_SETTING_SECRET_FLAGS,
NM_SETTING_SECRET_FLAG_NONE,
G_PARAM_READWRITE |
G_PARAM_STATIC_STRINGS));
/**
* NMSetting8021x:ca-path:
*
@ -3700,6 +4073,44 @@ nm_setting_802_1x_class_init (NMSetting8021xClass *setting_class)
G_PARAM_READWRITE |
G_PARAM_STATIC_STRINGS));
/**
* NMSetting8021x:client-cert-password:
*
* The password used to access the client certificate stored in
* #NMSetting8021x:client-cert property. Only makes sense if the certificate
* is stored on a PKCS#<!-- -->11 token that requires a login.
*
* Since: 1.8
**/
/* ---ifcfg-rh---
* ---end---
*/
g_object_class_install_property
(object_class, PROP_CLIENT_CERT_PASSWORD,
g_param_spec_string (NM_SETTING_802_1X_CLIENT_CERT_PASSWORD, "", "",
NULL,
G_PARAM_READWRITE |
NM_SETTING_PARAM_SECRET |
G_PARAM_STATIC_STRINGS));
/**
* NMSetting8021x:client-cert-password-flags:
*
* Flags indicating how to handle the #NMSetting8021x:client-cert-password property.
*
* Since: 1.8
**/
/* ---ifcfg-rh---
* ---end---
*/
g_object_class_install_property
(object_class, PROP_CLIENT_CERT_PASSWORD_FLAGS,
g_param_spec_flags (NM_SETTING_802_1X_CLIENT_CERT_PASSWORD_FLAGS, "", "",
NM_TYPE_SETTING_SECRET_FLAGS,
NM_SETTING_SECRET_FLAG_NONE,
G_PARAM_READWRITE |
G_PARAM_STATIC_STRINGS));
/**
* NMSetting8021x:phase1-peapver:
*
@ -3850,6 +4261,44 @@ nm_setting_802_1x_class_init (NMSetting8021xClass *setting_class)
G_PARAM_READWRITE |
G_PARAM_STATIC_STRINGS));
/**
* NMSetting8021x:phase2-ca-cert-password:
*
* The password used to access the "phase2" CA certificate stored in
* #NMSetting8021x:phase2-ca-cert property. Only makes sense if the certificate
* is stored on a PKCS#<!-- -->11 token that requires a login.
*
* Since: 1.8
**/
/* ---ifcfg-rh---
* ---end---
*/
g_object_class_install_property
(object_class, PROP_PHASE2_CA_CERT_PASSWORD,
g_param_spec_string (NM_SETTING_802_1X_PHASE2_CA_CERT_PASSWORD, "", "",
NULL,
G_PARAM_READWRITE |
NM_SETTING_PARAM_SECRET |
G_PARAM_STATIC_STRINGS));
/**
* NMSetting8021x:phase2-ca-cert-password-flags:
*
* Flags indicating how to handle the #NMSetting8021x:phase2-ca-cert-password property.
*
* Since: 1.8
**/
/* ---ifcfg-rh---
* ---end---
*/
g_object_class_install_property
(object_class, PROP_PHASE2_CA_CERT_PASSWORD_FLAGS,
g_param_spec_flags (NM_SETTING_802_1X_PHASE2_CA_CERT_PASSWORD_FLAGS, "", "",
NM_TYPE_SETTING_SECRET_FLAGS,
NM_SETTING_SECRET_FLAG_NONE,
G_PARAM_READWRITE |
G_PARAM_STATIC_STRINGS));
/**
* NMSetting8021x:phase2-ca-path:
*
@ -3966,6 +4415,47 @@ nm_setting_802_1x_class_init (NMSetting8021xClass *setting_class)
G_PARAM_READWRITE |
G_PARAM_STATIC_STRINGS));
/**
* NMSetting8021x:phase2-client-cert-password:
*
* The password used to access the "phase2" client certificate stored in
* #NMSetting8021x:phase2-client-cert property. Only makes sense if the certificate
* is stored on a PKCS#<!-- -->11 token that requires a login.
*
* Since: 1.8
**/
/* ---ifcfg-rh---
* ---end---
*/
g_object_class_install_property
(object_class, PROP_PHASE2_CLIENT_CERT_PASSWORD,
g_param_spec_string (NM_SETTING_802_1X_PHASE2_CLIENT_CERT_PASSWORD, "", "",
NULL,
G_PARAM_READWRITE |
NM_SETTING_PARAM_SECRET |
G_PARAM_STATIC_STRINGS));
/**
* NMSetting8021x:phase2-client-cert-password-flags:
*
* Flags indicating how to handle the #NMSetting8021x:phase2-client-cert-password property.
*
* Since: 1.8
**/
/* ---ifcfg-rh---
* ---end---
*/
g_object_class_install_property
(object_class, PROP_PHASE2_CLIENT_CERT_PASSWORD_FLAGS,
g_param_spec_flags (NM_SETTING_802_1X_PHASE2_CLIENT_CERT_PASSWORD_FLAGS, "", "",
NM_TYPE_SETTING_SECRET_FLAGS,
NM_SETTING_SECRET_FLAG_NONE,
G_PARAM_READWRITE |
G_PARAM_STATIC_STRINGS));
/**
* NMSetting8021x:password:
*

29
libnm-core/nm-setting-8021x.h
View file

@ -90,22 +90,30 @@ typedef enum { /*< underscore_name=nm_setting_802_1x_ck_scheme >*/
#define NM_SETTING_802_1X_ANONYMOUS_IDENTITY "anonymous-identity"
#define NM_SETTING_802_1X_PAC_FILE "pac-file"
#define NM_SETTING_802_1X_CA_CERT "ca-cert"
#define NM_SETTING_802_1X_CA_CERT_PASSWORD "ca-cert-password"
#define NM_SETTING_802_1X_CA_CERT_PASSWORD_FLAGS "ca-cert-password-flags"
#define NM_SETTING_802_1X_CA_PATH "ca-path"
#define NM_SETTING_802_1X_SUBJECT_MATCH "subject-match"
#define NM_SETTING_802_1X_ALTSUBJECT_MATCHES "altsubject-matches"
#define NM_SETTING_802_1X_DOMAIN_SUFFIX_MATCH "domain-suffix-match"
#define NM_SETTING_802_1X_CLIENT_CERT "client-cert"
#define NM_SETTING_802_1X_CLIENT_CERT_PASSWORD "client-cert-password"
#define NM_SETTING_802_1X_CLIENT_CERT_PASSWORD_FLAGS "client-cert-password-flags"
#define NM_SETTING_802_1X_PHASE1_PEAPVER "phase1-peapver"
#define NM_SETTING_802_1X_PHASE1_PEAPLABEL "phase1-peaplabel"
#define NM_SETTING_802_1X_PHASE1_FAST_PROVISIONING "phase1-fast-provisioning"
#define NM_SETTING_802_1X_PHASE2_AUTH "phase2-auth"
#define NM_SETTING_802_1X_PHASE2_AUTHEAP "phase2-autheap"
#define NM_SETTING_802_1X_PHASE2_CA_CERT "phase2-ca-cert"
#define NM_SETTING_802_1X_PHASE2_CA_CERT_PASSWORD "phase2-ca-cert-password"
#define NM_SETTING_802_1X_PHASE2_CA_CERT_PASSWORD_FLAGS "phase2-ca-cert-password-flags"
#define NM_SETTING_802_1X_PHASE2_CA_PATH "phase2-ca-path"
#define NM_SETTING_802_1X_PHASE2_SUBJECT_MATCH "phase2-subject-match"
#define NM_SETTING_802_1X_PHASE2_ALTSUBJECT_MATCHES "phase2-altsubject-matches"
#define NM_SETTING_802_1X_PHASE2_DOMAIN_SUFFIX_MATCH "phase2-domain-suffix-match"
#define NM_SETTING_802_1X_PHASE2_CLIENT_CERT "phase2-client-cert"
#define NM_SETTING_802_1X_PHASE2_CLIENT_CERT_PASSWORD "phase2-client-cert-password"
#define NM_SETTING_802_1X_PHASE2_CLIENT_CERT_PASSWORD_FLAGS "phase2-client-cert-password-flags"
#define NM_SETTING_802_1X_PASSWORD "password"
#define NM_SETTING_802_1X_PASSWORD_FLAGS "password-flags"
#define NM_SETTING_802_1X_PASSWORD_RAW "password-raw"
@ -189,6 +197,11 @@ gboolean nm_setting_802_1x_set_ca_cert (NMSetting8
NMSetting8021xCKFormat *out_format,
GError **error);
NM_AVAILABLE_IN_1_8
const char * nm_setting_802_1x_get_ca_cert_password (NMSetting8021x *setting);
NM_AVAILABLE_IN_1_8
NMSettingSecretFlags nm_setting_802_1x_get_ca_cert_password_flags (NMSetting8021x *setting);
const char * nm_setting_802_1x_get_subject_match (NMSetting8021x *setting);
guint32 nm_setting_802_1x_get_num_altsubject_matches (NMSetting8021x *setting);
@ -215,6 +228,11 @@ gboolean nm_setting_802_1x_set_client_cert (NMSetting8
NMSetting8021xCKFormat *out_format,
GError **error);
NM_AVAILABLE_IN_1_8
const char * nm_setting_802_1x_get_client_cert_password (NMSetting8021x *setting);
NM_AVAILABLE_IN_1_8
NMSettingSecretFlags nm_setting_802_1x_get_client_cert_password_flags (NMSetting8021x *setting);
const char * nm_setting_802_1x_get_phase1_peapver (NMSetting8021x *setting);
const char * nm_setting_802_1x_get_phase1_peaplabel (NMSetting8021x *setting);
@ -236,6 +254,12 @@ gboolean nm_setting_802_1x_set_phase2_ca_cert (NMSetting8
NMSetting8021xCKFormat *out_format,
GError **error);
NM_AVAILABLE_IN_1_8
const char * nm_setting_802_1x_get_phase2_ca_cert_password (NMSetting8021x *setting);
NM_AVAILABLE_IN_1_8
NMSettingSecretFlags nm_setting_802_1x_get_phase2_ca_cert_password_flags (NMSetting8021x *setting);
const char * nm_setting_802_1x_get_phase2_subject_match (NMSetting8021x *setting);
guint32 nm_setting_802_1x_get_num_phase2_altsubject_matches (NMSetting8021x *setting);
@ -262,6 +286,11 @@ gboolean nm_setting_802_1x_set_phase2_client_cert (NMSett
NMSetting8021xCKFormat *out_format,
GError **error);
NM_AVAILABLE_IN_1_8
const char * nm_setting_802_1x_get_phase2_client_cert_password (NMSetting8021x *setting);
NM_AVAILABLE_IN_1_8
NMSettingSecretFlags nm_setting_802_1x_get_phase2_client_cert_password_flags (NMSetting8021x *setting);
const char * nm_setting_802_1x_get_password (NMSetting8021x *setting);
NMSettingSecretFlags nm_setting_802_1x_get_password_flags (NMSetting8021x *setting);
GBytes * nm_setting_802_1x_get_password_raw (NMSetting8021x *setting);

12
libnm/libnm.ver
View file

@ -1143,3 +1143,15 @@ global:
nm_utils_version;
nm_utils_is_valid_iface_name;
} libnm_1_4_0;
libnm_1_8_0 {
global:
nm_setting_802_1x_get_ca_cert_password;
nm_setting_802_1x_get_ca_cert_password_flags;
nm_setting_802_1x_get_client_cert_password;
nm_setting_802_1x_get_client_cert_password_flags;
nm_setting_802_1x_get_phase2_ca_cert_password;
nm_setting_802_1x_get_phase2_ca_cert_password_flags;
nm_setting_802_1x_get_phase2_client_cert_password;
nm_setting_802_1x_get_phase2_client_cert_password_flags;
} libnm_1_6_0;

128
src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c
View file

@ -2545,6 +2545,19 @@ get_full_file_path (const char *ifcfg_path, const char *file_path)
return ret;
}
static char *
get_cert_value (const char *ifcfg_path, const char *value,
NMSetting8021xCKScheme *out_scheme)
{
if (strncmp (value, "pkcs11:", 7) == 0) {
*out_scheme = NM_SETTING_802_1X_CK_SCHEME_PKCS11;
return g_strdup (value);
}
*out_scheme = NM_SETTING_802_1X_CK_SCHEME_PATH;
return get_full_file_path (ifcfg_path, value);
}
static gboolean
eap_tls_reader (const char *eap_method,
shvarFile *ifcfg,
@ -2555,19 +2568,30 @@ eap_tls_reader (const char *eap_method,
{
char *value;
char *ca_cert = NULL;
char *real_path = NULL;
char *ca_cert_password = NULL;
char *real_cert_value = NULL;
char *client_cert = NULL;
char *client_cert_password = NULL;
char *privkey = NULL;
char *privkey_password = NULL;
gboolean success = FALSE;
NMSetting8021xCKFormat privkey_format = NM_SETTING_802_1X_CK_FORMAT_UNKNOWN;
const char *ca_cert_key = phase2 ? "IEEE_8021X_INNER_CA_CERT" : "IEEE_8021X_CA_CERT";
const char *pk_pw_key = phase2 ? "IEEE_8021X_INNER_PRIVATE_KEY_PASSWORD": "IEEE_8021X_PRIVATE_KEY_PASSWORD";
const char *pk_key = phase2 ? "IEEE_8021X_INNER_PRIVATE_KEY" : "IEEE_8021X_PRIVATE_KEY";
const char *ca_cert_pw_key = phase2 ? "IEEE_8021X_INNER_CA_CERT_PASSWORD" : "IEEE_8021X_CA_CERT_PASSWORD";
const char *ca_cert_pw_prop = phase2 ? NM_SETTING_802_1X_PHASE2_CA_CERT_PASSWORD : NM_SETTING_802_1X_CA_CERT_PASSWORD;
const char *ca_cert_pw_flags_key = phase2 ? "IEEE_8021X_INNER_CA_CERT_PASSWORD_FLAGS" : "IEEE_8021X_CA_CERT_PASSWORD_FLAGS";
const char *ca_cert_pw_flags_prop = phase2 ? NM_SETTING_802_1X_PHASE2_CA_CERT_PASSWORD_FLAGS : NM_SETTING_802_1X_CA_CERT_PASSWORD_FLAGS;
const char *cli_cert_key = phase2 ? "IEEE_8021X_INNER_CLIENT_CERT" : "IEEE_8021X_CLIENT_CERT";
const char *cli_cert_pw_key = phase2 ? "IEEE_8021X_INNER_CLIENT_CERT_PASSWORD" : "IEEE_8021X_CLIENT_CERT_PASSWORD";
const char *cli_cert_pw_prop = phase2 ? NM_SETTING_802_1X_PHASE2_CLIENT_CERT_PASSWORD : NM_SETTING_802_1X_CLIENT_CERT_PASSWORD;
const char *cli_cert_pw_flags_key = phase2 ? "IEEE_8021X_INNER_CLIENT_CERT_PASSWORD_FLAGS" : "IEEE_8021X_CLIENT_CERT_PASSWORD_FLAGS";
const char *cli_cert_pw_flags_prop = phase2 ? NM_SETTING_802_1X_PHASE2_CLIENT_CERT_PASSWORD_FLAGS : NM_SETTING_802_1X_CLIENT_CERT_PASSWORD_FLAGS;
const char *pk_key = phase2 ? "IEEE_8021X_INNER_PRIVATE_KEY" : "IEEE_8021X_PRIVATE_KEY";
const char *pk_pw_key = phase2 ? "IEEE_8021X_INNER_PRIVATE_KEY_PASSWORD": "IEEE_8021X_PRIVATE_KEY_PASSWORD";
const char *pk_pw_flags_key = phase2 ? "IEEE_8021X_INNER_PRIVATE_KEY_PASSWORD_FLAGS": "IEEE_8021X_PRIVATE_KEY_PASSWORD_FLAGS";
const char *pk_pw_flags_prop = phase2 ? NM_SETTING_802_1X_PHASE2_PRIVATE_KEY_PASSWORD_FLAGS : NM_SETTING_802_1X_PRIVATE_KEY_PASSWORD_FLAGS;
NMSettingSecretFlags flags;
NMSetting8021xCKScheme scheme;
value = svGetValueString (ifcfg, "IEEE_8021X_IDENTITY");
if (value) {
@ -2577,24 +2601,26 @@ eap_tls_reader (const char *eap_method,
ca_cert = svGetValueString (ifcfg, ca_cert_key);
if (ca_cert) {
real_path = get_full_file_path (svFileGetName (ifcfg), ca_cert);
real_cert_value = get_cert_value (svFileGetName (ifcfg), ca_cert, &scheme);
if (phase2) {
if (!nm_setting_802_1x_set_phase2_ca_cert (s_8021x,
real_path,
NM_SETTING_802_1X_CK_SCHEME_PATH,
NULL,
error))
if (!nm_setting_802_1x_set_phase2_ca_cert (s_8021x, real_cert_value, scheme, NULL, error))
goto done;
} else {
if (!nm_setting_802_1x_set_ca_cert (s_8021x,
real_path,
NM_SETTING_802_1X_CK_SCHEME_PATH,
NULL,
error))
if (!nm_setting_802_1x_set_ca_cert (s_8021x, real_cert_value, scheme, NULL, error))
goto done;
}
g_free (real_path);
real_path = NULL;
g_free (real_cert_value);
real_cert_value = NULL;
if (scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11) {
flags = read_secret_flags (ifcfg, ca_cert_pw_flags_key);
g_object_set (s_8021x, ca_cert_pw_flags_prop, flags, NULL);
if (flags == NM_SETTING_SECRET_FLAG_NONE) {
ca_cert_password = svGetValueString (ifcfg, ca_cert_pw_key);
g_object_set (s_8021x, ca_cert_pw_prop, ca_cert_password, NULL);
}
}
} else {
PARSE_WARNING ("missing %s for EAP method '%s'; this is insecure!",
ca_cert_key, eap_method);
@ -2632,26 +2658,26 @@ eap_tls_reader (const char *eap_method,
goto done;
}
real_path = get_full_file_path (svFileGetName (ifcfg), privkey);
real_cert_value = get_cert_value (svFileGetName (ifcfg), privkey, &scheme);
if (phase2) {
if (!nm_setting_802_1x_set_phase2_private_key (s_8021x,
real_path,
real_cert_value,
privkey_password,
NM_SETTING_802_1X_CK_SCHEME_PATH,
scheme,
&privkey_format,
error))
goto done;
} else {
if (!nm_setting_802_1x_set_private_key (s_8021x,
real_path,
real_cert_value,
privkey_password,
NM_SETTING_802_1X_CK_SCHEME_PATH,
scheme,
&privkey_format,
error))
goto done;
}
g_free (real_path);
real_path = NULL;
g_free (real_cert_value);
real_cert_value = NULL;
/* Only set the client certificate if the private key is not PKCS#12 format,
* as NM (due to supplicant restrictions) requires. If the key was PKCS#12,
@ -2669,30 +2695,32 @@ eap_tls_reader (const char *eap_method,
goto done;
}
real_path = get_full_file_path (svFileGetName (ifcfg), client_cert);
real_cert_value = get_cert_value (svFileGetName (ifcfg), client_cert, &scheme);
if (phase2) {
if (!nm_setting_802_1x_set_phase2_client_cert (s_8021x,
real_path,
NM_SETTING_802_1X_CK_SCHEME_PATH,
NULL,
error))
if (!nm_setting_802_1x_set_phase2_client_cert (s_8021x, real_cert_value, scheme, NULL, error))
goto done;
} else {
if (!nm_setting_802_1x_set_client_cert (s_8021x,
real_path,
NM_SETTING_802_1X_CK_SCHEME_PATH,
NULL,
error))
if (!nm_setting_802_1x_set_client_cert (s_8021x, real_cert_value, scheme, NULL, error))
goto done;
}
g_free (real_path);
real_path = NULL;
g_free (real_cert_value);
real_cert_value = NULL;
if (scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11) {
flags = read_secret_flags (ifcfg, cli_cert_pw_flags_key);
g_object_set (s_8021x, cli_cert_pw_flags_prop, flags, NULL);
if (flags == NM_SETTING_SECRET_FLAG_NONE) {
client_cert_password = svGetValueString (ifcfg, cli_cert_pw_key);
g_object_set (s_8021x, cli_cert_pw_prop, client_cert_password, NULL);
}
}
}
success = TRUE;
done:
g_free (real_path);
g_free (real_cert_value);
g_free (ca_cert);
g_free (client_cert);
g_free (privkey);
@ -2710,21 +2738,18 @@ eap_peap_reader (const char *eap_method,
{
char *anon_ident = NULL;
char *ca_cert = NULL;
char *real_cert_path = NULL;
char *real_cert_value = NULL;
char *inner_auth = NULL;
char *peapver = NULL;
char *lower;
char **list = NULL, **iter;
gboolean success = FALSE;
NMSetting8021xCKScheme scheme;
ca_cert = svGetValueString (ifcfg, "IEEE_8021X_CA_CERT");
if (ca_cert) {
real_cert_path = get_full_file_path (svFileGetName (ifcfg), ca_cert);
if (!nm_setting_802_1x_set_ca_cert (s_8021x,
real_cert_path,
NM_SETTING_802_1X_CK_SCHEME_PATH,
NULL,
error))
real_cert_value = get_cert_value (svFileGetName (ifcfg), ca_cert, &scheme);
if (!nm_setting_802_1x_set_ca_cert (s_8021x, real_cert_value, scheme, NULL, error))
goto done;
} else {
PARSE_WARNING ("missing IEEE_8021X_CA_CERT for EAP method '%s'; this is insecure!",
@ -2799,7 +2824,7 @@ done:
g_strfreev (list);
g_free (inner_auth);
g_free (peapver);
g_free (real_cert_path);
g_free (real_cert_value);
g_free (ca_cert);
g_free (anon_ident);
return success;
@ -2816,19 +2841,16 @@ eap_ttls_reader (const char *eap_method,
gboolean success = FALSE;
char *anon_ident = NULL;
char *ca_cert = NULL;
char *real_cert_path = NULL;
char *real_cert_value = NULL;
char *inner_auth = NULL;
char *tmp;
char **list = NULL, **iter;
NMSetting8021xCKScheme scheme;
ca_cert = svGetValueString (ifcfg, "IEEE_8021X_CA_CERT");
if (ca_cert) {
real_cert_path = get_full_file_path (svFileGetName (ifcfg), ca_cert);
if (!nm_setting_802_1x_set_ca_cert (s_8021x,
real_cert_path,
NM_SETTING_802_1X_CK_SCHEME_PATH,
NULL,
error))
real_cert_value = get_cert_value (svFileGetName (ifcfg), ca_cert, &scheme);
if (!nm_setting_802_1x_set_ca_cert (s_8021x, real_cert_value, scheme, NULL, error))
goto done;
} else {
PARSE_WARNING ("missing IEEE_8021X_CA_CERT for EAP method '%s'; this is insecure!",
@ -2887,7 +2909,7 @@ done:
if (list)
g_strfreev (list);
g_free (inner_auth);
g_free (real_cert_path);
g_free (real_cert_value);
g_free (ca_cert);
g_free (anon_ident);
return success;

15
src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-utils.c
View file

@ -100,19 +100,20 @@ utils_should_ignore_file (const char *filename, gboolean only_ifcfg)
}
char *
utils_cert_path (const char *parent, const char *suffix)
utils_cert_path (const char *parent, const char *suffix, const char *extension)
{
gs_free char *dir = NULL;
const char *name;
char *dir, *path;
g_return_val_if_fail (parent != NULL, NULL);
g_return_val_if_fail (suffix != NULL, NULL);
g_return_val_if_fail (parent, NULL);
g_return_val_if_fail (suffix, NULL);
g_return_val_if_fail (extension, NULL);
name = utils_get_ifcfg_name (parent, FALSE);
g_return_val_if_fail (name, NULL);
dir = g_path_get_dirname (parent);
path = g_strdup_printf ("%s/%s-%s", dir, name, suffix);
g_free (dir);
return path;
return g_strdup_printf ("%s/%s-%s.%s", dir, name, suffix, extension);
}
const char *

2
src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-utils.h
View file

@ -31,7 +31,7 @@
#define NM_IFCFG_CONNECTION_LOG_FMTD "%s (%s,\"%s\",%p)"
#define NM_IFCFG_CONNECTION_LOG_ARGD(con) NM_IFCFG_CONNECTION_LOG_PATH (nm_settings_connection_get_filename ((NMSettingsConnection *) (con))), nm_connection_get_uuid ((NMConnection *) (con)), nm_connection_get_id ((NMConnection *) (con)), (con)
char *utils_cert_path (const char *parent, const char *suffix);
char *utils_cert_path (const char *parent, const char *suffix, const char *extension);
const char *utils_get_ifcfg_name (const char *file, gboolean only_ifcfg);

214
src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-writer.c
View file

@ -146,109 +146,67 @@ error:
svSetValueString (ifcfg, key, value);
}
typedef struct ObjectType {
const char *setting_key;
NMSetting8021xCKScheme (*scheme_func)(NMSetting8021x *setting);
const char * (*path_func) (NMSetting8021x *setting);
GBytes * (*blob_func) (NMSetting8021x *setting);
const char *ifcfg_key;
const char *suffix;
} ObjectType;
typedef struct {
const NMSetting8021xSchemeVtable *vtable;
const char *ifcfg_rh_key;
} Setting8021xSchemeVtable;
static const ObjectType ca_type = {
NM_SETTING_802_1X_CA_CERT,
nm_setting_802_1x_get_ca_cert_scheme,
nm_setting_802_1x_get_ca_cert_path,
nm_setting_802_1x_get_ca_cert_blob,
"IEEE_8021X_CA_CERT",
"ca-cert.der"
};
static const ObjectType phase2_ca_type = {
NM_SETTING_802_1X_PHASE2_CA_CERT,
nm_setting_802_1x_get_phase2_ca_cert_scheme,
nm_setting_802_1x_get_phase2_ca_cert_path,
nm_setting_802_1x_get_phase2_ca_cert_blob,
"IEEE_8021X_INNER_CA_CERT",
"inner-ca-cert.der"
};
static const ObjectType client_type = {
NM_SETTING_802_1X_CLIENT_CERT,
nm_setting_802_1x_get_client_cert_scheme,
nm_setting_802_1x_get_client_cert_path,
nm_setting_802_1x_get_client_cert_blob,
"IEEE_8021X_CLIENT_CERT",
"client-cert.der"
};
static const ObjectType phase2_client_type = {
NM_SETTING_802_1X_PHASE2_CLIENT_CERT,
nm_setting_802_1x_get_phase2_client_cert_scheme,
nm_setting_802_1x_get_phase2_client_cert_path,
nm_setting_802_1x_get_phase2_client_cert_blob,
"IEEE_8021X_INNER_CLIENT_CERT",
"inner-client-cert.der"
};
static const ObjectType pk_type = {
NM_SETTING_802_1X_PRIVATE_KEY,
nm_setting_802_1x_get_private_key_scheme,
nm_setting_802_1x_get_private_key_path,
nm_setting_802_1x_get_private_key_blob,
"IEEE_8021X_PRIVATE_KEY",
"private-key.pem"
};
static const ObjectType phase2_pk_type = {
NM_SETTING_802_1X_PHASE2_PRIVATE_KEY,
nm_setting_802_1x_get_phase2_private_key_scheme,
nm_setting_802_1x_get_phase2_private_key_path,
nm_setting_802_1x_get_phase2_private_key_blob,
"IEEE_8021X_INNER_PRIVATE_KEY",
"inner-private-key.pem"
};
static const ObjectType p12_type = {
NM_SETTING_802_1X_PRIVATE_KEY,
nm_setting_802_1x_get_private_key_scheme,
nm_setting_802_1x_get_private_key_path,
nm_setting_802_1x_get_private_key_blob,
"IEEE_8021X_PRIVATE_KEY",
"private-key.p12"
};
static const ObjectType phase2_p12_type = {
NM_SETTING_802_1X_PHASE2_PRIVATE_KEY,
nm_setting_802_1x_get_phase2_private_key_scheme,
nm_setting_802_1x_get_phase2_private_key_path,
nm_setting_802_1x_get_phase2_private_key_blob,
"IEEE_8021X_INNER_PRIVATE_KEY",
"inner-private-key.p12"
static const Setting8021xSchemeVtable setting_8021x_scheme_vtable[] = {
[NM_SETTING_802_1X_SCHEME_TYPE_CA_CERT] = {
.vtable = &nm_setting_8021x_scheme_vtable[NM_SETTING_802_1X_SCHEME_TYPE_CA_CERT],
.ifcfg_rh_key = "IEEE_8021X_CA_CERT",
},
[NM_SETTING_802_1X_SCHEME_TYPE_PHASE2_CA_CERT] = {
.vtable = &nm_setting_8021x_scheme_vtable[NM_SETTING_802_1X_SCHEME_TYPE_PHASE2_CA_CERT],
.ifcfg_rh_key = "IEEE_8021X_INNER_CA_CERT",
},
[NM_SETTING_802_1X_SCHEME_TYPE_CLIENT_CERT] = {
.vtable = &nm_setting_8021x_scheme_vtable[NM_SETTING_802_1X_SCHEME_TYPE_CLIENT_CERT],
.ifcfg_rh_key = "IEEE_8021X_CLIENT_CERT",
},
[NM_SETTING_802_1X_SCHEME_TYPE_PHASE2_CLIENT_CERT] = {
.vtable = &nm_setting_8021x_scheme_vtable[NM_SETTING_802_1X_SCHEME_TYPE_PHASE2_CLIENT_CERT],
.ifcfg_rh_key = "IEEE_8021X_INNER_CLIENT_CERT",
},
[NM_SETTING_802_1X_SCHEME_TYPE_PRIVATE_KEY] = {
.vtable = &nm_setting_8021x_scheme_vtable[NM_SETTING_802_1X_SCHEME_TYPE_PRIVATE_KEY],
.ifcfg_rh_key = "IEEE_8021X_PRIVATE_KEY",
},
[NM_SETTING_802_1X_SCHEME_TYPE_PHASE2_PRIVATE_KEY] = {
.vtable = &nm_setting_8021x_scheme_vtable[NM_SETTING_802_1X_SCHEME_TYPE_PHASE2_PRIVATE_KEY],
.ifcfg_rh_key = "IEEE_8021X_INNER_PRIVATE_KEY",
},
};
static gboolean
write_object (NMSetting8021x *s_8021x,
shvarFile *ifcfg,
const ObjectType *objtype,
const Setting8021xSchemeVtable *objtype,
GError **error)
{
NMSetting8021xCKScheme scheme;
const char *path = NULL;
const char *value = NULL;
GBytes *blob = NULL;
const char *password = NULL;
NMSettingSecretFlags flags = NM_SETTING_SECRET_FLAG_NONE;
char *secret_name, *secret_flags;
const char *extension;
g_return_val_if_fail (ifcfg != NULL, FALSE);
g_return_val_if_fail (objtype != NULL, FALSE);
scheme = (*(objtype->scheme_func))(s_8021x);
scheme = (*(objtype->vtable->scheme_func))(s_8021x);
switch (scheme) {
case NM_SETTING_802_1X_CK_SCHEME_UNKNOWN:
break;
case NM_SETTING_802_1X_CK_SCHEME_BLOB:
blob = (*(objtype->blob_func))(s_8021x);
blob = (*(objtype->vtable->blob_func))(s_8021x);
break;
case NM_SETTING_802_1X_CK_SCHEME_PATH:
path = (*(objtype->path_func))(s_8021x);
value = (*(objtype->vtable->path_func))(s_8021x);
break;
case NM_SETTING_802_1X_CK_SCHEME_PKCS11:
value = (*(objtype->vtable->uri_func))(s_8021x);
break;
default:
g_set_error (error, NM_SETTINGS_ERROR, NM_SETTINGS_ERROR_FAILED,
@ -256,10 +214,26 @@ write_object (NMSetting8021x *s_8021x,
return FALSE;
}
/* Set the password for certificate/private key. */
secret_name = g_strdup_printf ("%s_PASSWORD", objtype->ifcfg_rh_key);
secret_flags = g_strdup_printf ("%s_PASSWORD_FLAGS", objtype->ifcfg_rh_key);
password = (*(objtype->vtable->passwd_func))(s_8021x);
flags = (*(objtype->vtable->pwflag_func))(s_8021x);
set_secret (ifcfg, secret_name, password, secret_flags, flags);
g_free (secret_name);
g_free (secret_flags);
if (!objtype->vtable->format_func)
extension = "der";
else if (objtype->vtable->format_func (s_8021x) == NM_SETTING_802_1X_CK_FORMAT_PKCS12)
extension = "p12";
else
extension = "pem";
/* If certificate/private key wasn't sent, the connection may no longer be
* 802.1x and thus we clear out the paths and certs.
*/
if (!path && !blob) {
if (!value && !blob) {
char *standard_file;
int ignored;
@ -269,20 +243,20 @@ write_object (NMSetting8021x *s_8021x,
* /etc/sysconfig/network-scripts/ca-cert-Test_Write_Wifi_WPA_EAP-TLS.der
* will be deleted, but /etc/pki/tls/cert.pem will not.
*/
standard_file = utils_cert_path (svFileGetName (ifcfg), objtype->suffix);
standard_file = utils_cert_path (svFileGetName (ifcfg), objtype->vtable->file_suffix, extension);
if (g_file_test (standard_file, G_FILE_TEST_EXISTS))
ignored = unlink (standard_file);
g_free (standard_file);
svUnsetValue (ifcfg, objtype->ifcfg_key);
svUnsetValue (ifcfg, objtype->ifcfg_rh_key);
return TRUE;
}
/* If the object path was specified, prefer that over any raw cert data that
* may have been sent.
*/
if (path) {
svSetValueString (ifcfg, objtype->ifcfg_key, path);
if (value) {
svSetValueString (ifcfg, objtype->ifcfg_rh_key, value);
return TRUE;
}
@ -292,11 +266,11 @@ write_object (NMSetting8021x *s_8021x,
char *new_file;
GError *write_error = NULL;
new_file = utils_cert_path (svFileGetName (ifcfg), objtype->suffix);
new_file = utils_cert_path (svFileGetName (ifcfg), objtype->vtable->file_suffix, extension);
if (!new_file) {
g_set_error (error, NM_SETTINGS_ERROR, NM_SETTINGS_ERROR_FAILED,
"Could not create file path for %s / %s",
NM_SETTING_802_1X_SETTING_NAME, objtype->setting_key);
NM_SETTING_802_1X_SETTING_NAME, objtype->vtable->setting_key);
return FALSE;
}
@ -310,13 +284,13 @@ write_object (NMSetting8021x *s_8021x,
0600,
&write_error);
if (success) {
svSetValueString (ifcfg, objtype->ifcfg_key, new_file);
svSetValueString (ifcfg, objtype->ifcfg_rh_key, new_file);
g_free (new_file);
return TRUE;
} else {
g_set_error (error, NM_SETTINGS_ERROR, NM_SETTINGS_ERROR_FAILED,
"Could not write certificate/key for %s / %s: %s",
NM_SETTING_802_1X_SETTING_NAME, objtype->setting_key,
NM_SETTING_802_1X_SETTING_NAME, objtype->vtable->setting_key,
(write_error && write_error->message) ? write_error->message : "(unknown)");
g_clear_error (&write_error);
}
@ -332,55 +306,29 @@ write_8021x_certs (NMSetting8021x *s_8021x,
shvarFile *ifcfg,
GError **error)
{
const char *password = NULL;
gboolean success = FALSE, is_pkcs12 = FALSE;
const ObjectType *otype = NULL;
NMSettingSecretFlags flags = NM_SETTING_SECRET_FLAG_NONE;
gboolean success = FALSE;
const Setting8021xSchemeVtable *otype = NULL;
/* CA certificate */
if (!write_object (s_8021x, ifcfg, phase2 ? &phase2_ca_type : &ca_type, error))
if (!write_object (s_8021x, ifcfg,
phase2
? &setting_8021x_scheme_vtable[NM_SETTING_802_1X_SCHEME_TYPE_PHASE2_CA_CERT]
: &setting_8021x_scheme_vtable[NM_SETTING_802_1X_SCHEME_TYPE_CA_CERT],
error))
return FALSE;
/* Private key */
if (phase2) {
otype = &phase2_pk_type;
if (nm_setting_802_1x_get_phase2_private_key_format (s_8021x) == NM_SETTING_802_1X_CK_FORMAT_PKCS12) {
otype = &phase2_p12_type;
is_pkcs12 = TRUE;
}
password = nm_setting_802_1x_get_phase2_private_key_password (s_8021x);
flags = nm_setting_802_1x_get_phase2_private_key_password_flags (s_8021x);
} else {
otype = &pk_type;
if (nm_setting_802_1x_get_private_key_format (s_8021x) == NM_SETTING_802_1X_CK_FORMAT_PKCS12) {
otype = &p12_type;
is_pkcs12 = TRUE;
}
password = nm_setting_802_1x_get_private_key_password (s_8021x);
flags = nm_setting_802_1x_get_private_key_password_flags (s_8021x);
}
if (phase2)
otype = &setting_8021x_scheme_vtable[NM_SETTING_802_1X_SCHEME_TYPE_PHASE2_PRIVATE_KEY];
else
otype = &setting_8021x_scheme_vtable[NM_SETTING_802_1X_SCHEME_TYPE_PRIVATE_KEY];
/* Save the private key */
if (!write_object (s_8021x, ifcfg, otype, error))
goto out;
/* Private key password */
if (phase2) {
set_secret (ifcfg,
"IEEE_8021X_INNER_PRIVATE_KEY_PASSWORD",
password,
"IEEE_8021X_INNER_PRIVATE_KEY_PASSWORD_FLAGS",
flags);
} else {
set_secret (ifcfg,
"IEEE_8021X_PRIVATE_KEY_PASSWORD",
password,
"IEEE_8021X_PRIVATE_KEY_PASSWORD_FLAGS",
flags);
}
/* Client certificate */
if (is_pkcs12) {
if (otype->vtable->format_func (s_8021x) == NM_SETTING_802_1X_CK_FORMAT_PKCS12) {
/* Don't need a client certificate with PKCS#12 since the file is both
* the client certificate and the private key in one file.
*/
@ -389,7 +337,11 @@ write_8021x_certs (NMSetting8021x *s_8021x,
NULL);
} else {
/* Save the client certificate */
if (!write_object (s_8021x, ifcfg, phase2 ? &phase2_client_type : &client_type, error))
if (!write_object (s_8021x, ifcfg,
phase2
? &setting_8021x_scheme_vtable[NM_SETTING_802_1X_SCHEME_TYPE_PHASE2_CLIENT_CERT]
: &setting_8021x_scheme_vtable[NM_SETTING_802_1X_SCHEME_TYPE_CLIENT_CERT],
error))
goto out;
}

6
src/settings/plugins/ifcfg-rh/tests/test-ifcfg-rh.c
View file

@ -4486,15 +4486,15 @@ test_write_wired_8021x_tls (gconstpointer test_data)
}
/* Clean up created certs and keys */
tmp = utils_cert_path (testfile, "ca-cert.der");
tmp = utils_cert_path (testfile, "ca-cert", "der");
nmtst_file_unlink_if_exists (tmp);
g_free (tmp);
tmp = utils_cert_path (testfile, "client-cert.der");
tmp = utils_cert_path (testfile, "client-cert", "der");
nmtst_file_unlink_if_exists (tmp);
g_free (tmp);
tmp = utils_cert_path (testfile, "private-key.pem");
tmp = utils_cert_path (testfile, "private-key", "pem");
nmtst_file_unlink_if_exists (tmp);
g_free (tmp);
}

154
src/settings/plugins/ifnet/nms-ifnet-connection-parser.c
View file

@ -1688,96 +1688,43 @@ error:
return NULL;
}
typedef NMSetting8021xCKScheme (*SchemeFunc) (NMSetting8021x * setting);
typedef const char *(*PathFunc) (NMSetting8021x * setting);
typedef GBytes *(*BlobFunc) (NMSetting8021x * setting);
typedef struct Setting8021xSchemeVtable {
const NMSetting8021xSchemeVtable *vtable;
const char *ifnet_key;
} Setting8021xSchemeVtable;
typedef struct ObjectType {
const char *setting_key;
SchemeFunc scheme_func;
PathFunc path_func;
BlobFunc blob_func;
const char *conn_name_key;
const char *suffix;
} ObjectType;
static const ObjectType ca_type = {
NM_SETTING_802_1X_CA_CERT,
nm_setting_802_1x_get_ca_cert_scheme,
nm_setting_802_1x_get_ca_cert_path,
nm_setting_802_1x_get_ca_cert_blob,
"ca_cert",
"ca-cert.der"
};
static const ObjectType phase2_ca_type = {
NM_SETTING_802_1X_PHASE2_CA_CERT,
nm_setting_802_1x_get_phase2_ca_cert_scheme,
nm_setting_802_1x_get_phase2_ca_cert_path,
nm_setting_802_1x_get_phase2_ca_cert_blob,
"ca_cert2",
"inner-ca-cert.der"
};
static const ObjectType client_type = {
NM_SETTING_802_1X_CLIENT_CERT,
nm_setting_802_1x_get_client_cert_scheme,
nm_setting_802_1x_get_client_cert_path,
nm_setting_802_1x_get_client_cert_blob,
"client_cert",
"client-cert.der"
};
static const ObjectType phase2_client_type = {
NM_SETTING_802_1X_PHASE2_CLIENT_CERT,
nm_setting_802_1x_get_phase2_client_cert_scheme,
nm_setting_802_1x_get_phase2_client_cert_path,
nm_setting_802_1x_get_phase2_client_cert_blob,
"client_cert2",
"inner-client-cert.der"
};
static const ObjectType pk_type = {
NM_SETTING_802_1X_PRIVATE_KEY,
nm_setting_802_1x_get_private_key_scheme,
nm_setting_802_1x_get_private_key_path,
nm_setting_802_1x_get_private_key_blob,
"private_key",
"private-key.pem"
};
static const ObjectType phase2_pk_type = {
NM_SETTING_802_1X_PHASE2_PRIVATE_KEY,
nm_setting_802_1x_get_phase2_private_key_scheme,
nm_setting_802_1x_get_phase2_private_key_path,
nm_setting_802_1x_get_phase2_private_key_blob,
"private_key2",
"inner-private-key.pem"
};
static const ObjectType p12_type = {
NM_SETTING_802_1X_PRIVATE_KEY,
nm_setting_802_1x_get_private_key_scheme,
nm_setting_802_1x_get_private_key_path,
nm_setting_802_1x_get_private_key_blob,
"private_key",
"private-key.p12"
};
static const ObjectType phase2_p12_type = {
NM_SETTING_802_1X_PHASE2_PRIVATE_KEY,
nm_setting_802_1x_get_phase2_private_key_scheme,
nm_setting_802_1x_get_phase2_private_key_path,
nm_setting_802_1x_get_phase2_private_key_blob,
"private_key2",
"inner-private-key.p12"
static const Setting8021xSchemeVtable setting_8021x_scheme_vtable[] = {
[NM_SETTING_802_1X_SCHEME_TYPE_CA_CERT] = {
.vtable = &nm_setting_8021x_scheme_vtable[NM_SETTING_802_1X_SCHEME_TYPE_CA_CERT],
.ifnet_key = "ca_cert",
},
[NM_SETTING_802_1X_SCHEME_TYPE_PHASE2_CA_CERT] = {
.vtable = &nm_setting_8021x_scheme_vtable[NM_SETTING_802_1X_SCHEME_TYPE_PHASE2_CA_CERT],
.ifnet_key = "ca_cert2",
},
[NM_SETTING_802_1X_SCHEME_TYPE_CLIENT_CERT] = {
.vtable = &nm_setting_8021x_scheme_vtable[NM_SETTING_802_1X_SCHEME_TYPE_CLIENT_CERT],
.ifnet_key = "client_cert",
},
[NM_SETTING_802_1X_SCHEME_TYPE_PHASE2_CLIENT_CERT] = {
.vtable = &nm_setting_8021x_scheme_vtable[NM_SETTING_802_1X_SCHEME_TYPE_PHASE2_CLIENT_CERT],
.ifnet_key = "client_cert2",
},
[NM_SETTING_802_1X_SCHEME_TYPE_PRIVATE_KEY] = {
.vtable = &nm_setting_8021x_scheme_vtable[NM_SETTING_802_1X_SCHEME_TYPE_PRIVATE_KEY],
.ifnet_key = "private_key",
},
[NM_SETTING_802_1X_SCHEME_TYPE_PHASE2_PRIVATE_KEY] = {
.vtable = &nm_setting_8021x_scheme_vtable[NM_SETTING_802_1X_SCHEME_TYPE_PHASE2_PRIVATE_KEY],
.ifnet_key = "private_key2",
},
};
static gboolean
write_object (NMSetting8021x *s_8021x,
const char *conn_name,
GBytes *override_data,
const ObjectType *objtype,
const Setting8021xSchemeVtable *objtype,
GError **error)
{
NMSetting8021xCKScheme scheme;
@ -1792,13 +1739,13 @@ write_object (NMSetting8021x *s_8021x,
*/
blob = override_data;
else {
scheme = (*(objtype->scheme_func)) (s_8021x);
scheme = (*(objtype->vtable->scheme_func)) (s_8021x);
switch (scheme) {
case NM_SETTING_802_1X_CK_SCHEME_BLOB:
blob = (*(objtype->blob_func)) (s_8021x);
blob = (*(objtype->vtable->blob_func)) (s_8021x);
break;
case NM_SETTING_802_1X_CK_SCHEME_PATH:
path = (*(objtype->path_func)) (s_8021x);
path = (*(objtype->vtable->path_func)) (s_8021x);
break;
default:
break;
@ -1809,8 +1756,8 @@ write_object (NMSetting8021x *s_8021x,
* may have been sent.
*/
if (path) {
wpa_set_data (conn_name, (gchar *) objtype->conn_name_key,
(gchar *) path);
wpa_set_data (conn_name, (gchar *) objtype->ifnet_key,
(gchar *) path);
return TRUE;
}
@ -1828,17 +1775,16 @@ write_8021x_certs (NMSetting8021x *s_8021x,
GError **error)
{
char *password = NULL;
const ObjectType *otype = NULL;
const Setting8021xSchemeVtable *otype = NULL;
gboolean is_pkcs12 = FALSE, success = FALSE;
GBytes *blob = NULL;
GBytes *enc_key = NULL;
gchar *generated_pw = NULL;
/* CA certificate */
if (phase2)
otype = &phase2_ca_type;
else
otype = &ca_type;
otype = phase2
? &setting_8021x_scheme_vtable[NM_SETTING_802_1X_SCHEME_TYPE_PHASE2_CA_CERT]
: &setting_8021x_scheme_vtable[NM_SETTING_802_1X_SCHEME_TYPE_CA_CERT];
if (!write_object (s_8021x, conn_name, NULL, otype, error))
return FALSE;
@ -1864,14 +1810,13 @@ write_8021x_certs (NMSetting8021x *s_8021x,
nm_setting_802_1x_get_private_key_password (s_8021x);
}
if (is_pkcs12)
otype = phase2 ? &phase2_p12_type : &p12_type;
else
otype = phase2 ? &phase2_pk_type : &pk_type;
otype = phase2
? &setting_8021x_scheme_vtable[NM_SETTING_802_1X_SCHEME_TYPE_PHASE2_PRIVATE_KEY]
: &setting_8021x_scheme_vtable[NM_SETTING_802_1X_SCHEME_TYPE_PRIVATE_KEY];
if ((*(otype->scheme_func)) (s_8021x) ==
if ((*(otype->vtable->scheme_func)) (s_8021x) ==
NM_SETTING_802_1X_CK_SCHEME_BLOB)
blob = (*(otype->blob_func)) (s_8021x);
blob = (*(otype->vtable->blob_func)) (s_8021x);
/* Only do the private key re-encrypt dance if we got the raw key data, which
* by definition will be unencrypted. If we're given a direct path to the
@ -1883,7 +1828,7 @@ write_8021x_certs (NMSetting8021x *s_8021x,
/* Encrypt the unencrypted private key with the fake password */
tmp_enc_key =
nm_utils_rsa_key_encrypt (g_bytes_get_data (blob, NULL), g_bytes_get_size (blob),
password, &generated_pw, error);
password, &generated_pw, error);
if (!tmp_enc_key)
goto out;
@ -1906,12 +1851,11 @@ write_8021x_certs (NMSetting8021x *s_8021x,
/* Client certificate */
if (is_pkcs12) {
wpa_set_data (conn_name,
phase2 ? "client_cert2" : "client_cert", NULL);
phase2 ? "client_cert2" : "client_cert", NULL);
} else {
if (phase2)
otype = &phase2_client_type;
else
otype = &client_type;
otype = phase2
? &setting_8021x_scheme_vtable[NM_SETTING_802_1X_SCHEME_TYPE_PHASE2_CLIENT_CERT]
: &setting_8021x_scheme_vtable[NM_SETTING_802_1X_SCHEME_TYPE_CLIENT_CERT];
/* Save the client certificate */
if (!write_object (s_8021x, conn_name, NULL, otype, error))

22
src/settings/plugins/keyfile/nms-keyfile-writer.c
View file

@ -51,12 +51,12 @@ cert_writer (NMConnection *connection,
NMSetting8021xCKFormat format;
const char *path = NULL, *ext = "pem";
scheme = cert_data->scheme_func (cert_data->setting);
scheme = cert_data->vtable->scheme_func (cert_data->setting);
if (scheme == NM_SETTING_802_1X_CK_SCHEME_PATH) {
char *tmp = NULL;
const char *accepted_path = NULL;
path = cert_data->path_func (cert_data->setting);
path = cert_data->vtable->path_func (cert_data->setting);
g_assert (path);
if (g_str_has_prefix (path, info->keyfile_dir)) {
@ -92,11 +92,11 @@ cert_writer (NMConnection *connection,
if (!accepted_path)
accepted_path = tmp = g_strconcat (NM_KEYFILE_CERT_SCHEME_PREFIX_PATH, path, NULL);
nm_keyfile_plugin_kf_set_string (file, setting_name, cert_data->property_name, accepted_path);
nm_keyfile_plugin_kf_set_string (file, setting_name, cert_data->vtable->setting_key, accepted_path);
g_free (tmp);
} else if (scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11) {
nm_keyfile_plugin_kf_set_string (file, setting_name, cert_data->property_name,
cert_data->uri_func (cert_data->setting));
nm_keyfile_plugin_kf_set_string (file, setting_name, cert_data->vtable->setting_key,
cert_data->vtable->uri_func (cert_data->setting));
} else if (scheme == NM_SETTING_802_1X_CK_SCHEME_BLOB) {
GBytes *blob;
const guint8 *blob_data;
@ -105,13 +105,13 @@ cert_writer (NMConnection *connection,
GError *local = NULL;
char *new_path;
blob = cert_data->blob_func (cert_data->setting);
blob = cert_data->vtable->blob_func (cert_data->setting);
g_assert (blob);
blob_data = g_bytes_get_data (blob, &blob_len);
if (cert_data->format_func) {
if (cert_data->vtable->format_func) {
/* Get the extension for a private key */
format = cert_data->format_func (cert_data->setting);
format = cert_data->vtable->format_func (cert_data->setting);
if (format == NM_SETTING_802_1X_CK_FORMAT_PKCS12)
ext = "p12";
} else {
@ -124,17 +124,17 @@ cert_writer (NMConnection *connection,
* from now on instead of pushing around the certificate data.
*/
new_path = g_strdup_printf ("%s/%s-%s.%s", info->keyfile_dir, nm_connection_get_uuid (connection),
cert_data->suffix, ext);
cert_data->vtable->file_suffix, ext);
success = nm_utils_file_set_contents (new_path, (const gchar *) blob_data,
blob_len, 0600, &local);
if (success) {
/* Write the path value to the keyfile.
* We know, that basename(new_path) starts with a UUID, hence no conflict with "data:;base64," */
nm_keyfile_plugin_kf_set_string (file, setting_name, cert_data->property_name, strrchr (new_path, '/') + 1);
nm_keyfile_plugin_kf_set_string (file, setting_name, cert_data->vtable->setting_key, strrchr (new_path, '/') + 1);
} else {
nm_log_warn (LOGD_SETTINGS, "keyfile: %s.%s: failed to write certificate to file %s: %s",
setting_name, cert_data->property_name, new_path, local->message);
setting_name, cert_data->vtable->setting_key, new_path, local->message);
g_error_free (local);
}
g_free (new_path);

96
src/supplicant/nm-supplicant-config.c
View file

@ -28,6 +28,7 @@
#include "nm-supplicant-settings-verify.h"
#include "nm-setting.h"
#include "nm-auth-subject.h"
#include "NetworkManagerUtils.h"
#include "nm-utils.h"
@ -828,6 +829,53 @@ nm_supplicant_config_add_setting_wireless_security (NMSupplicantConfig *self,
return TRUE;
}
static gboolean
add_pkcs11_uri_with_pin (NMSupplicantConfig *self,
const char *name,
const char *uri,
const char *pin,
const NMSettingSecretFlags pin_flags,
GError **error)
{
gs_strfreev gchar **split = NULL;
gs_free char *tmp = NULL;
gs_free char *tmp_log = NULL;
gs_free char *pin_qattr = NULL;
char *escaped = NULL;
if (uri == NULL)
return TRUE;
/* We ignore the attributes -- RFC 7512 suggests that some of them
* might be unsafe and we want to be on the safe side. Also, we're
* installing our attributes, so this makes things a bit easier for us. */
split = g_strsplit (uri, "&", 2);
if (split[1])
nm_log_info (LOGD_SUPPLICANT, "URI attributes ignored");
/* Fill in the PIN if required. */
if (pin) {
escaped = g_uri_escape_string (pin, NULL, TRUE);
pin_qattr = g_strdup_printf ("pin-value=%s", escaped);
g_free (escaped);
} else if (!(pin_flags & NM_SETTING_SECRET_FLAG_NOT_REQUIRED)) {
/* Include an empty PIN to indicate the login is still needed.
* Probably a token that has a PIN path and the actual PIN will
* be entered using a protected path. */
pin_qattr = g_strdup ("pin-value=");
}
tmp = g_strdup_printf ("%s%s%s", split[0],
(pin_qattr ? "&" : ""),
(pin_qattr ? pin_qattr : ""));
tmp_log = g_strdup_printf ("%s%s%s", split[0],
(pin_qattr ? "&" : ""),
(pin_qattr ? "pin-value=<hidden>" : ""));
return add_string_val (self, tmp, name, FALSE, tmp_log, error);
}
gboolean
nm_supplicant_config_add_setting_8021x (NMSupplicantConfig *self,
NMSetting8021x *setting,
@ -1033,9 +1081,13 @@ nm_supplicant_config_add_setting_8021x (NMSupplicantConfig *self,
return FALSE;
break;
case NM_SETTING_802_1X_CK_SCHEME_PKCS11:
path = nm_setting_802_1x_get_ca_cert_uri (setting);
if (!add_string_val (self, path, "ca_cert", FALSE, NULL, error))
if (!add_pkcs11_uri_with_pin (self, "ca_cert",
nm_setting_802_1x_get_ca_cert_uri (setting),
nm_setting_802_1x_get_ca_cert_password (setting),
nm_setting_802_1x_get_ca_cert_password_flags (setting),
error)) {
return FALSE;
}
break;
default:
break;
@ -1059,9 +1111,13 @@ nm_supplicant_config_add_setting_8021x (NMSupplicantConfig *self,
return FALSE;
break;
case NM_SETTING_802_1X_CK_SCHEME_PKCS11:
path = nm_setting_802_1x_get_phase2_ca_cert_uri (setting);
if (!add_string_val (self, path, "ca_cert2", FALSE, NULL, error))
if (!add_pkcs11_uri_with_pin (self, "ca_cert2",
nm_setting_802_1x_get_phase2_ca_cert_uri (setting),
nm_setting_802_1x_get_phase2_ca_cert_password (setting),
nm_setting_802_1x_get_phase2_ca_cert_password_flags (setting),
error)) {
return FALSE;
}
break;
default:
break;
@ -1106,9 +1162,13 @@ nm_supplicant_config_add_setting_8021x (NMSupplicantConfig *self,
added = TRUE;
break;
case NM_SETTING_802_1X_CK_SCHEME_PKCS11:
path = nm_setting_802_1x_get_private_key_uri (setting);
if (!add_string_val (self, path, "private_key", FALSE, NULL, error))
if (!add_pkcs11_uri_with_pin (self, "private_key",
nm_setting_802_1x_get_private_key_uri (setting),
nm_setting_802_1x_get_private_key_password (setting),
nm_setting_802_1x_get_private_key_password_flags (setting),
error)) {
return FALSE;
}
added = TRUE;
break;
default:
@ -1149,9 +1209,13 @@ nm_supplicant_config_add_setting_8021x (NMSupplicantConfig *self,
return FALSE;
break;
case NM_SETTING_802_1X_CK_SCHEME_PKCS11:
path = nm_setting_802_1x_get_client_cert_uri (setting);
if (!add_string_val (self, path, "client_cert", FALSE, NULL, error))
if (!add_pkcs11_uri_with_pin (self, "client_cert",
nm_setting_802_1x_get_client_cert_uri (setting),
nm_setting_802_1x_get_client_cert_password (setting),
nm_setting_802_1x_get_client_cert_password_flags (setting),
error)) {
return FALSE;
}
break;
default:
break;
@ -1175,9 +1239,13 @@ nm_supplicant_config_add_setting_8021x (NMSupplicantConfig *self,
added = TRUE;
break;
case NM_SETTING_802_1X_CK_SCHEME_PKCS11:
path = nm_setting_802_1x_get_phase2_private_key_uri (setting);
if (!add_string_val (self, path, "private_key2", FALSE, NULL, error))
if (!add_pkcs11_uri_with_pin (self, "private_key2",
nm_setting_802_1x_get_phase2_private_key_uri (setting),
nm_setting_802_1x_get_phase2_private_key_password (setting),
nm_setting_802_1x_get_phase2_private_key_password_flags (setting),
error)) {
return FALSE;
}
added = TRUE;
break;
default:
@ -1218,9 +1286,13 @@ nm_supplicant_config_add_setting_8021x (NMSupplicantConfig *self,
return FALSE;
break;
case NM_SETTING_802_1X_CK_SCHEME_PKCS11:
path = nm_setting_802_1x_get_phase2_client_cert_uri (setting);
if (!add_string_val (self, path, "client_cert2", FALSE, NULL, error))
if (!add_pkcs11_uri_with_pin (self, "client_cert2",
nm_setting_802_1x_get_phase2_client_cert_uri (setting),
nm_setting_802_1x_get_phase2_client_cert_password (setting),
nm_setting_802_1x_get_phase2_client_cert_password_flags (setting),
error)) {
return FALSE;
}
break;
default:
break;