authorLubomir Rintel <lkundrak@v3.sk>2017-02-17 14:30:43 +0100
committerLubomir Rintel <lkundrak@v3.sk>2017-02-17 14:30:43 +0100
commitb4a976fd1175c2311bd2c2ee6b23345cfd56efd7 (patch)
treebf69725cd2ec4d7260cb67ebff64460071d70c64
parent4898e2f686f1fd0a365447893cb33adaaf7fad41 (diff)
parent324cf7ce8265ce551a977ceeb4d4693ffe45590b (diff)
downloadNetworkManager-b4a976fd1175c2311bd2c2ee6b23345cfd56efd7.tar.gz
merge: branch 'lr/pkcs11-pin'
https://bugzilla.gnome.org/show_bug.cgi?id=778456
-rw-r--r--clients/cli/settings.c204
-rw-r--r--libnm-core/nm-core-internal.h29
-rw-r--r--libnm-core/nm-keyfile-internal.h13
-rw-r--r--libnm-core/nm-keyfile-writer.c92
-rw-r--r--libnm-core/nm-setting-8021x.c556
-rw-r--r--libnm-core/nm-setting-8021x.h29
-rw-r--r--libnm/libnm.ver12
-rw-r--r--src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c128
-rw-r--r--src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-utils.c15
-rw-r--r--src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-utils.h2
-rw-r--r--src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-writer.c216
-rw-r--r--src/settings/plugins/ifcfg-rh/tests/test-ifcfg-rh.c6
-rw-r--r--src/settings/plugins/ifnet/nms-ifnet-connection-parser.c156
-rw-r--r--src/settings/plugins/keyfile/nms-keyfile-writer.c22
-rw-r--r--src/supplicant/nm-supplicant-config.c96
15 files changed, 1070 insertions, 506 deletions
diff --git a/clients/cli/settings.c b/clients/cli/settings.c
index a81a4b9c67..032438e58d 100644
--- a/clients/cli/settings.c
+++ b/clients/cli/settings.c
@@ -128,35 +128,43 @@ NmcOutputField nmc_fields_setting_8021X[] = {
SETTING_FIELD (NM_SETTING_802_1X_ANONYMOUS_IDENTITY), /* 3 */
SETTING_FIELD (NM_SETTING_802_1X_PAC_FILE), /* 4 */
SETTING_FIELD (NM_SETTING_802_1X_CA_CERT), /* 5 */
- SETTING_FIELD (NM_SETTING_802_1X_CA_PATH), /* 6 */
- SETTING_FIELD (NM_SETTING_802_1X_SUBJECT_MATCH), /* 7 */
- SETTING_FIELD (NM_SETTING_802_1X_ALTSUBJECT_MATCHES), /* 8 */
- SETTING_FIELD (NM_SETTING_802_1X_DOMAIN_SUFFIX_MATCH), /* 9 */
- SETTING_FIELD (NM_SETTING_802_1X_CLIENT_CERT), /* 10 */
- SETTING_FIELD (NM_SETTING_802_1X_PHASE1_PEAPVER), /* 11 */
- SETTING_FIELD (NM_SETTING_802_1X_PHASE1_PEAPLABEL), /* 12 */
- SETTING_FIELD (NM_SETTING_802_1X_PHASE1_FAST_PROVISIONING), /* 13 */
- SETTING_FIELD (NM_SETTING_802_1X_PHASE2_AUTH), /* 14 */
- SETTING_FIELD (NM_SETTING_802_1X_PHASE2_AUTHEAP), /* 15 */
- SETTING_FIELD (NM_SETTING_802_1X_PHASE2_CA_CERT), /* 16 */
- SETTING_FIELD (NM_SETTING_802_1X_PHASE2_CA_PATH), /* 17 */
- SETTING_FIELD (NM_SETTING_802_1X_PHASE2_SUBJECT_MATCH), /* 18 */
- SETTING_FIELD (NM_SETTING_802_1X_PHASE2_ALTSUBJECT_MATCHES), /* 19 */
- SETTING_FIELD (NM_SETTING_802_1X_PHASE2_DOMAIN_SUFFIX_MATCH), /* 20 */
- SETTING_FIELD (NM_SETTING_802_1X_PHASE2_CLIENT_CERT), /* 21 */
- SETTING_FIELD (NM_SETTING_802_1X_PASSWORD), /* 22 */
- SETTING_FIELD (NM_SETTING_802_1X_PASSWORD_FLAGS), /* 23 */
- SETTING_FIELD (NM_SETTING_802_1X_PASSWORD_RAW), /* 24 */
- SETTING_FIELD (NM_SETTING_802_1X_PASSWORD_RAW_FLAGS), /* 25 */
- SETTING_FIELD (NM_SETTING_802_1X_PRIVATE_KEY), /* 26 */
- SETTING_FIELD (NM_SETTING_802_1X_PRIVATE_KEY_PASSWORD), /* 27 */
- SETTING_FIELD (NM_SETTING_802_1X_PRIVATE_KEY_PASSWORD_FLAGS), /* 28 */
- SETTING_FIELD (NM_SETTING_802_1X_PHASE2_PRIVATE_KEY), /* 29 */
- SETTING_FIELD (NM_SETTING_802_1X_PHASE2_PRIVATE_KEY_PASSWORD), /* 30 */
- SETTING_FIELD (NM_SETTING_802_1X_PHASE2_PRIVATE_KEY_PASSWORD_FLAGS), /* 31 */
- SETTING_FIELD (NM_SETTING_802_1X_PIN), /* 32 */
- SETTING_FIELD (NM_SETTING_802_1X_PIN_FLAGS), /* 33 */
- SETTING_FIELD (NM_SETTING_802_1X_SYSTEM_CA_CERTS), /* 34 */
+ SETTING_FIELD (NM_SETTING_802_1X_CA_CERT_PASSWORD), /* 6 */
+ SETTING_FIELD (NM_SETTING_802_1X_CA_CERT_PASSWORD_FLAGS), /* 7 */
+ SETTING_FIELD (NM_SETTING_802_1X_CA_PATH), /* 8 */
+ SETTING_FIELD (NM_SETTING_802_1X_SUBJECT_MATCH), /* 9 */
+ SETTING_FIELD (NM_SETTING_802_1X_ALTSUBJECT_MATCHES), /* 10 */
+ SETTING_FIELD (NM_SETTING_802_1X_DOMAIN_SUFFIX_MATCH), /* 11 */
+ SETTING_FIELD (NM_SETTING_802_1X_CLIENT_CERT), /* 12 */
+ SETTING_FIELD (NM_SETTING_802_1X_CLIENT_CERT_PASSWORD), /* 13 */
+ SETTING_FIELD (NM_SETTING_802_1X_CLIENT_CERT_PASSWORD_FLAGS), /* 14 */
+ SETTING_FIELD (NM_SETTING_802_1X_PHASE1_PEAPVER), /* 15 */
+ SETTING_FIELD (NM_SETTING_802_1X_PHASE1_PEAPLABEL), /* 16 */
+ SETTING_FIELD (NM_SETTING_802_1X_PHASE1_FAST_PROVISIONING), /* 17 */
+ SETTING_FIELD (NM_SETTING_802_1X_PHASE2_AUTH), /* 18 */
+ SETTING_FIELD (NM_SETTING_802_1X_PHASE2_AUTHEAP), /* 19 */
+ SETTING_FIELD (NM_SETTING_802_1X_PHASE2_CA_CERT_PASSWORD), /* 20 */
+ SETTING_FIELD (NM_SETTING_802_1X_PHASE2_CA_CERT_PASSWORD_FLAGS), /* 21 */
+ SETTING_FIELD (NM_SETTING_802_1X_PHASE2_CA_CERT), /* 22 */
+ SETTING_FIELD (NM_SETTING_802_1X_PHASE2_CA_PATH), /* 23 */
+ SETTING_FIELD (NM_SETTING_802_1X_PHASE2_SUBJECT_MATCH), /* 24 */
+ SETTING_FIELD (NM_SETTING_802_1X_PHASE2_ALTSUBJECT_MATCHES), /* 25 */
+ SETTING_FIELD (NM_SETTING_802_1X_PHASE2_DOMAIN_SUFFIX_MATCH), /* 26 */
+ SETTING_FIELD (NM_SETTING_802_1X_PHASE2_CLIENT_CERT), /* 27 */
+ SETTING_FIELD (NM_SETTING_802_1X_PHASE2_CLIENT_CERT_PASSWORD), /* 28 */
+ SETTING_FIELD (NM_SETTING_802_1X_PHASE2_CLIENT_CERT_PASSWORD_FLAGS), /* 29 */
+ SETTING_FIELD (NM_SETTING_802_1X_PASSWORD), /* 30 */
+ SETTING_FIELD (NM_SETTING_802_1X_PASSWORD_FLAGS), /* 31 */
+ SETTING_FIELD (NM_SETTING_802_1X_PASSWORD_RAW), /* 32 */
+ SETTING_FIELD (NM_SETTING_802_1X_PASSWORD_RAW_FLAGS), /* 33 */
+ SETTING_FIELD (NM_SETTING_802_1X_PRIVATE_KEY), /* 34 */
+ SETTING_FIELD (NM_SETTING_802_1X_PRIVATE_KEY_PASSWORD), /* 35 */
+ SETTING_FIELD (NM_SETTING_802_1X_PRIVATE_KEY_PASSWORD_FLAGS), /* 36 */
+ SETTING_FIELD (NM_SETTING_802_1X_PHASE2_PRIVATE_KEY), /* 37 */
+ SETTING_FIELD (NM_SETTING_802_1X_PHASE2_PRIVATE_KEY_PASSWORD), /* 38 */
+ SETTING_FIELD (NM_SETTING_802_1X_PHASE2_PRIVATE_KEY_PASSWORD_FLAGS), /* 39 */
+ SETTING_FIELD (NM_SETTING_802_1X_PIN), /* 40 */
+ SETTING_FIELD (NM_SETTING_802_1X_PIN_FLAGS), /* 41 */
+ SETTING_FIELD (NM_SETTING_802_1X_SYSTEM_CA_CERTS), /* 42 */
{NULL, NULL, 0, NULL, FALSE, FALSE, 0}
};
#define NMC_FIELDS_SETTING_802_1X_ALL "name"","\
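Review bot: The three phase-2 CA-certificate entries in nmc_fields_setting_8021X[] are ordered differently from every other group in the table: PHASE2_CA_CERT_PASSWORD is at index 20, PHASE2_CA_CERT_PASSWORD_FLAGS at 21 and PHASE2_CA_CERT only at 22, whereas the phase-1 trio puts the certificate first (CA_CERT 5, CA_CERT_PASSWORD 6, _FLAGS 7), the NMC_FIELDS_SETTING_802_1X_ALL list names them as cert, password, flags, and the set_val_str calls in setting_802_1X_details fill index 20 with the phase2 CA cert, 21 with the password and 22 with the flags. As written, the phase2-ca-cert value would be printed under the `phase2-ca-cert-password` header, the secret-gated password under `phase2-ca-cert-password-flags`, and the flags under `phase2-ca-cert`. Swap the three lines so they read `SETTING_FIELD (NM_SETTING_802_1X_PHASE2_CA_CERT), /* 20 */`, `SETTING_FIELD (NM_SETTING_802_1X_PHASE2_CA_CERT_PASSWORD), /* 21 */`, `SETTING_FIELD (NM_SETTING_802_1X_PHASE2_CA_CERT_PASSWORD_FLAGS), /* 22 */`, which makes the table agree with both the _ALL list and the indices used by the details function.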
@@ -165,22 +173,30 @@ NmcOutputField nmc_fields_setting_8021X[] = {
NM_SETTING_802_1X_ANONYMOUS_IDENTITY","\
NM_SETTING_802_1X_PAC_FILE","\
NM_SETTING_802_1X_CA_CERT","\
+ NM_SETTING_802_1X_CA_CERT_PASSWORD","\
+ NM_SETTING_802_1X_CA_CERT_PASSWORD_FLAGS","\
NM_SETTING_802_1X_CA_PATH","\
NM_SETTING_802_1X_SUBJECT_MATCH","\
NM_SETTING_802_1X_ALTSUBJECT_MATCHES","\
NM_SETTING_802_1X_DOMAIN_SUFFIX_MATCH","\
NM_SETTING_802_1X_CLIENT_CERT","\
+ NM_SETTING_802_1X_CLIENT_CERT_PASSWORD","\
+ NM_SETTING_802_1X_CLIENT_CERT_PASSWORD_FLAGS","\
NM_SETTING_802_1X_PHASE1_PEAPVER","\
NM_SETTING_802_1X_PHASE1_PEAPLABEL","\
NM_SETTING_802_1X_PHASE1_FAST_PROVISIONING","\
NM_SETTING_802_1X_PHASE2_AUTH","\
NM_SETTING_802_1X_PHASE2_AUTHEAP","\
NM_SETTING_802_1X_PHASE2_CA_CERT","\
+ NM_SETTING_802_1X_PHASE2_CA_CERT_PASSWORD","\
+ NM_SETTING_802_1X_PHASE2_CA_CERT_PASSWORD_FLAGS","\
NM_SETTING_802_1X_PHASE2_CA_PATH","\
NM_SETTING_802_1X_PHASE2_SUBJECT_MATCH","\
NM_SETTING_802_1X_PHASE2_ALTSUBJECT_MATCHES","\
NM_SETTING_802_1X_PHASE2_DOMAIN_SUFFIX_MATCH","\
NM_SETTING_802_1X_PHASE2_CLIENT_CERT","\
+ NM_SETTING_802_1X_PHASE2_CLIENT_CERT_PASSWORD","\
+ NM_SETTING_802_1X_PHASE2_CLIENT_CERT_PASSWORD_FLAGS","\
NM_SETTING_802_1X_PASSWORD","\
NM_SETTING_802_1X_PASSWORD_FLAGS","\
NM_SETTING_802_1X_PASSWORD_RAW","\
@@ -1660,19 +1676,27 @@ DEFINE_GETTER (nmc_property_802_1X_get_eap, NM_SETTING_802_1X_EAP)
DEFINE_GETTER (nmc_property_802_1X_get_identity, NM_SETTING_802_1X_IDENTITY)
DEFINE_GETTER (nmc_property_802_1X_get_anonymous_identity, NM_SETTING_802_1X_ANONYMOUS_IDENTITY)
DEFINE_GETTER (nmc_property_802_1X_get_pac_file, NM_SETTING_802_1X_PAC_FILE)
+DEFINE_GETTER (nmc_property_802_1X_get_ca_cert_password, NM_SETTING_802_1X_CA_CERT_PASSWORD)
+DEFINE_SECRET_FLAGS_GETTER (nmc_property_802_1X_get_ca_cert_password_flags, NM_SETTING_802_1X_CA_CERT_PASSWORD_FLAGS)
DEFINE_GETTER (nmc_property_802_1X_get_ca_path, NM_SETTING_802_1X_CA_PATH)
DEFINE_GETTER (nmc_property_802_1X_get_subject_match, NM_SETTING_802_1X_SUBJECT_MATCH)
DEFINE_GETTER (nmc_property_802_1X_get_altsubject_matches, NM_SETTING_802_1X_ALTSUBJECT_MATCHES)
DEFINE_GETTER (nmc_property_802_1X_get_domain_suffix_match, NM_SETTING_802_1X_DOMAIN_SUFFIX_MATCH)
+DEFINE_GETTER (nmc_property_802_1X_get_client_cert_password, NM_SETTING_802_1X_CLIENT_CERT_PASSWORD)
+DEFINE_SECRET_FLAGS_GETTER (nmc_property_802_1X_get_client_cert_password_flags, NM_SETTING_802_1X_CLIENT_CERT_PASSWORD_FLAGS)
DEFINE_GETTER (nmc_property_802_1X_get_phase1_peapver, NM_SETTING_802_1X_PHASE1_PEAPVER)
DEFINE_GETTER (nmc_property_802_1X_get_phase1_peaplabel, NM_SETTING_802_1X_PHASE1_PEAPLABEL)
DEFINE_GETTER (nmc_property_802_1X_get_phase1_fast_provisioning, NM_SETTING_802_1X_PHASE1_FAST_PROVISIONING)
DEFINE_GETTER (nmc_property_802_1X_get_phase2_auth, NM_SETTING_802_1X_PHASE2_AUTH)
DEFINE_GETTER (nmc_property_802_1X_get_phase2_autheap, NM_SETTING_802_1X_PHASE2_AUTHEAP)
+DEFINE_GETTER (nmc_property_802_1X_get_phase2_ca_cert_password, NM_SETTING_802_1X_PHASE2_CA_CERT_PASSWORD)
+DEFINE_SECRET_FLAGS_GETTER (nmc_property_802_1X_get_phase2_ca_cert_password_flags, NM_SETTING_802_1X_PHASE2_CA_CERT_PASSWORD_FLAGS)
DEFINE_GETTER (nmc_property_802_1X_get_phase2_ca_path, NM_SETTING_802_1X_PHASE2_CA_PATH)
DEFINE_GETTER (nmc_property_802_1X_get_phase2_subject_match, NM_SETTING_802_1X_PHASE2_SUBJECT_MATCH)
DEFINE_GETTER (nmc_property_802_1X_get_phase2_altsubject_matches, NM_SETTING_802_1X_PHASE2_ALTSUBJECT_MATCHES)
DEFINE_GETTER (nmc_property_802_1X_get_phase2_domain_suffix_match, NM_SETTING_802_1X_PHASE2_DOMAIN_SUFFIX_MATCH)
+DEFINE_GETTER (nmc_property_802_1X_get_phase2_client_cert_password, NM_SETTING_802_1X_PHASE2_CLIENT_CERT_PASSWORD)
+DEFINE_SECRET_FLAGS_GETTER (nmc_property_802_1X_get_phase2_client_cert_password_flags, NM_SETTING_802_1X_PHASE2_CLIENT_CERT_PASSWORD_FLAGS)
DEFINE_GETTER (nmc_property_802_1X_get_password, NM_SETTING_802_1X_PASSWORD)
DEFINE_SECRET_FLAGS_GETTER (nmc_property_802_1X_get_password_flags, NM_SETTING_802_1X_PASSWORD_FLAGS)
DEFINE_SECRET_FLAGS_GETTER (nmc_property_802_1X_get_password_raw_flags, NM_SETTING_802_1X_PASSWORD_RAW_FLAGS)
@@ -6129,6 +6153,20 @@ nmc_properties_init (void)
nmc_property_802_1X_describe_ca_cert,
NULL,
NULL);
+ nmc_add_prop_funcs (GLUE (802_1X, CA_CERT_PASSWORD),
+ nmc_property_802_1X_get_ca_cert_password,
+ nmc_property_set_string,
+ NULL,
+ NULL,
+ NULL,
+ NULL);
+ nmc_add_prop_funcs (GLUE (802_1X, CA_CERT_PASSWORD_FLAGS),
+ nmc_property_802_1X_get_ca_cert_password_flags,
+ nmc_property_set_secret_flags,
+ NULL,
+ NULL,
+ NULL,
+ NULL);
nmc_add_prop_funcs (GLUE (802_1X, CA_PATH),
nmc_property_802_1X_get_ca_path,
nmc_property_set_string,
@@ -6164,6 +6202,20 @@ nmc_properties_init (void)
nmc_property_802_1X_describe_client_cert,
NULL,
NULL);
+ nmc_add_prop_funcs (GLUE (802_1X, CLIENT_CERT_PASSWORD),
+ nmc_property_802_1X_get_client_cert_password,
+ nmc_property_set_string,
+ NULL,
+ NULL,
+ NULL,
+ NULL);
+ nmc_add_prop_funcs (GLUE (802_1X, CLIENT_CERT_PASSWORD_FLAGS),
+ nmc_property_802_1X_get_client_cert_password_flags,
+ nmc_property_set_secret_flags,
+ NULL,
+ NULL,
+ NULL,
+ NULL);
nmc_add_prop_funcs (GLUE (802_1X, PHASE1_PEAPVER),
nmc_property_802_1X_get_phase1_peapver,
nmc_property_802_1X_set_phase1_peapver,
@@ -6206,6 +6258,20 @@ nmc_properties_init (void)
nmc_property_802_1X_describe_phase2_ca_cert,
NULL,
NULL);
+ nmc_add_prop_funcs (GLUE (802_1X, PHASE2_CA_CERT_PASSWORD),
+ nmc_property_802_1X_get_phase2_ca_cert_password,
+ nmc_property_set_string,
+ NULL,
+ NULL,
+ NULL,
+ NULL);
+ nmc_add_prop_funcs (GLUE (802_1X, PHASE2_CA_CERT_PASSWORD_FLAGS),
+ nmc_property_802_1X_get_phase2_ca_cert_password_flags,
+ nmc_property_set_secret_flags,
+ NULL,
+ NULL,
+ NULL,
+ NULL);
nmc_add_prop_funcs (GLUE (802_1X, PHASE2_CA_PATH),
nmc_property_802_1X_get_phase2_ca_path,
nmc_property_set_string,
@@ -6241,6 +6307,20 @@ nmc_properties_init (void)
nmc_property_802_1X_describe_phase2_client_cert,
NULL,
NULL);
+ nmc_add_prop_funcs (GLUE (802_1X, PHASE2_CLIENT_CERT_PASSWORD),
+ nmc_property_802_1X_get_phase2_client_cert_password,
+ nmc_property_set_string,
+ NULL,
+ NULL,
+ NULL,
+ NULL);
+ nmc_add_prop_funcs (GLUE (802_1X, PHASE2_CLIENT_CERT_PASSWORD_FLAGS),
+ nmc_property_802_1X_get_phase2_client_cert_password_flags,
+ nmc_property_set_secret_flags,
+ NULL,
+ NULL,
+ NULL,
+ NULL);
nmc_add_prop_funcs (GLUE (802_1X, PASSWORD),
nmc_property_802_1X_get_password,
nmc_property_set_string,
@@ -8580,35 +8660,43 @@ setting_802_1X_details (NMSetting *setting, NmCli *nmc, const char *one_prop, g
set_val_str (arr, 3, nmc_property_802_1X_get_anonymous_identity (setting, NMC_PROPERTY_GET_PRETTY));
set_val_str (arr, 4, nmc_property_802_1X_get_pac_file (setting, NMC_PROPERTY_GET_PRETTY));
set_val_str (arr, 5, nmc_property_802_1X_get_ca_cert (setting, NMC_PROPERTY_GET_PRETTY));
- set_val_str (arr, 6, nmc_property_802_1X_get_ca_path (setting, NMC_PROPERTY_GET_PRETTY));
- set_val_str (arr, 7, nmc_property_802_1X_get_subject_match (setting, NMC_PROPERTY_GET_PRETTY));
- set_val_str (arr, 8, nmc_property_802_1X_get_altsubject_matches (setting, NMC_PROPERTY_GET_PRETTY));
- set_val_str (arr, 9, nmc_property_802_1X_get_domain_suffix_match (setting, NMC_PROPERTY_GET_PRETTY));
- set_val_str (arr, 10, nmc_property_802_1X_get_client_cert (setting, NMC_PROPERTY_GET_PRETTY, secrets));
- set_val_str (arr, 11, nmc_property_802_1X_get_phase1_peapver (setting, NMC_PROPERTY_GET_PRETTY));
- set_val_str (arr, 12, nmc_property_802_1X_get_phase1_peaplabel (setting, NMC_PROPERTY_GET_PRETTY));
- set_val_str (arr, 13, nmc_property_802_1X_get_phase1_fast_provisioning (setting, NMC_PROPERTY_GET_PRETTY));
- set_val_str (arr, 14, nmc_property_802_1X_get_phase2_auth (setting, NMC_PROPERTY_GET_PRETTY));
- set_val_str (arr, 15, nmc_property_802_1X_get_phase2_autheap (setting, NMC_PROPERTY_GET_PRETTY));
- set_val_str (arr, 16, nmc_property_802_1X_get_phase2_ca_cert (setting, NMC_PROPERTY_GET_PRETTY));
- set_val_str (arr, 17, nmc_property_802_1X_get_phase2_ca_path (setting, NMC_PROPERTY_GET_PRETTY));
- set_val_str (arr, 18, nmc_property_802_1X_get_phase2_subject_match (setting, NMC_PROPERTY_GET_PRETTY));
- set_val_str (arr, 19, nmc_property_802_1X_get_phase2_altsubject_matches (setting, NMC_PROPERTY_GET_PRETTY));
- set_val_str (arr, 20, nmc_property_802_1X_get_phase2_domain_suffix_match (setting, NMC_PROPERTY_GET_PRETTY));
- set_val_str (arr, 21, nmc_property_802_1X_get_phase2_client_cert (setting, NMC_PROPERTY_GET_PRETTY, secrets));
- set_val_str (arr, 22, GET_SECRET (secrets, setting, nmc_property_802_1X_get_password));
- set_val_str (arr, 23, nmc_property_802_1X_get_password_flags (setting, NMC_PROPERTY_GET_PRETTY));
- set_val_str (arr, 24, GET_SECRET (secrets, setting, nmc_property_802_1X_get_password_raw));
- set_val_str (arr, 25, nmc_property_802_1X_get_password_raw_flags (setting, NMC_PROPERTY_GET_PRETTY));
- set_val_str (arr, 26, nmc_property_802_1X_get_private_key (setting, NMC_PROPERTY_GET_PRETTY, secrets));
- set_val_str (arr, 27, GET_SECRET (secrets, setting, nmc_property_802_1X_get_private_key_password));
- set_val_str (arr, 28, nmc_property_802_1X_get_private_key_password_flags (setting, NMC_PROPERTY_GET_PRETTY));
- set_val_str (arr, 29, nmc_property_802_1X_get_phase2_private_key (setting, NMC_PROPERTY_GET_PRETTY, secrets));
- set_val_str (arr, 30, GET_SECRET (secrets, setting, nmc_property_802_1X_get_phase2_private_key_password));
- set_val_str (arr, 31, nmc_property_802_1X_get_phase2_private_key_password_flags (setting, NMC_PROPERTY_GET_PRETTY));
- set_val_str (arr, 32, GET_SECRET (secrets, setting, nmc_property_802_1X_get_pin));
- set_val_str (arr, 33, nmc_property_802_1X_get_pin_flags (setting, NMC_PROPERTY_GET_PRETTY));
- set_val_str (arr, 34, nmc_property_802_1X_get_system_ca_certs (setting, NMC_PROPERTY_GET_PRETTY));
+ set_val_str (arr, 6, GET_SECRET (secrets, setting, nmc_property_802_1X_get_ca_cert_password));
+ set_val_str (arr, 7, nmc_property_802_1X_get_ca_cert_password_flags (setting, NMC_PROPERTY_GET_PRETTY));
+ set_val_str (arr, 8, nmc_property_802_1X_get_ca_path (setting, NMC_PROPERTY_GET_PRETTY));
+ set_val_str (arr, 9, nmc_property_802_1X_get_subject_match (setting, NMC_PROPERTY_GET_PRETTY));
+ set_val_str (arr, 10, nmc_property_802_1X_get_altsubject_matches (setting, NMC_PROPERTY_GET_PRETTY));
+ set_val_str (arr, 11, nmc_property_802_1X_get_domain_suffix_match (setting, NMC_PROPERTY_GET_PRETTY));
+ set_val_str (arr, 12, nmc_property_802_1X_get_client_cert (setting, NMC_PROPERTY_GET_PRETTY, secrets));
+ set_val_str (arr, 13, GET_SECRET (secrets, setting, nmc_property_802_1X_get_client_cert_password));
+ set_val_str (arr, 14, nmc_property_802_1X_get_client_cert_password_flags (setting, NMC_PROPERTY_GET_PRETTY));
+ set_val_str (arr, 15, nmc_property_802_1X_get_phase1_peapver (setting, NMC_PROPERTY_GET_PRETTY));
+ set_val_str (arr, 16, nmc_property_802_1X_get_phase1_peaplabel (setting, NMC_PROPERTY_GET_PRETTY));
+ set_val_str (arr, 17, nmc_property_802_1X_get_phase1_fast_provisioning (setting, NMC_PROPERTY_GET_PRETTY));
+ set_val_str (arr, 18, nmc_property_802_1X_get_phase2_auth (setting, NMC_PROPERTY_GET_PRETTY));
+ set_val_str (arr, 19, nmc_property_802_1X_get_phase2_autheap (setting, NMC_PROPERTY_GET_PRETTY));
+ set_val_str (arr, 20, nmc_property_802_1X_get_phase2_ca_cert (setting, NMC_PROPERTY_GET_PRETTY));
+ set_val_str (arr, 21, GET_SECRET (secrets, setting, nmc_property_802_1X_get_phase2_ca_cert_password));
+ set_val_str (arr, 22, nmc_property_802_1X_get_phase2_ca_cert_password_flags (setting, NMC_PROPERTY_GET_PRETTY));
+ set_val_str (arr, 23, nmc_property_802_1X_get_phase2_ca_path (setting, NMC_PROPERTY_GET_PRETTY));
+ set_val_str (arr, 24, nmc_property_802_1X_get_phase2_subject_match (setting, NMC_PROPERTY_GET_PRETTY));
+ set_val_str (arr, 25, nmc_property_802_1X_get_phase2_altsubject_matches (setting, NMC_PROPERTY_GET_PRETTY));
+ set_val_str (arr, 26, nmc_property_802_1X_get_phase2_domain_suffix_match (setting, NMC_PROPERTY_GET_PRETTY));
+ set_val_str (arr, 27, nmc_property_802_1X_get_phase2_client_cert (setting, NMC_PROPERTY_GET_PRETTY, secrets));
+ set_val_str (arr, 28, GET_SECRET (secrets, setting, nmc_property_802_1X_get_phase2_client_cert_password));
+ set_val_str (arr, 29, nmc_property_802_1X_get_phase2_client_cert_password_flags (setting, NMC_PROPERTY_GET_PRETTY));
+ set_val_str (arr, 30, GET_SECRET (secrets, setting, nmc_property_802_1X_get_password));
+ set_val_str (arr, 31, nmc_property_802_1X_get_password_flags (setting, NMC_PROPERTY_GET_PRETTY));
+ set_val_str (arr, 32, GET_SECRET (secrets, setting, nmc_property_802_1X_get_password_raw));
+ set_val_str (arr, 33, nmc_property_802_1X_get_password_raw_flags (setting, NMC_PROPERTY_GET_PRETTY));
+ set_val_str (arr, 34, nmc_property_802_1X_get_private_key (setting, NMC_PROPERTY_GET_PRETTY, secrets));
+ set_val_str (arr, 35, GET_SECRET (secrets, setting, nmc_property_802_1X_get_private_key_password));
+ set_val_str (arr, 36, nmc_property_802_1X_get_private_key_password_flags (setting, NMC_PROPERTY_GET_PRETTY));
+ set_val_str (arr, 37, nmc_property_802_1X_get_phase2_private_key (setting, NMC_PROPERTY_GET_PRETTY, secrets));
+ set_val_str (arr, 38, GET_SECRET (secrets, setting, nmc_property_802_1X_get_phase2_private_key_password));
+ set_val_str (arr, 39, nmc_property_802_1X_get_phase2_private_key_password_flags (setting, NMC_PROPERTY_GET_PRETTY));
+ set_val_str (arr, 40, GET_SECRET (secrets, setting, nmc_property_802_1X_get_pin));
+ set_val_str (arr, 41, nmc_property_802_1X_get_pin_flags (setting, NMC_PROPERTY_GET_PRETTY));
+ set_val_str (arr, 42, nmc_property_802_1X_get_system_ca_certs (setting, NMC_PROPERTY_GET_PRETTY));
g_ptr_array_add (nmc->output_data, arr);
print_data (nmc); /* Print all data */
diff --git a/libnm-core/nm-core-internal.h b/libnm-core/nm-core-internal.h
index cf085bb2b7..26827d0f37 100644
--- a/libnm-core/nm-core-internal.h
+++ b/libnm-core/nm-core-internal.h
@@ -342,4 +342,33 @@ gboolean _nm_utils_inet6_is_token (const struct in6_addr *in6addr);
gboolean _nm_utils_team_config_equal (const char *conf1, const char *conf2, gboolean port);
+/*****************************************************************************/
+
+typedef struct {
+ const char *setting_key;
+ NMSetting8021xCKScheme (*scheme_func) (NMSetting8021x *setting);
+ NMSetting8021xCKFormat (*format_func) (NMSetting8021x *setting);
+ const char * (*path_func) (NMSetting8021x *setting);
+ GBytes * (*blob_func) (NMSetting8021x *setting);
+ const char * (*uri_func) (NMSetting8021x *setting);
+ const char * (*passwd_func) (NMSetting8021x *setting);
+ NMSettingSecretFlags (*pwflag_func) (NMSetting8021x *setting);
+ const char *file_suffix;
+} NMSetting8021xSchemeVtable;
+
+enum {
+ NM_SETTING_802_1X_SCHEME_TYPE_CA_CERT,
+ NM_SETTING_802_1X_SCHEME_TYPE_PHASE2_CA_CERT,
+ NM_SETTING_802_1X_SCHEME_TYPE_CLIENT_CERT,
+ NM_SETTING_802_1X_SCHEME_TYPE_PHASE2_CLIENT_CERT,
+ NM_SETTING_802_1X_SCHEME_TYPE_PRIVATE_KEY,
+ NM_SETTING_802_1X_SCHEME_TYPE_PHASE2_PRIVATE_KEY,
+
+ NM_SETTING_802_1X_SCHEME_TYPE_UNKNOWN,
+};
+
+extern const NMSetting8021xSchemeVtable nm_setting_8021x_scheme_vtable[NM_SETTING_802_1X_SCHEME_TYPE_UNKNOWN + 1];
+
+/*****************************************************************************/
+
#endif
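Review bot: NMSetting8021xSchemeVtable and the extern table are added without any comment on the contract their consumers rely on: the table is terminated by an entry whose `setting_key` is NULL (the NM_SETTING_802_1X_SCHEME_TYPE_UNKNOWN slot), and `format_func` is NULL for the four certificate entries while the other function pointers are always set, so a generic consumer must check `format_func` before calling it. I would add above the typedef `/* Accessors for one 802-1x certificate/key property. format_func is NULL for certificate entries (only private keys have a format); the remaining function pointers are always non-NULL. */` and above the extern `/* Indexed by NM_SETTING_802_1X_SCHEME_TYPE_*; the NM_SETTING_802_1X_SCHEME_TYPE_UNKNOWN entry is all-NULL and terminates iteration by setting_key. */`. Putting this in the header rather than at the definition is what saves the next caller from re-deriving it from nm-setting-8021x.c.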
diff --git a/libnm-core/nm-keyfile-internal.h b/libnm-core/nm-keyfile-internal.h
index 30c6c200d6..ded86bfc16 100644
--- a/libnm-core/nm-keyfile-internal.h
+++ b/libnm-core/nm-keyfile-internal.h
@@ -27,6 +27,8 @@
#include "nm-connection.h"
#include "nm-setting-8021x.h"
+#include "nm-core-internal.h"
+
/*****************************************************************************/
#define NM_KEYFILE_CERT_SCHEME_PREFIX_PATH "file://"
@@ -138,17 +140,8 @@ typedef gboolean (*NMKeyfileWriteHandler) (NMConnection *connection,
* type %NM_KEYFILE_WRITE_TYPE_CERT.
*/
typedef struct {
+ const NMSetting8021xSchemeVtable *vtable;
NMSetting8021x *setting;
- const char *property_name;
-
- /* The following functions are helpers that simplify the implementation
- * of the handler. */
- const char *suffix;
- NMSetting8021xCKScheme (*scheme_func) (NMSetting8021x *setting);
- NMSetting8021xCKFormat (*format_func) (NMSetting8021x *setting);
- const char * (*path_func) (NMSetting8021x *setting);
- GBytes * (*blob_func) (NMSetting8021x *setting);
- const char * (*uri_func) (NMSetting8021x *setting);
} NMKeyfileWriteTypeDataCert;
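Review bot: The replacement `vtable` member carries no comment, whereas the helpers it replaces were described in the removed text as helpers that simplify the handler; a handler author now has to open nm-core-internal.h to learn what the pointer provides. I'd put above the field `/* Accessors (scheme/format/path/blob/uri/password) and keyfile suffix for the certificate or key property being written; its setting key is vtable->setting_key. Set by the writer before the handler runs. */`. Dropping `property_name` also changes a struct handed to out-of-file write handlers, so any handler that read `property_name` must now use `vtable->setting_key`; the keyfile plugin's nms-keyfile-writer.c is in the diffstat and presumably adapted, but it is not in view here.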
diff --git a/libnm-core/nm-keyfile-writer.c b/libnm-core/nm-keyfile-writer.c
index 3a7007d954..21aeca2fa8 100644
--- a/libnm-core/nm-keyfile-writer.c
+++ b/libnm-core/nm-keyfile-writer.c
@@ -373,68 +373,6 @@ password_raw_writer (KeyfileWriterInfo *info,
nm_keyfile_plugin_kf_set_integer_list_uint8 (info->keyfile, setting_name, key, data, len);
}
-typedef struct ObjectType {
- const char *key;
- const char *suffix;
- NMSetting8021xCKScheme (*scheme_func) (NMSetting8021x *setting);
- NMSetting8021xCKFormat (*format_func) (NMSetting8021x *setting);
- const char * (*path_func) (NMSetting8021x *setting);
- GBytes * (*blob_func) (NMSetting8021x *setting);
- const char * (*uri_func) (NMSetting8021x *setting);
-} ObjectType;
-
-static const ObjectType objtypes[10] = {
- { NM_SETTING_802_1X_CA_CERT,
- "ca-cert",
- nm_setting_802_1x_get_ca_cert_scheme,
- NULL,
- nm_setting_802_1x_get_ca_cert_path,
- nm_setting_802_1x_get_ca_cert_blob,
- nm_setting_802_1x_get_ca_cert_uri },
-
- { NM_SETTING_802_1X_PHASE2_CA_CERT,
- "inner-ca-cert",
- nm_setting_802_1x_get_phase2_ca_cert_scheme,
- NULL,
- nm_setting_802_1x_get_phase2_ca_cert_path,
- nm_setting_802_1x_get_phase2_ca_cert_blob,
- nm_setting_802_1x_get_phase2_ca_cert_uri },
-
- { NM_SETTING_802_1X_CLIENT_CERT,
- "client-cert",
- nm_setting_802_1x_get_client_cert_scheme,
- NULL,
- nm_setting_802_1x_get_client_cert_path,
- nm_setting_802_1x_get_client_cert_blob,
- nm_setting_802_1x_get_client_cert_uri },
-
- { NM_SETTING_802_1X_PHASE2_CLIENT_CERT,
- "inner-client-cert",
- nm_setting_802_1x_get_phase2_client_cert_scheme,
- NULL,
- nm_setting_802_1x_get_phase2_client_cert_path,
- nm_setting_802_1x_get_phase2_client_cert_blob,
- nm_setting_802_1x_get_phase2_client_cert_uri },
-
- { NM_SETTING_802_1X_PRIVATE_KEY,
- "private-key",
- nm_setting_802_1x_get_private_key_scheme,
- nm_setting_802_1x_get_private_key_format,
- nm_setting_802_1x_get_private_key_path,
- nm_setting_802_1x_get_private_key_blob,
- nm_setting_802_1x_get_private_key_uri },
-
- { NM_SETTING_802_1X_PHASE2_PRIVATE_KEY,
- "inner-private-key",
- nm_setting_802_1x_get_phase2_private_key_scheme,
- nm_setting_802_1x_get_phase2_private_key_format,
- nm_setting_802_1x_get_phase2_private_key_path,
- nm_setting_802_1x_get_phase2_private_key_blob,
- nm_setting_802_1x_get_phase2_private_key_uri },
-
- { NULL },
-};
-
/*****************************************************************************/
static void
@@ -445,13 +383,13 @@ cert_writer_default (NMConnection *connection,
const char *setting_name = nm_setting_get_name (NM_SETTING (cert_data->setting));
NMSetting8021xCKScheme scheme;
- scheme = cert_data->scheme_func (cert_data->setting);
+ scheme = cert_data->vtable->scheme_func (cert_data->setting);
if (scheme == NM_SETTING_802_1X_CK_SCHEME_PATH) {
const char *path;
char *path_free = NULL, *tmp;
gs_free char *base_dir = NULL;
- path = cert_data->path_func (cert_data->setting);
+ path = cert_data->vtable->path_func (cert_data->setting);
g_assert (path);
/* If the path is relative, make it an absolute path.
@@ -475,7 +413,7 @@ cert_writer_default (NMConnection *connection,
/* Path contains at least a '/', hence it cannot be recognized as the old
* binary format consisting of a list of integers. */
- nm_keyfile_plugin_kf_set_string (file, setting_name, cert_data->property_name, path);
+ nm_keyfile_plugin_kf_set_string (file, setting_name, cert_data->vtable->setting_key, path);
g_free (tmp);
g_free (path_free);
} else if (scheme == NM_SETTING_802_1X_CK_SCHEME_BLOB) {
@@ -484,19 +422,19 @@ cert_writer_default (NMConnection *connection,
gsize blob_len;
char *blob_base64, *val;
- blob = cert_data->blob_func (cert_data->setting);
+ blob = cert_data->vtable->blob_func (cert_data->setting);
g_assert (blob);
blob_data = g_bytes_get_data (blob, &blob_len);
blob_base64 = g_base64_encode (blob_data, blob_len);
val = g_strconcat (NM_KEYFILE_CERT_SCHEME_PREFIX_BLOB, blob_base64, NULL);
- nm_keyfile_plugin_kf_set_string (file, setting_name, cert_data->property_name, val);
+ nm_keyfile_plugin_kf_set_string (file, setting_name, cert_data->vtable->setting_key, val);
g_free (val);
g_free (blob_base64);
} else if (scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11) {
- nm_keyfile_plugin_kf_set_string (file, setting_name, cert_data->property_name,
- cert_data->uri_func (cert_data->setting));
+ nm_keyfile_plugin_kf_set_string (file, setting_name, cert_data->vtable->setting_key,
+ cert_data->vtable->uri_func (cert_data->setting));
} else {
/* scheme_func() returns UNKNOWN in all other cases. The only valid case
* where a scheme is allowed to be UNKNOWN, is unsetting the value. In this
@@ -514,13 +452,13 @@ cert_writer (KeyfileWriterInfo *info,
const char *key,
const GValue *value)
{
- const ObjectType *objtype = NULL;
+ const NMSetting8021xSchemeVtable *objtype = NULL;
guint i;
NMKeyfileWriteTypeDataCert type_data = { 0 };
- for (i = 0; i < G_N_ELEMENTS (objtypes) && objtypes[i].key; i++) {
- if (g_strcmp0 (objtypes[i].key, key) == 0) {
- objtype = &objtypes[i];
+ for (i = 0; nm_setting_8021x_scheme_vtable[i].setting_key; i++) {
+ if (g_strcmp0 (nm_setting_8021x_scheme_vtable[i].setting_key, key) == 0) {
+ objtype = &nm_setting_8021x_scheme_vtable[i];
break;
}
}
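Review bot: The lookup loop now terminates only on the `setting_key == NULL` sentinel, whereas the old loop also bounded `i` by `G_N_ELEMENTS (objtypes)`. The header declares the table with a fixed size (NM_SETTING_802_1X_SCHEME_TYPE_UNKNOWN + 1), so the compile-time bound is still available and costs nothing, and it keeps a dropped or displaced sentinel from turning into a read past the array. I'd keep both guards: `for (i = 0; i < G_N_ELEMENTS (nm_setting_8021x_scheme_vtable) && nm_setting_8021x_scheme_vtable[i].setting_key; i++) {`. cert_writer's signature and its tail lie outside this hunk.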
@@ -528,13 +466,7 @@ cert_writer (KeyfileWriterInfo *info,
g_return_if_reached ();
type_data.setting = NM_SETTING_802_1X (setting);
- type_data.property_name = key;
- type_data.suffix = objtype->suffix;
- type_data.scheme_func = objtype->scheme_func;
- type_data.format_func = objtype->format_func;
- type_data.path_func = objtype->path_func;
- type_data.blob_func = objtype->blob_func;
- type_data.uri_func = objtype->uri_func;
+ type_data.vtable = objtype;
if (info->handler) {
if (info->handler (info->connection,
diff --git a/libnm-core/nm-setting-8021x.c b/libnm-core/nm-setting-8021x.c
index 9729665082..e64769e42d 100644
--- a/libnm-core/nm-setting-8021x.c
+++ b/libnm-core/nm-setting-8021x.c
@@ -77,22 +77,30 @@ typedef struct {
char *anonymous_identity;
char *pac_file;
GBytes *ca_cert;
+ char *ca_cert_password;
+ NMSettingSecretFlags ca_cert_password_flags;
char *ca_path;
char *subject_match;
GSList *altsubject_matches;
char *domain_suffix_match;
GBytes *client_cert;
+ char *client_cert_password;
+ NMSettingSecretFlags client_cert_password_flags;
char *phase1_peapver;
char *phase1_peaplabel;
char *phase1_fast_provisioning;
char *phase2_auth;
char *phase2_autheap;
GBytes *phase2_ca_cert;
+ char *phase2_ca_cert_password;
+ NMSettingSecretFlags phase2_ca_cert_password_flags;
char *phase2_ca_path;
char *phase2_subject_match;
GSList *phase2_altsubject_matches;
char *phase2_domain_suffix_match;
GBytes *phase2_client_cert;
+ char *phase2_client_cert_password;
+ NMSettingSecretFlags phase2_client_cert_password_flags;
char *password;
NMSettingSecretFlags password_flags;
GBytes *password_raw;
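Review bot: The four new `*_password` members are heap-owned strings that hold secrets, and nothing in this hunk shows where they are released or how they are classified; the setting's finalize, set_property/get_property and the secret-flag lookup paths are outside the visible hunks. Worth confirming that each of `ca_cert_password`, `client_cert_password`, `phase2_ca_cert_password` and `phase2_client_cert_password` is freed in finalize and that the corresponding properties are marked as secrets paired with their `*_flags` siblings, the way the existing password properties presumably are, so the agent and on-disk writers do not treat them as ordinary string properties. A one-line comment on the group, `/* PKCS#11 token passwords; secrets, governed by the matching *_flags. */`, would make the intent visible at the struct. The private struct begins before this hunk.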
@@ -115,22 +123,30 @@ enum {
PROP_ANONYMOUS_IDENTITY,
PROP_PAC_FILE,
PROP_CA_CERT,
+ PROP_CA_CERT_PASSWORD,
+ PROP_CA_CERT_PASSWORD_FLAGS,
PROP_CA_PATH,
PROP_SUBJECT_MATCH,
PROP_ALTSUBJECT_MATCHES,
PROP_DOMAIN_SUFFIX_MATCH,
PROP_CLIENT_CERT,
+ PROP_CLIENT_CERT_PASSWORD,
+ PROP_CLIENT_CERT_PASSWORD_FLAGS,
PROP_PHASE1_PEAPVER,
PROP_PHASE1_PEAPLABEL,
PROP_PHASE1_FAST_PROVISIONING,
PROP_PHASE2_AUTH,
PROP_PHASE2_AUTHEAP,
PROP_PHASE2_CA_CERT,
+ PROP_PHASE2_CA_CERT_PASSWORD,
+ PROP_PHASE2_CA_CERT_PASSWORD_FLAGS,
PROP_PHASE2_CA_PATH,
PROP_PHASE2_SUBJECT_MATCH,
PROP_PHASE2_ALTSUBJECT_MATCHES,
PROP_PHASE2_DOMAIN_SUFFIX_MATCH,
PROP_PHASE2_CLIENT_CERT,
+ PROP_PHASE2_CLIENT_CERT_PASSWORD,
+ PROP_PHASE2_CLIENT_CERT_PASSWORD_FLAGS,
PROP_PASSWORD,
PROP_PASSWORD_FLAGS,
PROP_PASSWORD_RAW,
@@ -161,6 +177,86 @@ nm_setting_802_1x_new (void)
return (NMSetting *) g_object_new (NM_TYPE_SETTING_802_1X, NULL);
}
+/*****************************************************************************/
+
+const NMSetting8021xSchemeVtable nm_setting_8021x_scheme_vtable[] = {
+ [NM_SETTING_802_1X_SCHEME_TYPE_CA_CERT] = {
+ .setting_key = NM_SETTING_802_1X_CA_CERT,
+ .scheme_func = nm_setting_802_1x_get_ca_cert_scheme,
+ .format_func = NULL,
+ .path_func = nm_setting_802_1x_get_ca_cert_path,
+ .blob_func = nm_setting_802_1x_get_ca_cert_blob,
+ .uri_func = nm_setting_802_1x_get_ca_cert_uri,
+ .passwd_func = nm_setting_802_1x_get_ca_cert_password,
+ .pwflag_func = nm_setting_802_1x_get_ca_cert_password_flags,
+ .file_suffix = "ca-cert",
+ },
+
+ [NM_SETTING_802_1X_SCHEME_TYPE_PHASE2_CA_CERT] = {
+ .setting_key = NM_SETTING_802_1X_PHASE2_CA_CERT,
+ .scheme_func = nm_setting_802_1x_get_phase2_ca_cert_scheme,
+ .format_func = NULL,
+ .path_func = nm_setting_802_1x_get_phase2_ca_cert_path,
+ .blob_func = nm_setting_802_1x_get_phase2_ca_cert_blob,
+ .uri_func = nm_setting_802_1x_get_phase2_ca_cert_uri,
+ .passwd_func = nm_setting_802_1x_get_phase2_ca_cert_password,
+ .pwflag_func = nm_setting_802_1x_get_phase2_ca_cert_password_flags,
+ .file_suffix = "inner-ca-cert",
+ },
+
+ [NM_SETTING_802_1X_SCHEME_TYPE_CLIENT_CERT] = {
+ .setting_key = NM_SETTING_802_1X_CLIENT_CERT,
+ .scheme_func = nm_setting_802_1x_get_client_cert_scheme,
+ .format_func = NULL,
+ .path_func = nm_setting_802_1x_get_client_cert_path,
+ .blob_func = nm_setting_802_1x_get_client_cert_blob,
+ .uri_func = nm_setting_802_1x_get_client_cert_uri,
+ .passwd_func = nm_setting_802_1x_get_client_cert_password,
+ .pwflag_func = nm_setting_802_1x_get_client_cert_password_flags,
+ .file_suffix = "client-cert",
+ },
+
+ [NM_SETTING_802_1X_SCHEME_TYPE_PHASE2_CLIENT_CERT] = {
+ .setting_key = NM_SETTING_802_1X_PHASE2_CLIENT_CERT,
+ .scheme_func = nm_setting_802_1x_get_phase2_client_cert_scheme,
+ .format_func = NULL,
+ .path_func = nm_setting_802_1x_get_phase2_client_cert_path,
+ .blob_func = nm_setting_802_1x_get_phase2_client_cert_blob,
+ .uri_func = nm_setting_802_1x_get_phase2_client_cert_uri,
+ .passwd_func = nm_setting_802_1x_get_phase2_client_cert_password,
+ .pwflag_func = nm_setting_802_1x_get_phase2_client_cert_password_flags,
+ .file_suffix = "inner-client-cert",
+ },
+
+ [NM_SETTING_802_1X_SCHEME_TYPE_PRIVATE_KEY] = {
+ .setting_key = NM_SETTING_802_1X_PRIVATE_KEY,
+ .scheme_func = nm_setting_802_1x_get_private_key_scheme,
+ .format_func = nm_setting_802_1x_get_private_key_format,
+ .path_func = nm_setting_802_1x_get_private_key_path,
+ .blob_func = nm_setting_802_1x_get_private_key_blob,
+ .uri_func = nm_setting_802_1x_get_private_key_uri,
+ .passwd_func = nm_setting_802_1x_get_private_key_password,
+ .pwflag_func = nm_setting_802_1x_get_private_key_password_flags,
+ .file_suffix = "private-key",
+ },
+
+ [NM_SETTING_802_1X_SCHEME_TYPE_PHASE2_PRIVATE_KEY] = {
+ .setting_key = NM_SETTING_802_1X_PHASE2_PRIVATE_KEY,
+ .scheme_func = nm_setting_802_1x_get_phase2_private_key_scheme,
+ .format_func = nm_setting_802_1x_get_phase2_private_key_format,
+ .path_func = nm_setting_802_1x_get_phase2_private_key_path,
+ .blob_func = nm_setting_802_1x_get_phase2_private_key_blob,
+ .uri_func = nm_setting_802_1x_get_phase2_private_key_uri,
+ .passwd_func = nm_setting_802_1x_get_phase2_private_key_password,
+ .pwflag_func = nm_setting_802_1x_get_phase2_private_key_password_flags,
+ .file_suffix = "inner-private-key",
+ },
+
+ [NM_SETTING_802_1X_SCHEME_TYPE_UNKNOWN] = { NULL },
+};
+
+/*****************************************************************************/
+
/**
* nm_setting_802_1x_get_num_eap_methods:
* @setting: the #NMSetting8021x
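Review bot: The terminating `{ NULL }` entry at NM_SETTING_802_1X_SCHEME_TYPE_UNKNOWN is the only thing that stops sentinel-driven scans of this table, yet nothing marks it as such, and the four `.format_func = NULL` entries are the one place a consumer can receive a NULL function pointer from this table. I'd annotate the sentinel `/* Sentinel: setting_key == NULL terminates iteration; keep it last. */` and add on the first certificate entry `/* only private keys have a format; callers must NULL-check format_func */`. The designated initializers already tie each row to its enum index, so no further ordering comment is needed.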
@@ -740,6 +836,41 @@ nm_setting_802_1x_set_ca_cert (NMSetting8021x *setting,
}
/**
+ * nm_setting_802_1x_get_ca_cert_password:
+ * @setting: the #NMSetting8021x
+ *
+ * Returns: the password used to access the CA certificate stored in
+ * #NMSetting8021x:ca-cert property. Only makes sense if the certificate
+ * is stored on a PKCS#<!-- -->11 token that requires a login.
+ *
+ * Since: 1.8
+ **/
+const char *
+nm_setting_802_1x_get_ca_cert_password (NMSetting8021x *setting)
+{
+ g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);
+
+ return NM_SETTING_802_1X_GET_PRIVATE (setting)->ca_cert_password;
+}
+
+/**
+ * nm_setting_802_1x_get_ca_cert_password_flags:
+ * @setting: the #NMSetting8021x
+ *
+ * Returns: the #NMSettingSecretFlags pertaining to the
+ * #NMSetting8021x:ca-cert-password
+ *
+ * Since: 1.8
+ **/
+NMSettingSecretFlags
+nm_setting_802_1x_get_ca_cert_password_flags (NMSetting8021x *setting)
+{
+ g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NM_SETTING_SECRET_FLAG_NONE);
+
+ return NM_SETTING_802_1X_GET_PRIVATE (setting)->ca_cert_password_flags;
+}
+
+/**
* nm_setting_802_1x_get_subject_match:
* @setting: the #NMSetting8021x
*
@@ -1121,6 +1252,41 @@ nm_setting_802_1x_set_client_cert (NMSetting8021x *setting,
}
/**
+ * nm_setting_802_1x_get_client_cert_password:
+ * @setting: the #NMSetting8021x
+ *
+ * Returns: the password used to access the client certificate stored in
+ * #NMSetting8021x:client-cert property. Only makes sense if the certificate
+ * is stored on a PKCS#<!-- -->11 token that requires a login.
+ *
+ * Since: 1.8
+ **/
+const char *
+nm_setting_802_1x_get_client_cert_password (NMSetting8021x *setting)
+{
+ g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);
+
+ return NM_SETTING_802_1X_GET_PRIVATE (setting)->client_cert_password;
+}
+
+/**
+ * nm_setting_802_1x_get_client_cert_password_flags:
+ * @setting: the #NMSetting8021x
+ *
+ * Returns: the #NMSettingSecretFlags pertaining to the
+ * #NMSetting8021x:client-cert-password
+ *
+ * Since: 1.8
+ **/
+NMSettingSecretFlags
+nm_setting_802_1x_get_client_cert_password_flags (NMSetting8021x *setting)
+{
+ g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NM_SETTING_SECRET_FLAG_NONE);
+
+ return NM_SETTING_802_1X_GET_PRIVATE (setting)->client_cert_password_flags;
+}
+
+/**
* nm_setting_802_1x_get_phase1_peapver:
* @setting: the #NMSetting8021x
*
@@ -1413,6 +1579,41 @@ nm_setting_802_1x_set_phase2_ca_cert (NMSetting8021x *setting,
}
/**
+ * nm_setting_802_1x_get_phase2_ca_cert_password:
+ * @setting: the #NMSetting8021x
+ *
+ * Returns: the password used to access the "phase2" CA certificate stored in
+ * #NMSetting8021x:phase2-ca-cert property. Only makes sense if the certificate
+ * is stored on a PKCS#<!-- -->11 token that requires a login.
+ *
+ * Since: 1.8
+ **/
+const char *
+nm_setting_802_1x_get_phase2_ca_cert_password (NMSetting8021x *setting)
+{
+ g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);
+
+ return NM_SETTING_802_1X_GET_PRIVATE (setting)->phase2_ca_cert_password;
+}
+
+/**
+ * nm_setting_802_1x_get_phase2_ca_cert_password_flags:
+ * @setting: the #NMSetting8021x
+ *
+ * Returns: the #NMSettingSecretFlags pertaining to the
+ * #NMSetting8021x:phase2-private-key-password
+ *
+ * Since: 1.8
+ **/
+NMSettingSecretFlags
+nm_setting_802_1x_get_phase2_ca_cert_password_flags (NMSetting8021x *setting)
+{
+ g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NM_SETTING_SECRET_FLAG_NONE);
+
+ return NM_SETTING_802_1X_GET_PRIVATE (setting)->phase2_ca_cert_password_flags;
+}
+
+/**
* nm_setting_802_1x_get_phase2_subject_match:
* @setting: the #NMSetting8021x
*
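Review bot: The gtk-doc block for nm_setting_802_1x_get_phase2_ca_cert_password_flags names the wrong property: its Returns line refers to `#NMSetting8021x:phase2-private-key-password`, while the function returns `phase2_ca_cert_password_flags`. Change that line to `* #NMSetting8021x:phase2-ca-cert-password` so the generated documentation cross-links to the property these flags actually govern.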
@@ -1800,6 +2001,41 @@ nm_setting_802_1x_set_phase2_client_cert (NMSetting8021x *setting,
}
/**
+ * nm_setting_802_1x_get_phase2_ca_cert_password:
+ * @setting: the #NMSetting8021x
+ *
+ * Returns: the password used to access the "phase2" client certificate stored in
+ * #NMSetting8021x:phase2-client-cert property. Only makes sense if the certificate
+ * is stored on a PKCS#<!-- -->11 token that requires a login.
+ *
+ * Since: 1.8
+ **/
+const char *
+nm_setting_802_1x_get_phase2_client_cert_password (NMSetting8021x *setting)
+{
+ g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);
+
+ return NM_SETTING_802_1X_GET_PRIVATE (setting)->phase2_client_cert_password;
+}
+
+/**
+ * nm_setting_802_1x_get_phase2_client_cert_password_flags:
+ * @setting: the #NMSetting8021x
+ *
+ * Returns: the #NMSettingSecretFlags pertaining to the
+ * #NMSetting8021x:phase2-client-cert-password
+ *
+ * Since: 1.8
+ **/
+NMSettingSecretFlags
+nm_setting_802_1x_get_phase2_client_cert_password_flags (NMSetting8021x *setting)
+{
+ g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NM_SETTING_SECRET_FLAG_NONE);
+
+ return NM_SETTING_802_1X_GET_PRIVATE (setting)->phase2_client_cert_password_flags;
+}
+
+/**
* nm_setting_802_1x_get_password:
* @setting: the #NMSetting8021x
*
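Review bot: The doc comment at the top of this hunk is titled `nm_setting_802_1x_get_phase2_ca_cert_password:` but it sits above, and describes, nm_setting_802_1x_get_phase2_client_cert_password. gtk-doc matches the block to a symbol by that first line, so the client-cert getter ends up undocumented and the phase2 CA getter gets a second, conflicting block. Change the heading to `* nm_setting_802_1x_get_phase2_client_cert_password:`.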
@@ -2576,10 +2812,14 @@ need_secrets_sim (NMSetting8021x *self,
static gboolean
need_private_key_password (GBytes *blob,
const char *path,
- const char *password)
+ const char *password,
+ NMSettingSecretFlags flags)
{
NMCryptoFileFormat format = NM_CRYPTO_FILE_FORMAT_UNKNOWN;
+ if (flags & NM_SETTING_SECRET_FLAG_NOT_REQUIRED)
+ return FALSE;
+
/* Private key password is required */
if (password) {
if (path)
@@ -2589,7 +2829,7 @@ need_private_key_password (GBytes *blob,
g_bytes_get_size (blob),
password, NULL, NULL);
else
- g_warning ("%s: unknown private key password scheme", __func__);
+ return FALSE;
}
return (format == NM_CRYPTO_FILE_FORMAT_UNKNOWN);
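Review bot: The `else` branch now returns FALSE without any diagnostic when a password is set but neither a path nor a blob is available, which is the PKCS#11 case need_secrets_tls now routes here on purpose, but it also covers a key with an unknown scheme, where the old code at least warned. A short comment would make the intent explicit, e.g. `/* No file or blob to test the password against (PKCS#11 token): accept the supplied password as-is. */`. need_private_key_password starts in the previous hunk and its new flags parameter is likewise undocumented; a one-line header stating that TRUE means "a password is still required" would help.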
@@ -2609,34 +2849,52 @@ need_secrets_tls (NMSetting8021x *self,
scheme = nm_setting_802_1x_get_phase2_private_key_scheme (self);
if (scheme == NM_SETTING_802_1X_CK_SCHEME_PATH)
path = nm_setting_802_1x_get_phase2_private_key_path (self);
- else if (scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11)
- return;
else if (scheme == NM_SETTING_802_1X_CK_SCHEME_BLOB)
blob = nm_setting_802_1x_get_phase2_private_key_blob (self);
- else {
+ else if (scheme != NM_SETTING_802_1X_CK_SCHEME_PKCS11)
g_warning ("%s: unknown phase2 private key scheme %d", __func__, scheme);
- g_ptr_array_add (secrets, NM_SETTING_802_1X_PHASE2_PRIVATE_KEY);
- return;
- }
- if (need_private_key_password (blob, path, priv->phase2_private_key_password))
+ if (need_private_key_password (blob, path,
+ priv->phase2_private_key_password,
+ priv->phase2_private_key_password_flags))
g_ptr_array_add (secrets, NM_SETTING_802_1X_PHASE2_PRIVATE_KEY_PASSWORD);
+
+ scheme = nm_setting_802_1x_get_phase2_ca_cert_scheme (self);
+ if ( scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11
+ && !(priv->phase2_ca_cert_password_flags & NM_SETTING_SECRET_FLAG_NOT_REQUIRED)
+ && !priv->phase2_ca_cert_password)
+ g_ptr_array_add (secrets, NM_SETTING_802_1X_PHASE2_CA_CERT_PASSWORD);
+
+ scheme = nm_setting_802_1x_get_phase2_client_cert_scheme (self);
+ if ( scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11
+ && !(priv->phase2_client_cert_password_flags & NM_SETTING_SECRET_FLAG_NOT_REQUIRED)
+ && !priv->phase2_client_cert_password)
+ g_ptr_array_add (secrets, NM_SETTING_802_1X_PHASE2_CLIENT_CERT_PASSWORD);
} else {
scheme = nm_setting_802_1x_get_private_key_scheme (self);
if (scheme == NM_SETTING_802_1X_CK_SCHEME_PATH)
path = nm_setting_802_1x_get_private_key_path (self);
- else if (scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11)
- return;
else if (scheme == NM_SETTING_802_1X_CK_SCHEME_BLOB)
blob = nm_setting_802_1x_get_private_key_blob (self);
- else {
+ else if (scheme != NM_SETTING_802_1X_CK_SCHEME_PKCS11)
g_warning ("%s: unknown private key scheme %d", __func__, scheme);
- g_ptr_array_add (secrets, NM_SETTING_802_1X_PRIVATE_KEY);
- return;
- }
- if (need_private_key_password (blob, path, priv->private_key_password))
+ if (need_private_key_password (blob, path,
+ priv->private_key_password,
+ priv->private_key_password_flags))
g_ptr_array_add (secrets, NM_SETTING_802_1X_PRIVATE_KEY_PASSWORD);
+
+ scheme = nm_setting_802_1x_get_ca_cert_scheme (self);
+ if ( scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11
+ && !(priv->ca_cert_password_flags & NM_SETTING_SECRET_FLAG_NOT_REQUIRED)
+ && !priv->ca_cert_password)
+ g_ptr_array_add (secrets, NM_SETTING_802_1X_CA_CERT_PASSWORD);
+
+ scheme = nm_setting_802_1x_get_client_cert_scheme (self);
+ if ( scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11
+ && !(priv->client_cert_password_flags & NM_SETTING_SECRET_FLAG_NOT_REQUIRED)
+ && !priv->client_cert_password)
+ g_ptr_array_add (secrets, NM_SETTING_802_1X_CLIENT_CERT_PASSWORD);
}
}
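Review bot: Dropping the `else { … g_ptr_array_add (secrets, NM_SETTING_802_1X_PHASE2_PRIVATE_KEY); return; }` branch changes what is requested for an unknown private-key scheme: the code now only warns and falls into need_private_key_password with a NULL blob and path, which returns TRUE when no password is set, so the caller is asked for PRIVATE_KEY_PASSWORD instead of PRIVATE_KEY. If that path is reachable (a TLS connection whose key was never set), the old request for the key itself seems to be the right one; keeping `g_ptr_array_add (secrets, NM_SETTING_802_1X_PHASE2_PRIVATE_KEY); return;` inside the `scheme != NM_SETTING_802_1X_CK_SCHEME_PKCS11` branch (and its non-phase2 twin) limits the new fall-through to PKCS#11. The four PKCS#11 certificate-password checks repeat the same three-line condition and could be a small static helper taking the scheme, flags and password. need_secrets_tls begins before this hunk.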
@@ -2951,21 +3209,37 @@ need_secrets (NMSetting *setting)
}
static gboolean
-verify_cert (GBytes *bytes, const char *prop_name, GError **error)
+verify_cert (GBytes *bytes, const char *prop_name,
+ const char *password, const char *password_prop_name, GError **error)
{
GError *local = NULL;
+ NMSetting8021xCKScheme scheme;
- if ( !bytes
- || get_cert_scheme (bytes, &local) != NM_SETTING_802_1X_CK_SCHEME_UNKNOWN)
+ if (bytes)
+ scheme = get_cert_scheme (bytes, &local);
+ else
return TRUE;
- g_set_error (error,
- NM_CONNECTION_ERROR,
- NM_CONNECTION_ERROR_INVALID_PROPERTY,
- _("certificate is invalid: %s"), local->message);
- g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, prop_name);
- g_error_free (local);
- return FALSE;
+ if (scheme == NM_SETTING_802_1X_CK_SCHEME_UNKNOWN) {
+ g_set_error (error,
+ NM_CONNECTION_ERROR,
+ NM_CONNECTION_ERROR_INVALID_PROPERTY,
+ _("certificate is invalid: %s"), local->message);
+ g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, prop_name);
+ g_error_free (local);
+ return FALSE;
+ }
+
+ if (password && (scheme != NM_SETTING_802_1X_CK_SCHEME_PKCS11)) {
+ g_set_error (error,
+ NM_CONNECTION_ERROR,
+ NM_CONNECTION_ERROR_INVALID_PROPERTY,
+ _("password is not supported when certificate is not on a PKCS#11 token"));
+ g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, password_prop_name);
+ return FALSE;
+ }
+
+ return TRUE;
}
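Review bot: With `bytes` NULL the function returns TRUE before the new password check runs, so a `*-cert-password` set on a property that has no certificate at all is never rejected by verify(), while the same password next to a file-based certificate is. If a password without a token-backed certificate is meant to be invalid regardless, the early return should only cover the "nothing set" case and the password check should also fire when there is no certificate; `local` is then only dereferenced on the path where get_cert_scheme was actually called.
```c
static gboolean
verify_cert (GBytes *bytes, const char *prop_name,
             const char *password, const char *password_prop_name, GError **error)
{
	GError *local = NULL;
	NMSetting8021xCKScheme scheme = NM_SETTING_802_1X_CK_SCHEME_UNKNOWN;

	/* Neither certificate nor password: nothing to check. */
	if (!bytes && !password)
		return TRUE;

	if (bytes) {
		scheme = get_cert_scheme (bytes, &local);
		if (scheme == NM_SETTING_802_1X_CK_SCHEME_UNKNOWN) {
			/* … unchanged: "certificate is invalid" error … */
			return FALSE;
		}
	}

	/* A password only makes sense for a certificate on a PKCS#11 token. */
	if (password && (!bytes || scheme != NM_SETTING_802_1X_CK_SCHEME_PKCS11)) {
		/* … unchanged: "password is not supported" error … */
		return FALSE;
	}

	return TRUE;
}
```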
static gboolean
@@ -3068,19 +3342,23 @@ verify (NMSetting *setting, NMConnection *connection, GError **error)
return FALSE;
}
- if (!verify_cert (priv->ca_cert, NM_SETTING_802_1X_CA_CERT, error))
+ if (!verify_cert (priv->ca_cert, NM_SETTING_802_1X_CA_CERT,
+ priv->ca_cert_password, NM_SETTING_802_1X_CA_CERT_PASSWORD, error))
return FALSE;
- if (!verify_cert (priv->phase2_ca_cert, NM_SETTING_802_1X_PHASE2_CA_CERT, error))
+ if (!verify_cert (priv->phase2_ca_cert, NM_SETTING_802_1X_PHASE2_CA_CERT,
+ priv->phase2_ca_cert_password, NM_SETTING_802_1X_PHASE2_CA_CERT_PASSWORD, error))
return FALSE;
- if (!verify_cert (priv->client_cert, NM_SETTING_802_1X_CLIENT_CERT, error))
+ if (!verify_cert (priv->client_cert, NM_SETTING_802_1X_CLIENT_CERT,
+ priv->client_cert_password, NM_SETTING_802_1X_CLIENT_CERT_PASSWORD, error))
return FALSE;
- if (!verify_cert (priv->phase2_client_cert, NM_SETTING_802_1X_PHASE2_CLIENT_CERT, error))
+ if (!verify_cert (priv->phase2_client_cert, NM_SETTING_802_1X_PHASE2_CLIENT_CERT,
+ priv->phase2_client_cert_password, NM_SETTING_802_1X_PHASE2_CLIENT_CERT_PASSWORD, error))
return FALSE;
- if (!verify_cert (priv->private_key, NM_SETTING_802_1X_PRIVATE_KEY, error))
+ if (!verify_cert (priv->private_key, NM_SETTING_802_1X_PRIVATE_KEY, NULL, NULL, error))
return FALSE;
- if (!verify_cert (priv->phase2_private_key, NM_SETTING_802_1X_PHASE2_PRIVATE_KEY, error))
+ if (!verify_cert (priv->phase2_private_key, NM_SETTING_802_1X_PHASE2_PRIVATE_KEY, NULL, NULL, error))
return FALSE;
/* FIXME: finish */
@@ -3125,15 +3403,19 @@ finalize (GObject *object)
if (priv->ca_cert)
g_bytes_unref (priv->ca_cert);
+ g_free (priv->ca_cert_password);
if (priv->client_cert)
g_bytes_unref (priv->client_cert);
+ g_free (priv->client_cert_password);
if (priv->private_key)
g_bytes_unref (priv->private_key);
g_free (priv->private_key_password);
if (priv->phase2_ca_cert)
g_bytes_unref (priv->phase2_ca_cert);
+ g_free (priv->phase2_ca_cert_password);
if (priv->phase2_client_cert)
g_bytes_unref (priv->phase2_client_cert);
+ g_free (priv->phase2_client_cert_password);
if (priv->phase2_private_key)
g_bytes_unref (priv->phase2_private_key);
g_free (priv->phase2_private_key_password);
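Review bot: The four new password fields are released with plain `g_free`, matching the existing private_key_password lines, so the token PIN stays in freed heap memory until reused; the same applies to the `g_free`-then-dup sequences in the set_property hunks. If the project has a helper that clears a secret before freeing it, using it here would be the place; otherwise a comment noting that these strings are secrets keeps a future cleanup targeted. finalize begins before this hunk.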
@@ -3150,7 +3432,7 @@ set_cert_prop_helper (const GValue *value, const char *prop_name, GError **error
bytes = g_value_dup_boxed (value);
/* Verify the new data */
if (bytes) {
- valid = verify_cert (bytes, prop_name, error);
+ valid = verify_cert (bytes, prop_name, NULL, NULL, error);
if (!valid)
g_clear_pointer (&bytes, g_bytes_unref);
}
@@ -3191,6 +3473,13 @@ set_property (GObject *object, guint prop_id,
g_error_free (error);
}
break;
+ case PROP_CA_CERT_PASSWORD:
+ g_free (priv->ca_cert_password);
+ priv->ca_cert_password = g_value_dup_string (value);
+ break;
+ case PROP_CA_CERT_PASSWORD_FLAGS:
+ priv->ca_cert_password_flags = g_value_get_flags (value);
+ break;
case PROP_CA_PATH:
g_free (priv->ca_path);
priv->ca_path = g_value_dup_string (value);
@@ -3216,6 +3505,13 @@ set_property (GObject *object, guint prop_id,
g_error_free (error);
}
break;
+ case PROP_CLIENT_CERT_PASSWORD:
+ g_free (priv->client_cert_password);
+ priv->client_cert_password = g_value_dup_string (value);
+ break;
+ case PROP_CLIENT_CERT_PASSWORD_FLAGS:
+ priv->client_cert_password_flags = g_value_get_flags (value);
+ break;
case PROP_PHASE1_PEAPVER:
g_free (priv->phase1_peapver);
priv->phase1_peapver = g_value_dup_string (value);
@@ -3245,6 +3541,13 @@ set_property (GObject *object, guint prop_id,
g_error_free (error);
}
break;
+ case PROP_PHASE2_CA_CERT_PASSWORD:
+ g_free (priv->phase2_ca_cert_password);
+ priv->phase2_ca_cert_password = g_value_dup_string (value);
+ break;
+ case PROP_PHASE2_CA_CERT_PASSWORD_FLAGS:
+ priv->phase2_ca_cert_password_flags = g_value_get_flags (value);
+ break;
case PROP_PHASE2_CA_PATH:
g_free (priv->phase2_ca_path);
priv->phase2_ca_path = g_value_dup_string (value);
@@ -3262,6 +3565,7 @@ set_property (GObject *object, guint prop_id,
priv->phase2_domain_suffix_match = nm_strdup_not_empty (g_value_get_string (value));
break;
case PROP_PHASE2_CLIENT_CERT:
+
if (priv->phase2_client_cert)
g_bytes_unref (priv->phase2_client_cert);
priv->phase2_client_cert = set_cert_prop_helper (value, NM_SETTING_802_1X_PHASE2_CLIENT_CERT, &error);
@@ -3270,6 +3574,13 @@ set_property (GObject *object, guint prop_id,
g_error_free (error);
}
break;
+ case PROP_PHASE2_CLIENT_CERT_PASSWORD:
+ g_free (priv->phase2_client_cert_password);
+ priv->phase2_client_cert_password = g_value_dup_string (value);
+ break;
+ case PROP_PHASE2_CLIENT_CERT_PASSWORD_FLAGS:
+ priv->phase2_client_cert_password_flags = g_value_get_flags (value);
+ break;
case PROP_PASSWORD:
g_free (priv->password);
priv->password = g_value_dup_string (value);
@@ -3356,6 +3667,12 @@ get_property (GObject *object, guint prop_id,
case PROP_CA_CERT:
g_value_set_boxed (value, priv->ca_cert);
break;
+ case PROP_CA_CERT_PASSWORD:
+ g_value_set_string (value, priv->ca_cert_password);
+ break;
+ case PROP_CA_CERT_PASSWORD_FLAGS:
+ g_value_set_flags (value, priv->ca_cert_password_flags);
+ break;
case PROP_CA_PATH:
g_value_set_string (value, priv->ca_path);
break;
@@ -3371,6 +3688,12 @@ get_property (GObject *object, guint prop_id,
case PROP_CLIENT_CERT:
g_value_set_boxed (value, priv->client_cert);
break;
+ case PROP_CLIENT_CERT_PASSWORD:
+ g_value_set_string (value, priv->client_cert_password);
+ break;
+ case PROP_CLIENT_CERT_PASSWORD_FLAGS:
+ g_value_set_flags (value, priv->client_cert_password_flags);
+ break;
case PROP_PHASE1_PEAPVER:
g_value_set_string (value, priv->phase1_peapver);
break;
@@ -3389,6 +3712,12 @@ get_property (GObject *object, guint prop_id,
case PROP_PHASE2_CA_CERT:
g_value_set_boxed (value, priv->phase2_ca_cert);
break;
+ case PROP_PHASE2_CA_CERT_PASSWORD:
+ g_value_set_string (value, priv->phase2_ca_cert_password);
+ break;
+ case PROP_PHASE2_CA_CERT_PASSWORD_FLAGS:
+ g_value_set_flags (value, priv->phase2_ca_cert_password_flags);
+ break;
case PROP_PHASE2_CA_PATH:
g_value_set_string (value, priv->phase2_ca_path);
break;
@@ -3404,6 +3733,12 @@ get_property (GObject *object, guint prop_id,
case PROP_PHASE2_CLIENT_CERT:
g_value_set_boxed (value, priv->phase2_client_cert);
break;
+ case PROP_PHASE2_CLIENT_CERT_PASSWORD:
+ g_value_set_string (value, priv->phase2_client_cert_password);
+ break;
+ case PROP_PHASE2_CLIENT_CERT_PASSWORD_FLAGS:
+ g_value_set_flags (value, priv->phase2_client_cert_password_flags);
+ break;
case PROP_PASSWORD:
g_value_set_string (value, priv->password);
break;
@@ -3583,6 +3918,44 @@ nm_setting_802_1x_class_init (NMSetting8021xClass *setting_class)
G_PARAM_STATIC_STRINGS));
/**
+ * NMSetting8021x:ca-cert-password:
+ *
+ * The password used to access the CA certificate stored in
+ * #NMSetting8021x:ca-cert property. Only makes sense if the certificate
+ * is stored on a PKCS#<!-- -->11 token that requires a login.
+ *
+ * Since: 1.8
+ **/
+ /* ---ifcfg-rh---
+ * ---end---
+ */
+ g_object_class_install_property
+ (object_class, PROP_CA_CERT_PASSWORD,
+ g_param_spec_string (NM_SETTING_802_1X_CA_CERT_PASSWORD, "", "",
+ NULL,
+ G_PARAM_READWRITE |
+ NM_SETTING_PARAM_SECRET |
+ G_PARAM_STATIC_STRINGS));
+
+ /**
+ * NMSetting8021x:ca-cert-password-flags:
+ *
+ * Flags indicating how to handle the #NMSetting8021x:ca-cert-password property.
+ *
+ * Since: 1.8
+ **/
+ /* ---ifcfg-rh---
+ * ---end---
+ */
+ g_object_class_install_property
+ (object_class, PROP_CA_CERT_PASSWORD_FLAGS,
+ g_param_spec_flags (NM_SETTING_802_1X_CA_CERT_PASSWORD_FLAGS, "", "",
+ NM_TYPE_SETTING_SECRET_FLAGS,
+ NM_SETTING_SECRET_FLAG_NONE,
+ G_PARAM_READWRITE |
+ G_PARAM_STATIC_STRINGS));
+
+ /**
* NMSetting8021x:ca-path:
*
* UTF-8 encoded path to a directory containing PEM or DER formatted
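Review bot: The `---ifcfg-rh--- … ---end---` block for ca-cert-password (and for ca-cert-password-flags) is empty, yet the ifcfg-rh reader in this same merge reads these properties from `IEEE_8021X_CA_CERT_PASSWORD` and `IEEE_8021X_CA_CERT_PASSWORD_FLAGS`. Filling in the block with the `variable:` and `description:` entries the other properties use would keep the generated ifcfg-rh documentation in step with the plugin. The same empty blocks appear in the client-cert-password, phase2-ca-cert-password and phase2-client-cert-password hunks that follow, with the corresponding `IEEE_8021X_CLIENT_CERT_PASSWORD` and `IEEE_8021X_INNER_*` keys.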
@@ -3701,6 +4074,44 @@ nm_setting_802_1x_class_init (NMSetting8021xClass *setting_class)
G_PARAM_STATIC_STRINGS));
/**
+ * NMSetting8021x:client-cert-password:
+ *
+ * The password used to access the client certificate stored in
+ * #NMSetting8021x:client-cert property. Only makes sense if the certificate
+ * is stored on a PKCS#<!-- -->11 token that requires a login.
+ *
+ * Since: 1.8
+ **/
+ /* ---ifcfg-rh---
+ * ---end---
+ */
+ g_object_class_install_property
+ (object_class, PROP_CLIENT_CERT_PASSWORD,
+ g_param_spec_string (NM_SETTING_802_1X_CLIENT_CERT_PASSWORD, "", "",
+ NULL,
+ G_PARAM_READWRITE |
+ NM_SETTING_PARAM_SECRET |
+ G_PARAM_STATIC_STRINGS));
+
+ /**
+ * NMSetting8021x:client-cert-password-flags:
+ *
+ * Flags indicating how to handle the #NMSetting8021x:client-cert-password property.
+ *
+ * Since: 1.8
+ **/
+ /* ---ifcfg-rh---
+ * ---end---
+ */
+ g_object_class_install_property
+ (object_class, PROP_CLIENT_CERT_PASSWORD_FLAGS,
+ g_param_spec_flags (NM_SETTING_802_1X_CLIENT_CERT_PASSWORD_FLAGS, "", "",
+ NM_TYPE_SETTING_SECRET_FLAGS,
+ NM_SETTING_SECRET_FLAG_NONE,
+ G_PARAM_READWRITE |
+ G_PARAM_STATIC_STRINGS));
+
+ /**
* NMSetting8021x:phase1-peapver:
*
* Forces which PEAP version is used when PEAP is set as the EAP method in
@@ -3851,6 +4262,44 @@ nm_setting_802_1x_class_init (NMSetting8021xClass *setting_class)
G_PARAM_STATIC_STRINGS));
/**
+ * NMSetting8021x:phase2-ca-cert-password:
+ *
+ * The password used to access the "phase2" CA certificate stored in
+ * #NMSetting8021x:phase2-ca-cert property. Only makes sense if the certificate
+ * is stored on a PKCS#<!-- -->11 token that requires a login.
+ *
+ * Since: 1.8
+ **/
+ /* ---ifcfg-rh---
+ * ---end---
+ */
+ g_object_class_install_property
+ (object_class, PROP_PHASE2_CA_CERT_PASSWORD,
+ g_param_spec_string (NM_SETTING_802_1X_PHASE2_CA_CERT_PASSWORD, "", "",
+ NULL,
+ G_PARAM_READWRITE |
+ NM_SETTING_PARAM_SECRET |
+ G_PARAM_STATIC_STRINGS));
+
+ /**
+ * NMSetting8021x:phase2-ca-cert-password-flags:
+ *
+ * Flags indicating how to handle the #NMSetting8021x:phase2-ca-cert-password property.
+ *
+ * Since: 1.8
+ **/
+ /* ---ifcfg-rh---
+ * ---end---
+ */
+ g_object_class_install_property
+ (object_class, PROP_PHASE2_CA_CERT_PASSWORD_FLAGS,
+ g_param_spec_flags (NM_SETTING_802_1X_PHASE2_CA_CERT_PASSWORD_FLAGS, "", "",
+ NM_TYPE_SETTING_SECRET_FLAGS,
+ NM_SETTING_SECRET_FLAG_NONE,
+ G_PARAM_READWRITE |
+ G_PARAM_STATIC_STRINGS));
+
+ /**
* NMSetting8021x:phase2-ca-path:
*
* UTF-8 encoded path to a directory containing PEM or DER formatted
@@ -3966,6 +4415,47 @@ nm_setting_802_1x_class_init (NMSetting8021xClass *setting_class)
G_PARAM_READWRITE |
G_PARAM_STATIC_STRINGS));
+
+
+
+ /**
+ * NMSetting8021x:phase2-client-cert-password:
+ *
+ * The password used to access the "phase2" client certificate stored in
+ * #NMSetting8021x:phase2-client-cert property. Only makes sense if the certificate
+ * is stored on a PKCS#<!-- -->11 token that requires a login.
+ *
+ * Since: 1.8
+ **/
+ /* ---ifcfg-rh---
+ * ---end---
+ */
+ g_object_class_install_property
+ (object_class, PROP_PHASE2_CLIENT_CERT_PASSWORD,
+ g_param_spec_string (NM_SETTING_802_1X_PHASE2_CLIENT_CERT_PASSWORD, "", "",
+ NULL,
+ G_PARAM_READWRITE |
+ NM_SETTING_PARAM_SECRET |
+ G_PARAM_STATIC_STRINGS));
+
+ /**
+ * NMSetting8021x:phase2-client-cert-password-flags:
+ *
+ * Flags indicating how to handle the #NMSetting8021x:phase2-client-cert-password property.
+ *
+ * Since: 1.8
+ **/
+ /* ---ifcfg-rh---
+ * ---end---
+ */
+ g_object_class_install_property
+ (object_class, PROP_PHASE2_CLIENT_CERT_PASSWORD_FLAGS,
+ g_param_spec_flags (NM_SETTING_802_1X_PHASE2_CLIENT_CERT_PASSWORD_FLAGS, "", "",
+ NM_TYPE_SETTING_SECRET_FLAGS,
+ NM_SETTING_SECRET_FLAG_NONE,
+ G_PARAM_READWRITE |
+ G_PARAM_STATIC_STRINGS));
+
/**
* NMSetting8021x:password:
*
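Review bot: Three consecutive blank lines are added at the start of this hunk before the phase2-client-cert-password doc block, where every other property in the file is separated by a single blank line. Dropping two of them keeps class_init's layout uniform.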
diff --git a/libnm-core/nm-setting-8021x.h b/libnm-core/nm-setting-8021x.h
index 9e58e4e225..170843e096 100644
--- a/libnm-core/nm-setting-8021x.h
+++ b/libnm-core/nm-setting-8021x.h
@@ -90,22 +90,30 @@ typedef enum { /*< underscore_name=nm_setting_802_1x_ck_scheme >*/
#define NM_SETTING_802_1X_ANONYMOUS_IDENTITY "anonymous-identity"
#define NM_SETTING_802_1X_PAC_FILE "pac-file"
#define NM_SETTING_802_1X_CA_CERT "ca-cert"
+#define NM_SETTING_802_1X_CA_CERT_PASSWORD "ca-cert-password"
+#define NM_SETTING_802_1X_CA_CERT_PASSWORD_FLAGS "ca-cert-password-flags"
#define NM_SETTING_802_1X_CA_PATH "ca-path"
#define NM_SETTING_802_1X_SUBJECT_MATCH "subject-match"
#define NM_SETTING_802_1X_ALTSUBJECT_MATCHES "altsubject-matches"
#define NM_SETTING_802_1X_DOMAIN_SUFFIX_MATCH "domain-suffix-match"
#define NM_SETTING_802_1X_CLIENT_CERT "client-cert"
+#define NM_SETTING_802_1X_CLIENT_CERT_PASSWORD "client-cert-password"
+#define NM_SETTING_802_1X_CLIENT_CERT_PASSWORD_FLAGS "client-cert-password-flags"
#define NM_SETTING_802_1X_PHASE1_PEAPVER "phase1-peapver"
#define NM_SETTING_802_1X_PHASE1_PEAPLABEL "phase1-peaplabel"
#define NM_SETTING_802_1X_PHASE1_FAST_PROVISIONING "phase1-fast-provisioning"
#define NM_SETTING_802_1X_PHASE2_AUTH "phase2-auth"
#define NM_SETTING_802_1X_PHASE2_AUTHEAP "phase2-autheap"
#define NM_SETTING_802_1X_PHASE2_CA_CERT "phase2-ca-cert"
+#define NM_SETTING_802_1X_PHASE2_CA_CERT_PASSWORD "phase2-ca-cert-password"
+#define NM_SETTING_802_1X_PHASE2_CA_CERT_PASSWORD_FLAGS "phase2-ca-cert-password-flags"
#define NM_SETTING_802_1X_PHASE2_CA_PATH "phase2-ca-path"
#define NM_SETTING_802_1X_PHASE2_SUBJECT_MATCH "phase2-subject-match"
#define NM_SETTING_802_1X_PHASE2_ALTSUBJECT_MATCHES "phase2-altsubject-matches"
#define NM_SETTING_802_1X_PHASE2_DOMAIN_SUFFIX_MATCH "phase2-domain-suffix-match"
#define NM_SETTING_802_1X_PHASE2_CLIENT_CERT "phase2-client-cert"
+#define NM_SETTING_802_1X_PHASE2_CLIENT_CERT_PASSWORD "phase2-client-cert-password"
+#define NM_SETTING_802_1X_PHASE2_CLIENT_CERT_PASSWORD_FLAGS "phase2-client-cert-password-flags"
#define NM_SETTING_802_1X_PASSWORD "password"
#define NM_SETTING_802_1X_PASSWORD_FLAGS "password-flags"
#define NM_SETTING_802_1X_PASSWORD_RAW "password-raw"
@@ -189,6 +197,11 @@ gboolean nm_setting_802_1x_set_ca_cert (NMSetting8
NMSetting8021xCKFormat *out_format,
GError **error);
+NM_AVAILABLE_IN_1_8
+const char * nm_setting_802_1x_get_ca_cert_password (NMSetting8021x *setting);
+NM_AVAILABLE_IN_1_8
+NMSettingSecretFlags nm_setting_802_1x_get_ca_cert_password_flags (NMSetting8021x *setting);
+
const char * nm_setting_802_1x_get_subject_match (NMSetting8021x *setting);
guint32 nm_setting_802_1x_get_num_altsubject_matches (NMSetting8021x *setting);
@@ -215,6 +228,11 @@ gboolean nm_setting_802_1x_set_client_cert (NMSetting8
NMSetting8021xCKFormat *out_format,
GError **error);
+NM_AVAILABLE_IN_1_8
+const char * nm_setting_802_1x_get_client_cert_password (NMSetting8021x *setting);
+NM_AVAILABLE_IN_1_8
+NMSettingSecretFlags nm_setting_802_1x_get_client_cert_password_flags (NMSetting8021x *setting);
+
const char * nm_setting_802_1x_get_phase1_peapver (NMSetting8021x *setting);
const char * nm_setting_802_1x_get_phase1_peaplabel (NMSetting8021x *setting);
@@ -236,6 +254,12 @@ gboolean nm_setting_802_1x_set_phase2_ca_cert (NMSetting8
NMSetting8021xCKFormat *out_format,
GError **error);
+
+NM_AVAILABLE_IN_1_8
+const char * nm_setting_802_1x_get_phase2_ca_cert_password (NMSetting8021x *setting);
+NM_AVAILABLE_IN_1_8
+NMSettingSecretFlags nm_setting_802_1x_get_phase2_ca_cert_password_flags (NMSetting8021x *setting);
+
const char * nm_setting_802_1x_get_phase2_subject_match (NMSetting8021x *setting);
guint32 nm_setting_802_1x_get_num_phase2_altsubject_matches (NMSetting8021x *setting);
@@ -262,6 +286,11 @@ gboolean nm_setting_802_1x_set_phase2_client_cert (NMSett
NMSetting8021xCKFormat *out_format,
GError **error);
+NM_AVAILABLE_IN_1_8
+const char * nm_setting_802_1x_get_phase2_client_cert_password (NMSetting8021x *setting);
+NM_AVAILABLE_IN_1_8
+NMSettingSecretFlags nm_setting_802_1x_get_phase2_client_cert_password_flags (NMSetting8021x *setting);
+
const char * nm_setting_802_1x_get_password (NMSetting8021x *setting);
NMSettingSecretFlags nm_setting_802_1x_get_password_flags (NMSetting8021x *setting);
GBytes * nm_setting_802_1x_get_password_raw (NMSetting8021x *setting);
diff --git a/libnm/libnm.ver b/libnm/libnm.ver
index d0562e2c11..31ec7b0899 100644
--- a/libnm/libnm.ver
+++ b/libnm/libnm.ver
@@ -1143,3 +1143,15 @@ global:
nm_utils_version;
nm_utils_is_valid_iface_name;
} libnm_1_4_0;
+
+libnm_1_8_0 {
+global:
+ nm_setting_802_1x_get_ca_cert_password;
+ nm_setting_802_1x_get_ca_cert_password_flags;
+ nm_setting_802_1x_get_client_cert_password;
+ nm_setting_802_1x_get_client_cert_password_flags;
+ nm_setting_802_1x_get_phase2_ca_cert_password;
+ nm_setting_802_1x_get_phase2_ca_cert_password_flags;
+ nm_setting_802_1x_get_phase2_client_cert_password;
+ nm_setting_802_1x_get_phase2_client_cert_password_flags;
+} libnm_1_6_0;
diff --git a/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c b/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c
index ab0a200e4f..4fcabec66c 100644
--- a/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c
+++ b/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c
@@ -2545,6 +2545,19 @@ get_full_file_path (const char *ifcfg_path, const char *file_path)
return ret;
}
+static char *
+get_cert_value (const char *ifcfg_path, const char *value,
+ NMSetting8021xCKScheme *out_scheme)
+{
+ if (strncmp (value, "pkcs11:", 7) == 0) {
+ *out_scheme = NM_SETTING_802_1X_CK_SCHEME_PKCS11;
+ return g_strdup (value);
+ }
+
+ *out_scheme = NM_SETTING_802_1X_CK_SCHEME_PATH;
+ return get_full_file_path (ifcfg_path, value);
+}
+
static gboolean
eap_tls_reader (const char *eap_method,
shvarFile *ifcfg,
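Review bot: `strncmp (value, "pkcs11:", 7)` carries a hand-counted prefix length; `g_str_has_prefix (value, "pkcs11:")` expresses the same test without the magic 7. A short header would also help callers, since the function returns a newly allocated string in both branches and the scheme is only meaningful through *out_scheme, e.g. `/* Returns a newly allocated PKCS#11 URI or absolute file path for @value and sets *out_scheme accordingly; the caller frees the result. */`. Note that a `pkcs11:` value is passed through verbatim, so any validation of the URI is left to the setter it is handed to.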
@@ -2555,19 +2568,30 @@ eap_tls_reader (const char *eap_method,
{
char *value;
char *ca_cert = NULL;
- char *real_path = NULL;
+ char *ca_cert_password = NULL;
+ char *real_cert_value = NULL;
char *client_cert = NULL;
+ char *client_cert_password = NULL;
char *privkey = NULL;
char *privkey_password = NULL;
gboolean success = FALSE;
NMSetting8021xCKFormat privkey_format = NM_SETTING_802_1X_CK_FORMAT_UNKNOWN;
const char *ca_cert_key = phase2 ? "IEEE_8021X_INNER_CA_CERT" : "IEEE_8021X_CA_CERT";
- const char *pk_pw_key = phase2 ? "IEEE_8021X_INNER_PRIVATE_KEY_PASSWORD": "IEEE_8021X_PRIVATE_KEY_PASSWORD";
- const char *pk_key = phase2 ? "IEEE_8021X_INNER_PRIVATE_KEY" : "IEEE_8021X_PRIVATE_KEY";
+ const char *ca_cert_pw_key = phase2 ? "IEEE_8021X_INNER_CA_CERT_PASSWORD" : "IEEE_8021X_CA_CERT_PASSWORD";
+ const char *ca_cert_pw_prop = phase2 ? NM_SETTING_802_1X_PHASE2_CA_CERT_PASSWORD : NM_SETTING_802_1X_CA_CERT_PASSWORD;
+ const char *ca_cert_pw_flags_key = phase2 ? "IEEE_8021X_INNER_CA_CERT_PASSWORD_FLAGS" : "IEEE_8021X_CA_CERT_PASSWORD_FLAGS";
+ const char *ca_cert_pw_flags_prop = phase2 ? NM_SETTING_802_1X_PHASE2_CA_CERT_PASSWORD_FLAGS : NM_SETTING_802_1X_CA_CERT_PASSWORD_FLAGS;
const char *cli_cert_key = phase2 ? "IEEE_8021X_INNER_CLIENT_CERT" : "IEEE_8021X_CLIENT_CERT";
+ const char *cli_cert_pw_key = phase2 ? "IEEE_8021X_INNER_CLIENT_CERT_PASSWORD" : "IEEE_8021X_CLIENT_CERT_PASSWORD";
+ const char *cli_cert_pw_prop = phase2 ? NM_SETTING_802_1X_PHASE2_CLIENT_CERT_PASSWORD : NM_SETTING_802_1X_CLIENT_CERT_PASSWORD;
+ const char *cli_cert_pw_flags_key = phase2 ? "IEEE_8021X_INNER_CLIENT_CERT_PASSWORD_FLAGS" : "IEEE_8021X_CLIENT_CERT_PASSWORD_FLAGS";
+ const char *cli_cert_pw_flags_prop = phase2 ? NM_SETTING_802_1X_PHASE2_CLIENT_CERT_PASSWORD_FLAGS : NM_SETTING_802_1X_CLIENT_CERT_PASSWORD_FLAGS;
+ const char *pk_key = phase2 ? "IEEE_8021X_INNER_PRIVATE_KEY" : "IEEE_8021X_PRIVATE_KEY";
+ const char *pk_pw_key = phase2 ? "IEEE_8021X_INNER_PRIVATE_KEY_PASSWORD": "IEEE_8021X_PRIVATE_KEY_PASSWORD";
const char *pk_pw_flags_key = phase2 ? "IEEE_8021X_INNER_PRIVATE_KEY_PASSWORD_FLAGS": "IEEE_8021X_PRIVATE_KEY_PASSWORD_FLAGS";
const char *pk_pw_flags_prop = phase2 ? NM_SETTING_802_1X_PHASE2_PRIVATE_KEY_PASSWORD_FLAGS : NM_SETTING_802_1X_PRIVATE_KEY_PASSWORD_FLAGS;
NMSettingSecretFlags flags;
+ NMSetting8021xCKScheme scheme;
value = svGetValueString (ifcfg, "IEEE_8021X_IDENTITY");
if (value) {
@@ -2577,24 +2601,26 @@ eap_tls_reader (const char *eap_method,
ca_cert = svGetValueString (ifcfg, ca_cert_key);
if (ca_cert) {
- real_path = get_full_file_path (svFileGetName (ifcfg), ca_cert);
+ real_cert_value = get_cert_value (svFileGetName (ifcfg), ca_cert, &scheme);
if (phase2) {
- if (!nm_setting_802_1x_set_phase2_ca_cert (s_8021x,
- real_path,
- NM_SETTING_802_1X_CK_SCHEME_PATH,
- NULL,
- error))
+ if (!nm_setting_802_1x_set_phase2_ca_cert (s_8021x, real_cert_value, scheme, NULL, error))
goto done;
} else {
- if (!nm_setting_802_1x_set_ca_cert (s_8021x,
- real_path,
- NM_SETTING_802_1X_CK_SCHEME_PATH,
- NULL,
- error))
+ if (!nm_setting_802_1x_set_ca_cert (s_8021x, real_cert_value, scheme, NULL, error))
goto done;
}
- g_free (real_path);
- real_path = NULL;
+ g_free (real_cert_value);
+ real_cert_value = NULL;
+
+ if (scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11) {
+ flags = read_secret_flags (ifcfg, ca_cert_pw_flags_key);
+ g_object_set (s_8021x, ca_cert_pw_flags_prop, flags, NULL);
+
+ if (flags == NM_SETTING_SECRET_FLAG_NONE) {
+ ca_cert_password = svGetValueString (ifcfg, ca_cert_pw_key);
+ g_object_set (s_8021x, ca_cert_pw_prop, ca_cert_password, NULL);
+ }
+ }
} else {
PARSE_WARNING ("missing %s for EAP method '%s'; this is insecure!",
ca_cert_key, eap_method);
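Review bot: The CA-certificate password is read with `svGetValueString (ifcfg, ca_cert_pw_key)`, i.e. from the main ifcfg file. If, as for the existing private-key password, the plugin keeps secrets in the separate keys- file with restricted permissions, this reads from the wrong file and the writer side should be checked for where it stores `IEEE_8021X_CA_CERT_PASSWORD`; the signature of eap_tls_reader continues outside the hunk so the available file handles are not visible here. The same applies to the client-cert password read in the later hunk of this function.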
@@ -2632,26 +2658,26 @@ eap_tls_reader (const char *eap_method,
goto done;
}
- real_path = get_full_file_path (svFileGetName (ifcfg), privkey);
+ real_cert_value = get_cert_value (svFileGetName (ifcfg), privkey, &scheme);
if (phase2) {
if (!nm_setting_802_1x_set_phase2_private_key (s_8021x,
- real_path,
+ real_cert_value,
privkey_password,
- NM_SETTING_802_1X_CK_SCHEME_PATH,
+ scheme,
&privkey_format,
error))
goto done;
} else {
if (!nm_setting_802_1x_set_private_key (s_8021x,
- real_path,
+ real_cert_value,
privkey_password,
- NM_SETTING_802_1X_CK_SCHEME_PATH,
+ scheme,
&privkey_format,
error))
goto done;
}
- g_free (real_path);
- real_path = NULL;
+ g_free (real_cert_value);
+ real_cert_value = NULL;
/* Only set the client certificate if the private key is not PKCS#12 format,
* as NM (due to supplicant restrictions) requires. If the key was PKCS#12,
@@ -2669,30 +2695,32 @@ eap_tls_reader (const char *eap_method,
goto done;
}
- real_path = get_full_file_path (svFileGetName (ifcfg), client_cert);
+ real_cert_value = get_cert_value (svFileGetName (ifcfg), client_cert, &scheme);
if (phase2) {
- if (!nm_setting_802_1x_set_phase2_client_cert (s_8021x,
- real_path,
- NM_SETTING_802_1X_CK_SCHEME_PATH,
- NULL,
- error))
+ if (!nm_setting_802_1x_set_phase2_client_cert (s_8021x, real_cert_value, scheme, NULL, error))
goto done;
} else {
- if (!nm_setting_802_1x_set_client_cert (s_8021x,
- real_path,
- NM_SETTING_802_1X_CK_SCHEME_PATH,
- NULL,
- error))
+ if (!nm_setting_802_1x_set_client_cert (s_8021x, real_cert_value, scheme, NULL, error))
goto done;
}
- g_free (real_path);
- real_path = NULL;
+ g_free (real_cert_value);
+ real_cert_value = NULL;
+
+ if (scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11) {
+ flags = read_secret_flags (ifcfg, cli_cert_pw_flags_key);
+ g_object_set (s_8021x, cli_cert_pw_flags_prop, flags, NULL);
+
+ if (flags == NM_SETTING_SECRET_FLAG_NONE) {
+ client_cert_password = svGetValueString (ifcfg, cli_cert_pw_key);
+ g_object_set (s_8021x, cli_cert_pw_prop, client_cert_password, NULL);
+ }
+ }
}
success = TRUE;
done:
- g_free (real_path);
+ g_free (real_cert_value);
g_free (ca_cert);
g_free (client_cert);
g_free (privkey);
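Review bot: The `done:` cleanup frees `real_cert_value`, `ca_cert`, `client_cert` and `privkey`, but not the `client_cert_password` (this hunk) or `ca_cert_password` (the first hunk of this function) strings obtained from `svGetValueString` in the PKCS11 branches. Those strings carry a token PIN, so if they are released further down past the hunk they should be zeroed before being freed rather than handed to a plain `g_free`, and if they are not released at all this is a leak of a secret. The declarations of these variables and the start of eap_tls_reader are outside the visible hunks, so this is inferred from the cleanup shown here.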
@@ -2710,21 +2738,18 @@ eap_peap_reader (const char *eap_method,
{
char *anon_ident = NULL;
char *ca_cert = NULL;
- char *real_cert_path = NULL;
+ char *real_cert_value = NULL;
char *inner_auth = NULL;
char *peapver = NULL;
char *lower;
char **list = NULL, **iter;
gboolean success = FALSE;
+ NMSetting8021xCKScheme scheme;
ca_cert = svGetValueString (ifcfg, "IEEE_8021X_CA_CERT");
if (ca_cert) {
- real_cert_path = get_full_file_path (svFileGetName (ifcfg), ca_cert);
- if (!nm_setting_802_1x_set_ca_cert (s_8021x,
- real_cert_path,
- NM_SETTING_802_1X_CK_SCHEME_PATH,
- NULL,
- error))
+ real_cert_value = get_cert_value (svFileGetName (ifcfg), ca_cert, &scheme);
+ if (!nm_setting_802_1x_set_ca_cert (s_8021x, real_cert_value, scheme, NULL, error))
goto done;
} else {
PARSE_WARNING ("missing IEEE_8021X_CA_CERT for EAP method '%s'; this is insecure!",
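Review bot: eap_peap_reader does not read the CA certificate PIN and its flags when `get_cert_value` reports `NM_SETTING_802_1X_CK_SCHEME_PKCS11`, whereas eap_tls_reader does so right after `nm_setting_802_1x_set_ca_cert` (the `read_secret_flags` / `svGetValueString` block in its first hunk). The same omission is in eap_ttls_reader below. Unless the PIN is intentionally unsupported for PEAP/TTLS CA objects, the same block should follow the `set_ca_cert` call here, e.g. `if (scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11) { flags = read_secret_flags (ifcfg, "IEEE_8021X_CA_CERT_PASSWORD_FLAGS"); ... }`, mirroring the key names the writer emits as `<ifcfg_rh_key>_PASSWORD` / `_PASSWORD_FLAGS`. The rest of the function, including its `done:` label, is outside this hunk.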
@@ -2799,7 +2824,7 @@ done:
g_strfreev (list);
g_free (inner_auth);
g_free (peapver);
- g_free (real_cert_path);
+ g_free (real_cert_value);
g_free (ca_cert);
g_free (anon_ident);
return success;
@@ -2816,19 +2841,16 @@ eap_ttls_reader (const char *eap_method,
gboolean success = FALSE;
char *anon_ident = NULL;
char *ca_cert = NULL;
- char *real_cert_path = NULL;
+ char *real_cert_value = NULL;
char *inner_auth = NULL;
char *tmp;
char **list = NULL, **iter;
+ NMSetting8021xCKScheme scheme;
ca_cert = svGetValueString (ifcfg, "IEEE_8021X_CA_CERT");
if (ca_cert) {
- real_cert_path = get_full_file_path (svFileGetName (ifcfg), ca_cert);
- if (!nm_setting_802_1x_set_ca_cert (s_8021x,
- real_cert_path,
- NM_SETTING_802_1X_CK_SCHEME_PATH,
- NULL,
- error))
+ real_cert_value = get_cert_value (svFileGetName (ifcfg), ca_cert, &scheme);
+ if (!nm_setting_802_1x_set_ca_cert (s_8021x, real_cert_value, scheme, NULL, error))
goto done;
} else {
PARSE_WARNING ("missing IEEE_8021X_CA_CERT for EAP method '%s'; this is insecure!",
@@ -2887,7 +2909,7 @@ done:
if (list)
g_strfreev (list);
g_free (inner_auth);
- g_free (real_cert_path);
+ g_free (real_cert_value);
g_free (ca_cert);
g_free (anon_ident);
return success;
diff --git a/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-utils.c b/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-utils.c
index d1c0097649..0a6b16947a 100644
--- a/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-utils.c
+++ b/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-utils.c
@@ -100,19 +100,20 @@ utils_should_ignore_file (const char *filename, gboolean only_ifcfg)
}
char *
-utils_cert_path (const char *parent, const char *suffix)
+utils_cert_path (const char *parent, const char *suffix, const char *extension)
{
+ gs_free char *dir = NULL;
const char *name;
- char *dir, *path;
- g_return_val_if_fail (parent != NULL, NULL);
- g_return_val_if_fail (suffix != NULL, NULL);
+ g_return_val_if_fail (parent, NULL);
+ g_return_val_if_fail (suffix, NULL);
+ g_return_val_if_fail (extension, NULL);
name = utils_get_ifcfg_name (parent, FALSE);
+ g_return_val_if_fail (name, NULL);
+
dir = g_path_get_dirname (parent);
- path = g_strdup_printf ("%s/%s-%s", dir, name, suffix);
- g_free (dir);
- return path;
+ return g_strdup_printf ("%s/%s-%s.%s", dir, name, suffix, extension);
}
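Review bot: The new `extension` parameter and the new NULL return path deserve a short header comment, since callers in the writer now have to handle NULL. Suggested comment above the definition: `/* Build "<dir of parent>/<ifcfg name>-<suffix>.<extension>" for a certificate or key stored next to @parent. Returns a newly allocated string, or NULL (with a critical) when @parent is not an ifcfg-* file. */`.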
const char *
diff --git a/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-utils.h b/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-utils.h
index af0469e66f..d209a0673c 100644
--- a/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-utils.h
+++ b/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-utils.h
@@ -31,7 +31,7 @@
#define NM_IFCFG_CONNECTION_LOG_FMTD "%s (%s,\"%s\",%p)"
#define NM_IFCFG_CONNECTION_LOG_ARGD(con) NM_IFCFG_CONNECTION_LOG_PATH (nm_settings_connection_get_filename ((NMSettingsConnection *) (con))), nm_connection_get_uuid ((NMConnection *) (con)), nm_connection_get_id ((NMConnection *) (con)), (con)
-char *utils_cert_path (const char *parent, const char *suffix);
+char *utils_cert_path (const char *parent, const char *suffix, const char *extension);
const char *utils_get_ifcfg_name (const char *file, gboolean only_ifcfg);
diff --git a/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-writer.c b/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-writer.c
index fa8013b024..bdfb641fb2 100644
--- a/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-writer.c
+++ b/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-writer.c
@@ -146,109 +146,67 @@ error:
svSetValueString (ifcfg, key, value);
}
-typedef struct ObjectType {
- const char *setting_key;
- NMSetting8021xCKScheme (*scheme_func)(NMSetting8021x *setting);
- const char * (*path_func) (NMSetting8021x *setting);
- GBytes * (*blob_func) (NMSetting8021x *setting);
- const char *ifcfg_key;
- const char *suffix;
-} ObjectType;
-
-static const ObjectType ca_type = {
- NM_SETTING_802_1X_CA_CERT,
- nm_setting_802_1x_get_ca_cert_scheme,
- nm_setting_802_1x_get_ca_cert_path,
- nm_setting_802_1x_get_ca_cert_blob,
- "IEEE_8021X_CA_CERT",
- "ca-cert.der"
-};
-
-static const ObjectType phase2_ca_type = {
- NM_SETTING_802_1X_PHASE2_CA_CERT,
- nm_setting_802_1x_get_phase2_ca_cert_scheme,
- nm_setting_802_1x_get_phase2_ca_cert_path,
- nm_setting_802_1x_get_phase2_ca_cert_blob,
- "IEEE_8021X_INNER_CA_CERT",
- "inner-ca-cert.der"
-};
-
-static const ObjectType client_type = {
- NM_SETTING_802_1X_CLIENT_CERT,
- nm_setting_802_1x_get_client_cert_scheme,
- nm_setting_802_1x_get_client_cert_path,
- nm_setting_802_1x_get_client_cert_blob,
- "IEEE_8021X_CLIENT_CERT",
- "client-cert.der"
-};
-
-static const ObjectType phase2_client_type = {
- NM_SETTING_802_1X_PHASE2_CLIENT_CERT,
- nm_setting_802_1x_get_phase2_client_cert_scheme,
- nm_setting_802_1x_get_phase2_client_cert_path,
- nm_setting_802_1x_get_phase2_client_cert_blob,
- "IEEE_8021X_INNER_CLIENT_CERT",
- "inner-client-cert.der"
-};
-
-static const ObjectType pk_type = {
- NM_SETTING_802_1X_PRIVATE_KEY,
- nm_setting_802_1x_get_private_key_scheme,
- nm_setting_802_1x_get_private_key_path,
- nm_setting_802_1x_get_private_key_blob,
- "IEEE_8021X_PRIVATE_KEY",
- "private-key.pem"
-};
-
-static const ObjectType phase2_pk_type = {
- NM_SETTING_802_1X_PHASE2_PRIVATE_KEY,
- nm_setting_802_1x_get_phase2_private_key_scheme,
- nm_setting_802_1x_get_phase2_private_key_path,
- nm_setting_802_1x_get_phase2_private_key_blob,
- "IEEE_8021X_INNER_PRIVATE_KEY",
- "inner-private-key.pem"
-};
-
-static const ObjectType p12_type = {
- NM_SETTING_802_1X_PRIVATE_KEY,
- nm_setting_802_1x_get_private_key_scheme,
- nm_setting_802_1x_get_private_key_path,
- nm_setting_802_1x_get_private_key_blob,
- "IEEE_8021X_PRIVATE_KEY",
- "private-key.p12"
-};
-
-static const ObjectType phase2_p12_type = {
- NM_SETTING_802_1X_PHASE2_PRIVATE_KEY,
- nm_setting_802_1x_get_phase2_private_key_scheme,
- nm_setting_802_1x_get_phase2_private_key_path,
- nm_setting_802_1x_get_phase2_private_key_blob,
- "IEEE_8021X_INNER_PRIVATE_KEY",
- "inner-private-key.p12"
+typedef struct {
+ const NMSetting8021xSchemeVtable *vtable;
+ const char *ifcfg_rh_key;
+} Setting8021xSchemeVtable;
+
+static const Setting8021xSchemeVtable setting_8021x_scheme_vtable[] = {
+ [NM_SETTING_802_1X_SCHEME_TYPE_CA_CERT] = {
+ .vtable = &nm_setting_8021x_scheme_vtable[NM_SETTING_802_1X_SCHEME_TYPE_CA_CERT],
+ .ifcfg_rh_key = "IEEE_8021X_CA_CERT",
+ },
+ [NM_SETTING_802_1X_SCHEME_TYPE_PHASE2_CA_CERT] = {
+ .vtable = &nm_setting_8021x_scheme_vtable[NM_SETTING_802_1X_SCHEME_TYPE_PHASE2_CA_CERT],
+ .ifcfg_rh_key = "IEEE_8021X_INNER_CA_CERT",
+ },
+ [NM_SETTING_802_1X_SCHEME_TYPE_CLIENT_CERT] = {
+ .vtable = &nm_setting_8021x_scheme_vtable[NM_SETTING_802_1X_SCHEME_TYPE_CLIENT_CERT],
+ .ifcfg_rh_key = "IEEE_8021X_CLIENT_CERT",
+ },
+ [NM_SETTING_802_1X_SCHEME_TYPE_PHASE2_CLIENT_CERT] = {
+ .vtable = &nm_setting_8021x_scheme_vtable[NM_SETTING_802_1X_SCHEME_TYPE_PHASE2_CLIENT_CERT],
+ .ifcfg_rh_key = "IEEE_8021X_INNER_CLIENT_CERT",
+ },
+ [NM_SETTING_802_1X_SCHEME_TYPE_PRIVATE_KEY] = {
+ .vtable = &nm_setting_8021x_scheme_vtable[NM_SETTING_802_1X_SCHEME_TYPE_PRIVATE_KEY],
+ .ifcfg_rh_key = "IEEE_8021X_PRIVATE_KEY",
+ },
+ [NM_SETTING_802_1X_SCHEME_TYPE_PHASE2_PRIVATE_KEY] = {
+ .vtable = &nm_setting_8021x_scheme_vtable[NM_SETTING_802_1X_SCHEME_TYPE_PHASE2_PRIVATE_KEY],
+ .ifcfg_rh_key = "IEEE_8021X_INNER_PRIVATE_KEY",
+ },
};
static gboolean
write_object (NMSetting8021x *s_8021x,
shvarFile *ifcfg,
- const ObjectType *objtype,
+ const Setting8021xSchemeVtable *objtype,
GError **error)
{
NMSetting8021xCKScheme scheme;
- const char *path = NULL;
+ const char *value = NULL;
GBytes *blob = NULL;
+ const char *password = NULL;
+ NMSettingSecretFlags flags = NM_SETTING_SECRET_FLAG_NONE;
+ char *secret_name, *secret_flags;
+ const char *extension;
g_return_val_if_fail (ifcfg != NULL, FALSE);
g_return_val_if_fail (objtype != NULL, FALSE);
- scheme = (*(objtype->scheme_func))(s_8021x);
+ scheme = (*(objtype->vtable->scheme_func))(s_8021x);
switch (scheme) {
case NM_SETTING_802_1X_CK_SCHEME_UNKNOWN:
break;
case NM_SETTING_802_1X_CK_SCHEME_BLOB:
- blob = (*(objtype->blob_func))(s_8021x);
+ blob = (*(objtype->vtable->blob_func))(s_8021x);
break;
case NM_SETTING_802_1X_CK_SCHEME_PATH:
- path = (*(objtype->path_func))(s_8021x);
+ value = (*(objtype->vtable->path_func))(s_8021x);
+ break;
+ case NM_SETTING_802_1X_CK_SCHEME_PKCS11:
+ value = (*(objtype->vtable->uri_func))(s_8021x);
break;
default:
g_set_error (error, NM_SETTINGS_ERROR, NM_SETTINGS_ERROR_FAILED,
@@ -256,10 +214,26 @@ write_object (NMSetting8021x *s_8021x,
return FALSE;
}
+ /* Set the password for certificate/private key. */
+ secret_name = g_strdup_printf ("%s_PASSWORD", objtype->ifcfg_rh_key);
+ secret_flags = g_strdup_printf ("%s_PASSWORD_FLAGS", objtype->ifcfg_rh_key);
+ password = (*(objtype->vtable->passwd_func))(s_8021x);
+ flags = (*(objtype->vtable->pwflag_func))(s_8021x);
+ set_secret (ifcfg, secret_name, password, secret_flags, flags);
+ g_free (secret_name);
+ g_free (secret_flags);
+
+ if (!objtype->vtable->format_func)
+ extension = "der";
+ else if (objtype->vtable->format_func (s_8021x) == NM_SETTING_802_1X_CK_FORMAT_PKCS12)
+ extension = "p12";
+ else
+ extension = "pem";
+
/* If certificate/private key wasn't sent, the connection may no longer be
* 802.1x and thus we clear out the paths and certs.
*/
- if (!path && !blob) {
+ if (!value && !blob) {
char *standard_file;
int ignored;
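Review bot: `passwd_func` and `pwflag_func` are dereferenced unconditionally at the `set_secret` call, while `format_func` a few lines later is guarded with a NULL check. The vtable `nm_setting_8021x_scheme_vtable` is defined outside this diff view, so if any entry (historically CA certificates had no password) leaves those two pointers NULL this crashes; either guarantee in the vtable definition that every entry populates them, or guard the call: `if (objtype->vtable->passwd_func && objtype->vtable->pwflag_func)`. Note also that the secret is written before the `!value && !blob` early return, so a cleared object still gets its `_PASSWORD` key processed; that is correct only if `set_secret` unsets the key for a NULL password.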
@@ -269,20 +243,20 @@ write_object (NMSetting8021x *s_8021x,
* /etc/sysconfig/network-scripts/ca-cert-Test_Write_Wifi_WPA_EAP-TLS.der
* will be deleted, but /etc/pki/tls/cert.pem will not.
*/
- standard_file = utils_cert_path (svFileGetName (ifcfg), objtype->suffix);
+ standard_file = utils_cert_path (svFileGetName (ifcfg), objtype->vtable->file_suffix, extension);
if (g_file_test (standard_file, G_FILE_TEST_EXISTS))
ignored = unlink (standard_file);
g_free (standard_file);
- svUnsetValue (ifcfg, objtype->ifcfg_key);
+ svUnsetValue (ifcfg, objtype->ifcfg_rh_key);
return TRUE;
}
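Review bot: `standard_file` is passed to `g_file_test` without a NULL check, although `utils_cert_path` now returns NULL when `utils_get_ifcfg_name` fails (the added `g_return_val_if_fail (name, NULL)` in nms-ifcfg-rh-utils.c), and the sibling call in the blob branch below does check for NULL. Guard it the same way: `if (standard_file && g_file_test (standard_file, G_FILE_TEST_EXISTS))`. The `ignored = unlink (...)` result is still discarded; at minimum a debug log on failure would help diagnose stale cert files.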
/* If the object path was specified, prefer that over any raw cert data that
* may have been sent.
*/
- if (path) {
- svSetValueString (ifcfg, objtype->ifcfg_key, path);
+ if (value) {
+ svSetValueString (ifcfg, objtype->ifcfg_rh_key, value);
return TRUE;
}
@@ -292,11 +266,11 @@ write_object (NMSetting8021x *s_8021x,
char *new_file;
GError *write_error = NULL;
- new_file = utils_cert_path (svFileGetName (ifcfg), objtype->suffix);
+ new_file = utils_cert_path (svFileGetName (ifcfg), objtype->vtable->file_suffix, extension);
if (!new_file) {
g_set_error (error, NM_SETTINGS_ERROR, NM_SETTINGS_ERROR_FAILED,
"Could not create file path for %s / %s",
- NM_SETTING_802_1X_SETTING_NAME, objtype->setting_key);
+ NM_SETTING_802_1X_SETTING_NAME, objtype->vtable->setting_key);
return FALSE;
}
@@ -310,13 +284,13 @@ write_object (NMSetting8021x *s_8021x,
0600,
&write_error);
if (success) {
- svSetValueString (ifcfg, objtype->ifcfg_key, new_file);
+ svSetValueString (ifcfg, objtype->ifcfg_rh_key, new_file);
g_free (new_file);
return TRUE;
} else {
g_set_error (error, NM_SETTINGS_ERROR, NM_SETTINGS_ERROR_FAILED,
"Could not write certificate/key for %s / %s: %s",
- NM_SETTING_802_1X_SETTING_NAME, objtype->setting_key,
+ NM_SETTING_802_1X_SETTING_NAME, objtype->vtable->setting_key,
(write_error && write_error->message) ? write_error->message : "(unknown)");
g_clear_error (&write_error);
}
@@ -332,55 +306,29 @@ write_8021x_certs (NMSetting8021x *s_8021x,
shvarFile *ifcfg,
GError **error)
{
- const char *password = NULL;
- gboolean success = FALSE, is_pkcs12 = FALSE;
- const ObjectType *otype = NULL;
- NMSettingSecretFlags flags = NM_SETTING_SECRET_FLAG_NONE;
+ gboolean success = FALSE;
+ const Setting8021xSchemeVtable *otype = NULL;
/* CA certificate */
- if (!write_object (s_8021x, ifcfg, phase2 ? &phase2_ca_type : &ca_type, error))
+ if (!write_object (s_8021x, ifcfg,
+ phase2
+ ? &setting_8021x_scheme_vtable[NM_SETTING_802_1X_SCHEME_TYPE_PHASE2_CA_CERT]
+ : &setting_8021x_scheme_vtable[NM_SETTING_802_1X_SCHEME_TYPE_CA_CERT],
+ error))
return FALSE;
/* Private key */
- if (phase2) {
- otype = &phase2_pk_type;
- if (nm_setting_802_1x_get_phase2_private_key_format (s_8021x) == NM_SETTING_802_1X_CK_FORMAT_PKCS12) {
- otype = &phase2_p12_type;
- is_pkcs12 = TRUE;
- }
- password = nm_setting_802_1x_get_phase2_private_key_password (s_8021x);
- flags = nm_setting_802_1x_get_phase2_private_key_password_flags (s_8021x);
- } else {
- otype = &pk_type;
- if (nm_setting_802_1x_get_private_key_format (s_8021x) == NM_SETTING_802_1X_CK_FORMAT_PKCS12) {
- otype = &p12_type;
- is_pkcs12 = TRUE;
- }
- password = nm_setting_802_1x_get_private_key_password (s_8021x);
- flags = nm_setting_802_1x_get_private_key_password_flags (s_8021x);
- }
+ if (phase2)
+ otype = &setting_8021x_scheme_vtable[NM_SETTING_802_1X_SCHEME_TYPE_PHASE2_PRIVATE_KEY];
+ else
+ otype = &setting_8021x_scheme_vtable[NM_SETTING_802_1X_SCHEME_TYPE_PRIVATE_KEY];
/* Save the private key */
if (!write_object (s_8021x, ifcfg, otype, error))
goto out;
- /* Private key password */
- if (phase2) {
- set_secret (ifcfg,
- "IEEE_8021X_INNER_PRIVATE_KEY_PASSWORD",
- password,
- "IEEE_8021X_INNER_PRIVATE_KEY_PASSWORD_FLAGS",
- flags);
- } else {
- set_secret (ifcfg,
- "IEEE_8021X_PRIVATE_KEY_PASSWORD",
- password,
- "IEEE_8021X_PRIVATE_KEY_PASSWORD_FLAGS",
- flags);
- }
-
/* Client certificate */
- if (is_pkcs12) {
+ if (otype->vtable->format_func (s_8021x) == NM_SETTING_802_1X_CK_FORMAT_PKCS12) {
/* Don't need a client certificate with PKCS#12 since the file is both
* the client certificate and the private key in one file.
*/
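Review bot: `otype->vtable->format_func (s_8021x)` is called without the NULL guard that write_object applies to the same pointer a few hunks above, so the two functions disagree about whether `format_func` may be NULL. For consistency use `if (otype->vtable->format_func && otype->vtable->format_func (s_8021x) == NM_SETTING_802_1X_CK_FORMAT_PKCS12)`, or drop the guard in write_object if the private-key entries are guaranteed to have it. The removed explicit `set_secret` for the private key password now relies entirely on write_object's generic secret handling, which is worth a one-line comment here, e.g. `/* The private key password is written by write_object via the vtable. */`.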
@@ -389,7 +337,11 @@ write_8021x_certs (NMSetting8021x *s_8021x,
NULL);
} else {
/* Save the client certificate */
- if (!write_object (s_8021x, ifcfg, phase2 ? &phase2_client_type : &client_type, error))
+ if (!write_object (s_8021x, ifcfg,
+ phase2
+ ? &setting_8021x_scheme_vtable[NM_SETTING_802_1X_SCHEME_TYPE_PHASE2_CLIENT_CERT]
+ : &setting_8021x_scheme_vtable[NM_SETTING_802_1X_SCHEME_TYPE_CLIENT_CERT],
+ error))
goto out;
}
diff --git a/src/settings/plugins/ifcfg-rh/tests/test-ifcfg-rh.c b/src/settings/plugins/ifcfg-rh/tests/test-ifcfg-rh.c
index f467d864cc..11c412edca 100644
--- a/src/settings/plugins/ifcfg-rh/tests/test-ifcfg-rh.c
+++ b/src/settings/plugins/ifcfg-rh/tests/test-ifcfg-rh.c
@@ -4486,15 +4486,15 @@ test_write_wired_8021x_tls (gconstpointer test_data)
}
/* Clean up created certs and keys */
- tmp = utils_cert_path (testfile, "ca-cert.der");
+ tmp = utils_cert_path (testfile, "ca-cert", "der");
nmtst_file_unlink_if_exists (tmp);
g_free (tmp);
- tmp = utils_cert_path (testfile, "client-cert.der");
+ tmp = utils_cert_path (testfile, "client-cert", "der");
nmtst_file_unlink_if_exists (tmp);
g_free (tmp);
- tmp = utils_cert_path (testfile, "private-key.pem");
+ tmp = utils_cert_path (testfile, "private-key", "pem");
nmtst_file_unlink_if_exists (tmp);
g_free (tmp);
}
diff --git a/src/settings/plugins/ifnet/nms-ifnet-connection-parser.c b/src/settings/plugins/ifnet/nms-ifnet-connection-parser.c
index 84f2d3f4cc..a1acf831e7 100644
--- a/src/settings/plugins/ifnet/nms-ifnet-connection-parser.c
+++ b/src/settings/plugins/ifnet/nms-ifnet-connection-parser.c
@@ -1688,96 +1688,43 @@ error:
return NULL;
}
-typedef NMSetting8021xCKScheme (*SchemeFunc) (NMSetting8021x * setting);
-typedef const char *(*PathFunc) (NMSetting8021x * setting);
-typedef GBytes *(*BlobFunc) (NMSetting8021x * setting);
-
-typedef struct ObjectType {
- const char *setting_key;
- SchemeFunc scheme_func;
- PathFunc path_func;
- BlobFunc blob_func;
- const char *conn_name_key;
- const char *suffix;
-} ObjectType;
-
-static const ObjectType ca_type = {
- NM_SETTING_802_1X_CA_CERT,
- nm_setting_802_1x_get_ca_cert_scheme,
- nm_setting_802_1x_get_ca_cert_path,
- nm_setting_802_1x_get_ca_cert_blob,
- "ca_cert",
- "ca-cert.der"
-};
-
-static const ObjectType phase2_ca_type = {
- NM_SETTING_802_1X_PHASE2_CA_CERT,
- nm_setting_802_1x_get_phase2_ca_cert_scheme,
- nm_setting_802_1x_get_phase2_ca_cert_path,
- nm_setting_802_1x_get_phase2_ca_cert_blob,
- "ca_cert2",
- "inner-ca-cert.der"
-};
-
-static const ObjectType client_type = {
- NM_SETTING_802_1X_CLIENT_CERT,
- nm_setting_802_1x_get_client_cert_scheme,
- nm_setting_802_1x_get_client_cert_path,
- nm_setting_802_1x_get_client_cert_blob,
- "client_cert",
- "client-cert.der"
-};
-
-static const ObjectType phase2_client_type = {
- NM_SETTING_802_1X_PHASE2_CLIENT_CERT,
- nm_setting_802_1x_get_phase2_client_cert_scheme,
- nm_setting_802_1x_get_phase2_client_cert_path,
- nm_setting_802_1x_get_phase2_client_cert_blob,
- "client_cert2",
- "inner-client-cert.der"
-};
-
-static const ObjectType pk_type = {
- NM_SETTING_802_1X_PRIVATE_KEY,
- nm_setting_802_1x_get_private_key_scheme,
- nm_setting_802_1x_get_private_key_path,
- nm_setting_802_1x_get_private_key_blob,
- "private_key",
- "private-key.pem"
-};
-
-static const ObjectType phase2_pk_type = {
- NM_SETTING_802_1X_PHASE2_PRIVATE_KEY,
- nm_setting_802_1x_get_phase2_private_key_scheme,
- nm_setting_802_1x_get_phase2_private_key_path,
- nm_setting_802_1x_get_phase2_private_key_blob,
- "private_key2",
- "inner-private-key.pem"
-};
-
-static const ObjectType p12_type = {
- NM_SETTING_802_1X_PRIVATE_KEY,
- nm_setting_802_1x_get_private_key_scheme,
- nm_setting_802_1x_get_private_key_path,
- nm_setting_802_1x_get_private_key_blob,
- "private_key",
- "private-key.p12"
-};
-
-static const ObjectType phase2_p12_type = {
- NM_SETTING_802_1X_PHASE2_PRIVATE_KEY,
- nm_setting_802_1x_get_phase2_private_key_scheme,
- nm_setting_802_1x_get_phase2_private_key_path,
- nm_setting_802_1x_get_phase2_private_key_blob,
- "private_key2",
- "inner-private-key.p12"
+typedef struct Setting8021xSchemeVtable {
+ const NMSetting8021xSchemeVtable *vtable;
+ const char *ifnet_key;
+} Setting8021xSchemeVtable;
+
+static const Setting8021xSchemeVtable setting_8021x_scheme_vtable[] = {
+ [NM_SETTING_802_1X_SCHEME_TYPE_CA_CERT] = {
+ .vtable = &nm_setting_8021x_scheme_vtable[NM_SETTING_802_1X_SCHEME_TYPE_CA_CERT],
+ .ifnet_key = "ca_cert",
+ },
+ [NM_SETTING_802_1X_SCHEME_TYPE_PHASE2_CA_CERT] = {
+ .vtable = &nm_setting_8021x_scheme_vtable[NM_SETTING_802_1X_SCHEME_TYPE_PHASE2_CA_CERT],
+ .ifnet_key = "ca_cert2",
+ },
+ [NM_SETTING_802_1X_SCHEME_TYPE_CLIENT_CERT] = {
+ .vtable = &nm_setting_8021x_scheme_vtable[NM_SETTING_802_1X_SCHEME_TYPE_CLIENT_CERT],
+ .ifnet_key = "client_cert",
+ },
+ [NM_SETTING_802_1X_SCHEME_TYPE_PHASE2_CLIENT_CERT] = {
+ .vtable = &nm_setting_8021x_scheme_vtable[NM_SETTING_802_1X_SCHEME_TYPE_PHASE2_CLIENT_CERT],
+ .ifnet_key = "client_cert2",
+ },
+ [NM_SETTING_802_1X_SCHEME_TYPE_PRIVATE_KEY] = {
+ .vtable = &nm_setting_8021x_scheme_vtable[NM_SETTING_802_1X_SCHEME_TYPE_PRIVATE_KEY],
+ .ifnet_key = "private_key",
+ },
+ [NM_SETTING_802_1X_SCHEME_TYPE_PHASE2_PRIVATE_KEY] = {
+ .vtable = &nm_setting_8021x_scheme_vtable[NM_SETTING_802_1X_SCHEME_TYPE_PHASE2_PRIVATE_KEY],
+ .ifnet_key = "private_key2",
+ },
};
static gboolean
write_object (NMSetting8021x *s_8021x,
const char *conn_name,
GBytes *override_data,
- const ObjectType *objtype,
+ const Setting8021xSchemeVtable *objtype,
GError **error)
{
NMSetting8021xCKScheme scheme;
@@ -1792,13 +1739,13 @@ write_object (NMSetting8021x *s_8021x,
*/
blob = override_data;
else {
- scheme = (*(objtype->scheme_func)) (s_8021x);
+ scheme = (*(objtype->vtable->scheme_func)) (s_8021x);
switch (scheme) {
case NM_SETTING_802_1X_CK_SCHEME_BLOB:
- blob = (*(objtype->blob_func)) (s_8021x);
+ blob = (*(objtype->vtable->blob_func)) (s_8021x);
break;
case NM_SETTING_802_1X_CK_SCHEME_PATH:
- path = (*(objtype->path_func)) (s_8021x);
+ path = (*(objtype->vtable->path_func)) (s_8021x);
break;
default:
break;
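Review bot: The ifnet write_object switch still handles only `NM_SETTING_802_1X_CK_SCHEME_BLOB` and `NM_SETTING_802_1X_CK_SCHEME_PATH`; a PKCS#11 URI falls into `default` and is silently dropped, so a connection using a token object would be written without its certificate or key while the ifcfg-rh writer in the same series gained a PKCS11 case. Either add `case NM_SETTING_802_1X_CK_SCHEME_PKCS11: path = (*(objtype->vtable->uri_func)) (s_8021x); break;` (if the supplicant config format written by this plugin accepts the URI in that field) or set `error` and return FALSE so the unsupported scheme is not lost silently. The remainder of write_object is outside this hunk.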
@@ -1809,8 +1756,8 @@ write_object (NMSetting8021x *s_8021x,
* may have been sent.
*/
if (path) {
- wpa_set_data (conn_name, (gchar *) objtype->conn_name_key,
- (gchar *) path);
+ wpa_set_data (conn_name, (gchar *) objtype->ifnet_key,
+ (gchar *) path);
return TRUE;
}
@@ -1828,17 +1775,16 @@ write_8021x_certs (NMSetting8021x *s_8021x,
GError **error)
{
char *password = NULL;
- const ObjectType *otype = NULL;
+ const Setting8021xSchemeVtable *otype = NULL;
gboolean is_pkcs12 = FALSE, success = FALSE;
GBytes *blob = NULL;
GBytes *enc_key = NULL;
gchar *generated_pw = NULL;
/* CA certificate */
- if (phase2)
- otype = &phase2_ca_type;
- else
- otype = &ca_type;
+ otype = phase2
+ ? &setting_8021x_scheme_vtable[NM_SETTING_802_1X_SCHEME_TYPE_PHASE2_CA_CERT]
+ : &setting_8021x_scheme_vtable[NM_SETTING_802_1X_SCHEME_TYPE_CA_CERT];
if (!write_object (s_8021x, conn_name, NULL, otype, error))
return FALSE;
@@ -1864,14 +1810,13 @@ write_8021x_certs (NMSetting8021x *s_8021x,
nm_setting_802_1x_get_private_key_password (s_8021x);
}
- if (is_pkcs12)
- otype = phase2 ? &phase2_p12_type : &p12_type;
- else
- otype = phase2 ? &phase2_pk_type : &pk_type;
+ otype = phase2
+ ? &setting_8021x_scheme_vtable[NM_SETTING_802_1X_SCHEME_TYPE_PHASE2_PRIVATE_KEY]
+ : &setting_8021x_scheme_vtable[NM_SETTING_802_1X_SCHEME_TYPE_PRIVATE_KEY];
- if ((*(otype->scheme_func)) (s_8021x) ==
+ if ((*(otype->vtable->scheme_func)) (s_8021x) ==
NM_SETTING_802_1X_CK_SCHEME_BLOB)
- blob = (*(otype->blob_func)) (s_8021x);
+ blob = (*(otype->vtable->blob_func)) (s_8021x);
/* Only do the private key re-encrypt dance if we got the raw key data, which
* by definition will be unencrypted. If we're given a direct path to the
@@ -1883,7 +1828,7 @@ write_8021x_certs (NMSetting8021x *s_8021x,
/* Encrypt the unencrypted private key with the fake password */
tmp_enc_key =
nm_utils_rsa_key_encrypt (g_bytes_get_data (blob, NULL), g_bytes_get_size (blob),
- password, &generated_pw, error);
+ password, &generated_pw, error);
if (!tmp_enc_key)
goto out;
@@ -1906,12 +1851,11 @@ write_8021x_certs (NMSetting8021x *s_8021x,
/* Client certificate */
if (is_pkcs12) {
wpa_set_data (conn_name,
- phase2 ? "client_cert2" : "client_cert", NULL);
+ phase2 ? "client_cert2" : "client_cert", NULL);
} else {
- if (phase2)
- otype = &phase2_client_type;
- else
- otype = &client_type;
+ otype = phase2
+ ? &setting_8021x_scheme_vtable[NM_SETTING_802_1X_SCHEME_TYPE_PHASE2_CLIENT_CERT]
+ : &setting_8021x_scheme_vtable[NM_SETTING_802_1X_SCHEME_TYPE_CLIENT_CERT];
/* Save the client certificate */
if (!write_object (s_8021x, conn_name, NULL, otype, error))
diff --git a/src/settings/plugins/keyfile/nms-keyfile-writer.c b/src/settings/plugins/keyfile/nms-keyfile-writer.c
index 95897db38a..a673742050 100644
--- a/src/settings/plugins/keyfile/nms-keyfile-writer.c
+++ b/src/settings/plugins/keyfile/nms-keyfile-writer.c
@@ -51,12 +51,12 @@ cert_writer (NMConnection *connection,
NMSetting8021xCKFormat format;
const char *path = NULL, *ext = "pem";
- scheme = cert_data->scheme_func (cert_data->setting);
+ scheme = cert_data->vtable->scheme_func (cert_data->setting);
if (scheme == NM_SETTING_802_1X_CK_SCHEME_PATH) {
char *tmp = NULL;
const char *accepted_path = NULL;
- path = cert_data->path_func (cert_data->setting);
+ path = cert_data->vtable->path_func (cert_data->setting);
g_assert (path);
if (g_str_has_prefix (path, info->keyfile_dir)) {
@@ -92,11 +92,11 @@ cert_writer (NMConnection *connection,
if (!accepted_path)
accepted_path = tmp = g_strconcat (NM_KEYFILE_CERT_SCHEME_PREFIX_PATH, path, NULL);
- nm_keyfile_plugin_kf_set_string (file, setting_name, cert_data->property_name, accepted_path);
+ nm_keyfile_plugin_kf_set_string (file, setting_name, cert_data->vtable->setting_key, accepted_path);
g_free (tmp);
} else if (scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11) {
- nm_keyfile_plugin_kf_set_string (file, setting_name, cert_data->property_name,
- cert_data->uri_func (cert_data->setting));
+ nm_keyfile_plugin_kf_set_string (file, setting_name, cert_data->vtable->setting_key,
+ cert_data->vtable->uri_func (cert_data->setting));
} else if (scheme == NM_SETTING_802_1X_CK_SCHEME_BLOB) {
GBytes *blob;
const guint8 *blob_data;
@@ -105,13 +105,13 @@ cert_writer (NMConnection *connection,
GError *local = NULL;
char *new_path;
- blob = cert_data->blob_func (cert_data->setting);
+ blob = cert_data->vtable->blob_func (cert_data->setting);
g_assert (blob);
blob_data = g_bytes_get_data (blob, &blob_len);
- if (cert_data->format_func) {
+ if (cert_data->vtable->format_func) {
/* Get the extension for a private key */
- format = cert_data->format_func (cert_data->setting);
+ format = cert_data->vtable->format_func (cert_data->setting);
if (format == NM_SETTING_802_1X_CK_FORMAT_PKCS12)
ext = "p12";
} else {
@@ -124,17 +124,17 @@ cert_writer (NMConnection *connection,
* from now on instead of pushing around the certificate data.
*/
new_path = g_strdup_printf ("%s/%s-%s.%s", info->keyfile_dir, nm_connection_get_uuid (connection),
- cert_data->suffix, ext);
+ cert_data->vtable->file_suffix, ext);
success = nm_utils_file_set_contents (new_path, (const gchar *) blob_data,
blob_len, 0600, &local);
if (success) {
/* Write the path value to the keyfile.
* We know, that basename(new_path) starts with a UUID, hence no conflict with "data:;base64," */
- nm_keyfile_plugin_kf_set_string (file, setting_name, cert_data->property_name, strrchr (new_path, '/') + 1);
+ nm_keyfile_plugin_kf_set_string (file, setting_name, cert_data->vtable->setting_key, strrchr (new_path, '/') + 1);
} else {
nm_log_warn (LOGD_SETTINGS, "keyfile: %s.%s: failed to write certificate to file %s: %s",
- setting_name, cert_data->property_name, new_path, local->message);
+ setting_name, cert_data->vtable->setting_key, new_path, local->message);
g_error_free (local);
}
g_free (new_path);
diff --git a/src/supplicant/nm-supplicant-config.c b/src/supplicant/nm-supplicant-config.c
index 8f766d7cb9..03bec72f6d 100644
--- a/src/supplicant/nm-supplicant-config.c
+++ b/src/supplicant/nm-supplicant-config.c
@@ -28,6 +28,7 @@
#include "nm-supplicant-settings-verify.h"
#include "nm-setting.h"
+#include "nm-auth-subject.h"
#include "NetworkManagerUtils.h"
#include "nm-utils.h"
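Review bot: The newly included `nm-auth-subject.h` is not referenced by any of the added code in this file's hunks; if nothing outside the visible hunks uses it, the include should be dropped to avoid a spurious dependency.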
@@ -828,6 +829,53 @@ nm_supplicant_config_add_setting_wireless_security (NMSupplicantConfig *self,
return TRUE;
}
+static gboolean
+add_pkcs11_uri_with_pin (NMSupplicantConfig *self,
+ const char *name,
+ const char *uri,
+ const char *pin,
+ const NMSettingSecretFlags pin_flags,
+ GError **error)
+{
+ gs_strfreev gchar **split = NULL;
+ gs_free char *tmp = NULL;
+ gs_free char *tmp_log = NULL;
+ gs_free char *pin_qattr = NULL;
+ char *escaped = NULL;
+
+ if (uri == NULL)
+ return TRUE;
+
+ /* We ignore the attributes -- RFC 7512 suggests that some of them
+ * might be unsafe and we want to be on the safe side. Also, we're
+ * installing our attributes, so this makes things a bit easier for us. */
+ split = g_strsplit (uri, "&", 2);
+ if (split[1])
+ nm_log_info (LOGD_SUPPLICANT, "URI attributes ignored");
+
+ /* Fill in the PIN if required. */
+ if (pin) {
+ escaped = g_uri_escape_string (pin, NULL, TRUE);
+ pin_qattr = g_strdup_printf ("pin-value=%s", escaped);
+ g_free (escaped);
+ } else if (!(pin_flags & NM_SETTING_SECRET_FLAG_NOT_REQUIRED)) {
+ /* Include an empty PIN to indicate the login is still needed.
+ * Probably a token that has a PIN path and the actual PIN will
+ * be entered using a protected path. */
+ pin_qattr = g_strdup ("pin-value=");
+ }
+
+ tmp = g_strdup_printf ("%s%s%s", split[0],
+ (pin_qattr ? "&" : ""),
+ (pin_qattr ? pin_qattr : ""));
+
+ tmp_log = g_strdup_printf ("%s%s%s", split[0],
+ (pin_qattr ? "&" : ""),
+ (pin_qattr ? "pin-value=<hidden>" : ""));
+
+ return add_string_val (self, tmp, name, FALSE, tmp_log, error);
+}
+
gboolean
nm_supplicant_config_add_setting_8021x (NMSupplicantConfig *self,
NMSetting8021x *setting,
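Review bot: The PIN attribute is appended with a fixed `&` separator, which only yields a valid RFC 7512 URI if `split[0]` already contains a `?` query component; a URI with no query (`pkcs11:token=...;object=...`) becomes `pkcs11:...&pin-value=...`, which a URI parser will reject. Use `(pin_qattr ? (strchr (split[0], '?') ? "&" : "?") : "")` in both `g_strdup_printf` calls. Relatedly, `g_strsplit (uri, "&", 2)` keeps the first query attribute rather than ignoring all of them as the comment claims, so a user-supplied `pin-value` in that position would be duplicated; the comment should say `/* Keep only the path and the first query attribute ... */` or the split should be done on `?`. Finally, if `uri` can be the empty string, `g_strsplit` returns an empty vector and `split[1]` reads past its end, so the early return should be `if (!uri || !uri[0]) return TRUE;`.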
@@ -1033,9 +1081,13 @@ nm_supplicant_config_add_setting_8021x (NMSupplicantConfig *self,
return FALSE;
break;
case NM_SETTING_802_1X_CK_SCHEME_PKCS11:
- path = nm_setting_802_1x_get_ca_cert_uri (setting);
- if (!add_string_val (self, path, "ca_cert", FALSE, NULL, error))
+ if (!add_pkcs11_uri_with_pin (self, "ca_cert",
+ nm_setting_802_1x_get_ca_cert_uri (setting),
+ nm_setting_802_1x_get_ca_cert_password (setting),
+ nm_setting_802_1x_get_ca_cert_password_flags (setting),
+ error)) {
return FALSE;
+ }
break;
default:
break;
@@ -1059,9 +1111,13 @@ nm_supplicant_config_add_setting_8021x (NMSupplicantConfig *self,
return FALSE;
break;
case NM_SETTING_802_1X_CK_SCHEME_PKCS11:
- path = nm_setting_802_1x_get_phase2_ca_cert_uri (setting);
- if (!add_string_val (self, path, "ca_cert2", FALSE, NULL, error))
+ if (!add_pkcs11_uri_with_pin (self, "ca_cert2",
+ nm_setting_802_1x_get_phase2_ca_cert_uri (setting),
+ nm_setting_802_1x_get_phase2_ca_cert_password (setting),
+ nm_setting_802_1x_get_phase2_ca_cert_password_flags (setting),
+ error)) {
return FALSE;
+ }
break;
default:
break;
@@ -1106,9 +1162,13 @@ nm_supplicant_config_add_setting_8021x (NMSupplicantConfig *self,
added = TRUE;
break;
case NM_SETTING_802_1X_CK_SCHEME_PKCS11:
- path = nm_setting_802_1x_get_private_key_uri (setting);
- if (!add_string_val (self, path, "private_key", FALSE, NULL, error))
+ if (!add_pkcs11_uri_with_pin (self, "private_key",
+ nm_setting_802_1x_get_private_key_uri (setting),
+ nm_setting_802_1x_get_private_key_password (setting),
+ nm_setting_802_1x_get_private_key_password_flags (setting),
+ error)) {
return FALSE;
+ }
added = TRUE;
break;
default:
@@ -1149,9 +1209,13 @@ nm_supplicant_config_add_setting_8021x (NMSupplicantConfig *self,
return FALSE;
break;
case NM_SETTING_802_1X_CK_SCHEME_PKCS11:
- path = nm_setting_802_1x_get_client_cert_uri (setting);
- if (!add_string_val (self, path, "client_cert", FALSE, NULL, error))
+ if (!add_pkcs11_uri_with_pin (self, "client_cert",
+ nm_setting_802_1x_get_client_cert_uri (setting),
+ nm_setting_802_1x_get_client_cert_password (setting),
+ nm_setting_802_1x_get_client_cert_password_flags (setting),
+ error)) {
return FALSE;
+ }
break;
default:
break;
@@ -1175,9 +1239,13 @@ nm_supplicant_config_add_setting_8021x (NMSupplicantConfig *self,
added = TRUE;
break;
case NM_SETTING_802_1X_CK_SCHEME_PKCS11:
- path = nm_setting_802_1x_get_phase2_private_key_uri (setting);
- if (!add_string_val (self, path, "private_key2", FALSE, NULL, error))
+ if (!add_pkcs11_uri_with_pin (self, "private_key2",
+ nm_setting_802_1x_get_phase2_private_key_uri (setting),
+ nm_setting_802_1x_get_phase2_private_key_password (setting),
+ nm_setting_802_1x_get_phase2_private_key_password_flags (setting),
+ error)) {
return FALSE;
+ }
added = TRUE;
break;
default:
@@ -1218,9 +1286,13 @@ nm_supplicant_config_add_setting_8021x (NMSupplicantConfig *self,
return FALSE;
break;
case NM_SETTING_802_1X_CK_SCHEME_PKCS11:
- path = nm_setting_802_1x_get_phase2_client_cert_uri (setting);
- if (!add_string_val (self, path, "client_cert2", FALSE, NULL, error))
+ if (!add_pkcs11_uri_with_pin (self, "client_cert2",
+ nm_setting_802_1x_get_phase2_client_cert_uri (setting),
+ nm_setting_802_1x_get_phase2_client_cert_password (setting),
+ nm_setting_802_1x_get_phase2_client_cert_password_flags (setting),
+ error)) {
return FALSE;
+ }
break;
default:
break;