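/*
 * Populate @connection with fresh wireless-security and 802.1x settings
 * derived from the EAP method currently selected in the combo box named
 * @combo_name.
 *
 * Any existing wireless-security and 802.1x settings on @connection are
 * replaced by newly created (empty) ones before the selected EAPMethod is
 * asked to fill them in.  The EAPMethod is read from the combo's model at
 * AUTH_METHOD_COLUMN; the reference obtained there is released on return.
 *
 * @sec:        the WirelessSecurity whose GtkBuilder defines @combo_name
 * @combo_name: builder id of the EAP-method GtkComboBox
 * @connection: the NMConnection to populate; it must already carry a
 *              wireless setting (asserted)
 */
void
ws_802_1x_fill_connection (WirelessSecurity *sec,
                           const char *combo_name,
                           NMConnection *connection)
{
	GtkWidget *widget;
	NMSettingWireless *s_wireless;
	NMSettingWirelessSecurity *s_wireless_sec;
	NMSetting8021x *s_8021x;
	EAPMethod *eap = NULL;
	GtkTreeModel *model;
	GtkTreeIter iter;

	s_wireless = nm_connection_get_setting_wireless (connection);
	g_assert (s_wireless);

	/* Point the wireless setting at the security setting added below */
	g_object_set (s_wireless, NM_SETTING_WIRELESS_SEC, NM_SETTING_WIRELESS_SECURITY_SETTING_NAME, NULL);

	/* Blow away the old wireless security setting by adding a clear one */
	s_wireless_sec = (NMSettingWirelessSecurity *) nm_setting_wireless_security_new ();
	nm_connection_add_setting (connection, (NMSetting *) s_wireless_sec);

	/* Blow away the old 802.1x setting by adding a clear one */
	s_8021x = (NMSetting8021x *) nm_setting_802_1x_new ();
	nm_connection_add_setting (connection, (NMSetting *) s_8021x);

	widget = GTK_WIDGET (gtk_builder_get_object (sec->builder, combo_name));
	g_assert (widget);
	model = gtk_combo_box_get_model (GTK_COMBO_BOX (widget));

	/* gtk_combo_box_get_active_iter() leaves @iter unset when nothing is
	 * selected; reading the model through an unset iterator is undefined,
	 * so refuse to continue instead of trusting it.
	 */
	if (!gtk_combo_box_get_active_iter (GTK_COMBO_BOX (widget), &iter)) {
		g_warning ("%s: no EAP method selected in '%s'", __func__, combo_name);
		return;
	}

	gtk_tree_model_get (model, &iter, AUTH_METHOD_COLUMN, &eap, -1);
	g_assert (eap);

	/* The selected method writes its own fields into the two fresh settings */
	eap_method_fill_connection (eap, connection);
	eap_method_unref (eap);
}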
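/**
 * eap_method_validate_filepicker:
 * @builder: GtkBuilder that defines the file chooser named @name
 * @name: builder id of the GtkFileChooser widget to validate
 * @item_type: one of TYPE_PRIVATE_KEY, TYPE_CLIENT_CERT or TYPE_CA_CERT
 * @password: the private-key password; required (non-empty) when
 *   @item_type is TYPE_PRIVATE_KEY, ignored otherwise
 * @out_format: (out) (allow-none): receives the certificate/key format
 *   detected by the NMSetting8021x setter
 *
 * Checks that the file currently chosen in the file chooser can be loaded
 * as the given 802.1x item.  The file is loaded into a throw-away
 * NMSetting8021x so that libnm does the actual parsing; failures are only
 * logged with g_warning().
 *
 * Returns: %TRUE if the file loaded successfully.  When no file is chosen
 *   the result is %TRUE only for TYPE_CA_CERT (the CA certificate is the
 *   one optional item); a missing or non-regular file yields %FALSE.
 */
gboolean
eap_method_validate_filepicker (GtkBuilder *builder,
                                const char *name,
                                guint32 item_type,
                                const char *password,
                                NMSetting8021xCKFormat *out_format)
{
	GtkWidget *widget;
	char *filename;
	NMSetting8021x *setting;
	gboolean success = FALSE;
	GError *error = NULL;

	/* A private key can only be verified together with its password */
	if (item_type == TYPE_PRIVATE_KEY) {
		g_return_val_if_fail (password != NULL, FALSE);
		g_return_val_if_fail (strlen (password), FALSE);
	}

	widget = GTK_WIDGET (gtk_builder_get_object (builder, name));
	g_assert (widget);
	filename = gtk_file_chooser_get_filename (GTK_FILE_CHOOSER (widget));
	/* Nothing chosen: only the CA certificate may be left out */
	if (!filename)
		return (item_type == TYPE_CA_CERT) ? TRUE : FALSE;

	if (!g_file_test (filename, G_FILE_TEST_EXISTS | G_FILE_TEST_IS_REGULAR))
		goto out;

	/* Scratch setting: the setter parses the file and reports its format */
	setting = (NMSetting8021x *) nm_setting_802_1x_new ();

	if (item_type == TYPE_PRIVATE_KEY) {
		success = nm_setting_802_1x_set_private_key (setting, filename, password, NM_SETTING_802_1X_CK_SCHEME_PATH, out_format, &error);
		if (!success) {
			g_warning ("Error: couldn't verify private key: %d %s",
			           error ? error->code : -1, error ? error->message : "(none)");
			g_clear_error (&error);
		}
	} else if (item_type == TYPE_CLIENT_CERT) {
		success = nm_setting_802_1x_set_client_cert (setting, filename, NM_SETTING_802_1X_CK_SCHEME_PATH, out_format, &error);
		if (!success) {
			g_warning ("Error: couldn't verify client certificate: %d %s",
			           error ? error->code : -1, error ? error->message : "(none)");
			g_clear_error (&error);
		}
	} else if (item_type == TYPE_CA_CERT) {
		success = nm_setting_802_1x_set_ca_cert (setting, filename, NM_SETTING_802_1X_CK_SCHEME_PATH, out_format, &error);
		if (!success) {
			g_warning ("Error: couldn't verify CA certificate: %d %s",
			           error ? error->code : -1, error ? error->message : "(none)");
			g_clear_error (&error);
		}
	} else {
		/* @item_type is unsigned, so %u rather than %d */
		g_warning ("%s: invalid item type %u.", __func__, item_type);
	}

	g_object_unref (setting);

out:
	g_free (filename);
	return success;
}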
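/*
 * React to a private-key file being chosen on the EAP-TLS page.
 *
 * The key is loaded into a scratch NMSetting8021x purely to learn its
 * format.  A PKCS#12 bundle carries the client certificate inside the key
 * file, so in that case the separate client-certificate chooser is cleared
 * and disabled; otherwise it is re-enabled when @changed says the key
 * selection actually changed.  Finally the user is warned when the chosen
 * key file is not password protected.
 *
 * @parent:   the EAPMethod owning the glade XML and the top-level UI widget
 * @filename: path of the chosen private key.  NOTE(review): a NULL value
 *            would be passed straight to the NM setter and to
 *            eap_method_is_encrypted_private_key() — confirm callers never
 *            hand in NULL.
 * @changed:  TRUE when the chooser selection actually changed
 */
static void
private_key_picker_helper (EAPMethod *parent, const char *filename, gboolean changed)
{
	NMSetting8021x *setting;
	NMSetting8021xCKFormat cert_format = NM_SETTING_802_1X_CK_FORMAT_UNKNOWN;
	const char *password;
	GtkWidget *widget;

	widget = glade_xml_get_widget (parent->xml, "eap_tls_private_key_password_entry");
	g_assert (widget);
	password = gtk_entry_get_text (GTK_ENTRY (widget));

	/* Probe the key format with the password typed so far.  The return
	 * value is deliberately ignored: @cert_format starts out UNKNOWN and is
	 * presumably left that way when the key cannot be loaded.
	 */
	setting = (NMSetting8021x *) nm_setting_802_1x_new ();
	nm_setting_802_1x_set_private_key (setting, filename, password, NM_SETTING_802_1X_CK_SCHEME_PATH, &cert_format, NULL);
	g_object_unref (setting);

	/* With PKCS#12, the client cert must be the same as the private key */
	widget = glade_xml_get_widget (parent->xml, "eap_tls_user_cert_button");
	g_assert (widget);
	if (cert_format == NM_SETTING_802_1X_CK_FORMAT_PKCS12) {
		gtk_file_chooser_unselect_all (GTK_FILE_CHOOSER (widget));
		gtk_widget_set_sensitive (widget, FALSE);
	} else if (changed) {
		gtk_widget_set_sensitive (widget, TRUE);
	}

	/* Warn the user if the private key is unencrypted */
	if (!eap_method_is_encrypted_private_key (filename)) {
		GtkWidget *dialog;
		GtkWidget *toplevel;
		GtkWindow *parent_window = NULL;

		/* Parent the dialog on our window only if there really is one */
		toplevel = gtk_widget_get_toplevel (parent->ui_widget);
#if GTK_CHECK_VERSION(2,18,0)
		if (gtk_widget_is_toplevel (toplevel))
#else
		if (GTK_WIDGET_TOPLEVEL (toplevel))
#endif
			parent_window = GTK_WINDOW (toplevel);

		dialog = gtk_message_dialog_new (parent_window,
		                                 GTK_DIALOG_MODAL | GTK_DIALOG_DESTROY_WITH_PARENT,
		                                 GTK_MESSAGE_WARNING,
		                                 GTK_BUTTONS_OK,
		                                 "%s",
		                                 _("Unencrypted private keys are insecure"));
		gtk_message_dialog_format_secondary_text (GTK_MESSAGE_DIALOG (dialog),
		                                          "%s",
		                                          _("The selected private key does not appear to be protected by a password.  This could allow your security credentials to be compromised.  Please select a password-protected private key.\n\n(You can password-protect your private key with openssl)"));
		gtk_dialog_run (GTK_DIALOG (dialog));
		gtk_widget_destroy (dialog);
	}
}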
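/**
 * eap_method_validate_filepicker:
 * @builder: GtkBuilder that defines the file chooser named @name
 * @name: builder id of the GtkFileChooser widget to validate
 * @item_type: one of TYPE_PRIVATE_KEY, TYPE_CLIENT_CERT or TYPE_CA_CERT
 * @password: the private-key password; required (non-empty) when
 *   @item_type is TYPE_PRIVATE_KEY, ignored otherwise
 * @out_format: (out) (allow-none): receives the certificate/key format
 *   detected by the NMSetting8021x setter
 * @error: (allow-none): location for a #GError describing the failure
 *
 * Checks that the file currently chosen in the file chooser can be loaded
 * as the given 802.1x item.  The file is loaded into a throw-away
 * NMSetting8021x so that libnm does the actual parsing and error reporting.
 *
 * Returns: %TRUE if the file loaded successfully.  When no file is chosen
 *   the result is %TRUE only for TYPE_CA_CERT (the one optional item).
 *   Whenever %FALSE is returned and @error is non-NULL, *@error is set:
 *   either by the setter, or with a generic NMA_ERROR_GENERIC when nothing
 *   more specific is available (missing file, non-regular file, bad type).
 */
gboolean
eap_method_validate_filepicker (GtkBuilder *builder,
                                const char *name,
                                guint32 item_type,
                                const char *password,
                                NMSetting8021xCKFormat *out_format,
                                GError **error)
{
	GtkWidget *widget;
	char *filename;
	NMSetting8021x *setting;
	gboolean success = FALSE;

	/* A private key can only be verified together with its password */
	if (item_type == TYPE_PRIVATE_KEY) {
		g_return_val_if_fail (password != NULL, FALSE);
		g_return_val_if_fail (strlen (password), FALSE);
	}

	widget = GTK_WIDGET (gtk_builder_get_object (builder, name));
	g_assert (widget);
	filename = gtk_file_chooser_get_filename (GTK_FILE_CHOOSER (widget));
	if (!filename) {
		/* Nothing chosen: only the CA certificate may be left out.  Go
		 * through "out" so that a missing mandatory file still produces
		 * an error for the caller instead of a bare FALSE.
		 */
		success = (item_type == TYPE_CA_CERT);
		goto out;
	}

	if (!g_file_test (filename, G_FILE_TEST_EXISTS | G_FILE_TEST_IS_REGULAR))
		goto out;

	/* Scratch setting: the setter parses the file and fills @error on failure */
	setting = (NMSetting8021x *) nm_setting_802_1x_new ();

	if (item_type == TYPE_PRIVATE_KEY) {
		if (nm_setting_802_1x_set_private_key (setting, filename, password, NM_SETTING_802_1X_CK_SCHEME_PATH, out_format, error))
			success = TRUE;
	} else if (item_type == TYPE_CLIENT_CERT) {
		if (nm_setting_802_1x_set_client_cert (setting, filename, NM_SETTING_802_1X_CK_SCHEME_PATH, out_format, error))
			success = TRUE;
	} else if (item_type == TYPE_CA_CERT) {
		if (nm_setting_802_1x_set_ca_cert (setting, filename, NM_SETTING_802_1X_CK_SCHEME_PATH, out_format, error))
			success = TRUE;
	} else {
		/* @item_type is unsigned, so %u rather than %d */
		g_warning ("%s: invalid item type %u.", __func__, item_type);
	}

	g_object_unref (setting);

out:
	/* g_free() accepts NULL, which is what the no-file path arrives with */
	g_free (filename);

	/* Guarantee the documented contract: FALSE always comes with an error */
	if (!success && error && !*error)
		g_set_error_literal (error, NMA_ERROR, NMA_ERROR_GENERIC, _("unspecified error validating eap-method file"));
	return success;
}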
/*
 * Load the phase-2 private key at @path (blob scheme) with @password, check
 * that the stored password matches, then clear the key again and check that
 * the password is cleared along with it.
 */
static void
test_clear_phase2_private_key (const char *path, const char *password)
{
	NMSetting8021x *setting;
	NMSetting8021xCKFormat key_format = NM_SETTING_802_1X_CK_FORMAT_UNKNOWN;
	GError *error = NULL;
	const char *stored_pw;
	gboolean ok;

	setting = (NMSetting8021x *) nm_setting_802_1x_new ();
	ASSERT (setting != NULL, "clear-phase2-private-key", "setting was NULL");

	/* Import the key as a blob and make sure its format was recognised */
	ok = nm_setting_802_1x_set_phase2_private_key (setting,
	                                               path,
	                                               password,
	                                               NM_SETTING_802_1X_CK_SCHEME_BLOB,
	                                               &key_format,
	                                               &error);
	ASSERT (ok == TRUE,
	        "clear-phase2-private-key", "error reading private key: %s", error->message);
	ASSERT (key_format != NM_SETTING_802_1X_CK_FORMAT_UNKNOWN,
	        "clear-phase2-private-key", "unexpected private key format (got %d)", key_format);

	/* The password handed to the setter must be the one the setting reports back */
	stored_pw = nm_setting_802_1x_get_phase2_private_key_password (setting);
	ASSERT (stored_pw != NULL,
	        "clear-phase2-private-key", "failed to get previous private key password");
	ASSERT (strcmp (stored_pw, password) == 0,
	        "clear-phase2-private-key", "failed to compare private key password");

	/* Clearing is done by setting a NULL key with a NULL password */
	ok = nm_setting_802_1x_set_phase2_private_key (setting,
	                                               NULL,
	                                               NULL,
	                                               NM_SETTING_802_1X_CK_SCHEME_BLOB,
	                                               NULL,
	                                               &error);
	ASSERT (ok == TRUE,
	        "clear-phase2-private-key", "unexpected failure clearing private key");
	ASSERT (error == NULL,
	        "clear-phase2-private-key", "unexpected error clearing private key");

	/* Clearing the key must not leave the old password behind */
	ASSERT (nm_setting_802_1x_get_phase2_private_key_password (setting) == NULL,
	        "clear-phase2-private-key", "unexpected private key password");

	g_object_unref (setting);
}
/*
 * Load a valid phase-2 private key, then try to replace it with a file that
 * is not a key at all.  The second call must fail, must report an error, must
 * leave the format UNKNOWN, and must not disturb the previously stored
 * password.
 */
static void
test_wrong_phase2_password_keeps_data (const char *path, const char *password)
{
	NMSetting8021x *setting;
	NMSetting8021xCKFormat key_format = NM_SETTING_802_1X_CK_FORMAT_UNKNOWN;
	GError *error = NULL;
	const char *stored_pw;
	gboolean ok;

	setting = (NMSetting8021x *) nm_setting_802_1x_new ();
	ASSERT (setting != NULL, "wrong-phase2-password-keeps-data", "setting was NULL");

	/* First a good import, so there is something to keep */
	ok = nm_setting_802_1x_set_phase2_private_key (setting,
	                                               path,
	                                               password,
	                                               NM_SETTING_802_1X_CK_SCHEME_BLOB,
	                                               &key_format,
	                                               &error);
	ASSERT (ok == TRUE,
	        "wrong-phase2-password-keeps-data", "error reading private key: %s", error->message);
	ASSERT (key_format != NM_SETTING_802_1X_CK_FORMAT_UNKNOWN,
	        "wrong-phase2-password-keeps-data", "unexpected private key format (got %d)", key_format);

	/* Now try to set it to something that's not a certificate */
	key_format = NM_SETTING_802_1X_CK_FORMAT_UNKNOWN;
	ok = nm_setting_802_1x_set_phase2_private_key (setting,
	                                               "Makefile.am",
	                                               password,
	                                               NM_SETTING_802_1X_CK_SCHEME_BLOB,
	                                               &key_format,
	                                               &error);
	ASSERT (ok == FALSE,
	        "wrong-phase2-password-keeps-data", "unexpected success reading private key");
	ASSERT (error != NULL,
	        "wrong-phase2-password-keeps-data", "unexpected missing error");
	ASSERT (key_format == NM_SETTING_802_1X_CK_FORMAT_UNKNOWN,
	        "wrong-phase2-password-keeps-data", "unexpected success reading private key format");

	/* The failed call must not have touched the password stored by the first one */
	stored_pw = nm_setting_802_1x_get_phase2_private_key_password (setting);
	ASSERT (stored_pw != NULL,
	        "wrong-phase2-password-keeps-data", "failed to get previous private key password");
	ASSERT (strcmp (stored_pw, password) == 0,
	        "wrong-phase2-password-keeps-data", "failed to compare private key password");

	g_object_unref (setting);
}
/*
 * React to a private-key file being chosen on the EAP-TLS page.
 *
 * The key is loaded into a scratch NMSetting8021x purely to learn its
 * type.  A PKCS#12 bundle carries the client certificate inside the key
 * file, so in that case the separate client-certificate chooser is cleared
 * and disabled; otherwise it is re-enabled when @changed says the key
 * selection actually changed.
 *
 * @parent:   the EAPMethod owning the glade XML
 * @filename: path of the chosen private key
 * @changed:  TRUE when the chooser selection actually changed
 */
static void
private_key_picker_helper (EAPMethod *parent, const char *filename, gboolean changed)
{
	GtkWidget *password_entry;
	GtkWidget *cert_button;
	const char *password;
	NMSetting8021xCKType key_type = NM_SETTING_802_1X_CK_TYPE_UNKNOWN;
	NMSetting8021x *probe;

	password_entry = glade_xml_get_widget (parent->xml, "eap_tls_private_key_password_entry");
	g_assert (password_entry);
	password = gtk_entry_get_text (GTK_ENTRY (password_entry));

	/* Probe the key type; the return value is not needed, only @key_type */
	probe = (NMSetting8021x *) nm_setting_802_1x_new ();
	nm_setting_802_1x_set_private_key_from_file (probe, filename, password, &key_type, NULL);
	g_object_unref (probe);

	/* With PKCS#12, the client cert must be the same as the private key */
	cert_button = glade_xml_get_widget (parent->xml, "eap_tls_user_cert_button");
	if (key_type != NM_SETTING_802_1X_CK_TYPE_PKCS12) {
		if (changed)
			gtk_widget_set_sensitive (cert_button, TRUE);
		return;
	}
	gtk_file_chooser_unselect_all (GTK_FILE_CHOOSER (cert_button));
	gtk_widget_set_sensitive (cert_button, FALSE);
}
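/* Configure @sec for static/dynamic WEP or LEAP ("none" key management). */
static void
set_wep_security (NMSettingWirelessSecurity *sec)
{
    g_object_set (sec,
                  NM_SETTING_WIRELESS_SECURITY_KEY_MGMT, "none",
                  NM_SETTING_WIRELESS_SECURITY_WEP_TX_KEYIDX, 0,
                  NULL);
}

/* Configure @sec for WPA/RSN: key management, protocol and the pairwise and
 * group cipher lists derived from the AP's @flags.
 */
static void
set_wpa_security (NMSettingWirelessSecurity *sec,
                  const char *key_mgmt,
                  const char *proto,
                  guint32 flags)
{
    g_object_set (sec, NM_SETTING_WIRELESS_SECURITY_KEY_MGMT, key_mgmt, NULL);
    nm_setting_wireless_security_add_proto (sec, proto);
    add_ciphers_from_flags (sec, flags, TRUE);
    add_ciphers_from_flags (sec, flags, FALSE);
}

/* Create the minimal 802.1x setting used for enterprise APs: EAP-TTLS with
 * MSCHAPv2 as the inner method.  Nothing else (identity, CA certificate,
 * credentials) is set here; the caller is expected to fill that in.
 * The caller owns the returned setting.
 */
static NMSetting8021x *
new_default_8021x_setting (void)
{
    NMSetting8021x *s_8021x = NM_SETTING_802_1X (nm_setting_802_1x_new ());

    nm_setting_802_1x_add_eap_method (s_8021x, "ttls");
    g_object_set (s_8021x, NM_SETTING_802_1X_PHASE2_AUTH, "mschapv2", NULL);
    return s_8021x;
}

/*
 * Build the wireless-security setting needed to connect to @ap with a device
 * whose capabilities are @dev_caps.
 *
 * The AP's privacy flag and its WPA/RSN information elements are matched
 * against the device capabilities in order of preference: WEP/LEAP when only
 * privacy is advertised, then WPA2-PSK, WPA-PSK, WPA2-Enterprise and
 * WPA-Enterprise.  Enterprise modes additionally create a default 802.1x
 * setting and hand it back through @s_8021x.
 *
 * @ap:        the access point (must be an NMAccessPoint)
 * @dev_caps:  NM_WIFI_DEVICE_CAP_* bits of the connecting device
 * @supported: in/out; must point at TRUE on entry and is set to FALSE when
 *             the AP's security cannot be handled (non-infrastructure mode
 *             for anything beyond WEP, or no matching WPA/RSN capability)
 * @s_8021x:   in/out; must point at NULL on entry and receives a new
 *             NMSetting8021x for enterprise APs (caller owns it)
 *
 * Returns: a new NMSettingWirelessSecurity owned by the caller, or NULL for
 *          an open network or an unsupported one (see @supported).
 */
static NMSettingWirelessSecurity *
get_security_for_ap (NMAccessPoint *ap,
                     guint32 dev_caps,
                     gboolean *supported,
                     NMSetting8021x **s_8021x)
{
    NMSettingWirelessSecurity *sec;
    NM80211Mode mode;
    guint32 flags;
    guint32 wpa_flags;
    guint32 rsn_flags;

    g_return_val_if_fail (NM_IS_ACCESS_POINT (ap), NULL);
    g_return_val_if_fail (supported != NULL, NULL);
    g_return_val_if_fail (*supported == TRUE, NULL);
    g_return_val_if_fail (s_8021x != NULL, NULL);
    g_return_val_if_fail (*s_8021x == NULL, NULL);

    sec = (NMSettingWirelessSecurity *) nm_setting_wireless_security_new ();

    mode = nm_access_point_get_mode (ap);
    flags = nm_access_point_get_flags (ap);
    wpa_flags = nm_access_point_get_wpa_flags (ap);
    rsn_flags = nm_access_point_get_rsn_flags (ap);

    /* No security */
    if (   !(flags & NM_802_11_AP_FLAGS_PRIVACY)
            && (wpa_flags == NM_802_11_AP_SEC_NONE)
            && (rsn_flags == NM_802_11_AP_SEC_NONE))
        goto none;

    /* Static WEP, Dynamic WEP, or LEAP */
    if (flags & NM_802_11_AP_FLAGS_PRIVACY) {
        if ((dev_caps & NM_WIFI_DEVICE_CAP_RSN) || (dev_caps & NM_WIFI_DEVICE_CAP_WPA)) {
            /* If the device can do WPA/RSN but the AP has no WPA/RSN information
             * elements, it must be LEAP or static/dynamic WEP.
             */
            if ((wpa_flags == NM_802_11_AP_SEC_NONE) && (rsn_flags == NM_802_11_AP_SEC_NONE)) {
                set_wep_security (sec);
                return sec;
            }
            /* Otherwise, the AP supports WPA or RSN, which is preferred */
        } else {
            /* Device can't do WPA/RSN, but can at least pass through the
             * WPA/RSN information elements from a scan.  Since Privacy was
             * advertised, LEAP or static/dynamic WEP must be in use.
             */
            set_wep_security (sec);
            return sec;
        }
    }

    /* Stuff after this point requires infrastructure */
    if (mode != NM_802_11_MODE_INFRA) {
        *supported = FALSE;
        goto none;
    }

    /* WPA2 PSK first */
    if (   (rsn_flags & NM_802_11_AP_SEC_KEY_MGMT_PSK)
            && (dev_caps & NM_WIFI_DEVICE_CAP_RSN)) {
        set_wpa_security (sec, "wpa-psk", "rsn", rsn_flags);
        return sec;
    }

    /* WPA PSK */
    if (   (wpa_flags & NM_802_11_AP_SEC_KEY_MGMT_PSK)
            && (dev_caps & NM_WIFI_DEVICE_CAP_WPA)) {
        set_wpa_security (sec, "wpa-psk", "wpa", wpa_flags);
        return sec;
    }

    /* WPA2 Enterprise */
    if (   (rsn_flags & NM_802_11_AP_SEC_KEY_MGMT_802_1X)
            && (dev_caps & NM_WIFI_DEVICE_CAP_RSN)) {
        set_wpa_security (sec, "wpa-eap", "rsn", rsn_flags);
        *s_8021x = new_default_8021x_setting ();
        return sec;
    }

    /* WPA Enterprise */
    if (   (wpa_flags & NM_802_11_AP_SEC_KEY_MGMT_802_1X)
            && (dev_caps & NM_WIFI_DEVICE_CAP_WPA)) {
        set_wpa_security (sec, "wpa-eap", "wpa", wpa_flags);
        *s_8021x = new_default_8021x_setting ();
        return sec;
    }

    /* Privacy or WPA/RSN advertised, but nothing the device can use */
    *supported = FALSE;

none:
    g_object_unref (sec);
    return NULL;
}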
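/*
 * Build a wired EAP-TLS test connection whose certificates and private key
 * are loaded with the given @scheme (path or blob).
 *
 * The private key is set with the password "test", so the resulting
 * connection is expected to need no further secrets for the key itself.
 * Every allocation and setter is checked with ASSERT(); the connection is
 * verified before being returned.
 *
 * @detail: test name used in ASSERT() messages
 * @scheme: NM_SETTING_802_1X_CK_SCHEME_PATH or _BLOB
 *
 * Returns: a new, verified NMConnection owned by the caller.
 */
static NMConnection *
make_tls_connection (const char *detail, NMSetting8021xCKScheme scheme)
{
	NMConnection *connection;
	NMSettingConnection *s_con;
	NMSetting8021x *s_8021x;
	NMSettingWired *s_wired;
	NMSettingIP4Config *s_ip4;
	char *uuid;
	gboolean success;
	GError *error = NULL;

	connection = nm_connection_new ();
	ASSERT (connection != NULL,
	        detail, "failed to allocate new connection");

	/* Connection setting */
	s_con = (NMSettingConnection *) nm_setting_connection_new ();
	ASSERT (s_con != NULL,
	        detail, "failed to allocate new %s setting",
	        NM_SETTING_CONNECTION_SETTING_NAME);
	nm_connection_add_setting (connection, NM_SETTING (s_con));

	uuid = nm_utils_uuid_generate ();
	g_object_set (s_con,
	              NM_SETTING_CONNECTION_ID, "Test Need TLS Secrets",
	              NM_SETTING_CONNECTION_UUID, uuid,
	              NM_SETTING_CONNECTION_AUTOCONNECT, TRUE,
	              NM_SETTING_CONNECTION_TYPE, NM_SETTING_WIRED_SETTING_NAME,
	              NULL);
	g_free (uuid);

	/* Wired setting */
	s_wired = (NMSettingWired *) nm_setting_wired_new ();
	ASSERT (s_wired != NULL,
	        detail, "failed to allocate new %s setting",
	        NM_SETTING_WIRED_SETTING_NAME);
	nm_connection_add_setting (connection, NM_SETTING (s_wired));

	/* 802.1x setting (this is a wired connection, there is no wireless security) */
	s_8021x = (NMSetting8021x *) nm_setting_802_1x_new ();
	ASSERT (s_8021x != NULL,
	        detail, "failed to allocate new %s setting",
	        NM_SETTING_802_1X_SETTING_NAME);
	nm_connection_add_setting (connection, NM_SETTING (s_8021x));

	g_object_set (s_8021x, NM_SETTING_802_1X_IDENTITY, "Bill Smith", NULL);

	nm_setting_802_1x_add_eap_method (s_8021x, "tls");

	/* The setters may fail without filling @error (e.g. precondition
	 * failures), so never dereference it unconditionally in the messages.
	 */
	success = nm_setting_802_1x_set_ca_cert (s_8021x,
	                                         TEST_NEED_SECRETS_EAP_TLS_CA_CERT,
	                                         scheme,
	                                         NULL,
	                                         &error);
	ASSERT (success == TRUE,
	        detail, "failed to set CA certificate '%s': %s",
	        TEST_NEED_SECRETS_EAP_TLS_CA_CERT,
	        (error && error->message) ? error->message : "(unknown)");

	success = nm_setting_802_1x_set_client_cert (s_8021x,
	                                             TEST_NEED_SECRETS_EAP_TLS_CLIENT_CERT,
	                                             scheme,
	                                             NULL,
	                                             &error);
	ASSERT (success == TRUE,
	        detail, "failed to set client certificate '%s': %s",
	        TEST_NEED_SECRETS_EAP_TLS_CLIENT_CERT,
	        (error && error->message) ? error->message : "(unknown)");

	success = nm_setting_802_1x_set_private_key (s_8021x,
	                                             TEST_NEED_SECRETS_EAP_TLS_PRIVATE_KEY,
	                                             "test",
	                                             scheme,
	                                             NULL,
	                                             &error);
	ASSERT (success == TRUE,
	        detail, "failed to set private key '%s': %s",
	        TEST_NEED_SECRETS_EAP_TLS_PRIVATE_KEY,
	        (error && error->message) ? error->message : "(unknown)");

	/* IP4 setting */
	s_ip4 = (NMSettingIP4Config *) nm_setting_ip4_config_new ();
	ASSERT (s_ip4 != NULL,
	        detail, "failed to allocate new %s setting",
	        NM_SETTING_IP4_CONFIG_SETTING_NAME);
	nm_connection_add_setting (connection, NM_SETTING (s_ip4));

	g_object_set (s_ip4, NM_SETTING_IP4_CONFIG_METHOD, NM_SETTING_IP4_CONFIG_METHOD_AUTO, NULL);

	ASSERT (nm_connection_verify (connection, &error) == TRUE,
	        detail, "failed to verify connection: %s",
	        (error && error->message) ? error->message : "(unknown)");

	return connection;
}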
/*
 * Import the private key at @path with @password using @scheme and check
 * that the setting reports the same format, the same password and the same
 * key data back.  For a PKCS#12 key the client-certificate property must
 * hold exactly the same bytes as the private-key property.
 */
static void
test_private_key_import (const char *path,
                         const char *password,
                         NMSetting8021xCKScheme scheme)
{
	NMSetting8021x *setting;
	gboolean ok;
	NMSetting8021xCKFormat key_format = NM_SETTING_802_1X_CK_FORMAT_UNKNOWN;
	NMSetting8021xCKFormat reread_format;
	GError *error = NULL;
	GByteArray *key_bytes = NULL;
	GByteArray *cert_bytes = NULL;
	const char *stored_pw;

	setting = (NMSetting8021x *) nm_setting_802_1x_new ();
	ASSERT (setting != NULL, "private-key-import", "setting was NULL");

	ok = nm_setting_802_1x_set_private_key (setting,
	                                        path,
	                                        password,
	                                        scheme,
	                                        &key_format,
	                                        &error);
	ASSERT (ok == TRUE,
	        "private-key-import", "error reading private key: %s", error->message);
	ASSERT (key_format != NM_SETTING_802_1X_CK_FORMAT_UNKNOWN,
	        "private-key-import", "unexpected private key format (got %d)", key_format);

	/* The format reported by the setter and by the getter must agree */
	reread_format = nm_setting_802_1x_get_private_key_format (setting);
	ASSERT (reread_format == key_format,
	        "private-key-import", "unexpected re-read private key format (expected %d, got %d)",
	        key_format, reread_format);

	/* Make sure the password is what we expect */
	stored_pw = nm_setting_802_1x_get_private_key_password (setting);
	ASSERT (stored_pw != NULL,
	        "private-key-import", "failed to get previous private key password");
	ASSERT (strcmp (stored_pw, password) == 0,
	        "private-key-import", "failed to compare private key password");

	switch (scheme) {
	case NM_SETTING_802_1X_CK_SCHEME_BLOB:
		/* The blob getter hands out the setting's own array; do not free it */
		key_bytes = (GByteArray *) nm_setting_802_1x_get_private_key_blob (setting);
		ASSERT (key_bytes != NULL, "private-key-import", "missing private key blob");
		compare_blob_data ("private-key-import", path, key_bytes);
		break;
	case NM_SETTING_802_1X_CK_SCHEME_PATH:
		/* g_object_get() returns a copy that we own */
		g_object_get (setting, NM_SETTING_802_1X_PRIVATE_KEY, &key_bytes, NULL);
		ASSERT (key_bytes != NULL, "private-key-import", "missing private key value");
		check_scheme_path (key_bytes, path);
		g_byte_array_free (key_bytes, TRUE);
		break;
	default:
		g_assert_not_reached ();
	}

	/* If it's PKCS#12 ensure the client cert is the same value */
	if (key_format == NM_SETTING_802_1X_CK_FORMAT_PKCS12) {
		g_object_get (setting, NM_SETTING_802_1X_PRIVATE_KEY, &key_bytes, NULL);
		ASSERT (key_bytes != NULL, "private-key-import", "missing private key value");

		g_object_get (setting, NM_SETTING_802_1X_CLIENT_CERT, &cert_bytes, NULL);
		ASSERT (cert_bytes != NULL, "private-key-import", "missing client certificate value");

		/* Same length first, then same bytes */
		ASSERT (key_bytes->len == cert_bytes->len,
		        "private-key-import", "unexpected different private key and client cert lengths");
		ASSERT (memcmp (key_bytes->data, cert_bytes->data, key_bytes->len) == 0,
		        "private-key-import", "unexpected different private key and client cert data");

		g_byte_array_free (key_bytes, TRUE);
		g_byte_array_free (cert_bytes, TRUE);
	}

	g_object_unref (setting);
}
/*
 * Start a connection to the WPA/WPA2-Enterprise access point at
 * @arg_access_point on @device by building a minimal connection (wireless +
 * wireless-security "wpa-eap" + 802.1x TTLS/MSCHAPv2) and handing it to the
 * wireless dialog, which collects the rest from the user.
 *
 * Nothing happens if the access point cannot be found on @device or if it
 * does not advertise 802.1x key management in either its WPA or RSN IEs.
 *
 * NOTE(review): the NMConnection created here is not unreffed in this
 * function; confirm that nma_wireless_dialog_new() takes ownership.
 */
void
cc_network_panel_connect_to_8021x_network (CcNetworkPanel   *panel,
        NMClient         *client,
        NMRemoteSettings *settings,
        NMDevice         *device,
        const gchar      *arg_access_point)
{
    NMAccessPoint *ap;
    NM80211ApSecurityFlags wpa_flags, rsn_flags;
    NMConnection *conn;
    NMSettingConnection *s_con;
    NMSettingWireless *s_wifi;
    NMSettingWirelessSecurity *s_wsec;
    NMSetting8021x *s_8021x;
    GtkWidget *dialog;
    char *uuid;

    g_debug ("connect to 8021x wifi");
    ap = nm_device_wifi_get_access_point_by_path (NM_DEVICE_WIFI (device), arg_access_point);
    if (!ap) {
        g_warning ("didn't find access point with path %s", arg_access_point);
        return;
    }

    /* If the AP is WPA[2]-Enterprise then we need to set up a minimal 802.1x
     * setting and ask the user for more information.
     */
    rsn_flags = nm_access_point_get_rsn_flags (ap);
    wpa_flags = nm_access_point_get_wpa_flags (ap);
    if (((rsn_flags | wpa_flags) & NM_802_11_AP_SEC_KEY_MGMT_802_1X) == 0) {
        g_warning ("Network panel loaded with connect-8021x-wifi but the "
                   "access point does not support 802.1x");
        return;
    }

    conn = nm_connection_new ();

    /* Need a UUID for the "always ask" stuff in the Dialog of Doom */
    uuid = nm_utils_uuid_generate ();
    s_con = (NMSettingConnection *) nm_setting_connection_new ();
    g_object_set (s_con, NM_SETTING_CONNECTION_UUID, uuid, NULL);
    g_free (uuid);
    nm_connection_add_setting (conn, NM_SETTING (s_con));

    /* Wireless setting: the AP's SSID, secured by the wireless-security setting */
    s_wifi = (NMSettingWireless *) nm_setting_wireless_new ();
    nm_connection_add_setting (conn, NM_SETTING (s_wifi));
    g_object_set (s_wifi,
                  NM_SETTING_WIRELESS_SSID, nm_access_point_get_ssid (ap),
                  NM_SETTING_WIRELESS_SEC, NM_SETTING_WIRELESS_SECURITY_SETTING_NAME,
                  NULL);

    /* WPA-EAP key management; the actual EAP details live in the 802.1x setting */
    s_wsec = (NMSettingWirelessSecurity *) nm_setting_wireless_security_new ();
    g_object_set (s_wsec, NM_SETTING_WIRELESS_SECURITY_KEY_MGMT, "wpa-eap", NULL);
    nm_connection_add_setting (conn, NM_SETTING (s_wsec));

    /* Default to TTLS with MSCHAPv2 inside; the dialog lets the user change it */
    s_8021x = (NMSetting8021x *) nm_setting_802_1x_new ();
    nm_setting_802_1x_add_eap_method (s_8021x, "ttls");
    g_object_set (s_8021x, NM_SETTING_802_1X_PHASE2_AUTH, "mschapv2", NULL);
    nm_connection_add_setting (conn, NM_SETTING (s_8021x));

    dialog = nma_wireless_dialog_new (client, settings, conn, device, ap, FALSE);
    show_wireless_dialog (panel, client, settings, dialog);
}
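/*
 * Create a wired PEAP/MSCHAPv2 802.1x connection and register it with
 * NetworkManager over D-Bus via the settings service's AddConnection method.
 *
 * The connection is serialised with nm_connection_to_hash() using
 * NM_SETTING_HASH_FLAG_ALL, so the 802.1x password in @con_pwd travels
 * inside that hash to NetworkManager.  Progress is reported through
 * pam_syslog() when the file-scope @debug flag is set.
 *
 * @pamh:         PAM handle used for logging
 * @proxy:        D-Bus proxy for the NetworkManager settings service
 * @con_name:     value for the connection's "id"
 * @con_identity: 802.1x outer identity
 * @con_pwd:      802.1x password (a secret; do not log it)
 */
static void
add_connection (pam_handle_t *pamh, DBusGProxy *proxy, const char *con_name, 
  const char *con_identity,
  const char *con_pwd)
{
  NMConnection *connection;
  NMSettingConnection *s_con;
  NMSettingWired *s_wired;
  NMSetting8021x *s_8021x;
  NMSettingIP4Config *s_ip4;
  char *uuid, *new_con_path = NULL;
  GHashTable *hash;
  GError *error = NULL;

  /* Create a new connection object */
  if (debug)
  {
    pam_syslog (pamh, LOG_INFO, "Creating new connection object.");
  }
  connection = (NMConnection *) nm_connection_new ();

  /* Build up the 'connection' Setting */
  if (debug)
  {
    pam_syslog (pamh, LOG_INFO, "Building up the 'connection' setting.");
  }
  s_con = (NMSettingConnection *) nm_setting_connection_new ();
  uuid = nm_utils_uuid_generate ();
  g_object_set (G_OBJECT (s_con),
    NM_SETTING_CONNECTION_UUID, uuid,
    NM_SETTING_CONNECTION_ID, con_name,
    NM_SETTING_CONNECTION_TYPE, "802-3-ethernet",
    NULL);
  g_free (uuid);
  nm_connection_add_setting (connection, NM_SETTING (s_con));

  /* Build up the 'wired' Setting */
  if (debug)
  {
    pam_syslog (pamh, LOG_INFO, "Building up the 'wired' setting.");
  }
  s_wired = (NMSettingWired *) nm_setting_wired_new ();
  nm_connection_add_setting (connection, NM_SETTING (s_wired));

  /* Build up the '8021x' Setting: PEAP with MSCHAPv2 inside, system CA
   * certificates, and the server identity pinned with an altSubjectName
   * match.
   * NOTE(review): the *_PASSWORD_FLAGS properties are NMSettingSecretFlags
   * values, not booleans; TRUE passes the integer 1 here — confirm that is
   * the flag actually intended.
   */
  if (debug)
  {
    pam_syslog (pamh, LOG_INFO, "Building up the '8021x' setting.");
  }
  s_8021x = (NMSetting8021x *) nm_setting_802_1x_new ();
  g_object_set (G_OBJECT (s_8021x),
    NM_SETTING_802_1X_SYSTEM_CA_CERTS, TRUE,
    NM_SETTING_802_1X_PRIVATE_KEY_PASSWORD_FLAGS, TRUE,
    NM_SETTING_802_1X_ANONYMOUS_IDENTITY, "*****@*****.**",
    NM_SETTING_802_1X_PHASE2_PRIVATE_KEY_PASSWORD_FLAGS, TRUE,
    NM_SETTING_802_1X_IDENTITY, con_identity,
    NM_SETTING_802_1X_PHASE2_AUTH, "mschapv2",
    NM_SETTING_802_1X_PASSWORD, con_pwd,
    NULL);
  nm_setting_802_1x_add_phase2_altsubject_match(s_8021x, "DNS:radius.example.com");
  nm_setting_802_1x_add_eap_method(s_8021x, "peap");
  nm_connection_add_setting (connection, NM_SETTING (s_8021x));

  /* Build up the 'ipv4' Setting */
  if (debug)
  {
    pam_syslog (pamh, LOG_INFO, "Building up the 'ipv4' setting.");
  }
  s_ip4 = (NMSettingIP4Config *) nm_setting_ip4_config_new ();
  g_object_set (G_OBJECT (s_ip4),
    NM_SETTING_IP4_CONFIG_METHOD, NM_SETTING_IP4_CONFIG_METHOD_AUTO,
    NULL);
  nm_connection_add_setting (connection, NM_SETTING (s_ip4));

  /* FLAG_ALL includes secrets, which is what AddConnection expects */
  hash = nm_connection_to_hash (connection, NM_SETTING_HASH_FLAG_ALL);

  /* Call AddConnection with the hash as argument */
  if (debug)
  {
    pam_syslog (pamh, LOG_INFO, "Calling AddConnection D-BUS method.");
  }
  if (!dbus_g_proxy_call (proxy, "AddConnection", &error,
    DBUS_TYPE_G_MAP_OF_MAP_OF_VARIANT, hash,
    G_TYPE_INVALID,
    DBUS_TYPE_G_OBJECT_PATH, &new_con_path,
    G_TYPE_INVALID)) {
      g_print ("Error adding connection: %s %s",
      dbus_g_error_get_name (error),
      error->message);
      pam_syslog (pamh, LOG_ERR, "Error adding connection: %s %s",
      dbus_g_error_get_name (error),
      error->message);
    g_clear_error (&error);
  } else {
    /* Success is informational, not an error, so log it at LOG_INFO
     * like the other progress messages (it used to go out as LOG_ERR).
     */
    g_print ("Added: %s\n", new_con_path);
    pam_syslog (pamh, LOG_INFO, "Added: %s\n", new_con_path);
    g_free (new_con_path);
  }

  g_hash_table_destroy (hash);
  g_object_unref (connection);
}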