static void test_clear_private_key (const char *path, const char *password) { NMSetting8021x *s_8021x; gboolean success; NMSetting8021xCKFormat format = NM_SETTING_802_1X_CK_FORMAT_UNKNOWN; GError *error = NULL; const char *pw; s_8021x = (NMSetting8021x *) nm_setting_802_1x_new (); ASSERT (s_8021x != NULL, "clear-private-key", "setting was NULL"); success = nm_setting_802_1x_set_private_key (s_8021x, path, password, NM_SETTING_802_1X_CK_SCHEME_BLOB, &format, &error); ASSERT (success == TRUE, "clear-private-key", "error reading private key: %s", error->message); ASSERT (format != NM_SETTING_802_1X_CK_FORMAT_UNKNOWN, "clear-private-key", "unexpected private key format (got %d)", format); /* Make sure the password is what we expect */ pw = nm_setting_802_1x_get_private_key_password (s_8021x); ASSERT (pw != NULL, "clear-private-key", "failed to get previous private key password"); ASSERT (strcmp (pw, password) == 0, "clear-private-key", "failed to compare private key password"); /* Now clear it */ success = nm_setting_802_1x_set_private_key (s_8021x, NULL, NULL, NM_SETTING_802_1X_CK_SCHEME_BLOB, NULL, &error); ASSERT (success == TRUE, "clear-private-key", "unexpected failure clearing private key"); ASSERT (error == NULL, "clear-private-key", "unexpected error clearing private key"); /* Ensure the password is also now clear */ ASSERT (nm_setting_802_1x_get_private_key_password (s_8021x) == NULL, "clear-private-key", "unexpected private key password"); g_object_unref (s_8021x); }
static void test_wrong_password_keeps_data (const char *path, const char *password) { NMSetting8021x *s_8021x; gboolean success; NMSetting8021xCKFormat format = NM_SETTING_802_1X_CK_FORMAT_UNKNOWN; GError *error = NULL; const char *pw; s_8021x = (NMSetting8021x *) nm_setting_802_1x_new (); ASSERT (s_8021x != NULL, "wrong-password-keeps-data", "setting was NULL"); success = nm_setting_802_1x_set_private_key (s_8021x, path, password, NM_SETTING_802_1X_CK_SCHEME_BLOB, &format, &error); ASSERT (success == TRUE, "wrong-password-keeps-data", "error reading private key: %s", error->message); ASSERT (format != NM_SETTING_802_1X_CK_FORMAT_UNKNOWN, "wrong-password-keeps-data", "unexpected private key format (got %d)", format); /* Now try to set it to something that's not a certificate */ format = NM_SETTING_802_1X_CK_FORMAT_UNKNOWN; success = nm_setting_802_1x_set_private_key (s_8021x, "Makefile.am", password, NM_SETTING_802_1X_CK_SCHEME_BLOB, &format, &error); ASSERT (success == FALSE, "wrong-password-keeps-data", "unexpected success reading private key"); ASSERT (error != NULL, "wrong-password-keeps-data", "unexpected missing error"); ASSERT (format == NM_SETTING_802_1X_CK_FORMAT_UNKNOWN, "wrong-password-keeps-data", "unexpected success reading private key format"); /* Make sure the password hasn't changed */ pw = nm_setting_802_1x_get_private_key_password (s_8021x); ASSERT (pw != NULL, "wrong-password-keeps-data", "failed to get previous private key password"); ASSERT (strcmp (pw, password) == 0, "wrong-password-keeps-data", "failed to compare private key password"); g_object_unref (s_8021x); }
gboolean eap_method_validate_filepicker (GtkBuilder *builder, const char *name, guint32 item_type, const char *password, NMSetting8021xCKFormat *out_format) { GtkWidget *widget; char *filename; NMSetting8021x *setting; gboolean success = FALSE; GError *error = NULL; if (item_type == TYPE_PRIVATE_KEY) { g_return_val_if_fail (password != NULL, FALSE); g_return_val_if_fail (strlen (password), FALSE); } widget = GTK_WIDGET (gtk_builder_get_object (builder, name)); g_assert (widget); filename = gtk_file_chooser_get_filename (GTK_FILE_CHOOSER (widget)); if (!filename) return (item_type == TYPE_CA_CERT) ? TRUE : FALSE; if (!g_file_test (filename, G_FILE_TEST_EXISTS | G_FILE_TEST_IS_REGULAR)) goto out; setting = (NMSetting8021x *) nm_setting_802_1x_new (); if (item_type == TYPE_PRIVATE_KEY) { if (!nm_setting_802_1x_set_private_key (setting, filename, password, NM_SETTING_802_1X_CK_SCHEME_PATH, out_format, &error)) { g_warning ("Error: couldn't verify private key: %d %s", error ? error->code : -1, error ? error->message : "(none)"); g_clear_error (&error); } else success = TRUE; } else if (item_type == TYPE_CLIENT_CERT) { if (!nm_setting_802_1x_set_client_cert (setting, filename, NM_SETTING_802_1X_CK_SCHEME_PATH, out_format, &error)) { g_warning ("Error: couldn't verify client certificate: %d %s", error ? error->code : -1, error ? error->message : "(none)"); g_clear_error (&error); } else success = TRUE; } else if (item_type == TYPE_CA_CERT) { if (!nm_setting_802_1x_set_ca_cert (setting, filename, NM_SETTING_802_1X_CK_SCHEME_PATH, out_format, &error)) { g_warning ("Error: couldn't verify CA certificate: %d %s", error ? error->code : -1, error ? error->message : "(none)"); g_clear_error (&error); } else success = TRUE; } else g_warning ("%s: invalid item type %d.", __func__, item_type); g_object_unref (setting); out: g_free (filename); return success; }
static void private_key_picker_helper (EAPMethod *parent, const char *filename, gboolean changed) { NMSetting8021x *setting; NMSetting8021xCKFormat cert_format = NM_SETTING_802_1X_CK_FORMAT_UNKNOWN; const char *password; GtkWidget *widget; widget = glade_xml_get_widget (parent->xml, "eap_tls_private_key_password_entry"); g_assert (widget); password = gtk_entry_get_text (GTK_ENTRY (widget)); setting = (NMSetting8021x *) nm_setting_802_1x_new (); nm_setting_802_1x_set_private_key (setting, filename, password, NM_SETTING_802_1X_CK_SCHEME_PATH, &cert_format, NULL); g_object_unref (setting); /* With PKCS#12, the client cert must be the same as the private key */ widget = glade_xml_get_widget (parent->xml, "eap_tls_user_cert_button"); if (cert_format == NM_SETTING_802_1X_CK_FORMAT_PKCS12) { gtk_file_chooser_unselect_all (GTK_FILE_CHOOSER (widget)); gtk_widget_set_sensitive (widget, FALSE); } else if (changed) gtk_widget_set_sensitive (widget, TRUE); /* Warn the user if the private key is unencrypted */ if (!eap_method_is_encrypted_private_key (filename)) { GtkWidget *dialog; GtkWidget *toplevel; GtkWindow *parent_window = NULL; toplevel = gtk_widget_get_toplevel (parent->ui_widget); #if GTK_CHECK_VERSION(2,18,0) if (gtk_widget_is_toplevel (toplevel)) #else if (GTK_WIDGET_TOPLEVEL (toplevel)) #endif parent_window = GTK_WINDOW (toplevel); dialog = gtk_message_dialog_new (parent_window, GTK_DIALOG_MODAL | GTK_DIALOG_DESTROY_WITH_PARENT, GTK_MESSAGE_WARNING, GTK_BUTTONS_OK, "%s", _("Unencrypted private keys are insecure")); gtk_message_dialog_format_secondary_text (GTK_MESSAGE_DIALOG (dialog), "%s", _("The selected private key does not appear to be protected by a password. This could allow your security credentials to be compromised. Please select a password-protected private key.\n\n(You can password-protect your private key with openssl)")); gtk_dialog_run (GTK_DIALOG (dialog)); gtk_widget_destroy (dialog); } }
gboolean eap_method_validate_filepicker (GtkBuilder *builder, const char *name, guint32 item_type, const char *password, NMSetting8021xCKFormat *out_format, GError **error) { GtkWidget *widget; char *filename; NMSetting8021x *setting; gboolean success = FALSE; if (item_type == TYPE_PRIVATE_KEY) { g_return_val_if_fail (password != NULL, FALSE); g_return_val_if_fail (strlen (password), FALSE); } widget = GTK_WIDGET (gtk_builder_get_object (builder, name)); g_assert (widget); filename = gtk_file_chooser_get_filename (GTK_FILE_CHOOSER (widget)); if (!filename) return (item_type == TYPE_CA_CERT) ? TRUE : FALSE; if (!g_file_test (filename, G_FILE_TEST_EXISTS | G_FILE_TEST_IS_REGULAR)) goto out; setting = (NMSetting8021x *) nm_setting_802_1x_new (); if (item_type == TYPE_PRIVATE_KEY) { if (nm_setting_802_1x_set_private_key (setting, filename, password, NM_SETTING_802_1X_CK_SCHEME_PATH, out_format, error)) success = TRUE; } else if (item_type == TYPE_CLIENT_CERT) { if (nm_setting_802_1x_set_client_cert (setting, filename, NM_SETTING_802_1X_CK_SCHEME_PATH, out_format, error)) success = TRUE; } else if (item_type == TYPE_CA_CERT) { if (nm_setting_802_1x_set_ca_cert (setting, filename, NM_SETTING_802_1X_CK_SCHEME_PATH, out_format, error)) success = TRUE; } else g_warning ("%s: invalid item type %d.", __func__, item_type); g_object_unref (setting); out: g_free (filename); if (!success && error && !*error) g_set_error_literal (error, NMA_ERROR, NMA_ERROR_GENERIC, _("unspecified error validating eap-method file")); return success; }
static void fill_connection (EAPMethod *parent, NMConnection *connection) { EAPMethodTLS *method = (EAPMethodTLS *) parent; NMSetting8021xCKFormat format = NM_SETTING_802_1X_CK_FORMAT_UNKNOWN; NMSetting8021x *s_8021x; GtkWidget *widget; char *ca_filename, *pk_filename, *cc_filename; const char *password = NULL; GError *error = NULL; const char *secret_flag_prop = NULL; s_8021x = nm_connection_get_setting_802_1x (connection); g_assert (s_8021x); if (parent->phase2) g_object_set (s_8021x, NM_SETTING_802_1X_PHASE2_AUTH, "tls", NULL); else nm_setting_802_1x_add_eap_method (s_8021x, "tls"); widget = GTK_WIDGET (gtk_builder_get_object (parent->builder, "eap_tls_identity_entry")); g_assert (widget); g_object_set (s_8021x, NM_SETTING_802_1X_IDENTITY, gtk_entry_get_text (GTK_ENTRY (widget)), NULL); /* TLS private key */ widget = GTK_WIDGET (gtk_builder_get_object (parent->builder, "eap_tls_private_key_password_entry")); g_assert (widget); password = gtk_entry_get_text (GTK_ENTRY (widget)); g_assert (password); widget = GTK_WIDGET (gtk_builder_get_object (parent->builder, "eap_tls_private_key_button")); g_assert (widget); pk_filename = gtk_file_chooser_get_filename (GTK_FILE_CHOOSER (widget)); g_assert (pk_filename); if (parent->phase2) { if (!nm_setting_802_1x_set_phase2_private_key (s_8021x, pk_filename, password, NM_SETTING_802_1X_CK_SCHEME_PATH, &format, &error)) { g_warning ("Couldn't read phase2 private key '%s': %s", pk_filename, error ? error->message : "(unknown)"); g_clear_error (&error); } secret_flag_prop = NM_SETTING_802_1X_PHASE2_PRIVATE_KEY_PASSWORD_FLAGS; } else { if (!nm_setting_802_1x_set_private_key (s_8021x, pk_filename, password, NM_SETTING_802_1X_CK_SCHEME_PATH, &format, &error)) { g_warning ("Couldn't read private key '%s': %s", pk_filename, error ? error->message : "(unknown)"); g_clear_error (&error); } secret_flag_prop = NM_SETTING_802_1X_PRIVATE_KEY_PASSWORD_FLAGS; } g_free (pk_filename); /* Default to agent-owned secrets for new connections */ if (method->new_connection) { g_object_set (s_8021x, secret_flag_prop, NM_SETTING_SECRET_FLAG_AGENT_OWNED, NM_SETTING_802_1X_SYSTEM_CA_CERTS, TRUE, NULL); } /* TLS client certificate */ if (format != NM_SETTING_802_1X_CK_FORMAT_PKCS12) { /* If the key is pkcs#12 nm_setting_802_1x_set_private_key() already * set the client certificate for us. */ widget = GTK_WIDGET (gtk_builder_get_object (parent->builder, "eap_tls_user_cert_button")); g_assert (widget); cc_filename = gtk_file_chooser_get_filename (GTK_FILE_CHOOSER (widget)); g_assert (cc_filename); format = NM_SETTING_802_1X_CK_FORMAT_UNKNOWN; if (parent->phase2) { if (!nm_setting_802_1x_set_phase2_client_cert (s_8021x, cc_filename, NM_SETTING_802_1X_CK_SCHEME_PATH, &format, &error)) { g_warning ("Couldn't read phase2 client certificate '%s': %s", cc_filename, error ? error->message : "(unknown)"); g_clear_error (&error); } } else { if (!nm_setting_802_1x_set_client_cert (s_8021x, cc_filename, NM_SETTING_802_1X_CK_SCHEME_PATH, &format, &error)) { g_warning ("Couldn't read client certificate '%s': %s", cc_filename, error ? error->message : "(unknown)"); g_clear_error (&error); } } g_free (cc_filename); } /* TLS CA certificate */ widget = GTK_WIDGET (gtk_builder_get_object (parent->builder, "eap_tls_ca_cert_button")); g_assert (widget); ca_filename = gtk_file_chooser_get_filename (GTK_FILE_CHOOSER (widget)); format = NM_SETTING_802_1X_CK_FORMAT_UNKNOWN; if (parent->phase2) { if (!nm_setting_802_1x_set_phase2_ca_cert (s_8021x, ca_filename, NM_SETTING_802_1X_CK_SCHEME_PATH, &format, &error)) { g_warning ("Couldn't read phase2 CA certificate '%s': %s", ca_filename, error ? error->message : "(unknown)"); g_clear_error (&error); } } else { if (!nm_setting_802_1x_set_ca_cert (s_8021x, ca_filename, NM_SETTING_802_1X_CK_SCHEME_PATH, &format, &error)) { g_warning ("Couldn't read CA certificate '%s': %s", ca_filename, error ? error->message : "(unknown)"); g_clear_error (&error); } } }
static NMConnection * make_tls_connection (const char *detail, NMSetting8021xCKScheme scheme) { NMConnection *connection; NMSettingConnection *s_con; NMSetting8021x *s_8021x; NMSettingWired *s_wired; NMSettingIP4Config *s_ip4; char *uuid; gboolean success; GError *error = NULL; connection = nm_connection_new (); ASSERT (connection != NULL, detail, "failed to allocate new connection"); /* Connection setting */ s_con = (NMSettingConnection *) nm_setting_connection_new (); ASSERT (s_con != NULL, detail, "failed to allocate new %s setting", NM_SETTING_CONNECTION_SETTING_NAME); nm_connection_add_setting (connection, NM_SETTING (s_con)); uuid = nm_utils_uuid_generate (); g_object_set (s_con, NM_SETTING_CONNECTION_ID, "Test Need TLS Secrets", NM_SETTING_CONNECTION_UUID, uuid, NM_SETTING_CONNECTION_AUTOCONNECT, TRUE, NM_SETTING_CONNECTION_TYPE, NM_SETTING_WIRED_SETTING_NAME, NULL); g_free (uuid); /* Wired setting */ s_wired = (NMSettingWired *) nm_setting_wired_new (); ASSERT (s_wired != NULL, detail, "failed to allocate new %s setting", NM_SETTING_WIRED_SETTING_NAME); nm_connection_add_setting (connection, NM_SETTING (s_wired)); /* Wireless security setting */ s_8021x = (NMSetting8021x *) nm_setting_802_1x_new (); ASSERT (s_8021x != NULL, detail, "failed to allocate new %s setting", NM_SETTING_802_1X_SETTING_NAME); nm_connection_add_setting (connection, NM_SETTING (s_8021x)); g_object_set (s_8021x, NM_SETTING_802_1X_IDENTITY, "Bill Smith", NULL); nm_setting_802_1x_add_eap_method (s_8021x, "tls"); success = nm_setting_802_1x_set_ca_cert (s_8021x, TEST_NEED_SECRETS_EAP_TLS_CA_CERT, scheme, NULL, &error); ASSERT (success == TRUE, detail, "failed to set CA certificate '%s': %s", TEST_NEED_SECRETS_EAP_TLS_CA_CERT, error->message); success = nm_setting_802_1x_set_client_cert (s_8021x, TEST_NEED_SECRETS_EAP_TLS_CLIENT_CERT, scheme, NULL, &error); ASSERT (success == TRUE, detail, "failed to set client certificate '%s': %s", TEST_NEED_SECRETS_EAP_TLS_CLIENT_CERT, error->message); success = nm_setting_802_1x_set_private_key (s_8021x, TEST_NEED_SECRETS_EAP_TLS_PRIVATE_KEY, "test", scheme, NULL, &error); ASSERT (success == TRUE, detail, "failed to set private key '%s': %s", TEST_NEED_SECRETS_EAP_TLS_PRIVATE_KEY, error->message); /* IP4 setting */ s_ip4 = (NMSettingIP4Config *) nm_setting_ip4_config_new (); ASSERT (s_ip4 != NULL, detail, "failed to allocate new %s setting", NM_SETTING_IP4_CONFIG_SETTING_NAME); nm_connection_add_setting (connection, NM_SETTING (s_ip4)); g_object_set (s_ip4, NM_SETTING_IP4_CONFIG_METHOD, NM_SETTING_IP4_CONFIG_METHOD_AUTO, NULL); ASSERT (nm_connection_verify (connection, &error) == TRUE, detail, "failed to verify connection: %s", (error && error->message) ? error->message : "(unknown)"); return connection; }
static void fill_connection (EAPMethod *parent, NMConnection *connection) { EAPMethodTLS *method = (EAPMethodTLS *) parent; NMSetting8021xCKFormat format = NM_SETTING_802_1X_CK_FORMAT_UNKNOWN; NMSetting8021x *s_8021x; NMSettingConnection *s_con; GtkWidget *widget; char *ca_filename, *pk_filename, *cc_filename; const char *password = NULL; GError *error = NULL; s_con = NM_SETTING_CONNECTION (nm_connection_get_setting (connection, NM_TYPE_SETTING_CONNECTION)); g_assert (s_con); s_8021x = NM_SETTING_802_1X (nm_connection_get_setting (connection, NM_TYPE_SETTING_802_1X)); g_assert (s_8021x); if (method->phase2) g_object_set (s_8021x, NM_SETTING_802_1X_PHASE2_AUTH, "tls", NULL); else nm_setting_802_1x_add_eap_method (s_8021x, "tls"); widget = glade_xml_get_widget (parent->xml, "eap_tls_identity_entry"); g_assert (widget); g_object_set (s_8021x, NM_SETTING_802_1X_IDENTITY, gtk_entry_get_text (GTK_ENTRY (widget)), NULL); /* TLS private key */ widget = glade_xml_get_widget (parent->xml, "eap_tls_private_key_password_entry"); g_assert (widget); password = gtk_entry_get_text (GTK_ENTRY (widget)); g_assert (password); widget = glade_xml_get_widget (parent->xml, "eap_tls_private_key_button"); g_assert (widget); pk_filename = gtk_file_chooser_get_filename (GTK_FILE_CHOOSER (widget)); g_assert (pk_filename); if (method->phase2) { if (!nm_setting_802_1x_set_phase2_private_key (s_8021x, pk_filename, password, NM_SETTING_802_1X_CK_SCHEME_PATH, &format, &error)) { g_warning ("Couldn't read phase2 private key '%s': %s", pk_filename, error ? error->message : "(unknown)"); g_clear_error (&error); } } else { if (!nm_setting_802_1x_set_private_key (s_8021x, pk_filename, password, NM_SETTING_802_1X_CK_SCHEME_PATH, &format, &error)) { g_warning ("Couldn't read private key '%s': %s", pk_filename, error ? error->message : "(unknown)"); g_clear_error (&error); } } g_free (pk_filename); /* TLS client certificate */ if (format != NM_SETTING_802_1X_CK_FORMAT_PKCS12) { /* If the key is pkcs#12 nm_setting_802_1x_set_private_key() already * set the client certificate for us. */ widget = glade_xml_get_widget (parent->xml, "eap_tls_user_cert_button"); g_assert (widget); cc_filename = gtk_file_chooser_get_filename (GTK_FILE_CHOOSER (widget)); g_assert (cc_filename); format = NM_SETTING_802_1X_CK_FORMAT_UNKNOWN; if (method->phase2) { if (!nm_setting_802_1x_set_phase2_client_cert (s_8021x, cc_filename, NM_SETTING_802_1X_CK_SCHEME_PATH, &format, &error)) { g_warning ("Couldn't read phase2 client certificate '%s': %s", cc_filename, error ? error->message : "(unknown)"); g_clear_error (&error); } } else { if (!nm_setting_802_1x_set_client_cert (s_8021x, cc_filename, NM_SETTING_802_1X_CK_SCHEME_PATH, &format, &error)) { g_warning ("Couldn't read client certificate '%s': %s", cc_filename, error ? error->message : "(unknown)"); g_clear_error (&error); } } g_free (cc_filename); } /* TLS CA certificate */ widget = glade_xml_get_widget (parent->xml, "eap_tls_ca_cert_button"); g_assert (widget); ca_filename = gtk_file_chooser_get_filename (GTK_FILE_CHOOSER (widget)); format = NM_SETTING_802_1X_CK_FORMAT_UNKNOWN; if (method->phase2) { if (!nm_setting_802_1x_set_phase2_ca_cert (s_8021x, ca_filename, NM_SETTING_802_1X_CK_SCHEME_PATH, &format, &error)) { g_warning ("Couldn't read phase2 CA certificate '%s': %s", ca_filename, error ? error->message : "(unknown)"); g_clear_error (&error); } } else { if (!nm_setting_802_1x_set_ca_cert (s_8021x, ca_filename, NM_SETTING_802_1X_CK_SCHEME_PATH, &format, &error)) { g_warning ("Couldn't read CA certificate '%s': %s", ca_filename, error ? error->message : "(unknown)"); g_clear_error (&error); } } nm_gconf_set_ignore_ca_cert (nm_setting_connection_get_uuid (s_con), method->phase2, eap_method_get_ignore_ca_cert (parent)); }
static void test_private_key_import (const char *path, const char *password, NMSetting8021xCKScheme scheme) { NMSetting8021x *s_8021x; gboolean success; NMSetting8021xCKFormat format = NM_SETTING_802_1X_CK_FORMAT_UNKNOWN; NMSetting8021xCKFormat tmp_fmt; GError *error = NULL; GByteArray *tmp_key = NULL, *client_cert = NULL; const char *pw; s_8021x = (NMSetting8021x *) nm_setting_802_1x_new (); ASSERT (s_8021x != NULL, "private-key-import", "setting was NULL"); success = nm_setting_802_1x_set_private_key (s_8021x, path, password, scheme, &format, &error); ASSERT (success == TRUE, "private-key-import", "error reading private key: %s", error->message); ASSERT (format != NM_SETTING_802_1X_CK_FORMAT_UNKNOWN, "private-key-import", "unexpected private key format (got %d)", format); tmp_fmt = nm_setting_802_1x_get_private_key_format (s_8021x); ASSERT (tmp_fmt == format, "private-key-import", "unexpected re-read private key format (expected %d, got %d)", format, tmp_fmt); /* Make sure the password is what we expect */ pw = nm_setting_802_1x_get_private_key_password (s_8021x); ASSERT (pw != NULL, "private-key-import", "failed to get previous private key password"); ASSERT (strcmp (pw, password) == 0, "private-key-import", "failed to compare private key password"); if (scheme == NM_SETTING_802_1X_CK_SCHEME_BLOB) { tmp_key = (GByteArray *) nm_setting_802_1x_get_private_key_blob (s_8021x); ASSERT (tmp_key != NULL, "private-key-import", "missing private key blob"); compare_blob_data ("private-key-import", path, tmp_key); } else if (scheme == NM_SETTING_802_1X_CK_SCHEME_PATH) { g_object_get (s_8021x, NM_SETTING_802_1X_PRIVATE_KEY, &tmp_key, NULL); ASSERT (tmp_key != NULL, "private-key-import", "missing private key value"); check_scheme_path (tmp_key, path); g_byte_array_free (tmp_key, TRUE); } else g_assert_not_reached (); /* If it's PKCS#12 ensure the client cert is the same value */ if (format == NM_SETTING_802_1X_CK_FORMAT_PKCS12) { g_object_get (s_8021x, NM_SETTING_802_1X_PRIVATE_KEY, &tmp_key, NULL); ASSERT (tmp_key != NULL, "private-key-import", "missing private key value"); g_object_get (s_8021x, NM_SETTING_802_1X_CLIENT_CERT, &client_cert, NULL); ASSERT (client_cert != NULL, "private-key-import", "missing client certificate value"); /* make sure they are the same */ ASSERT (tmp_key->len == client_cert->len, "private-key-import", "unexpected different private key and client cert lengths"); ASSERT (memcmp (tmp_key->data, client_cert->data, tmp_key->len) == 0, "private-key-import", "unexpected different private key and client cert data"); g_byte_array_free (tmp_key, TRUE); g_byte_array_free (client_cert, TRUE); } g_object_unref (s_8021x); }
static void fill_connection (EAPMethod *parent, NMConnection *connection, NMSettingSecretFlags flags) { EAPMethodTLS *method = (EAPMethodTLS *) parent; NMSetting8021xCKFormat format = NM_SETTING_802_1X_CK_FORMAT_UNKNOWN; NMSetting8021x *s_8021x; NMSettingSecretFlags secret_flags; GtkWidget *widget, *passwd_entry; char *ca_filename, *pk_filename, *cc_filename; const char *password = NULL; GError *error = NULL; gboolean ca_cert_error = FALSE; s_8021x = nm_connection_get_setting_802_1x (connection); g_assert (s_8021x); if (parent->phase2) g_object_set (s_8021x, NM_SETTING_802_1X_PHASE2_AUTH, "tls", NULL); else nm_setting_802_1x_add_eap_method (s_8021x, "tls"); widget = GTK_WIDGET (gtk_builder_get_object (parent->builder, "eap_tls_identity_entry")); g_assert (widget); g_object_set (s_8021x, NM_SETTING_802_1X_IDENTITY, gtk_entry_get_text (GTK_ENTRY (widget)), NULL); /* TLS private key */ widget = GTK_WIDGET (gtk_builder_get_object (parent->builder, "eap_tls_private_key_password_entry")); g_assert (widget); password = gtk_entry_get_text (GTK_ENTRY (widget)); g_assert (password); passwd_entry = widget; widget = GTK_WIDGET (gtk_builder_get_object (parent->builder, "eap_tls_private_key_button")); g_assert (widget); pk_filename = gtk_file_chooser_get_filename (GTK_FILE_CHOOSER (widget)); g_assert (pk_filename); if (parent->phase2) { if (!nm_setting_802_1x_set_phase2_private_key (s_8021x, pk_filename, password, NM_SETTING_802_1X_CK_SCHEME_PATH, &format, &error)) { g_warning ("Couldn't read phase2 private key '%s': %s", pk_filename, error ? error->message : "(unknown)"); g_clear_error (&error); } } else { if (!nm_setting_802_1x_set_private_key (s_8021x, pk_filename, password, NM_SETTING_802_1X_CK_SCHEME_PATH, &format, &error)) { g_warning ("Couldn't read private key '%s': %s", pk_filename, error ? error->message : "(unknown)"); g_clear_error (&error); } } g_free (pk_filename); /* Save 802.1X password flags to the connection */ secret_flags = nma_utils_menu_to_secret_flags (passwd_entry); nm_setting_set_secret_flags (NM_SETTING (s_8021x), parent->password_flags_name, secret_flags, NULL); /* Update secret flags and popup when editing the connection */ if (method->editing_connection) { nma_utils_update_password_storage (passwd_entry, secret_flags, NM_SETTING (s_8021x), parent->password_flags_name); } /* TLS client certificate */ if (format != NM_SETTING_802_1X_CK_FORMAT_PKCS12) { /* If the key is pkcs#12 nm_setting_802_1x_set_private_key() already * set the client certificate for us. */ widget = GTK_WIDGET (gtk_builder_get_object (parent->builder, "eap_tls_user_cert_button")); g_assert (widget); cc_filename = gtk_file_chooser_get_filename (GTK_FILE_CHOOSER (widget)); g_assert (cc_filename); format = NM_SETTING_802_1X_CK_FORMAT_UNKNOWN; if (parent->phase2) { if (!nm_setting_802_1x_set_phase2_client_cert (s_8021x, cc_filename, NM_SETTING_802_1X_CK_SCHEME_PATH, &format, &error)) { g_warning ("Couldn't read phase2 client certificate '%s': %s", cc_filename, error ? error->message : "(unknown)"); g_clear_error (&error); } } else { if (!nm_setting_802_1x_set_client_cert (s_8021x, cc_filename, NM_SETTING_802_1X_CK_SCHEME_PATH, &format, &error)) { g_warning ("Couldn't read client certificate '%s': %s", cc_filename, error ? error->message : "(unknown)"); g_clear_error (&error); } } g_free (cc_filename); } /* TLS CA certificate */ widget = GTK_WIDGET (gtk_builder_get_object (parent->builder, "eap_tls_ca_cert_button")); g_assert (widget); ca_filename = gtk_file_chooser_get_filename (GTK_FILE_CHOOSER (widget)); format = NM_SETTING_802_1X_CK_FORMAT_UNKNOWN; if (parent->phase2) { if (!nm_setting_802_1x_set_phase2_ca_cert (s_8021x, ca_filename, NM_SETTING_802_1X_CK_SCHEME_PATH, &format, &error)) { g_warning ("Couldn't read phase2 CA certificate '%s': %s", ca_filename, error ? error->message : "(unknown)"); g_clear_error (&error); ca_cert_error = TRUE; } } else { if (!nm_setting_802_1x_set_ca_cert (s_8021x, ca_filename, NM_SETTING_802_1X_CK_SCHEME_PATH, &format, &error)) { g_warning ("Couldn't read CA certificate '%s': %s", ca_filename, error ? error->message : "(unknown)"); g_clear_error (&error); ca_cert_error = TRUE; } } eap_method_ca_cert_ignore_set (parent, connection, ca_filename, ca_cert_error); g_free (ca_filename); }