static void
test_clear_private_key (const char *path, const char *password)
{
NMSetting8021x *s_8021x;
gboolean success;
NMSetting8021xCKFormat format = NM_SETTING_802_1X_CK_FORMAT_UNKNOWN;
GError *error = NULL;
const char *pw;
s_8021x = (NMSetting8021x *) nm_setting_802_1x_new ();
ASSERT (s_8021x != NULL, "clear-private-key", "setting was NULL");
success = nm_setting_802_1x_set_private_key (s_8021x,
path,
password,
NM_SETTING_802_1X_CK_SCHEME_BLOB,
&format,
&error);
ASSERT (success == TRUE,
"clear-private-key", "error reading private key: %s", error->message);
ASSERT (format != NM_SETTING_802_1X_CK_FORMAT_UNKNOWN,
"clear-private-key", "unexpected private key format (got %d)", format);
/* Make sure the password is what we expect */
pw = nm_setting_802_1x_get_private_key_password (s_8021x);
ASSERT (pw != NULL,
"clear-private-key", "failed to get previous private key password");
ASSERT (strcmp (pw, password) == 0,
"clear-private-key", "failed to compare private key password");
/* Now clear it */
success = nm_setting_802_1x_set_private_key (s_8021x,
NULL,
NULL,
NM_SETTING_802_1X_CK_SCHEME_BLOB,
NULL,
&error);
ASSERT (success == TRUE,
"clear-private-key", "unexpected failure clearing private key");
ASSERT (error == NULL,
"clear-private-key", "unexpected error clearing private key");
/* Ensure the password is also now clear */
ASSERT (nm_setting_802_1x_get_private_key_password (s_8021x) == NULL,
"clear-private-key", "unexpected private key password");
g_object_unref (s_8021x);
}
static void
test_wrong_password_keeps_data (const char *path, const char *password)
{
NMSetting8021x *s_8021x;
gboolean success;
NMSetting8021xCKFormat format = NM_SETTING_802_1X_CK_FORMAT_UNKNOWN;
GError *error = NULL;
const char *pw;
s_8021x = (NMSetting8021x *) nm_setting_802_1x_new ();
ASSERT (s_8021x != NULL, "wrong-password-keeps-data", "setting was NULL");
success = nm_setting_802_1x_set_private_key (s_8021x,
path,
password,
NM_SETTING_802_1X_CK_SCHEME_BLOB,
&format,
&error);
ASSERT (success == TRUE,
"wrong-password-keeps-data", "error reading private key: %s", error->message);
ASSERT (format != NM_SETTING_802_1X_CK_FORMAT_UNKNOWN,
"wrong-password-keeps-data", "unexpected private key format (got %d)", format);
/* Now try to set it to something that's not a certificate */
format = NM_SETTING_802_1X_CK_FORMAT_UNKNOWN;
success = nm_setting_802_1x_set_private_key (s_8021x,
"Makefile.am",
password,
NM_SETTING_802_1X_CK_SCHEME_BLOB,
&format,
&error);
ASSERT (success == FALSE,
"wrong-password-keeps-data", "unexpected success reading private key");
ASSERT (error != NULL,
"wrong-password-keeps-data", "unexpected missing error");
ASSERT (format == NM_SETTING_802_1X_CK_FORMAT_UNKNOWN,
"wrong-password-keeps-data", "unexpected success reading private key format");
/* Make sure the password hasn't changed */
pw = nm_setting_802_1x_get_private_key_password (s_8021x);
ASSERT (pw != NULL,
"wrong-password-keeps-data", "failed to get previous private key password");
ASSERT (strcmp (pw, password) == 0,
"wrong-password-keeps-data", "failed to compare private key password");
g_object_unref (s_8021x);
}
gboolean
eap_method_validate_filepicker (GtkBuilder *builder,
const char *name,
guint32 item_type,
const char *password,
NMSetting8021xCKFormat *out_format)
{
GtkWidget *widget;
char *filename;
NMSetting8021x *setting;
gboolean success = FALSE;
GError *error = NULL;
if (item_type == TYPE_PRIVATE_KEY) {
g_return_val_if_fail (password != NULL, FALSE);
g_return_val_if_fail (strlen (password), FALSE);
}
widget = GTK_WIDGET (gtk_builder_get_object (builder, name));
g_assert (widget);
filename = gtk_file_chooser_get_filename (GTK_FILE_CHOOSER (widget));
if (!filename)
return (item_type == TYPE_CA_CERT) ? TRUE : FALSE;
if (!g_file_test (filename, G_FILE_TEST_EXISTS | G_FILE_TEST_IS_REGULAR))
goto out;
setting = (NMSetting8021x *) nm_setting_802_1x_new ();
if (item_type == TYPE_PRIVATE_KEY) {
if (!nm_setting_802_1x_set_private_key (setting, filename, password, NM_SETTING_802_1X_CK_SCHEME_PATH, out_format, &error)) {
g_warning ("Error: couldn't verify private key: %d %s",
error ? error->code : -1, error ? error->message : "(none)");
g_clear_error (&error);
} else
success = TRUE;
} else if (item_type == TYPE_CLIENT_CERT) {
if (!nm_setting_802_1x_set_client_cert (setting, filename, NM_SETTING_802_1X_CK_SCHEME_PATH, out_format, &error)) {
g_warning ("Error: couldn't verify client certificate: %d %s",
error ? error->code : -1, error ? error->message : "(none)");
g_clear_error (&error);
} else
success = TRUE;
} else if (item_type == TYPE_CA_CERT) {
if (!nm_setting_802_1x_set_ca_cert (setting, filename, NM_SETTING_802_1X_CK_SCHEME_PATH, out_format, &error)) {
g_warning ("Error: couldn't verify CA certificate: %d %s",
error ? error->code : -1, error ? error->message : "(none)");
g_clear_error (&error);
} else
success = TRUE;
} else
g_warning ("%s: invalid item type %d.", __func__, item_type);
g_object_unref (setting);
out:
g_free (filename);
return success;
}
static void
private_key_picker_helper (EAPMethod *parent, const char *filename, gboolean changed)
{
NMSetting8021x *setting;
NMSetting8021xCKFormat cert_format = NM_SETTING_802_1X_CK_FORMAT_UNKNOWN;
const char *password;
GtkWidget *widget;
widget = glade_xml_get_widget (parent->xml, "eap_tls_private_key_password_entry");
g_assert (widget);
password = gtk_entry_get_text (GTK_ENTRY (widget));
setting = (NMSetting8021x *) nm_setting_802_1x_new ();
nm_setting_802_1x_set_private_key (setting, filename, password, NM_SETTING_802_1X_CK_SCHEME_PATH, &cert_format, NULL);
g_object_unref (setting);
/* With PKCS#12, the client cert must be the same as the private key */
widget = glade_xml_get_widget (parent->xml, "eap_tls_user_cert_button");
if (cert_format == NM_SETTING_802_1X_CK_FORMAT_PKCS12) {
gtk_file_chooser_unselect_all (GTK_FILE_CHOOSER (widget));
gtk_widget_set_sensitive (widget, FALSE);
} else if (changed)
gtk_widget_set_sensitive (widget, TRUE);
/* Warn the user if the private key is unencrypted */
if (!eap_method_is_encrypted_private_key (filename)) {
GtkWidget *dialog;
GtkWidget *toplevel;
GtkWindow *parent_window = NULL;
toplevel = gtk_widget_get_toplevel (parent->ui_widget);
#if GTK_CHECK_VERSION(2,18,0)
if (gtk_widget_is_toplevel (toplevel))
#else
if (GTK_WIDGET_TOPLEVEL (toplevel))
#endif
parent_window = GTK_WINDOW (toplevel);
dialog = gtk_message_dialog_new (parent_window,
GTK_DIALOG_MODAL | GTK_DIALOG_DESTROY_WITH_PARENT,
GTK_MESSAGE_WARNING,
GTK_BUTTONS_OK,
"%s",
_("Unencrypted private keys are insecure"));
gtk_message_dialog_format_secondary_text (GTK_MESSAGE_DIALOG (dialog),
"%s",
_("The selected private key does not appear to be protected by a password. This could allow your security credentials to be compromised. Please select a password-protected private key.\n\n(You can password-protect your private key with openssl)"));
gtk_dialog_run (GTK_DIALOG (dialog));
gtk_widget_destroy (dialog);
}
}
gboolean
eap_method_validate_filepicker (GtkBuilder *builder,
const char *name,
guint32 item_type,
const char *password,
NMSetting8021xCKFormat *out_format,
GError **error)
{
GtkWidget *widget;
char *filename;
NMSetting8021x *setting;
gboolean success = FALSE;
if (item_type == TYPE_PRIVATE_KEY) {
g_return_val_if_fail (password != NULL, FALSE);
g_return_val_if_fail (strlen (password), FALSE);
}
widget = GTK_WIDGET (gtk_builder_get_object (builder, name));
g_assert (widget);
filename = gtk_file_chooser_get_filename (GTK_FILE_CHOOSER (widget));
if (!filename)
return (item_type == TYPE_CA_CERT) ? TRUE : FALSE;
if (!g_file_test (filename, G_FILE_TEST_EXISTS | G_FILE_TEST_IS_REGULAR))
goto out;
setting = (NMSetting8021x *) nm_setting_802_1x_new ();
if (item_type == TYPE_PRIVATE_KEY) {
if (nm_setting_802_1x_set_private_key (setting, filename, password, NM_SETTING_802_1X_CK_SCHEME_PATH, out_format, error))
success = TRUE;
} else if (item_type == TYPE_CLIENT_CERT) {
if (nm_setting_802_1x_set_client_cert (setting, filename, NM_SETTING_802_1X_CK_SCHEME_PATH, out_format, error))
success = TRUE;
} else if (item_type == TYPE_CA_CERT) {
if (nm_setting_802_1x_set_ca_cert (setting, filename, NM_SETTING_802_1X_CK_SCHEME_PATH, out_format, error))
success = TRUE;
} else
g_warning ("%s: invalid item type %d.", __func__, item_type);
g_object_unref (setting);
out:
g_free (filename);
if (!success && error && !*error)
g_set_error_literal (error, NMA_ERROR, NMA_ERROR_GENERIC, _("unspecified error validating eap-method file"));
return success;
}
static void
fill_connection (EAPMethod *parent, NMConnection *connection)
{
EAPMethodTLS *method = (EAPMethodTLS *) parent;
NMSetting8021xCKFormat format = NM_SETTING_802_1X_CK_FORMAT_UNKNOWN;
NMSetting8021x *s_8021x;
GtkWidget *widget;
char *ca_filename, *pk_filename, *cc_filename;
const char *password = NULL;
GError *error = NULL;
const char *secret_flag_prop = NULL;
s_8021x = nm_connection_get_setting_802_1x (connection);
g_assert (s_8021x);
if (parent->phase2)
g_object_set (s_8021x, NM_SETTING_802_1X_PHASE2_AUTH, "tls", NULL);
else
nm_setting_802_1x_add_eap_method (s_8021x, "tls");
widget = GTK_WIDGET (gtk_builder_get_object (parent->builder, "eap_tls_identity_entry"));
g_assert (widget);
g_object_set (s_8021x, NM_SETTING_802_1X_IDENTITY, gtk_entry_get_text (GTK_ENTRY (widget)), NULL);
/* TLS private key */
widget = GTK_WIDGET (gtk_builder_get_object (parent->builder, "eap_tls_private_key_password_entry"));
g_assert (widget);
password = gtk_entry_get_text (GTK_ENTRY (widget));
g_assert (password);
widget = GTK_WIDGET (gtk_builder_get_object (parent->builder, "eap_tls_private_key_button"));
g_assert (widget);
pk_filename = gtk_file_chooser_get_filename (GTK_FILE_CHOOSER (widget));
g_assert (pk_filename);
if (parent->phase2) {
if (!nm_setting_802_1x_set_phase2_private_key (s_8021x, pk_filename, password, NM_SETTING_802_1X_CK_SCHEME_PATH, &format, &error)) {
g_warning ("Couldn't read phase2 private key '%s': %s", pk_filename, error ? error->message : "(unknown)");
g_clear_error (&error);
}
secret_flag_prop = NM_SETTING_802_1X_PHASE2_PRIVATE_KEY_PASSWORD_FLAGS;
} else {
if (!nm_setting_802_1x_set_private_key (s_8021x, pk_filename, password, NM_SETTING_802_1X_CK_SCHEME_PATH, &format, &error)) {
g_warning ("Couldn't read private key '%s': %s", pk_filename, error ? error->message : "(unknown)");
g_clear_error (&error);
}
secret_flag_prop = NM_SETTING_802_1X_PRIVATE_KEY_PASSWORD_FLAGS;
}
g_free (pk_filename);
/* Default to agent-owned secrets for new connections */
if (method->new_connection) {
g_object_set (s_8021x,
secret_flag_prop, NM_SETTING_SECRET_FLAG_AGENT_OWNED,
NM_SETTING_802_1X_SYSTEM_CA_CERTS, TRUE,
NULL);
}
/* TLS client certificate */
if (format != NM_SETTING_802_1X_CK_FORMAT_PKCS12) {
/* If the key is pkcs#12 nm_setting_802_1x_set_private_key() already
* set the client certificate for us.
*/
widget = GTK_WIDGET (gtk_builder_get_object (parent->builder, "eap_tls_user_cert_button"));
g_assert (widget);
cc_filename = gtk_file_chooser_get_filename (GTK_FILE_CHOOSER (widget));
g_assert (cc_filename);
format = NM_SETTING_802_1X_CK_FORMAT_UNKNOWN;
if (parent->phase2) {
if (!nm_setting_802_1x_set_phase2_client_cert (s_8021x, cc_filename, NM_SETTING_802_1X_CK_SCHEME_PATH, &format, &error)) {
g_warning ("Couldn't read phase2 client certificate '%s': %s", cc_filename, error ? error->message : "(unknown)");
g_clear_error (&error);
}
} else {
if (!nm_setting_802_1x_set_client_cert (s_8021x, cc_filename, NM_SETTING_802_1X_CK_SCHEME_PATH, &format, &error)) {
g_warning ("Couldn't read client certificate '%s': %s", cc_filename, error ? error->message : "(unknown)");
g_clear_error (&error);
}
}
g_free (cc_filename);
}
/* TLS CA certificate */
widget = GTK_WIDGET (gtk_builder_get_object (parent->builder, "eap_tls_ca_cert_button"));
g_assert (widget);
ca_filename = gtk_file_chooser_get_filename (GTK_FILE_CHOOSER (widget));
format = NM_SETTING_802_1X_CK_FORMAT_UNKNOWN;
if (parent->phase2) {
if (!nm_setting_802_1x_set_phase2_ca_cert (s_8021x, ca_filename, NM_SETTING_802_1X_CK_SCHEME_PATH, &format, &error)) {
g_warning ("Couldn't read phase2 CA certificate '%s': %s", ca_filename, error ? error->message : "(unknown)");
g_clear_error (&error);
}
} else {
if (!nm_setting_802_1x_set_ca_cert (s_8021x, ca_filename, NM_SETTING_802_1X_CK_SCHEME_PATH, &format, &error)) {
g_warning ("Couldn't read CA certificate '%s': %s", ca_filename, error ? error->message : "(unknown)");
g_clear_error (&error);
}
}
}
static NMConnection *
make_tls_connection (const char *detail, NMSetting8021xCKScheme scheme)
{
NMConnection *connection;
NMSettingConnection *s_con;
NMSetting8021x *s_8021x;
NMSettingWired *s_wired;
NMSettingIP4Config *s_ip4;
char *uuid;
gboolean success;
GError *error = NULL;
connection = nm_connection_new ();
ASSERT (connection != NULL,
detail, "failed to allocate new connection");
/* Connection setting */
s_con = (NMSettingConnection *) nm_setting_connection_new ();
ASSERT (s_con != NULL,
detail, "failed to allocate new %s setting",
NM_SETTING_CONNECTION_SETTING_NAME);
nm_connection_add_setting (connection, NM_SETTING (s_con));
uuid = nm_utils_uuid_generate ();
g_object_set (s_con,
NM_SETTING_CONNECTION_ID, "Test Need TLS Secrets",
NM_SETTING_CONNECTION_UUID, uuid,
NM_SETTING_CONNECTION_AUTOCONNECT, TRUE,
NM_SETTING_CONNECTION_TYPE, NM_SETTING_WIRED_SETTING_NAME,
NULL);
g_free (uuid);
/* Wired setting */
s_wired = (NMSettingWired *) nm_setting_wired_new ();
ASSERT (s_wired != NULL,
detail, "failed to allocate new %s setting",
NM_SETTING_WIRED_SETTING_NAME);
nm_connection_add_setting (connection, NM_SETTING (s_wired));
/* Wireless security setting */
s_8021x = (NMSetting8021x *) nm_setting_802_1x_new ();
ASSERT (s_8021x != NULL,
detail, "failed to allocate new %s setting",
NM_SETTING_802_1X_SETTING_NAME);
nm_connection_add_setting (connection, NM_SETTING (s_8021x));
g_object_set (s_8021x, NM_SETTING_802_1X_IDENTITY, "Bill Smith", NULL);
nm_setting_802_1x_add_eap_method (s_8021x, "tls");
success = nm_setting_802_1x_set_ca_cert (s_8021x,
TEST_NEED_SECRETS_EAP_TLS_CA_CERT,
scheme,
NULL,
&error);
ASSERT (success == TRUE,
detail, "failed to set CA certificate '%s': %s",
TEST_NEED_SECRETS_EAP_TLS_CA_CERT, error->message);
success = nm_setting_802_1x_set_client_cert (s_8021x,
TEST_NEED_SECRETS_EAP_TLS_CLIENT_CERT,
scheme,
NULL,
&error);
ASSERT (success == TRUE,
detail, "failed to set client certificate '%s': %s",
TEST_NEED_SECRETS_EAP_TLS_CLIENT_CERT, error->message);
success = nm_setting_802_1x_set_private_key (s_8021x,
TEST_NEED_SECRETS_EAP_TLS_PRIVATE_KEY,
"test",
scheme,
NULL,
&error);
ASSERT (success == TRUE,
detail, "failed to set private key '%s': %s",
TEST_NEED_SECRETS_EAP_TLS_PRIVATE_KEY, error->message);
/* IP4 setting */
s_ip4 = (NMSettingIP4Config *) nm_setting_ip4_config_new ();
ASSERT (s_ip4 != NULL,
detail, "failed to allocate new %s setting",
NM_SETTING_IP4_CONFIG_SETTING_NAME);
nm_connection_add_setting (connection, NM_SETTING (s_ip4));
g_object_set (s_ip4, NM_SETTING_IP4_CONFIG_METHOD, NM_SETTING_IP4_CONFIG_METHOD_AUTO, NULL);
ASSERT (nm_connection_verify (connection, &error) == TRUE,
detail, "failed to verify connection: %s",
(error && error->message) ? error->message : "(unknown)");
return connection;
}
static void
fill_connection (EAPMethod *parent, NMConnection *connection)
{
EAPMethodTLS *method = (EAPMethodTLS *) parent;
NMSetting8021xCKFormat format = NM_SETTING_802_1X_CK_FORMAT_UNKNOWN;
NMSetting8021x *s_8021x;
NMSettingConnection *s_con;
GtkWidget *widget;
char *ca_filename, *pk_filename, *cc_filename;
const char *password = NULL;
GError *error = NULL;
s_con = NM_SETTING_CONNECTION (nm_connection_get_setting (connection, NM_TYPE_SETTING_CONNECTION));
g_assert (s_con);
s_8021x = NM_SETTING_802_1X (nm_connection_get_setting (connection, NM_TYPE_SETTING_802_1X));
g_assert (s_8021x);
if (method->phase2)
g_object_set (s_8021x, NM_SETTING_802_1X_PHASE2_AUTH, "tls", NULL);
else
nm_setting_802_1x_add_eap_method (s_8021x, "tls");
widget = glade_xml_get_widget (parent->xml, "eap_tls_identity_entry");
g_assert (widget);
g_object_set (s_8021x, NM_SETTING_802_1X_IDENTITY, gtk_entry_get_text (GTK_ENTRY (widget)), NULL);
/* TLS private key */
widget = glade_xml_get_widget (parent->xml, "eap_tls_private_key_password_entry");
g_assert (widget);
password = gtk_entry_get_text (GTK_ENTRY (widget));
g_assert (password);
widget = glade_xml_get_widget (parent->xml, "eap_tls_private_key_button");
g_assert (widget);
pk_filename = gtk_file_chooser_get_filename (GTK_FILE_CHOOSER (widget));
g_assert (pk_filename);
if (method->phase2) {
if (!nm_setting_802_1x_set_phase2_private_key (s_8021x, pk_filename, password, NM_SETTING_802_1X_CK_SCHEME_PATH, &format, &error)) {
g_warning ("Couldn't read phase2 private key '%s': %s", pk_filename, error ? error->message : "(unknown)");
g_clear_error (&error);
}
} else {
if (!nm_setting_802_1x_set_private_key (s_8021x, pk_filename, password, NM_SETTING_802_1X_CK_SCHEME_PATH, &format, &error)) {
g_warning ("Couldn't read private key '%s': %s", pk_filename, error ? error->message : "(unknown)");
g_clear_error (&error);
}
}
g_free (pk_filename);
/* TLS client certificate */
if (format != NM_SETTING_802_1X_CK_FORMAT_PKCS12) {
/* If the key is pkcs#12 nm_setting_802_1x_set_private_key() already
* set the client certificate for us.
*/
widget = glade_xml_get_widget (parent->xml, "eap_tls_user_cert_button");
g_assert (widget);
cc_filename = gtk_file_chooser_get_filename (GTK_FILE_CHOOSER (widget));
g_assert (cc_filename);
format = NM_SETTING_802_1X_CK_FORMAT_UNKNOWN;
if (method->phase2) {
if (!nm_setting_802_1x_set_phase2_client_cert (s_8021x, cc_filename, NM_SETTING_802_1X_CK_SCHEME_PATH, &format, &error)) {
g_warning ("Couldn't read phase2 client certificate '%s': %s", cc_filename, error ? error->message : "(unknown)");
g_clear_error (&error);
}
} else {
if (!nm_setting_802_1x_set_client_cert (s_8021x, cc_filename, NM_SETTING_802_1X_CK_SCHEME_PATH, &format, &error)) {
g_warning ("Couldn't read client certificate '%s': %s", cc_filename, error ? error->message : "(unknown)");
g_clear_error (&error);
}
}
g_free (cc_filename);
}
/* TLS CA certificate */
widget = glade_xml_get_widget (parent->xml, "eap_tls_ca_cert_button");
g_assert (widget);
ca_filename = gtk_file_chooser_get_filename (GTK_FILE_CHOOSER (widget));
format = NM_SETTING_802_1X_CK_FORMAT_UNKNOWN;
if (method->phase2) {
if (!nm_setting_802_1x_set_phase2_ca_cert (s_8021x, ca_filename, NM_SETTING_802_1X_CK_SCHEME_PATH, &format, &error)) {
g_warning ("Couldn't read phase2 CA certificate '%s': %s", ca_filename, error ? error->message : "(unknown)");
g_clear_error (&error);
}
} else {
if (!nm_setting_802_1x_set_ca_cert (s_8021x, ca_filename, NM_SETTING_802_1X_CK_SCHEME_PATH, &format, &error)) {
g_warning ("Couldn't read CA certificate '%s': %s", ca_filename, error ? error->message : "(unknown)");
g_clear_error (&error);
}
}
nm_gconf_set_ignore_ca_cert (nm_setting_connection_get_uuid (s_con),
method->phase2,
eap_method_get_ignore_ca_cert (parent));
}
static void
test_private_key_import (const char *path,
const char *password,
NMSetting8021xCKScheme scheme)
{
NMSetting8021x *s_8021x;
gboolean success;
NMSetting8021xCKFormat format = NM_SETTING_802_1X_CK_FORMAT_UNKNOWN;
NMSetting8021xCKFormat tmp_fmt;
GError *error = NULL;
GByteArray *tmp_key = NULL, *client_cert = NULL;
const char *pw;
s_8021x = (NMSetting8021x *) nm_setting_802_1x_new ();
ASSERT (s_8021x != NULL, "private-key-import", "setting was NULL");
success = nm_setting_802_1x_set_private_key (s_8021x,
path,
password,
scheme,
&format,
&error);
ASSERT (success == TRUE,
"private-key-import", "error reading private key: %s", error->message);
ASSERT (format != NM_SETTING_802_1X_CK_FORMAT_UNKNOWN,
"private-key-import", "unexpected private key format (got %d)", format);
tmp_fmt = nm_setting_802_1x_get_private_key_format (s_8021x);
ASSERT (tmp_fmt == format,
"private-key-import", "unexpected re-read private key format (expected %d, got %d)",
format, tmp_fmt);
/* Make sure the password is what we expect */
pw = nm_setting_802_1x_get_private_key_password (s_8021x);
ASSERT (pw != NULL,
"private-key-import", "failed to get previous private key password");
ASSERT (strcmp (pw, password) == 0,
"private-key-import", "failed to compare private key password");
if (scheme == NM_SETTING_802_1X_CK_SCHEME_BLOB) {
tmp_key = (GByteArray *) nm_setting_802_1x_get_private_key_blob (s_8021x);
ASSERT (tmp_key != NULL, "private-key-import", "missing private key blob");
compare_blob_data ("private-key-import", path, tmp_key);
} else if (scheme == NM_SETTING_802_1X_CK_SCHEME_PATH) {
g_object_get (s_8021x, NM_SETTING_802_1X_PRIVATE_KEY, &tmp_key, NULL);
ASSERT (tmp_key != NULL, "private-key-import", "missing private key value");
check_scheme_path (tmp_key, path);
g_byte_array_free (tmp_key, TRUE);
} else
g_assert_not_reached ();
/* If it's PKCS#12 ensure the client cert is the same value */
if (format == NM_SETTING_802_1X_CK_FORMAT_PKCS12) {
g_object_get (s_8021x, NM_SETTING_802_1X_PRIVATE_KEY, &tmp_key, NULL);
ASSERT (tmp_key != NULL, "private-key-import", "missing private key value");
g_object_get (s_8021x, NM_SETTING_802_1X_CLIENT_CERT, &client_cert, NULL);
ASSERT (client_cert != NULL, "private-key-import", "missing client certificate value");
/* make sure they are the same */
ASSERT (tmp_key->len == client_cert->len,
"private-key-import", "unexpected different private key and client cert lengths");
ASSERT (memcmp (tmp_key->data, client_cert->data, tmp_key->len) == 0,
"private-key-import", "unexpected different private key and client cert data");
g_byte_array_free (tmp_key, TRUE);
g_byte_array_free (client_cert, TRUE);
}
g_object_unref (s_8021x);
}
static void
fill_connection (EAPMethod *parent, NMConnection *connection, NMSettingSecretFlags flags)
{
EAPMethodTLS *method = (EAPMethodTLS *) parent;
NMSetting8021xCKFormat format = NM_SETTING_802_1X_CK_FORMAT_UNKNOWN;
NMSetting8021x *s_8021x;
NMSettingSecretFlags secret_flags;
GtkWidget *widget, *passwd_entry;
char *ca_filename, *pk_filename, *cc_filename;
const char *password = NULL;
GError *error = NULL;
gboolean ca_cert_error = FALSE;
s_8021x = nm_connection_get_setting_802_1x (connection);
g_assert (s_8021x);
if (parent->phase2)
g_object_set (s_8021x, NM_SETTING_802_1X_PHASE2_AUTH, "tls", NULL);
else
nm_setting_802_1x_add_eap_method (s_8021x, "tls");
widget = GTK_WIDGET (gtk_builder_get_object (parent->builder, "eap_tls_identity_entry"));
g_assert (widget);
g_object_set (s_8021x, NM_SETTING_802_1X_IDENTITY, gtk_entry_get_text (GTK_ENTRY (widget)), NULL);
/* TLS private key */
widget = GTK_WIDGET (gtk_builder_get_object (parent->builder, "eap_tls_private_key_password_entry"));
g_assert (widget);
password = gtk_entry_get_text (GTK_ENTRY (widget));
g_assert (password);
passwd_entry = widget;
widget = GTK_WIDGET (gtk_builder_get_object (parent->builder, "eap_tls_private_key_button"));
g_assert (widget);
pk_filename = gtk_file_chooser_get_filename (GTK_FILE_CHOOSER (widget));
g_assert (pk_filename);
if (parent->phase2) {
if (!nm_setting_802_1x_set_phase2_private_key (s_8021x, pk_filename, password, NM_SETTING_802_1X_CK_SCHEME_PATH, &format, &error)) {
g_warning ("Couldn't read phase2 private key '%s': %s", pk_filename, error ? error->message : "(unknown)");
g_clear_error (&error);
}
} else {
if (!nm_setting_802_1x_set_private_key (s_8021x, pk_filename, password, NM_SETTING_802_1X_CK_SCHEME_PATH, &format, &error)) {
g_warning ("Couldn't read private key '%s': %s", pk_filename, error ? error->message : "(unknown)");
g_clear_error (&error);
}
}
g_free (pk_filename);
/* Save 802.1X password flags to the connection */
secret_flags = nma_utils_menu_to_secret_flags (passwd_entry);
nm_setting_set_secret_flags (NM_SETTING (s_8021x), parent->password_flags_name,
secret_flags, NULL);
/* Update secret flags and popup when editing the connection */
if (method->editing_connection) {
nma_utils_update_password_storage (passwd_entry, secret_flags,
NM_SETTING (s_8021x), parent->password_flags_name);
}
/* TLS client certificate */
if (format != NM_SETTING_802_1X_CK_FORMAT_PKCS12) {
/* If the key is pkcs#12 nm_setting_802_1x_set_private_key() already
* set the client certificate for us.
*/
widget = GTK_WIDGET (gtk_builder_get_object (parent->builder, "eap_tls_user_cert_button"));
g_assert (widget);
cc_filename = gtk_file_chooser_get_filename (GTK_FILE_CHOOSER (widget));
g_assert (cc_filename);
format = NM_SETTING_802_1X_CK_FORMAT_UNKNOWN;
if (parent->phase2) {
if (!nm_setting_802_1x_set_phase2_client_cert (s_8021x, cc_filename, NM_SETTING_802_1X_CK_SCHEME_PATH, &format, &error)) {
g_warning ("Couldn't read phase2 client certificate '%s': %s", cc_filename, error ? error->message : "(unknown)");
g_clear_error (&error);
}
} else {
if (!nm_setting_802_1x_set_client_cert (s_8021x, cc_filename, NM_SETTING_802_1X_CK_SCHEME_PATH, &format, &error)) {
g_warning ("Couldn't read client certificate '%s': %s", cc_filename, error ? error->message : "(unknown)");
g_clear_error (&error);
}
}
g_free (cc_filename);
}
/* TLS CA certificate */
widget = GTK_WIDGET (gtk_builder_get_object (parent->builder, "eap_tls_ca_cert_button"));
g_assert (widget);
ca_filename = gtk_file_chooser_get_filename (GTK_FILE_CHOOSER (widget));
format = NM_SETTING_802_1X_CK_FORMAT_UNKNOWN;
if (parent->phase2) {
if (!nm_setting_802_1x_set_phase2_ca_cert (s_8021x, ca_filename, NM_SETTING_802_1X_CK_SCHEME_PATH, &format, &error)) {
g_warning ("Couldn't read phase2 CA certificate '%s': %s", ca_filename, error ? error->message : "(unknown)");
g_clear_error (&error);
ca_cert_error = TRUE;
}
} else {
if (!nm_setting_802_1x_set_ca_cert (s_8021x, ca_filename, NM_SETTING_802_1X_CK_SCHEME_PATH, &format, &error)) {
g_warning ("Couldn't read CA certificate '%s': %s", ca_filename, error ? error->message : "(unknown)");
g_clear_error (&error);
ca_cert_error = TRUE;
}
}
eap_method_ca_cert_ignore_set (parent, connection, ca_filename, ca_cert_error);
g_free (ca_filename);
}
