File nm-probe-radius-server-cert.patch of Package NetworkManager.openSUSE_12.1_Update
diff --git a/introspection/nm-device-wifi.xml b/introspection/nm-device-wifi.xml
index fb50762..fdff623 100644
--- a/introspection/nm-device-wifi.xml
+++ b/introspection/nm-device-wifi.xml
@@ -14,6 +14,18 @@
</tp:docstring>
</method>
+ <method name="ProbeCert">
+ <annotation name="org.freedesktop.DBus.GLib.CSymbol" value="impl_device_probe_cert"/>
+ <arg name="ssid" type="ay" direction="in">
+ <tp:docstring>
+ The SSID of the AP to be probed
+ </tp:docstring>
+ </arg>
+ <tp:docstring>
+ Probe the certificate of the RADIUS server.
+ </tp:docstring>
+ </method>
+
<property name="HwAddress" type="s" access="read">
<tp:docstring>
The active hardware address of the device.
@@ -81,6 +93,17 @@
</tp:docstring>
</signal>
+ <signal name="CertReceived">
+ <arg name="cert" type="a{sv}" tp:type="String_Variant_Map">
+ <tp:docstring>
+ The certificate of the RADIUS server
+ </tp:docstring>
+ </arg>
+ <tp:docstring>
+ Emitted when wpa_supplicant replies the certificate of the RADIUS server.
+ </tp:docstring>
+ </signal>
+
<tp:flags name="NM_802_11_DEVICE_CAP" type="u">
<tp:docstring>
Flags describing the capabilities of a wireless device.
diff --git a/libnm-glib/libnm-glib.ver b/libnm-glib/libnm-glib.ver
index 1a4a68c..51b8c50 100644
--- a/libnm-glib/libnm-glib.ver
+++ b/libnm-glib/libnm-glib.ver
@@ -98,6 +98,7 @@ global:
nm_device_wifi_get_permanent_hw_address;
nm_device_wifi_get_type;
nm_device_wifi_new;
+ nm_device_wifi_probe_cert;
nm_device_wimax_get_active_nsp;
nm_device_wimax_get_bsid;
nm_device_wimax_get_center_frequency;
diff --git a/libnm-glib/nm-device-wifi.c b/libnm-glib/nm-device-wifi.c
index 7d0e1b9..2bf4e3b 100644
--- a/libnm-glib/nm-device-wifi.c
+++ b/libnm-glib/nm-device-wifi.c
@@ -84,6 +84,7 @@ enum {
enum {
ACCESS_POINT_ADDED,
ACCESS_POINT_REMOVED,
+ CERT_RECEIVED,
LAST_SIGNAL
};
@@ -385,6 +386,26 @@ nm_device_wifi_get_access_point_by_path (NMDeviceWifi *device,
return ap;
}
+gboolean
+nm_device_wifi_probe_cert (NMDeviceWifi *device,
+ const GByteArray *ssid)
+{
+ NMDeviceWifiPrivate *priv;
+ GError *error = NULL;
+
+ g_return_val_if_fail (NM_IS_DEVICE_WIFI (device), FALSE);
+
+ priv = NM_DEVICE_WIFI_GET_PRIVATE (device);
+
+ if (!org_freedesktop_NetworkManager_Device_Wireless_probe_cert (priv->proxy, ssid, &error)) {
+ g_warning ("%s: error probe certificate: %s", __func__, error->message);
+ g_error_free (error);
+ return FALSE;
+ }
+
+ return TRUE;
+}
+
static void
access_point_added_proxy (DBusGProxy *proxy, char *path, gpointer user_data)
{
@@ -440,6 +461,14 @@ access_point_removed_proxy (DBusGProxy *proxy, char *path, gpointer user_data)
}
static void
+cert_received_proxy (DBusGProxy *proxy, GHashTable *cert, gpointer user_data)
+{
+ NMDeviceWifi *self = NM_DEVICE_WIFI (user_data);
+
+ g_signal_emit (self, signals[CERT_RECEIVED], 0, cert);
+}
+
+static void
clean_up_aps (NMDeviceWifi *self, gboolean notify)
{
NMDeviceWifiPrivate *priv;
@@ -719,6 +748,13 @@ constructor (GType type,
G_CALLBACK (access_point_removed_proxy),
object, NULL);
+ dbus_g_proxy_add_signal (priv->proxy, "CertReceived",
+ DBUS_TYPE_G_MAP_OF_VARIANT,
+ G_TYPE_INVALID);
+ dbus_g_proxy_connect_signal (priv->proxy, "CertReceived",
+ G_CALLBACK (cert_received_proxy),
+ object, NULL);
+
register_for_property_changed (NM_DEVICE_WIFI (object));
g_signal_connect (NM_DEVICE (object),
@@ -888,4 +924,22 @@ nm_device_wifi_class_init (NMDeviceWifiClass *wifi_class)
g_cclosure_marshal_VOID__OBJECT,
G_TYPE_NONE, 1,
G_TYPE_OBJECT);
+
+ /**
+ * NMDeviceWifi::cert-received:
+ * @device: the wifi device that received the signal
+ * @subject: the subject of the RADIUS server
+ * @hash: the hash of the RADIUS server
+ *
+ * Notifies that a certificate of a RADIUS server is received.
+ **/
+ signals[CERT_RECEIVED] =
+ g_signal_new ("cert-received",
+ G_OBJECT_CLASS_TYPE (object_class),
+ G_SIGNAL_RUN_FIRST,
+ G_STRUCT_OFFSET (NMDeviceWifiClass, cert_received),
+ NULL, NULL,
+ g_cclosure_marshal_VOID__BOXED,
+ G_TYPE_NONE, 1,
+ G_TYPE_HASH_TABLE);
}
diff --git a/libnm-glib/nm-device-wifi.h b/libnm-glib/nm-device-wifi.h
index fb2ab27..313a3f3 100644
--- a/libnm-glib/nm-device-wifi.h
+++ b/libnm-glib/nm-device-wifi.h
@@ -53,6 +53,7 @@ typedef struct {
/* Signals */
void (*access_point_added) (NMDeviceWifi *device, NMAccessPoint *ap);
void (*access_point_removed) (NMDeviceWifi *device, NMAccessPoint *ap);
+ void (*cert_received) (NMDeviceWifi *device, GHashTable *cert);
/* Padding for future expansion */
void (*_reserved1) (void);
@@ -60,7 +61,6 @@ typedef struct {
void (*_reserved3) (void);
void (*_reserved4) (void);
void (*_reserved5) (void);
- void (*_reserved6) (void);
} NMDeviceWifiClass;
GType nm_device_wifi_get_type (void);
@@ -79,6 +79,9 @@ NMAccessPoint * nm_device_wifi_get_access_point_by_path (NMDeviceWifi *
const GPtrArray * nm_device_wifi_get_access_points (NMDeviceWifi *device);
+gboolean nm_device_wifi_probe_cert (NMDeviceWifi *device,
+ const GByteArray *ssid);
+
G_END_DECLS
#endif /* NM_DEVICE_WIFI_H */
diff --git a/libnm-util/libnm-util.ver b/libnm-util/libnm-util.ver
index 53c2482..54a70e0 100644
--- a/libnm-util/libnm-util.ver
+++ b/libnm-util/libnm-util.ver
@@ -108,6 +108,7 @@ global:
nm_setting_802_1x_get_anonymous_identity;
nm_setting_802_1x_get_ca_cert_blob;
nm_setting_802_1x_get_ca_cert_path;
+ nm_setting_802_1x_get_ca_cert_hash;
nm_setting_802_1x_get_ca_cert_scheme;
nm_setting_802_1x_get_ca_path;
nm_setting_802_1x_get_client_cert_blob;
diff --git a/libnm-util/nm-setting-8021x.c b/libnm-util/nm-setting-8021x.c
index 07fdcc2..70c668d 100644
--- a/libnm-util/nm-setting-8021x.c
+++ b/libnm-util/nm-setting-8021x.c
@@ -64,6 +64,7 @@
**/
#define SCHEME_PATH "file://"
+#define SCHEME_HASH "hash://server/sha256/"
/**
* nm_setting_802_1x_error_quark:
@@ -390,6 +391,9 @@ get_cert_scheme (GByteArray *array)
if ( (array->len > strlen (SCHEME_PATH))
&& !memcmp (array->data, SCHEME_PATH, strlen (SCHEME_PATH)))
return NM_SETTING_802_1X_CK_SCHEME_PATH;
+ else if ( (array->len > strlen (SCHEME_HASH))
+ && !memcmp (array->data, SCHEME_HASH, strlen (SCHEME_HASH)))
+ return NM_SETTING_802_1X_CK_SCHEME_HASH;
return NM_SETTING_802_1X_CK_SCHEME_BLOB;
}
@@ -400,7 +404,8 @@ get_cert_scheme (GByteArray *array)
*
* Returns the scheme used to store the CA certificate. If the returned scheme
* is %NM_SETTING_802_1X_CK_SCHEME_BLOB, use nm_setting_802_1x_get_ca_cert_blob();
- * if %NM_SETTING_802_1X_CK_SCHEME_PATH, use nm_setting_802_1x_get_ca_cert_path().
+ * if %NM_SETTING_802_1X_CK_SCHEME_PATH, use nm_setting_802_1x_get_ca_cert_path();
+ * if %NM_SETTING_802_1X_CK_SCHEME_HASH, use nm_setting_802_1x_get_ca_cert_hash().
*
* Returns: scheme used to store the CA certificate (blob or path)
**/
@@ -464,6 +469,32 @@ nm_setting_802_1x_get_ca_cert_path (NMSetting8021x *setting)
return (const char *) (NM_SETTING_802_1X_GET_PRIVATE (setting)->ca_cert->data + strlen (SCHEME_PATH));
}
+/**
+ * nm_setting_802_1x_get_ca_cert_hash:
+ * @setting: the #NMSetting8021x
+ *
+ * Returns the CA certificate path if the CA certificate is stored using the
+ * %NM_SETTING_802_1X_CK_SCHEME_HASH scheme. Not all EAP methods use a
+ * CA certificate (LEAP for example), and those that can take advantage of the
+ * CA certificate allow it to be unset. Note that lack of a CA certificate
+ * reduces security by allowing man-in-the-middle attacks, because the identity
+ * of the network cannot be confirmed by the client.
+ *
+ * Returns: hash of the RADIUS server
+ **/
+const char *
+nm_setting_802_1x_get_ca_cert_hash (NMSetting8021x *setting)
+{
+ NMSetting8021xCKScheme scheme;
+
+ g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);
+
+ scheme = nm_setting_802_1x_get_ca_cert_scheme (setting);
+ g_return_val_if_fail (scheme == NM_SETTING_802_1X_CK_SCHEME_HASH, NULL);
+
+ return (const char *) (NM_SETTING_802_1X_GET_PRIVATE (setting)->ca_cert->data);
+}
+
static GByteArray *
path_to_scheme_value (const char *path)
{
@@ -515,7 +546,8 @@ nm_setting_802_1x_set_ca_cert (NMSetting8021x *self,
if (cert_path) {
g_return_val_if_fail (g_utf8_validate (cert_path, -1, NULL), FALSE);
g_return_val_if_fail ( scheme == NM_SETTING_802_1X_CK_SCHEME_BLOB
- || scheme == NM_SETTING_802_1X_CK_SCHEME_PATH,
+ || scheme == NM_SETTING_802_1X_CK_SCHEME_PATH
+ || scheme == NM_SETTING_802_1X_CK_SCHEME_HASH,
FALSE);
}
@@ -533,6 +565,17 @@ nm_setting_802_1x_set_ca_cert (NMSetting8021x *self,
if (!cert_path)
return TRUE;
+ if (scheme == NM_SETTING_802_1X_CK_SCHEME_HASH) {
+ int length = strlen (cert_path);
+ if ( length == (strlen (SCHEME_HASH) + 64)
+ && !g_str_has_prefix (cert_path, SCHEME_HASH))
+ return FALSE;
+ data = g_byte_array_sized_new (length + 1);
+ g_byte_array_append (data, (guint8 *) cert_path, length + 1);
+ priv->ca_cert = data;
+ return TRUE;
+ }
+
data = crypto_load_and_verify_certificate (cert_path, &format, error);
if (data) {
/* wpa_supplicant can only use raw x509 CA certs */
@@ -2397,6 +2440,13 @@ verify_cert (GByteArray *array, const char *prop_name, GError **error)
return TRUE;
}
break;
+ case NM_SETTING_802_1X_CK_SCHEME_HASH:
+ /* For hash-based schemes, verify that the has is zero-terminated */
+ if (array->data[array->len - 1] == '\0') {
+ if (g_str_has_prefix ((char *)array->data, SCHEME_HASH))
+ return TRUE;
+ }
+ break;
default:
break;
}
diff --git a/libnm-util/nm-setting-8021x.h b/libnm-util/nm-setting-8021x.h
index a6016ae..443822c 100644
--- a/libnm-util/nm-setting-8021x.h
+++ b/libnm-util/nm-setting-8021x.h
@@ -57,6 +57,8 @@ typedef enum {
* item data
* @NM_SETTING_802_1X_CK_SCHEME_PATH: certificate or key is stored as a path
* to a file containing the certificate or key data
+ * @NM_SETTING_802_1X_CK_SCHEME_HASH: certificate or key is stored as a path
+ * of the CA server hash
*
* #NMSetting8021xCKScheme values indicate how a certificate or private key is
* stored in the setting properties, either as a blob of the item's data, or as
@@ -65,7 +67,8 @@ typedef enum {
typedef enum {
NM_SETTING_802_1X_CK_SCHEME_UNKNOWN = 0,
NM_SETTING_802_1X_CK_SCHEME_BLOB,
- NM_SETTING_802_1X_CK_SCHEME_PATH
+ NM_SETTING_802_1X_CK_SCHEME_PATH,
+ NM_SETTING_802_1X_CK_SCHEME_HASH
} NMSetting8021xCKScheme;
@@ -183,6 +186,7 @@ const char * nm_setting_802_1x_get_phase2_ca_path (NMSetting8
NMSetting8021xCKScheme nm_setting_802_1x_get_ca_cert_scheme (NMSetting8021x *setting);
const GByteArray * nm_setting_802_1x_get_ca_cert_blob (NMSetting8021x *setting);
const char * nm_setting_802_1x_get_ca_cert_path (NMSetting8021x *setting);
+const char * nm_setting_802_1x_get_ca_cert_hash (NMSetting8021x *setting);
gboolean nm_setting_802_1x_set_ca_cert (NMSetting8021x *setting,
const char *cert_path,
NMSetting8021xCKScheme scheme,
diff --git a/src/nm-device-wifi.c b/src/nm-device-wifi.c
index 9695c07..e186aad 100644
--- a/src/nm-device-wifi.c
+++ b/src/nm-device-wifi.c
@@ -57,10 +57,14 @@
#include "nm-setting-ip6-config.h"
#include "nm-system.h"
#include "nm-settings-connection.h"
+#include "nm-dbus-glib-types.h"
static gboolean impl_device_get_access_points (NMDeviceWifi *device,
GPtrArray **aps,
GError **err);
+static gboolean impl_device_probe_cert (NMDeviceWifi *device,
+ GByteArray *ssid,
+ GError **err);
#include "nm-device-wifi-glue.h"
@@ -100,6 +104,7 @@ enum {
HIDDEN_AP_FOUND,
PROPERTIES_CHANGED,
SCANNING_ALLOWED,
+ CERT_RECEIVED,
LAST_SIGNAL
};
@@ -114,6 +119,7 @@ typedef struct Supplicant {
guint sig_ids[SUP_SIG_ID_LEN];
guint iface_error_id;
+ guint iface_cert_id;
/* Timeouts and idles */
guint iface_con_error_cb_id;
@@ -200,6 +206,7 @@ typedef enum {
NM_WIFI_ERROR_CONNECTION_INVALID,
NM_WIFI_ERROR_CONNECTION_INCOMPATIBLE,
NM_WIFI_ERROR_ACCESS_POINT_NOT_FOUND,
+ NM_WIFI_ERROR_INVALID_CERT_PROBE,
} NMWifiError;
#define NM_WIFI_ERROR (nm_wifi_error_quark ())
@@ -232,6 +239,8 @@ nm_wifi_error_get_type (void)
ENUM_ENTRY (NM_WIFI_ERROR_CONNECTION_INCOMPATIBLE, "ConnectionIncompatible"),
/* Given access point was not in this device's scan list. */
ENUM_ENTRY (NM_WIFI_ERROR_ACCESS_POINT_NOT_FOUND, "AccessPointNotFound"),
+ /* CA Probe was not valid. */
+ ENUM_ENTRY (NM_WIFI_ERROR_INVALID_CERT_PROBE, "InvalidCertProbe"),
{ 0, 0, 0 }
};
etype = g_enum_register_static ("NMWifiError", values);
@@ -1725,6 +1734,89 @@ impl_device_get_access_points (NMDeviceWifi *self,
return TRUE;
}
+static void
+supplicant_iface_certification_cb (NMSupplicantInterface * iface,
+ GHashTable *cert,
+ NMDeviceWifi * self)
+{
+ NMDeviceWifiPrivate *priv = NM_DEVICE_WIFI_GET_PRIVATE (self);
+ GValue *value;
+ const char *subject, *hash;
+ guint depth;
+
+ value = g_hash_table_lookup (cert, "depth");
+ if (!value || !G_VALUE_HOLDS_UINT(value)) {
+ nm_log_dbg (LOGD_WIFI_SCAN, "Depth was not set");
+ return;
+ }
+ depth = g_value_get_uint (value);
+
+ value = g_hash_table_lookup (cert, "subject");
+ if (!value || !G_VALUE_HOLDS_STRING(value))
+ return;
+ subject = g_value_get_string (value);
+
+ value = g_hash_table_lookup (cert, "cert_hash");
+ if (!value || !G_VALUE_HOLDS_STRING(value))
+ return;
+ hash = g_value_get_string (value);
+
+ nm_log_info (LOGD_WIFI_SCAN, "Got Server Certificate %u, subject %s, hash %s", depth, subject, hash);
+
+ if (depth != 0)
+ return;
+
+ g_signal_emit (self, signals[CERT_RECEIVED], 0, cert);
+
+ if (priv->supplicant.iface_cert_id > 0) {
+ g_signal_handler_disconnect (priv->supplicant.iface, priv->supplicant.iface_cert_id);
+ priv->supplicant.iface_cert_id = 0;
+ }
+
+ nm_supplicant_interface_disconnect (iface);
+}
+
+static gboolean
+impl_device_probe_cert (NMDeviceWifi *self,
+ GByteArray *ssid,
+ GError **err)
+{
+ NMDeviceWifiPrivate *priv = NM_DEVICE_WIFI_GET_PRIVATE (self);
+ NMSupplicantConfig *config = NULL;
+ guint id;
+ gboolean ret = FALSE;
+
+ config = nm_supplicant_config_new_probe (ssid);
+ if (!config)
+ goto error;
+
+ /* Hook up signal handler to capture certification signal */
+ id = g_signal_connect (priv->supplicant.iface,
+ "certification",
+ G_CALLBACK (supplicant_iface_certification_cb),
+ self);
+ priv->supplicant.iface_cert_id = id;
+
+ if (!nm_supplicant_interface_set_config (priv->supplicant.iface, config))
+ goto error;
+
+ ret = TRUE;
+
+error:
+ if (!ret) {
+ g_set_error_literal (err,
+ NM_WIFI_ERROR,
+ NM_WIFI_ERROR_INVALID_CERT_PROBE,
+ "Couldn't probe RADIUS server certificate");
+ if (priv->supplicant.iface_cert_id) {
+ g_signal_handler_disconnect (priv->supplicant.iface, priv->supplicant.iface_cert_id);
+ priv->supplicant.iface_cert_id = 0;
+ }
+ }
+
+ return ret;
+}
+
/*
* nm_device_get_mode
*
@@ -4021,6 +4113,16 @@ nm_device_wifi_class_init (NMDeviceWifiClass *klass)
_nm_marshal_BOOLEAN__VOID,
G_TYPE_BOOLEAN, 0);
+ signals[CERT_RECEIVED] =
+ g_signal_new ("cert-received",
+ G_OBJECT_CLASS_TYPE (object_class),
+ G_SIGNAL_RUN_FIRST,
+ G_STRUCT_OFFSET (NMDeviceWifiClass, cert_received),
+ NULL, NULL,
+ g_cclosure_marshal_VOID__BOXED,
+ G_TYPE_NONE, 1,
+ DBUS_TYPE_G_MAP_OF_VARIANT);
+
dbus_g_object_type_install_info (G_TYPE_FROM_CLASS (klass), &dbus_glib_nm_device_wifi_object_info);
dbus_g_error_domain_register (NM_WIFI_ERROR, NULL, NM_TYPE_WIFI_ERROR);
diff --git a/src/nm-device-wifi.h b/src/nm-device-wifi.h
index 31ac5ad..916c2b9 100644
--- a/src/nm-device-wifi.h
+++ b/src/nm-device-wifi.h
@@ -77,6 +77,7 @@ struct _NMDeviceWifiClass
void (*hidden_ap_found) (NMDeviceWifi *device, NMAccessPoint *ap);
void (*properties_changed) (NMDeviceWifi *device, GHashTable *properties);
gboolean (*scanning_allowed) (NMDeviceWifi *device);
+ void (*cert_received) (NMDeviceWifi *device, GHashTable *cert);
};
diff --git a/src/settings/plugins/ifnet/connection_parser.c b/src/settings/plugins/ifnet/connection_parser.c
index b4aaa8d..9a52baa 100644
--- a/src/settings/plugins/ifnet/connection_parser.c
+++ b/src/settings/plugins/ifnet/connection_parser.c
@@ -292,6 +292,8 @@ done:
return success;
}
+#define SCHEME_HASH "hash://server/sha256/"
+
static gboolean
eap_peap_reader (const char *eap_method,
const char *ssid,
@@ -307,11 +309,18 @@ eap_peap_reader (const char *eap_method,
ca_cert = wpa_get_value (ssid, "ca_cert");
if (ca_cert) {
- if (!nm_setting_802_1x_set_ca_cert (s_8021x,
- ca_cert,
- NM_SETTING_802_1X_CK_SCHEME_PATH,
- NULL, error))
- goto done;
+ if (g_str_has_prefix (ca_cert, SCHEME_HASH))
+ if (!nm_setting_802_1x_set_ca_cert (s_8021x,
+ ca_cert,
+ NM_SETTING_802_1X_CK_SCHEME_HASH,
+ NULL, error))
+ goto done;
+ else
+ if (!nm_setting_802_1x_set_ca_cert (s_8021x,
+ ca_cert,
+ NM_SETTING_802_1X_CK_SCHEME_PATH,
+ NULL, error))
+ goto done;
} else {
PLUGIN_WARN (IFNET_PLUGIN_NAME, " warning: missing "
"IEEE_8021X_CA_CERT for EAP method '%s'; this is"
@@ -409,11 +418,18 @@ eap_ttls_reader (const char *eap_method,
/* ca cert */
ca_cert = wpa_get_value (ssid, "ca_cert");
if (ca_cert) {
- if (!nm_setting_802_1x_set_ca_cert (s_8021x,
- ca_cert,
- NM_SETTING_802_1X_CK_SCHEME_PATH,
- NULL, error))
- goto done;
+ if (g_str_has_prefix (ca_cert, SCHEME_HASH))
+ if (!nm_setting_802_1x_set_ca_cert (s_8021x,
+ ca_cert,
+ NM_SETTING_802_1X_CK_SCHEME_HASH,
+ NULL, error))
+ goto done;
+ else
+ if (!nm_setting_802_1x_set_ca_cert (s_8021x,
+ ca_cert,
+ NM_SETTING_802_1X_CK_SCHEME_PATH,
+ NULL, error))
+ goto done;
} else {
PLUGIN_WARN (IFNET_PLUGIN_NAME, " warning: missing "
"IEEE_8021X_CA_CERT for EAP method '%s'; this is"
@@ -1769,12 +1785,14 @@ error:
typedef NMSetting8021xCKScheme (*SchemeFunc) (NMSetting8021x * setting);
typedef const char *(*PathFunc) (NMSetting8021x * setting);
+typedef const char *(*HashFunc) (NMSetting8021x * setting);
typedef const GByteArray *(*BlobFunc) (NMSetting8021x * setting);
typedef struct ObjectType {
const char *setting_key;
SchemeFunc scheme_func;
PathFunc path_func;
+ HashFunc hash_func;
BlobFunc blob_func;
const char *conn_name_key;
const char *suffix;
@@ -1784,6 +1802,7 @@ static const ObjectType ca_type = {
NM_SETTING_802_1X_CA_CERT,
nm_setting_802_1x_get_ca_cert_scheme,
nm_setting_802_1x_get_ca_cert_path,
+ nm_setting_802_1x_get_ca_cert_hash,
nm_setting_802_1x_get_ca_cert_blob,
"ca_cert",
"ca-cert.der"
@@ -1793,6 +1812,7 @@ static const ObjectType phase2_ca_type = {
NM_SETTING_802_1X_PHASE2_CA_CERT,
nm_setting_802_1x_get_phase2_ca_cert_scheme,
nm_setting_802_1x_get_phase2_ca_cert_path,
+ NULL,
nm_setting_802_1x_get_phase2_ca_cert_blob,
"ca_cert2",
"inner-ca-cert.der"
@@ -1802,6 +1822,7 @@ static const ObjectType client_type = {
NM_SETTING_802_1X_CLIENT_CERT,
nm_setting_802_1x_get_client_cert_scheme,
nm_setting_802_1x_get_client_cert_path,
+ NULL,
nm_setting_802_1x_get_client_cert_blob,
"client_cert",
"client-cert.der"
@@ -1811,6 +1832,7 @@ static const ObjectType phase2_client_type = {
NM_SETTING_802_1X_PHASE2_CLIENT_CERT,
nm_setting_802_1x_get_phase2_client_cert_scheme,
nm_setting_802_1x_get_phase2_client_cert_path,
+ NULL,
nm_setting_802_1x_get_phase2_client_cert_blob,
"client_cert2",
"inner-client-cert.der"
@@ -1820,6 +1842,7 @@ static const ObjectType pk_type = {
NM_SETTING_802_1X_PRIVATE_KEY,
nm_setting_802_1x_get_private_key_scheme,
nm_setting_802_1x_get_private_key_path,
+ NULL,
nm_setting_802_1x_get_private_key_blob,
"private_key",
"private-key.pem"
@@ -1829,6 +1852,7 @@ static const ObjectType phase2_pk_type = {
NM_SETTING_802_1X_PHASE2_PRIVATE_KEY,
nm_setting_802_1x_get_phase2_private_key_scheme,
nm_setting_802_1x_get_phase2_private_key_path,
+ NULL,
nm_setting_802_1x_get_phase2_private_key_blob,
"private_key2",
"inner-private-key.pem"
@@ -1838,6 +1862,7 @@ static const ObjectType p12_type = {
NM_SETTING_802_1X_PRIVATE_KEY,
nm_setting_802_1x_get_private_key_scheme,
nm_setting_802_1x_get_private_key_path,
+ NULL,
nm_setting_802_1x_get_private_key_blob,
"private_key",
"private-key.p12"
@@ -1847,6 +1872,7 @@ static const ObjectType phase2_p12_type = {
NM_SETTING_802_1X_PHASE2_PRIVATE_KEY,
nm_setting_802_1x_get_phase2_private_key_scheme,
nm_setting_802_1x_get_phase2_private_key_path,
+ NULL,
nm_setting_802_1x_get_phase2_private_key_blob,
"private_key2",
"inner-private-key.p12"
@@ -1861,6 +1887,7 @@ write_object (NMSetting8021x *s_8021x,
{
NMSetting8021xCKScheme scheme;
const char *path = NULL;
+ const char *hash = NULL;
const GByteArray *blob = NULL;
g_return_val_if_fail (conn_name != NULL, FALSE);
@@ -1879,6 +1906,9 @@ write_object (NMSetting8021x *s_8021x,
case NM_SETTING_802_1X_CK_SCHEME_PATH:
path = (*(objtype->path_func)) (s_8021x);
break;
+ case NM_SETTING_802_1X_CK_SCHEME_HASH:
+ hash = (*(objtype->hash_func)) (s_8021x);
+ break;
default:
break;
}
@@ -1893,6 +1923,15 @@ write_object (NMSetting8021x *s_8021x,
return TRUE;
}
+ /* If the object hash was specified, prefer that over any raw cert data that
+ * may have been sent.
+ */
+ if (hash) {
+ wpa_set_data (conn_name, (gchar *) objtype->conn_name_key,
+ (gchar *) hash);
+ return TRUE;
+ }
+
/* does not support writing encryption data now */
if (blob) {
PLUGIN_WARN (IFNET_PLUGIN_NAME,
diff --git a/src/settings/plugins/keyfile/reader.c b/src/settings/plugins/keyfile/reader.c
index 4128b9f..7cc7a32 100644
--- a/src/settings/plugins/keyfile/reader.c
+++ b/src/settings/plugins/keyfile/reader.c
@@ -852,6 +852,7 @@ get_cert_path (const char *keyfile_path, GByteArray *cert_path)
}
#define SCHEME_PATH "file://"
+#define SCHEME_HASH "hash://server/sha256/"
static const char *certext[] = { ".pem", ".cert", ".crt", ".cer", ".p12", ".der", ".key" };
@@ -876,6 +877,12 @@ handle_as_scheme (GByteArray *array, NMSetting *setting, const char *key)
&& (array->data[array->len - 1] == '\0')) {
g_object_set (setting, key, array, NULL);
return TRUE;
+ } else if ( (array->len > strlen (SCHEME_HASH))
+ && g_str_has_prefix ((const char *) array->data, SCHEME_HASH)
+ && (array->data[array->len - 1] == '\0')) {
+ /* It's the HASH scheme, can just set plain data */
+ g_object_set (setting, key, array, NULL);
+ return TRUE;
}
return FALSE;
}
diff --git a/src/settings/plugins/keyfile/writer.c b/src/settings/plugins/keyfile/writer.c
index db43b23..6da0876 100644
--- a/src/settings/plugins/keyfile/writer.c
+++ b/src/settings/plugins/keyfile/writer.c
@@ -539,6 +539,7 @@ typedef struct ObjectType {
NMSetting8021xCKScheme (*scheme_func) (NMSetting8021x *setting);
NMSetting8021xCKFormat (*format_func) (NMSetting8021x *setting);
const char * (*path_func) (NMSetting8021x *setting);
+ const char * (*hash_func) (NMSetting8021x *setting);
const GByteArray * (*blob_func) (NMSetting8021x *setting);
} ObjectType;
@@ -549,6 +550,7 @@ static const ObjectType objtypes[10] = {
nm_setting_802_1x_get_ca_cert_scheme,
NULL,
nm_setting_802_1x_get_ca_cert_path,
+ nm_setting_802_1x_get_ca_cert_hash,
nm_setting_802_1x_get_ca_cert_blob },
{ NM_SETTING_802_1X_PHASE2_CA_CERT,
@@ -557,6 +559,7 @@ static const ObjectType objtypes[10] = {
nm_setting_802_1x_get_phase2_ca_cert_scheme,
NULL,
nm_setting_802_1x_get_phase2_ca_cert_path,
+ NULL,
nm_setting_802_1x_get_phase2_ca_cert_blob },
{ NM_SETTING_802_1X_CLIENT_CERT,
@@ -565,6 +568,7 @@ static const ObjectType objtypes[10] = {
nm_setting_802_1x_get_client_cert_scheme,
NULL,
nm_setting_802_1x_get_client_cert_path,
+ NULL,
nm_setting_802_1x_get_client_cert_blob },
{ NM_SETTING_802_1X_PHASE2_CLIENT_CERT,
@@ -573,6 +577,7 @@ static const ObjectType objtypes[10] = {
nm_setting_802_1x_get_phase2_client_cert_scheme,
NULL,
nm_setting_802_1x_get_phase2_client_cert_path,
+ NULL,
nm_setting_802_1x_get_phase2_client_cert_blob },
{ NM_SETTING_802_1X_PRIVATE_KEY,
@@ -581,6 +586,7 @@ static const ObjectType objtypes[10] = {
nm_setting_802_1x_get_private_key_scheme,
nm_setting_802_1x_get_private_key_format,
nm_setting_802_1x_get_private_key_path,
+ NULL,
nm_setting_802_1x_get_private_key_blob },
{ NM_SETTING_802_1X_PHASE2_PRIVATE_KEY,
@@ -589,6 +595,7 @@ static const ObjectType objtypes[10] = {
nm_setting_802_1x_get_phase2_private_key_scheme,
nm_setting_802_1x_get_phase2_private_key_format,
nm_setting_802_1x_get_phase2_private_key_path,
+ NULL,
nm_setting_802_1x_get_phase2_private_key_blob },
{ NULL },
@@ -667,7 +674,7 @@ cert_writer (GKeyFile *file,
const char *setting_name = nm_setting_get_name (setting);
NMSetting8021xCKScheme scheme;
NMSetting8021xCKFormat format;
- const char *path = NULL, *ext = "pem";
+ const char *path = NULL, *hash = NULL, *ext = "pem";
const ObjectType *objtype = NULL;
int i;
@@ -729,6 +736,11 @@ cert_writer (GKeyFile *file,
g_error_free (error);
}
g_free (new_path);
+ } else if (scheme == NM_SETTING_802_1X_CK_SCHEME_HASH) {
+ hash = objtype->hash_func (NM_SETTING_802_1X (setting));
+ g_assert (hash);
+
+ g_key_file_set_string (file, setting_name, key, hash);
} else
g_assert_not_reached ();
}
diff --git a/src/supplicant-manager/nm-supplicant-config.c b/src/supplicant-manager/nm-supplicant-config.c
index 4860314..4b6588e 100644
--- a/src/supplicant-manager/nm-supplicant-config.c
+++ b/src/supplicant-manager/nm-supplicant-config.c
@@ -173,6 +173,25 @@ nm_supplicant_config_add_option (NMSupplicantConfig *self,
return nm_supplicant_config_add_option_with_type (self, key, value, len, TYPE_INVALID, secret);
}
+NMSupplicantConfig *
+nm_supplicant_config_new_probe (const GByteArray *ssid)
+{
+ NMSupplicantConfig *probe_config;
+
+ if (!ssid)
+ return NULL;
+
+ probe_config = (NMSupplicantConfig *)g_object_new (NM_TYPE_SUPPLICANT_CONFIG, NULL);
+
+ nm_supplicant_config_add_option (probe_config, "ssid", (char *)ssid->data, ssid->len, FALSE);
+ nm_supplicant_config_add_option (probe_config, "key_mgmt", "WPA-EAP", -1, FALSE);
+ nm_supplicant_config_add_option (probe_config, "eap", "TTLS PEAP TLS", -1, FALSE);
+ nm_supplicant_config_add_option (probe_config, "identity", " ", -1, FALSE);
+ nm_supplicant_config_add_option (probe_config, "ca_cert", "probe://", -1, FALSE);
+
+ return probe_config;
+}
+
static gboolean
nm_supplicant_config_add_blob (NMSupplicantConfig *self,
const char *key,
@@ -845,6 +864,11 @@ nm_supplicant_config_add_setting_8021x (NMSupplicantConfig *self,
if (!add_string_val (self, path, "ca_cert", FALSE, FALSE))
return FALSE;
break;
+ case NM_SETTING_802_1X_CK_SCHEME_HASH:
+ path = nm_setting_802_1x_get_ca_cert_hash (setting);
+ if (!add_string_val (self, path, "ca_cert", FALSE, FALSE))
+ return FALSE;
+ break;
default:
break;
}
diff --git a/src/supplicant-manager/nm-supplicant-config.h b/src/supplicant-manager/nm-supplicant-config.h
index dad23e2..8886a91 100644
--- a/src/supplicant-manager/nm-supplicant-config.h
+++ b/src/supplicant-manager/nm-supplicant-config.h
@@ -52,6 +52,8 @@ GType nm_supplicant_config_get_type (void);
NMSupplicantConfig *nm_supplicant_config_new (void);
+NMSupplicantConfig *nm_supplicant_config_new_probe (const GByteArray *ssid);
+
guint32 nm_supplicant_config_get_ap_scan (NMSupplicantConfig *self);
void nm_supplicant_config_set_ap_scan (NMSupplicantConfig *self,
diff --git a/src/supplicant-manager/nm-supplicant-interface.c b/src/supplicant-manager/nm-supplicant-interface.c
index 857cde5..28ad780 100644
--- a/src/supplicant-manager/nm-supplicant-interface.c
+++ b/src/supplicant-manager/nm-supplicant-interface.c
@@ -60,6 +60,7 @@ enum {
NEW_BSS, /* interface saw a new access point from a scan */
SCAN_DONE, /* wifi scan is complete */
CONNECTION_ERROR, /* an error occurred during a connection request */
+ CERTIFICATION, /* a RADIUS server certificate was received */
LAST_SIGNAL
};
static guint signals[LAST_SIGNAL] = { 0 };
@@ -387,6 +388,17 @@ wpas_iface_scan_done (DBusGProxy *proxy,
}
static void
+wpas_iface_got_certification (DBusGProxy *proxy,
+ const GHashTable *cert_table,
+ gpointer user_data)
+{
+ g_signal_emit (user_data,
+ signals[CERTIFICATION],
+ 0,
+ cert_table);
+}
+
+static void
wpas_iface_properties_changed (DBusGProxy *proxy,
GHashTable *props,
gpointer user_data)
@@ -486,6 +498,18 @@ interface_add_done (NMSupplicantInterface *self, char *path)
self,
NULL);
+ dbus_g_object_register_marshaller (g_cclosure_marshal_VOID__BOXED,
+ G_TYPE_NONE,
+ DBUS_TYPE_G_MAP_OF_VARIANT,
+ G_TYPE_INVALID);
+ dbus_g_proxy_add_signal (priv->iface_proxy, "Certification",
+ DBUS_TYPE_G_MAP_OF_VARIANT,
+ G_TYPE_INVALID);
+ dbus_g_proxy_connect_signal (priv->iface_proxy, "Certification",
+ G_CALLBACK (wpas_iface_got_certification),
+ self,
+ NULL);
+
priv->props_proxy = dbus_g_proxy_new_for_name (nm_dbus_manager_get_connection (priv->dbus_mgr),
WPAS_DBUS_SERVICE,
path,
@@ -1207,5 +1231,13 @@ nm_supplicant_interface_class_init (NMSupplicantInterfaceClass *klass)
NULL, NULL,
_nm_marshal_VOID__STRING_STRING,
G_TYPE_NONE, 2, G_TYPE_STRING, G_TYPE_STRING);
+ signals[CERTIFICATION] =
+ g_signal_new ("certification",
+ G_OBJECT_CLASS_TYPE (object_class),
+ G_SIGNAL_RUN_LAST,
+ G_STRUCT_OFFSET (NMSupplicantInterfaceClass, certification),
+ NULL, NULL,
+ g_cclosure_marshal_VOID__BOXED,
+ G_TYPE_NONE, 1, DBUS_TYPE_G_MAP_OF_VARIANT);
}
diff --git a/src/supplicant-manager/nm-supplicant-interface.h b/src/supplicant-manager/nm-supplicant-interface.h
index e32411d..b65cd87 100644
--- a/src/supplicant-manager/nm-supplicant-interface.h
+++ b/src/supplicant-manager/nm-supplicant-interface.h
@@ -89,6 +89,10 @@ typedef struct {
void (*connection_error) (NMSupplicantInterface * iface,
const char * name,
const char * message);
+
+ /* a RADIUS server certificate was received */
+ void (*certification) (NMSupplicantInterface * iface,
+ const GHashTable * ca_cert);
} NMSupplicantInterfaceClass;
