1/* SPDX-License-Identifier: LGPL-2.1-or-later */
2/*
3 * Copyright (C) 2007 - 2014 Red Hat, Inc.
4 * Copyright (C) 2007 - 2008 Novell, Inc.
5 */
6
7#ifndef __NM_SETTING_8021X_H__
8#define __NM_SETTING_8021X_H__
9
10#if !defined(__NETWORKMANAGER_H_INSIDE__) && !defined(NETWORKMANAGER_COMPILATION)
11#error "Only <NetworkManager.h> can be included directly."
12#endif
13
14#include "nm-setting.h"
15
16G_BEGIN_DECLS
17
18#define NM_SETTING_802_1X_CERT_SCHEME_PREFIX_PATH "file://"
19#define NM_SETTING_802_1X_CERT_SCHEME_PREFIX_PKCS11 "pkcs11:"
20
21/**
22 * NMSetting8021xCKFormat:
23 * @NM_SETTING_802_1X_CK_FORMAT_UNKNOWN: unknown file format
24 * @NM_SETTING_802_1X_CK_FORMAT_X509: file contains an X.509 format certificate
25 * @NM_SETTING_802_1X_CK_FORMAT_RAW_KEY: file contains an old-style OpenSSL PEM
26 * or DER private key
27 * @NM_SETTING_802_1X_CK_FORMAT_PKCS12: file contains a PKCS#<!-- -->12 certificate
28 * and private key
29 *
30 * #NMSetting8021xCKFormat values indicate the general type of a certificate
31 * or private key
32 */
33typedef enum { /*< underscore_name=nm_setting_802_1x_ck_format >*/
34 NM_SETTING_802_1X_CK_FORMAT_UNKNOWN = 0,
35 NM_SETTING_802_1X_CK_FORMAT_X509,
36 NM_SETTING_802_1X_CK_FORMAT_RAW_KEY,
37 NM_SETTING_802_1X_CK_FORMAT_PKCS12
38} NMSetting8021xCKFormat;
39
40/**
41 * NMSetting8021xCKScheme:
42 * @NM_SETTING_802_1X_CK_SCHEME_UNKNOWN: unknown certificate or private key
43 * scheme
44 * @NM_SETTING_802_1X_CK_SCHEME_BLOB: certificate or key is stored as the raw
45 * item data
46 * @NM_SETTING_802_1X_CK_SCHEME_PATH: certificate or key is stored as a path
47 * to a file containing the certificate or key data
48 * @NM_SETTING_802_1X_CK_SCHEME_PKCS11: certificate or key is stored as a
49 * URI of an object on a PKCS#11 token
50 *
51 * #NMSetting8021xCKScheme values indicate how a certificate or private key is
52 * stored in the setting properties, either as a blob of the item's data, or as
53 * a path to a certificate or private key file on the filesystem
54 */
55typedef enum { /*< underscore_name=nm_setting_802_1x_ck_scheme >*/
56 NM_SETTING_802_1X_CK_SCHEME_UNKNOWN = 0,
57 NM_SETTING_802_1X_CK_SCHEME_BLOB,
58 NM_SETTING_802_1X_CK_SCHEME_PATH,
59 NM_SETTING_802_1X_CK_SCHEME_PKCS11,
60} NMSetting8021xCKScheme;
61
62/**
63 * NMSetting8021xAuthFlags:
64 * @NM_SETTING_802_1X_AUTH_FLAGS_NONE: No flags
65 * @NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_0_DISABLE: Disable TLSv1.0
66 * @NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_1_DISABLE: Disable TLSv1.1
67 * @NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_2_DISABLE: Disable TLSv1.2
68 * @NM_SETTING_802_1X_AUTH_FLAGS_ALL: All supported flags
69 *
70 * #NMSetting8021xAuthFlags values indicate which authentication settings
71 * should be used.
72 *
73 * Before 1.22, this was wrongly marked as a enum and not as a flags
74 * type.
75 *
76 * Since: 1.8
77 */
78typedef enum { /*< flags, underscore_name=nm_setting_802_1x_auth_flags >*/
79 NM_SETTING_802_1X_AUTH_FLAGS_NONE = 0,
80 NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_0_DISABLE = 0x1,
81 NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_1_DISABLE = 0x2,
82 NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_2_DISABLE = 0x4,
83
84 NM_SETTING_802_1X_AUTH_FLAGS_ALL = 0x7,
85} NMSetting8021xAuthFlags;
86
87#define NM_TYPE_SETTING_802_1X (nm_setting_802_1x_get_type())
88#define NM_SETTING_802_1X(obj) \
89 (G_TYPE_CHECK_INSTANCE_CAST((obj), NM_TYPE_SETTING_802_1X, NMSetting8021x))
90#define NM_SETTING_802_1X_CLASS(klass) \
91 (G_TYPE_CHECK_CLASS_CAST((klass), NM_TYPE_SETTING_802_1X, NMSetting8021xClass))
92#define NM_IS_SETTING_802_1X(obj) (G_TYPE_CHECK_INSTANCE_TYPE((obj), NM_TYPE_SETTING_802_1X))
93#define NM_IS_SETTING_802_1X_CLASS(klass) (G_TYPE_CHECK_CLASS_TYPE((klass), NM_TYPE_SETTING_802_1X))
94#define NM_SETTING_802_1X_GET_CLASS(obj) \
95 (G_TYPE_INSTANCE_GET_CLASS((obj), NM_TYPE_SETTING_802_1X, NMSetting8021xClass))
96
97#define NM_SETTING_802_1X_SETTING_NAME "802-1x"
98
99#define NM_SETTING_802_1X_EAP "eap"
100#define NM_SETTING_802_1X_IDENTITY "identity"
101#define NM_SETTING_802_1X_ANONYMOUS_IDENTITY "anonymous-identity"
102#define NM_SETTING_802_1X_PAC_FILE "pac-file"
103#define NM_SETTING_802_1X_CA_CERT "ca-cert"
104#define NM_SETTING_802_1X_CA_CERT_PASSWORD "ca-cert-password"
105#define NM_SETTING_802_1X_CA_CERT_PASSWORD_FLAGS "ca-cert-password-flags"
106#define NM_SETTING_802_1X_CA_PATH "ca-path"
107#define NM_SETTING_802_1X_SUBJECT_MATCH "subject-match"
108#define NM_SETTING_802_1X_ALTSUBJECT_MATCHES "altsubject-matches"
109#define NM_SETTING_802_1X_DOMAIN_SUFFIX_MATCH "domain-suffix-match"
110#define NM_SETTING_802_1X_DOMAIN_MATCH "domain-match"
111#define NM_SETTING_802_1X_CLIENT_CERT "client-cert"
112#define NM_SETTING_802_1X_CLIENT_CERT_PASSWORD "client-cert-password"
113#define NM_SETTING_802_1X_CLIENT_CERT_PASSWORD_FLAGS "client-cert-password-flags"
114#define NM_SETTING_802_1X_PHASE1_PEAPVER "phase1-peapver"
115#define NM_SETTING_802_1X_PHASE1_PEAPLABEL "phase1-peaplabel"
116#define NM_SETTING_802_1X_PHASE1_FAST_PROVISIONING "phase1-fast-provisioning"
117#define NM_SETTING_802_1X_PHASE1_AUTH_FLAGS "phase1-auth-flags"
118#define NM_SETTING_802_1X_PHASE2_AUTH "phase2-auth"
119#define NM_SETTING_802_1X_PHASE2_AUTHEAP "phase2-autheap"
120#define NM_SETTING_802_1X_PHASE2_CA_CERT "phase2-ca-cert"
121#define NM_SETTING_802_1X_PHASE2_CA_CERT_PASSWORD "phase2-ca-cert-password"
122#define NM_SETTING_802_1X_PHASE2_CA_CERT_PASSWORD_FLAGS "phase2-ca-cert-password-flags"
123#define NM_SETTING_802_1X_PHASE2_CA_PATH "phase2-ca-path"
124#define NM_SETTING_802_1X_PHASE2_SUBJECT_MATCH "phase2-subject-match"
125#define NM_SETTING_802_1X_PHASE2_ALTSUBJECT_MATCHES "phase2-altsubject-matches"
126#define NM_SETTING_802_1X_PHASE2_DOMAIN_SUFFIX_MATCH "phase2-domain-suffix-match"
127#define NM_SETTING_802_1X_PHASE2_DOMAIN_MATCH "phase2-domain-match"
128#define NM_SETTING_802_1X_PHASE2_CLIENT_CERT "phase2-client-cert"
129#define NM_SETTING_802_1X_PHASE2_CLIENT_CERT_PASSWORD "phase2-client-cert-password"
130#define NM_SETTING_802_1X_PHASE2_CLIENT_CERT_PASSWORD_FLAGS "phase2-client-cert-password-flags"
131#define NM_SETTING_802_1X_PASSWORD "password"
132#define NM_SETTING_802_1X_PASSWORD_FLAGS "password-flags"
133#define NM_SETTING_802_1X_PASSWORD_RAW "password-raw"
134#define NM_SETTING_802_1X_PASSWORD_RAW_FLAGS "password-raw-flags"
135#define NM_SETTING_802_1X_PRIVATE_KEY "private-key"
136#define NM_SETTING_802_1X_PRIVATE_KEY_PASSWORD "private-key-password"
137#define NM_SETTING_802_1X_PRIVATE_KEY_PASSWORD_FLAGS "private-key-password-flags"
138#define NM_SETTING_802_1X_PHASE2_PRIVATE_KEY "phase2-private-key"
139#define NM_SETTING_802_1X_PHASE2_PRIVATE_KEY_PASSWORD "phase2-private-key-password"
140#define NM_SETTING_802_1X_PHASE2_PRIVATE_KEY_PASSWORD_FLAGS "phase2-private-key-password-flags"
141#define NM_SETTING_802_1X_PIN "pin"
142#define NM_SETTING_802_1X_PIN_FLAGS "pin-flags"
143#define NM_SETTING_802_1X_SYSTEM_CA_CERTS "system-ca-certs"
144#define NM_SETTING_802_1X_AUTH_TIMEOUT "auth-timeout"
145#define NM_SETTING_802_1X_OPTIONAL "optional"
146
147/* PRIVATE KEY NOTE: when setting PKCS#12 private keys directly via properties
148 * using the "blob" scheme, the data must be passed in PKCS#12 binary format.
149 * In this case, the appropriate "client-cert" (or "phase2-client-cert")
150 * property of the NMSetting8021x object must also contain the exact same
151 * PKCS#12 binary data that the private key does. This is because the
152 * PKCS#12 file contains both the private key and client certificate, so both
153 * properties need to be set to the same thing. When using the "path" scheme,
154 * just set both the private-key and client-cert properties to the same path.
155 *
156 * When setting OpenSSL-derived "traditional" format (ie S/MIME style, not
157 * PKCS#8) RSA and DSA keys directly via properties with the "blob" scheme, they
158 * should be passed to NetworkManager in PEM format with the "DEK-Info" and
159 * "Proc-Type" tags intact. Decrypted private keys should not be used as this
160 * is insecure and could allow unprivileged users to access the decrypted
161 * private key data.
162 *
163 * When using the "path" scheme, just set the private-key and client-cert
164 * properties to the paths to their respective objects.
165 */
166
167typedef struct _NMSetting8021xClass NMSetting8021xClass;
168
169GType nm_setting_802_1x_get_type(void);
170
171NMSetting *nm_setting_802_1x_new(void);
172
173NM_AVAILABLE_IN_1_2
174NMSetting8021xCKScheme
175nm_setting_802_1x_check_cert_scheme(gconstpointer pdata, gsize length, GError **error);
176
177guint32 nm_setting_802_1x_get_num_eap_methods(NMSetting8021x *setting);
178const char *nm_setting_802_1x_get_eap_method(NMSetting8021x *setting, guint32 i);
179gboolean nm_setting_802_1x_add_eap_method(NMSetting8021x *setting, const char *eap);
180void nm_setting_802_1x_remove_eap_method(NMSetting8021x *setting, guint32 i);
181gboolean nm_setting_802_1x_remove_eap_method_by_value(NMSetting8021x *setting, const char *eap);
182void nm_setting_802_1x_clear_eap_methods(NMSetting8021x *setting);
183
184const char *nm_setting_802_1x_get_identity(NMSetting8021x *setting);
185
186const char *nm_setting_802_1x_get_anonymous_identity(NMSetting8021x *setting);
187
188const char *nm_setting_802_1x_get_pac_file(NMSetting8021x *setting);
189
190gboolean nm_setting_802_1x_get_system_ca_certs(NMSetting8021x *setting);
191const char *nm_setting_802_1x_get_ca_path(NMSetting8021x *setting);
192const char *nm_setting_802_1x_get_phase2_ca_path(NMSetting8021x *setting);
193
194NMSetting8021xCKScheme nm_setting_802_1x_get_ca_cert_scheme(NMSetting8021x *setting);
195GBytes *nm_setting_802_1x_get_ca_cert_blob(NMSetting8021x *setting);
196const char *nm_setting_802_1x_get_ca_cert_path(NMSetting8021x *setting);
197NM_AVAILABLE_IN_1_6
198const char *nm_setting_802_1x_get_ca_cert_uri(NMSetting8021x *setting);
199gboolean nm_setting_802_1x_set_ca_cert(NMSetting8021x *setting,
200 const char *value,
201 NMSetting8021xCKScheme scheme,
202 NMSetting8021xCKFormat *out_format,
203 GError **error);
204
205NM_AVAILABLE_IN_1_8
206const char *nm_setting_802_1x_get_ca_cert_password(NMSetting8021x *setting);
207NM_AVAILABLE_IN_1_8
208NMSettingSecretFlags nm_setting_802_1x_get_ca_cert_password_flags(NMSetting8021x *setting);
209
210const char *nm_setting_802_1x_get_subject_match(NMSetting8021x *setting);
211
212guint32 nm_setting_802_1x_get_num_altsubject_matches(NMSetting8021x *setting);
213const char *nm_setting_802_1x_get_altsubject_match(NMSetting8021x *setting, guint32 i);
214gboolean nm_setting_802_1x_add_altsubject_match(NMSetting8021x *setting,
215 const char *altsubject_match);
216void nm_setting_802_1x_remove_altsubject_match(NMSetting8021x *setting, guint32 i);
217gboolean nm_setting_802_1x_remove_altsubject_match_by_value(NMSetting8021x *setting,
218 const char *altsubject_match);
219void nm_setting_802_1x_clear_altsubject_matches(NMSetting8021x *setting);
220NM_AVAILABLE_IN_1_2
221const char *nm_setting_802_1x_get_domain_suffix_match(NMSetting8021x *setting);
222
223NM_AVAILABLE_IN_1_24
224const char *nm_setting_802_1x_get_domain_match(NMSetting8021x *setting);
225
226NMSetting8021xCKScheme nm_setting_802_1x_get_client_cert_scheme(NMSetting8021x *setting);
227GBytes *nm_setting_802_1x_get_client_cert_blob(NMSetting8021x *setting);
228const char *nm_setting_802_1x_get_client_cert_path(NMSetting8021x *setting);
229NM_AVAILABLE_IN_1_6
230const char *nm_setting_802_1x_get_client_cert_uri(NMSetting8021x *setting);
231gboolean nm_setting_802_1x_set_client_cert(NMSetting8021x *setting,
232 const char *value,
233 NMSetting8021xCKScheme scheme,
234 NMSetting8021xCKFormat *out_format,
235 GError **error);
236
237NM_AVAILABLE_IN_1_8
238const char *nm_setting_802_1x_get_client_cert_password(NMSetting8021x *setting);
239NM_AVAILABLE_IN_1_8
240NMSettingSecretFlags nm_setting_802_1x_get_client_cert_password_flags(NMSetting8021x *setting);
241
242const char *nm_setting_802_1x_get_phase1_peapver(NMSetting8021x *setting);
243
244const char *nm_setting_802_1x_get_phase1_peaplabel(NMSetting8021x *setting);
245
246const char *nm_setting_802_1x_get_phase1_fast_provisioning(NMSetting8021x *setting);
247
248const char *nm_setting_802_1x_get_phase2_auth(NMSetting8021x *setting);
249
250const char *nm_setting_802_1x_get_phase2_autheap(NMSetting8021x *setting);
251
252NMSetting8021xCKScheme nm_setting_802_1x_get_phase2_ca_cert_scheme(NMSetting8021x *setting);
253GBytes *nm_setting_802_1x_get_phase2_ca_cert_blob(NMSetting8021x *setting);
254const char *nm_setting_802_1x_get_phase2_ca_cert_path(NMSetting8021x *setting);
255NM_AVAILABLE_IN_1_6
256const char *nm_setting_802_1x_get_phase2_ca_cert_uri(NMSetting8021x *setting);
257gboolean nm_setting_802_1x_set_phase2_ca_cert(NMSetting8021x *setting,
258 const char *value,
259 NMSetting8021xCKScheme scheme,
260 NMSetting8021xCKFormat *out_format,
261 GError **error);
262
263NM_AVAILABLE_IN_1_8
264const char *nm_setting_802_1x_get_phase2_ca_cert_password(NMSetting8021x *setting);
265NM_AVAILABLE_IN_1_8
266NMSettingSecretFlags nm_setting_802_1x_get_phase2_ca_cert_password_flags(NMSetting8021x *setting);
267
268const char *nm_setting_802_1x_get_phase2_subject_match(NMSetting8021x *setting);
269
270guint32 nm_setting_802_1x_get_num_phase2_altsubject_matches(NMSetting8021x *setting);
271const char *nm_setting_802_1x_get_phase2_altsubject_match(NMSetting8021x *setting, guint32 i);
272gboolean nm_setting_802_1x_add_phase2_altsubject_match(NMSetting8021x *setting,
273 const char *phase2_altsubject_match);
274void nm_setting_802_1x_remove_phase2_altsubject_match(NMSetting8021x *setting, guint32 i);
275gboolean
276 nm_setting_802_1x_remove_phase2_altsubject_match_by_value(NMSetting8021x *setting,
277 const char *phase2_altsubject_match);
278void nm_setting_802_1x_clear_phase2_altsubject_matches(NMSetting8021x *setting);
279NM_AVAILABLE_IN_1_2
280const char *nm_setting_802_1x_get_phase2_domain_suffix_match(NMSetting8021x *setting);
281
282NM_AVAILABLE_IN_1_24
283const char *nm_setting_802_1x_get_phase2_domain_match(NMSetting8021x *setting);
284
285NMSetting8021xCKScheme nm_setting_802_1x_get_phase2_client_cert_scheme(NMSetting8021x *setting);
286GBytes *nm_setting_802_1x_get_phase2_client_cert_blob(NMSetting8021x *setting);
287const char *nm_setting_802_1x_get_phase2_client_cert_path(NMSetting8021x *setting);
288NM_AVAILABLE_IN_1_6
289const char *nm_setting_802_1x_get_phase2_client_cert_uri(NMSetting8021x *setting);
290gboolean nm_setting_802_1x_set_phase2_client_cert(NMSetting8021x *setting,
291 const char *value,
292 NMSetting8021xCKScheme scheme,
293 NMSetting8021xCKFormat *out_format,
294 GError **error);
295
296NM_AVAILABLE_IN_1_8
297const char *nm_setting_802_1x_get_phase2_client_cert_password(NMSetting8021x *setting);
298NM_AVAILABLE_IN_1_8
299NMSettingSecretFlags
300nm_setting_802_1x_get_phase2_client_cert_password_flags(NMSetting8021x *setting);
301
302const char *nm_setting_802_1x_get_password(NMSetting8021x *setting);
303NMSettingSecretFlags nm_setting_802_1x_get_password_flags(NMSetting8021x *setting);
304GBytes *nm_setting_802_1x_get_password_raw(NMSetting8021x *setting);
305NMSettingSecretFlags nm_setting_802_1x_get_password_raw_flags(NMSetting8021x *setting);
306
307const char *nm_setting_802_1x_get_pin(NMSetting8021x *setting);
308NMSettingSecretFlags nm_setting_802_1x_get_pin_flags(NMSetting8021x *setting);
309
310NMSetting8021xCKScheme nm_setting_802_1x_get_private_key_scheme(NMSetting8021x *setting);
311GBytes *nm_setting_802_1x_get_private_key_blob(NMSetting8021x *setting);
312const char *nm_setting_802_1x_get_private_key_path(NMSetting8021x *setting);
313NM_AVAILABLE_IN_1_6
314const char *nm_setting_802_1x_get_private_key_uri(NMSetting8021x *setting);
315gboolean nm_setting_802_1x_set_private_key(NMSetting8021x *setting,
316 const char *value,
317 const char *password,
318 NMSetting8021xCKScheme scheme,
319 NMSetting8021xCKFormat *out_format,
320 GError **error);
321const char *nm_setting_802_1x_get_private_key_password(NMSetting8021x *setting);
322NMSettingSecretFlags nm_setting_802_1x_get_private_key_password_flags(NMSetting8021x *setting);
323
324NMSetting8021xCKFormat nm_setting_802_1x_get_private_key_format(NMSetting8021x *setting);
325
326NMSetting8021xCKScheme nm_setting_802_1x_get_phase2_private_key_scheme(NMSetting8021x *setting);
327GBytes *nm_setting_802_1x_get_phase2_private_key_blob(NMSetting8021x *setting);
328const char *nm_setting_802_1x_get_phase2_private_key_path(NMSetting8021x *setting);
329NM_AVAILABLE_IN_1_6
330const char *nm_setting_802_1x_get_phase2_private_key_uri(NMSetting8021x *setting);
331gboolean nm_setting_802_1x_set_phase2_private_key(NMSetting8021x *setting,
332 const char *value,
333 const char *password,
334 NMSetting8021xCKScheme scheme,
335 NMSetting8021xCKFormat *out_format,
336 GError **error);
337const char *nm_setting_802_1x_get_phase2_private_key_password(NMSetting8021x *setting);
338NMSettingSecretFlags
339nm_setting_802_1x_get_phase2_private_key_password_flags(NMSetting8021x *setting);
340
341NMSetting8021xCKFormat nm_setting_802_1x_get_phase2_private_key_format(NMSetting8021x *setting);
342
343NM_AVAILABLE_IN_1_8
344NMSetting8021xAuthFlags nm_setting_802_1x_get_phase1_auth_flags(NMSetting8021x *setting);
345NM_AVAILABLE_IN_1_8
346int nm_setting_802_1x_get_auth_timeout(NMSetting8021x *setting);
347NM_AVAILABLE_IN_1_22
348gboolean nm_setting_802_1x_get_optional(NMSetting8021x *setting);
349
350G_END_DECLS
351
352#endif /* __NM_SETTING_8021X_H__ */
353

source code of include/libnm/nm-setting-8021x.h