1/* SPDX-License-Identifier: LGPL-2.1-or-later */
2/*
3 * Copyright (C) 2007 - 2014 Red Hat, Inc.
4 * Copyright (C) 2007 - 2008 Novell, Inc.
5 */
6
7#ifndef __NM_SETTING_8021X_H__
8#define __NM_SETTING_8021X_H__
9
10#if !defined(__NETWORKMANAGER_H_INSIDE__) && !defined(NETWORKMANAGER_COMPILATION)
11#error "Only <NetworkManager.h> can be included directly."
12#endif
13
14#include "nm-setting.h"
15
16G_BEGIN_DECLS
17
/* Prefixes that identify the non-blob certificate/key schemes when the item
 * is carried as a string: "file://" marks a filesystem path
 * (%NM_SETTING_802_1X_CK_SCHEME_PATH) and "pkcs11:" a PKCS#11 object URI
 * (%NM_SETTING_802_1X_CK_SCHEME_PKCS11). Anything without one of these
 * prefixes is presumably treated as raw blob data -- confirm against
 * nm_setting_802_1x_check_cert_scheme(). */
#define NM_SETTING_802_1X_CERT_SCHEME_PREFIX_PATH "file://"
#define NM_SETTING_802_1X_CERT_SCHEME_PREFIX_PKCS11 "pkcs11:"
20
21/**
22 * NMSetting8021xCKFormat:
23 * @NM_SETTING_802_1X_CK_FORMAT_UNKNOWN: unknown file format
24 * @NM_SETTING_802_1X_CK_FORMAT_X509: file contains an X.509 format certificate
25 * @NM_SETTING_802_1X_CK_FORMAT_RAW_KEY: file contains an old-style OpenSSL PEM
26 * or DER private key
27 * @NM_SETTING_802_1X_CK_FORMAT_PKCS12: file contains a PKCS#<!-- -->12 certificate
28 * and private key
29 *
30 * #NMSetting8021xCKFormat values indicate the general type of a certificate
31 * or private key
32 */
typedef enum { /*< underscore_name=nm_setting_802_1x_ck_format >*/
    /* The data could not be classified. */
    NM_SETTING_802_1X_CK_FORMAT_UNKNOWN = 0,
    /* An X.509 certificate. */
    NM_SETTING_802_1X_CK_FORMAT_X509 = 1,
    /* An old-style OpenSSL PEM or DER private key. */
    NM_SETTING_802_1X_CK_FORMAT_RAW_KEY = 2,
    /* A PKCS#12 bundle carrying both the certificate and the private key. */
    NM_SETTING_802_1X_CK_FORMAT_PKCS12 = 3,
} NMSetting8021xCKFormat;
39
40/**
41 * NMSetting8021xCKScheme:
42 * @NM_SETTING_802_1X_CK_SCHEME_UNKNOWN: unknown certificate or private key
43 * scheme
44 * @NM_SETTING_802_1X_CK_SCHEME_BLOB: certificate or key is stored as the raw
45 * item data
46 * @NM_SETTING_802_1X_CK_SCHEME_PATH: certificate or key is stored as a path
47 * to a file containing the certificate or key data
48 * @NM_SETTING_802_1X_CK_SCHEME_PKCS11: certificate or key is stored as a
49 * URI of an object on a PKCS#11 token
50 *
51 * #NMSetting8021xCKScheme values indicate how a certificate or private key is
52 * stored in the setting properties, either as a blob of the item's data, or as
53 * a path to a certificate or private key file on the filesystem
54 */
typedef enum { /*< underscore_name=nm_setting_802_1x_ck_scheme >*/
    /* The storage scheme could not be determined. */
    NM_SETTING_802_1X_CK_SCHEME_UNKNOWN = 0,
    /* The property holds the raw certificate/key bytes. */
    NM_SETTING_802_1X_CK_SCHEME_BLOB = 1,
    /* The property holds a filesystem path to the certificate/key file. */
    NM_SETTING_802_1X_CK_SCHEME_PATH = 2,
    /* The property holds the URI of an object on a PKCS#11 token. */
    NM_SETTING_802_1X_CK_SCHEME_PKCS11 = 3,
} NMSetting8021xCKScheme;
61
62/**
63 * NMSetting8021xAuthFlags:
64 * @NM_SETTING_802_1X_AUTH_FLAGS_NONE: No flags
65 * @NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_0_DISABLE: Disable TLSv1.0
66 * @NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_0_ENABLE: Enable TLSv1.0. Since 1.42.
67 * @NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_1_DISABLE: Disable TLSv1.1
68 * @NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_1_ENABLE: Enable TLSv1.1. Since 1.42.
69 * @NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_2_DISABLE: Disable TLSv1.2
70 * @NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_2_ENABLE: Enable TLSv1.2. Since 1.42.
71 * @NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_3_DISABLE: Disable TLSv1.3. Since 1.42.
72 * @NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_3_ENABLE: Enable TLSv1.3. Since 1.42.
73 * @NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_TIME_CHECKS: Disable TLS time checks. Since 1.42.
74 * @NM_SETTING_802_1X_AUTH_FLAGS_ALL: All supported flags
75 *
76 * #NMSetting8021xAuthFlags values indicate which authentication settings
77 * should be used.
78 *
 * Before 1.22, this was wrongly marked as an enum and not as a flags
 * type.
81 *
82 * Since: 1.8
83 */
typedef enum /*< underscore_name=nm_setting_802_1x_auth_flags, flags >*/ {
    NM_SETTING_802_1X_AUTH_FLAGS_NONE = 0,

    /* One bit per TLS protocol version. A *_DISABLE bit forbids that version,
     * an *_ENABLE bit (since 1.42) explicitly permits it. The bit layout is
     * ABI: values are assigned explicitly and must never be renumbered. */
    NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_0_DISABLE = (1 << 0),
    NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_1_DISABLE = (1 << 1),
    NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_2_DISABLE = (1 << 2),
    /* Skips the TLS time checks (presumably the certificate validity-period
     * check -- confirm). This weakens server-certificate validation; it is a
     * workaround for broken clocks or certificates, not a default. */
    NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_TIME_CHECKS = (1 << 3),
    NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_3_DISABLE = (1 << 4),
    NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_0_ENABLE = (1 << 5),
    NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_1_ENABLE = (1 << 6),
    NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_2_ENABLE = (1 << 7),
    NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_3_ENABLE = (1 << 8),

    /* Union of all nine bits above (bits 0..8). Extend this when a new flag is
     * added, otherwise the new bit is rejected as "unsupported". */
    NM_SETTING_802_1X_AUTH_FLAGS_ALL = 0x1FF,
} NMSetting8021xAuthFlags;
98
/* Standard GObject type boilerplate for #NMSetting8021x: the GType id,
 * checked instance/class casts, instance/class type tests and class lookup. */
#define NM_TYPE_SETTING_802_1X (nm_setting_802_1x_get_type())
#define NM_SETTING_802_1X(obj) \
    (G_TYPE_CHECK_INSTANCE_CAST((obj), NM_TYPE_SETTING_802_1X, NMSetting8021x))
#define NM_SETTING_802_1X_CLASS(klass) \
    (G_TYPE_CHECK_CLASS_CAST((klass), NM_TYPE_SETTING_802_1X, NMSetting8021xClass))
#define NM_IS_SETTING_802_1X(obj) (G_TYPE_CHECK_INSTANCE_TYPE((obj), NM_TYPE_SETTING_802_1X))
#define NM_IS_SETTING_802_1X_CLASS(klass) (G_TYPE_CHECK_CLASS_TYPE((klass), NM_TYPE_SETTING_802_1X))
#define NM_SETTING_802_1X_GET_CLASS(obj) \
    (G_TYPE_INSTANCE_GET_CLASS((obj), NM_TYPE_SETTING_802_1X, NMSetting8021xClass))
108
/* Name under which this setting appears in a connection. */
#define NM_SETTING_802_1X_SETTING_NAME "802-1x"

/* Property names of the 802-1x setting.
 *
 * Every secret-bearing property ("*-password", "password", "password-raw",
 * "pin") is paired with a "*-flags" property carrying #NMSettingSecretFlags;
 * consult the flags before persisting, exporting or logging the secret.
 * Certificate and key properties ("ca-cert", "client-cert", "private-key"
 * and their "phase2-" twins) hold the item in one of the
 * #NMSetting8021xCKScheme forms; see the PRIVATE KEY NOTE below for the
 * blob-scheme requirements. "phase1-*" properties presumably configure the
 * outer (tunnel) authentication and "phase2-*" the inner one -- confirm. */
#define NM_SETTING_802_1X_EAP "eap"
#define NM_SETTING_802_1X_IDENTITY "identity"
#define NM_SETTING_802_1X_ANONYMOUS_IDENTITY "anonymous-identity"
#define NM_SETTING_802_1X_PAC_FILE "pac-file"
/* Server (CA) trust and server-identity constraints for phase 1. */
#define NM_SETTING_802_1X_CA_CERT "ca-cert"
#define NM_SETTING_802_1X_CA_CERT_PASSWORD "ca-cert-password"
#define NM_SETTING_802_1X_CA_CERT_PASSWORD_FLAGS "ca-cert-password-flags"
#define NM_SETTING_802_1X_CA_PATH "ca-path"
#define NM_SETTING_802_1X_SUBJECT_MATCH "subject-match"
#define NM_SETTING_802_1X_ALTSUBJECT_MATCHES "altsubject-matches"
#define NM_SETTING_802_1X_DOMAIN_SUFFIX_MATCH "domain-suffix-match"
#define NM_SETTING_802_1X_DOMAIN_MATCH "domain-match"
/* Client credentials for phase 1. */
#define NM_SETTING_802_1X_CLIENT_CERT "client-cert"
#define NM_SETTING_802_1X_CLIENT_CERT_PASSWORD "client-cert-password"
#define NM_SETTING_802_1X_CLIENT_CERT_PASSWORD_FLAGS "client-cert-password-flags"
/* Phase 1 protocol tuning; "phase1-auth-flags" holds #NMSetting8021xAuthFlags. */
#define NM_SETTING_802_1X_PHASE1_PEAPVER "phase1-peapver"
#define NM_SETTING_802_1X_PHASE1_PEAPLABEL "phase1-peaplabel"
#define NM_SETTING_802_1X_PHASE1_FAST_PROVISIONING "phase1-fast-provisioning"
#define NM_SETTING_802_1X_PHASE1_AUTH_FLAGS "phase1-auth-flags"
/* Phase 2 (inner) method selection, server trust and client credentials. */
#define NM_SETTING_802_1X_PHASE2_AUTH "phase2-auth"
#define NM_SETTING_802_1X_PHASE2_AUTHEAP "phase2-autheap"
#define NM_SETTING_802_1X_PHASE2_CA_CERT "phase2-ca-cert"
#define NM_SETTING_802_1X_PHASE2_CA_CERT_PASSWORD "phase2-ca-cert-password"
#define NM_SETTING_802_1X_PHASE2_CA_CERT_PASSWORD_FLAGS "phase2-ca-cert-password-flags"
#define NM_SETTING_802_1X_PHASE2_CA_PATH "phase2-ca-path"
#define NM_SETTING_802_1X_PHASE2_SUBJECT_MATCH "phase2-subject-match"
#define NM_SETTING_802_1X_PHASE2_ALTSUBJECT_MATCHES "phase2-altsubject-matches"
#define NM_SETTING_802_1X_PHASE2_DOMAIN_SUFFIX_MATCH "phase2-domain-suffix-match"
#define NM_SETTING_802_1X_PHASE2_DOMAIN_MATCH "phase2-domain-match"
#define NM_SETTING_802_1X_PHASE2_CLIENT_CERT "phase2-client-cert"
#define NM_SETTING_802_1X_PHASE2_CLIENT_CERT_PASSWORD "phase2-client-cert-password"
#define NM_SETTING_802_1X_PHASE2_CLIENT_CERT_PASSWORD_FLAGS "phase2-client-cert-password-flags"
/* User password secrets: "password" as a string, "password-raw" as bytes. */
#define NM_SETTING_802_1X_PASSWORD "password"
#define NM_SETTING_802_1X_PASSWORD_FLAGS "password-flags"
#define NM_SETTING_802_1X_PASSWORD_RAW "password-raw"
#define NM_SETTING_802_1X_PASSWORD_RAW_FLAGS "password-raw-flags"
/* Private keys and the passwords protecting them (see PRIVATE KEY NOTE). */
#define NM_SETTING_802_1X_PRIVATE_KEY "private-key"
#define NM_SETTING_802_1X_PRIVATE_KEY_PASSWORD "private-key-password"
#define NM_SETTING_802_1X_PRIVATE_KEY_PASSWORD_FLAGS "private-key-password-flags"
#define NM_SETTING_802_1X_PHASE2_PRIVATE_KEY "phase2-private-key"
#define NM_SETTING_802_1X_PHASE2_PRIVATE_KEY_PASSWORD "phase2-private-key-password"
#define NM_SETTING_802_1X_PHASE2_PRIVATE_KEY_PASSWORD_FLAGS "phase2-private-key-password-flags"
/* Token/smartcard PIN secret and its flags. */
#define NM_SETTING_802_1X_PIN "pin"
#define NM_SETTING_802_1X_PIN_FLAGS "pin-flags"
/* Miscellaneous behaviour switches. */
#define NM_SETTING_802_1X_SYSTEM_CA_CERTS "system-ca-certs"
#define NM_SETTING_802_1X_AUTH_TIMEOUT "auth-timeout"
#define NM_SETTING_802_1X_OPTIONAL "optional"
158
159/* PRIVATE KEY NOTE: when setting PKCS#12 private keys directly via properties
160 * using the "blob" scheme, the data must be passed in PKCS#12 binary format.
161 * In this case, the appropriate "client-cert" (or "phase2-client-cert")
162 * property of the NMSetting8021x object must also contain the exact same
163 * PKCS#12 binary data that the private key does. This is because the
164 * PKCS#12 file contains both the private key and client certificate, so both
165 * properties need to be set to the same thing. When using the "path" scheme,
166 * just set both the private-key and client-cert properties to the same path.
167 *
 * When setting OpenSSL-derived "traditional" format (i.e. S/MIME style, not
 * PKCS#8) RSA and DSA keys directly via properties with the "blob" scheme, they
170 * should be passed to NetworkManager in PEM format with the "DEK-Info" and
171 * "Proc-Type" tags intact. Decrypted private keys should not be used as this
172 * is insecure and could allow unprivileged users to access the decrypted
173 * private key data.
174 *
175 * When using the "path" scheme, just set the private-key and client-cert
176 * properties to the paths to their respective objects.
177 */
178
/* Opaque class structure; the instance type #NMSetting8021x is declared in
 * nm-setting.h. */
typedef struct _NMSetting8021xClass NMSetting8021xClass;

/* Registers and returns the GType backing %NM_TYPE_SETTING_802_1X. */
GType nm_setting_802_1x_get_type(void);

/* Creates a new, empty 802-1x setting. By the usual _new() convention the
 * caller owns the returned reference. */
NMSetting *nm_setting_802_1x_new(void);

/* Classifies the @length bytes at @pdata as one of the #NMSetting8021xCKScheme
 * forms (blob, "file://" path or "pkcs11:" URI). Returns
 * %NM_SETTING_802_1X_CK_SCHEME_UNKNOWN when the data fits none of them, in
 * which case @error is presumably set -- confirm. Only the scheme is
 * determined here; the certificate or key content is not validated by this
 * call as far as this header shows. */
NM_AVAILABLE_IN_1_2
NMSetting8021xCKScheme
nm_setting_802_1x_check_cert_scheme(gconstpointer pdata, gsize length, GError **error);
188
/* The "eap" property is an ordered list of EAP method names; these calls
 * read and edit that list in place. Indices @i are zero-based and must be
 * below nm_setting_802_1x_get_num_eap_methods() (presumably enforced with a
 * g_return_* check -- confirm). Returned strings are owned by @setting. */
guint32 nm_setting_802_1x_get_num_eap_methods(NMSetting8021x *setting);
const char *nm_setting_802_1x_get_eap_method(NMSetting8021x *setting, guint32 i);
/* Appends @eap; the gboolean presumably reports whether the list changed
 * (FALSE for a duplicate or rejected name) -- confirm. */
gboolean nm_setting_802_1x_add_eap_method(NMSetting8021x *setting, const char *eap);
void nm_setting_802_1x_remove_eap_method(NMSetting8021x *setting, guint32 i);
/* Removes the entry equal to @eap; returns whether one was found. */
gboolean nm_setting_802_1x_remove_eap_method_by_value(NMSetting8021x *setting, const char *eap);
void nm_setting_802_1x_clear_eap_methods(NMSetting8021x *setting);
195
/* Plain property getters. Returned strings are owned by @setting and must not
 * be modified or freed. */

/* "identity": the EAP identity presented to the authenticator. */
const char *nm_setting_802_1x_get_identity(NMSetting8021x *setting);

/* "anonymous-identity": presumably the identity sent unprotected in the outer
 * exchange of tunnelled methods, so that the real one stays inside the
 * tunnel -- confirm against the implementation. */
const char *nm_setting_802_1x_get_anonymous_identity(NMSetting8021x *setting);

/* "pac-file": path of the PAC file used by EAP-FAST provisioning. */
const char *nm_setting_802_1x_get_pac_file(NMSetting8021x *setting);

/* "system-ca-certs": when TRUE the system CA store is presumably consulted
 * for server validation -- confirm. "ca-path"/"phase2-ca-path": a path
 * (presumably a directory of CA certificates) to trust in the respective
 * phase. */
gboolean nm_setting_802_1x_get_system_ca_certs(NMSetting8021x *setting);
const char *nm_setting_802_1x_get_ca_path(NMSetting8021x *setting);
const char *nm_setting_802_1x_get_phase2_ca_path(NMSetting8021x *setting);
205
/* Phase 1 CA certificate ("ca-cert"). The *_scheme getter reports how the
 * value is stored; use the matching accessor -- *_blob for
 * %NM_SETTING_802_1X_CK_SCHEME_BLOB, *_path for ..._PATH, *_uri (since 1.6)
 * for ..._PKCS11. Calling an accessor for a different scheme is presumably a
 * programming error -- confirm. */
NMSetting8021xCKScheme nm_setting_802_1x_get_ca_cert_scheme(NMSetting8021x *setting);
GBytes *nm_setting_802_1x_get_ca_cert_blob(NMSetting8021x *setting);
const char *nm_setting_802_1x_get_ca_cert_path(NMSetting8021x *setting);
NM_AVAILABLE_IN_1_6
const char *nm_setting_802_1x_get_ca_cert_uri(NMSetting8021x *setting);
/* Sets the CA certificate. @value is interpreted according to @scheme (see
 * #NMSetting8021xCKScheme; how blob data is supplied through a string is
 * defined by the implementation -- confirm). When non-%NULL, *@out_format
 * receives the detected #NMSetting8021xCKFormat. Returns FALSE, with @error
 * set, when the value is rejected. */
gboolean nm_setting_802_1x_set_ca_cert(NMSetting8021x *setting,
                                       const char *value,
                                       NMSetting8021xCKScheme scheme,
                                       NMSetting8021xCKFormat *out_format,
                                       GError **error);

/* "ca-cert-password" (since 1.8): secret protecting the CA certificate, and
 * the #NMSettingSecretFlags that govern how that secret is stored and
 * requested. */
NM_AVAILABLE_IN_1_8
const char *nm_setting_802_1x_get_ca_cert_password(NMSetting8021x *setting);
NM_AVAILABLE_IN_1_8
NMSettingSecretFlags nm_setting_802_1x_get_ca_cert_password_flags(NMSetting8021x *setting);
221
/* Phase 1 server-identity constraints. As the names suggest these are
 * presumably matched against the server certificate's subject, its
 * subjectAltName entries and its domain name; confirm the exact matching
 * rules against the implementation. With none of them set, the server is
 * constrained only by CA trust. */

/* "subject-match" */
const char *nm_setting_802_1x_get_subject_match(NMSetting8021x *setting);

/* "altsubject-matches": a list edited in place; @i is zero-based and must be
 * below nm_setting_802_1x_get_num_altsubject_matches(). The gboolean of the
 * add/remove-by-value calls reports whether the list changed. */
guint32 nm_setting_802_1x_get_num_altsubject_matches(NMSetting8021x *setting);
const char *nm_setting_802_1x_get_altsubject_match(NMSetting8021x *setting, guint32 i);
gboolean nm_setting_802_1x_add_altsubject_match(NMSetting8021x *setting,
                                                const char *altsubject_match);
void nm_setting_802_1x_remove_altsubject_match(NMSetting8021x *setting, guint32 i);
gboolean nm_setting_802_1x_remove_altsubject_match_by_value(NMSetting8021x *setting,
                                                            const char *altsubject_match);
void nm_setting_802_1x_clear_altsubject_matches(NMSetting8021x *setting);
/* "domain-suffix-match" (since 1.2) */
NM_AVAILABLE_IN_1_2
const char *nm_setting_802_1x_get_domain_suffix_match(NMSetting8021x *setting);

/* "domain-match" (since 1.24) */
NM_AVAILABLE_IN_1_24
const char *nm_setting_802_1x_get_domain_match(NMSetting8021x *setting);
237
/* Phase 1 client certificate ("client-cert"). Same scheme/accessor pairing
 * as the CA certificate: read *_scheme first, then the accessor matching it
 * (*_uri is available since 1.6). With a PKCS#12 blob this property must
 * hold the same bytes as "private-key"; see the PRIVATE KEY NOTE above. */
NMSetting8021xCKScheme nm_setting_802_1x_get_client_cert_scheme(NMSetting8021x *setting);
GBytes *nm_setting_802_1x_get_client_cert_blob(NMSetting8021x *setting);
const char *nm_setting_802_1x_get_client_cert_path(NMSetting8021x *setting);
NM_AVAILABLE_IN_1_6
const char *nm_setting_802_1x_get_client_cert_uri(NMSetting8021x *setting);
/* Sets the client certificate; @value is interpreted per @scheme, *@out_format
 * (if non-%NULL) receives the detected format, and FALSE with @error set is
 * returned when the value is rejected. */
gboolean nm_setting_802_1x_set_client_cert(NMSetting8021x *setting,
                                           const char *value,
                                           NMSetting8021xCKScheme scheme,
                                           NMSetting8021xCKFormat *out_format,
                                           GError **error);

/* "client-cert-password" (since 1.8) and its #NMSettingSecretFlags. */
NM_AVAILABLE_IN_1_8
const char *nm_setting_802_1x_get_client_cert_password(NMSetting8021x *setting);
NM_AVAILABLE_IN_1_8
NMSettingSecretFlags nm_setting_802_1x_get_client_cert_password_flags(NMSetting8021x *setting);
253
/* String getters for the phase 1 tuning and phase 2 method properties. The
 * accepted values are validated by the implementation, not documented here.
 * Returned strings are owned by @setting. */

/* "phase1-peapver" */
const char *nm_setting_802_1x_get_phase1_peapver(NMSetting8021x *setting);

/* "phase1-peaplabel" */
const char *nm_setting_802_1x_get_phase1_peaplabel(NMSetting8021x *setting);

/* "phase1-fast-provisioning" */
const char *nm_setting_802_1x_get_phase1_fast_provisioning(NMSetting8021x *setting);

/* "phase2-auth": the inner (non-EAP) authentication method. */
const char *nm_setting_802_1x_get_phase2_auth(NMSetting8021x *setting);

/* "phase2-autheap": the inner EAP method. */
const char *nm_setting_802_1x_get_phase2_autheap(NMSetting8021x *setting);
263
/* Phase 2 CA certificate ("phase2-ca-cert"); mirrors the phase 1 "ca-cert"
 * API: read *_scheme, then use the accessor matching that scheme (*_uri since
 * 1.6). */
NMSetting8021xCKScheme nm_setting_802_1x_get_phase2_ca_cert_scheme(NMSetting8021x *setting);
GBytes *nm_setting_802_1x_get_phase2_ca_cert_blob(NMSetting8021x *setting);
const char *nm_setting_802_1x_get_phase2_ca_cert_path(NMSetting8021x *setting);
NM_AVAILABLE_IN_1_6
const char *nm_setting_802_1x_get_phase2_ca_cert_uri(NMSetting8021x *setting);
/* Sets the phase 2 CA certificate; @value is interpreted per @scheme,
 * *@out_format (if non-%NULL) receives the detected format, and FALSE with
 * @error set is returned when the value is rejected. */
gboolean nm_setting_802_1x_set_phase2_ca_cert(NMSetting8021x *setting,
                                              const char *value,
                                              NMSetting8021xCKScheme scheme,
                                              NMSetting8021xCKFormat *out_format,
                                              GError **error);

/* "phase2-ca-cert-password" (since 1.8) and its #NMSettingSecretFlags. */
NM_AVAILABLE_IN_1_8
const char *nm_setting_802_1x_get_phase2_ca_cert_password(NMSetting8021x *setting);
NM_AVAILABLE_IN_1_8
NMSettingSecretFlags nm_setting_802_1x_get_phase2_ca_cert_password_flags(NMSetting8021x *setting);
279
/* Phase 2 server-identity constraints; same semantics as the phase 1
 * "subject-match" family, applied to the inner authentication. */

/* "phase2-subject-match" */
const char *nm_setting_802_1x_get_phase2_subject_match(NMSetting8021x *setting);

/* "phase2-altsubject-matches": list edited in place; @i is zero-based and
 * must be below nm_setting_802_1x_get_num_phase2_altsubject_matches(). */
guint32 nm_setting_802_1x_get_num_phase2_altsubject_matches(NMSetting8021x *setting);
const char *nm_setting_802_1x_get_phase2_altsubject_match(NMSetting8021x *setting, guint32 i);
gboolean nm_setting_802_1x_add_phase2_altsubject_match(NMSetting8021x *setting,
                                                       const char *phase2_altsubject_match);
void nm_setting_802_1x_remove_phase2_altsubject_match(NMSetting8021x *setting, guint32 i);
gboolean
nm_setting_802_1x_remove_phase2_altsubject_match_by_value(NMSetting8021x *setting,
                                                          const char *phase2_altsubject_match);
void nm_setting_802_1x_clear_phase2_altsubject_matches(NMSetting8021x *setting);
/* "phase2-domain-suffix-match" (since 1.2) */
NM_AVAILABLE_IN_1_2
const char *nm_setting_802_1x_get_phase2_domain_suffix_match(NMSetting8021x *setting);

/* "phase2-domain-match" (since 1.24) */
NM_AVAILABLE_IN_1_24
const char *nm_setting_802_1x_get_phase2_domain_match(NMSetting8021x *setting);
296
/* Phase 2 client certificate ("phase2-client-cert"); mirrors the phase 1
 * "client-cert" API. With a PKCS#12 blob it must hold the same bytes as
 * "phase2-private-key" (see PRIVATE KEY NOTE). */
NMSetting8021xCKScheme nm_setting_802_1x_get_phase2_client_cert_scheme(NMSetting8021x *setting);
GBytes *nm_setting_802_1x_get_phase2_client_cert_blob(NMSetting8021x *setting);
const char *nm_setting_802_1x_get_phase2_client_cert_path(NMSetting8021x *setting);
NM_AVAILABLE_IN_1_6
const char *nm_setting_802_1x_get_phase2_client_cert_uri(NMSetting8021x *setting);
/* Sets the phase 2 client certificate; @value is interpreted per @scheme,
 * *@out_format (if non-%NULL) receives the detected format, and FALSE with
 * @error set is returned when the value is rejected. */
gboolean nm_setting_802_1x_set_phase2_client_cert(NMSetting8021x *setting,
                                                  const char *value,
                                                  NMSetting8021xCKScheme scheme,
                                                  NMSetting8021xCKFormat *out_format,
                                                  GError **error);

/* "phase2-client-cert-password" (since 1.8) and its #NMSettingSecretFlags. */
NM_AVAILABLE_IN_1_8
const char *nm_setting_802_1x_get_phase2_client_cert_password(NMSetting8021x *setting);
NM_AVAILABLE_IN_1_8
NMSettingSecretFlags
nm_setting_802_1x_get_phase2_client_cert_password_flags(NMSetting8021x *setting);
313
/* User password secrets. "password" is a string, "password-raw" the same
 * secret as raw bytes (for passwords that are not valid strings -- presumably;
 * confirm). Each has #NMSettingSecretFlags that decide whether the secret is
 * stored, agent-supplied or prompted; callers that persist or display the
 * setting must honour them. */
const char *nm_setting_802_1x_get_password(NMSetting8021x *setting);
NMSettingSecretFlags nm_setting_802_1x_get_password_flags(NMSetting8021x *setting);
GBytes *nm_setting_802_1x_get_password_raw(NMSetting8021x *setting);
NMSettingSecretFlags nm_setting_802_1x_get_password_raw_flags(NMSetting8021x *setting);

/* "pin": PIN secret (presumably for a PKCS#11 token or smartcard -- confirm)
 * and its #NMSettingSecretFlags. */
const char *nm_setting_802_1x_get_pin(NMSetting8021x *setting);
NMSettingSecretFlags nm_setting_802_1x_get_pin_flags(NMSetting8021x *setting);
321
/* Phase 1 private key ("private-key"). Same scheme/accessor pairing as the
 * certificates. See the PRIVATE KEY NOTE above: a PKCS#12 blob must also be
 * set as "client-cert", and traditional OpenSSL keys must be supplied
 * encrypted (PEM with DEK-Info/Proc-Type) -- never as decrypted key material. */
NMSetting8021xCKScheme nm_setting_802_1x_get_private_key_scheme(NMSetting8021x *setting);
GBytes *nm_setting_802_1x_get_private_key_blob(NMSetting8021x *setting);
const char *nm_setting_802_1x_get_private_key_path(NMSetting8021x *setting);
NM_AVAILABLE_IN_1_6
const char *nm_setting_802_1x_get_private_key_uri(NMSetting8021x *setting);
/* Sets the private key. @value is interpreted per @scheme; @password is the
 * key's protection password and presumably lands in "private-key-password"
 * (confirm). *@out_format (if non-%NULL) receives the detected
 * #NMSetting8021xCKFormat. Returns FALSE with @error set on rejection. */
gboolean nm_setting_802_1x_set_private_key(NMSetting8021x *setting,
                                           const char *value,
                                           const char *password,
                                           NMSetting8021xCKScheme scheme,
                                           NMSetting8021xCKFormat *out_format,
                                           GError **error);
/* "private-key-password" and its #NMSettingSecretFlags. */
const char *nm_setting_802_1x_get_private_key_password(NMSetting8021x *setting);
NMSettingSecretFlags nm_setting_802_1x_get_private_key_password_flags(NMSetting8021x *setting);

/* Format of the stored private key as detected when it was set. */
NMSetting8021xCKFormat nm_setting_802_1x_get_private_key_format(NMSetting8021x *setting);
337
/* Phase 2 private key ("phase2-private-key"); mirrors the phase 1
 * "private-key" API, including the PKCS#12 and encrypted-key requirements of
 * the PRIVATE KEY NOTE above (paired with "phase2-client-cert"). */
NMSetting8021xCKScheme nm_setting_802_1x_get_phase2_private_key_scheme(NMSetting8021x *setting);
GBytes *nm_setting_802_1x_get_phase2_private_key_blob(NMSetting8021x *setting);
const char *nm_setting_802_1x_get_phase2_private_key_path(NMSetting8021x *setting);
NM_AVAILABLE_IN_1_6
const char *nm_setting_802_1x_get_phase2_private_key_uri(NMSetting8021x *setting);
/* Sets the phase 2 private key; @value per @scheme, @password as the key's
 * protection password, *@out_format (if non-%NULL) receives the detected
 * format, FALSE with @error set on rejection. */
gboolean nm_setting_802_1x_set_phase2_private_key(NMSetting8021x *setting,
                                                  const char *value,
                                                  const char *password,
                                                  NMSetting8021xCKScheme scheme,
                                                  NMSetting8021xCKFormat *out_format,
                                                  GError **error);
/* "phase2-private-key-password" and its #NMSettingSecretFlags. */
const char *nm_setting_802_1x_get_phase2_private_key_password(NMSetting8021x *setting);
NMSettingSecretFlags
nm_setting_802_1x_get_phase2_private_key_password_flags(NMSetting8021x *setting);

/* Format of the stored phase 2 private key as detected when it was set. */
NMSetting8021xCKFormat nm_setting_802_1x_get_phase2_private_key_format(NMSetting8021x *setting);
354
/* "phase1-auth-flags" (since 1.8): the #NMSetting8021xAuthFlags controlling
 * TLS version selection and time checks for the outer authentication. */
NM_AVAILABLE_IN_1_8
NMSetting8021xAuthFlags nm_setting_802_1x_get_phase1_auth_flags(NMSetting8021x *setting);
/* "auth-timeout" (since 1.8): authentication timeout; the unit and the
 * meaning of 0 are defined by the implementation (presumably seconds and
 * "use the default") -- confirm. */
NM_AVAILABLE_IN_1_8
int nm_setting_802_1x_get_auth_timeout(NMSetting8021x *setting);
/* "optional" (since 1.22): when TRUE, failure of 802.1X authentication
 * presumably does not fail the connection as a whole -- confirm. */
NM_AVAILABLE_IN_1_22
gboolean nm_setting_802_1x_get_optional(NMSetting8021x *setting);
361
362G_END_DECLS
363
364#endif /* __NM_SETTING_8021X_H__ */
365
