Creates a new #NMSetting8021x object with default values.
List of strings to be matched against the altSubjectName of the certificate presented by the authentication server. If the list is empty, no verification of the server certificate's altSubjectName is performed.
Anonymous identity string for EAP authentication methods. Used as the unencrypted identity with EAP types that support different tunneled identity like EAP-TTLS.
A timeout for the authentication. Zero means the global default; if the global default is not set, the authentication timeout is 25 seconds.
Contains the CA certificate if used by the EAP method specified in the #NMSetting8021x:eap property.
Certificate data is specified using a "scheme"; three are currently supported: blob, path and pkcs#11 URL. When using the blob scheme this property should be set to the certificate's DER encoded data. When using the path scheme, this property should be set to the full UTF-8 encoded path of the certificate, prefixed with the string "file://" and ending with a terminating NUL byte. This property can be unset even if the EAP method supports CA certificates, but this allows man-in-the-middle attacks and is NOT recommended.
Note that enabling NMSetting8021x:system-ca-certs will override this setting to use the built-in path, if the built-in path is not a directory.
Setting this property directly is discouraged; use the nm_setting_802_1x_set_ca_cert() function instead.
The password used to access the CA certificate stored in #NMSetting8021x:ca-cert property. Only makes sense if the certificate is stored on a PKCS#11 token that requires a login.
Flags indicating how to handle the #NMSetting8021x:ca-cert-password property.
UTF-8 encoded path to a directory containing PEM or DER formatted certificates to be added to the verification chain in addition to the certificate specified in the #NMSetting8021x:ca-cert property.
If NMSetting8021x:system-ca-certs is enabled and the built-in CA path is an existing directory, then this setting is ignored.
Contains the client certificate if used by the EAP method specified in the #NMSetting8021x:eap property.
Certificate data is specified using a "scheme"; two are currently supported: blob and path. When using the blob scheme (which is backwards compatible with NM 0.7.x) this property should be set to the certificate's DER encoded data. When using the path scheme, this property should be set to the full UTF-8 encoded path of the certificate, prefixed with the string "file://" and ending with a terminating NUL byte.
Setting this property directly is discouraged; use the nm_setting_802_1x_set_client_cert() function instead.
The password used to access the client certificate stored in #NMSetting8021x:client-cert property. Only makes sense if the certificate is stored on a PKCS#11 token that requires a login.
Flags indicating how to handle the #NMSetting8021x:client-cert-password property.
Constraint for server domain name. If set, this list of FQDNs is used as a match requirement for dNSName element(s) of the certificate presented by the authentication server. If a matching dNSName is found, this constraint is met. If no dNSName values are present, this constraint is matched against SubjectName CN using the same comparison. Multiple valid FQDNs can be passed as a ";" delimited list.
Constraint for server domain name. If set, this FQDN is used as a suffix match requirement for dNSName element(s) of the certificate presented by the authentication server. If a matching dNSName is found, this constraint is met. If no dNSName values are present, this constraint is matched against SubjectName CN using the same suffix match comparison. Since version 1.24, multiple valid FQDNs can be passed as a ";" delimited list.
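Added example (not part of the NetworkManager documentation): a Python model of the three server-name checks described on this page, run against constructed certificate fields, showing the dNSName-before-CN fallback, the ";" delimited list, and why the substring-based subject-match is weaker than domain-suffix-match. The function names are hypothetical, and case-insensitive comparison on label boundaries is an assumption taken from the wpa_supplicant documentation for domain_suffix_match.

```python
# Added example: a model of the server-name constraints described above.
# Function names are hypothetical; they are not libnm or wpa_supplicant APIs.


def _norm(name):
    """Lower-case a DNS name and drop a trailing root dot."""
    return name.strip().lower().rstrip(".")


def _constraints(value):
    """Split a ';' delimited FQDN list, ignoring empty items."""
    return [_norm(v) for v in value.split(";") if v.strip()]


def _presented_names(dns_names, subject_cn):
    """dNSName values win; the subject CN is consulted only when there are none."""
    if dns_names:
        return [_norm(n) for n in dns_names]
    return [_norm(subject_cn)] if subject_cn else []


def domain_match(constraint, dns_names, subject_cn=None):
    """domain-match: a presented name must equal one of the listed FQDNs."""
    wanted = _constraints(constraint)
    return any(n in wanted for n in _presented_names(dns_names, subject_cn))


def domain_suffix_match(constraint, dns_names, subject_cn=None):
    """domain-suffix-match: a presented name must end with one listed FQDN.

    Assumption: the suffix is compared on label boundaries, so "example.com"
    accepts "radius.example.com" but not "radius-example.com".
    """
    wanted = _constraints(constraint)
    for name in _presented_names(dns_names, subject_cn):
        for suffix in wanted:
            if name == suffix or name.endswith("." + suffix):
                return True
    return False


def subject_match(substring, subject):
    """subject-match: a plain substring test on the certificate subject."""
    return substring in subject


if __name__ == "__main__":
    # Constructed certificate fields, using reserved example domains.
    print(domain_suffix_match("example.com", ["radius.example.com"]))
    print(domain_suffix_match("example.com", ["radius-example.com"]))
    # A dNSName is present, so the CN is never consulted.
    print(domain_suffix_match("example.com", ["aaa.other.test"], "radius.example.com"))
    # No dNSName at all: fall back to the subject CN.
    print(domain_suffix_match("example.com", [], "radius.example.com"))
    # The substring test accepts a subject that merely contains the string.
    print(subject_match("radius.example.com", "CN=radius.example.com.other.test"))
    print(domain_suffix_match("radius.example.com", [], "radius.example.com.other.test"))
```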
The allowed EAP method to be used when authenticating to the network with 802.1x. Valid methods are: "leap", "md5", "tls", "peap", "ttls", "pwd", and "fast". Each method requires different configuration using the properties of this setting; refer to wpa_supplicant documentation for the allowed combinations.
Identity string for EAP authentication methods. Often the user's user or login name.
The setting's name, which uniquely identifies the setting within the connection. Each setting type has a name unique to that type, for example "ppp" or "802-11-wireless" or "802-3-ethernet".
Whether the 802.1X authentication is optional. If %TRUE, the activation will continue even after a timeout or an authentication failure. Setting the property to %TRUE is currently allowed only for Ethernet connections. If set to %FALSE, the activation can continue only after a successful authentication.
UTF-8 encoded file path containing PAC for EAP-FAST.
UTF-8 encoded password used for EAP authentication methods. If both the #NMSetting8021x:password property and the #NMSetting8021x:password-raw property are specified, #NMSetting8021x:password is preferred.
Flags indicating how to handle the #NMSetting8021x:password property.
Password used for EAP authentication methods, given as a byte array to allow passwords in other encodings than UTF-8 to be used. If both the #NMSetting8021x:password property and the #NMSetting8021x:password-raw property are specified, #NMSetting8021x:password is preferred.
Flags indicating how to handle the #NMSetting8021x:password-raw property.
Specifies authentication flags to use in "phase 1" outer authentication using #NMSetting8021xAuthFlags options. The individual TLS versions can be explicitly disabled. If a certain TLS disable flag is not set, it is up to the supplicant to allow or forbid it. The TLS options map to tls_disable_tlsv1_x settings. See the wpa_supplicant documentation for more details.
Enables or disables in-line provisioning of EAP-FAST credentials when FAST is specified as the EAP method in the #NMSetting8021x:eap property. Recognized values are "0" (disabled), "1" (allow unauthenticated provisioning), "2" (allow authenticated provisioning), and "3" (allow both authenticated and unauthenticated provisioning). See the wpa_supplicant documentation for more details.
Forces use of the new PEAP label during key derivation. Some RADIUS servers may require forcing the new PEAP label to interoperate with PEAPv1. Set to "1" to force use of the new PEAP label. See the wpa_supplicant documentation for more details.
Forces which PEAP version is used when PEAP is set as the EAP method in the #NMSetting8021x:eap property. When unset, the version reported by the server will be used. Sometimes when using older RADIUS servers, it is necessary to force the client to use a particular PEAP version. To do so, this property may be set to "0" or "1" to force that specific PEAP version.
List of strings to be matched against the altSubjectName of the certificate presented by the authentication server during the inner "phase 2" authentication. If the list is empty, no verification of the server certificate's altSubjectName is performed.
Specifies the allowed "phase 2" inner authentication method when an EAP method that uses an inner TLS tunnel is specified in the #NMSetting8021x:eap property. For TTLS this property selects one of the supported non-EAP inner methods: "pap", "chap", "mschap", "mschapv2" while #NMSetting8021x:phase2-autheap selects an EAP inner method. For PEAP this selects an inner EAP method, one of: "gtc", "otp", "md5" and "tls". Each "phase 2" inner method requires specific parameters for successful authentication; see the wpa_supplicant documentation for more details. #NMSetting8021x:phase2-auth and #NMSetting8021x:phase2-autheap cannot both be specified.
Specifies the allowed "phase 2" inner EAP-based authentication method when TTLS is specified in the #NMSetting8021x:eap property. Recognized EAP-based "phase 2" methods are "md5", "mschapv2", "otp", "gtc", and "tls". Each "phase 2" inner method requires specific parameters for successful authentication; see the wpa_supplicant documentation for more details.
Contains the "phase 2" CA certificate if used by the EAP method specified in the #NMSetting8021x:phase2-auth or #NMSetting8021x:phase2-autheap properties.
Certificate data is specified using a "scheme"; three are currently supported: blob, path and pkcs#11 URL. When using the blob scheme this property should be set to the certificate's DER encoded data. When using the path scheme, this property should be set to the full UTF-8 encoded path of the certificate, prefixed with the string "file://" and ending with a terminating NUL byte. This property can be unset even if the EAP method supports CA certificates, but this allows man-in-the-middle attacks and is NOT recommended.
Note that enabling NMSetting8021x:system-ca-certs will override this setting to use the built-in path, if the built-in path is not a directory.
Setting this property directly is discouraged; use the nm_setting_802_1x_set_phase2_ca_cert() function instead.
The password used to access the "phase2" CA certificate stored in #NMSetting8021x:phase2-ca-cert property. Only makes sense if the certificate is stored on a PKCS#11 token that requires a login.
Flags indicating how to handle the #NMSetting8021x:phase2-ca-cert-password property.
UTF-8 encoded path to a directory containing PEM or DER formatted certificates to be added to the verification chain in addition to the certificate specified in the #NMSetting8021x:phase2-ca-cert property.
If NMSetting8021x:system-ca-certs is enabled and the built-in CA path is an existing directory, then this setting is ignored.
Contains the "phase 2" client certificate if used by the EAP method specified in the #NMSetting8021x:phase2-auth or #NMSetting8021x:phase2-autheap properties.
Certificate data is specified using a "scheme"; two are currently supported: blob and path. When using the blob scheme (which is backwards compatible with NM 0.7.x) this property should be set to the certificate's DER encoded data. When using the path scheme, this property should be set to the full UTF-8 encoded path of the certificate, prefixed with the string "file://" and ending with a terminating NUL byte. This property can be unset even if the EAP method supports CA certificates, but this allows man-in-the-middle attacks and is NOT recommended.
Setting this property directly is discouraged; use the nm_setting_802_1x_set_phase2_client_cert() function instead.
The password used to access the "phase2" client certificate stored in #NMSetting8021x:phase2-client-cert property. Only makes sense if the certificate is stored on a PKCS#11 token that requires a login.
Flags indicating how to handle the #NMSetting8021x:phase2-client-cert-password property.
Constraint for server domain name. If set, this list of FQDNs is used as a match requirement for dNSName element(s) of the certificate presented by the authentication server during the inner "phase 2" authentication. If a matching dNSName is found, this constraint is met. If no dNSName values are present, this constraint is matched against SubjectName CN using the same comparison. Multiple valid FQDNs can be passed as a ";" delimited list.
Constraint for server domain name. If set, this FQDN is used as a suffix match requirement for dNSName element(s) of the certificate presented by the authentication server during the inner "phase 2" authentication. If a matching dNSName is found, this constraint is met. If no dNSName values are present, this constraint is matched against SubjectName CN using the same suffix match comparison. Since version 1.24, multiple valid FQDNs can be passed as a ";" delimited list.
Contains the "phase 2" inner private key when the #NMSetting8021x:phase2-auth or #NMSetting8021x:phase2-autheap property is set to "tls".
Key data is specified using a "scheme"; two are currently supported: blob and path. When using the blob scheme and private keys, this property should be set to the key's encrypted PEM encoded data. When using private keys with the path scheme, this property should be set to the full UTF-8 encoded path of the key, prefixed with the string "file://" and ending with a terminating NUL byte. When using PKCS#12 format private keys and the blob scheme, this property should be set to the PKCS#12 data and the #NMSetting8021x:phase2-private-key-password property must be set to the password used to decrypt the PKCS#12 certificate and key. When using PKCS#12 files and the path scheme, this property should be set to the full UTF-8 encoded path of the key, prefixed with the string "file://" and ending with a terminating NUL byte, and as with the blob scheme the #NMSetting8021x:phase2-private-key-password property must be set to the password used to decode the PKCS#12 private key and certificate.
Setting this property directly is discouraged; use the nm_setting_802_1x_set_phase2_private_key() function instead.
The password used to decrypt the "phase 2" private key specified in the #NMSetting8021x:phase2-private-key property when the private key either uses the path scheme, or is a PKCS#12 format key. Setting this property directly is not generally necessary except when returning secrets to NetworkManager; it is generally set automatically when setting the private key by the nm_setting_802_1x_set_phase2_private_key() function.
Flags indicating how to handle the #NMSetting8021x:phase2-private-key-password property.
Substring to be matched against the subject of the certificate presented by the authentication server during the inner "phase 2" authentication. When unset, no verification of the authentication server certificate's subject is performed. This property provides little security, if any, and its use is deprecated in favor of NMSetting8021x:phase2-domain-suffix-match.
PIN used for EAP authentication methods.
Flags indicating how to handle the #NMSetting8021x:pin property.
Contains the private key when the #NMSetting8021x:eap property is set to "tls".
Key data is specified using a "scheme"; two are currently supported: blob and path. When using the blob scheme and private keys, this property should be set to the key's encrypted PEM encoded data. When using private keys with the path scheme, this property should be set to the full UTF-8 encoded path of the key, prefixed with the string "file://" and ending with a terminating NUL byte. When using PKCS#12 format private keys and the blob scheme, this property should be set to the PKCS#12 data and the #NMSetting8021x:private-key-password property must be set to the password used to decrypt the PKCS#12 certificate and key. When using PKCS#12 files and the path scheme, this property should be set to the full UTF-8 encoded path of the key, prefixed with the string "file://" and ending with a terminating NUL byte, and as with the blob scheme the "private-key-password" property must be set to the password used to decode the PKCS#12 private key and certificate.
Setting this property directly is discouraged; use the nm_setting_802_1x_set_private_key() function instead.
WARNING: #NMSetting8021x:private-key is not a "secret" property, and thus unencrypted private key data using the BLOB scheme may be readable by unprivileged users. Private keys should always be encrypted with a private key password to prevent unauthorized access to unencrypted private key data.
The password used to decrypt the private key specified in the #NMSetting8021x:private-key property when the private key either uses the path scheme, or if the private key is a PKCS#12 format key. Setting this property directly is not generally necessary except when returning secrets to NetworkManager; it is generally set automatically when setting the private key by the nm_setting_802_1x_set_private_key() function.
Flags indicating how to handle the #NMSetting8021x:private-key-password property.
Substring to be matched against the subject of the certificate presented by the authentication server. When unset, no verification of the authentication server certificate's subject is performed. This property provides little security, if any, and its use is deprecated in favor of NMSetting8021x:domain-suffix-match.
When %TRUE, overrides the #NMSetting8021x:ca-path and #NMSetting8021x:phase2-ca-path properties using the system CA directory specified at configure time with the --system-ca-path switch. The certificates in this directory are added to the verification chain in addition to any certificates specified by the #NMSetting8021x:ca-cert and #NMSetting8021x:phase2-ca-cert properties. If the path provided with --system-ca-path is instead a file name (a bundle of trusted CA certificates), it overrides the #NMSetting8021x:ca-cert and #NMSetting8021x:phase2-ca-cert properties instead (sets the ca_cert/ca_cert2 options for wpa_supplicant).
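Added example (not part of the NetworkManager documentation): a Python audit of the [802-1x] group of a keyfile profile for the weak settings the property descriptions above call out: no CA trust anchor, no server-name constraint, use of the deprecated subject-match, unauthenticated EAP-FAST provisioning, and a private key with no password. It assumes keyfile keys carry the same names as the properties above and checks only the outer ("phase 1") settings; the check IDs, sample profiles and secret-flag bit values (0x1 agent-owned, 0x2 not-saved) are not taken from this page.

```python
import configparser

# EAP methods from this page that run a TLS session with the authentication server.
TLS_BASED = {"tls", "peap", "ttls", "fast"}
# Properties that constrain which server name the certificate must carry.
NAME_CONSTRAINTS = ("domain-suffix-match", "domain-match", "altsubject-matches")


def _items(value):
    """Split a ';' delimited keyfile list value."""
    return [v.strip().lower() for v in value.split(";") if v.strip()]


def audit_8021x(keyfile_text):
    """Return a list of (check_id, message) for the [802-1x] group of a keyfile."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.read_string(keyfile_text)
    if not cp.has_section("802-1x"):
        return []
    s = cp["802-1x"]
    findings = []

    if set(_items(s.get("eap", ""))) & TLS_BASED:
        anchored = (bool(s.get("ca-cert") or s.get("ca-path"))
                    or s.getboolean("system-ca-certs", fallback=False))
        if not anchored:
            findings.append(("no-trust-anchor",
                             "no ca-cert, ca-path or system-ca-certs: server certificate "
                             "cannot be verified (man-in-the-middle risk)"))
        if not any(s.get(k) for k in NAME_CONSTRAINTS):
            findings.append(("no-name-constraint",
                             "no domain-suffix-match, domain-match or altsubject-matches: "
                             "the server name in the certificate is not checked"))

    if s.get("subject-match"):
        findings.append(("subject-match-deprecated",
                         "subject-match is a substring test; use domain-suffix-match"))

    if s.get("phase1-fast-provisioning", "0").strip() in ("1", "3"):
        findings.append(("fast-unauth-provisioning",
                         "phase1-fast-provisioning allows unauthenticated provisioning"))

    # Heuristic: a key with no stored password and no agent/not-saved flag
    # is probably not encrypted with a private key password.
    if s.get("private-key") and not s.get("private-key-password"):
        flags = int(s.get("private-key-password-flags", "0"))
        if (flags & 0x3) == 0:
            findings.append(("private-key-unprotected",
                             "private-key has no password stored or delegated to an agent"))
    return findings


def finding_ids(keyfile_text):
    return [check_id for check_id, _ in audit_8021x(keyfile_text)]


# Constructed sample profiles (reserved example names and paths).
WEAK = """
[connection]
id=corp-wifi
type=wifi

[802-1x]
eap=peap;
identity=alice
phase2-auth=mschapv2
password-flags=1
subject-match=radius.example.com
"""

FAST = """
[802-1x]
eap=fast;
identity=alice
ca-cert=/etc/pki/example/radius-ca.pem
domain-suffix-match=radius.example.com
phase1-fast-provisioning=3
"""

HARDENED = """
[802-1x]
eap=tls;
identity=host/laptop.example.com
ca-cert=/etc/pki/example/radius-ca.pem
domain-suffix-match=radius.example.com
client-cert=/etc/pki/example/laptop.pem
private-key=/etc/pki/example/laptop.key
private-key-password-flags=1
"""

if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("FAST", FAST), ("HARDENED", HARDENED)):
        print(name, finding_ids(text))
```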
Adds an allowed alternate subject name match. Until at least one match is added, the altSubjectName of the remote authentication server is not verified.
the altSubjectName to allow for this connection
Adds an allowed EAP method. The setting is not valid until at least one EAP method has been added. See #NMSetting8021x:eap property for a list of allowed EAP methods.
the name of the EAP method to allow for this connection
Adds an allowed alternate subject name match for "phase 2". Until at least one match is added, the altSubjectName of the "phase 2" remote authentication server is not verified.
the "phase 2" altSubjectName to allow for this connection
Creates a binding between source_property on source and target_property on target.
Whenever the source_property is changed the target_property is updated using the same value. For instance:
g_object_bind_property (action, "active", widget, "sensitive", 0);
Will result in the "sensitive" property of the widget #GObject instance to be updated with the same value of the "active" property of the action #GObject instance.
If flags contains %G_BINDING_BIDIRECTIONAL then the binding will be mutual: if target_property on target changes then the source_property on source will be updated as well.
The binding will automatically be removed when either the source or the target instances are finalized. To remove the binding without affecting the source and the target you can just call g_object_unref() on the returned #GBinding instance.
Removing the binding by calling g_object_unref() on it must only be done if the binding, source and target are only used from a single thread and it is clear that both source and target outlive the binding. Especially it is not safe to rely on this if the binding, source or target can be finalized from different threads. Keep another reference to the binding and use g_binding_unbind() instead to be on the safe side.
A #GObject can have multiple bindings.
the property on source to bind
the target #GObject
the property on target to bind
flags to pass to #GBinding
Creates a binding between source_property on source and target_property on target, allowing you to set the transformation functions to be used by the binding.
This function is the language bindings friendly version of g_object_bind_property_full(), using #GClosures instead of function pointers.
the property on source to bind
the target #GObject
the property on target to bind
flags to pass to #GBinding
a #GClosure wrapping the transformation function from the source to the target, or %NULL to use the default
a #GClosure wrapping the transformation function from the target to the source, or %NULL to use the default
Clears all altSubjectName matches.
Clears all allowed EAP methods.
Clears all "phase 2" altSubjectName matches.
Compares two #NMSetting objects for similarity, with comparison behavior modified by a set of flags. See the documentation for #NMSettingCompareFlags for a description of each flag's behavior.
a second #NMSetting to compare with the first
compare flags, e.g. %NM_SETTING_COMPARE_FLAG_EXACT
Compares two #NMSetting objects for similarity, with comparison behavior modified by a set of flags. See the documentation for #NMSettingCompareFlags for a description of each flag's behavior. If the settings differ, the keys of each setting that differ from the other are added to results, mapped to one or more #NMSettingDiffResult values.
a second #NMSetting to compare with the first
compare flags, e.g. %NM_SETTING_COMPARE_FLAG_EXACT
this parameter is used internally by libnm and should be set to %FALSE. If %TRUE inverts the meaning of the #NMSettingDiffResult.
if the settings differ, on return a hash table mapping the differing keys to one or more %NMSettingDiffResult values OR-ed together. If the settings do not differ, any hash table passed in is unmodified. If no hash table is passed in and the settings differ, a new one is created and returned.
Iterates over each property of the #NMSetting object, calling the supplied user function for each property.
user-supplied function called for each property of the setting
This function is intended for #GObject implementations to re-enforce a floating object reference. Doing this is seldom required: all #GInitiallyUnowneds are created with a floating reference which usually just needs to be sunken by calling g_object_ref_sink().
Increases the freeze count on object. If the freeze count is non-zero, the emission of "notify" signals on object is stopped. The signals are queued until the freeze count is decreased to zero. Duplicate notifications are squashed so that at most one #GObject::notify signal is emitted for each property modified while the object is frozen.
This is necessary for accessors that modify multiple properties to prevent premature notification while the object is still being modified.
Returns the altSubjectName match at index i.
the zero-based index of the array of altSubjectName matches
Returns the anonymous identifier used by some EAP methods (like TTLS) to authenticate the user in the outer unencrypted "phase 1" authentication. The inner "phase 2" authentication will use the #NMSetting8021x:identity in a secure form, if applicable for that EAP method.
Returns the value contained in the #NMSetting8021x:auth-timeout property.
Returns the CA certificate blob if the CA certificate is stored using the %NM_SETTING_802_1X_CK_SCHEME_BLOB scheme. Not all EAP methods use a CA certificate (LEAP for example), and those that can take advantage of the CA certificate allow it to be unset. Note that lack of a CA certificate reduces security by allowing man-in-the-middle attacks, because the identity of the network cannot be confirmed by the client.
Returns the CA certificate path if the CA certificate is stored using the %NM_SETTING_802_1X_CK_SCHEME_PATH scheme. Not all EAP methods use a CA certificate (LEAP for example), and those that can take advantage of the CA certificate allow it to be unset. Note that lack of a CA certificate reduces security by allowing man-in-the-middle attacks, because the identity of the network cannot be confirmed by the client.
Returns the scheme used to store the CA certificate. If the returned scheme is %NM_SETTING_802_1X_CK_SCHEME_BLOB, use nm_setting_802_1x_get_ca_cert_blob(); if %NM_SETTING_802_1X_CK_SCHEME_PATH, use nm_setting_802_1x_get_ca_cert_path(); if %NM_SETTING_802_1X_CK_SCHEME_PKCS11, use nm_setting_802_1x_get_ca_cert_uri().
Returns the CA certificate URI analogously to nm_setting_802_1x_get_ca_cert_blob() and nm_setting_802_1x_get_ca_cert_path().
Currently, it's limited to PKCS#11 URIs ('pkcs11' scheme as defined by RFC 7512), but may be extended to other schemes in future (such as 'file' URIs for local files and 'data' URIs for inline certificate data).
Returns the path of the CA certificate directory if previously set. Systems will often have a directory that contains multiple individual CA certificates which the supplicant can then add to the verification chain. This may be used in addition to the #NMSetting8021x:ca-cert property to add more CA certificates for verifying the network to client.
Client certificates are used to identify the connecting client to the network when EAP-TLS is used as either the "phase 1" or "phase 2" 802.1x authentication method.
Client certificates are used to identify the connecting client to the network when EAP-TLS is used as either the "phase 1" or "phase 2" 802.1x authentication method.
Returns the scheme used to store the client certificate. If the returned scheme is %NM_SETTING_802_1X_CK_SCHEME_BLOB, use nm_setting_802_1x_get_client_cert_blob(); if %NM_SETTING_802_1X_CK_SCHEME_PATH, use nm_setting_802_1x_get_client_cert_path(); if %NM_SETTING_802_1X_CK_SCHEME_PKCS11, use nm_setting_802_1x_get_client_cert_uri().
Returns the client certificate URI analogously to nm_setting_802_1x_get_client_cert_blob() and nm_setting_802_1x_get_client_cert_path().
Currently, it's limited to PKCS#11 URIs ('pkcs11' scheme as defined by RFC 7512), but may be extended to other schemes in future (such as 'file' URIs for local files and 'data' URIs for inline certificate data).
Gets a named field from the objects table of associations (see g_object_set_data()).
name of the key for that association
Gets the D-Bus marshalling type of a property. property_name is a D-Bus property name, which may not necessarily be a #GObject property.
the property of setting to get the type of
Returns the name of the allowed EAP method at index i.
the index of the EAP method name to return
Returns the identifier used by some EAP methods (like TLS) to authenticate the user. Often this is a username or login name.
Returns the type name of the #NMSetting object
Returns the number of entries in the #NMSetting8021x:altsubject-matches property of this setting.
Returns the number of EAP methods allowed for use when connecting to the network. Generally only one EAP method is used. Use the functions nm_setting_802_1x_get_eap_method(), nm_setting_802_1x_add_eap_method(), and nm_setting_802_1x_remove_eap_method() for adding, removing, and retrieving allowed EAP methods.
Returns the number of entries in the #NMSetting8021x:phase2-altsubject-matches property of this setting.
Returns the value contained in the #NMSetting8021x:optional property.
Returns the file containing PAC credentials used by EAP-FAST method.
Returns the "phase 2" altSubjectName match at index i.
the zero-based index of the array of "phase 2" altSubjectName matches
Returns the "phase 2" CA certificate blob if the CA certificate is stored using the %NM_SETTING_802_1X_CK_SCHEME_BLOB scheme. Not all EAP methods use a CA certificate (LEAP for example), and those that can take advantage of the CA certificate allow it to be unset. Note that lack of a CA certificate reduces security by allowing man-in-the-middle attacks, because the identity of the network cannot be confirmed by the client.
Returns the "phase 2" CA certificate path if the CA certificate is stored using the %NM_SETTING_802_1X_CK_SCHEME_PATH scheme. Not all EAP methods use a CA certificate (LEAP for example), and those that can take advantage of the CA certificate allow it to be unset. Note that lack of a CA certificate reduces security by allowing man-in-the-middle attacks, because the identity of the network cannot be confirmed by the client.
Returns the scheme used to store the "phase 2" CA certificate. If the returned scheme is %NM_SETTING_802_1X_CK_SCHEME_BLOB, use nm_setting_802_1x_get_ca_cert_blob(); if %NM_SETTING_802_1X_CK_SCHEME_PATH, use nm_setting_802_1x_get_ca_cert_path(); if %NM_SETTING_802_1X_CK_SCHEME_PKCS11, use nm_setting_802_1x_get_ca_cert_uri().
Returns the "phase 2" CA certificate URI analogously to nm_setting_802_1x_get_phase2_ca_cert_blob() and nm_setting_802_1x_get_phase2_ca_cert_path().
Currently, it's limited to PKCS#11 URIs ('pkcs11' scheme as defined by RFC 7512), but may be extended to other schemes in future (such as 'file' URIs for local files and 'data' URIs for inline certificate data).
Returns the path of the "phase 2" CA certificate directory if previously set. Systems will often have a directory that contains multiple individual CA certificates which the supplicant can then add to the verification chain. This may be used in addition to the #NMSetting8021x:phase2-ca-cert property to add more CA certificates for verifying the network to client.
Client certificates are used to identify the connecting client to the network when EAP-TLS is used as either the "phase 1" or "phase 2" 802.1x authentication method.
Client certificates are used to identify the connecting client to the network when EAP-TLS is used as either the "phase 1" or "phase 2" 802.1x authentication method.
Returns the scheme used to store the "phase 2" client certificate. If the returned scheme is %NM_SETTING_802_1X_CK_SCHEME_BLOB, use nm_setting_802_1x_get_client_cert_blob(); if %NM_SETTING_802_1X_CK_SCHEME_PATH, use nm_setting_802_1x_get_client_cert_path(); if %NM_SETTING_802_1X_CK_SCHEME_PKCS11, use nm_setting_802_1x_get_client_cert_uri().
Returns the "phase 2" client certificate URI analogously to nm_setting_802_1x_get_phase2_ca_cert_blob() and nm_setting_802_1x_get_phase2_ca_cert_path().
Currently, it's limited to PKCS#11 URIs ('pkcs11' scheme as defined by RFC 7512), but may be extended to other schemes in future (such as 'file' URIs for local files and 'data' URIs for inline certificate data).
Private keys are used to authenticate the connecting client to the network when EAP-TLS is used as either the "phase 1" or "phase 2" 802.1x authentication method.
WARNING: the phase2 private key property is not a "secret" property, and thus unencrypted private key data may be readable by unprivileged users. Private keys should always be encrypted with a private key password.
Private keys are used to authenticate the connecting client to the network when EAP-TLS is used as either the "phase 1" or "phase 2" 802.1x authentication method.
Returns the scheme used to store the "phase 2" private key. If the returned scheme is %NM_SETTING_802_1X_CK_SCHEME_BLOB, use nm_setting_802_1x_get_client_cert_blob(); if %NM_SETTING_802_1X_CK_SCHEME_PATH, use nm_setting_802_1x_get_client_cert_path(); if %NM_SETTING_802_1X_CK_SCHEME_PKCS11, use nm_setting_802_1x_get_client_cert_uri().
Returns the "phase 2" private key URI analogously to nm_setting_802_1x_get_phase2_private_key_blob() and nm_setting_802_1x_get_phase2_private_key_path().
Currently, it's limited to PKCS#11 URIs ('pkcs11' scheme as defined by RFC 7512), but may be extended to other schemes in future (such as 'file' URIs for local files and 'data' URIs for inline certificate data).
Private keys are used to authenticate the connecting client to the network when EAP-TLS is used as either the "phase 1" or "phase 2" 802.1x authentication method.
WARNING: the private key property is not a "secret" property, and thus unencrypted private key data may be readable by unprivileged users. Private keys should always be encrypted with a private key password.
Private keys are used to authenticate the connecting client to the network when EAP-TLS is used as either the "phase 1" or "phase 2" 802.1x authentication method.
Returns the scheme used to store the private key. If the returned scheme is %NM_SETTING_802_1X_CK_SCHEME_BLOB, use nm_setting_802_1x_get_client_cert_blob(); if %NM_SETTING_802_1X_CK_SCHEME_PATH, use nm_setting_802_1x_get_client_cert_path(); if %NM_SETTING_802_1X_CK_SCHEME_PKCS11, use nm_setting_802_1x_get_client_cert_uri().
Returns the private key URI analogously to nm_setting_802_1x_get_private_key_blob() and nm_setting_802_1x_get_private_key_path().
Currently, it's limited to PKCS#11 URIs ('pkcs11' scheme as defined by RFC 7512), but may be extended to other schemes in future (such as 'file' URIs for local files and 'data' URIs for inline certificate data).
Gets a property of an object.
The value can be:
In general, a copy is made of the property contents and the caller is responsible for freeing the memory by calling g_value_unset().
Note that g_object_get_property() is really intended for language bindings, g_object_get() is much more convenient for C programming.
the name of the property to get
return location for the property value
This function gets back user data pointers stored via g_object_set_qdata().
A #GQuark, naming the user data pointer
For a given secret, retrieves the #NMSettingSecretFlags describing how to handle that secret.
the secret key name to get flags for
on success, the #NMSettingSecretFlags for the secret
Sets the #NMSetting8021x:system-ca-certs property. The #NMSetting8021x:ca-path and #NMSetting8021x:phase2-ca-path properties are ignored if the #NMSetting8021x:system-ca-certs property is %TRUE, in which case a system-wide CA certificate directory specified at compile time (using the --system-ca-path configure option) is used in place of these properties.
Gets n_properties properties for an object. Obtained properties will be set to values. All properties must be valid. Warnings will be emitted and undefined behaviour may result if invalid properties are passed in.
the names of each property to get
the values of each property to get
Checks whether object has a [floating][floating-ref] reference.
Emits a "notify" signal for the property property_name on object.
When possible, e.g. when signaling a property change from within the class that registered the property, you should use g_object_notify_by_pspec() instead.
Note that emission of the notify signal may be blocked with g_object_freeze_notify(). In this case, the signal emissions are queued and will be emitted (in reverse order) when g_object_thaw_notify() is called.
the name of a property installed on the class of object.
Emits a "notify" signal for the property specified by pspec on object.
This function omits the property name lookup, hence it is faster than g_object_notify().
One way to avoid using g_object_notify() from within the class that registered the properties, and using g_object_notify_by_pspec() instead, is to store the GParamSpec used with g_object_class_install_property() inside a static array, e.g.:
    enum
    {
      PROP_0,
      PROP_FOO,
      PROP_LAST
    };

    static GParamSpec *properties[PROP_LAST];

    static void
    my_object_class_init (MyObjectClass *klass)
    {
      GObjectClass *gobject_class = G_OBJECT_CLASS (klass);

      /* Keep the GParamSpec so it can be passed to g_object_notify_by_pspec() */
      properties[PROP_FOO] = g_param_spec_int ("foo", "Foo", "The foo",
                                               0, 100,
                                               50,
                                               G_PARAM_READWRITE);
      g_object_class_install_property (gobject_class,
                                       PROP_FOO,
                                       properties[PROP_FOO]);
    }

and then notify a change on the "foo" property with:

    g_object_notify_by_pspec (self, properties[PROP_FOO]);

the #GParamSpec of a property installed on the class of object.
Gives the name of all set options.
If variant is %NULL, this clears the option if it is set. Otherwise, variant is set as the option. If variant is a floating reference, it will be consumed.
Note that not all setting types support options. It is a bug to set a variant on a setting that doesn't support it. Currently, only #NMSettingEthtool supports it.
Like nm_setting_option_set() to set a boolean GVariant.
the value to set.
Like nm_setting_option_set() to set a uint32 GVariant.
the value to set.
Increase the reference count of object, and possibly remove the [floating][floating-ref] reference, if object has a floating reference.
In other words, if the object is floating, then this call "assumes ownership" of the floating reference, converting it to a normal reference by clearing the floating flag while leaving the reference count unchanged. If the object is not floating, then this call adds a new normal reference increasing the reference count by one.
Since GLib 2.56, the type of object will be propagated to the return type under the same conditions as for g_object_ref().
Removes the allowed altSubjectName at the specified index.
the index of the altSubjectName match to remove
Removes the allowed altSubjectName altsubject_match.
the altSubjectName to remove
Removes the allowed EAP method at the specified index.
the index of the EAP method to remove
Removes the allowed EAP method method.
the name of the EAP method to remove
Removes the allowed "phase 2" altSubjectName at the specified index.
the index of the "phase 2" altSubjectName match to remove
Removes the allowed "phase 2" altSubjectName phase2_altsubject_match.
the "phase 2" altSubjectName to remove
Releases all references to other objects. This can be used to break reference cycles.
This function should only be called from object system implementations.
Reads a certificate from disk and sets the #NMSetting8021x:ca-cert property with the raw certificate data if using the %NM_SETTING_802_1X_CK_SCHEME_BLOB scheme, or with the path to the certificate file if using the %NM_SETTING_802_1X_CK_SCHEME_PATH scheme.
when scheme is set to either %NM_SETTING_802_1X_CK_SCHEME_PATH or %NM_SETTING_802_1X_CK_SCHEME_BLOB, pass the path of the CA certificate file (PEM or DER format). The path must be UTF-8 encoded; use g_filename_to_utf8() to convert if needed. Passing %NULL with any scheme clears the CA certificate.
desired storage scheme for the certificate
on successful return, the type of the certificate added
Reads a certificate from disk and sets the #NMSetting8021x:client-cert property with the raw certificate data if using the %NM_SETTING_802_1X_CK_SCHEME_BLOB scheme, or with the path to the certificate file if using the %NM_SETTING_802_1X_CK_SCHEME_PATH scheme.
Client certificates are used to identify the connecting client to the network when EAP-TLS is used as either the "phase 1" or "phase 2" 802.1x authentication method.
when scheme is set to either %NM_SETTING_802_1X_CK_SCHEME_PATH or %NM_SETTING_802_1X_CK_SCHEME_BLOB, pass the path of the client certificate file (PEM, DER, or PKCS#12 format). The path must be UTF-8 encoded; use g_filename_to_utf8() to convert if needed. Passing %NULL with any scheme clears the client certificate.
desired storage scheme for the certificate
on successful return, the type of the certificate added
Each object carries around a table of associations from strings to pointers. This function lets you set an association.
If the object already had an association with that name, the old association will be destroyed.
Internally, the key is converted to a #GQuark using g_quark_from_string(). This means a copy of key is kept permanently (even after object has been finalized) — so it is recommended to only use a small, bounded set of values for key in your program, to avoid the #GQuark storage growing unbounded.
name of the key
data to associate with that key
Reads a certificate from disk and sets the #NMSetting8021x:phase2-ca-cert property with the raw certificate data if using the %NM_SETTING_802_1X_CK_SCHEME_BLOB scheme, or with the path to the certificate file if using the %NM_SETTING_802_1X_CK_SCHEME_PATH scheme.
when scheme is set to either %NM_SETTING_802_1X_CK_SCHEME_PATH or %NM_SETTING_802_1X_CK_SCHEME_BLOB, pass the path of the "phase2" CA certificate file (PEM or DER format). The path must be UTF-8 encoded; use g_filename_to_utf8() to convert if needed. Passing %NULL with any scheme clears the "phase2" CA certificate.
desired storage scheme for the certificate
on successful return, the type of the certificate added
Reads a certificate from disk and sets the #NMSetting8021x:phase2-client-cert property with the raw certificate data if using the %NM_SETTING_802_1X_CK_SCHEME_BLOB scheme, or with the path to the certificate file if using the %NM_SETTING_802_1X_CK_SCHEME_PATH scheme.
Client certificates are used to identify the connecting client to the network when EAP-TLS is used as either the "phase 1" or "phase 2" 802.1x authentication method.
when scheme is set to either %NM_SETTING_802_1X_CK_SCHEME_PATH or %NM_SETTING_802_1X_CK_SCHEME_BLOB, pass the path of the "phase2" client certificate file (PEM, DER, or PKCS#12 format). The path must be UTF-8 encoded; use g_filename_to_utf8() to convert if needed. Passing %NULL with any scheme clears the "phase2" client certificate.
desired storage scheme for the certificate
on successful return, the type of the certificate added
Private keys are used to authenticate the connecting client to the network when EAP-TLS is used as either the "phase 1" or "phase 2" 802.1x authentication method.
This function reads a private key from disk and sets the #NMSetting8021x:phase2-private-key property with the private key file data if using the %NM_SETTING_802_1X_CK_SCHEME_BLOB scheme, or with the path to the private key file if using the %NM_SETTING_802_1X_CK_SCHEME_PATH scheme.
If password is given, this function attempts to decrypt the private key to verify that password is correct, and if it is, updates the #NMSetting8021x:phase2-private-key-password property with the given password. If the decryption is unsuccessful, %FALSE is returned, error is set, and no internal data is changed. If no password is given, the private key is assumed to be valid, no decryption is performed, and the password may be set at a later time.
WARNING: the "phase2" private key property is not a "secret" property, and thus unencrypted private key data using the BLOB scheme may be readable by unprivileged users. Private keys should always be encrypted with a private key password to prevent unauthorized access to unencrypted private key data.
when scheme is set to either %NM_SETTING_802_1X_CK_SCHEME_PATH or %NM_SETTING_802_1X_CK_SCHEME_BLOB, pass the path of the "phase2" private key file (PEM, DER, or PKCS#12 format). The path must be UTF-8 encoded; use g_filename_to_utf8() to convert if needed. Passing %NULL with any scheme clears the private key.
password used to decrypt the private key, or %NULL if the password is unknown. If the password is given but fails to decrypt the private key, an error is returned.
desired storage scheme for the private key
on successful return, the type of the private key added
Private keys are used to authenticate the connecting client to the network when EAP-TLS is used as either the "phase 1" or "phase 2" 802.1x authentication method.
This function reads a private key from disk and sets the #NMSetting8021x:private-key property with the private key file data if using the %NM_SETTING_802_1X_CK_SCHEME_BLOB scheme, or with the path to the private key file if using the %NM_SETTING_802_1X_CK_SCHEME_PATH scheme.
If password is given, this function attempts to decrypt the private key to verify that password is correct, and if it is, updates the #NMSetting8021x:private-key-password property with the given password. If the decryption is unsuccessful, %FALSE is returned, error is set, and no internal data is changed. If no password is given, the private key is assumed to be valid, no decryption is performed, and the password may be set at a later time.
WARNING: the private key property is not a "secret" property, and thus unencrypted private key data using the BLOB scheme may be readable by unprivileged users. Private keys should always be encrypted with a private key password to prevent unauthorized access to unencrypted private key data.
when scheme is set to either %NM_SETTING_802_1X_CK_SCHEME_PATH or %NM_SETTING_802_1X_CK_SCHEME_BLOB, pass the path of the private key file (PEM, DER, or PKCS#12 format). The path must be UTF-8 encoded; use g_filename_to_utf8() to convert if needed. Passing %NULL with any scheme clears the private key.
password used to decrypt the private key, or %NULL if the password is unknown. If the password is given but fails to decrypt the private key, an error is returned.
desired storage scheme for the private key
on successful return, the type of the private key added
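The warning above means that a key loaded with the BLOB scheme is only as protected as its own encryption. As an added example (not part of libnm or of this reference), the following pre-flight check classifies key file contents before they are handed to nm_setting_802_1x_set_private_key(); the enum, the function names and the sample inputs are hypothetical, and DER or PKCS#12 data is reported as undetermined rather than guessed.

```c
#include <string.h>

/* Hypothetical result codes for this example; these are not libnm types. */
typedef enum {
    KEY_ENCRYPTED,    /* PEM armor or headers mark the key as password-protected */
    KEY_PLAINTEXT,    /* PEM private key with no encryption marker */
    KEY_UNDETERMINED  /* DER, PKCS#12, or no private key block found */
} key_protection;

/* Constructed sample inputs: the base64 bodies are placeholders, not real keys. */
static const char SAMPLE_PKCS8_ENC[] = "-----BEGIN ENCRYPTED PRIVATE KEY-----\n"
    "Q09OU1RSVUNURUQ=\n-----END ENCRYPTED PRIVATE KEY-----\n";
static const char SAMPLE_LEGACY_ENC[] =
    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,00000000000000000000000000000000\n\n"
    "Q09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n";
static const char SAMPLE_CERT_THEN_PLAIN_KEY[] =
    "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
    "-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n";

/* Bounded substring search: file contents are not NUL-terminated. */
static const char *find(const char *buf, size_t len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, needle, n) == 0)
            return buf + i;
    return NULL;
}

/* Classify the first private key block found in buf (a file may lead with certificates). */
key_protection classify_private_key(const char *buf, size_t len)
{
    const char *begin = find(buf, len, "-----BEGIN ");
    while (begin) {
        size_t rest = len - (size_t)(begin - buf);
        const char *eol = memchr(begin, '\n', rest);
        size_t line = eol ? (size_t)(eol - begin) : rest;
        if (find(begin, line, "PRIVATE KEY-----")) {
            /* PKCS#8 EncryptedPrivateKeyInfo has its own armor label. */
            if (find(begin, line, "BEGIN ENCRYPTED PRIVATE KEY"))
                return KEY_ENCRYPTED;
            /* Traditional OpenSSL PEM announces encryption in a header line. */
            const char *end = find(begin, rest, "-----END ");
            size_t block = end ? (size_t)(end - begin) : rest;
            return find(begin, block, "Proc-Type: 4,ENCRYPTED") ? KEY_ENCRYPTED : KEY_PLAINTEXT;
        }
        if (!eol) break;
        begin = find(eol, len - (size_t)(eol - buf), "-----BEGIN ");
    }
    return KEY_UNDETERMINED;
}

int main(void)
{
    /* Exit status 1 flags a plaintext key that should not be stored as a blob. */
    return classify_private_key(SAMPLE_CERT_THEN_PLAIN_KEY,
                                sizeof SAMPLE_CERT_THEN_PLAIN_KEY - 1) == KEY_PLAINTEXT;
}
```

A KEY_UNDETERMINED result is not a pass: for DER and PKCS#12 input, supplying the password to the setter remains the way to confirm the key decrypts.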
Sets a property on an object.
the name of the property to set
the value
For a given secret, stores the #NMSettingSecretFlags describing how to handle that secret.
the secret key name to set flags for
the #NMSettingSecretFlags for the secret
Remove a specified datum from the object's data associations, without invoking the association's destroy handler.
name of the key
This function gets back user data pointers stored via g_object_set_qdata() and removes the data from object without invoking its destroy() function (if any was set).
Usually, calling this function is only required to update user data pointers with a destroy notifier, for example:

    // destroy notifier; defined first so it is declared before use
    static void
    free_string_list (gpointer data)
    {
      GList *node, *list = data;

      for (node = list; node; node = node->next)
        g_free (node->data);
      g_list_free (list);
    }

    void
    object_add_to_user_list (GObject     *object,
                             const gchar *new_string)
    {
      // the quark, naming the object data
      GQuark quark_string_list = g_quark_from_static_string ("my-string-list");
      // retrieve the old string list
      GList *list = g_object_steal_qdata (object, quark_string_list);

      // prepend new string
      list = g_list_prepend (list, g_strdup (new_string));
      // this changed 'list', so we need to set it again
      g_object_set_qdata_full (object, quark_string_list, list, free_string_list);
    }

Using g_object_get_qdata() in the above example, instead of g_object_steal_qdata() would have left the destroy function set, and thus the partial string list would have been freed upon g_object_set_qdata_full().
A #GQuark, naming the user data pointer
Reverts the effect of a previous call to g_object_freeze_notify(). The freeze count is decreased on object and when it reaches zero, queued "notify" signals are emitted.
Duplicate notifications for each property are squashed so that at most one #GObject::notify signal is emitted for each property, in the reverse order in which they have been queued.
It is an error to call this function when the freeze count is zero.
Convert the setting (including secrets!) into a string. For debugging purposes ONLY, should NOT be used for serialization of the setting, or machine-parsed in any way. The output format is not guaranteed to be stable and may change at any time.
Decreases the reference count of object. When its reference count drops to 0, the object is finalized (i.e. its memory is freed).
If the pointer to the #GObject may be reused in future (for example, if it is an instance variable of another object), it is recommended to clear the pointer to %NULL rather than retain a dangling pointer to a potentially invalid #GObject instance. Use g_clear_object() for this.
Validates the setting. Each setting's properties have allowed values, and some are dependent on other values (hence the need for connection). The returned #GError contains information about which property of the setting failed validation, and in what way that property failed validation.
the #NMConnection that setting came from, or %NULL if setting is being verified in isolation.
Verifies the secrets in the setting. The returned #GError contains information about which secret of the setting failed validation, and in what way that secret failed validation. The secret validation is done separately from main setting validation, because in some cases connection failure is not desired just for the secrets.
the #NMConnection that setting came from, or %NULL if setting is being verified in isolation.
Emits a "notify" signal for the property property_name on object.
When possible, e.g. when signaling a property change from within the class that registered the property, you should use g_object_notify_by_pspec() instead.
Note that emission of the notify signal may be blocked with g_object_freeze_notify(). In this case, the signal emissions are queued and will be emitted (in reverse order) when g_object_thaw_notify() is called.
This function essentially limits the life time of the closure to the life time of the object. That is, when the object is finalized, the closure is invalidated by calling g_closure_invalidate() on it, in order to prevent invocations of the closure with a finalized (nonexisting) object. Also, g_object_ref() and g_object_unref() are added as marshal guards to the closure, to ensure that an extra reference count is held on object during invocation of the closure. Usually, this function will be called on closures that use this object as closure data.
#GClosure to watch
Determines and verifies the blob type. When setting certificate properties of NMSetting8021x, the blob type must not be UNKNOWN (or NULL).
the data pointer
the length of the data
Find the #GParamSpec with the given name for an interface. Generally, the interface vtable passed in as g_iface will be the default vtable from g_type_default_interface_ref(), or, if you know the interface has already been loaded, g_type_default_interface_peek().
any interface vtable for the interface, or the default vtable for the interface
name of a property to look up.
Add a property to an interface; this is only useful for interfaces that are added to GObject-derived types. Adding a property to an interface forces all objects classes with that interface to have a compatible property. The compatible property could be a newly created #GParamSpec, but normally g_object_class_override_property() will be used so that the object class only needs to provide an implementation and inherits the property description, default value, bounds, and so forth from the interface property.
This function is meant to be called from the interface's default vtable initialization function (the class_init member of #GTypeInfo). It must not be called after class_init has been called for any object types implementing this interface.
If pspec is a floating reference, it will be consumed.
any interface vtable for the interface, or the default vtable for the interface.
the #GParamSpec for the new property
Lists the properties of an interface. Generally, the interface vtable passed in as g_iface will be the default vtable from g_type_default_interface_ref(), or, if you know the interface has already been loaded, g_type_default_interface_peek().
any interface vtable for the interface, or the default vtable for the interface
Returns the #GType of the setting's class for a given setting name.
a setting name
Creates a new #NMSetting8021x object with default values.
Creates a new instance of a #GObject subtype and sets its properties.
Construction parameters (see %G_PARAM_CONSTRUCT, %G_PARAM_CONSTRUCT_ONLY) which are not explicitly specified are set to their default values.
the type id of the #GObject subtype to instantiate
an array of #GParameter
IEEE 802.1x Authentication Settings