apatard authored
There's no need to try to set the engine/engine2 parameters, they're automatically set.

Support tested with:
- eap-tls on libvirt/kvm virtual machine and real system
- wpa2-eap-peap-tls on real system. (TODO: setting test VM with mac80211_hwsim)

The certificate key is protected by tpm2. No pin.

Modifications done to libnm-core/nm-setting-8021x.c:
o verify_tls() to make sure that if engine_id/engine2_id are specified key_id/key2_id are specified too. If engine_id/engine2_id not specified, behaves as before.
o need_secrets_tls() modified to not look for a passphrase for a certificate if an engine id is set for phase 1 or phase 2.
o verify_ttls() to work in my phase 2 peap-tls case. Could have used a new function but was a little bit easier to adapt verify_ttls(). The function now checks:
  - we're using phase2 auth or autheap
  - there's an identity set
  - in case of ttls(), check that anonymous identity is set.

Example of 802-1x section for ethernet eap-tls case:

    [802-1x]
    ca-cert=/home/rtp/ca.pem
    client-cert=/home/rtp/tpm2/csr2/client-tpm-qemu.crt
    eap=tls;
    identity=nm-tpm2
    phase1-engine-id=tpm2tss
    phase1-key-id=/home/rtp/tpm2/csr2/pri_pub_blob.key

Signed-off-by: Arnaud Patard <apatard@hupstream.com>
c1a93f9f