[network-manager-applet/cert-paths: 8/8] core: update to work with certificate paths
- From: Dan Williams <dcbw src gnome org>
- To: svn-commits-list gnome org
- Cc:
- Subject: [network-manager-applet/cert-paths: 8/8] core: update to work with certificate paths
- Date: Wed, 16 Sep 2009 21:36:08 +0000 (UTC)
commit b16d8acaeaf3771c953439022300cca41865aaae
Author: Dan Williams <dcbw redhat com>
Date: Wed Sep 16 14:30:02 2009 -0700
core: update to work with certificate paths
Don't store the certificate/key paths in lookaside variables, just use
the normal key/value pairs in the 802.1x setting.
Since (for backwards compat) NM treats the private key as a secret, we
need to do a few odd things like retrieving the private key paths from
GConf when getting secrets from the keyring.
Also, since the private keys and certificate properties are byte arrays,
it's a slight bit more complicated to load/store them to GConf, requiring
a bit of indirection in read_one_setting_value_from_gconf() and
copy_one_setting_value_to_gconf(). Especially for
copy_one_setting_value_to_gconf() since the incoming certificate may
just be a byte array of the cert/key data from some older plugin or
settings service, and thus we need to copy that cert data to a file
on-disk and possibly re-encrypt a decrypted private key too.
src/applet-device-wifi.c | 3 -
src/applet-device-wired.c | 21 -
src/applet.c | 3 +
src/connection-editor/nm-connection-list.c | 15 +-
src/connection-editor/page-dsl.c | 16 -
src/connection-editor/page-mobile.c | 50 --
src/connection-editor/page-wired-security.c | 2 -
src/connection-editor/page-wireless-security.c | 1 -
src/gconf-helpers/gconf-helpers.c | 950 ++++++++++++------------
src/gconf-helpers/gconf-helpers.h | 36 +-
src/gconf-helpers/gconf-upgrade.c | 159 ++++
src/gconf-helpers/gconf-upgrade.h | 4 +
src/gconf-helpers/nma-gconf-connection.c | 233 ++++++-
src/gconf-helpers/nma-gconf-settings.c | 2 +
src/utils/utils.c | 136 ----
src/utils/utils.h | 4 -
src/wireless-dialog.c | 10 +-
src/wireless-security/eap-method-peap.c | 39 +-
src/wireless-security/eap-method-tls.c | 176 +++---
src/wireless-security/eap-method-ttls.c | 39 +-
src/wireless-security/eap-method.c | 31 +-
src/wireless-security/eap-method.h | 5 +-
22 files changed, 1038 insertions(+), 897 deletions(-)
---
diff --git a/src/applet-device-wifi.c b/src/applet-device-wifi.c
index 180337f..e6e105a 100644
--- a/src/applet-device-wifi.c
+++ b/src/applet-device-wifi.c
@@ -1485,10 +1485,7 @@ add_one_setting (GHashTable *settings,
g_return_val_if_fail (error != NULL, FALSE);
g_return_val_if_fail (*error == NULL, FALSE);
- utils_fill_connection_certs (connection);
secrets = nm_setting_to_hash (setting);
- utils_clear_filled_connection_certs (connection);
-
if (secrets) {
g_hash_table_insert (settings, g_strdup (nm_setting_get_name (setting)), secrets);
} else {
diff --git a/src/applet-device-wired.c b/src/applet-device-wired.c
index dc24051..e6212ab 100644
--- a/src/applet-device-wired.c
+++ b/src/applet-device-wired.c
@@ -389,24 +389,6 @@ pppoe_update_ui (NMConnection *connection, NMPppoeInfo *info)
s = nm_setting_pppoe_get_password (s_pppoe);
if (s)
gtk_entry_set_text (info->password_entry, s);
- else {
- GHashTable *secrets;
- GError *error = NULL;
- GValue *value;
-
- /* Grab password from keyring if possible */
- secrets = nm_gconf_get_keyring_items (connection,
- nm_setting_get_name (NM_SETTING (s_pppoe)),
- FALSE,
- &error);
- if (secrets) {
- value = g_hash_table_lookup (secrets, NM_SETTING_PPPOE_PASSWORD);
- if (value)
- gtk_entry_set_text (info->password_entry, g_value_get_string (value));
- g_hash_table_destroy (secrets);
- } else if (error)
- g_error_free (error);
- }
}
static NMPppoeInfo *
@@ -672,10 +654,7 @@ get_8021x_secrets_cb (GtkDialog *dialog,
goto done;
}
- utils_fill_connection_certs (NM_CONNECTION (connection));
secrets = nm_setting_to_hash (setting);
- utils_clear_filled_connection_certs (NM_CONNECTION (connection));
-
if (!secrets) {
g_set_error (&error,
NM_SETTINGS_INTERFACE_ERROR,
diff --git a/src/applet.c b/src/applet.c
index b354c68..f44e684 100644
--- a/src/applet.c
+++ b/src/applet.c
@@ -2192,6 +2192,9 @@ applet_settings_new_secrets_requested_cb (NMAGConfSettings *settings,
goto error;
}
+ // FIXME: get secrets locally and populate connection with previous secrets
+ // before asking user for other secrets
+
/* Let the device class handle secrets */
if (dclass->get_secrets (device, NM_SETTINGS_CONNECTION_INTERFACE (connection),
active_connection, setting_name, hints, callback,
diff --git a/src/connection-editor/nm-connection-list.c b/src/connection-editor/nm-connection-list.c
index 62d6bdf..ba2ff4b 100644
--- a/src/connection-editor/nm-connection-list.c
+++ b/src/connection-editor/nm-connection-list.c
@@ -332,9 +332,6 @@ delete_cb (NMSettingsConnectionInterface *connection_iface,
NMVpnPluginUiInterface *plugin;
GError *vpn_error = NULL;
- /* Clean up keyring keys */
- nm_gconf_clear_keyring_items (connection);
-
s_con = (NMSettingConnection *) nm_connection_get_setting (connection, NM_TYPE_SETTING_CONNECTION);
g_assert (s_con);
@@ -440,9 +437,7 @@ add_connection (NMConnectionList *self,
else
g_assert_not_reached ();
- utils_fill_connection_certs (connection);
nm_settings_interface_add_connection (settings, connection, add_cb, info);
- utils_clear_filled_connection_certs (connection);
}
/**********************************************/
@@ -543,10 +538,7 @@ update_connection (NMConnectionList *list,
* and private keys don't go through D-Bus; they are private of course!
*/
if (new_scope == NM_CONNECTION_SCOPE_SYSTEM) {
- utils_fill_connection_certs (NM_CONNECTION (connection));
new_settings = nm_connection_to_hash (NM_CONNECTION (connection));
- utils_clear_filled_connection_certs (NM_CONNECTION (connection));
-
if (!nm_connection_replace_settings (NM_CONNECTION (connection),
new_settings,
&error)) {
@@ -713,7 +705,6 @@ edit_done_cb (NMConnectionEditor *editor, gint response, GError *error, gpointer
const char *message = _("An unknown error ocurred.");
NMConnection *connection;
GError *edit_error = NULL;
- gboolean success;
connection = nm_connection_editor_get_connection (editor);
g_assert (connection);
@@ -721,11 +712,7 @@ edit_done_cb (NMConnectionEditor *editor, gint response, GError *error, gpointer
switch (response) {
case GTK_RESPONSE_OK:
/* Make sure the connection is valid */
- utils_fill_connection_certs (connection);
- success = nm_connection_verify (connection, &edit_error);
- utils_clear_filled_connection_certs (connection);
-
- if (success) {
+ if (nm_connection_verify (connection, &edit_error)) {
/* Save the connection to backing storage */
update_connection (info->list,
editor,
diff --git a/src/connection-editor/page-dsl.c b/src/connection-editor/page-dsl.c
index 0de10c6..92a49b9 100644
--- a/src/connection-editor/page-dsl.c
+++ b/src/connection-editor/page-dsl.c
@@ -75,22 +75,6 @@ populate_ui (CEPageDsl *self, NMConnection *connection)
/* Grab password from keyring if possible */
str = nm_setting_pppoe_get_password (setting);
- if (!str) {
- GError *error = NULL;
- GValue *value;
-
- secrets = nm_gconf_get_keyring_items (connection,
- nm_setting_get_name (NM_SETTING (setting)),
- FALSE,
- &error);
- if (secrets) {
- value = g_hash_table_lookup (secrets, NM_SETTING_PPPOE_PASSWORD);
- if (value)
- str = g_value_get_string (value);
- } else if (error)
- g_error_free (error);
- }
-
if (str)
gtk_entry_set_text (priv->password, str);
diff --git a/src/connection-editor/page-mobile.c b/src/connection-editor/page-mobile.c
index 1789765..43ec4d1 100644
--- a/src/connection-editor/page-mobile.c
+++ b/src/connection-editor/page-mobile.c
@@ -93,30 +93,12 @@ mobile_private_init (CEPageMobile *self)
priv->window_group = gtk_window_group_new ();
}
-static GHashTable *
-get_secrets (NMConnection *connection, const char *setting_name)
-{
- GError *error = NULL;
- GHashTable *secrets;
-
- secrets = nm_gconf_get_keyring_items (connection,
- setting_name,
- FALSE,
- &error);
- if (!secrets && error)
- g_error_free (error);
-
- return secrets;
-}
-
static void
populate_gsm_ui (CEPageMobile *self, NMConnection *connection)
{
CEPageMobilePrivate *priv = CE_PAGE_MOBILE_GET_PRIVATE (self);
NMSettingGsm *setting = NM_SETTING_GSM (priv->setting);
int type_idx;
- GHashTable *secrets;
- GValue *value;
GtkWidget *widget;
const char *s;
@@ -167,37 +149,17 @@ populate_gsm_ui (CEPageMobile *self, NMConnection *connection)
widget = glade_xml_get_widget (CE_PAGE (self)->xml, "band_label");
gtk_widget_hide (widget);
- secrets = get_secrets (connection, nm_setting_get_name (priv->setting));
-
s = nm_setting_gsm_get_password (setting);
if (s)
gtk_entry_set_text (priv->password, s);
- else if (secrets) {
- value = g_hash_table_lookup (secrets, NM_SETTING_GSM_PASSWORD);
- if (value)
- gtk_entry_set_text (priv->password, g_value_get_string (value));
- }
s = nm_setting_gsm_get_pin (setting);
if (s)
gtk_entry_set_text (priv->pin, s);
- else if (secrets) {
- value = g_hash_table_lookup (secrets, NM_SETTING_GSM_PIN);
- if (value)
- gtk_entry_set_text (priv->pin, g_value_get_string (value));
- }
s = nm_setting_gsm_get_puk (setting);
if (s)
gtk_entry_set_text (priv->pin, s);
- else if (secrets) {
- value = g_hash_table_lookup (secrets, NM_SETTING_GSM_PUK);
- if (value)
- gtk_entry_set_text (priv->puk, g_value_get_string (value));
- }
-
- if (secrets)
- g_hash_table_destroy (secrets);
}
static void
@@ -205,8 +167,6 @@ populate_cdma_ui (CEPageMobile *self, NMConnection *connection)
{
CEPageMobilePrivate *priv = CE_PAGE_MOBILE_GET_PRIVATE (self);
NMSettingCdma *setting = NM_SETTING_CDMA (priv->setting);
- GHashTable *secrets;
- GValue *value;
const char *s;
s = nm_setting_cdma_get_number (setting);
@@ -217,19 +177,9 @@ populate_cdma_ui (CEPageMobile *self, NMConnection *connection)
if (s)
gtk_entry_set_text (priv->username, s);
- secrets = get_secrets (connection, nm_setting_get_name (priv->setting));
-
s = nm_setting_cdma_get_password (setting);
if (s)
gtk_entry_set_text (priv->password, s);
- else if (secrets) {
- value = g_hash_table_lookup (secrets, NM_SETTING_CDMA_PASSWORD);
- if (value)
- gtk_entry_set_text (priv->password, g_value_get_string (value));
- }
-
- if (secrets)
- g_hash_table_destroy (secrets);
/* Hide GSM specific widgets */
gtk_widget_hide (glade_xml_get_widget (CE_PAGE (self)->xml, "mobile_basic_label"));
diff --git a/src/connection-editor/page-wired-security.c b/src/connection-editor/page-wired-security.c
index a1db027..492fbe7 100644
--- a/src/connection-editor/page-wired-security.c
+++ b/src/connection-editor/page-wired-security.c
@@ -150,14 +150,12 @@ validate (CEPage *page, NMConnection *connection, GError **error)
s_8021x = nm_connection_get_setting (tmp_connection, NM_TYPE_SETTING_802_1X);
nm_connection_add_setting (connection, NM_SETTING (g_object_ref (s_8021x)));
- nm_gconf_copy_private_connection_values (connection, tmp_connection);
g_object_unref (tmp_connection);
} else
g_set_error (error, 0, 0, "Invalid 802.1x security");
} else {
nm_connection_remove_setting (connection, NM_TYPE_SETTING_802_1X);
- nm_gconf_clear_private_connection_values (connection);
valid = TRUE;
}
diff --git a/src/connection-editor/page-wireless-security.c b/src/connection-editor/page-wireless-security.c
index 36aaa84..51a1a72 100644
--- a/src/connection-editor/page-wireless-security.c
+++ b/src/connection-editor/page-wireless-security.c
@@ -468,7 +468,6 @@ validate (CEPage *page, NMConnection *connection, GError **error)
g_object_set (s_wireless, NM_SETTING_WIRELESS_SEC, NULL, NULL);
nm_connection_remove_setting (connection, NM_TYPE_SETTING_WIRELESS_SECURITY);
nm_connection_remove_setting (connection, NM_TYPE_SETTING_802_1X);
- nm_gconf_clear_private_connection_values (connection);
valid = TRUE;
}
diff --git a/src/gconf-helpers/gconf-helpers.c b/src/gconf-helpers/gconf-helpers.c
index 3a8c2c1..a299ccc 100644
--- a/src/gconf-helpers/gconf-helpers.c
+++ b/src/gconf-helpers/gconf-helpers.c
@@ -17,7 +17,7 @@
* with this program; if not, write to the Free Software Foundation, Inc.,
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*
- * (C) Copyright 2005 - 2008 Red Hat, Inc.
+ * (C) Copyright 2005 - 2009 Red Hat, Inc.
*/
#include <string.h>
@@ -27,11 +27,15 @@
#include <netinet/ether.h>
#include <netinet/in.h>
#include <arpa/inet.h>
+#include <sys/stat.h>
+#include <unistd.h>
+
#include <gconf/gconf.h>
#include <gconf/gconf-client.h>
#include <glib.h>
#include <gnome-keyring.h>
#include <dbus/dbus-glib.h>
+
#include <nm-setting-bluetooth.h>
#include <nm-setting-connection.h>
#include <nm-setting-wired.h>
@@ -46,6 +50,7 @@
#include "gconf-helpers.h"
#include "gconf-upgrade.h"
#include "utils.h"
+#include "applet.h"
#define DBUS_TYPE_G_ARRAY_OF_OBJECT_PATH (dbus_g_type_get_collection ("GPtrArray", DBUS_TYPE_G_OBJECT_PATH))
#define DBUS_TYPE_G_ARRAY_OF_STRING (dbus_g_type_get_collection ("GPtrArray", G_TYPE_STRING))
@@ -61,7 +66,7 @@
#define DBUS_TYPE_G_IP6_ROUTE (dbus_g_type_get_struct ("GValueArray", DBUS_TYPE_G_UCHAR_ARRAY, G_TYPE_UINT, DBUS_TYPE_G_UCHAR_ARRAY, G_TYPE_UINT, G_TYPE_INVALID))
#define DBUS_TYPE_G_ARRAY_OF_IP6_ROUTE (dbus_g_type_get_collection ("GPtrArray", DBUS_TYPE_G_IP6_ROUTE))
-const char *applet_8021x_ignore_keys[] = {
+const char *applet_8021x_cert_keys[] = {
"ca-cert",
"client-cert",
"private-key",
@@ -87,7 +92,7 @@ nm_gconf_set_pre_keyring_callback (PreKeyringCallback func, gpointer user_data)
pre_keyring_user_data = user_data;
}
-static void
+void
pre_keyring_callback (void)
{
GnomeKeyringInfo *info = NULL;
@@ -1516,6 +1521,9 @@ nm_gconf_get_all_connections (GConfClient *client)
nm_gconf_migrate_0_7_autoconnect_default (client);
}
+ nm_gconf_migrate_0_7_ca_cert_ignore (client);
+ nm_gconf_migrate_0_7_certs (client);
+
connections = gconf_client_all_dirs (client, GCONF_PATH_CONNECTIONS, NULL);
if (!connections) {
nm_gconf_migrate_0_6_connections (client);
@@ -1566,6 +1574,8 @@ typedef struct ReadFromGConfInfo {
guint32 dir_len;
} ReadFromGConfInfo;
+#define FILE_TAG "file://"
+
static void
read_one_setting_value_from_gconf (NMSetting *setting,
const char *key,
@@ -1584,7 +1594,8 @@ read_one_setting_value_from_gconf (NMSetting *setting,
return;
/* Secrets don't get stored in GConf */
- if (flags & NM_SETTING_PARAM_SECRET)
+ if ( (flags & NM_SETTING_PARAM_SECRET)
+ && !(NM_IS_SETTING_802_1X (setting) && string_in_list (key, applet_8021x_cert_keys)))
return;
/* Don't read the NMSettingConnection object's 'read-only' property */
@@ -1597,15 +1608,32 @@ read_one_setting_value_from_gconf (NMSetting *setting,
/* Some keys (like certs) aren't read directly from GConf but are handled
* separately.
*/
- if (NM_IS_SETTING_802_1X (setting)) {
- if (string_in_list (key, applet_8021x_ignore_keys))
- return;
- } else if (NM_IS_SETTING_VPN (setting)) {
+ /* Some VPN keys are ignored */
+ if (NM_IS_SETTING_VPN (setting)) {
if (string_in_list (key, vpn_ignore_keys))
return;
}
- if (type == G_TYPE_STRING) {
+ if ( NM_IS_SETTING_802_1X (setting)
+ && string_in_list (key, applet_8021x_cert_keys)
+ && (type == DBUS_TYPE_G_UCHAR_ARRAY)) {
+ char *str_val = NULL;
+
+ /* Certificate/key paths are stored as paths in GConf, but we need to
+ * take that path and use the special functions to set them on the
+ * setting.
+ */
+ if (nm_gconf_get_string_helper (info->client, info->dir, key, setting_name, &str_val)) {
+ GByteArray *ba_val;
+
+ ba_val = g_byte_array_sized_new (strlen (FILE_TAG) + strlen (str_val) + 1);
+ g_byte_array_append (ba_val, (const guint8 *) FILE_TAG, strlen (FILE_TAG));
+ g_byte_array_append (ba_val, (const guint8 *) str_val, strlen (str_val) + 1); /* +1 for the trailing NULL */
+ g_object_set (setting, key, ba_val, NULL);
+ g_byte_array_free (ba_val, TRUE);
+ g_free (str_val);
+ }
+ } else if (type == G_TYPE_STRING) {
char *str_val = NULL;
if (nm_gconf_get_string_helper (info->client, info->dir, key, setting_name, &str_val)) {
@@ -1739,59 +1767,6 @@ read_one_setting_value_from_gconf (NMSetting *setting,
}
static void
-read_one_cert (ReadFromGConfInfo *info,
- const char *setting_name,
- const char *key)
-{
- char *value = NULL;
-
- if (!nm_gconf_get_string_helper (info->client, info->dir, key, setting_name, &value))
- return;
-
- g_object_set_data_full (G_OBJECT (info->connection),
- key, value,
- (GDestroyNotify) g_free);
-}
-
-static void
-read_applet_private_values_from_gconf (NMSetting *setting,
- ReadFromGConfInfo *info)
-{
- if (NM_IS_SETTING_802_1X (setting)) {
- const char *setting_name = nm_setting_get_name (setting);
- gboolean value;
-
- if (nm_gconf_get_bool_helper (info->client, info->dir,
- NMA_CA_CERT_IGNORE_TAG,
- setting_name, &value)) {
- g_object_set_data (G_OBJECT (info->connection),
- NMA_CA_CERT_IGNORE_TAG,
- GUINT_TO_POINTER (value));
- }
-
- if (nm_gconf_get_bool_helper (info->client, info->dir,
- NMA_PHASE2_CA_CERT_IGNORE_TAG,
- setting_name, &value)) {
- g_object_set_data (G_OBJECT (info->connection),
- NMA_PHASE2_CA_CERT_IGNORE_TAG,
- GUINT_TO_POINTER (value));
- }
-
- /* Binary certificate and key data doesn't get stored in GConf. Instead,
- * the path to the certificate gets stored in a special key and the
- * certificate is read and stuffed into the setting right before
- * the connection is sent to NM
- */
- read_one_cert (info, setting_name, NMA_PATH_CA_CERT_TAG);
- read_one_cert (info, setting_name, NMA_PATH_CLIENT_CERT_TAG);
- read_one_cert (info, setting_name, NMA_PATH_PRIVATE_KEY_TAG);
- read_one_cert (info, setting_name, NMA_PATH_PHASE2_CA_CERT_TAG);
- read_one_cert (info, setting_name, NMA_PATH_PHASE2_CLIENT_CERT_TAG);
- read_one_cert (info, setting_name, NMA_PATH_PHASE2_PRIVATE_KEY_TAG);
- }
-}
-
-static void
read_one_setting (gpointer data, gpointer user_data)
{
char *name;
@@ -1806,7 +1781,6 @@ read_one_setting (gpointer data, gpointer user_data)
nm_setting_enumerate_values (setting,
read_one_setting_value_from_gconf,
info);
- read_applet_private_values_from_gconf (setting, info);
nm_connection_add_setting (info->connection, setting);
}
@@ -1912,7 +1886,9 @@ write_one_secret_to_keyring (NMSetting *setting,
const char *secret;
const char *setting_name;
- if (!(flags & NM_SETTING_PARAM_SECRET))
+ /* non-secrets and private key paths don't get stored in the keyring */
+ if ( !(flags & NM_SETTING_PARAM_SECRET)
+ || (NM_IS_SETTING_802_1X (setting) && string_in_list (key, applet_8021x_cert_keys)))
return;
setting_name = nm_setting_get_name (setting);
@@ -1939,6 +1915,391 @@ write_one_secret_to_keyring (NMSetting *setting,
}
}
+static gboolean
+write_secret_file (const char *path,
+ const char *data,
+ gsize len,
+ GError **error)
+{
+ char *tmppath;
+ int fd = -1, written;
+ gboolean success = FALSE;
+
+ tmppath = g_malloc0 (strlen (path) + 10);
+ if (!tmppath) {
+ g_set_error (error, NM_SETTINGS_INTERFACE_ERROR, 0,
+ "Could not allocate memory for temporary file for '%s'",
+ path);
+ return FALSE;
+ }
+
+ memcpy (tmppath, path, strlen (path));
+ strcat (tmppath, ".XXXXXX");
+
+ errno = 0;
+ fd = mkstemp (tmppath);
+ if (fd < 0) {
+ g_set_error (error, NM_SETTINGS_INTERFACE_ERROR, 0,
+ "Could not create temporary file for '%s': %d",
+ path, errno);
+ goto out;
+ }
+
+ /* Only readable by root */
+ errno = 0;
+ if (fchmod (fd, S_IRUSR | S_IWUSR)) {
+ close (fd);
+ unlink (tmppath);
+ g_set_error (error, NM_SETTINGS_INTERFACE_ERROR, 0,
+ "Could not set permissions for temporary file '%s': %d",
+ path, errno);
+ goto out;
+ }
+
+ errno = 0;
+ written = write (fd, data, len);
+ if (written != len) {
+ close (fd);
+ unlink (tmppath);
+ g_set_error (error, NM_SETTINGS_INTERFACE_ERROR, 0,
+ "Could not write temporary file for '%s': %d",
+ path, errno);
+ goto out;
+ }
+ close (fd);
+
+ /* Try to rename */
+ errno = 0;
+ if (rename (tmppath, path)) {
+ unlink (tmppath);
+ g_set_error (error, NM_SETTINGS_INTERFACE_ERROR, 0,
+ "Could not rename temporary file to '%s': %d",
+ path, errno);
+ goto out;
+ }
+ success = TRUE;
+
+out:
+ return success;
+}
+
+typedef NMSetting8021xCKScheme (*SchemeFunc) (NMSetting8021x *setting);
+typedef const char * (*PathFunc) (NMSetting8021x *setting);
+typedef const GByteArray * (*BlobFunc) (NMSetting8021x *setting);
+typedef NMSetting8021xCKFormat (*FormatFunc) (NMSetting8021x *setting);
+typedef const char * (*PasswordFunc)(NMSetting8021x *setting);
+
+typedef struct ObjectType {
+ const char *setting_key;
+ gboolean p12_type;
+ SchemeFunc scheme_func;
+ PathFunc path_func;
+ BlobFunc blob_func;
+ FormatFunc format_func;
+ PasswordFunc password_func;
+ const char *privkey_password_key;
+ const char *suffix;
+} ObjectType;
+
+static const ObjectType ca_type = {
+ NM_SETTING_802_1X_CA_CERT,
+ FALSE,
+ nm_setting_802_1x_get_ca_cert_scheme,
+ nm_setting_802_1x_get_ca_cert_path,
+ nm_setting_802_1x_get_ca_cert_blob,
+ NULL,
+ NULL,
+ NULL,
+ "ca-cert.der"
+};
+
+static const ObjectType phase2_ca_type = {
+ NM_SETTING_802_1X_PHASE2_CA_CERT,
+ FALSE,
+ nm_setting_802_1x_get_phase2_ca_cert_scheme,
+ nm_setting_802_1x_get_phase2_ca_cert_path,
+ nm_setting_802_1x_get_phase2_ca_cert_blob,
+ NULL,
+ NULL,
+ NULL,
+ "inner-ca-cert.der"
+};
+
+static const ObjectType client_type = {
+ NM_SETTING_802_1X_CLIENT_CERT,
+ FALSE,
+ nm_setting_802_1x_get_client_cert_scheme,
+ nm_setting_802_1x_get_client_cert_path,
+ nm_setting_802_1x_get_client_cert_blob,
+ NULL,
+ NULL,
+ NULL,
+ "client-cert.der"
+};
+
+static const ObjectType phase2_client_type = {
+ NM_SETTING_802_1X_PHASE2_CLIENT_CERT,
+ FALSE,
+ nm_setting_802_1x_get_phase2_client_cert_scheme,
+ nm_setting_802_1x_get_phase2_client_cert_path,
+ nm_setting_802_1x_get_phase2_client_cert_blob,
+ NULL,
+ NULL,
+ NULL,
+ "inner-client-cert.der"
+};
+
+static const ObjectType pk_type = {
+ NM_SETTING_802_1X_PRIVATE_KEY,
+ FALSE,
+ nm_setting_802_1x_get_private_key_scheme,
+ nm_setting_802_1x_get_private_key_path,
+ nm_setting_802_1x_get_private_key_blob,
+ nm_setting_802_1x_get_private_key_format,
+ nm_setting_802_1x_get_private_key_password,
+ NM_SETTING_802_1X_PRIVATE_KEY_PASSWORD,
+ "private-key.pem"
+};
+
+static const ObjectType phase2_pk_type = {
+ NM_SETTING_802_1X_PHASE2_PRIVATE_KEY,
+ FALSE,
+ nm_setting_802_1x_get_phase2_private_key_scheme,
+ nm_setting_802_1x_get_phase2_private_key_path,
+ nm_setting_802_1x_get_phase2_private_key_blob,
+ nm_setting_802_1x_get_phase2_private_key_format,
+ nm_setting_802_1x_get_phase2_private_key_password,
+ NM_SETTING_802_1X_PHASE2_PRIVATE_KEY_PASSWORD,
+ "inner-private-key.pem"
+};
+
+static const ObjectType p12_type = {
+ NM_SETTING_802_1X_PRIVATE_KEY,
+ TRUE,
+ nm_setting_802_1x_get_private_key_scheme,
+ nm_setting_802_1x_get_private_key_path,
+ nm_setting_802_1x_get_private_key_blob,
+ nm_setting_802_1x_get_private_key_format,
+ nm_setting_802_1x_get_private_key_password,
+ NM_SETTING_802_1X_PRIVATE_KEY_PASSWORD,
+ "private-key.p12"
+};
+
+static const ObjectType phase2_p12_type = {
+ NM_SETTING_802_1X_PHASE2_PRIVATE_KEY,
+ TRUE,
+ nm_setting_802_1x_get_phase2_private_key_scheme,
+ nm_setting_802_1x_get_phase2_private_key_path,
+ nm_setting_802_1x_get_phase2_private_key_blob,
+ nm_setting_802_1x_get_phase2_private_key_format,
+ nm_setting_802_1x_get_phase2_private_key_password,
+ NM_SETTING_802_1X_PHASE2_PRIVATE_KEY_PASSWORD,
+ "inner-private-key.p12"
+};
+
+static char *
+generate_cert_path (const char *id, const char *suffix)
+{
+ return g_strdup_printf ("%s/.ssh/%s-%s", g_get_home_dir (), id, suffix);
+}
+
+static gboolean
+write_object (GConfClient *client,
+ const char *dir,
+ const char *id,
+ NMSetting8021x *s_8021x,
+ const GByteArray *override_data,
+ const ObjectType *objtype,
+ GError **error)
+{
+ NMSetting8021xCKScheme scheme;
+ const char *path = NULL;
+ const GByteArray *blob = NULL;
+ const char *setting_name = nm_setting_get_name (NM_SETTING (s_8021x));
+
+ g_return_val_if_fail (objtype != NULL, FALSE);
+
+ if (override_data) {
+ /* if given explicit data to save, always use that instead of asking
+ * the setting what to do.
+ */
+ blob = override_data;
+ } else {
+ scheme = (*(objtype->scheme_func))(s_8021x);
+ switch (scheme) {
+ case NM_SETTING_802_1X_CK_SCHEME_BLOB:
+ blob = (*(objtype->blob_func))(s_8021x);
+ break;
+ case NM_SETTING_802_1X_CK_SCHEME_PATH:
+ path = (*(objtype->path_func))(s_8021x);
+ break;
+ default:
+ break;
+ }
+ }
+
+ /* If certificate/private key wasn't sent, the connection may no longer be
+ * 802.1x and thus we clear out the paths and certs.
+ */
+ if (!path && !blob) {
+ char *standard_file;
+ int ignored;
+
+ /* Since no cert/private key is now being used, delete any standard file
+ * that was created for this connection, but leave other files alone.
+ * Thus, for example, ~/.ssh/My Company Network-ca-cert.der will be
+ * deleted, but /etc/pki/tls/cert.pem would not.
+ */
+ standard_file = generate_cert_path (id, objtype->suffix);
+ if (g_file_test (standard_file, G_FILE_TEST_EXISTS))
+ ignored = unlink (standard_file);
+ g_free (standard_file);
+
+ /* Delete the key from GConf */
+ nm_gconf_set_string_helper (client, dir, objtype->setting_key, setting_name, NULL);
+ return TRUE;
+ }
+
+ /* If the object path was specified, prefer that over any raw cert data that
+ * may have been sent.
+ */
+ if (path) {
+ nm_gconf_set_string_helper (client, dir, objtype->setting_key, setting_name, path);
+ return TRUE;
+ }
+
+ /* If it's raw certificate data, write the cert data out to the standard file */
+ if (blob) {
+ gboolean success;
+ char *new_file;
+ GError *write_error = NULL;
+
+ new_file = generate_cert_path (id, objtype->suffix);
+ if (!new_file) {
+ g_set_error (error, NM_SETTINGS_INTERFACE_ERROR, 0,
+ "Could not create file path for %s / %s",
+ setting_name, objtype->setting_key);
+ return FALSE;
+ }
+
+ /* Write the raw certificate data out to the standard file so that we
+ * can use paths from now on instead of pushing around the certificate
+ * data itself.
+ */
+ success = write_secret_file (new_file, (const char *) blob->data, blob->len, &write_error);
+ if (success) {
+ nm_gconf_set_string_helper (client, dir, objtype->setting_key, setting_name, new_file);
+ return TRUE;
+ } else {
+ g_set_error (error, NM_SETTINGS_INTERFACE_ERROR, 0,
+ "Could not write certificate/key for %s / %s: %s",
+ setting_name, objtype->setting_key,
+ (write_error && write_error->message) ? write_error->message : "(unknown)");
+ g_clear_error (&write_error);
+ }
+ g_free (new_file);
+ }
+
+ return FALSE;
+}
+
+static gboolean
+write_one_certificate (GConfClient *client,
+ const char *dir,
+ const char *key,
+ NMSetting8021x *s_8021x,
+ NMConnection *connection,
+ GError **error)
+{
+ const char *id;
+ NMSettingConnection *s_con;
+ const ObjectType *cert_objects[] = {
+ &ca_type,
+ &phase2_ca_type,
+ &client_type,
+ &phase2_client_type,
+ &pk_type,
+ &phase2_pk_type,
+ &p12_type,
+ &phase2_p12_type,
+ NULL
+ };
+ const ObjectType **obj = &cert_objects[0];
+ gboolean handled = FALSE, success = FALSE;
+
+ s_con = (NMSettingConnection *) nm_connection_get_setting (connection, NM_TYPE_SETTING_CONNECTION);
+ g_assert (s_con);
+ id = nm_setting_connection_get_id (s_con);
+ g_assert (id);
+
+ while (*obj && !handled) {
+ const GByteArray *blob = NULL;
+ GByteArray *enc_key = NULL;
+
+ if (strcmp (key, (*obj)->setting_key)) {
+ obj++;
+ continue;
+ }
+
+ /* Check for pkcs#12 format private keys; if the current ObjectType
+ * structure isn't for a pkcs#12 key but the key actually is
+ * pkcs#12, keep going to get the right pkcs#12 ObjectType.
+ */
+ if ( (*obj)->format_func
+ && ((*obj)->format_func (s_8021x) == NM_SETTING_802_1X_CK_FORMAT_PKCS12)
+ && !(*obj)->p12_type) {
+ obj++;
+ continue;
+ }
+
+ if ((*obj)->scheme_func (s_8021x) == NM_SETTING_802_1X_CK_SCHEME_BLOB)
+ blob = (*obj)->blob_func (s_8021x);
+
+ /* Only do the private key re-encrypt dance if we got the raw key data, which
+ * by definition will be unencrypted. If we're given a direct path to the
+ * private key file, it'll be encrypted, so we don't need to re-encrypt.
+ */
+ if (blob && !(*obj)->p12_type) {
+ const char *password;
+ char *generated_pw;
+
+ /* If the private key is an unencrypted blob, re-encrypt it with a
+ * random password since we don't store unencrypted private keys on disk.
+ */
+ password = (*obj)->password_func (s_8021x);
+
+ /* Encrypt the unencrypted private key */
+ enc_key = nm_utils_rsa_key_encrypt (blob, password, &generated_pw, error);
+ if (!enc_key)
+ goto out;
+
+ /* Save any generated private key back into the 802.1x setting so
+ * it'll get stored when secrets are written to the keyring.
+ */
+ if (generated_pw) {
+ g_object_set (G_OBJECT (s_8021x), (*obj)->privkey_password_key, generated_pw, NULL);
+ memset (generated_pw, 0, strlen (generated_pw));
+ g_free (generated_pw);
+ }
+ }
+
+ success = write_object (client, dir, id, s_8021x, enc_key ? enc_key : blob, *obj, error);
+ if (enc_key)
+ g_byte_array_free (enc_key, TRUE);
+
+ handled = TRUE;
+ }
+
+ if (!handled) {
+ g_set_error (error, NM_SETTINGS_INTERFACE_ERROR, 0,
+ "Unhandled certificate/private-key item '%s'",
+ key);
+ }
+
+out:
+ return success;
+}
+
static void
copy_one_setting_value_to_gconf (NMSetting *setting,
const char *key,
@@ -1951,19 +2312,19 @@ copy_one_setting_value_to_gconf (NMSetting *setting,
GType type = G_VALUE_TYPE (value);
GParamSpec *pspec;
- /* Some keys (like certs) aren't written directly to GConf but are handled
- * separately.
- */
- if (NM_IS_SETTING_802_1X (setting)) {
- if (string_in_list (key, applet_8021x_ignore_keys))
- return;
- } else if (NM_IS_SETTING_VPN (setting)) {
+ /* Some VPN keys are ignored */
+ if (NM_IS_SETTING_VPN (setting)) {
if (string_in_list (key, vpn_ignore_keys))
return;
}
- /* Secrets don't get stored in GConf */
- if (flags & NM_SETTING_PARAM_SECRET)
+ /* Secrets don't get stored in GConf; but the 802.1x private keys,
+ * which are marked secret for backwards compat, do get stored in
+ * GConf because as of NM 0.8, they are just paths and not the decrypted
+ * private key blobs.
+ */
+ if ( (flags & NM_SETTING_PARAM_SECRET)
+ && !(NM_IS_SETTING_802_1X (setting) && string_in_list (key, applet_8021x_cert_keys)))
return;
/* Don't write the NMSettingConnection object's 'read-only' property */
@@ -1987,7 +2348,24 @@ copy_one_setting_value_to_gconf (NMSetting *setting,
}
}
- if (type == G_TYPE_STRING) {
+ if ( NM_IS_SETTING_802_1X (setting)
+ && string_in_list (key, applet_8021x_cert_keys)
+ && (type == DBUS_TYPE_G_UCHAR_ARRAY)) {
+ GError *error = NULL;
+
+ if (!write_one_certificate (info->client,
+ info->dir,
+ key,
+ NM_SETTING_802_1X (setting),
+ info->connection,
+ &error)) {
+ g_warning ("%s: error saving certificate/private key '%s': (%d) %s",
+ __func__,
+ key,
+ error ? error->code : -1,
+ error && error->message ? error->message : "(unknown)");
+ }
+ } else if (type == G_TYPE_STRING) {
nm_gconf_set_string_helper (info->client, info->dir, key, setting_name, g_value_get_string (value));
} else if (type == G_TYPE_UINT) {
nm_gconf_set_int_helper (info->client, info->dir,
@@ -2065,95 +2443,6 @@ copy_one_setting_value_to_gconf (NMSetting *setting,
}
static void
-write_ignore_ca_cert_helper (CopyOneSettingValueInfo *info,
- const char *tag,
- const GByteArray *cert)
-{
- g_return_if_fail (info != NULL);
- g_return_if_fail (tag != NULL);
-
- if (cert) {
- char *key;
-
- key = g_strdup_printf ("%s/%s/%s", info->dir, NM_SETTING_802_1X_SETTING_NAME, tag);
- gconf_client_unset (info->client, key, NULL);
- g_free (key);
- } else {
- if (GPOINTER_TO_UINT (g_object_get_data (G_OBJECT (info->connection), tag)))
- nm_gconf_set_bool_helper (info->client, info->dir, tag, NM_SETTING_802_1X_SETTING_NAME, TRUE);
- }
-}
-
-static void
-write_one_private_string_value (CopyOneSettingValueInfo *info, const char *tag)
-{
- const char *value;
-
- g_return_if_fail (info != NULL);
- g_return_if_fail (tag != NULL);
-
- value = g_object_get_data (G_OBJECT (info->connection), tag);
- nm_gconf_set_string_helper (info->client, info->dir, tag,
- NM_SETTING_802_1X_SETTING_NAME,
- value);
-}
-
-static void
-write_one_password (CopyOneSettingValueInfo *info, const char *tag)
-{
- const char *value;
-
- g_return_if_fail (info != NULL);
- g_return_if_fail (tag != NULL);
-
- value = g_object_get_data (G_OBJECT (info->connection), tag);
- if (value) {
- nm_gconf_add_keyring_item (info->connection_uuid,
- info->connection_name,
- NM_SETTING_802_1X_SETTING_NAME,
- tag,
- value);
-
- /* Try not to leave the password lying around in memory */
- g_object_set_data (G_OBJECT (info->connection), tag, NULL);
- }
-}
-
-static void
-write_applet_private_values_to_gconf (CopyOneSettingValueInfo *info)
-{
- NMSetting8021x *s_8021x;
-
- g_return_if_fail (info != NULL);
-
- /* Handle values private to the applet that are not supposed to
- * be sent to NetworkManager.
- */
- s_8021x = NM_SETTING_802_1X (nm_connection_get_setting (info->connection, NM_TYPE_SETTING_802_1X));
- if (s_8021x) {
- write_ignore_ca_cert_helper (info, NMA_CA_CERT_IGNORE_TAG,
- nm_setting_802_1x_get_ca_cert (s_8021x));
- write_ignore_ca_cert_helper (info, NMA_PHASE2_CA_CERT_IGNORE_TAG,
- nm_setting_802_1x_get_phase2_ca_cert (s_8021x));
-
- /* Binary certificate and key data doesn't get stored in GConf. Instead,
- * the path to the certificate gets stored in a special key and the
- * certificate is read and stuffed into the setting right before
- * the connection is sent to NM
- */
- write_one_private_string_value (info, NMA_PATH_CA_CERT_TAG);
- write_one_private_string_value (info, NMA_PATH_CLIENT_CERT_TAG);
- write_one_private_string_value (info, NMA_PATH_PRIVATE_KEY_TAG);
- write_one_private_string_value (info, NMA_PATH_PHASE2_CA_CERT_TAG);
- write_one_private_string_value (info, NMA_PATH_PHASE2_CLIENT_CERT_TAG);
- write_one_private_string_value (info, NMA_PATH_PHASE2_PRIVATE_KEY_TAG);
-
- write_one_password (info, NMA_PRIVATE_KEY_PASSWORD_TAG);
- write_one_password (info, NMA_PHASE2_PRIVATE_KEY_PASSWORD_TAG);
- }
-}
-
-static void
remove_leftovers (CopyOneSettingValueInfo *info)
{
GSList *dirs;
@@ -2184,6 +2473,7 @@ nm_gconf_write_connection (NMConnection *connection,
{
NMSettingConnection *s_con;
CopyOneSettingValueInfo info;
+ gboolean ignore;
g_return_if_fail (NM_IS_CONNECTION (connection));
g_return_if_fail (client != NULL);
@@ -2208,326 +2498,58 @@ nm_gconf_write_connection (NMConnection *connection,
write_one_secret_to_keyring,
&info);
- write_applet_private_values_to_gconf (&info);
-}
-
-static GValue *
-string_to_gvalue (const char *str)
-{
- GValue *val;
-
- val = g_slice_new0 (GValue);
- g_value_init (val, G_TYPE_STRING);
- g_value_set_string (val, str);
-
- return val;
-}
-
-static GValue *
-byte_array_to_gvalue (const GByteArray *array)
-{
- GValue *val;
-
- val = g_slice_new0 (GValue);
- g_value_init (val, DBUS_TYPE_G_UCHAR_ARRAY);
- g_value_set_boxed (val, array);
-
- return val;
-}
-
-static void
-destroy_gvalue (gpointer data)
-{
- GValue *value = (GValue *) data;
+ /* Update ignore CA cert status */
+ ignore = GPOINTER_TO_UINT (g_object_get_data (G_OBJECT (connection), IGNORE_CA_CERT_TAG));
+ nm_gconf_set_ignore_ca_cert (info.connection_uuid, FALSE, ignore);
- g_value_unset (value);
- g_slice_free (GValue, value);
+ ignore = GPOINTER_TO_UINT (g_object_get_data (G_OBJECT (connection), IGNORE_PHASE2_CA_CERT_TAG));
+ nm_gconf_set_ignore_ca_cert (info.connection_uuid, TRUE, ignore);
}
-static gboolean
-get_one_private_key (NMConnection *connection,
- const char *setting_name,
- const char *tag,
- const char *password,
- gboolean include_password,
- GHashTable *secrets,
- GError **error)
+static char *
+get_ignore_path (const char *uuid, gboolean phase2)
{
- NMSettingConnection *s_con;
- GByteArray *array = NULL;
- const char *filename = NULL;
- const char *secret_name;
- const char *real_password_secret_name = NULL;
- gboolean success = FALSE;
- gboolean add_password = FALSE;
-
- g_return_val_if_fail (connection != NULL, FALSE);
- g_return_val_if_fail (tag != NULL, FALSE);
- g_return_val_if_fail (password != NULL, FALSE);
- g_return_val_if_fail (error != NULL, FALSE);
- g_return_val_if_fail (*error == NULL, FALSE);
-
- s_con = NM_SETTING_CONNECTION (nm_connection_get_setting (connection, NM_TYPE_SETTING_CONNECTION));
-
- if (!strcmp (tag, NMA_PRIVATE_KEY_PASSWORD_TAG)) {
- filename = g_object_get_data (G_OBJECT (connection), NMA_PATH_PRIVATE_KEY_TAG);
- secret_name = NM_SETTING_802_1X_PRIVATE_KEY;
- real_password_secret_name = NM_SETTING_802_1X_PRIVATE_KEY_PASSWORD;
- } else if (!strcmp (tag, NMA_PHASE2_PRIVATE_KEY_PASSWORD_TAG)) {
- filename = g_object_get_data (G_OBJECT (connection), NMA_PATH_PHASE2_PRIVATE_KEY_TAG);
- secret_name = NM_SETTING_802_1X_PHASE2_PRIVATE_KEY;
- real_password_secret_name = NM_SETTING_802_1X_PHASE2_PRIVATE_KEY_PASSWORD;
- } else {
- g_set_error (error,
- NM_SETTINGS_INTERFACE_ERROR,
- NM_SETTINGS_INTERFACE_ERROR_SECRETS_UNAVAILABLE,
- "%s.%d - %s/%s Unknown private key password type '%s'.",
- __FILE__, __LINE__, nm_setting_connection_get_id (s_con), setting_name, tag);
- return FALSE;
- }
-
- if (filename) {
- NMSetting8021x *setting;
- const GByteArray *tmp = NULL;
- NMSetting8021xCKType ck_type = NM_SETTING_802_1X_CK_TYPE_UNKNOWN;
-
- setting = (NMSetting8021x *) nm_setting_802_1x_new ();
- if (nm_setting_802_1x_set_private_key_from_file (setting, filename, password, &ck_type, error)) {
- /* For PKCS#12 files, which don't get decrypted, add the private key
- * password to the secrets hash.
- */
- if (ck_type == NM_SETTING_802_1X_CK_TYPE_PKCS12)
- add_password = TRUE;
-
- /* Steal the private key */
- tmp = nm_setting_802_1x_get_private_key (setting);
- g_assert (tmp);
- array = g_byte_array_sized_new (tmp->len);
- g_byte_array_append (array, tmp->data, tmp->len);
- }
- g_object_unref (setting);
- }
-
- if (*error) {
- goto out;
- } else if (!array || !array->len) {
- g_set_error (error,
- NM_SETTINGS_INTERFACE_ERROR,
- NM_SETTINGS_INTERFACE_ERROR_SECRETS_UNAVAILABLE,
- "%s.%d - %s/%s couldn't read private key.",
- __FILE__, __LINE__, nm_setting_connection_get_id (s_con), setting_name);
- goto out;
- }
-
- g_hash_table_insert (secrets, g_strdup (secret_name), byte_array_to_gvalue (array));
-
- if (include_password || add_password)
- g_hash_table_insert (secrets, g_strdup (real_password_secret_name), string_to_gvalue (password));
-
- success = TRUE;
-
-out:
- if (array) {
- /* Try not to leave the decrypted private key around in memory */
- memset (array->data, 0, array->len);
- g_byte_array_free (array, TRUE);
- }
- return success;
+ return g_strdup_printf (APPLET_PREFS_PATH "/%s/%s",
+ phase2 ? "ignore-phase2-ca-cert" : "ignore-ca-cert",
+ uuid);
}
-GHashTable *
-nm_gconf_get_keyring_items (NMConnection *connection,
- const char *setting_name,
- gboolean include_private_passwords,
- GError **error)
+gboolean
+nm_gconf_get_ignore_ca_cert (const char *uuid, gboolean phase2)
{
- NMSettingConnection *s_con;
- GHashTable *secrets;
- GList *found_list = NULL;
- GnomeKeyringResult ret;
- GList *iter;
- const char *connection_name;
-
- g_return_val_if_fail (connection != NULL, NULL);
- g_return_val_if_fail (setting_name != NULL, NULL);
- g_return_val_if_fail (error != NULL, NULL);
- g_return_val_if_fail (*error == NULL, NULL);
-
- s_con = NM_SETTING_CONNECTION (nm_connection_get_setting (connection, NM_TYPE_SETTING_CONNECTION));
- g_assert (s_con);
-
- connection_name = nm_setting_connection_get_id (s_con);
- g_assert (connection_name);
-
- pre_keyring_callback ();
-
- ret = gnome_keyring_find_itemsv_sync (GNOME_KEYRING_ITEM_GENERIC_SECRET,
- &found_list,
- KEYRING_UUID_TAG,
- GNOME_KEYRING_ATTRIBUTE_TYPE_STRING,
- nm_setting_connection_get_uuid (s_con),
- KEYRING_SN_TAG,
- GNOME_KEYRING_ATTRIBUTE_TYPE_STRING,
- setting_name,
- NULL);
- if ((ret != GNOME_KEYRING_RESULT_OK) || (g_list_length (found_list) == 0))
- return NULL;
-
- secrets = g_hash_table_new_full (g_str_hash, g_str_equal, g_free, destroy_gvalue);
-
- for (iter = found_list; iter != NULL; iter = g_list_next (iter)) {
- GnomeKeyringFound *found = (GnomeKeyringFound *) iter->data;
- int i;
- const char * key_name = NULL;
-
- for (i = 0; i < found->attributes->len; i++) {
- GnomeKeyringAttribute *attr;
-
- attr = &(gnome_keyring_attribute_list_index (found->attributes, i));
- if ( (strcmp (attr->name, "setting-key") == 0)
- && (attr->type == GNOME_KEYRING_ATTRIBUTE_TYPE_STRING)) {
- key_name = attr->value.string;
- break;
- }
- }
-
- if (key_name == NULL) {
- g_set_error (error,
- NM_SETTINGS_INTERFACE_ERROR,
- NM_SETTINGS_INTERFACE_ERROR_SECRETS_UNAVAILABLE,
- "%s.%d - Internal error; keyring item '%s/%s' didn't "
- "have a 'setting-key' attribute.",
- __FILE__, __LINE__, connection_name, setting_name);
- break;
- }
+ GConfClient *client;
+ char *key = NULL;
+ gboolean ignore = FALSE;
- if ( !strcmp (setting_name, NM_SETTING_802_1X_SETTING_NAME)
- && ( !strcmp (key_name, NMA_PRIVATE_KEY_PASSWORD_TAG)
- || !strcmp (key_name, NMA_PHASE2_PRIVATE_KEY_PASSWORD_TAG))) {
- /* Private key passwords aren't passed to NM for "traditional"
- * OpenSSL private keys, but are passed to NM for PKCS#12 keys.
- */
- if (!get_one_private_key (connection, setting_name, key_name,
- found->secret, include_private_passwords, secrets, error)) {
- if (!*error) {
- g_set_error (error,
- NM_SETTINGS_INTERFACE_ERROR,
- NM_SETTINGS_INTERFACE_ERROR_SECRETS_UNAVAILABLE,
- "%s.%d - %s/%s unknown error from get_one_private_key().",
- __FILE__, __LINE__, connection_name, setting_name);
- }
- break;
- }
- } else {
- /* Ignore older obsolete keyring keys that we don't want to leak
- * through to NM.
- */
- if ( strcmp (key_name, "private-key-passwd")
- && strcmp (key_name, "phase2-private-key-passwd")) {
- g_hash_table_insert (secrets,
- g_strdup (key_name),
- string_to_gvalue (found->secret));
- }
- }
- }
+ g_return_val_if_fail (uuid != NULL, FALSE);
- if (*error) {
- nm_warning ("%s: error reading secrets: (%d) %s", __func__,
- (*error)->code, (*error)->message);
- g_hash_table_destroy (secrets);
- secrets = NULL;
- }
+ client = gconf_client_get_default ();
- gnome_keyring_found_list_free (found_list);
- return secrets;
-}
+ key = get_ignore_path (uuid, phase2);
+ ignore = gconf_client_get_bool (client, key, NULL);
+ g_free (key);
-static void
-delete_done (GnomeKeyringResult result, gpointer user_data)
-{
+ g_object_unref (client);
+ return ignore;
}
void
-nm_gconf_clear_keyring_items (NMConnection *connection)
+nm_gconf_set_ignore_ca_cert (const char *uuid, gboolean phase2, gboolean ignore)
{
- NMSettingConnection *s_con;
- const char *uuid;
- GList *found_list = NULL;
- GnomeKeyringResult ret;
- GList *iter;
-
- g_return_if_fail (connection != NULL);
-
- s_con = (NMSettingConnection *) nm_connection_get_setting (connection, NM_TYPE_SETTING_CONNECTION);
- g_return_if_fail (s_con != NULL);
+ GConfClient *client;
+ char *key = NULL;
- uuid = nm_setting_connection_get_uuid (s_con);
g_return_if_fail (uuid != NULL);
- pre_keyring_callback ();
-
- ret = gnome_keyring_find_itemsv_sync (GNOME_KEYRING_ITEM_GENERIC_SECRET,
- &found_list,
- KEYRING_UUID_TAG,
- GNOME_KEYRING_ATTRIBUTE_TYPE_STRING,
- nm_setting_connection_get_uuid (s_con),
- NULL);
- if (ret == GNOME_KEYRING_RESULT_OK) {
- for (iter = found_list; iter != NULL; iter = g_list_next (iter)) {
- GnomeKeyringFound *found = (GnomeKeyringFound *) iter->data;
-
- gnome_keyring_item_delete (found->keyring,
- found->item_id,
- delete_done,
- NULL,
- NULL);
- }
- gnome_keyring_found_list_free (found_list);
- }
-}
-
-static inline void
-copy_str_item (NMConnection *dst, NMConnection *src, const char *tag)
-{
- g_object_set_data_full (G_OBJECT (dst), tag, g_strdup (g_object_get_data (G_OBJECT (src), tag)), g_free);
-}
+ client = gconf_client_get_default ();
-void
-nm_gconf_copy_private_connection_values (NMConnection *dst, NMConnection *src)
-{
- g_return_if_fail (NM_IS_CONNECTION (dst));
- g_return_if_fail (NM_IS_CONNECTION (src));
-
- g_object_set_data (G_OBJECT (dst), NMA_CA_CERT_IGNORE_TAG,
- g_object_get_data (G_OBJECT (src), NMA_CA_CERT_IGNORE_TAG));
- g_object_set_data (G_OBJECT (dst), NMA_PHASE2_CA_CERT_IGNORE_TAG,
- g_object_get_data (G_OBJECT (src), NMA_PHASE2_CA_CERT_IGNORE_TAG));
-
- copy_str_item (dst, src, NMA_PATH_CLIENT_CERT_TAG);
- copy_str_item (dst, src, NMA_PATH_PHASE2_CLIENT_CERT_TAG);
- copy_str_item (dst, src, NMA_PATH_CA_CERT_TAG);
- copy_str_item (dst, src, NMA_PATH_PHASE2_CA_CERT_TAG);
- copy_str_item (dst, src, NMA_PATH_PRIVATE_KEY_TAG);
- copy_str_item (dst, src, NMA_PRIVATE_KEY_PASSWORD_TAG);
- copy_str_item (dst, src, NMA_PATH_PHASE2_PRIVATE_KEY_TAG);
- copy_str_item (dst, src, NMA_PHASE2_PRIVATE_KEY_PASSWORD_TAG);
-}
-
-void
-nm_gconf_clear_private_connection_values (NMConnection *connection)
-{
- g_return_if_fail (NM_IS_CONNECTION (connection));
+ key = get_ignore_path (uuid, phase2);
+ if (ignore)
+ gconf_client_set_bool (client, key, ignore, NULL);
+ else
+ gconf_client_unset (client, key, NULL);
+ g_free (key);
- g_object_set_data (G_OBJECT (connection), NMA_CA_CERT_IGNORE_TAG, NULL);
- g_object_set_data (G_OBJECT (connection), NMA_PHASE2_CA_CERT_IGNORE_TAG, NULL);
-
- g_object_set_data (G_OBJECT (connection), NMA_PATH_CLIENT_CERT_TAG, NULL);
- g_object_set_data (G_OBJECT (connection), NMA_PATH_PHASE2_CLIENT_CERT_TAG, NULL);
- g_object_set_data (G_OBJECT (connection), NMA_PATH_CA_CERT_TAG, NULL);
- g_object_set_data (G_OBJECT (connection), NMA_PATH_PHASE2_CA_CERT_TAG, NULL);
- g_object_set_data (G_OBJECT (connection), NMA_PATH_PRIVATE_KEY_TAG, NULL);
- g_object_set_data (G_OBJECT (connection), NMA_PRIVATE_KEY_PASSWORD_TAG, NULL);
- g_object_set_data (G_OBJECT (connection), NMA_PATH_PHASE2_PRIVATE_KEY_TAG, NULL);
- g_object_set_data (G_OBJECT (connection), NMA_PHASE2_PRIVATE_KEY_PASSWORD_TAG, NULL);
+ g_object_unref (client);
}
diff --git a/src/gconf-helpers/gconf-helpers.h b/src/gconf-helpers/gconf-helpers.h
index 727115d..17d1ce8 100644
--- a/src/gconf-helpers/gconf-helpers.h
+++ b/src/gconf-helpers/gconf-helpers.h
@@ -27,6 +27,8 @@
#include <glib.h>
#include <nm-connection.h>
+#include "nma-gconf-connection.h"
+
#define GCONF_PATH_CONNECTIONS "/system/networking/connections"
/* The stamp is a mechanism for determining which applet version last
@@ -35,25 +37,8 @@
#define APPLET_CURRENT_STAMP 1
#define APPLET_PREFS_STAMP "/apps/nm-applet/stamp"
-
-/*
- * ATTENTION: Make sure to update nm_gconf_copy_private_connection_values()
- * and nm_gconf_clear_private_connection_values() when new tag is added!
- * Otherwise duplicating connection will not work correctly.
- */
-#define NMA_CA_CERT_IGNORE_TAG "nma-ca-cert-ignore"
-#define NMA_PHASE2_CA_CERT_IGNORE_TAG "nma-phase2-ca-cert-ignore"
-#define NMA_PATH_CLIENT_CERT_TAG "nma-path-client-cert"
-#define NMA_PATH_PHASE2_CLIENT_CERT_TAG "nma-path-phase2-client-cert"
-#define NMA_PATH_CA_CERT_TAG "nma-path-ca-cert"
-#define NMA_PATH_PHASE2_CA_CERT_TAG "nma-path-phase2-ca-cert"
-#define NMA_PATH_PRIVATE_KEY_TAG "nma-path-private-key"
-#define NMA_PRIVATE_KEY_PASSWORD_TAG "nma-private-key-password"
-#define NMA_PATH_PHASE2_PRIVATE_KEY_TAG "nma-path-phase2-private-key"
-#define NMA_PHASE2_PRIVATE_KEY_PASSWORD_TAG "nma-phase2-private-key-password"
-
-void nm_gconf_copy_private_connection_values (NMConnection *dst, NMConnection *src);
-void nm_gconf_clear_private_connection_values (NMConnection *connection);
+#define IGNORE_CA_CERT_TAG "ignore-ca-cert"
+#define IGNORE_PHASE2_CA_CERT_TAG "ignore-phase2-ca-cert"
#define KEYRING_UUID_TAG "connection-uuid"
#define KEYRING_SN_TAG "setting-name"
@@ -265,17 +250,12 @@ nm_gconf_add_keyring_item (const char *connection_uuid,
const char *setting_key,
const char *secret);
-GHashTable *
-nm_gconf_get_keyring_items (NMConnection *connection,
- const char *setting_name,
- gboolean include_private_passwords,
- GError **error);
-
-void
-nm_gconf_clear_keyring_items (NMConnection *connection);
-
typedef void (*PreKeyringCallback) (gpointer user_data);
void nm_gconf_set_pre_keyring_callback (PreKeyringCallback func, gpointer user_data);
+void pre_keyring_callback (void);
+
+gboolean nm_gconf_get_ignore_ca_cert (const char *uuid, gboolean phase2);
+void nm_gconf_set_ignore_ca_cert (const char *uuid, gboolean phase2, gboolean ignore);
#endif /* GCONF_HELPERS_H */
diff --git a/src/gconf-helpers/gconf-upgrade.c b/src/gconf-helpers/gconf-upgrade.c
index 9c87fbd..30f28af 100644
--- a/src/gconf-helpers/gconf-upgrade.c
+++ b/src/gconf-helpers/gconf-upgrade.c
@@ -70,6 +70,18 @@
#define NM_PHASE2_AUTH_MSCHAPV2 0x00030000
#define NM_PHASE2_AUTH_GTC 0x00040000
+#define NMA_CA_CERT_IGNORE_TAG "nma-ca-cert-ignore"
+#define NMA_PHASE2_CA_CERT_IGNORE_TAG "nma-phase2-ca-cert-ignore"
+#define NMA_PRIVATE_KEY_PASSWORD_TAG "nma-private-key-password"
+#define NMA_PHASE2_PRIVATE_KEY_PASSWORD_TAG "nma-phase2-private-key-password"
+#define NMA_PATH_CA_CERT_TAG "nma-path-ca-cert"
+#define NMA_PATH_PHASE2_CA_CERT_TAG "nma-path-phase2-ca-cert"
+#define NMA_PATH_CLIENT_CERT_TAG "nma-path-client-cert"
+#define NMA_PATH_PHASE2_CLIENT_CERT_TAG "nma-path-phase2-client-cert"
+#define NMA_PATH_PRIVATE_KEY_TAG "nma-path-private-key"
+#define NMA_PATH_PHASE2_PRIVATE_KEY_TAG "nma-path-phase2-private-key"
+
+
struct flagnames {
const char * const name;
guint value;
@@ -1820,3 +1832,150 @@ nm_gconf_migrate_0_7_autoconnect_default (GConfClient *client)
gconf_client_suggest_sync (client, NULL);
}
+void
+nm_gconf_migrate_0_7_ca_cert_ignore (GConfClient *client)
+{
+ GSList *connections, *iter;
+
+ /* With 0.8, the applet stores the key that suppresses the nag dialog
+ * when the user elects to ignore CA certificates in a different place than
+ * the connection itself. Move the old location to the new location.
+ */
+
+ connections = gconf_client_all_dirs (client, GCONF_PATH_CONNECTIONS, NULL);
+ for (iter = connections; iter; iter = iter->next) {
+ const char *dir = iter->data;
+ char *uuid = NULL;
+ gboolean ignore_ca_cert = FALSE;
+ gboolean ignore_phase2_ca_cert = FALSE;
+
+ if (!nm_gconf_get_string_helper (client, dir,
+ NM_SETTING_CONNECTION_UUID,
+ NM_SETTING_CONNECTION_SETTING_NAME,
+ &uuid))
+ continue;
+
+ nm_gconf_get_bool_helper (client, dir,
+ NMA_CA_CERT_IGNORE_TAG,
+ NM_SETTING_802_1X_SETTING_NAME,
+ &ignore_ca_cert);
+ if (ignore_ca_cert)
+ nm_gconf_set_ignore_ca_cert (uuid, FALSE, TRUE);
+ /* delete old key */
+ unset_one_setting_property (client, dir,
+ NM_SETTING_802_1X_SETTING_NAME,
+ NMA_CA_CERT_IGNORE_TAG);
+
+ nm_gconf_get_bool_helper (client, dir,
+ NMA_PHASE2_CA_CERT_IGNORE_TAG,
+ NM_SETTING_802_1X_SETTING_NAME,
+ &ignore_phase2_ca_cert);
+ if (ignore_phase2_ca_cert)
+ nm_gconf_set_ignore_ca_cert (uuid, TRUE, TRUE);
+ unset_one_setting_property (client, dir,
+ NM_SETTING_802_1X_SETTING_NAME,
+ NMA_PHASE2_CA_CERT_IGNORE_TAG);
+ }
+
+ nm_utils_slist_free (connections, g_free);
+ gconf_client_suggest_sync (client, NULL);
+}
+
+static void
+copy_one_cert_value (GConfClient *client,
+ const char *dir,
+ const char *tag,
+ const char *key)
+{
+ char *path = NULL;
+
+ if (nm_gconf_get_string_helper (client, dir,
+ tag,
+ NM_SETTING_802_1X_SETTING_NAME,
+ &path)) {
+ nm_gconf_set_string_helper (client, dir, key, NM_SETTING_802_1X_SETTING_NAME, path);
+ g_free (path);
+ }
+}
+
+static void
+copy_one_private_key_password (const char *uuid,
+ const char *id,
+ const char *old_key,
+ const char *new_key)
+{
+ GnomeKeyringResult ret;
+ GList *found_list = NULL;
+
+ /* Find the secret */
+ ret = gnome_keyring_find_itemsv_sync (GNOME_KEYRING_ITEM_GENERIC_SECRET,
+ &found_list,
+ KEYRING_UUID_TAG,
+ GNOME_KEYRING_ATTRIBUTE_TYPE_STRING,
+ uuid,
+ KEYRING_SN_TAG,
+ GNOME_KEYRING_ATTRIBUTE_TYPE_STRING,
+ NM_SETTING_802_1X_SETTING_NAME,
+ KEYRING_SK_TAG,
+ GNOME_KEYRING_ATTRIBUTE_TYPE_STRING,
+ old_key,
+ NULL);
+ if ((ret == GNOME_KEYRING_RESULT_OK) && g_list_length (found_list)) {
+ GnomeKeyringFound *found = found_list->data;
+
+ nm_gconf_add_keyring_item (uuid,
+ id,
+ NM_SETTING_802_1X_SETTING_NAME,
+ new_key,
+ found->secret);
+ gnome_keyring_item_delete_sync (found->keyring, found->item_id);
+ gnome_keyring_found_list_free (found_list);
+ }
+}
+
+void
+nm_gconf_migrate_0_7_certs (GConfClient *client)
+{
+ GSList *connections, *iter;
+
+ /* With 0.8, the certificate/key path is stored in the value itself, not
+ * in the lookaside "nma" value.
+ */
+
+ connections = gconf_client_all_dirs (client, GCONF_PATH_CONNECTIONS, NULL);
+ for (iter = connections; iter; iter = iter->next) {
+ const char *dir = iter->data;
+ char *uuid = NULL, *id = NULL;
+
+ if (!nm_gconf_get_string_helper (client, dir,
+ NM_SETTING_CONNECTION_UUID,
+ NM_SETTING_CONNECTION_SETTING_NAME,
+ &uuid))
+ continue;
+
+ if (!nm_gconf_get_string_helper (client, dir,
+ NM_SETTING_CONNECTION_ID,
+ NM_SETTING_CONNECTION_SETTING_NAME,
+ &id)) {
+ g_free (uuid);
+ continue;
+ }
+
+ copy_one_cert_value (client, dir, NMA_PATH_CA_CERT_TAG, NM_SETTING_802_1X_CA_CERT);
+ copy_one_cert_value (client, dir, NMA_PATH_PHASE2_CA_CERT_TAG, NM_SETTING_802_1X_PHASE2_CA_CERT);
+ copy_one_cert_value (client, dir, NMA_PATH_CLIENT_CERT_TAG, NM_SETTING_802_1X_CLIENT_CERT);
+ copy_one_cert_value (client, dir, NMA_PATH_PHASE2_CLIENT_CERT_TAG, NM_SETTING_802_1X_PHASE2_CLIENT_CERT);
+ copy_one_cert_value (client, dir, NMA_PATH_PRIVATE_KEY_TAG, NM_SETTING_802_1X_PRIVATE_KEY);
+ copy_one_cert_value (client, dir, NMA_PATH_PHASE2_PRIVATE_KEY_TAG, NM_SETTING_802_1X_PHASE2_PRIVATE_KEY);
+
+ copy_one_private_key_password (uuid, id, NMA_PRIVATE_KEY_PASSWORD_TAG, NM_SETTING_802_1X_PRIVATE_KEY_PASSWORD);
+ copy_one_private_key_password (uuid, id, NMA_PHASE2_PRIVATE_KEY_PASSWORD_TAG, NM_SETTING_802_1X_PHASE2_PRIVATE_KEY_PASSWORD);
+
+ g_free (uuid);
+ g_free (id);
+ }
+
+ nm_utils_slist_free (connections, g_free);
+ gconf_client_suggest_sync (client, NULL);
+}
+
diff --git a/src/gconf-helpers/gconf-upgrade.h b/src/gconf-helpers/gconf-upgrade.h
index 68c1ce2..868601c 100644
--- a/src/gconf-helpers/gconf-upgrade.h
+++ b/src/gconf-helpers/gconf-upgrade.h
@@ -48,5 +48,9 @@ void nm_gconf_migrate_0_7_vpn_never_default (GConfClient *client);
void nm_gconf_migrate_0_7_autoconnect_default (GConfClient *client);
+void nm_gconf_migrate_0_7_ca_cert_ignore (GConfClient *client);
+
+void nm_gconf_migrate_0_7_certs (GConfClient *client);
+
#endif /* GCONF_UPGRADE_H */
diff --git a/src/gconf-helpers/nma-gconf-connection.c b/src/gconf-helpers/nma-gconf-connection.c
index 2515c11..99bb2c9 100644
--- a/src/gconf-helpers/nma-gconf-connection.c
+++ b/src/gconf-helpers/nma-gconf-connection.c
@@ -25,8 +25,12 @@
#include <dbus/dbus.h>
#include <dbus/dbus-glib.h>
#include <dbus/dbus-glib-lowlevel.h>
+#include <gnome-keyring.h>
+
#include <nm-setting-connection.h>
#include <nm-setting-vpn.h>
+#include <nm-setting-8021x.h>
+
#include "nma-gconf-connection.h"
#include "gconf-helpers.h"
#include "nm-utils.h"
@@ -121,9 +125,7 @@ nma_gconf_connection_new_from_connection (GConfClient *client,
g_return_val_if_fail (NM_IS_CONNECTION (connection), NULL);
/* Ensure the connection is valid first */
- utils_fill_connection_certs (connection);
success = nm_connection_verify (connection, &error);
- utils_clear_filled_connection_certs (connection);
if (!success) {
g_warning ("Invalid connection %s: '%s' / '%s' invalid: %d",
conf_dir,
@@ -145,19 +147,10 @@ nma_gconf_connection_new_from_connection (GConfClient *client,
self = NMA_GCONF_CONNECTION (object);
/* Fill certs so that the nm_connection_replace_settings verification works */
- utils_fill_connection_certs (connection);
settings = nm_connection_to_hash (connection);
- utils_clear_filled_connection_certs (connection);
-
success = nm_connection_replace_settings (NM_CONNECTION (self), settings, NULL);
g_hash_table_destroy (settings);
- /* Then clear the filled certs on the replaced settings, and copy over
- * applet private values like file locations and such.
- */
- utils_clear_filled_connection_certs (NM_CONNECTION (self));
- nm_gconf_copy_private_connection_values (NM_CONNECTION (self), connection);
-
/* Already verified the settings above, they had better be OK */
g_assert (success);
@@ -189,9 +182,7 @@ nma_gconf_connection_gconf_changed (NMAGConfConnection *self)
goto invalid;
}
- utils_fill_connection_certs (new);
success = nm_connection_verify (new, &error);
- utils_clear_filled_connection_certs (new);
if (!success) {
g_warning ("%s: Invalid connection %s: '%s' / '%s' invalid: %d",
__func__, priv->dir,
@@ -207,14 +198,10 @@ nma_gconf_connection_gconf_changed (NMAGConfConnection *self)
return TRUE;
}
- utils_fill_connection_certs (new);
new_settings = nm_connection_to_hash (new);
- utils_clear_filled_connection_certs (new);
- g_object_unref (new);
-
success = nm_connection_replace_settings (NM_CONNECTION (self), new_settings, &error);
- utils_clear_filled_connection_certs (NM_CONNECTION (self));
g_hash_table_destroy (new_settings);
+ g_object_unref (new);
if (!success) {
g_warning ("%s: '%s' / '%s' invalid: %d",
@@ -238,6 +225,209 @@ invalid:
/******************************************************/
+static GValue *
+string_to_gvalue (const char *str)
+{
+ GValue *val;
+
+ val = g_slice_new0 (GValue);
+ g_value_init (val, G_TYPE_STRING);
+ g_value_set_string (val, str);
+
+ return val;
+}
+
+#define FILE_TAG "file://"
+
+static GValue *
+path_to_gvalue (const char *path)
+{
+ GValue *val;
+ GByteArray *array;
+
+ array = g_byte_array_sized_new (strlen (FILE_TAG) + strlen (path) + 1);
+ g_byte_array_append (array, (guint8 *) FILE_TAG, strlen (FILE_TAG));
+ g_byte_array_append (array, (guint8 *) path, strlen (path) + 1); /* +1 for the trailing NULL */
+
+ val = g_slice_new0 (GValue);
+ g_value_init (val, DBUS_TYPE_G_UCHAR_ARRAY);
+ g_value_take_boxed (val, array);
+
+ return val;
+}
+
+static void
+destroy_gvalue (gpointer data)
+{
+ GValue *value = (GValue *) data;
+
+ g_value_unset (value);
+ g_slice_free (GValue, value);
+}
+
+static GHashTable *
+nma_gconf_connection_get_keyring_items (NMAGConfConnection *self,
+ const char *setting_name,
+ GError **error)
+{
+ NMAGConfConnectionPrivate *priv;
+ NMSettingConnection *s_con;
+ GHashTable *secrets;
+ GList *found_list = NULL;
+ GnomeKeyringResult ret;
+ GList *iter;
+ const char *connection_name;
+ char *path = NULL;
+
+ g_return_val_if_fail (self != NULL, NULL);
+ g_return_val_if_fail (setting_name != NULL, NULL);
+ g_return_val_if_fail (error != NULL, NULL);
+ g_return_val_if_fail (*error == NULL, NULL);
+
+ priv = NMA_GCONF_CONNECTION_GET_PRIVATE (self);
+
+ s_con = NM_SETTING_CONNECTION (nm_connection_get_setting (NM_CONNECTION (self), NM_TYPE_SETTING_CONNECTION));
+ g_assert (s_con);
+
+ connection_name = nm_setting_connection_get_id (s_con);
+ g_assert (connection_name);
+
+ pre_keyring_callback ();
+
+ ret = gnome_keyring_find_itemsv_sync (GNOME_KEYRING_ITEM_GENERIC_SECRET,
+ &found_list,
+ KEYRING_UUID_TAG,
+ GNOME_KEYRING_ATTRIBUTE_TYPE_STRING,
+ nm_setting_connection_get_uuid (s_con),
+ KEYRING_SN_TAG,
+ GNOME_KEYRING_ATTRIBUTE_TYPE_STRING,
+ setting_name,
+ NULL);
+ if ((ret != GNOME_KEYRING_RESULT_OK) || (g_list_length (found_list) == 0))
+ return NULL;
+
+ secrets = g_hash_table_new_full (g_str_hash, g_str_equal, g_free, destroy_gvalue);
+
+ for (iter = found_list; iter != NULL; iter = g_list_next (iter)) {
+ GnomeKeyringFound *found = (GnomeKeyringFound *) iter->data;
+ int i;
+ const char *key_name = NULL;
+
+ for (i = 0; i < found->attributes->len; i++) {
+ GnomeKeyringAttribute *attr;
+
+ attr = &(gnome_keyring_attribute_list_index (found->attributes, i));
+ if ( (strcmp (attr->name, KEYRING_SK_TAG) == 0)
+ && (attr->type == GNOME_KEYRING_ATTRIBUTE_TYPE_STRING)) {
+ key_name = attr->value.string;
+ break;
+ }
+ }
+
+ if (key_name == NULL) {
+ g_set_error (error,
+ NM_SETTINGS_INTERFACE_ERROR,
+ NM_SETTINGS_INTERFACE_ERROR_SECRETS_UNAVAILABLE,
+ "%s.%d - Internal error; keyring item '%s/%s' didn't "
+ "have a 'setting-key' attribute.",
+ __FILE__, __LINE__, connection_name, setting_name);
+ break;
+ }
+
+ g_hash_table_insert (secrets,
+ g_strdup (key_name),
+ string_to_gvalue (found->secret));
+ }
+
+ /* The phase1 and phase2 private key are still marked as 'secret' for
+ * backwards compat, but since they don't get stored in the keyring since
+ * they aren't really secret (because we now use paths everywhere and not
+ * the decrypted private key like 0.7.x). So we need to grab them out of
+ * GConf and add them to the returned secret hash.
+ */
+ /* Private key path */
+ path = NULL;
+ if (nm_gconf_get_string_helper (priv->client,
+ priv->dir,
+ NM_SETTING_802_1X_PRIVATE_KEY,
+ NM_SETTING_802_1X_SETTING_NAME,
+ &path)) {
+ g_hash_table_insert (secrets,
+ g_strdup (NM_SETTING_802_1X_PRIVATE_KEY),
+ path_to_gvalue (path));
+ g_free (path);
+ }
+
+ /* Phase2 private key path */
+ path = NULL;
+ if (nm_gconf_get_string_helper (priv->client,
+ priv->dir,
+ NM_SETTING_802_1X_PHASE2_PRIVATE_KEY,
+ NM_SETTING_802_1X_SETTING_NAME,
+ &path)) {
+ g_hash_table_insert (secrets,
+ g_strdup (NM_SETTING_802_1X_PHASE2_PRIVATE_KEY),
+ path_to_gvalue (path));
+ g_free (path);
+ }
+
+ if (*error) {
+ nm_warning ("%s: error reading secrets: (%d) %s", __func__,
+ (*error)->code, (*error)->message);
+ g_hash_table_destroy (secrets);
+ secrets = NULL;
+ }
+
+ gnome_keyring_found_list_free (found_list);
+ return secrets;
+}
+
+static void
+delete_done (GnomeKeyringResult result, gpointer user_data)
+{
+}
+
+static void
+clear_keyring_items (NMAGConfConnection *self)
+{
+ NMSettingConnection *s_con;
+ const char *uuid;
+ GList *found_list = NULL;
+ GnomeKeyringResult ret;
+ GList *iter;
+
+ g_return_if_fail (self != NULL);
+
+ s_con = (NMSettingConnection *) nm_connection_get_setting (NM_CONNECTION (self), NM_TYPE_SETTING_CONNECTION);
+ g_return_if_fail (s_con != NULL);
+
+ uuid = nm_setting_connection_get_uuid (s_con);
+ g_return_if_fail (uuid != NULL);
+
+ pre_keyring_callback ();
+
+ ret = gnome_keyring_find_itemsv_sync (GNOME_KEYRING_ITEM_GENERIC_SECRET,
+ &found_list,
+ KEYRING_UUID_TAG,
+ GNOME_KEYRING_ATTRIBUTE_TYPE_STRING,
+ uuid,
+ NULL);
+ if (ret == GNOME_KEYRING_RESULT_OK) {
+ for (iter = found_list; iter != NULL; iter = g_list_next (iter)) {
+ GnomeKeyringFound *found = (GnomeKeyringFound *) iter->data;
+
+ gnome_keyring_item_delete (found->keyring,
+ found->item_id,
+ delete_done,
+ NULL,
+ NULL);
+ }
+ gnome_keyring_found_list_free (found_list);
+ }
+}
+
+/******************************************************/
+
static gboolean
update (NMSettingsConnectionInterface *connection,
NMSettingsConnectionInterfaceUpdateFunc callback,
@@ -263,6 +453,9 @@ do_delete (NMSettingsConnectionInterface *connection,
gboolean success;
GError *error = NULL;
+ /* Clean up keyring keys */
+ clear_keyring_items (NMA_GCONF_CONNECTION (connection));
+
success = gconf_client_recursive_unset (priv->client, priv->dir, 0, &error);
if (!success) {
callback (connection, error, user_data);
@@ -320,7 +513,7 @@ internal_get_secrets (NMSettingsConnectionInterface *connection,
/* Only try to get new secrets for D-Bus requests */
if (local) {
- secrets = nm_gconf_get_keyring_items (NM_CONNECTION (self), setting_name, local, error);
+ secrets = nma_gconf_connection_get_keyring_items (self, setting_name, error);
if (!secrets && error && *error)
return FALSE;
} else {
@@ -335,7 +528,7 @@ internal_get_secrets (NMSettingsConnectionInterface *connection,
goto get_secrets;
}
- secrets = nm_gconf_get_keyring_items (NM_CONNECTION (self), setting_name, local, error);
+ secrets = nma_gconf_connection_get_keyring_items (self, setting_name, error);
if (!secrets) {
if (error && *error)
return FALSE;
diff --git a/src/gconf-helpers/nma-gconf-settings.c b/src/gconf-helpers/nma-gconf-settings.c
index 8fca201..986d947 100644
--- a/src/gconf-helpers/nma-gconf-settings.c
+++ b/src/gconf-helpers/nma-gconf-settings.c
@@ -99,6 +99,7 @@ internal_add_connection (NMAGConfSettings *self, NMAGConfConnection *connection)
DBusGConnection *bus = NULL;
g_return_if_fail (connection != NULL);
+ g_return_if_fail (NMA_IS_GCONF_CONNECTION (connection));
priv->connections = g_slist_prepend (priv->connections, connection);
g_signal_connect (connection, "new-secrets-requested",
@@ -115,6 +116,7 @@ internal_add_connection (NMAGConfSettings *self, NMAGConfConnection *connection)
}
g_signal_emit_by_name (self, NM_SETTINGS_INTERFACE_NEW_CONNECTION, NM_CONNECTION (connection));
+ g_return_if_fail (NMA_IS_GCONF_CONNECTION (priv->connections->data));
}
static void
diff --git a/src/utils/utils.c b/src/utils/utils.c
index 61f1a7a..6405865 100644
--- a/src/utils/utils.c
+++ b/src/utils/utils.c
@@ -189,142 +189,6 @@ utils_get_device_description (NMDevice *device)
return description;
}
-static GByteArray *
-file_to_g_byte_array (const char *filename)
-{
- char *contents = NULL;
- GByteArray *array = NULL;
- gsize length = 0;
-
- if (!g_file_get_contents (filename, &contents, &length, NULL))
- return NULL;
-
- array = g_byte_array_sized_new (length);
- if (!array) {
- g_free (contents);
- return NULL;
- }
-
- g_byte_array_append (array, (unsigned char *) contents, length);
- return array;
-}
-
-static gboolean
-fill_one_private_key (NMConnection *connection,
- const char *pk_tag,
- const char *pk_prop,
- const char *cc_prop)
-{
- const char *filename;
- NMSetting8021x *tmp;
- NMSetting8021xCKType pk_type = NM_SETTING_802_1X_CK_TYPE_UNKNOWN;
- gboolean need_client_cert = TRUE;
-
- /* If the private key is PKCS#12, don't set the client cert */
- filename = g_object_get_data (G_OBJECT (connection), pk_tag);
- if (!filename)
- return TRUE;
-
- tmp = NM_SETTING_802_1X (nm_setting_802_1x_new ());
- nm_setting_802_1x_set_private_key_from_file (tmp, filename, NULL, &pk_type, NULL);
- if (pk_type == NM_SETTING_802_1X_CK_TYPE_PKCS12) {
- GByteArray *array;
-
- array = file_to_g_byte_array (filename);
- if (array) {
- NMSetting *s_8021x = nm_connection_get_setting (connection, NM_TYPE_SETTING_802_1X);
-
- g_object_set (s_8021x,
- pk_prop, array,
- cc_prop, array,
- NULL);
- g_byte_array_free (array, TRUE);
- need_client_cert = FALSE;
- }
- }
- g_object_unref (tmp);
- return need_client_cert;
-}
-
-void
-utils_fill_connection_certs (NMConnection *connection)
-{
- NMSetting8021x *s_8021x;
- const char *filename;
- GError *error = NULL;
- gboolean need_client_cert = TRUE;
-
- g_return_if_fail (connection != NULL);
-
- s_8021x = NM_SETTING_802_1X (nm_connection_get_setting (connection, NM_TYPE_SETTING_802_1X));
- if (!s_8021x)
- return;
-
- filename = g_object_get_data (G_OBJECT (connection), NMA_PATH_CA_CERT_TAG);
- if (filename) {
- if (!nm_setting_802_1x_set_ca_cert_from_file (s_8021x, filename, NULL, &error))
- g_warning ("%s: couldn't read CA certificate: %d %s", __func__, error->code, error->message);
- g_clear_error (&error);
- }
-
- /* If the private key is PKCS#12, don't set the client cert */
- need_client_cert = fill_one_private_key (connection,
- NMA_PATH_PRIVATE_KEY_TAG,
- NM_SETTING_802_1X_PRIVATE_KEY,
- NM_SETTING_802_1X_CLIENT_CERT);
- if (need_client_cert) {
- filename = g_object_get_data (G_OBJECT (connection), NMA_PATH_CLIENT_CERT_TAG);
- if (filename) {
- if (!nm_setting_802_1x_set_client_cert_from_file (s_8021x, filename, NULL, &error))
- g_warning ("%s: couldn't read client certificate: %d %s", __func__, error->code, error->message);
- g_clear_error (&error);
- }
- }
-
- filename = g_object_get_data (G_OBJECT (connection), NMA_PATH_PHASE2_CA_CERT_TAG);
- if (filename) {
- if (!nm_setting_802_1x_set_phase2_ca_cert_from_file (s_8021x, filename, NULL, &error))
- g_warning ("%s: couldn't read phase2 CA certificate: %d %s", __func__, error->code, error->message);
- g_clear_error (&error);
- }
-
- /* If the private key is PKCS#12, don't set the client cert */
- need_client_cert = fill_one_private_key (connection,
- NMA_PATH_PHASE2_PRIVATE_KEY_TAG,
- NM_SETTING_802_1X_PHASE2_PRIVATE_KEY,
- NM_SETTING_802_1X_PHASE2_CLIENT_CERT);
- if (need_client_cert) {
- filename = g_object_get_data (G_OBJECT (connection), NMA_PATH_PHASE2_CLIENT_CERT_TAG);
- if (filename) {
- if (!nm_setting_802_1x_set_phase2_client_cert_from_file (s_8021x, filename, NULL, &error))
- g_warning ("%s: couldn't read phase2 client certificate: %d %s", __func__, error->code, error->message);
- g_clear_error (&error);
- }
- }
-}
-
-void
-utils_clear_filled_connection_certs (NMConnection *connection)
-{
- NMSetting8021x *s_8021x;
-
- g_return_if_fail (connection != NULL);
-
- s_8021x = NM_SETTING_802_1X (nm_connection_get_setting (connection, NM_TYPE_SETTING_802_1X));
- if (!s_8021x)
- return;
-
- g_object_set (s_8021x,
- NM_SETTING_802_1X_CA_CERT, NULL,
- NM_SETTING_802_1X_CLIENT_CERT, NULL,
- NM_SETTING_802_1X_PRIVATE_KEY, NULL,
- NM_SETTING_802_1X_PHASE2_CA_CERT, NULL,
- NM_SETTING_802_1X_PHASE2_CLIENT_CERT, NULL,
- NM_SETTING_802_1X_PHASE2_PRIVATE_KEY, NULL,
- NULL);
-}
-
-
struct cf_pair {
guint32 chan;
guint32 freq;
diff --git a/src/utils/utils.h b/src/utils/utils.h
index 9e26442..11acb66 100644
--- a/src/utils/utils.h
+++ b/src/utils/utils.h
@@ -30,10 +30,6 @@
const char *utils_get_device_description (NMDevice *device);
-void utils_fill_connection_certs (NMConnection *connection);
-
-void utils_clear_filled_connection_certs (NMConnection *connection);
-
guint32 utils_freq_to_channel (guint32 freq);
guint32 utils_channel_to_freq (guint32 channel, char *band);
guint32 utils_find_next_channel (guint32 channel, int direction, char *band);
diff --git a/src/wireless-dialog.c b/src/wireless-dialog.c
index c973be1..6c761b7 100644
--- a/src/wireless-dialog.c
+++ b/src/wireless-dialog.c
@@ -1,3 +1,4 @@
+/* -*- Mode: C; tab-width: 4; indent-tabs-mode: t; c-basic-offset: 4 -*- */
/* NetworkManager Wireless Applet -- Display wireless access points and allow user control
*
* Dan Williams <dcbw redhat com>
@@ -125,14 +126,15 @@ model_free (GtkTreeModel *model, guint col)
static void
size_group_clear (GtkSizeGroup *group)
{
- GSList *children;
GSList *iter;
g_return_if_fail (group != NULL);
- children = gtk_size_group_get_widgets (group);
- for (iter = children; iter; iter = g_slist_next (iter))
+ iter = gtk_size_group_get_widgets (group);
+ while (iter) {
gtk_size_group_remove_widget (group, GTK_WIDGET (iter->data));
+ iter = gtk_size_group_get_widgets (group);
+ }
}
static void
@@ -200,7 +202,7 @@ security_combo_changed (GtkWidget *combo,
/* Set focus to the security method's default widget, but only if the
* network name entry should not be focused.
*/
- if (!priv->network_name_focus) {
+ if (!priv->network_name_focus && sec->default_field) {
def_widget = glade_xml_get_widget (sec->xml, sec->default_field);
if (def_widget)
gtk_widget_grab_focus (def_widget);
diff --git a/src/wireless-security/eap-method-peap.c b/src/wireless-security/eap-method-peap.c
index e8e5f6e..4905c40 100644
--- a/src/wireless-security/eap-method-peap.c
+++ b/src/wireless-security/eap-method-peap.c
@@ -1,3 +1,4 @@
+/* -*- Mode: C; tab-width: 4; indent-tabs-mode: t; c-basic-offset: 4 -*- */
/* NetworkManager Wireless Applet -- Display wireless access points and allow user control
*
* Dan Williams <dcbw redhat com>
@@ -23,6 +24,8 @@
#include <glade/glade.h>
#include <ctype.h>
#include <string.h>
+
+#include <nm-setting-connection.h>
#include <nm-setting-8021x.h>
#include "eap-method.h"
@@ -109,7 +112,9 @@ add_to_size_group (EAPMethod *parent, GtkSizeGroup *group)
static void
fill_connection (EAPMethod *parent, NMConnection *connection)
{
+ NMSettingConnection *s_con;
NMSetting8021x *s_8021x;
+ NMSetting8021xCKFormat format = NM_SETTING_802_1X_CK_FORMAT_UNKNOWN;
GtkWidget *widget;
const char *text;
char *filename;
@@ -117,6 +122,10 @@ fill_connection (EAPMethod *parent, NMConnection *connection)
GtkTreeModel *model;
GtkTreeIter iter;
int peapver_active = 0;
+ GError *error = NULL;
+
+ s_con = NM_SETTING_CONNECTION (nm_connection_get_setting (connection, NM_TYPE_SETTING_CONNECTION));
+ g_assert (s_con);
s_8021x = NM_SETTING_802_1X (nm_connection_get_setting (connection, NM_TYPE_SETTING_802_1X));
g_assert (s_8021x);
@@ -132,19 +141,14 @@ fill_connection (EAPMethod *parent, NMConnection *connection)
widget = glade_xml_get_widget (parent->xml, "eap_peap_ca_cert_button");
g_assert (widget);
filename = gtk_file_chooser_get_filename (GTK_FILE_CHOOSER (widget));
- if (filename) {
- g_object_set_data_full (G_OBJECT (connection),
- NMA_PATH_CA_CERT_TAG, g_strdup (filename),
- (GDestroyNotify) g_free);
- g_free (filename);
- } else {
- g_object_set_data (G_OBJECT (connection), NMA_PATH_CA_CERT_TAG, NULL);
+ if (!nm_setting_802_1x_set_ca_cert (s_8021x, filename, NM_SETTING_802_1X_CK_SCHEME_PATH, &format, &error)) {
+ g_warning ("Couldn't read CA certificate '%s': %s", filename, error ? error->message : "(unknown)");
+ g_clear_error (&error);
}
- if (eap_method_get_ignore_ca_cert (parent))
- g_object_set_data (G_OBJECT (connection), NMA_CA_CERT_IGNORE_TAG, GUINT_TO_POINTER (TRUE));
- else
- g_object_set_data (G_OBJECT (connection), NMA_CA_CERT_IGNORE_TAG, NULL);
+ nm_gconf_set_ignore_ca_cert (nm_setting_connection_get_uuid (s_con),
+ FALSE,
+ eap_method_get_ignore_ca_cert (parent));
widget = glade_xml_get_widget (parent->xml, "eap_peap_version_combo");
peapver_active = gtk_combo_box_get_active (GTK_COMBO_BOX (widget));
@@ -332,7 +336,8 @@ eap_method_peap_new (const char *glade_file,
eap_method_nag_init (EAP_METHOD (method),
glade_file,
"eap_peap_ca_cert_button",
- connection);
+ connection,
+ FALSE);
method->sec_parent = parent;
@@ -349,10 +354,12 @@ eap_method_peap_new (const char *glade_file,
parent);
filter = eap_method_default_file_chooser_filter_new (FALSE);
gtk_file_chooser_add_filter (GTK_FILE_CHOOSER (widget), filter);
- if (connection) {
- filename = g_object_get_data (G_OBJECT (connection), NMA_PATH_CA_CERT_TAG);
- if (filename)
- gtk_file_chooser_set_filename (GTK_FILE_CHOOSER (widget), filename);
+ if (connection && s_8021x) {
+ if (nm_setting_802_1x_get_ca_cert_scheme (s_8021x) == NM_SETTING_802_1X_CK_SCHEME_PATH) {
+ filename = nm_setting_802_1x_get_ca_cert_path (s_8021x);
+ if (filename)
+ gtk_file_chooser_set_filename (GTK_FILE_CHOOSER (widget), filename);
+ }
}
widget = inner_auth_combo_init (method, glade_file, connection, s_8021x);
diff --git a/src/wireless-security/eap-method-tls.c b/src/wireless-security/eap-method-tls.c
index db0d7c4..28f26aa 100644
--- a/src/wireless-security/eap-method-tls.c
+++ b/src/wireless-security/eap-method-tls.c
@@ -1,5 +1,4 @@
-/* -*- Mode: C; tab-width: 5; indent-tabs-mode: t; c-basic-offset: 5 -*- */
-
+/* -*- Mode: C; tab-width: 4; indent-tabs-mode: t; c-basic-offset: 4 -*- */
/* NetworkManager Wireless Applet -- Display wireless access points and allow user control
*
* Dan Williams <dcbw redhat com>
@@ -25,6 +24,8 @@
#include <glib/gi18n.h>
#include <ctype.h>
#include <string.h>
+
+#include <nm-setting-connection.h>
#include <nm-setting-8021x.h>
#include "gconf-helpers.h"
@@ -57,7 +58,7 @@ destroy (EAPMethod *parent)
static gboolean
validate (EAPMethod *parent)
{
- NMSetting8021xCKType ck_type = NM_SETTING_802_1X_CK_TYPE_UNKNOWN;
+ NMSetting8021xCKFormat format = NM_SETTING_802_1X_CK_FORMAT_UNKNOWN;
GtkWidget *widget;
const char *password, *identity;
@@ -80,10 +81,10 @@ validate (EAPMethod *parent)
"eap_tls_private_key_button",
TYPE_PRIVATE_KEY,
password,
- &ck_type))
+ &format))
return FALSE;
- if (ck_type != NM_SETTING_802_1X_CK_TYPE_PKCS12) {
+ if (format != NM_SETTING_802_1X_CK_FORMAT_PKCS12) {
if (!eap_method_validate_filepicker (parent->xml, "eap_tls_user_cert_button", TYPE_CLIENT_CERT, NULL, NULL))
return FALSE;
}
@@ -118,26 +119,20 @@ add_to_size_group (EAPMethod *parent, GtkSizeGroup *group)
}
static void
-free_password (gpointer data)
-{
- g_return_if_fail (data != NULL);
-
- /* Try not to leave passwords around in memory */
- memset (data, 0, strlen (data));
- g_free (data);
-}
-
-static void
fill_connection (EAPMethod *parent, NMConnection *connection)
{
EAPMethodTLS *method = (EAPMethodTLS *) parent;
- NMSetting8021xCKType key_type = NM_SETTING_802_1X_CK_TYPE_UNKNOWN;
+ NMSetting8021xCKFormat format = NM_SETTING_802_1X_CK_FORMAT_UNKNOWN;
NMSetting8021x *s_8021x;
+ NMSettingConnection *s_con;
GtkWidget *widget;
- char *filename, *pk_filename, *cc_filename;
- char *password = NULL;
+ char *ca_filename, *pk_filename, *cc_filename;
+ const char *password = NULL;
GError *error = NULL;
+ s_con = NM_SETTING_CONNECTION (nm_connection_get_setting (connection, NM_TYPE_SETTING_CONNECTION));
+ g_assert (s_con);
+
s_8021x = NM_SETTING_802_1X (nm_connection_get_setting (connection, NM_TYPE_SETTING_802_1X));
g_assert (s_8021x);
@@ -150,92 +145,83 @@ fill_connection (EAPMethod *parent, NMConnection *connection)
g_assert (widget);
g_object_set (s_8021x, NM_SETTING_802_1X_IDENTITY, gtk_entry_get_text (GTK_ENTRY (widget)), NULL);
+ /* TLS private key */
widget = glade_xml_get_widget (parent->xml, "eap_tls_private_key_password_entry");
g_assert (widget);
- password = g_strdup (gtk_entry_get_text (GTK_ENTRY (widget)));
- if (method->phase2) {
- g_object_set_data_full (G_OBJECT (connection),
- NMA_PHASE2_PRIVATE_KEY_PASSWORD_TAG,
- password,
- (GDestroyNotify) free_password);
- } else {
- g_object_set_data_full (G_OBJECT (connection),
- NMA_PRIVATE_KEY_PASSWORD_TAG,
- password,
- (GDestroyNotify) free_password);
- }
+ password = gtk_entry_get_text (GTK_ENTRY (widget));
+ g_assert (password);
- /* TLS private key */
widget = glade_xml_get_widget (parent->xml, "eap_tls_private_key_button");
g_assert (widget);
pk_filename = gtk_file_chooser_get_filename (GTK_FILE_CHOOSER (widget));
g_assert (pk_filename);
- g_object_set_data_full (G_OBJECT (connection),
- method->phase2 ? NMA_PATH_PHASE2_PRIVATE_KEY_TAG : NMA_PATH_PRIVATE_KEY_TAG,
- g_strdup (pk_filename),
- (GDestroyNotify) g_free);
+
if (method->phase2) {
- if (!nm_setting_802_1x_set_phase2_private_key_from_file (s_8021x, pk_filename, password, &key_type, &error)) {
+ if (!nm_setting_802_1x_set_phase2_private_key (s_8021x, pk_filename, password, NM_SETTING_802_1X_CK_SCHEME_PATH, &format, &error)) {
g_warning ("Couldn't read phase2 private key '%s': %s", pk_filename, error ? error->message : "(unknown)");
g_clear_error (&error);
}
} else {
- if (!nm_setting_802_1x_set_private_key_from_file (s_8021x, pk_filename, password, &key_type, &error)) {
+ if (!nm_setting_802_1x_set_private_key (s_8021x, pk_filename, password, NM_SETTING_802_1X_CK_SCHEME_PATH, &format, &error)) {
g_warning ("Couldn't read private key '%s': %s", pk_filename, error ? error->message : "(unknown)");
g_clear_error (&error);
}
}
+ g_free (pk_filename);
/* TLS client certificate */
- if (key_type == NM_SETTING_802_1X_CK_TYPE_PKCS12) {
- /* if the key is pkcs#12, the cert is filled with the same data */
- cc_filename = g_strdup (pk_filename);
- } else {
+ if (format != NM_SETTING_802_1X_CK_FORMAT_PKCS12) {
+ /* If the key is pkcs#12 nm_setting_802_1x_set_private_key() already
+ * set the client certificate for us.
+ */
widget = glade_xml_get_widget (parent->xml, "eap_tls_user_cert_button");
g_assert (widget);
cc_filename = gtk_file_chooser_get_filename (GTK_FILE_CHOOSER (widget));
+ g_assert (cc_filename);
+
+ format = NM_SETTING_802_1X_CK_FORMAT_UNKNOWN;
+ if (method->phase2) {
+ if (!nm_setting_802_1x_set_phase2_client_cert (s_8021x, cc_filename, NM_SETTING_802_1X_CK_SCHEME_PATH, &format, &error)) {
+ g_warning ("Couldn't read phase2 client certificate '%s': %s", cc_filename, error ? error->message : "(unknown)");
+ g_clear_error (&error);
+ }
+ } else {
+ if (!nm_setting_802_1x_set_client_cert (s_8021x, cc_filename, NM_SETTING_802_1X_CK_SCHEME_PATH, &format, &error)) {
+ g_warning ("Couldn't read client certificate '%s': %s", cc_filename, error ? error->message : "(unknown)");
+ g_clear_error (&error);
+ }
+ }
+ g_free (cc_filename);
}
- g_assert (cc_filename);
- g_object_set_data_full (G_OBJECT (connection),
- method->phase2 ? NMA_PATH_PHASE2_CLIENT_CERT_TAG : NMA_PATH_CLIENT_CERT_TAG,
- g_strdup (cc_filename),
- (GDestroyNotify) g_free);
- g_free (cc_filename);
- g_free (pk_filename);
-
/* TLS CA certificate */
widget = glade_xml_get_widget (parent->xml, "eap_tls_ca_cert_button");
g_assert (widget);
- filename = gtk_file_chooser_get_filename (GTK_FILE_CHOOSER (widget));
- if (filename) {
- g_object_set_data_full (G_OBJECT (connection),
- method->phase2 ? NMA_PATH_PHASE2_CA_CERT_TAG : NMA_PATH_CA_CERT_TAG,
- g_strdup (filename),
- (GDestroyNotify) g_free);
- g_free (filename);
- } else {
- g_object_set_data (G_OBJECT (connection),
- method->phase2 ? NMA_PATH_PHASE2_CA_CERT_TAG : NMA_PATH_CA_CERT_TAG,
- NULL);
- }
+ ca_filename = gtk_file_chooser_get_filename (GTK_FILE_CHOOSER (widget));
- if (eap_method_get_ignore_ca_cert (parent)) {
- g_object_set_data (G_OBJECT (connection),
- method->phase2 ? NMA_PHASE2_CA_CERT_IGNORE_TAG : NMA_CA_CERT_IGNORE_TAG,
- GUINT_TO_POINTER (TRUE));
+ format = NM_SETTING_802_1X_CK_FORMAT_UNKNOWN;
+ if (method->phase2) {
+ if (!nm_setting_802_1x_set_phase2_ca_cert (s_8021x, ca_filename, NM_SETTING_802_1X_CK_SCHEME_PATH, &format, &error)) {
+ g_warning ("Couldn't read phase2 CA certificate '%s': %s", ca_filename, error ? error->message : "(unknown)");
+ g_clear_error (&error);
+ }
} else {
- g_object_set_data (G_OBJECT (connection),
- method->phase2 ? NMA_PHASE2_CA_CERT_IGNORE_TAG : NMA_CA_CERT_IGNORE_TAG,
- NULL);
+ if (!nm_setting_802_1x_set_ca_cert (s_8021x, ca_filename, NM_SETTING_802_1X_CK_SCHEME_PATH, &format, &error)) {
+ g_warning ("Couldn't read CA certificate '%s': %s", ca_filename, error ? error->message : "(unknown)");
+ g_clear_error (&error);
+ }
}
+
+ nm_gconf_set_ignore_ca_cert (nm_setting_connection_get_uuid (s_con),
+ method->phase2,
+ eap_method_get_ignore_ca_cert (parent));
}
static void
private_key_picker_helper (EAPMethod *parent, const char *filename, gboolean changed)
{
NMSetting8021x *setting;
- NMSetting8021xCKType cert_type = NM_SETTING_802_1X_CK_TYPE_UNKNOWN;
+ NMSetting8021xCKFormat cert_format = NM_SETTING_802_1X_CK_FORMAT_UNKNOWN;
const char *password;
GtkWidget *widget;
@@ -244,12 +230,12 @@ private_key_picker_helper (EAPMethod *parent, const char *filename, gboolean cha
password = gtk_entry_get_text (GTK_ENTRY (widget));
setting = (NMSetting8021x *) nm_setting_802_1x_new ();
- nm_setting_802_1x_set_private_key_from_file (setting, filename, password, &cert_type, NULL);
+ nm_setting_802_1x_set_private_key (setting, filename, password, NM_SETTING_802_1X_CK_SCHEME_PATH, &cert_format, NULL);
g_object_unref (setting);
/* With PKCS#12, the client cert must be the same as the private key */
widget = glade_xml_get_widget (parent->xml, "eap_tls_user_cert_button");
- if (cert_type == NM_SETTING_802_1X_CK_TYPE_PKCS12) {
+ if (cert_format == NM_SETTING_802_1X_CK_FORMAT_PKCS12) {
gtk_file_chooser_unselect_all (GTK_FILE_CHOOSER (widget));
gtk_widget_set_sensitive (widget, FALSE);
} else if (changed)
@@ -277,34 +263,36 @@ static void reset_filter (GtkWidget *widget, GParamSpec *spec, gpointer user_dat
}
}
+typedef const char * (*PathFunc) (NMSetting8021x *setting);
+typedef NMSetting8021xCKScheme (*SchemeFunc) (NMSetting8021x *setting);
+
static void
setup_filepicker (GladeXML *xml,
const char *name,
const char *title,
WirelessSecurity *parent,
EAPMethodTLS *method,
- NMConnection *connection,
- const char *tag)
+ NMSetting8021x *s_8021x,
+ SchemeFunc scheme_func,
+ PathFunc path_func,
+ gboolean privkey,
+ gboolean client_cert)
{
GtkWidget *widget;
GtkFileFilter *filter;
const char *filename = NULL;
- gboolean privkey = FALSE, client_cert = FALSE;
-
- if (!strcmp (tag, NMA_PATH_PHASE2_PRIVATE_KEY_TAG) || !strcmp (tag, NMA_PATH_PRIVATE_KEY_TAG))
- privkey = TRUE;
- if (!strcmp (tag, NMA_PATH_PHASE2_CLIENT_CERT_TAG) || !strcmp (tag, NMA_PATH_CLIENT_CERT_TAG))
- client_cert = TRUE;
widget = glade_xml_get_widget (xml, name);
g_assert (widget);
gtk_file_chooser_set_local_only (GTK_FILE_CHOOSER (widget), TRUE);
gtk_file_chooser_button_set_title (GTK_FILE_CHOOSER_BUTTON (widget), title);
- if (connection && tag) {
- filename = g_object_get_data (G_OBJECT (connection), tag);
- if (filename)
- gtk_file_chooser_set_filename (GTK_FILE_CHOOSER (widget), filename);
+ if (s_8021x && path_func && scheme_func) {
+ if (scheme_func (s_8021x) == NM_SETTING_802_1X_CK_SCHEME_PATH) {
+ filename = path_func (s_8021x);
+ if (filename)
+ gtk_file_chooser_set_filename (GTK_FILE_CHOOSER (widget), filename);
+ }
}
/* Connect a special handler for private keys to intercept PKCS#12 key types
@@ -376,7 +364,8 @@ eap_method_tls_new (const char *glade_file,
eap_method_nag_init (EAP_METHOD (method),
glade_file,
"eap_tls_ca_cert_button",
- connection);
+ connection,
+ phase2);
method->phase2 = phase2;
@@ -410,19 +399,26 @@ eap_method_tls_new (const char *glade_file,
(GCallback) wireless_security_changed_cb,
parent);
+nm_connection_dump (connection);
setup_filepicker (xml, "eap_tls_user_cert_button",
_("Choose your personal certificate..."),
- parent, method, connection,
- phase2 ? NMA_PATH_PHASE2_CLIENT_CERT_TAG : NMA_PATH_CLIENT_CERT_TAG);
+ parent, method, s_8021x,
+ phase2 ? nm_setting_802_1x_get_phase2_client_cert_scheme : nm_setting_802_1x_get_client_cert_scheme,
+ phase2 ? nm_setting_802_1x_get_phase2_client_cert_path : nm_setting_802_1x_get_client_cert_path,
+ FALSE, TRUE);
setup_filepicker (xml, "eap_tls_ca_cert_button",
_("Choose a Certificate Authority certificate..."),
- parent, method, connection,
- phase2 ? NMA_PATH_PHASE2_CA_CERT_TAG : NMA_PATH_CA_CERT_TAG);
+ parent, method, s_8021x,
+ phase2 ? nm_setting_802_1x_get_phase2_ca_cert_scheme : nm_setting_802_1x_get_ca_cert_scheme,
+ phase2 ? nm_setting_802_1x_get_phase2_ca_cert_path : nm_setting_802_1x_get_ca_cert_path,
+ FALSE, FALSE);
setup_filepicker (xml,
"eap_tls_private_key_button",
_("Choose your private key..."),
- parent, method, connection,
- phase2 ? NMA_PATH_PHASE2_PRIVATE_KEY_TAG : NMA_PATH_PRIVATE_KEY_TAG);
+ parent, method, s_8021x,
+ phase2 ? nm_setting_802_1x_get_phase2_private_key_scheme : nm_setting_802_1x_get_private_key_scheme,
+ phase2 ? nm_setting_802_1x_get_phase2_private_key_path : nm_setting_802_1x_get_private_key_path,
+ TRUE, FALSE);
widget = glade_xml_get_widget (xml, "show_checkbutton");
g_assert (widget);
diff --git a/src/wireless-security/eap-method-ttls.c b/src/wireless-security/eap-method-ttls.c
index 6117592..9ccb1f8 100644
--- a/src/wireless-security/eap-method-ttls.c
+++ b/src/wireless-security/eap-method-ttls.c
@@ -1,3 +1,4 @@
+/* -*- Mode: C; tab-width: 4; indent-tabs-mode: t; c-basic-offset: 4 -*- */
/* NetworkManager Wireless Applet -- Display wireless access points and allow user control
*
* Dan Williams <dcbw redhat com>
@@ -23,6 +24,8 @@
#include <glade/glade.h>
#include <ctype.h>
#include <string.h>
+
+#include <nm-setting-connection.h>
#include <nm-setting-8021x.h>
#include "eap-method.h"
@@ -105,13 +108,19 @@ add_to_size_group (EAPMethod *parent, GtkSizeGroup *group)
static void
fill_connection (EAPMethod *parent, NMConnection *connection)
{
+ NMSettingConnection *s_con;
NMSetting8021x *s_8021x;
+ NMSetting8021xCKFormat format = NM_SETTING_802_1X_CK_FORMAT_UNKNOWN;
GtkWidget *widget;
const char *text;
char *filename;
EAPMethod *eap = NULL;
GtkTreeModel *model;
GtkTreeIter iter;
+ GError *error = NULL;
+
+ s_con = NM_SETTING_CONNECTION (nm_connection_get_setting (connection, NM_TYPE_SETTING_CONNECTION));
+ g_assert (s_con);
s_8021x = NM_SETTING_802_1X (nm_connection_get_setting (connection, NM_TYPE_SETTING_802_1X));
g_assert (s_8021x);
@@ -127,19 +136,14 @@ fill_connection (EAPMethod *parent, NMConnection *connection)
widget = glade_xml_get_widget (parent->xml, "eap_ttls_ca_cert_button");
g_assert (widget);
filename = gtk_file_chooser_get_filename (GTK_FILE_CHOOSER (widget));
- if (filename) {
- g_object_set_data_full (G_OBJECT (connection),
- NMA_PATH_CA_CERT_TAG, g_strdup (filename),
- (GDestroyNotify) g_free);
- g_free (filename);
- } else {
- g_object_set_data (G_OBJECT (connection), NMA_PATH_CA_CERT_TAG, NULL);
+ if (!nm_setting_802_1x_set_ca_cert (s_8021x, filename, NM_SETTING_802_1X_CK_SCHEME_PATH, &format, &error)) {
+ g_warning ("Couldn't read CA certificate '%s': %s", filename, error ? error->message : "(unknown)");
+ g_clear_error (&error);
}
- if (eap_method_get_ignore_ca_cert (parent))
- g_object_set_data (G_OBJECT (connection), NMA_CA_CERT_IGNORE_TAG, GUINT_TO_POINTER (TRUE));
- else
- g_object_set_data (G_OBJECT (connection), NMA_CA_CERT_IGNORE_TAG, NULL);
+ nm_gconf_set_ignore_ca_cert (nm_setting_connection_get_uuid (s_con),
+ FALSE,
+ eap_method_get_ignore_ca_cert (parent));
widget = glade_xml_get_widget (parent->xml, "eap_ttls_inner_auth_combo");
model = gtk_combo_box_get_model (GTK_COMBO_BOX (widget));
@@ -330,7 +334,8 @@ eap_method_ttls_new (const char *glade_file,
eap_method_nag_init (EAP_METHOD (method),
glade_file,
"eap_ttls_ca_cert_button",
- connection);
+ connection,
+ FALSE);
method->sec_parent = parent;
@@ -347,10 +352,12 @@ eap_method_ttls_new (const char *glade_file,
parent);
filter = eap_method_default_file_chooser_filter_new (FALSE);
gtk_file_chooser_add_filter (GTK_FILE_CHOOSER (widget), filter);
- if (connection) {
- filename = g_object_get_data (G_OBJECT (connection), NMA_PATH_CA_CERT_TAG);
- if (filename)
- gtk_file_chooser_set_filename (GTK_FILE_CHOOSER (widget), filename);
+ if (connection && s_8021x) {
+ if (nm_setting_802_1x_get_ca_cert_scheme (s_8021x) == NM_SETTING_802_1X_CK_SCHEME_PATH) {
+ filename = nm_setting_802_1x_get_ca_cert_path (s_8021x);
+ if (filename)
+ gtk_file_chooser_set_filename (GTK_FILE_CHOOSER (widget), filename);
+ }
}
widget = glade_xml_get_widget (xml, "eap_ttls_anon_identity_entry");
diff --git a/src/wireless-security/eap-method.c b/src/wireless-security/eap-method.c
index f382bf7..7ab7bbd 100644
--- a/src/wireless-security/eap-method.c
+++ b/src/wireless-security/eap-method.c
@@ -31,6 +31,7 @@
#include <fcntl.h>
#include <unistd.h>
+#include <nm-setting-connection.h>
#include <nm-setting-8021x.h>
#include "eap-method.h"
#include "gconf-helpers.h"
@@ -139,7 +140,8 @@ gboolean
eap_method_nag_init (EAPMethod *method,
const char *glade_file,
const char *ca_cert_chooser,
- NMConnection *connection)
+ NMConnection *connection,
+ gboolean phase2)
{
GtkWidget *dialog, *widget;
char *text;
@@ -155,8 +157,17 @@ eap_method_nag_init (EAPMethod *method,
}
method->ca_cert_chooser = g_strdup (ca_cert_chooser);
- if (connection)
- method->ignore_ca_cert = GPOINTER_TO_UINT (g_object_get_data (G_OBJECT (connection), NMA_CA_CERT_IGNORE_TAG));
+ if (connection) {
+ NMSettingConnection *s_con;
+ const char *uuid;
+
+ s_con = NM_SETTING_CONNECTION (nm_connection_get_setting (connection, NM_TYPE_SETTING_CONNECTION));
+ g_assert (s_con);
+ uuid = nm_setting_connection_get_uuid (s_con);
+ g_assert (uuid);
+
+ method->ignore_ca_cert = nm_gconf_get_ignore_ca_cert (uuid, phase2);
+ }
dialog = glade_xml_get_widget (method->nag_dialog_xml, "nag_user_dialog");
g_assert (dialog);
@@ -250,7 +261,7 @@ eap_method_validate_filepicker (GladeXML *xml,
const char *name,
guint32 item_type,
const char *password,
- NMSetting8021xCKType *out_ck_type)
+ NMSetting8021xCKFormat *out_format)
{
GtkWidget *widget;
char *filename;
@@ -259,15 +270,15 @@ eap_method_validate_filepicker (GladeXML *xml,
GError *error = NULL;
if (item_type == TYPE_PRIVATE_KEY) {
- g_return_val_if_fail (password != NULL, NM_SETTING_802_1X_CK_TYPE_UNKNOWN);
- g_return_val_if_fail (strlen (password), NM_SETTING_802_1X_CK_TYPE_UNKNOWN);
+ g_return_val_if_fail (password != NULL, FALSE);
+ g_return_val_if_fail (strlen (password), FALSE);
}
widget = glade_xml_get_widget (xml, name);
g_assert (widget);
filename = gtk_file_chooser_get_filename (GTK_FILE_CHOOSER (widget));
if (!filename)
- return (item_type == TYPE_CA_CERT) ? NM_SETTING_802_1X_CK_TYPE_X509 : NM_SETTING_802_1X_CK_TYPE_UNKNOWN;
+ return (item_type == TYPE_CA_CERT) ? TRUE : FALSE;
if (!g_file_test (filename, G_FILE_TEST_EXISTS | G_FILE_TEST_IS_REGULAR))
goto out;
@@ -275,21 +286,21 @@ eap_method_validate_filepicker (GladeXML *xml,
setting = (NMSetting8021x *) nm_setting_802_1x_new ();
if (item_type == TYPE_PRIVATE_KEY) {
- if (!nm_setting_802_1x_set_private_key_from_file (setting, filename, password, out_ck_type, &error)) {
+ if (!nm_setting_802_1x_set_private_key (setting, filename, password, NM_SETTING_802_1X_CK_SCHEME_PATH, out_format, &error)) {
g_warning ("Error: couldn't verify private key: %d %s",
error ? error->code : -1, error ? error->message : "(none)");
g_clear_error (&error);
} else
success = TRUE;
} else if (item_type == TYPE_CLIENT_CERT) {
- if (!nm_setting_802_1x_set_client_cert_from_file (setting, filename, out_ck_type, &error)) {
+ if (!nm_setting_802_1x_set_client_cert (setting, filename, NM_SETTING_802_1X_CK_SCHEME_PATH, out_format, &error)) {
g_warning ("Error: couldn't verify client certificate: %d %s",
error ? error->code : -1, error ? error->message : "(none)");
g_clear_error (&error);
} else
success = TRUE;
} else if (item_type == TYPE_CA_CERT) {
- if (!nm_setting_802_1x_set_ca_cert_from_file (setting, filename, out_ck_type, &error)) {
+ if (!nm_setting_802_1x_set_ca_cert (setting, filename, NM_SETTING_802_1X_CK_SCHEME_PATH, out_format, &error)) {
g_warning ("Error: couldn't verify CA certificate: %d %s",
error ? error->code : -1, error ? error->message : "(none)");
g_clear_error (&error);
diff --git a/src/wireless-security/eap-method.h b/src/wireless-security/eap-method.h
index 2d517b0..dd4a345 100644
--- a/src/wireless-security/eap-method.h
+++ b/src/wireless-security/eap-method.h
@@ -100,12 +100,13 @@ gboolean eap_method_validate_filepicker (GladeXML *xml,
const char *name,
guint32 item_type,
const char *password,
- NMSetting8021xCKType *out_ck_type);
+ NMSetting8021xCKFormat *out_format);
gboolean eap_method_nag_init (EAPMethod *method,
const char *glade_file,
const char *ca_cert_chooser,
- NMConnection *connection);
+ NMConnection *connection,
+ gboolean phase2);
gboolean eap_method_get_ignore_ca_cert (EAPMethod *method);
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]
