void nm_active_connection_clear_secrets (NMActiveConnection *self) { NMActiveConnectionPrivate *priv; g_return_if_fail (NM_IS_ACTIVE_CONNECTION (self)); priv = NM_ACTIVE_CONNECTION_GET_PRIVATE (self); if (nm_settings_connection_has_unmodified_applied_connection (priv->settings_connection, priv->applied_connection, NM_SETTING_COMPARE_FLAG_NONE)) nm_connection_clear_secrets ((NMConnection *) priv->settings_connection); nm_connection_clear_secrets (priv->applied_connection); }
void nm_active_connection_set_settings_connection (NMActiveConnection *self, NMSettingsConnection *connection) { NMActiveConnectionPrivate *priv; g_return_if_fail (NM_IS_ACTIVE_CONNECTION (self)); priv = NM_ACTIVE_CONNECTION_GET_PRIVATE (self); g_return_if_fail (NM_IS_SETTINGS_CONNECTION (connection)); g_return_if_fail (!priv->settings_connection); g_return_if_fail (!priv->applied_connection); /* Can't change connection after the ActiveConnection is exported over D-Bus. * * Later, we want to change the settings-connection of an activated connection. * When doing that, this changes the assumption that the settings-connection * never changes (once it's set). That has effects for NMVpnConnection and * NMActivationRequest. * For example, we'd have to cancel all pending seret requests. */ g_return_if_fail (!nm_exported_object_is_exported (NM_EXPORTED_OBJECT (self))); _set_settings_connection (self, connection); priv->applied_connection = nm_simple_connection_new_clone (NM_CONNECTION (priv->settings_connection)); nm_connection_clear_secrets (priv->applied_connection); }
static void device_state_changed (NMDevice *device, NMDeviceState new_state, NMDeviceState old_state, NMDeviceStateReason reason, gpointer user_data) { NMPolicy *policy = (NMPolicy *) user_data; NMConnection *connection = get_device_connection (device); switch (new_state) { case NM_DEVICE_STATE_FAILED: /* Mark the connection invalid if it failed during activation so that * it doesn't get automatically chosen over and over and over again. */ if (connection && IS_ACTIVATING_STATE (old_state)) { g_object_set_data (G_OBJECT (connection), INVALID_TAG, GUINT_TO_POINTER (TRUE)); nm_log_info (LOGD_DEVICE, "Marking connection '%s' invalid.", get_connection_id (connection)); nm_connection_clear_secrets (connection); } schedule_activate_check (policy, device, 3); break; case NM_DEVICE_STATE_ACTIVATED: if (connection) { /* Clear the invalid tag on the connection */ g_object_set_data (G_OBJECT (connection), INVALID_TAG, NULL); /* And clear secrets so they will always be requested from the * settings service when the next connection is made. */ nm_connection_clear_secrets (connection); } update_routing_and_dns (policy, FALSE); break; case NM_DEVICE_STATE_UNMANAGED: case NM_DEVICE_STATE_UNAVAILABLE: case NM_DEVICE_STATE_DISCONNECTED: update_routing_and_dns (policy, FALSE); schedule_activate_check (policy, device, 0); break; default: break; } }
static void updated_connection_cb (NMRemoteConnection *connection, GError *error, gpointer data) { NetConnectionEditor *editor = data; nm_connection_clear_secrets (NM_CONNECTION (connection)); update_complete (editor, error); }
static void impl_ppp_manager_need_secrets (NMPPPManager *manager, DBusGMethodInvocation *context) { NMPPPManagerPrivate *priv = NM_PPP_MANAGER_GET_PRIVATE (manager); NMConnection *connection; const char *setting_name; const char *username = NULL; const char *password = NULL; guint32 tries; GPtrArray *hints = NULL; GError *error = NULL; NMSettingsGetSecretsFlags flags = NM_SETTINGS_GET_SECRETS_FLAG_ALLOW_INTERACTION; connection = nm_act_request_get_connection (priv->act_req); nm_connection_clear_secrets (connection); setting_name = nm_connection_need_secrets (connection, &hints); if (!setting_name) { /* Use existing secrets from the connection */ if (extract_details_from_connection (connection, &username, &password, &error)) { /* Send existing secrets to the PPP plugin */ priv->pending_secrets_context = context; ppp_secrets_cb (priv->act_req, priv->secrets_id, connection, NULL, manager); } else { nm_log_warn (LOGD_PPP, "%s", error->message); dbus_g_method_return_error (priv->pending_secrets_context, error); g_clear_error (&error); } return; } /* Only ask for completely new secrets after retrying them once; some devices * appear to ask a few times when they actually don't even care what you * pass back. */ tries = GPOINTER_TO_UINT (g_object_get_data (G_OBJECT (connection), PPP_MANAGER_SECRET_TRIES)); if (tries > 1) flags |= NM_SETTINGS_GET_SECRETS_FLAG_REQUEST_NEW; priv->secrets_id = nm_act_request_get_secrets (priv->act_req, setting_name, flags, hints ? g_ptr_array_index (hints, 0) : NULL, ppp_secrets_cb, manager); g_object_set_data (G_OBJECT (connection), PPP_MANAGER_SECRET_TRIES, GUINT_TO_POINTER (++tries)); priv->pending_secrets_context = context; if (hints) g_ptr_array_free (hints, TRUE); }
static void set_property (GObject *object, guint prop_id, const GValue *value, GParamSpec *pspec) { NMActiveConnection *self = (NMActiveConnection *) object; NMActiveConnectionPrivate *priv = NM_ACTIVE_CONNECTION_GET_PRIVATE (self); const char *tmp; NMSettingsConnection *con; switch (prop_id) { case PROP_INT_SETTINGS_CONNECTION: /* construct-only */ con = g_value_get_object (value); if (con) { _set_settings_connection (self, con); priv->applied_connection = nm_simple_connection_new_clone ((NMConnection *) priv->settings_connection); nm_connection_clear_secrets (priv->applied_connection); } break; case PROP_INT_DEVICE: /* construct-only */ nm_active_connection_set_device (self, g_value_get_object (value)); break; case PROP_INT_SUBJECT: priv->subject = g_value_dup_object (value); break; case PROP_INT_MASTER: nm_active_connection_set_master (self, g_value_get_object (value)); break; case PROP_SPECIFIC_OBJECT: tmp = g_value_get_string (value); /* NM uses "/" to mean NULL */ if (g_strcmp0 (tmp, "/") != 0) priv->specific_object = g_strdup (tmp); break; case PROP_DEFAULT: priv->is_default = !!g_value_get_boolean (value); break; case PROP_DEFAULT6: priv->is_default6 = !!g_value_get_boolean (value); break; case PROP_VPN: priv->vpn = g_value_get_boolean (value); break; case PROP_MASTER: break; default: G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec); break; } }
static void save_connection_and_exit (NmtNewtButton *button, gpointer user_data) { NmtEditor *editor = user_data; NmtEditorPrivate *priv = NMT_EDITOR_GET_PRIVATE (editor); NmtSyncOp op; GError *error = NULL; if (!nm_connection_replace_settings_from_connection (priv->orig_connection, priv->edit_connection, &error)) { nmt_newt_message_dialog (_("Error saving connection: %s"), error->message); g_error_free (error); return; } nmt_sync_op_init (&op); if (NM_IS_REMOTE_CONNECTION (priv->orig_connection)) { nm_remote_connection_commit_changes (NM_REMOTE_CONNECTION (priv->orig_connection), connection_updated, &op); if (!nmt_sync_op_wait_boolean (&op, &error)) { nmt_newt_message_dialog (_("Unable to save connection: %s"), error->message); g_error_free (error); return; } /* Clear secrets so they don't lay around in memory; they'll get * requested again anyway next time the connection is edited. */ nm_connection_clear_secrets (priv->orig_connection); } else { nm_remote_settings_add_connection (nm_settings, priv->orig_connection, connection_added, &op); if (!nmt_sync_op_wait_boolean (&op, &error)) { nmt_newt_message_dialog (_("Unable to add new connection: %s"), error->message); g_error_free (error); return; } } nmt_newt_form_quit (NMT_NEWT_FORM (editor)); }
static void updated_connection_cb (GObject *connection, GAsyncResult *result, gpointer user_data) { NMConnectionEditor *self = NM_CONNECTION_EDITOR (user_data); GError *error = NULL; nm_remote_connection_commit_changes_finish (NM_REMOTE_CONNECTION (connection), result, &error); /* Clear secrets so they don't lay around in memory; they'll get requested * again anyway next time the connection is edited. */ nm_connection_clear_secrets (NM_CONNECTION (connection)); update_complete (self, error); g_clear_error (&error); }
static void connection_secrets_response_cb (NMAWirelessDialog *dialog, gint response, gpointer user_data) { SecretsRequestInfo *info = user_data; NMConnection *connection; GHashTable *settings = NULL; NMSetting *s_wireless_sec; const char *key_mgmt; GError *error = NULL; gtk_widget_hide (GTK_WIDGET (dialog)); connection = nma_wireless_dialog_get_connection (dialog); if (response != GTK_RESPONSE_OK) { error = g_error_new (NM_SETTINGS_INTERFACE_ERROR, NM_SETTINGS_INTERFACE_ERROR_SECRETS_REQUEST_CANCELED, "%s.%d (%s): canceled", __FILE__, __LINE__, __func__); goto done; } /* Returned secrets are a{sa{sv}}; this is the outer a{s...} hash that * will contain all the individual settings hashes. */ settings = g_hash_table_new_full (g_str_hash, g_str_equal, g_free, (GDestroyNotify) g_hash_table_destroy); /* If the user chose an 802.1x-based auth method, return 802.1x secrets, * not wireless secrets. Can happen with Dynamic WEP, because NM doesn't * know the capabilities of the AP (since Dynamic WEP APs don't broadcast * beacons), and therefore defaults to requesting WEP secrets from the * wireless-security setting, not the 802.1x setting. */ s_wireless_sec = nm_connection_get_setting (connection, NM_TYPE_SETTING_WIRELESS_SECURITY); key_mgmt = nm_setting_wireless_security_get_key_mgmt (NM_SETTING_WIRELESS_SECURITY (s_wireless_sec)); if (!strcmp (key_mgmt, "ieee8021x") || !strcmp (key_mgmt, "wpa-eap")) { const char *auth_alg; /* LEAP secrets aren't in the 802.1x setting */ auth_alg = nm_setting_wireless_security_get_auth_alg (NM_SETTING_WIRELESS_SECURITY (s_wireless_sec)); if (!auth_alg || strcmp (auth_alg, "leap")) { NMSetting *s_8021x; s_8021x = nm_connection_get_setting (connection, NM_TYPE_SETTING_802_1X); if (!s_8021x) { error = g_error_new (NM_SETTINGS_INTERFACE_ERROR, NM_SETTINGS_INTERFACE_ERROR_INVALID_CONNECTION, "%s.%d (%s): requested setting '802-1x' didn't" " exist in the connection.", __FILE__, __LINE__, __func__); goto done; } /* Add the 802.1x setting */ g_hash_table_insert (settings, g_strdup (nm_setting_get_name (s_8021x)), nm_setting_to_hash (s_8021x)); } } /* Add the 802-11-wireless-security setting no matter what */ g_hash_table_insert (settings, g_strdup (nm_setting_get_name (s_wireless_sec)), nm_setting_to_hash (s_wireless_sec)); info->callback ((NMSettingsConnectionInterface *) connection, settings, NULL, info->callback_data); /* Save the connection back to GConf _after_ hashing it, because * saving to GConf might trigger the GConf change notifiers, resulting * in the connection being read back in from GConf which clears secrets. */ if (NM_IS_GCONF_CONNECTION (connection)) { nm_settings_connection_interface_update (NM_SETTINGS_CONNECTION_INTERFACE (connection), update_cb, NULL); } done: if (settings) g_hash_table_destroy (settings); if (error) { g_warning ("%s", error->message); info->callback (NM_SETTINGS_CONNECTION_INTERFACE (connection), NULL, error, info->callback_data); g_error_free (error); } g_free (info); if (connection) nm_connection_clear_secrets (connection); gtk_widget_destroy (GTK_WIDGET (dialog)); }
static void test_need_tls_phase2_secrets_blob (void) { NMConnection *connection; const char *setting_name; GPtrArray *hints = NULL; NMSetting8021x *s_8021x; connection = make_tls_phase2_connection ("need-tls-phase2-secrets-blob-key", NM_SETTING_802_1X_CK_SCHEME_BLOB); ASSERT (connection != NULL, "need-tls-phase2-secrets-blob-key", "error creating test connection"); /* Ensure we don't need any secrets since we just set up the connection */ setting_name = nm_connection_need_secrets (connection, &hints); ASSERT (setting_name == NULL, "need-tls-phase2-secrets-blob-key", "secrets are unexpectedly required"); ASSERT (hints == NULL, "need-tls-phase2-secrets-blob-key", "hints should be NULL since no secrets were required"); /* Connection is good; clear secrets and ensure private key is then required */ nm_connection_clear_secrets (connection); hints = NULL; setting_name = nm_connection_need_secrets (connection, &hints); ASSERT (setting_name != NULL, "need-tls-phase2-secrets-blob-key", "unexpected secrets success"); ASSERT (strcmp (setting_name, NM_SETTING_802_1X_SETTING_NAME) == 0, "need-tls-phase2-secrets-blob-key", "unexpected setting secrets required"); ASSERT (hints != NULL, "need-tls-phase2-secrets-blob-key", "expected returned secrets hints"); ASSERT (find_hints_item (hints, NM_SETTING_802_1X_PHASE2_PRIVATE_KEY), "need-tls-phase2-secrets-blob-key", "expected to require private key, but it wasn't"); g_object_unref (connection); /*** Just clear the private key this time ***/ connection = make_tls_phase2_connection ("need-tls-phase2-secrets-blob-key-password", NM_SETTING_802_1X_CK_SCHEME_BLOB); ASSERT (connection != NULL, "need-tls-phase2-secrets-blob-key-password", "error creating test connection"); s_8021x = (NMSetting8021x *) nm_connection_get_setting (connection, NM_TYPE_SETTING_802_1X); ASSERT (s_8021x != NULL, "need-tls-phase2-secrets-blob-key-password", "error getting test 802.1x setting"); g_object_set (G_OBJECT (s_8021x), NM_SETTING_802_1X_PHASE2_PRIVATE_KEY_PASSWORD, NULL, NULL); /* Blobs are already decrypted and don't need a password */ hints = NULL; setting_name = nm_connection_need_secrets (connection, &hints); ASSERT (setting_name == NULL, "need-tls-phase2-secrets-blob-key-password", "unexpected secrets failure"); ASSERT (hints == NULL, "need-tls-phase2-secrets-blob-key-password", "hints should be NULL since no secrets were required"); g_object_unref (connection); }