void
nm_active_connection_clear_secrets (NMActiveConnection *self)
{
NMActiveConnectionPrivate *priv;
g_return_if_fail (NM_IS_ACTIVE_CONNECTION (self));
priv = NM_ACTIVE_CONNECTION_GET_PRIVATE (self);
if (nm_settings_connection_has_unmodified_applied_connection (priv->settings_connection,
priv->applied_connection,
NM_SETTING_COMPARE_FLAG_NONE))
nm_connection_clear_secrets ((NMConnection *) priv->settings_connection);
nm_connection_clear_secrets (priv->applied_connection);
}
void
nm_active_connection_set_settings_connection (NMActiveConnection *self,
NMSettingsConnection *connection)
{
NMActiveConnectionPrivate *priv;
g_return_if_fail (NM_IS_ACTIVE_CONNECTION (self));
priv = NM_ACTIVE_CONNECTION_GET_PRIVATE (self);
g_return_if_fail (NM_IS_SETTINGS_CONNECTION (connection));
g_return_if_fail (!priv->settings_connection);
g_return_if_fail (!priv->applied_connection);
/* Can't change connection after the ActiveConnection is exported over D-Bus.
*
* Later, we want to change the settings-connection of an activated connection.
* When doing that, this changes the assumption that the settings-connection
* never changes (once it's set). That has effects for NMVpnConnection and
* NMActivationRequest.
* For example, we'd have to cancel all pending seret requests. */
g_return_if_fail (!nm_exported_object_is_exported (NM_EXPORTED_OBJECT (self)));
_set_settings_connection (self, connection);
priv->applied_connection = nm_simple_connection_new_clone (NM_CONNECTION (priv->settings_connection));
nm_connection_clear_secrets (priv->applied_connection);
}
static void
device_state_changed (NMDevice *device,
NMDeviceState new_state,
NMDeviceState old_state,
NMDeviceStateReason reason,
gpointer user_data)
{
NMPolicy *policy = (NMPolicy *) user_data;
NMConnection *connection = get_device_connection (device);
switch (new_state) {
case NM_DEVICE_STATE_FAILED:
/* Mark the connection invalid if it failed during activation so that
* it doesn't get automatically chosen over and over and over again.
*/
if (connection && IS_ACTIVATING_STATE (old_state)) {
g_object_set_data (G_OBJECT (connection), INVALID_TAG, GUINT_TO_POINTER (TRUE));
nm_log_info (LOGD_DEVICE, "Marking connection '%s' invalid.", get_connection_id (connection));
nm_connection_clear_secrets (connection);
}
schedule_activate_check (policy, device, 3);
break;
case NM_DEVICE_STATE_ACTIVATED:
if (connection) {
/* Clear the invalid tag on the connection */
g_object_set_data (G_OBJECT (connection), INVALID_TAG, NULL);
/* And clear secrets so they will always be requested from the
* settings service when the next connection is made.
*/
nm_connection_clear_secrets (connection);
}
update_routing_and_dns (policy, FALSE);
break;
case NM_DEVICE_STATE_UNMANAGED:
case NM_DEVICE_STATE_UNAVAILABLE:
case NM_DEVICE_STATE_DISCONNECTED:
update_routing_and_dns (policy, FALSE);
schedule_activate_check (policy, device, 0);
break;
default:
break;
}
}
static void
updated_connection_cb (NMRemoteConnection *connection,
GError *error,
gpointer data)
{
NetConnectionEditor *editor = data;
nm_connection_clear_secrets (NM_CONNECTION (connection));
update_complete (editor, error);
}
static void
impl_ppp_manager_need_secrets (NMPPPManager *manager,
DBusGMethodInvocation *context)
{
NMPPPManagerPrivate *priv = NM_PPP_MANAGER_GET_PRIVATE (manager);
NMConnection *connection;
const char *setting_name;
const char *username = NULL;
const char *password = NULL;
guint32 tries;
GPtrArray *hints = NULL;
GError *error = NULL;
NMSettingsGetSecretsFlags flags = NM_SETTINGS_GET_SECRETS_FLAG_ALLOW_INTERACTION;
connection = nm_act_request_get_connection (priv->act_req);
nm_connection_clear_secrets (connection);
setting_name = nm_connection_need_secrets (connection, &hints);
if (!setting_name) {
/* Use existing secrets from the connection */
if (extract_details_from_connection (connection, &username, &password, &error)) {
/* Send existing secrets to the PPP plugin */
priv->pending_secrets_context = context;
ppp_secrets_cb (priv->act_req, priv->secrets_id, connection, NULL, manager);
} else {
nm_log_warn (LOGD_PPP, "%s", error->message);
dbus_g_method_return_error (priv->pending_secrets_context, error);
g_clear_error (&error);
}
return;
}
/* Only ask for completely new secrets after retrying them once; some devices
* appear to ask a few times when they actually don't even care what you
* pass back.
*/
tries = GPOINTER_TO_UINT (g_object_get_data (G_OBJECT (connection), PPP_MANAGER_SECRET_TRIES));
if (tries > 1)
flags |= NM_SETTINGS_GET_SECRETS_FLAG_REQUEST_NEW;
priv->secrets_id = nm_act_request_get_secrets (priv->act_req,
setting_name,
flags,
hints ? g_ptr_array_index (hints, 0) : NULL,
ppp_secrets_cb,
manager);
g_object_set_data (G_OBJECT (connection), PPP_MANAGER_SECRET_TRIES, GUINT_TO_POINTER (++tries));
priv->pending_secrets_context = context;
if (hints)
g_ptr_array_free (hints, TRUE);
}
static void
set_property (GObject *object, guint prop_id,
const GValue *value, GParamSpec *pspec)
{
NMActiveConnection *self = (NMActiveConnection *) object;
NMActiveConnectionPrivate *priv = NM_ACTIVE_CONNECTION_GET_PRIVATE (self);
const char *tmp;
NMSettingsConnection *con;
switch (prop_id) {
case PROP_INT_SETTINGS_CONNECTION:
/* construct-only */
con = g_value_get_object (value);
if (con) {
_set_settings_connection (self, con);
priv->applied_connection = nm_simple_connection_new_clone ((NMConnection *) priv->settings_connection);
nm_connection_clear_secrets (priv->applied_connection);
}
break;
case PROP_INT_DEVICE:
/* construct-only */
nm_active_connection_set_device (self, g_value_get_object (value));
break;
case PROP_INT_SUBJECT:
priv->subject = g_value_dup_object (value);
break;
case PROP_INT_MASTER:
nm_active_connection_set_master (self, g_value_get_object (value));
break;
case PROP_SPECIFIC_OBJECT:
tmp = g_value_get_string (value);
/* NM uses "/" to mean NULL */
if (g_strcmp0 (tmp, "/") != 0)
priv->specific_object = g_strdup (tmp);
break;
case PROP_DEFAULT:
priv->is_default = !!g_value_get_boolean (value);
break;
case PROP_DEFAULT6:
priv->is_default6 = !!g_value_get_boolean (value);
break;
case PROP_VPN:
priv->vpn = g_value_get_boolean (value);
break;
case PROP_MASTER:
break;
default:
G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
break;
}
}
static void
save_connection_and_exit (NmtNewtButton *button,
gpointer user_data)
{
NmtEditor *editor = user_data;
NmtEditorPrivate *priv = NMT_EDITOR_GET_PRIVATE (editor);
NmtSyncOp op;
GError *error = NULL;
if (!nm_connection_replace_settings_from_connection (priv->orig_connection,
priv->edit_connection,
&error)) {
nmt_newt_message_dialog (_("Error saving connection: %s"), error->message);
g_error_free (error);
return;
}
nmt_sync_op_init (&op);
if (NM_IS_REMOTE_CONNECTION (priv->orig_connection)) {
nm_remote_connection_commit_changes (NM_REMOTE_CONNECTION (priv->orig_connection),
connection_updated, &op);
if (!nmt_sync_op_wait_boolean (&op, &error)) {
nmt_newt_message_dialog (_("Unable to save connection: %s"),
error->message);
g_error_free (error);
return;
}
/* Clear secrets so they don't lay around in memory; they'll get
* requested again anyway next time the connection is edited.
*/
nm_connection_clear_secrets (priv->orig_connection);
} else {
nm_remote_settings_add_connection (nm_settings, priv->orig_connection,
connection_added, &op);
if (!nmt_sync_op_wait_boolean (&op, &error)) {
nmt_newt_message_dialog (_("Unable to add new connection: %s"),
error->message);
g_error_free (error);
return;
}
}
nmt_newt_form_quit (NMT_NEWT_FORM (editor));
}
static void
updated_connection_cb (GObject *connection,
GAsyncResult *result,
gpointer user_data)
{
NMConnectionEditor *self = NM_CONNECTION_EDITOR (user_data);
GError *error = NULL;
nm_remote_connection_commit_changes_finish (NM_REMOTE_CONNECTION (connection),
result, &error);
/* Clear secrets so they don't lay around in memory; they'll get requested
* again anyway next time the connection is edited.
*/
nm_connection_clear_secrets (NM_CONNECTION (connection));
update_complete (self, error);
g_clear_error (&error);
}
static void
connection_secrets_response_cb (NMAWirelessDialog *dialog,
gint response,
gpointer user_data)
{
SecretsRequestInfo *info = user_data;
NMConnection *connection;
GHashTable *settings = NULL;
NMSetting *s_wireless_sec;
const char *key_mgmt;
GError *error = NULL;
gtk_widget_hide (GTK_WIDGET (dialog));
connection = nma_wireless_dialog_get_connection (dialog);
if (response != GTK_RESPONSE_OK) {
error = g_error_new (NM_SETTINGS_INTERFACE_ERROR,
NM_SETTINGS_INTERFACE_ERROR_SECRETS_REQUEST_CANCELED,
"%s.%d (%s): canceled",
__FILE__, __LINE__, __func__);
goto done;
}
/* Returned secrets are a{sa{sv}}; this is the outer a{s...} hash that
* will contain all the individual settings hashes.
*/
settings = g_hash_table_new_full (g_str_hash, g_str_equal,
g_free, (GDestroyNotify) g_hash_table_destroy);
/* If the user chose an 802.1x-based auth method, return 802.1x secrets,
* not wireless secrets. Can happen with Dynamic WEP, because NM doesn't
* know the capabilities of the AP (since Dynamic WEP APs don't broadcast
* beacons), and therefore defaults to requesting WEP secrets from the
* wireless-security setting, not the 802.1x setting.
*/
s_wireless_sec = nm_connection_get_setting (connection, NM_TYPE_SETTING_WIRELESS_SECURITY);
key_mgmt = nm_setting_wireless_security_get_key_mgmt (NM_SETTING_WIRELESS_SECURITY (s_wireless_sec));
if (!strcmp (key_mgmt, "ieee8021x") || !strcmp (key_mgmt, "wpa-eap")) {
const char *auth_alg;
/* LEAP secrets aren't in the 802.1x setting */
auth_alg = nm_setting_wireless_security_get_auth_alg (NM_SETTING_WIRELESS_SECURITY (s_wireless_sec));
if (!auth_alg || strcmp (auth_alg, "leap")) {
NMSetting *s_8021x;
s_8021x = nm_connection_get_setting (connection, NM_TYPE_SETTING_802_1X);
if (!s_8021x) {
error = g_error_new (NM_SETTINGS_INTERFACE_ERROR,
NM_SETTINGS_INTERFACE_ERROR_INVALID_CONNECTION,
"%s.%d (%s): requested setting '802-1x' didn't"
" exist in the connection.",
__FILE__, __LINE__, __func__);
goto done;
}
/* Add the 802.1x setting */
g_hash_table_insert (settings,
g_strdup (nm_setting_get_name (s_8021x)),
nm_setting_to_hash (s_8021x));
}
}
/* Add the 802-11-wireless-security setting no matter what */
g_hash_table_insert (settings,
g_strdup (nm_setting_get_name (s_wireless_sec)),
nm_setting_to_hash (s_wireless_sec));
info->callback ((NMSettingsConnectionInterface *) connection, settings, NULL, info->callback_data);
/* Save the connection back to GConf _after_ hashing it, because
* saving to GConf might trigger the GConf change notifiers, resulting
* in the connection being read back in from GConf which clears secrets.
*/
if (NM_IS_GCONF_CONNECTION (connection)) {
nm_settings_connection_interface_update (NM_SETTINGS_CONNECTION_INTERFACE (connection),
update_cb,
NULL);
}
done:
if (settings)
g_hash_table_destroy (settings);
if (error) {
g_warning ("%s", error->message);
info->callback (NM_SETTINGS_CONNECTION_INTERFACE (connection), NULL, error, info->callback_data);
g_error_free (error);
}
g_free (info);
if (connection)
nm_connection_clear_secrets (connection);
gtk_widget_destroy (GTK_WIDGET (dialog));
}
static void
test_need_tls_phase2_secrets_blob (void)
{
NMConnection *connection;
const char *setting_name;
GPtrArray *hints = NULL;
NMSetting8021x *s_8021x;
connection = make_tls_phase2_connection ("need-tls-phase2-secrets-blob-key",
NM_SETTING_802_1X_CK_SCHEME_BLOB);
ASSERT (connection != NULL,
"need-tls-phase2-secrets-blob-key",
"error creating test connection");
/* Ensure we don't need any secrets since we just set up the connection */
setting_name = nm_connection_need_secrets (connection, &hints);
ASSERT (setting_name == NULL,
"need-tls-phase2-secrets-blob-key",
"secrets are unexpectedly required");
ASSERT (hints == NULL,
"need-tls-phase2-secrets-blob-key",
"hints should be NULL since no secrets were required");
/* Connection is good; clear secrets and ensure private key is then required */
nm_connection_clear_secrets (connection);
hints = NULL;
setting_name = nm_connection_need_secrets (connection, &hints);
ASSERT (setting_name != NULL,
"need-tls-phase2-secrets-blob-key",
"unexpected secrets success");
ASSERT (strcmp (setting_name, NM_SETTING_802_1X_SETTING_NAME) == 0,
"need-tls-phase2-secrets-blob-key",
"unexpected setting secrets required");
ASSERT (hints != NULL,
"need-tls-phase2-secrets-blob-key",
"expected returned secrets hints");
ASSERT (find_hints_item (hints, NM_SETTING_802_1X_PHASE2_PRIVATE_KEY),
"need-tls-phase2-secrets-blob-key",
"expected to require private key, but it wasn't");
g_object_unref (connection);
/*** Just clear the private key this time ***/
connection = make_tls_phase2_connection ("need-tls-phase2-secrets-blob-key-password",
NM_SETTING_802_1X_CK_SCHEME_BLOB);
ASSERT (connection != NULL,
"need-tls-phase2-secrets-blob-key-password",
"error creating test connection");
s_8021x = (NMSetting8021x *) nm_connection_get_setting (connection, NM_TYPE_SETTING_802_1X);
ASSERT (s_8021x != NULL,
"need-tls-phase2-secrets-blob-key-password",
"error getting test 802.1x setting");
g_object_set (G_OBJECT (s_8021x), NM_SETTING_802_1X_PHASE2_PRIVATE_KEY_PASSWORD, NULL, NULL);
/* Blobs are already decrypted and don't need a password */
hints = NULL;
setting_name = nm_connection_need_secrets (connection, &hints);
ASSERT (setting_name == NULL,
"need-tls-phase2-secrets-blob-key-password",
"unexpected secrets failure");
ASSERT (hints == NULL,
"need-tls-phase2-secrets-blob-key-password",
"hints should be NULL since no secrets were required");
g_object_unref (connection);
}
