From ee9be9cef769cdfb3a14ec65741f1c36d0b1ac32 Mon Sep 17 00:00:00 2001 From: Thomas Haller Date: Tue, 4 Mar 2014 14:32:46 +0100 Subject: [PATCH 01/10] core: fix adding gateway routes within the own subnet Before, when adding a gateway route to a destination within the current subnets, it would be skipped because of the wrong assumption that we already have a prefix route to that destination. This assumption is wrong, because we want to reach the more specific subnet via a gateway and not directly on the link. Signed-off-by: Thomas Haller (cherry picked from commit 4f7b1cabc063bfda96cb5c129d6a233e5d5cff68) --- src/nm-ip4-config.c | 3 ++- src/nm-ip6-config.c | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/src/nm-ip4-config.c b/src/nm-ip4-config.c index bb85926..b7ae161 100644 --- a/src/nm-ip4-config.c +++ b/src/nm-ip4-config.c @@ -169,7 +169,8 @@ nm_ip4_config_commit (const NMIP4Config *config, int ifindex, int priority) /* Don't add the route if it's more specific than one of the subnets * the device already has an IP address on. */ - if (nm_ip4_config_destination_is_direct (config, route.network, route.plen)) + if ( route.gateway == 0 + && nm_ip4_config_destination_is_direct (config, route.network, route.plen)) continue; /* Don't add the default route when and the connection diff --git a/src/nm-ip6-config.c b/src/nm-ip6-config.c index 3a56f4f..2a6c8a3 100644 --- a/src/nm-ip6-config.c +++ b/src/nm-ip6-config.c @@ -168,7 +168,8 @@ nm_ip6_config_commit (const NMIP6Config *config, int ifindex, int priority) /* Don't add the route if it's more specific than one of the subnets * the device already has an IP address on. */ - if (nm_ip6_config_destination_is_direct (config, &route.network, route.plen)) + if ( IN6_IS_ADDR_UNSPECIFIED (&route.gateway) + && nm_ip6_config_destination_is_direct (config, &route.network, route.plen)) continue; /* Don't add the default route when and the connection -- 1.8.5.3 
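Review bot: The comment kept above the changed condition in nm_ip4_config_commit still says a route is skipped whenever it is more specific than a subnet the device has an address on, but the new test skips it only when `route.gateway == 0`. I would reword it to match the code, for example `/* Don't add a gateway-less route if it's more specific than one of the subnets the device already has an IP address on; routes via a gateway are still added. */`. The same stale comment sits above the `IN6_IS_ADDR_UNSPECIFIED (&route.gateway)` check in the nm_ip6_config_commit hunk. Both functions continue outside their hunks.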
From 9efbadda08792db99d708a89586be31445d61f83 Mon Sep 17 00:00:00 2001 From: Thomas Haller Date: Tue, 4 Mar 2014 14:30:01 +0100 Subject: [PATCH 02/10] tivial/core: move common #defines to header file Signed-off-by: Thomas Haller (cherry picked from commit 8cd0de231a27d26e719f1b747f95ae53f5fec59e) --- src/devices/nm-device.c | 8 -------- src/platform/nm-platform.c | 8 -------- src/platform/nm-platform.h | 8 ++++++++ 3 files changed, 8 insertions(+), 16 deletions(-) diff --git a/src/devices/nm-device.c b/src/devices/nm-device.c index 7757153..6f3213a 100644 --- a/src/devices/nm-device.c +++ b/src/devices/nm-device.c @@ -69,14 +69,6 @@ #include "nm-config.h" #include "nm-platform.h" -/* workaround for older libnl version, that does not define these flags. */ -#ifndef IFA_F_MANAGETEMPADDR -#define IFA_F_MANAGETEMPADDR 0x100 -#endif -#ifndef IFA_F_NOPREFIXROUTE -#define IFA_F_NOPREFIXROUTE 0x200 -#endif - static void impl_device_disconnect (NMDevice *device, DBusGMethodInvocation *context); #include "nm-device-glue.h" diff --git a/src/platform/nm-platform.c b/src/platform/nm-platform.c index 37d4318..97540fc 100644 --- a/src/platform/nm-platform.c +++ b/src/platform/nm-platform.c @@ -33,14 +33,6 @@ #include "nm-logging.h" #include "nm-enum-types.h" -/* workaround for older libnl version, that does not define these flags. */ -#ifndef IFA_F_MANAGETEMPADDR -#define IFA_F_MANAGETEMPADDR 0x100 -#endif -#ifndef IFA_F_NOPREFIXROUTE -#define IFA_F_NOPREFIXROUTE 0x200 -#endif - #define debug(...) nm_log_dbg (LOGD_PLATFORM, __VA_ARGS__) #define NM_PLATFORM_GET_PRIVATE(o) (G_TYPE_INSTANCE_GET_PRIVATE ((o), NM_TYPE_PLATFORM, NMPlatformPrivate)) diff --git a/src/platform/nm-platform.h b/src/platform/nm-platform.h index 9375148..2725dd9 100644 --- a/src/platform/nm-platform.h +++ b/src/platform/nm-platform.h 
@@ -35,6 +35,14 @@ /******************************************************************/ +/* workaround for older libnl version, that does not define these flags. */ +#ifndef IFA_F_MANAGETEMPADDR +#define IFA_F_MANAGETEMPADDR 0x100 +#endif +#ifndef IFA_F_NOPREFIXROUTE +#define IFA_F_NOPREFIXROUTE 0x200 +#endif + typedef enum { /* no error specified, sometimes this means the arguments were wrong */ NM_PLATFORM_ERROR_NONE, -- 1.8.5.3 From b35e2118ac4c4380e3b7536b98f64bec195898ff Mon Sep 17 00:00:00 2001 From: Thomas Haller Date: Tue, 4 Mar 2014 14:34:12 +0100 Subject: [PATCH 03/10] core: fix adding gateway route for IPv6 Setting the address flag IFA_F_NOPREFIXROUTE broke adding the device route to the IPv6 prefix because the check for nm_ip6_config_destination_is_direct() caused the route to be skipped. This, together with the kernel no longer adding the prefix route resulted in no device route for autoconf /64 prefixes. https://bugzilla.redhat.com/show_bug.cgi?id=1068632 https://bugzilla.redhat.com/show_bug.cgi?id=1072410 Signed-off-by: Thomas Haller (cherry picked from commit d6f6ccef432fb45a30b0b642975acd36d08410fb) --- src/devices/nm-device.c | 9 +++++---- src/nm-ip6-config.c | 3 ++- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/src/devices/nm-device.c b/src/devices/nm-device.c index 6f3213a..c7f72b8 100644 --- a/src/devices/nm-device.c +++ b/src/devices/nm-device.c 
@@ -3282,13 +3282,14 @@ rdisc_config_changed (NMRDisc *rdisc, NMRDiscConfigMap changed, NMDevice *device nm_platform_check_support_kernel_extended_ifa_flags (); } - /* without system_support, these flags will be ignored. - * Still, we set them (why not?). - **/ - ifa_flags = IFA_F_NOPREFIXROUTE; + if (system_support) + ifa_flags = IFA_F_NOPREFIXROUTE; if (priv->rdisc_use_tempaddr == NM_SETTING_IP6_CONFIG_PRIVACY_PREFER_TEMP_ADDR || priv->rdisc_use_tempaddr == NM_SETTING_IP6_CONFIG_PRIVACY_PREFER_PUBLIC_ADDR) + { + /* without system_support, this flag will be ignored. Still set it, doesn't seem to do any harm. */ ifa_flags |= IFA_F_MANAGETEMPADDR; + } g_return_if_fail (priv->act_request); connection = nm_device_get_connection (device); diff --git a/src/nm-ip6-config.c b/src/nm-ip6-config.c index 2a6c8a3..58ad2e0 100644 --- a/src/nm-ip6-config.c +++ b/src/nm-ip6-config.c @@ -398,7 +398,8 @@ nm_ip6_config_destination_is_direct (const NMIP6Config *config, const struct in6 for (i = 0; i < num; i++) { const NMPlatformIP6Address *item = nm_ip6_config_get_address (config, i); - if (item->plen <= plen && same_prefix (&item->address, network, item->plen)) + if (item->plen <= plen && same_prefix (&item->address, network, item->plen) && + !(item->flags & IFA_F_NOPREFIXROUTE)) return TRUE; } -- 1.8.5.3 From cf576344d6f2e7616daf50b5e3dcd1dd1bbbf663 Mon Sep 17 00:00:00 2001 From: Dan Winship Date: Thu, 6 Mar 2014 11:58:50 -0500 Subject: [PATCH 04/10] rdisc: set the expiration timer correctly (rh #1073560) check_timestamps() was mixing up absolute and relative timestamps, which meant that IPv6 expiration checks more-or-less stopped happening after a while, allowing expired IPv6 routes, etc, to remain applied. (cherry picked from commit 5ec9b9e97c1e1647c7bb45c79518f1c49cb23cd6) --- src/rdisc/nm-lndp-rdisc.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/rdisc/nm-lndp-rdisc.c b/src/rdisc/nm-lndp-rdisc.c index 7d61b59..048cae9 100644 
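Review bot: In rdisc_config_changed the assignment `ifa_flags = IFA_F_NOPREFIXROUTE` is now conditional on `system_support`, while `ifa_flags |= IFA_F_MANAGETEMPADDR` a few lines later still reads the variable. The declaration of `ifa_flags` is outside the hunk, so please confirm that it carries an initialiser. If it does not, the `|=` reads an indeterminate value whenever `system_support` is false, and the declaration should gain `= 0`.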
--- a/src/rdisc/nm-lndp-rdisc.c +++ b/src/rdisc/nm-lndp-rdisc.c @@ -380,8 +380,10 @@ check_timestamps (NMRDisc *rdisc, guint32 now, NMRDiscConfigMap changed) g_signal_emit_by_name (rdisc, NM_RDISC_CONFIG_CHANGED, changed); if (nextevent != never) { - debug ("(%s): scheduling next now/lifetime check: %u seconds", rdisc->ifname, nextevent); - priv->timeout_id = g_timeout_add_seconds (nextevent, timeout_cb, rdisc); + g_return_if_fail (nextevent > now); + debug ("(%s): scheduling next now/lifetime check: %u seconds", + rdisc->ifname, nextevent - now); + priv->timeout_id = g_timeout_add_seconds (nextevent - now, timeout_cb, rdisc); } } -- 1.8.5.3 From 97aefecea0465f0a56733d42cf19393e42c4fa03 Mon Sep 17 00:00:00 2001 From: Dan Winship Date: Tue, 4 Mar 2014 18:18:13 -0500 Subject: [PATCH 05/10] libnm-glib: fix a double free in NMDeviceVlan (cherry picked from commit 6300ea57ab4ee57a1afa4c76cb1d9503d78385a7) --- libnm-glib/nm-device-vlan.c | 1 - 1 file changed, 1 deletion(-) diff --git a/libnm-glib/nm-device-vlan.c b/libnm-glib/nm-device-vlan.c index bd4cb78..3e20240 100644 --- a/libnm-glib/nm-device-vlan.c +++ b/libnm-glib/nm-device-vlan.c @@ -198,7 +198,6 @@ connection_compatible (NMDevice *device, NMConnection *connection, GError **erro if (!g_strcmp0 (mac_address_str, NM_DEVICE_VLAN_GET_PRIVATE (device)->hw_address)) { g_set_error (error, NM_DEVICE_VLAN_ERROR, NM_DEVICE_VLAN_ERROR_MAC_MISMATCH, "The hardware address of the device and the connection didn't match."); - g_free (mac_address_str); } g_free (mac_address_str); } -- 1.8.5.3 From e2ba3d96521c032dc88f6e9a8ae77d2c381f3cbc Mon Sep 17 00:00:00 2001 
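Review bot: `g_return_if_fail (nextevent > now)` in check_timestamps makes the function return without arming any timer when the next event is not strictly in the future, so lifetime checks would stop and expired router-discovery state could stay applied, which is the failure the commit message describes. In a build with GLib checks disabled the guard disappears and `nextevent - now` would wrap to a very large timeout, assuming both values are unsigned as `guint32 now` and the `%u` format suggest. Whether `nextevent <= now` can occur depends on code above the hunk; if it can, clamping is safer than bailing out, for example `guint32 delay = nextevent > now ? nextevent - now : 1;` followed by `g_timeout_add_seconds (delay, timeout_cb, rdisc);`. The function body starts outside the hunk.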
From: =?UTF-8?q?Ji=C5=99=C3=AD=20Klime=C5=A1?= Date: Tue, 25 Feb 2014 15:27:20 +0100 Subject: [PATCH 06/10] ifcfg-rh: add missing functionality for reading/writing subject matches subject-match - IEEE_8021X_SUBJECT_MATCH altsubject-matches - IEEE_8021X_ALTSUBJECT_MATCHES phase2-subject-match - IEEE_8021X_PHASE2_SUBJECT_MATCH phase2-altsubject-matches - IEEE_8021X_PHASE2_ALTSUBJECT_MATCHES And a testcase of course. (cherry picked from commit cb680c5b54fdb5453d04e3dcdb3d33f445f00a95) --- src/settings/plugins/ifcfg-rh/reader.c | 46 ++++++++++++++ .../ifcfg-rh/tests/network-scripts/Makefile.am | 1 + .../ifcfg-test-wired-802-1X-subj-matches | 17 +++++ .../plugins/ifcfg-rh/tests/test-ifcfg-rh.c | 74 ++++++++++++++++++++++ src/settings/plugins/ifcfg-rh/writer.c | 38 ++++++++++- 5 files changed, 175 insertions(+), 1 deletion(-) create mode 100644 src/settings/plugins/ifcfg-rh/tests/network-scripts/ifcfg-test-wired-802-1X-subj-matches diff --git a/src/settings/plugins/ifcfg-rh/reader.c b/src/settings/plugins/ifcfg-rh/reader.c index 4586b5c..e512402 100644 --- a/src/settings/plugins/ifcfg-rh/reader.c +++ b/src/settings/plugins/ifcfg-rh/reader.c 
@@ -2720,6 +2720,39 @@ static EAPReader eap_readers[] = { { NULL, NULL } }; +static void +read_8021x_list_value (shvarFile *ifcfg, + const char *ifcfg_var_name, + NMSetting8021x *setting, + const char *prop_name) +{ + char *value; + char **strv, **iter; + GSList *gslist = NULL; + + g_return_if_fail (ifcfg != NULL); + g_return_if_fail (ifcfg_var_name != NULL); + g_return_if_fail (prop_name != NULL); + + value = svGetValue (ifcfg, ifcfg_var_name, FALSE); + if (!value) + return; + + strv = g_strsplit_set (value, " \t", 0); + for (iter = strv; iter && *iter; iter++) { + if (*iter[0] == '\0') + continue; + gslist = g_slist_prepend (gslist, *iter); + } + if (gslist) { + gslist = g_slist_reverse (gslist); + g_object_set (setting, prop_name, gslist, NULL); + g_slist_free (gslist); + } + g_strfreev (strv); + g_free (value); +} + static NMSetting8021x * fill_8021x (shvarFile *ifcfg, const char *file, @@ -2796,6 +2829,19 @@ fill_8021x (shvarFile *ifcfg, goto error; } + value = svGetValue (ifcfg, "IEEE_8021X_SUBJECT_MATCH", FALSE); + g_object_set (s_8021x, NM_SETTING_802_1X_SUBJECT_MATCH, value, NULL); + g_free (value); + + value = svGetValue (ifcfg, "IEEE_8021X_PHASE2_SUBJECT_MATCH", FALSE); + g_object_set (s_8021x, NM_SETTING_802_1X_PHASE2_SUBJECT_MATCH, value, NULL); + g_free (value); + + read_8021x_list_value (ifcfg, "IEEE_8021X_ALTSUBJECT_MATCHES", + s_8021x, NM_SETTING_802_1X_ALTSUBJECT_MATCHES); + read_8021x_list_value (ifcfg, "IEEE_8021X_PHASE2_ALTSUBJECT_MATCHES", + s_8021x, NM_SETTING_802_1X_PHASE2_ALTSUBJECT_MATCHES); + if (list) g_strfreev (list); if (keys) diff --git a/src/settings/plugins/ifcfg-rh/tests/network-scripts/Makefile.am b/src/settings/plugins/ifcfg-rh/tests/network-scripts/Makefile.am index 9f0c733..2f24fc3 100644 --- a/src/settings/plugins/ifcfg-rh/tests/network-scripts/Makefile.am +++ b/src/settings/plugins/ifcfg-rh/tests/network-scripts/Makefile.am 
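Review bot: `*iter[0] == '\0'` in read_8021x_list_value parses as `*(iter[0])`, which is the intended first character only because the index is 0; `(*iter)[0] == '\0'` or `**iter == '\0'` says the same thing without relying on operator precedence. The function also checks `ifcfg`, `ifcfg_var_name` and `prop_name` with g_return_if_fail but not `setting`, which is passed to g_object_set, so `g_return_if_fail (setting != NULL);` would make the guards consistent. A short comment above the function stating that the value is split on spaces and tabs and that empty tokens are dropped would document the ifcfg list format for later readers.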
@@ -17,6 +17,7 @@ EXTRA_DIST = \ keys-test-wired-8021x-peap-mschapv2 \ ifcfg-test-wired-8021x-tls-agent \ ifcfg-test-wired-8021x-tls-always \ + ifcfg-test-wired-802-1X-subj-matches \ ifcfg-test-onboot-no \ ifcfg-test-noip \ ifcfg-test-wifi-open \ diff --git a/src/settings/plugins/ifcfg-rh/tests/network-scripts/ifcfg-test-wired-802-1X-subj-matches b/src/settings/plugins/ifcfg-rh/tests/network-scripts/ifcfg-test-wired-802-1X-subj-matches new file mode 100644 index 0000000..70d69bf --- /dev/null +++ b/src/settings/plugins/ifcfg-rh/tests/network-scripts/ifcfg-test-wired-802-1X-subj-matches @@ -0,0 +1,17 @@ +# Intel Corporation 82540EP Gigabit Ethernet Controller (Mobile) +TYPE=Ethernet +DEVICE=eth0 +HWADDR=00:11:22:33:44:ee +BOOTPROTO=dhcp +ONBOOT=yes +NM_CONTROLLED=yes +KEY_MGMT=IEEE8021X +IEEE_8021X_EAP_METHODS=PEAP +IEEE_8021X_IDENTITY="Jara Cimrman" +IEEE_8021X_PEAP_VERSION=1 +IEEE_8021X_INNER_AUTH_METHODS=GTC +IEEE_8021X_PASSWORD_FLAGS="user ask" +IEEE_8021X_SUBJECT_MATCH=server1.yourdomain.tld +IEEE_8021X_ALTSUBJECT_MATCHES="a.yourdomain.tld b.yourdomain.tld c.yourdomain.tld" +IEEE_8021X_PHASE2_SUBJECT_MATCH=server2.yourdomain.tld +IEEE_8021X_PHASE2_ALTSUBJECT_MATCHES="x.yourdomain.tld y.yourdomain.tld" diff --git a/src/settings/plugins/ifcfg-rh/tests/test-ifcfg-rh.c b/src/settings/plugins/ifcfg-rh/tests/test-ifcfg-rh.c index 7c3d989..fc7119d 100644 --- a/src/settings/plugins/ifcfg-rh/tests/test-ifcfg-rh.c +++ b/src/settings/plugins/ifcfg-rh/tests/test-ifcfg-rh.c 
@@ -2614,6 +2614,79 @@ test_read_wired_8021x_tls_secret_flags (const char *ifcfg, NMSettingSecretFlags g_object_unref (connection); } +static void +test_read_write_802_1X_subj_matches (void) +{ + NMConnection *connection, *reread; + NMSetting8021x *s_8021x; + char *written = NULL; + GError *error = NULL; + gboolean success = FALSE; + + connection = connection_from_file (TEST_IFCFG_DIR"/network-scripts/ifcfg-test-wired-802-1X-subj-matches", + NULL, TYPE_ETHERNET, NULL, NULL, + NULL, NULL, NULL, &error, NULL); + g_assert_no_error (error); + g_assert (connection != NULL); + + /* ===== 802.1x SETTING ===== */ + s_8021x = nm_connection_get_setting_802_1x (connection); + g_assert (s_8021x); + g_assert_cmpint (nm_setting_802_1x_get_num_eap_methods (s_8021x), ==, 1); + g_assert_cmpstr (nm_setting_802_1x_get_eap_method (s_8021x, 0), ==, "peap"); + g_assert_cmpstr (nm_setting_802_1x_get_identity (s_8021x), ==, "Jara Cimrman"); + g_assert_cmpstr (nm_setting_802_1x_get_subject_match (s_8021x), ==, "server1.yourdomain.tld"); + g_assert_cmpstr (nm_setting_802_1x_get_phase2_subject_match (s_8021x), ==, "server2.yourdomain.tld"); + g_assert_cmpint (nm_setting_802_1x_get_num_altsubject_matches (s_8021x), ==, 3); + g_assert_cmpstr (nm_setting_802_1x_get_altsubject_match (s_8021x, 0), ==, "a.yourdomain.tld"); + g_assert_cmpstr (nm_setting_802_1x_get_altsubject_match (s_8021x, 1), ==, "b.yourdomain.tld"); + g_assert_cmpstr (nm_setting_802_1x_get_altsubject_match (s_8021x, 2), ==, "c.yourdomain.tld"); + g_assert_cmpint (nm_setting_802_1x_get_num_phase2_altsubject_matches (s_8021x), ==, 2); + g_assert_cmpstr (nm_setting_802_1x_get_phase2_altsubject_match (s_8021x, 0), ==, "x.yourdomain.tld"); + g_assert_cmpstr (nm_setting_802_1x_get_phase2_altsubject_match (s_8021x, 1), ==, "y.yourdomain.tld"); + + success = writer_new_connection (connection, + TEST_SCRATCH_DIR "/network-scripts/", + &written, + &error); + g_assert (success); + + /* re-read the connection for comparison */ + reread = 
connection_from_file (written, NULL, TYPE_ETHERNET, NULL, NULL, + NULL, NULL, NULL, &error, NULL); + unlink (written); + g_free (written); + + g_assert_no_error (error); + g_assert (reread != NULL); + + success = nm_connection_verify (reread, &error); + g_assert_no_error (error); + g_assert (success); + + success = nm_connection_compare (connection, reread, NM_SETTING_COMPARE_FLAG_EXACT); + g_assert (success); + + /* Check 802.1X stuff of the re-read connection. */ + s_8021x = nm_connection_get_setting_802_1x (reread); + g_assert (s_8021x); + g_assert_cmpint (nm_setting_802_1x_get_num_eap_methods (s_8021x), ==, 1); + g_assert_cmpstr (nm_setting_802_1x_get_eap_method (s_8021x, 0), ==, "peap"); + g_assert_cmpstr (nm_setting_802_1x_get_identity (s_8021x), ==, "Jara Cimrman"); + g_assert_cmpstr (nm_setting_802_1x_get_subject_match (s_8021x), ==, "server1.yourdomain.tld"); + g_assert_cmpstr (nm_setting_802_1x_get_phase2_subject_match (s_8021x), ==, "server2.yourdomain.tld"); + g_assert_cmpint (nm_setting_802_1x_get_num_altsubject_matches (s_8021x), ==, 3); + g_assert_cmpstr (nm_setting_802_1x_get_altsubject_match (s_8021x, 0), ==, "a.yourdomain.tld"); + g_assert_cmpstr (nm_setting_802_1x_get_altsubject_match (s_8021x, 1), ==, "b.yourdomain.tld"); + g_assert_cmpstr (nm_setting_802_1x_get_altsubject_match (s_8021x, 2), ==, "c.yourdomain.tld"); + g_assert_cmpint (nm_setting_802_1x_get_num_phase2_altsubject_matches (s_8021x), ==, 2); + g_assert_cmpstr (nm_setting_802_1x_get_phase2_altsubject_match (s_8021x, 0), ==, "x.yourdomain.tld"); + g_assert_cmpstr (nm_setting_802_1x_get_phase2_altsubject_match (s_8021x, 1), ==, "y.yourdomain.tld"); + + g_object_unref (connection); + g_object_unref (reread); +} + #define TEST_IFCFG_WIFI_OPEN TEST_IFCFG_DIR"/network-scripts/ifcfg-test-wifi-open" static void 
@@ -12522,6 +12595,7 @@ int main (int argc, char **argv) test_read_wired_8021x_tls_secret_flags (TEST_IFCFG_WIRED_8021X_TLS_AGENT, NM_SETTING_SECRET_FLAG_AGENT_OWNED); test_read_wired_8021x_tls_secret_flags (TEST_IFCFG_WIRED_8021X_TLS_ALWAYS, NM_SETTING_SECRET_FLAG_AGENT_OWNED | NM_SETTING_SECRET_FLAG_NOT_SAVED); + g_test_add_func (TPATH "802-1x/subj-mathes", test_read_write_802_1X_subj_matches); test_read_wifi_open (); test_read_wifi_open_auto (); test_read_wifi_open_ssid_hex (); diff --git a/src/settings/plugins/ifcfg-rh/writer.c b/src/settings/plugins/ifcfg-rh/writer.c index 11e1d7b..4a18d14 100644 --- a/src/settings/plugins/ifcfg-rh/writer.c +++ b/src/settings/plugins/ifcfg-rh/writer.c @@ -447,10 +447,12 @@ write_8021x_setting (NMConnection *connection, GError **error) { NMSetting8021x *s_8021x; - const char *value; + const char *value, *match; char *tmp = NULL; gboolean success = FALSE; GString *phase2_auth; + GString *str; + guint32 i, num; s_8021x = nm_connection_get_setting_802_1x (connection); if (!s_8021x) { 
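Review bot: The test path in the added `g_test_add_func` line of main is misspelled as `"802-1x/subj-mathes"`; it should read `g_test_add_func (TPATH "802-1x/subj-matches", test_read_write_802_1X_subj_matches);`. The new test is registered with GLib while the neighbouring tests in this hunk are called directly, so it runs only if main later reaches `g_test_run ()`, which is outside the hunk and worth confirming.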
@@ -545,6 +547,40 @@ write_8021x_setting (NMConnection *connection, g_string_free (phase2_auth, TRUE); + svSetValue (ifcfg, "IEEE_8021X_SUBJECT_MATCH", + nm_setting_802_1x_get_subject_match (s_8021x), + FALSE); + + svSetValue (ifcfg, "IEEE_8021X_PHASE2_SUBJECT_MATCH", + nm_setting_802_1x_get_phase2_subject_match (s_8021x), + FALSE); + + svSetValue (ifcfg, "IEEE_8021X_ALTSUBJECT_MATCHES", NULL, FALSE); + str = g_string_new (NULL); + num = nm_setting_802_1x_get_num_altsubject_matches (s_8021x); + for (i = 0; i < num; i++) { + if (i > 0) + g_string_append_c (str, ' '); + match = nm_setting_802_1x_get_altsubject_match (s_8021x, i); + g_string_append (str, match); + } + if (str->len > 0) + svSetValue (ifcfg, "IEEE_8021X_ALTSUBJECT_MATCHES", str->str, FALSE); + g_string_free (str, TRUE); + + svSetValue (ifcfg, "IEEE_8021X_PHASE2_ALTSUBJECT_MATCHES", NULL, FALSE); + str = g_string_new (NULL); + num = nm_setting_802_1x_get_num_phase2_altsubject_matches (s_8021x); + for (i = 0; i < num; i++) { + if (i > 0) + g_string_append_c (str, ' '); + match = nm_setting_802_1x_get_phase2_altsubject_match (s_8021x, i); + g_string_append (str, match); + } + if (str->len > 0) + svSetValue (ifcfg, "IEEE_8021X_PHASE2_ALTSUBJECT_MATCHES", str->str, FALSE); + g_string_free (str, TRUE); + success = write_8021x_certs (s_8021x, FALSE, ifcfg, error); if (success) { /* phase2/inner certs */ -- 1.8.5.3 From b0e648e7f40d16943e2e531e220b926993b2f7f7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ji=C5=99=C3=AD=20Klime=C5=A1?= Date: Tue, 25 Feb 2014 18:40:13 +0100 Subject: [PATCH 07/10] libnm-util: fix adding values to 'phase2-altsubject-matches' It was mixed up with 'altsubject-matches'. (cherry picked from commit 37894121605014781810add19169ba8cbbe4394c) --- libnm-util/nm-setting-8021x.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/libnm-util/nm-setting-8021x.c b/libnm-util/nm-setting-8021x.c index 58b2a44..ae03cd2 100644 --- a/libnm-util/nm-setting-8021x.c 
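Review bot: The alt-subject lists in write_8021x_setting are joined with a single space and nothing rejects or escapes an entry that itself contains a space or tab, while the reader side of this patch splits the value with `g_strsplit_set (value, " \t", 0)`. If such an entry can reach the setting, it would come back as several separate matches after a write and re-read, changing which server certificates the 802.1X configuration accepts. I would either skip and log such entries inside the loop or state the restriction in a comment such as `/* entries are space-separated in ifcfg; a match must not contain whitespace */`. The two loops differ only in the getters and the key, so a small static helper would remove the duplication. The function starts and ends outside the hunk.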
+++ b/libnm-util/nm-setting-8021x.c @@ -638,7 +638,7 @@ nm_setting_802_1x_get_altsubject_match (NMSetting8021x *setting, guint32 i) **/ gboolean nm_setting_802_1x_add_altsubject_match (NMSetting8021x *setting, - const char *altsubject_match) + const char *altsubject_match) { NMSetting8021xPrivate *priv; GSList *iter; @@ -652,7 +652,8 @@ nm_setting_802_1x_add_altsubject_match (NMSetting8021x *setting, return FALSE; } - priv->altsubject_matches = g_slist_append (priv->altsubject_matches, g_strdup (altsubject_match)); + priv->altsubject_matches = g_slist_append (priv->altsubject_matches, + g_strdup (altsubject_match)); g_object_notify (G_OBJECT (setting), NM_SETTING_802_1X_ALTSUBJECT_MATCHES); return TRUE; } @@ -1184,7 +1185,7 @@ nm_setting_802_1x_get_phase2_altsubject_match (NMSetting8021x *setting, guint32 **/ gboolean nm_setting_802_1x_add_phase2_altsubject_match (NMSetting8021x *setting, - const char *phase2_altsubject_match) + const char *phase2_altsubject_match) { NMSetting8021xPrivate *priv; GSList *iter; @@ -1198,8 +1199,8 @@ nm_setting_802_1x_add_phase2_altsubject_match (NMSetting8021x *setting, return FALSE; } - priv->phase2_altsubject_matches = g_slist_append (priv->altsubject_matches, - g_strdup (phase2_altsubject_match)); + priv->phase2_altsubject_matches = g_slist_append (priv->phase2_altsubject_matches, + g_strdup (phase2_altsubject_match)); g_object_notify (G_OBJECT (setting), NM_SETTING_802_1X_PHASE2_ALTSUBJECT_MATCHES); return TRUE; } -- 1.8.5.3 From 01198ca5c733624d6a4238e00b067a173679588a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ji=C5=99=C3=AD=20Klime=C5=A1?= Date: Tue, 25 Feb 2014 15:52:45 +0100 Subject: [PATCH 08/10] libnm-util: fix verify_identity() in '802-1x' setting We need to return FALSE on error, otherwise we pile GErrors and assert in nm_setting_verify(). (cherry picked from commit 68066b40f2704ee069201cfa7f9c0f3b976e690f) --- libnm-util/nm-setting-8021x.c | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/libnm-util/nm-setting-8021x.c b/libnm-util/nm-setting-8021x.c index ae03cd2..7777e02 100644 --- a/libnm-util/nm-setting-8021x.c +++ b/libnm-util/nm-setting-8021x.c @@ -2363,12 +2363,14 @@ verify_identity (NMSetting8021x *self, gboolean phase2, GError **error) NM_SETTING_802_1X_ERROR_MISSING_PROPERTY, _("property is missing")); g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_IDENTITY); + return FALSE; } else if (!strlen (priv->identity)) { g_set_error_literal (error, NM_SETTING_802_1X_ERROR, NM_SETTING_802_1X_ERROR_INVALID_PROPERTY, _("property is empty")); g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_IDENTITY); + return FALSE; } return TRUE; -- 1.8.5.3 From 044309eae71b908cdc01852e22ed2a5127293c40 Mon Sep 17 00:00:00 2001 From: Thomas Haller Date: Tue, 4 Mar 2014 21:44:07 +0100 Subject: [PATCH 09/10] platform: fix converting address flags in nm_platform_ip6_address_to_string() Signed-off-by: Thomas Haller (cherry picked from commit eca6a49e2d91c21ff9f525dd34259e3ad6c12272) --- src/platform/nm-platform.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/platform/nm-platform.c b/src/platform/nm-platform.c index 97540fc..0477477 100644 --- a/src/platform/nm-platform.c +++ b/src/platform/nm-platform.c 
@@ -1791,11 +1791,11 @@ nm_platform_ip6_address_to_string (const NMPlatformIP6Address *address) * These two flags were introduced together with the extended ifa_flags, * so, check for that. **/ - if ((address->flags && IFA_F_MANAGETEMPADDR) & !nm_platform_check_support_libnl_extended_ifa_flags ()) { + if ((address->flags & IFA_F_MANAGETEMPADDR) && !nm_platform_check_support_libnl_extended_ifa_flags ()) { strncat (s_flags, s_flags[0] ? "," IFA_F_MANAGETEMPADDR_STR : IFA_F_MANAGETEMPADDR_STR, sizeof (s_flags) - strlen (s_flags) - 1); } - if ((address->flags && IFA_F_NOPREFIXROUTE) & !nm_platform_check_support_libnl_extended_ifa_flags ()) { + if ((address->flags & IFA_F_NOPREFIXROUTE) && !nm_platform_check_support_libnl_extended_ifa_flags ()) { strncat (s_flags, s_flags[0] ? "," IFA_F_NOPREFIXROUTE_STR : IFA_F_NOPREFIXROUTE_STR, sizeof (s_flags) - strlen (s_flags) - 1); } -- 1.8.5.3 From 917b799a1ce86963d41834c3bd5d24f945855ec0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ji=C5=99=C3=AD=20Klime=C5=A1?= Date: Tue, 4 Mar 2014 16:51:01 +0100 Subject: [PATCH 10/10] policy: fix crash caused by calling functions on connection==NULL Crash appeared in: nm_settings_connection_set_autoconnect_blocked_reason() (partially cherry picked from commit b8915dae3c5d2a077a0615941cfa363c0efcb428) --- src/nm-policy.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/src/nm-policy.c b/src/nm-policy.c index a5a372a..408056e 100644 --- a/src/nm-policy.c +++ b/src/nm-policy.c @@ -1307,7 +1307,7 @@ reset_connections_retries (gpointer user_data) static void schedule_activate_all (NMPolicy *policy); static void -activate_slave_connections (NMPolicy *policy, NMConnection *connection, +activate_slave_connections (NMPolicy *policy, NMDevice *device) { NMPolicyPrivate *priv = NM_POLICY_GET_PRIVATE (policy); 
@@ -1414,7 +1414,7 @@ device_state_changed (NMDevice *device, const char *ip_iface = nm_device_get_ip_iface (device); NMIP4Config *ip4_config; NMIP6Config *ip6_config; - NMSettingConnection *s_con; + NMSettingConnection *s_con = NULL; if (connection) g_object_set_data (G_OBJECT (connection), FAILURE_REASON_TAG, GUINT_TO_POINTER (0)); @@ -1506,10 +1506,11 @@ device_state_changed (NMDevice *device, case NM_DEVICE_STATE_PREPARE: /* Reset auto-connect retries of all slaves and schedule them for * activation. */ - activate_slave_connections (policy, connection, device); + activate_slave_connections (policy, device); break; case NM_DEVICE_STATE_SECONDARIES: - s_con = nm_connection_get_setting_connection (connection); + if (connection) + s_con = nm_connection_get_setting_connection (connection); if (s_con && nm_setting_connection_get_num_secondaries (s_con) > 0) { /* Make routes and DNS up-to-date before activating dependent connections */ update_routing_and_dns (policy, FALSE); -- 1.8.5.3
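Review bot: The new `if (connection)` guard covers only the NM_DEVICE_STATE_SECONDARIES case, while the commit message names nm_settings_connection_set_autoconnect_blocked_reason() as the crash site and no call to it appears in either hunk. device_state_changed continues outside the hunks, so please confirm that every other branch handing `connection` to a settings-connection function is guarded the same way, since this is described as a partial cherry-pick. A one-line comment at the `s_con` declaration, `/* connection may be NULL here */`, would keep the precondition visible to later edits.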