Add a helper like nm_utils_security_valid() except for access point
mode. We can't use nm_utils_security_valid() without changing the
arguments, hence the new function. Plus in AP mode all you care about
are the device capabilities, not AP flags since the device *is*
the AP.
The ctype macros (eg, isalnum(), tolower()) are locale-dependent. Use
glib's ASCII-only versions instead.
Also, replace isascii() with g_ascii_isprint(), since isascii()
accepts control characters, which isn't what the code wanted in any of
the places where it was using it.
The kernel is broken for Ad-Hoc WPA, and creates the connections
as open connections instead. Yeah, eventually we can use
wpa_supplicant with RSN support, but for now we just have to
disable Ad-Hoc WPA because it's a problem to say we're creating
a protected network but then have the kernel not do that for
us. Will be re-enabled once all the necessary bits have been
fixed.
Note that Ad-Hoc WPA has been broken since at least 2.6.32 with
mac80211-based drivers, which is what most users will be using.
The crash happens with ipw2200, kernel 3.2.0 when a user tries to connect
to a hidden network using nm-applet.
g_assert (have_ap); is hit in 'case NMU_SEC_STATIC_WEP:' branch.
Reported by Mathieu Trudel-Lapierre.
See also:
(lp:908516)
(lp:908380)
ether_aton() allows addresses like "0:1:2:3:4:5" which was casusing
some problems when reading connections after switching callers of
ether_aton() to nm_utils_hwaddr_aton().
nm_utils_hwaddr_ntoa() and nm_utils_hwaddr_aton() are like
ether_ntoa()/ether_aton(), but handle IPoIB too.
nm_utils_hwaddr_atoba() is like _aton() but returns a GByteArray,
since that's what's wanted in many places.
Also remove nm_ether_ntop() and replace uses of it with
nm_utils_hwaddr_ntoa().
The current check caught stuff in the .ver file that was outdated, but
didn't quite get stuff that was supposed to be exported but wasn't,
in some cases. Update the regex to ensure that symbols that are
not exported, but that start with "nm_" (and aren't GObject
boilerplate) get flagged during the check.
Update internal code to return to a previous pattern of treating symbols
that start with "_" internal, and expecting symbols that start with
"nm_" to be exported.
Also fixes cases where random glibc symbols would get flagged:
00040ff4 l O *ABS* 00000000 .hidden _GLOBAL_OFFSET_TABLE_
00041380 l O .data 00000000 .hidden __dso_handle
000406e8 l O .dtors 00000000 .hidden __DTOR_END__
0000fbe4 l F .text 00000000 .hidden __i686.get_pc_thunk.cx
0002f980 l F .text 00000014 .hidden __stack_chk_fail_local
0000b1e7 l F .text 00000000 .hidden __i686.get_pc_thunk.bx
00040e60 l O *ABS* 00000000 .hidden _DYNAMIC
Because we can't ever know if we're the last user of NSS or gnutls
when nm_utils_deinit() is called, just don't bother deiniting
the crypto providers. And atexit handlers are generally frowned
upon for the exact same reason. You never know what library linked
into your process might be also using NSS or gnutls, so basically
if these libraries suck enough to use global data and not reference
count it, just let the data leak. If we do clean stuff up that
can lead to crashes when other libraries might try to use NSS or
gnutls after the atexit handler or nm_utils_deinit() has been run.
See also: https://bugzilla.mozilla.org/show_bug.cgi?id=54189#c1
Clients need to do their own logging using glib or whatever; these
macros while somewhat helpful were not flexible and are not a
substitute for actual logging in the client. g_warning, g_message,
and g_error are more suitable anyway.
It's always used with a GByteArray anyway, as are most
functions in nm-utils.h. Even better, we can skip the
memcpy since it turns out to be pointless.
Add the necessary annotations (the mininum required, that is those
on return values. NULL parameters or container types may require
more), and the Autotools stuff to get a NetworkManager GIR for
libnm-util and a NMClient for libnm-glib.
Ensure it still works correctly if something tries to set the
'addresses' property using the old GType. Also make sure that
the various IP6 address comparison operations and string conversion
functions handle the gateway.
To be backwards compatible clients need to handle both paths to private
keys and the decrypted private key data, which is what used to get passed
in the private-key and phase2-private-key attributes of the 802.1x setting.
When moving a connection around between system-settings and user-settings,
if the private key is decrypted data, the settings service needs to store
that decrypted data somewhere so that the key can be sent to NM during
the connection process.
But we don't want to store the decrypted private key data, so we have to
re-encrypt it (possibly generating a private key password if one wasn't
sent with the decrypted data) and save it to disk, then send NM a path
to that private key during connection.
To help clients do this, and so that they don't have to carry around
multiple crypto implementations depending on whether they want to use
NSS or gnutls/gcrypt, add a helper to libnm-util.
Furthermore, I misunderstood a bunch of stuff with crypto padding when
writing the encrypt/decrypt functions long ago, so fix that up. Don't
return padding as part of the decrypted data, and make sure to verify
the padding's expected lengths and values when decrypting. Many thanks
to Nalin Dahyabhai for pointing me in the right direction.
While broadcasting WPA and RSN IEs with the Privacy bit set to 0 is
technically illegal, some networks using older Cisco equipment do it
(I'm looking at you, Eduroam) and there's no reason not to support
it. Since the AP is broadcasting WPA/RSN IEs, assume that means
WPA and RSN is supported (duh).
