From 5ab6875d4e8af7a26eb5e067935670a1deb6308d Mon Sep 17 00:00:00 2001 From: Thomas Haller Date: Fri, 31 Aug 2018 21:04:17 +0200 Subject: [PATCH] libnm/802-1x: don't verify certificates in GObject property setter First of all, g_warning() is not a suitable error handling. In particular, note how this code is reached when obtaining a setting from D-Bus, that is, the user is not at fault. The proper way to handle this, is allowing the setter to set the invalid value. Only later, during verify() we will fail. This way, NetworkManager can extend the format and older libnm clients don't break. This is how forward-compatibility (with older libnm vs. newer daemon) is supposed to work.
---
 libnm-core/nm-setting-8021x.c | 55 ++++------------------------------- 1 file changed, 6 insertions(+), 49 deletions(-)
diff --git a/libnm-core/nm-setting-8021x.c b/libnm-core/nm-setting-8021x.c
index b5cc751b1a..8ddcc95671 100644
--- a/libnm-core/nm-setting-8021x.c
+++ b/libnm-core/nm-setting-8021x.c
@@ -3259,24 +3259,6 @@ need_secrets (NMSetting *setting)
 /*****************************************************************************/
-static GBytes *
-set_cert_prop_helper (const GValue *value, const char *prop_name, GError **error)
-{
- gboolean valid;
- GBytes *bytes = NULL;
-
- bytes = g_value_dup_boxed (value);
- /* Verify the new data */
- if (bytes) {
- valid = verify_cert (bytes, prop_name, NULL, NULL, error);
- if (!valid)
- g_clear_pointer (&bytes, g_bytes_unref);
- }
- return bytes;
-}
-
-/*****************************************************************************/
-
 static void get_property (GObject *object, guint prop_id, GValue *value, GParamSpec *pspec)
@@ -3429,7 +3411,6 @@ set_property (GObject *object, guint prop_id,
 {
 NMSetting8021x *setting = NM_SETTING_802_1X (object);
 NMSetting8021xPrivate *priv = NM_SETTING_802_1X_GET_PRIVATE (setting);
- GError *error = NULL;
 switch (prop_id) {
 case PROP_EAP:
@@ -3450,11 +3431,7 @@ set_property (GObject *object, guint prop_id,
 break;
 case PROP_CA_CERT:
 g_bytes_unref (priv->ca_cert);
- priv->ca_cert = set_cert_prop_helper (value, NM_SETTING_802_1X_CA_CERT, &error);
- if (error) {
- g_warning ("Error setting certificate (invalid data): %s", error->message);
- g_error_free (error);
- }
+ priv->ca_cert = g_value_dup_boxed (value);
 break;
 case PROP_CA_CERT_PASSWORD:
 g_free (priv->ca_cert_password);
@@ -3481,11 +3458,7 @@ set_property (GObject *object, guint prop_id,
 break;
 case PROP_CLIENT_CERT:
 g_bytes_unref (priv->client_cert);
- priv->client_cert = set_cert_prop_helper (value, NM_SETTING_802_1X_CLIENT_CERT, &error);
- if (error) {
- g_warning ("Error setting certificate (invalid data): %s", error->message);
- g_error_free (error);
- }
+ priv->client_cert = g_value_dup_boxed (value);
 break;
 case PROP_CLIENT_CERT_PASSWORD:
 g_free (priv->client_cert_password);
@@ -3519,11 +3492,7 @@ set_property (GObject *object, guint prop_id,
 break;
 case PROP_PHASE2_CA_CERT:
 g_bytes_unref (priv->phase2_ca_cert);
- priv->phase2_ca_cert = set_cert_prop_helper (value, NM_SETTING_802_1X_PHASE2_CA_CERT, &error);
- if (error) {
- g_warning ("Error setting certificate (invalid data): %s", error->message);
- g_error_free (error);
- }
+ priv->phase2_ca_cert = g_value_dup_boxed (value);
 break;
 case PROP_PHASE2_CA_CERT_PASSWORD:
 g_free (priv->phase2_ca_cert_password);
@@ -3550,11 +3519,7 @@ set_property (GObject *object, guint prop_id,
 break;
 case PROP_PHASE2_CLIENT_CERT:
 g_bytes_unref (priv->phase2_client_cert);
- priv->phase2_client_cert = set_cert_prop_helper (value, NM_SETTING_802_1X_PHASE2_CLIENT_CERT, &error);
- if (error) {
- g_warning ("Error setting certificate (invalid data): %s", error->message);
- g_error_free (error);
- }
+ priv->phase2_client_cert = g_value_dup_boxed (value);
 break;
 case PROP_PHASE2_CLIENT_CERT_PASSWORD:
 g_free (priv->phase2_client_cert_password);
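Review bot: In the PROP_CA_CERT case the new `priv->ca_cert = g_value_dup_boxed (value);` stores whatever bytes arrive, so the field is no longer guaranteed to be either well-formed or NULL, and nothing at the assignment records that. Any accessor that interprets the stored bytes before verify() has run (none is visible in this hunk) now has to cope with malformed data, and the commit message notes the value can come from D-Bus. I would add a comment above the assignment such as `/* stored unvalidated; verify() rejects malformed data, readers must not assume a well-formed value */`. The same applies to the PROP_CLIENT_CERT, PROP_PHASE2_CA_CERT and PROP_PHASE2_CLIENT_CERT hunks and to the two private-key hunks that follow; set_property's body starts and ends outside these hunks.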
@@ -3579,11 +3544,7 @@ set_property (GObject *object, guint prop_id,
 break;
 case PROP_PRIVATE_KEY:
 g_bytes_unref (priv->private_key);
- priv->private_key = set_cert_prop_helper (value, NM_SETTING_802_1X_PRIVATE_KEY, &error);
- if (error) {
- g_warning ("Error setting private key (invalid data): %s", error->message);
- g_error_free (error);
- }
+ priv->private_key = g_value_dup_boxed (value);
 break;
 case PROP_PRIVATE_KEY_PASSWORD:
 nm_free_secret (priv->private_key_password);
@@ -3594,11 +3555,7 @@ set_property (GObject *object, guint prop_id,
 break;
 case PROP_PHASE2_PRIVATE_KEY:
 g_bytes_unref (priv->phase2_private_key);
- priv->phase2_private_key = set_cert_prop_helper (value, NM_SETTING_802_1X_PHASE2_PRIVATE_KEY, &error);
- if (error) {
- g_warning ("Error setting private key (invalid data): %s", error->message);
- g_error_free (error);
- }
+ priv->phase2_private_key = g_value_dup_boxed (value);
 break;
 case PROP_PHASE2_PRIVATE_KEY_PASSWORD:
 nm_free_secret (priv->phase2_private_key_password);
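Review bot: The PROP_PRIVATE_KEY and PROP_PHASE2_PRIVATE_KEY cases release the previous value with plain `g_bytes_unref (priv->private_key);`, while the password cases visible in the same hunks go through `nm_free_secret ()`. If the key can be stored inline in the GBytes rather than as a reference to a file (not visible here), replaced key material is returned to the allocator without being cleared. Since these assignments are being rewritten anyway, a comment such as `/* may hold key material; GBytes contents are not wiped on unref */` next to the unref would record the gap for a follow-up. set_property's body starts and ends outside the hunk.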