From f30fba23ee19822fc73ec6268b8d6be887db1c70 Mon Sep 17 00:00:00 2001 From: Dan Williams Date: Fri, 21 Nov 2008 18:59:37 +0000 Subject: [PATCH] 2008-11-21 Dan Williams Patch from Tambet Ingo * configure.in libnm-util/libnm-util.ver libnm-util/nm-setting-8021x.c libnm-util/nm-setting-8021x.h - Add configure-time option for the system CA path - Add 'system-ca-certs' option to 802.1x setting, which directs NetworkManager to use system CA certificates instead of any connection-defined CA certificates * src/supplicant-manager/nm-supplicant-config.c src/supplicant-manager/nm-supplicant-settings-verify.c - Use system CA certificates if the connection says to do so git-svn-id: http://svn-archive.gnome.org/svn/NetworkManager/trunk@4326 4912f4e0-d625-0410-9fb7-b9a5a253dbdc --- ChangeLog | 17 +++++++++++++ configure.in | 11 +++++++++ libnm-util/libnm-util.ver | 1 + libnm-util/nm-setting-8021x.c | 24 +++++++++++++++++++ libnm-util/nm-setting-8021x.h | 2 ++ src/supplicant-manager/nm-supplicant-config.c | 16 +++++++++++-- .../nm-supplicant-settings-verify.c | 1 + 7 files changed, 70 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index b869dfe590..aa621ac88f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,20 @@ +2008-11-21 Dan Williams + + Patch from Tambet Ingo + + * configure.in + libnm-util/libnm-util.ver + libnm-util/nm-setting-8021x.c + libnm-util/nm-setting-8021x.h + - Add configure-time option for the system CA path + - Add 'system-ca-certs' option to 802.1x setting, which directs + NetworkManager to use system CA certificates instead of any + connection-defined CA certificates + + * src/supplicant-manager/nm-supplicant-config.c + src/supplicant-manager/nm-supplicant-settings-verify.c + - Use system CA certificates if the connection says to do so + 2008-11-21 Dan Williams * src/nm-dbus-manager.c diff --git a/configure.in b/configure.in index 0274f17872..b11cc10977 100644 --- a/configure.in +++ b/configure.in 
@@ -435,6 +435,17 @@ if test -n "${RESOLVCONF_PATH}"; then AC_DEFINE_UNQUOTED(RESOLVCONF_PATH, "$RESOLVCONF_PATH", [Define if you have a resolvconf implementation]) fi +# system CA certificates path +AC_ARG_WITH(system-ca-path, AS_HELP_STRING([--with-system-ca-path=/path/to/ssl/certs], [path to system CA certificates])) +if test "x${with_system_ca_path}" = x; then + SYSTEM_CA_PATH=/etc/ssl/certs +else + SYSTEM_CA_PATH="$with_system_ca_path" +fi +AC_DEFINE_UNQUOTED(SYSTEM_CA_PATH, "$SYSTEM_CA_PATH", [Define to path to system CA certificates]) +AC_SUBST(SYSTEM_CA_PATH) + + AC_ARG_ENABLE(more-warnings, AS_HELP_STRING([--enable-more-warnings], [Maximum compiler warnings]), set_more_warnings="$enableval",set_more_warnings=yes) AC_MSG_CHECKING(for more warnings, including -Werror) diff --git a/libnm-util/libnm-util.ver b/libnm-util/libnm-util.ver index 642ff02e2f..483da9e439 100644 --- a/libnm-util/libnm-util.ver +++ b/libnm-util/libnm-util.ver @@ -60,6 +60,7 @@ global: nm_setting_802_1x_get_private_key_password; nm_setting_802_1x_get_private_key_type; nm_setting_802_1x_get_psk; + nm_setting_802_1x_get_system_ca_certs; nm_setting_802_1x_get_type; nm_setting_802_1x_new; nm_setting_802_1x_remove_eap_method; diff --git a/libnm-util/nm-setting-8021x.c b/libnm-util/nm-setting-8021x.c index 04d29057a8..062cb7af84 100644 --- a/libnm-util/nm-setting-8021x.c +++ b/libnm-util/nm-setting-8021x.c @@ -93,6 +93,7 @@ typedef struct { char *private_key_password; GByteArray *phase2_private_key; char *phase2_private_key_password; + gboolean system_ca_certs; } NMSetting8021xPrivate; enum { @@ -118,6 +119,7 @@ enum { PROP_PHASE2_PRIVATE_KEY_PASSWORD, PROP_PIN, PROP_PSK, + PROP_SYSTEM_CA_CERTS, LAST_PROP }; 
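Review bot: The new `--with-system-ca-path` handling only special-cases an empty value, so the flag forms `--with-system-ca-path` and `--without-system-ca-path` (which autoconf records as `yes` and `no`) get compiled into SYSTEM_CA_PATH as the literal strings "yes" and "no", and every connection that sets system-ca-certs then hands the supplicant a ca_path that does not exist. Treat `yes` like the unset case and refuse `no` instead of baking a bogus path into the daemon: `if test "x${with_system_ca_path}" = x -o "x${with_system_ca_path}" = xyes; then` for the default branch, and `elif test "x${with_system_ca_path}" = xno; then AC_MSG_ERROR([a system CA certificate path is required])` before the catch-all. An `AC_MSG_WARN` when the chosen directory is absent on the build host would also help, since a silently wrong path is presumably only noticed when 802.1x authentications start failing.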
@@ -268,6 +270,14 @@ nm_setting_802_1x_set_ca_cert_from_file (NMSetting8021x *self, return priv->ca_cert != NULL; } +gboolean +nm_setting_802_1x_get_system_ca_certs (NMSetting8021x *setting) +{ + g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), FALSE); + + return NM_SETTING_802_1X_GET_PRIVATE (setting)->system_ca_certs; +} + const GByteArray * nm_setting_802_1x_get_client_cert (NMSetting8021x *setting) { @@ -1243,6 +1253,9 @@ set_property (GObject *object, guint prop_id, g_free (priv->phase2_private_key_password); priv->phase2_private_key_password = g_value_dup_string (value); break; + case PROP_SYSTEM_CA_CERTS: + priv->system_ca_certs = g_value_get_boolean (value); + break; default: G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec); break; @@ -1314,6 +1327,9 @@ get_property (GObject *object, guint prop_id, case PROP_PHASE2_PRIVATE_KEY_PASSWORD: g_value_set_string (value, priv->phase2_private_key_password); break; + case PROP_SYSTEM_CA_CERTS: + g_value_set_boolean (value, priv->system_ca_certs); + break; default: G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec); break; @@ -1490,6 +1506,14 @@ nm_setting_802_1x_class_init (NMSetting8021xClass *setting_class) NULL, G_PARAM_READWRITE | NM_SETTING_PARAM_SERIALIZE | NM_SETTING_PARAM_SECRET)); + g_object_class_install_property + (object_class, PROP_SYSTEM_CA_CERTS, + g_param_spec_boolean (NM_SETTING_802_1X_SYSTEM_CA_CERTS, + "Use system CA certificates", + "Use system CA certificates", + FALSE, + G_PARAM_READWRITE | NM_SETTING_PARAM_SERIALIZE)); + /* Initialize crypto lbrary. */ if (!nm_utils_init (&error)) { g_warning ("Couldn't initilize nm-utils/crypto system: %d %s", diff --git a/libnm-util/nm-setting-8021x.h b/libnm-util/nm-setting-8021x.h index 91d494d9b3..e956e685ae 100644 --- a/libnm-util/nm-setting-8021x.h +++ b/libnm-util/nm-setting-8021x.h 
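Review bot: The `system-ca-certs` property in nm_setting_802_1x_class_init is installed with an identical nick and blurb, `"Use system CA certificates"`, which says nothing about what the flag changes; the supplicant-config hunks in this same patch make it override any `ca-cert`/`phase2-ca-cert` blob on the connection. A blurb along the lines of `"When TRUE, the authentication server is validated against the CA certificates in the system CA path compiled into NetworkManager; the connection's ca-cert and phase2-ca-cert are ignored"` would make that explicit for API users and UI code. The setting's verify() is not touched by this patch (it lies outside the hunks shown), so it is worth confirming there that a connection carrying both `system-ca-certs=TRUE` and a `ca-cert` blob is rejected, or at least warned about, rather than having the blob silently dropped.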
@@ -81,6 +81,7 @@ GQuark nm_setting_802_1x_error_quark (void); #define NM_SETTING_802_1X_PHASE2_PRIVATE_KEY_PASSWORD "phase2-private-key-password" #define NM_SETTING_802_1X_PIN "pin" #define NM_SETTING_802_1X_PSK "psk" +#define NM_SETTING_802_1X_SYSTEM_CA_CERTS "system-ca-certs" typedef struct { NMSetting parent; @@ -133,6 +134,7 @@ gboolean nm_setting_802_1x_set_phase2_ca_cert_from_file (NMSetting8 const char *filename, NMSetting8021xCKType *out_ck_type, GError **err); +gboolean nm_setting_802_1x_get_system_ca_certs (NMSetting8021x *setting); const GByteArray *nm_setting_802_1x_get_phase2_client_cert (NMSetting8021x *setting); gboolean nm_setting_802_1x_set_phase2_client_cert_from_file (NMSetting8021x *setting, diff --git a/src/supplicant-manager/nm-supplicant-config.c b/src/supplicant-manager/nm-supplicant-config.c index d087b2c227..2918504598 100644 --- a/src/supplicant-manager/nm-supplicant-config.c +++ b/src/supplicant-manager/nm-supplicant-config.c @@ -19,6 +19,10 @@ * Copyright (C) 2007 - 2008 Novell, Inc. */ +#ifdef HAVE_CONFIG_H +#include +#endif + #include #include #include @@ -620,7 +624,11 @@ nm_supplicant_config_add_setting_8021x (NMSupplicantConfig *self, ADD_STRING_VAL (phase2->str, "phase2", FALSE, FALSE, FALSE); g_string_free (phase2, TRUE); - ADD_BLOB_VAL (nm_setting_802_1x_get_ca_cert (setting), "ca_cert", connection_uid); + if (nm_setting_802_1x_get_system_ca_certs (setting)) { + ADD_STRING_VAL (SYSTEM_CA_PATH, "ca_path", FALSE, FALSE, FALSE); + } else { + ADD_BLOB_VAL (nm_setting_802_1x_get_ca_cert (setting), "ca_cert", connection_uid); + } array = nm_setting_802_1x_get_private_key (setting); if (array) { 
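Review bot: Pointing the supplicant at the whole system CA directory via `ca_path` widens the trust anchor for the EAP server from one connection-specific CA to every CA under `/etc/ssl/certs` (or whatever `--with-system-ca-path` gave), so any certificate chaining to a publicly trusted root will be accepted as the authentication server unless the supplicant is also told which subject to expect. Nothing in the new branch emits a `subject_match`/`altsubject_match`, and the 802.1x setting as shown here carries no such field, so a rogue access point presenting any legitimately issued certificate could presumably complete PEAP/TTLS and collect the inner credentials. If no subject-match option exists in this version, the `system-ca-certs` documentation should carry that caveat, and a comment at this branch such as `/* NOTE: with a public CA store the server must also be pinned by subject, or any public CA can impersonate it */` would stop the next reader treating it as equivalent to the per-connection CA. The enclosing nm_supplicant_config_add_setting_8021x continues outside the hunk.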
@@ -638,7 +646,11 @@ nm_supplicant_config_add_setting_8021x (NMSupplicantConfig *self, } } - ADD_BLOB_VAL (nm_setting_802_1x_get_phase2_ca_cert (setting), "ca_cert2", connection_uid); + if (nm_setting_802_1x_get_system_ca_certs (setting)) { + ADD_STRING_VAL (SYSTEM_CA_PATH, "ca_path2", FALSE, FALSE, FALSE); + } else { + ADD_BLOB_VAL (nm_setting_802_1x_get_phase2_ca_cert (setting), "ca_cert2", connection_uid); + } array = nm_setting_802_1x_get_phase2_private_key (setting); if (array) { diff --git a/src/supplicant-manager/nm-supplicant-settings-verify.c b/src/supplicant-manager/nm-supplicant-settings-verify.c index b8bd9fc4c0..5e3079547b 100644 --- a/src/supplicant-manager/nm-supplicant-settings-verify.c +++ b/src/supplicant-manager/nm-supplicant-settings-verify.c @@ -101,6 +101,7 @@ static const struct Opt opt_table[] = { { "eap", TYPE_KEYWORD, 0, 0, FALSE, eap_allowed }, { "identity", TYPE_BYTES, 0, 0, FALSE, NULL }, { "password", TYPE_BYTES, 0, 0, FALSE, NULL }, + { "ca_path", TYPE_BYTES, 0, 0, FALSE, NULL }, { "ca_cert", TYPE_BYTES, 0, 65536, FALSE, NULL }, { "client_cert", TYPE_BYTES, 0, 65536, FALSE, NULL }, { "private_key", TYPE_BYTES, 0, 65536, FALSE, NULL },
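Review bot: Only `ca_path` is added to opt_table, yet the nm-supplicant-config.c hunk on this same line emits `ca_path2` for the phase-2 CA whenever `system-ca-certs` is set; unless `ca_path2` already appears in the part of the table outside this hunk, that value will be rejected by the option verifier like any unknown key (what ADD_STRING_VAL does on a rejected option is outside the hunk). Adding `{ "ca_path2", TYPE_BYTES, 0, 0, FALSE, NULL },` next to the existing `ca_cert2` entry keeps the two sides in step. Since both values are the compile-time SYSTEM_CA_PATH rather than connection data, the unbounded 0/0 length like `identity` is defensible, but a short comment such as `/* ca_path/ca_path2 carry the compile-time SYSTEM_CA_PATH, never user-supplied data */` would record why they are not capped like the certificate blobs.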