[gnome-online-accounts] Guard against invalid SSL certificates
- From: Debarshi Ray <debarshir src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [gnome-online-accounts] Guard against invalid SSL certificates
- Date: Tue, 5 Feb 2013 16:00:05 +0000 (UTC)
commit edde7c63326242a60a075341d3fea0be0bc4d80e
Author: Debarshi Ray <debarshir gnome org>
Date: Thu Jan 31 17:45:20 2013 +0100
Guard against invalid SSL certificates
None of the branded providers (eg., Google, Facebook and Windows Live)
should ever have an invalid certificate. So set "ssl-strict" on the
SoupSession object being used by GoaWebView.
Providers like ownCloud and Exchange might have to deal with
certificates that are not up to the mark, e.g., self-signed
certificates. For those, show a warning when the account is being
created, and only proceed if the user decides to ignore it. In any
case, save the status of the certificate that was used to create the
account. So an account created with a valid certificate will never
work with an invalid one, and one created with an invalid certificate
will not throw any further warnings.
Fixes: CVE-2013-0240
data/dbus-interfaces.xml | 23 ++++++++++++++++++
src/goa/goaenums.h | 8 ++++--
src/goa/goaerror.c | 5 ++-
src/goabackend/goaewsclient.c | 25 ++++++++++++++++++-
src/goabackend/goaewsclient.h | 4 ++-
src/goabackend/goaexchangeprovider.c | 32 +++++++++++++++++++++++--
src/goabackend/goagoogleprovider.c | 1 +
src/goabackend/goahttpclient.c | 25 ++++++++++++++++++-
src/goabackend/goahttpclient.h | 4 ++-
src/goabackend/goaowncloudprovider.c | 42 +++++++++++++++++++++++++++++----
src/goabackend/goautils.c | 42 +++++++++++++++++++++++++++++++++-
src/goabackend/goautils.h | 5 +++-
src/goabackend/goawebview.c | 3 +-
13 files changed, 197 insertions(+), 22 deletions(-)
---
diff --git a/data/dbus-interfaces.xml b/data/dbus-interfaces.xml
index eaed174..0cf99de 100644
--- a/data/dbus-interfaces.xml
+++ b/data/dbus-interfaces.xml
@@ -448,6 +448,12 @@
server.
-->
<interface name="org.gnome.OnlineAccounts.Calendar">
+ <!-- AcceptSslErrors:
+ @since: 3.8.0
+ Accept SSL/TLS errors caused by invalid certificates.
+ -->
+ <property name="AcceptSslErrors" type="b" access="read"/>
+
<!-- Uri:
@since: 3.8.0
The top-level location of the calendars.
@@ -464,6 +470,12 @@
server.
-->
<interface name="org.gnome.OnlineAccounts.Contacts">
+ <!-- AcceptSslErrors:
+ @since: 3.8.0
+ Accept SSL/TLS errors caused by invalid certificates.
+ -->
+ <property name="AcceptSslErrors" type="b" access="read"/>
+
<!-- Uri:
@since: 3.8.0
The top-level location of the contacts.
@@ -509,6 +521,11 @@
server.
-->
<interface name="org.gnome.OnlineAccounts.Files">
+ <!-- AcceptSslErrors:
+ Accept SSL/TLS errors caused by invalid certificates.
+ -->
+ <property name="AcceptSslErrors" type="b" access="read"/>
+
<!-- Uri:
The top-level location of the files.
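Review bot: The AcceptSslErrors property added to org.gnome.OnlineAccounts.Files carries no `@since` line, while the same property added to the Calendar, Contacts and Exchange interfaces in this commit is tagged `@since: 3.8.0`. The property is new in this release regardless of how the surrounding Files properties are documented, so add `@since: 3.8.0` directly after `<!-- AcceptSslErrors:` so the generated interface documentation reports the version consistently.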
@@ -529,6 +546,12 @@
a Microsoft Exchange server.
-->
<interface name="org.gnome.OnlineAccounts.Exchange">
+ <!-- AcceptSslErrors:
+ @since: 3.8.0
+ Accept SSL/TLS errors caused by invalid certificates.
+ -->
+ <property name="AcceptSslErrors" type="b" access="read"/>
+
<!-- Host:
The Exchange server to use. This is always a domain name.
diff --git a/src/goa/goaenums.h b/src/goa/goaenums.h
index 2a13aec..bb17a5e 100644
--- a/src/goa/goaenums.h
+++ b/src/goa/goaenums.h
@@ -1,6 +1,6 @@
/* -*- mode: C; c-file-style: "gnu"; indent-tabs-mode: nil; -*- */
/*
- * Copyright (C) 2011 Red Hat, Inc.
+ * Copyright (C) 2011, 2013 Red Hat, Inc.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
@@ -38,6 +38,7 @@ G_BEGIN_DECLS
* @GOA_ERROR_DIALOG_DISMISSED: The dialog was dismissed.
* @GOA_ERROR_ACCOUNT_EXISTS: Account already exists.
* @GOA_ERROR_NOT_AUTHORIZED: Not authorized to perform operation.
+ * @GOA_ERROR_SSL: Invalid SSL certificate.
*
* Error codes for the #GOA_ERROR error domain and the
* corresponding D-Bus error names.
@@ -48,10 +49,11 @@ typedef enum
GOA_ERROR_NOT_SUPPORTED, /* org.gnome.OnlineAccounts.Error.NotSupported */
GOA_ERROR_DIALOG_DISMISSED, /* org.gnome.OnlineAccounts.Error.DialogDismissed */
GOA_ERROR_ACCOUNT_EXISTS, /* org.gnome.OnlineAccounts.Error.AccountExists */
- GOA_ERROR_NOT_AUTHORIZED /* org.gnome.OnlineAccounts.Error.NotAuthorized */
+ GOA_ERROR_NOT_AUTHORIZED, /* org.gnome.OnlineAccounts.Error.NotAuthorized */
+ GOA_ERROR_SSL /* org.gnome.OnlineAccounts.Error.SSL */
} GoaError;
-#define GOA_ERROR_NUM_ENTRIES (GOA_ERROR_NOT_AUTHORIZED + 1)
+#define GOA_ERROR_NUM_ENTRIES (GOA_ERROR_SSL + 1)
G_END_DECLS
diff --git a/src/goa/goaerror.c b/src/goa/goaerror.c
index 9a238bf..de54abf 100644
--- a/src/goa/goaerror.c
+++ b/src/goa/goaerror.c
@@ -1,6 +1,6 @@
/* -*- mode: C; c-file-style: "gnu"; indent-tabs-mode: nil; -*- */
/*
- * Copyright (C) 2011 Red Hat, Inc.
+ * Copyright (C) 2011, 2013 Red Hat, Inc.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
@@ -39,7 +39,8 @@ static const GDBusErrorEntry dbus_error_entries[] =
{GOA_ERROR_NOT_SUPPORTED, "org.freedesktop.Goa.Error.NotSupported"},
{GOA_ERROR_DIALOG_DISMISSED, "org.gnome.OnlineAccounts.Error.DialogDismissed"},
{GOA_ERROR_ACCOUNT_EXISTS, "org.gnome.OnlineAccounts.Error.AccountExists"},
- {GOA_ERROR_NOT_AUTHORIZED, "org.gnome.OnlineAccounts.Error.NotAuthorized"}
+ {GOA_ERROR_NOT_AUTHORIZED, "org.gnome.OnlineAccounts.Error.NotAuthorized"},
+ {GOA_ERROR_SSL, "org.gnome.OnlineAccounts.Error.SSL"}
};
GQuark
diff --git a/src/goabackend/goaewsclient.c b/src/goabackend/goaewsclient.c
index aeeb12a..155a508 100644
--- a/src/goabackend/goaewsclient.c
+++ b/src/goabackend/goaewsclient.c
@@ -1,6 +1,6 @@
/* -*- mode: C; c-file-style: "gnu"; indent-tabs-mode: nil; -*- */
/*
- * Copyright (C) 2012 Red Hat, Inc.
+ * Copyright (C) 2012, 2013 Red Hat, Inc.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
@@ -35,6 +35,7 @@
#include "goalogging.h"
#include "goaewsclient.h"
+#include "goautils.h"
struct _GoaEwsClient
{
@@ -78,6 +79,7 @@ typedef struct
GSimpleAsyncResult *res;
SoupMessage *msgs[2];
SoupSession *session;
+ gboolean accept_ssl_errors;
gulong cancellable_id;
xmlOutputBuffer *buf;
} AutodiscoverData;
@@ -175,7 +177,9 @@ ews_client_autodiscover_response_cb (SoupSession *session, SoupMessage *msg, gpo
{
GError *error;
AutodiscoverData *data = user_data;
+ GTlsCertificateFlags cert_flags;
gboolean op_res;
+ gboolean using_https;
guint status;
gint idx;
gsize size;
@@ -212,6 +216,16 @@ ews_client_autodiscover_response_cb (SoupSession *session, SoupMessage *msg, gpo
goto out;
}
+ if (!data->accept_ssl_errors)
+ {
+ using_https = soup_message_get_https_status (msg, NULL, &cert_flags);
+ if (using_https && cert_flags != 0)
+ {
+ goa_utils_set_error_ssl (&error, cert_flags);
+ goto out;
+ }
+ }
+
soup_buffer_free (soup_message_body_flatten (SOUP_MESSAGE (msg)->response_body));
g_debug ("The response headers");
g_debug ("===================");
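Review bot: The certificate check added here runs in the response callback, i.e. after the request has already been sent over a connection whose certificate was never enforced, because goa_ews_client_autodiscover below creates the session with `SOUP_SESSION_SSL_STRICT, FALSE` unconditionally; presumably the NTLM challenge/response that libsoup performs before the final response has also gone over that connection by the time cert_flags is inspected. For an account that must not tolerate certificate errors the safer shape is to keep the handshake strict, `SOUP_SESSION_SSL_STRICT, !accept_ssl_errors,` so an invalid certificate aborts the connection before any application data or credentials are sent, and then map `SOUP_STATUS_SSL_FAILED` in this callback to GOA_ERROR_SSL; whether soup_message_get_https_status still yields the certificate flags in that case should be confirmed against the libsoup version in use. The same post-hoc pattern appears in goahttpclient.c in http_client_check_response_cb and goa_http_client_check. ews_client_autodiscover_response_cb starts and ends outside this hunk.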
@@ -404,6 +418,7 @@ goa_ews_client_autodiscover (GoaEwsClient *client,
const gchar *password,
const gchar *username,
const gchar *server,
+ gboolean accept_ssl_errors,
GCancellable *cancellable,
GAsyncReadyCallback callback,
gpointer user_data)
@@ -442,9 +457,13 @@ goa_ews_client_autodiscover (GoaEwsClient *client,
data->res = g_simple_async_result_new (G_OBJECT (client), callback, user_data, goa_ews_client_autodiscover);
data->msgs[0] = ews_client_create_msg_for_url (url1, buf);
data->msgs[1] = ews_client_create_msg_for_url (url2, buf);
- data->session = soup_session_async_new_with_options (SOUP_SESSION_USE_NTLM, TRUE,
+ data->session = soup_session_async_new_with_options (SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE, TRUE,
+ SOUP_SESSION_SSL_STRICT, FALSE,
+ SOUP_SESSION_USE_NTLM, TRUE,
SOUP_SESSION_USE_THREAD_CONTEXT, TRUE,
NULL);
+ data->accept_ssl_errors = accept_ssl_errors;
+
if (cancellable != NULL)
{
data->cancellable = g_object_ref (cancellable);
@@ -514,6 +533,7 @@ goa_ews_client_autodiscover_sync (GoaEwsClient *client,
const gchar *password,
const gchar *username,
const gchar *server,
+ gboolean accept_ssl_errors,
GCancellable *cancellable,
GError **error)
{
@@ -531,6 +551,7 @@ goa_ews_client_autodiscover_sync (GoaEwsClient *client,
password,
username,
server,
+ accept_ssl_errors,
cancellable,
ews_client_autodiscover_sync_cb,
&data);
diff --git a/src/goabackend/goaewsclient.h b/src/goabackend/goaewsclient.h
index 6f72c41..367ac74 100644
--- a/src/goabackend/goaewsclient.h
+++ b/src/goabackend/goaewsclient.h
@@ -1,6 +1,6 @@
/* -*- mode: C; c-file-style: "gnu"; indent-tabs-mode: nil; -*- */
/*
- * Copyright (C) 2012 Red Hat, Inc.
+ * Copyright (C) 2012, 2013 Red Hat, Inc.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
@@ -42,6 +42,7 @@ void goa_ews_client_autodiscover (GoaEwsClient *client,
const gchar *password,
const gchar *username,
const gchar *server,
+ gboolean accept_ssl_errors,
GCancellable *cancellable,
GAsyncReadyCallback callback,
gpointer gpointer);
@@ -53,6 +54,7 @@ gboolean goa_ews_client_autodiscover_sync (GoaEwsClient *client,
const gchar *password,
const gchar *username,
const gchar *server,
+ gboolean accept_ssl_errors,
GCancellable *cancellable,
GError **error);
diff --git a/src/goabackend/goaexchangeprovider.c b/src/goabackend/goaexchangeprovider.c
index 0f08e6c..eafd8ae 100644
--- a/src/goabackend/goaexchangeprovider.c
+++ b/src/goabackend/goaexchangeprovider.c
@@ -1,6 +1,6 @@
/* -*- mode: C; c-file-style: "gnu"; indent-tabs-mode: nil; -*- */
/*
- * Copyright (C) 2012 Red Hat, Inc.
+ * Copyright (C) 2012, 2013 Red Hat, Inc.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
@@ -203,11 +203,16 @@ build_object (GoaProvider *provider,
exchange = goa_object_get_exchange (GOA_OBJECT (object));
if (exchange == NULL)
{
+ gboolean accept_ssl_errors;
gchar *host;
+ accept_ssl_errors = g_key_file_get_boolean (key_file, group, "AcceptSslErrors", NULL);
host = g_key_file_get_string (key_file, group, "Host", NULL);
exchange = goa_exchange_skeleton_new ();
- g_object_set (G_OBJECT (exchange), "host", host, NULL);
+ g_object_set (G_OBJECT (exchange),
+ "accept-ssl-errors", accept_ssl_errors,
+ "host", host,
+ NULL);
goa_object_skeleton_set_exchange (object, exchange);
g_free (host);
}
@@ -261,6 +266,7 @@ ensure_credentials_sync (GoaProvider *provider,
GoaAccount *account;
GoaEwsClient *ews_client;
GoaExchange *exchange;
+ gboolean accept_ssl_errors;
gboolean ret;
const gchar *email_address;
const gchar *server;
@@ -306,6 +312,7 @@ ensure_credentials_sync (GoaProvider *provider,
}
exchange = goa_object_peek_exchange (object);
+ accept_ssl_errors = goa_exchange_get_accept_ssl_errors (exchange);
server = goa_exchange_get_host (exchange);
ews_client = goa_ews_client_new ();
@@ -314,6 +321,7 @@ ensure_credentials_sync (GoaProvider *provider,
password,
username,
server,
+ accept_ssl_errors,
cancellable,
error);
if (!ret)
@@ -624,6 +632,7 @@ add_account (GoaProvider *provider,
GVariantBuilder details;
GoaEwsClient *ews_client;
GoaObject *ret;
+ gboolean accept_ssl_errors;
const gchar *email_address;
const gchar *server;
const gchar *password;
@@ -632,6 +641,8 @@ add_account (GoaProvider *provider,
gint response;
ews_client = NULL;
+ accept_ssl_errors = FALSE;
+
ret = NULL;
memset (&data, 0, sizeof (AddAccountData));
@@ -679,6 +690,7 @@ add_account (GoaProvider *provider,
password,
username,
server,
+ accept_ssl_errors,
data.cancellable,
autodiscover_cb,
&data);
@@ -700,6 +712,17 @@ add_account (GoaProvider *provider,
{
gchar *markup;
+ if (data.error->code == GOA_ERROR_SSL)
+ {
+ gtk_button_set_label (GTK_BUTTON (data.connect_button), _("_Ignore"));
+ accept_ssl_errors = TRUE;
+ }
+ else
+ {
+ gtk_button_set_label (GTK_BUTTON (data.connect_button), _("_Try Again"));
+ accept_ssl_errors = FALSE;
+ }
+
markup = g_strdup_printf ("<b>%s:</b> %s",
_("Error connecting to Microsoft Exchange server"),
data.error->message);
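Review bot: `data.error->code == GOA_ERROR_SSL` compares only the numeric code and not the error domain, so an error from another domain whose value happens to equal GOA_ERROR_SSL would relabel the button "_Ignore" and set accept_ssl_errors to TRUE, which is then persisted as AcceptSslErrors on the new account. Use `if (g_error_matches (data.error, GOA_ERROR, GOA_ERROR_SSL))` here and in the matching hunk in goaowncloudprovider.c's add_account. add_account's body continues outside this hunk.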
@@ -708,7 +731,6 @@ add_account (GoaProvider *provider,
gtk_label_set_markup (GTK_LABEL (data.cluebar_label), markup);
g_free (markup);
- gtk_button_set_label (GTK_BUTTON (data.connect_button), _("_Try Again"));
gtk_expander_set_expanded (GTK_EXPANDER (data.expander), TRUE);
gtk_widget_set_no_show_all (data.cluebar, FALSE);
gtk_widget_show_all (data.cluebar);
@@ -725,6 +747,7 @@ add_account (GoaProvider *provider,
g_variant_builder_add (&details, "{ss}", "CalendarEnabled", "true");
g_variant_builder_add (&details, "{ss}", "ContactsEnabled", "true");
g_variant_builder_add (&details, "{ss}", "Host", server);
+ g_variant_builder_add (&details, "{ss}", "AcceptSslErrors", (accept_ssl_errors) ? "true" : "false");
/* OK, everything is dandy, add the account */
/* we want the GoaClient to update before this method returns (so it
@@ -781,6 +804,7 @@ refresh_account (GoaProvider *provider,
GoaExchange *exchange;
GtkWidget *dialog;
GtkWidget *vbox;
+ gboolean accept_ssl_errors;
gboolean ret;
const gchar *email_address;
const gchar *server;
@@ -842,6 +866,7 @@ refresh_account (GoaProvider *provider,
username = goa_account_get_identity (account);
exchange = goa_object_peek_exchange (object);
+ accept_ssl_errors = goa_exchange_get_accept_ssl_errors (exchange);
server = goa_exchange_get_host (exchange);
g_cancellable_reset (data.cancellable);
@@ -850,6 +875,7 @@ refresh_account (GoaProvider *provider,
password,
username,
server,
+ accept_ssl_errors,
data.cancellable,
autodiscover_cb,
&data);
diff --git a/src/goabackend/goagoogleprovider.c b/src/goabackend/goagoogleprovider.c
index d6f7809..088805d 100644
--- a/src/goabackend/goagoogleprovider.c
+++ b/src/goabackend/goagoogleprovider.c
@@ -612,6 +612,7 @@ ensure_credentials_sync (GoaProvider *provider,
uri_caldav,
username,
password,
+ FALSE,
cancellable,
error);
if (!ret)
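Review bot: The bare `FALSE,` inserted into the positional argument list of goa_http_client_check_sync gives no hint which parameter it is; an inline comment, `FALSE, /* accept_ssl_errors */`, would make clear that this branded provider deliberately never tolerates certificate errors. ensure_credentials_sync starts and ends outside this hunk.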
diff --git a/src/goabackend/goahttpclient.c b/src/goabackend/goahttpclient.c
index 7edd755..828cb09 100644
--- a/src/goabackend/goahttpclient.c
+++ b/src/goabackend/goahttpclient.c
@@ -1,6 +1,6 @@
/* -*- mode: C; c-file-style: "gnu"; indent-tabs-mode: nil; -*- */
/*
- * Copyright (C) 2012 Red Hat, Inc.
+ * Copyright (C) 2012, 2013 Red Hat, Inc.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
@@ -28,6 +28,7 @@
#include "goalogging.h"
#include "goahttpclient.h"
+#include "goautils.h"
struct _GoaHttpClient
{
@@ -71,6 +72,7 @@ typedef struct
GSimpleAsyncResult *res;
SoupMessage *msg;
SoupSession *session;
+ gboolean accept_ssl_errors;
gulong cancellable_id;
} CheckData;
@@ -136,7 +138,9 @@ http_client_check_response_cb (SoupSession *session, SoupMessage *msg, gpointer
{
GError *error;
CheckData *data = user_data;
+ GTlsCertificateFlags cert_flags;
gboolean op_res;
+ gboolean using_https;
error = NULL;
op_res = FALSE;
@@ -153,6 +157,16 @@ http_client_check_response_cb (SoupSession *session, SoupMessage *msg, gpointer
goto out;
}
+ if (!data->accept_ssl_errors)
+ {
+ using_https = soup_message_get_https_status (msg, NULL, &cert_flags);
+ if (using_https && cert_flags != 0)
+ {
+ goa_utils_set_error_ssl (&error, cert_flags);
+ goto out;
+ }
+ }
+
op_res = TRUE;
out:
@@ -183,6 +197,7 @@ goa_http_client_check (GoaHttpClient *client,
const gchar *uri,
const gchar *username,
const gchar *password,
+ gboolean accept_ssl_errors,
GCancellable *cancellable,
GAsyncReadyCallback callback,
gpointer user_data)
@@ -199,13 +214,17 @@ goa_http_client_check (GoaHttpClient *client,
data = g_slice_new0 (CheckData);
data->res = g_simple_async_result_new (G_OBJECT (client), callback, user_data, goa_http_client_check);
- data->session = soup_session_async_new_with_options (SOUP_SESSION_USE_THREAD_CONTEXT, TRUE,
+ data->session = soup_session_async_new_with_options (SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE, TRUE,
+ SOUP_SESSION_SSL_STRICT, FALSE,
+ SOUP_SESSION_USE_THREAD_CONTEXT, TRUE,
NULL);
logger = soup_logger_new (SOUP_LOGGER_LOG_BODY, -1);
soup_logger_set_printer (logger, http_client_log_printer, NULL, NULL);
soup_session_add_feature (data->session, SOUP_SESSION_FEATURE (logger));
g_object_unref (logger);
+ data->accept_ssl_errors = accept_ssl_errors;
+
data->msg = soup_message_new (SOUP_METHOD_GET, uri);
soup_message_headers_append (data->msg->request_headers, "Connection", "close");
@@ -271,6 +290,7 @@ goa_http_client_check_sync (GoaHttpClient *client,
const gchar *uri,
const gchar *username,
const gchar *password,
+ gboolean accept_ssl_errors,
GCancellable *cancellable,
GError **error)
{
@@ -287,6 +307,7 @@ goa_http_client_check_sync (GoaHttpClient *client,
uri,
username,
password,
+ accept_ssl_errors,
cancellable,
http_client_check_sync_cb,
&data);
diff --git a/src/goabackend/goahttpclient.h b/src/goabackend/goahttpclient.h
index 0e46f94..bad5c9b 100644
--- a/src/goabackend/goahttpclient.h
+++ b/src/goabackend/goahttpclient.h
@@ -1,6 +1,6 @@
/* -*- mode: C; c-file-style: "gnu"; indent-tabs-mode: nil; -*- */
/*
- * Copyright (C) 2012 Red Hat, Inc.
+ * Copyright (C) 2012, 2013 Red Hat, Inc.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
@@ -41,6 +41,7 @@ void goa_http_client_check (GoaHttpClient *client,
const gchar *uri,
const gchar *username,
const gchar *password,
+ gboolean accept_ssl_errors,
GCancellable *cancellable,
GAsyncReadyCallback callback,
gpointer gpointer);
@@ -51,6 +52,7 @@ gboolean goa_http_client_check_sync (GoaHttpClient *client,
const gchar *uri,
const gchar *username,
const gchar *password,
+ gboolean accept_ssl_errors,
GCancellable *cancellable,
GError **error);
diff --git a/src/goabackend/goaowncloudprovider.c b/src/goabackend/goaowncloudprovider.c
index a5255ee..63f9767 100644
--- a/src/goabackend/goaowncloudprovider.c
+++ b/src/goabackend/goaowncloudprovider.c
@@ -1,6 +1,6 @@
/* -*- mode: C; c-file-style: "gnu"; indent-tabs-mode: nil; -*- */
/*
- * Copyright (C) 2012 Red Hat, Inc.
+ * Copyright (C) 2012, 2013 Red Hat, Inc.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
@@ -110,6 +110,7 @@ build_object (GoaProvider *provider,
GoaFiles *files;
GoaPasswordBased *password_based;
SoupURI *uri;
+ gboolean accept_ssl_errors;
gboolean calendar_enabled;
gboolean contacts_enabled;
gboolean files_enabled;
@@ -158,6 +159,8 @@ build_object (GoaProvider *provider,
if (uri != NULL)
soup_uri_set_user (uri, identity);
+ accept_ssl_errors = g_key_file_get_boolean (key_file, group, "AcceptSslErrors", NULL);
+
/* Calendar */
calendar = goa_object_get_calendar (GOA_OBJECT (object));
calendar_enabled = g_key_file_get_boolean (key_file, group, "CalendarEnabled", NULL);
@@ -179,7 +182,10 @@ build_object (GoaProvider *provider,
}
calendar = goa_calendar_skeleton_new ();
- g_object_set (G_OBJECT (calendar), "uri", uri_caldav, NULL);
+ g_object_set (G_OBJECT (calendar),
+ "accept-ssl-errors", accept_ssl_errors,
+ "uri", uri_caldav,
+ NULL);
goa_object_skeleton_set_calendar (object, calendar);
g_free (uri_caldav);
}
@@ -211,7 +217,10 @@ build_object (GoaProvider *provider,
}
contacts = goa_contacts_skeleton_new ();
- g_object_set (G_OBJECT (contacts), "uri", uri_carddav, NULL);
+ g_object_set (G_OBJECT (contacts),
+ "accept-ssl-errors", accept_ssl_errors,
+ "uri", uri_carddav,
+ NULL);
goa_object_skeleton_set_contacts (object, contacts);
g_free (uri_carddav);
}
@@ -250,7 +259,10 @@ build_object (GoaProvider *provider,
}
files = goa_files_skeleton_new ();
- g_object_set (G_OBJECT (files), "uri", uri_webdav, NULL);
+ g_object_set (G_OBJECT (files),
+ "accept-ssl-errors", accept_ssl_errors,
+ "uri", uri_webdav,
+ NULL);
goa_object_skeleton_set_files (object, files);
g_free (uri_webdav);
}
@@ -305,6 +317,7 @@ ensure_credentials_sync (GoaProvider *provider,
GVariant *credentials;
GoaAccount *account;
GoaHttpClient *http_client;
+ gboolean accept_ssl_errors;
gboolean ret;
const gchar *username;
gchar *password;
@@ -335,6 +348,7 @@ ensure_credentials_sync (GoaProvider *provider,
goto out;
}
+ accept_ssl_errors = goa_util_lookup_keyfile_boolean (object, "AcceptSslErrors");
uri = goa_util_lookup_keyfile_string (object, "Uri");
uri_webdav = g_strconcat (uri, WEBDAV_ENDPOINT, NULL);
@@ -358,6 +372,7 @@ ensure_credentials_sync (GoaProvider *provider,
uri_webdav,
username,
password,
+ accept_ssl_errors,
cancellable,
error);
if (!ret)
@@ -680,6 +695,7 @@ add_account (GoaProvider *provider,
GVariantBuilder details;
GoaHttpClient *http_client;
GoaObject *ret;
+ gboolean accept_ssl_errors;
const gchar *uri_text;
const gchar *password;
const gchar *username;
@@ -691,6 +707,7 @@ add_account (GoaProvider *provider,
gint response;
http_client = NULL;
+ accept_ssl_errors = FALSE;
presentation_identity = NULL;
server = NULL;
uri = NULL;
@@ -742,6 +759,7 @@ add_account (GoaProvider *provider,
uri_webdav,
username,
password,
+ accept_ssl_errors,
data.cancellable,
check_cb,
&data);
@@ -765,6 +783,17 @@ add_account (GoaProvider *provider,
{
gchar *markup;
+ if (data.error->code == GOA_ERROR_SSL)
+ {
+ gtk_button_set_label (GTK_BUTTON (data.connect_button), _("_Ignore"));
+ accept_ssl_errors = TRUE;
+ }
+ else
+ {
+ gtk_button_set_label (GTK_BUTTON (data.connect_button), _("_Try Again"));
+ accept_ssl_errors = FALSE;
+ }
+
markup = g_strdup_printf ("<b>%s:</b> %s",
_("Error connecting to ownCloud server"),
data.error->message);
@@ -773,7 +802,6 @@ add_account (GoaProvider *provider,
gtk_label_set_markup (GTK_LABEL (data.cluebar_label), markup);
g_free (markup);
- gtk_button_set_label (GTK_BUTTON (data.connect_button), _("_Try Again"));
gtk_widget_set_no_show_all (data.cluebar, FALSE);
gtk_widget_show_all (data.cluebar);
@@ -792,6 +820,7 @@ add_account (GoaProvider *provider,
g_variant_builder_add (&details, "{ss}", "ContactsEnabled", "true");
g_variant_builder_add (&details, "{ss}", "FilesEnabled", "true");
g_variant_builder_add (&details, "{ss}", "Uri", uri);
+ g_variant_builder_add (&details, "{ss}", "AcceptSslErrors", (accept_ssl_errors) ? "true" : "false");
/* OK, everything is dandy, add the account */
/* we want the GoaClient to update before this method returns (so it
@@ -850,6 +879,7 @@ refresh_account (GoaProvider *provider,
GoaHttpClient *http_client;
GtkWidget *dialog;
GtkWidget *vbox;
+ gboolean accept_ssl_errors;
gboolean ret;
const gchar *password;
const gchar *username;
@@ -889,6 +919,7 @@ refresh_account (GoaProvider *provider,
create_account_details_ui (provider, GTK_DIALOG (dialog), GTK_BOX (vbox), FALSE, &data);
+ accept_ssl_errors = goa_util_lookup_keyfile_boolean (object, "AcceptSslErrors");
uri = goa_util_lookup_keyfile_string (object, "Uri");
gtk_entry_set_text (GTK_ENTRY (data.uri), uri);
gtk_editable_set_editable (GTK_EDITABLE (data.uri), FALSE);
@@ -921,6 +952,7 @@ refresh_account (GoaProvider *provider,
uri_webdav,
username,
password,
+ accept_ssl_errors,
data.cancellable,
check_cb,
&data);
diff --git a/src/goabackend/goautils.c b/src/goabackend/goautils.c
index 4b07b02..398b2ed 100644
--- a/src/goabackend/goautils.c
+++ b/src/goabackend/goautils.c
@@ -1,6 +1,6 @@
/* -*- mode: C; c-file-style: "gnu"; indent-tabs-mode: nil; -*- */
/*
- * Copyright (C) 2012 Red Hat, Inc.
+ * Copyright (C) 2012, 2013 Red Hat, Inc.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
@@ -465,3 +465,43 @@ goa_utils_keyfile_set_string (GoaAccount *account, const gchar *key, const gchar
g_free (group);
g_free (path);
}
+
+void
+goa_utils_set_error_ssl (GError **err, GTlsCertificateFlags flags)
+{
+ const gchar *error_msg;
+
+ switch (flags)
+ {
+ case G_TLS_CERTIFICATE_UNKNOWN_CA:
+ error_msg = _("The signing certificate authority is not known.");
+ break;
+
+ case G_TLS_CERTIFICATE_BAD_IDENTITY:
+ error_msg = _("The certificate does not match the expected identity of the site that it was "
+ "retrieved from.");
+ break;
+
+ case G_TLS_CERTIFICATE_NOT_ACTIVATED:
+ error_msg = _("The certificate's activation time is still in the future.");
+ break;
+
+ case G_TLS_CERTIFICATE_EXPIRED:
+ error_msg = _("The certificate has expired.");
+ break;
+
+ case G_TLS_CERTIFICATE_REVOKED:
+ error_msg = _("The certificate has been revoked.");
+ break;
+
+ case G_TLS_CERTIFICATE_INSECURE:
+ error_msg = _("The certificate's algorithm is considered insecure.");
+ break;
+
+ default:
+ error_msg = _("Invalid certificate.");
+ break;
+ }
+
+ g_set_error (err, GOA_ERROR, GOA_ERROR_SSL, error_msg);
+}
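Review bot: `g_set_error (err, GOA_ERROR, GOA_ERROR_SSL, error_msg)` passes a translated string as the format argument, so any translation containing a `%` would be parsed as a conversion specification; use `g_set_error_literal (err, GOA_ERROR, GOA_ERROR_SSL, error_msg);` instead. The `switch (flags)` also only matches single-bit values of the GTlsCertificateFlags bitmask, so a certificate that is, for example, both expired and from an unknown CA falls through to the generic "Invalid certificate." message; if the specific reasons matter, test the bits individually with `if (flags & G_TLS_CERTIFICATE_EXPIRED)` and similar rather than switching on the whole value. A short doc comment above the function stating that flags is a bitmask and that the error is always set in the GOA_ERROR domain with code GOA_ERROR_SSL would help callers.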
diff --git a/src/goabackend/goautils.h b/src/goabackend/goautils.h
index f38828f..fdce9cd 100644
--- a/src/goabackend/goautils.h
+++ b/src/goabackend/goautils.h
@@ -1,6 +1,6 @@
/* -*- mode: C; c-file-style: "gnu"; indent-tabs-mode: nil; -*- */
/*
- * Copyright (C) 2012 Red Hat, Inc.
+ * Copyright (C) 2012, 2013 Red Hat, Inc.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
@@ -27,6 +27,7 @@
#ifndef __GOA_UTILS_H__
#define __GOA_UTILS_H__
+#include <gio/gio.h>
#include <glib.h>
#include <gtk/gtk.h>
#include <goabackend/goabackendtypes.h>
@@ -71,6 +72,8 @@ void goa_utils_keyfile_set_boolean (GoaAccount *account, const gchar
void goa_utils_keyfile_set_string (GoaAccount *account, const gchar *key, const gchar *value);
+void goa_utils_set_error_ssl (GError **err, GTlsCertificateFlags flags);
+
G_END_DECLS
#endif /* __GOA_UTILS_H__ */
diff --git a/src/goabackend/goawebview.c b/src/goabackend/goawebview.c
index fac69ff..e8826a5 100644
--- a/src/goabackend/goawebview.c
+++ b/src/goabackend/goawebview.c
@@ -1,6 +1,6 @@
/* -*- mode: C; c-file-style: "gnu"; indent-tabs-mode: nil; -*-
*
- * Copyright (C) 2012 Red Hat, Inc.
+ * Copyright (C) 2012, 2013 Red Hat, Inc.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
@@ -235,6 +235,7 @@ goa_web_view_init (GoaWebView *self)
priv = self->priv;
session = webkit_get_default_session ();
+ g_object_set (session, SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE, TRUE, SOUP_SESSION_SSL_STRICT, TRUE, NULL);
soup_session_add_feature_by_type (session, SOUP_TYPE_PROXY_RESOLVER_DEFAULT);
g_object_set (session, "accept-language-auto", TRUE, NULL);
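Review bot: The new `g_object_set` line has no comment recording why ssl-strict is forced on here while goaewsclient.c and goahttpclient.c in the same commit set it to FALSE; a one-line comment such as `/* Branded providers never present invalid certificates, so fail hard on any TLS error */` would keep that rationale in the code rather than only in the commit message. Since this is the session returned by webkit_get_default_session, the setting presumably applies to every WebKit view in the process, which is worth stating in the same comment. goa_web_view_init starts and ends outside this hunk.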