[network-manager-openconnect/NETWORKMANAGER_0_7] Pass server's SSL certificate signature to openconnect as VPN 'secret'.



commit b1bf89214f2326456d5cca3caebd64207c8b3355
Author: David Woodhouse <David Woodhouse intel com>
Date:   Tue May 26 18:44:25 2009 +0100

    Pass server's SSL certificate signature to openconnect as VPN 'secret'.
    
    Since we run openconnect as an unprivileged user, it may not be able to
    read the original trust chain and validate the certificate for itself.
    But since the auth-dialog has already connected to the server and done
    the authentication, it can just give us the known signature for the
    certificate the server is using today...

 src/nm-openconnect-service.c |   13 +++++++++++--
 src/nm-openconnect-service.h |    1 +
 2 files changed, 12 insertions(+), 2 deletions(-)
---
diff --git a/src/nm-openconnect-service.c b/src/nm-openconnect-service.c
index a5ef2c3..c4846ff 100644
--- a/src/nm-openconnect-service.c
+++ b/src/nm-openconnect-service.c
@@ -84,6 +84,7 @@ static ValidProperty valid_properties[] = {
 static ValidProperty valid_secrets[] = {
 	{ NM_OPENCONNECT_KEY_COOKIE,  G_TYPE_STRING, 0, 0 },
 	{ NM_OPENCONNECT_KEY_GATEWAY, G_TYPE_STRING, 0, 0 },
+	{ NM_OPENCONNECT_KEY_GWCERT,  G_TYPE_STRING, 0, 0 },
 	{ NULL,                       G_TYPE_NONE, 0, 0 }
 };
 
@@ -258,7 +259,7 @@ nm_openconnect_start_openconnect_binary (NMOPENCONNECTPlugin *plugin,
 	GPtrArray *openconnect_argv;
 	GSource *openconnect_watch;
 	gint	stdin_fd;
-	const char *props_vpn_gw, *props_cookie, *props_cacert, *props_mtu;
+	const char *props_vpn_gw, *props_cookie, *props_cacert, *props_mtu, *props_gwcert;
 	
 	/* Find openconnect */
 	openconnect_binary = openconnect_binary_paths;
@@ -298,6 +299,7 @@ nm_openconnect_start_openconnect_binary (NMOPENCONNECTPlugin *plugin,
 		             "No WebVPN cookie provided.");
 		return -1;
 	}
+	props_gwcert = nm_setting_vpn_get_secret (s_vpn, NM_OPENCONNECT_KEY_GWCERT);
 
 	props_cacert = nm_setting_vpn_get_data_item (s_vpn, NM_OPENCONNECT_KEY_CACERT);
 	props_mtu = nm_setting_vpn_get_data_item (s_vpn, NM_OPENCONNECT_KEY_MTU);
@@ -305,7 +307,10 @@ nm_openconnect_start_openconnect_binary (NMOPENCONNECTPlugin *plugin,
 	openconnect_argv = g_ptr_array_new ();
 	g_ptr_array_add (openconnect_argv, (gpointer) (*openconnect_binary));
 
-	if (props_cacert && strlen(props_cacert)) {
+	if (props_gwcert && strlen(props_gwcert)) {
+		g_ptr_array_add (openconnect_argv, (gpointer) "--servercert");
+		g_ptr_array_add (openconnect_argv, (gpointer) props_gwcert);
+	} else if (props_cacert && strlen(props_cacert)) {
 		g_ptr_array_add (openconnect_argv, (gpointer) "--cafile");
 		g_ptr_array_add (openconnect_argv, (gpointer) props_cacert);
 	}
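Review bot: With the new branch ordering, a gateway-cert signature supplied as a secret now takes precedence over a CA file the connection was configured with, so `--cafile` is silently never passed once the auth dialog has stored a pin; that is consistent with the commit message, but nothing in the code records why, and a later reader may "fix" the order back. A comment above the condition would pin the intent: `/* A server-cert signature from the auth dialog wins over --cafile: the unprivileged openconnect process may not be able to read the CA chain. */`. The value is handed to openconnect as a plain argv element with only a non-empty check, so any format validation of the signature is left entirely to openconnect; if that is the contract, the comment should say so too. nm_openconnect_start_openconnect_binary begins and ends outside this hunk.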
@@ -413,6 +418,10 @@ real_need_secrets (NMVPNPlugin *plugin,
 		*setting_name = NM_SETTING_VPN_SETTING_NAME;
 		return TRUE;
 	}
+	if (!nm_setting_vpn_get_data_item (s_vpn, NM_OPENCONNECT_KEY_GWCERT)) {
+		*setting_name = NM_SETTING_VPN_SETTING_NAME;
+		return TRUE;
+	}
 	return FALSE;
 }
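Review bot: The new check in real_need_secrets looks for NM_OPENCONNECT_KEY_GWCERT among the connection's data items, but the same key is registered in valid_secrets and is read with nm_setting_vpn_get_secret in the start-binary hunk above; unless the auth dialog also stores it as a data item, this will keep reporting secrets as missing after they were supplied. The condition should query the same store the consumer reads from: `if (!nm_setting_vpn_get_secret (s_vpn, NM_OPENCONNECT_KEY_GWCERT)) {`. It also makes the gateway-cert secret mandatory even for connections that rely on cacert instead; if that is intended, a short comment on the check explaining that the dialog always provides the signature would help. real_need_secrets begins outside this hunk.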
 
diff --git a/src/nm-openconnect-service.h b/src/nm-openconnect-service.h
index 27076cd..98c5026 100644
--- a/src/nm-openconnect-service.h
+++ b/src/nm-openconnect-service.h
@@ -42,6 +42,7 @@
 
 #define NM_OPENCONNECT_KEY_GATEWAY "gateway"
 #define NM_OPENCONNECT_KEY_COOKIE "cookie"
+#define NM_OPENCONNECT_KEY_GWCERT "gwcert"
 #define NM_OPENCONNECT_KEY_AUTHTYPE "authtype"
 #define NM_OPENCONNECT_KEY_USERCERT "usercert"
 #define NM_OPENCONNECT_KEY_CACERT "cacert"


