[network-manager-openconnect] Bug 770880 - Disallow manual cert acceptance
- From: dwmw2 <dwmw2 src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [network-manager-openconnect] Bug 770880 - Disallow manual cert acceptance
- Date: Thu, 15 Dec 2016 13:08:13 +0000 (UTC)
commit 84f3ca01e6ec8fb4a15dfcd7cc1c20115ff6dd9d
Author: David Woodhouse <dwmw2 infradead org>
Date: Thu Dec 15 12:53:37 2016 +0000
Bug 770880 - Disallow manual cert acceptance
auth-dialog/main.c | 35 ++++++++++++++++++----------
properties/nm-openconnect-dialog.ui | 19 +++++++++++++++
properties/nm-openconnect-editor-plugin.c | 12 ++++++++++
properties/nm-openconnect-editor.c | 14 +++++++++++
shared/nm-service-defines.h | 1 +
src/nm-openconnect-service.c | 1 +
6 files changed, 69 insertions(+), 13 deletions(-)
---
diff --git a/auth-dialog/main.c b/auth-dialog/main.c
index 63d570a..508c8f3 100644
--- a/auth-dialog/main.c
+++ b/auth-dialog/main.c
@@ -756,6 +756,9 @@ static gboolean user_validate_cert(cert_data *data)
{
auth_ui_data *ui_data = _ui_data; /* FIXME global */
+ char *prevent_invalid_cert;
+ gboolean invalid_cert_allowed;
+
GtkWidget *dlg;
char *title;
@@ -813,21 +816,27 @@ static gboolean user_validate_cert(cert_data *data)
g_signal_connect(cancel_button, "clicked", G_CALLBACK(cert_dialog_cancel_clicked), dlg);
gtk_widget_show(cancel_button);
- security_expander = gtk_expander_new(_("I really know what I am doing"));
- gtk_box_pack_start(GTK_BOX(vbox), security_expander, FALSE, FALSE, 0);
- gtk_widget_show(security_expander);
+ prevent_invalid_cert = g_hash_table_lookup(ui_data->options,
+ NM_OPENCONNECT_KEY_PREVENT_INVALID_CERT);
+ invalid_cert_allowed = prevent_invalid_cert ? !strcmp(prevent_invalid_cert, "no") : TRUE;
+
+ if (invalid_cert_allowed) {
+ security_expander = gtk_expander_new(_("I really know what I am doing"));
+ gtk_box_pack_start(GTK_BOX(vbox), security_expander, FALSE, FALSE, 0);
+ gtk_widget_show(security_expander);
- expander_hbox = gtk_box_new(GTK_ORIENTATION_HORIZONTAL, 0);
- gtk_container_add(GTK_CONTAINER(security_expander), expander_hbox);
- gtk_container_set_border_width(GTK_CONTAINER(expander_hbox), 0);
- gtk_widget_show(expander_hbox);
+ expander_hbox = gtk_box_new(GTK_ORIENTATION_HORIZONTAL, 0);
+ gtk_container_add(GTK_CONTAINER(security_expander), expander_hbox);
+ gtk_container_set_border_width(GTK_CONTAINER(expander_hbox), 0);
+ gtk_widget_show(expander_hbox);
- connect_button = gtk_button_new_with_label(_("Connect anyway"));
- gtk_box_pack_start(GTK_BOX(expander_hbox), connect_button, FALSE, FALSE, 0);
- gtk_widget_set_margin_start(connect_button, 12);
- gtk_widget_set_margin_top(connect_button, 8);
- g_signal_connect(connect_button, "clicked", G_CALLBACK(cert_dialog_connect_clicked), dlg);
- gtk_widget_show(connect_button);
+ connect_button = gtk_button_new_with_label(_("Connect anyway"));
+ gtk_box_pack_start(GTK_BOX(expander_hbox), connect_button, FALSE, FALSE, 0);
+ gtk_widget_set_margin_start(connect_button, 12);
+ gtk_widget_set_margin_top(connect_button, 8);
+ g_signal_connect(connect_button, "clicked", G_CALLBACK(cert_dialog_connect_clicked), dlg);
+ gtk_widget_show(connect_button);
+ }
result = gtk_dialog_run(GTK_DIALOG(dlg));
diff --git a/properties/nm-openconnect-dialog.ui b/properties/nm-openconnect-dialog.ui
index 28283ba..8f2bb60 100644
--- a/properties/nm-openconnect-dialog.ui
+++ b/properties/nm-openconnect-dialog.ui
@@ -609,6 +609,25 @@
<property name="fill">False</property>
</packing>
</child>
+ <child>
+ <object class="GtkCheckButton" id="prevent_invalid_cert_button">
+ <property name="border_width">2</property>
+ <property name="visible">True</property>
+ <property name="can_focus">True</property>
+ <property name="label" translatable="yes">Prevent user from manually accepting invalid
certificates</property>
+ <property name="use_underline">True</property>
+ <property name="relief">GTK_RELIEF_NORMAL</property>
+ <property name="focus_on_click">True</property>
+ <property name="active">False</property>
+ <property name="inconsistent">False</property>
+ <property name="draw_indicator">True</property>
+ </object>
+ <packing>
+ <property name="padding">0</property>
+ <property name="expand">False</property>
+ <property name="fill">False</property>
+ </packing>
+ </child>
</object>
<packing>
<property name="padding">0</property>
diff --git a/properties/nm-openconnect-editor-plugin.c b/properties/nm-openconnect-editor-plugin.c
index f578000..c7af0e4 100644
--- a/properties/nm-openconnect-editor-plugin.c
+++ b/properties/nm-openconnect-editor-plugin.c
@@ -192,6 +192,11 @@ import (NMVpnEditorPlugin *iface, const char *path, GError **error)
bval = g_key_file_get_boolean (keyfile, "openconnect", "FSID", NULL);
if (bval)
nm_setting_vpn_add_data_item (s_vpn, NM_OPENCONNECT_KEY_PEM_PASSPHRASE_FSID, "yes");
+
+ /* Prevent invalid cert */
+ bval = g_key_file_get_boolean (keyfile, "openconnect", "PreventInvalidCert", NULL);
+ if (true)
+ nm_setting_vpn_add_data_item (s_vpn, NM_OPENCONNECT_KEY_PREVENT_INVALID_CERT, "yes");
/* Soft token mode */
buf = g_key_file_get_string (keyfile, "openconnect", "StokenSource", NULL);
@@ -224,6 +229,7 @@ export (NMVpnEditorPlugin *iface,
const char *usercert = NULL;
const char *privkey = NULL;
gboolean pem_passphrase_fsid = FALSE;
+ gboolean prevent_invalid_cert = FALSE;
const char *token_mode = NULL;
const char *token_secret = NULL;
gboolean success = FALSE;
@@ -284,6 +290,10 @@ export (NMVpnEditorPlugin *iface,
value = nm_setting_vpn_get_data_item (s_vpn, NM_OPENCONNECT_KEY_PEM_PASSPHRASE_FSID);
if (value && !strcmp (value, "yes"))
pem_passphrase_fsid = TRUE;
+
+ value = nm_setting_vpn_get_data_item (s_vpn, NM_OPENCONNECT_KEY_PREVENT_INVALID_CERT);
+ if (value && !strcmp (value, "yes"))
+ prevent_invalid_cert = TRUE;
value = nm_setting_vpn_get_data_item (s_vpn, NM_OPENCONNECT_KEY_TOKEN_MODE);
if (value && strlen (value))
@@ -310,6 +320,7 @@ export (NMVpnEditorPlugin *iface,
"UserCertificate=%s\n"
"PrivateKey=%s\n"
"FSID=%s\n"
+ "PreventInvalidCert=%s\n"
"StokenSource=%s\n"
"StokenString=%s\n",
/* Description */ nm_setting_connection_get_id (s_con),
@@ -322,6 +333,7 @@ export (NMVpnEditorPlugin *iface,
/* User Certificate */ usercert,
/* Private Key */ privkey,
/* FSID */ pem_passphrase_fsid ? "1" : "0",
+ /* Prevent invalid cert */ prevent_invalid_cert ? "1" : "0",
/* Soft token mode */ token_mode ? token_mode : "",
/* Soft token secret */ token_secret ? token_secret : "");
diff --git a/properties/nm-openconnect-editor.c b/properties/nm-openconnect-editor.c
index f6cdb45..fba9fd9 100644
--- a/properties/nm-openconnect-editor.c
+++ b/properties/nm-openconnect-editor.c
@@ -326,6 +326,16 @@ init_editor_plugin (OpenconnectEditor *self, NMConnection *connection, GError **
}
g_signal_connect (G_OBJECT (widget), "toggled", G_CALLBACK (stuff_changed_cb), self);
+ widget = GTK_WIDGET (gtk_builder_get_object (priv->builder, "prevent_invalid_cert_button"));
+ if (!widget)
+ return FALSE;
+ if (s_vpn) {
+ value = nm_setting_vpn_get_data_item (s_vpn, NM_OPENCONNECT_KEY_PREVENT_INVALID_CERT);
+ if (value && !strcmp(value, "yes"))
+ gtk_toggle_button_set_active(GTK_TOGGLE_BUTTON (widget), TRUE);
+ }
+ g_signal_connect (G_OBJECT (widget), "toggled", G_CALLBACK (stuff_changed_cb), self);
+
widget = GTK_WIDGET (gtk_builder_get_object (priv->builder, "csd_button"));
if (!widget)
return FALSE;
@@ -416,6 +426,10 @@ update_connection (NMVpnEditor *iface,
str = gtk_toggle_button_get_active(GTK_TOGGLE_BUTTON (widget))?"yes":"no";
nm_setting_vpn_add_data_item (s_vpn, NM_OPENCONNECT_KEY_PEM_PASSPHRASE_FSID, str);
+ widget = GTK_WIDGET (gtk_builder_get_object (priv->builder, "prevent_invalid_cert_button"));
+ str = gtk_toggle_button_get_active(GTK_TOGGLE_BUTTON (widget))?"yes":"no";
+ nm_setting_vpn_add_data_item (s_vpn, NM_OPENCONNECT_KEY_PREVENT_INVALID_CERT, str);
+
widget = GTK_WIDGET (gtk_builder_get_object (priv->builder, "csd_button"));
str = gtk_toggle_button_get_active(GTK_TOGGLE_BUTTON (widget))?"yes":"no";
nm_setting_vpn_add_data_item (s_vpn, NM_OPENCONNECT_KEY_CSD_ENABLE, str);
diff --git a/shared/nm-service-defines.h b/shared/nm-service-defines.h
index 08fca3b..60dfb35 100644
--- a/shared/nm-service-defines.h
+++ b/shared/nm-service-defines.h
@@ -40,6 +40,7 @@
#define NM_OPENCONNECT_KEY_PRIVKEY "userkey"
#define NM_OPENCONNECT_KEY_MTU "mtu"
#define NM_OPENCONNECT_KEY_PEM_PASSPHRASE_FSID "pem_passphrase_fsid"
+#define NM_OPENCONNECT_KEY_PREVENT_INVALID_CERT "prevent_invalid_cert"
#define NM_OPENCONNECT_KEY_PROTOCOL "protocol"
#define NM_OPENCONNECT_KEY_PROXY "proxy"
#define NM_OPENCONNECT_KEY_CSD_ENABLE "enable_csd_trojan"
diff --git a/src/nm-openconnect-service.c b/src/nm-openconnect-service.c
index dc82a9f..77934aa 100644
--- a/src/nm-openconnect-service.c
+++ b/src/nm-openconnect-service.c
@@ -86,6 +86,7 @@ static const ValidProperty valid_properties[] = {
{ NM_OPENCONNECT_KEY_PRIVKEY, G_TYPE_STRING, 0, 0 },
{ NM_OPENCONNECT_KEY_MTU, G_TYPE_STRING, 0, 0 },
{ NM_OPENCONNECT_KEY_PEM_PASSPHRASE_FSID, G_TYPE_BOOLEAN, 0, 0 },
+ { NM_OPENCONNECT_KEY_PREVENT_INVALID_CERT, G_TYPE_BOOLEAN, 0, 0 },
{ NM_OPENCONNECT_KEY_PROTOCOL, G_TYPE_STRING, 0, 0 },
{ NM_OPENCONNECT_KEY_PROXY, G_TYPE_STRING, 0, 0 },
{ NM_OPENCONNECT_KEY_CSD_ENABLE, G_TYPE_BOOLEAN, 0, 0 },
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]
