[network-manager-openvpn/bg/tls-crypt: 3/4] use new key for tls-crypt
- From: Beniamino Galvani <bgalvani src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [network-manager-openvpn/bg/tls-crypt: 3/4] use new key for tls-crypt
- Date: Thu, 11 May 2017 15:24:39 +0000 (UTC)
commit cd455f49179859fd9bc485375725f6af7c0e7d24
Author: Beniamino Galvani <bgalvani redhat com>
Date: Thu May 11 17:23:41 2017 +0200
use new key for tls-crypt
properties/import-export.c | 31 ++++++----
properties/tests/test-import-export.c | 104 +++++++++++++++++++++++++++++++++
shared/nm-service-defines.h | 1 +
src/nm-openvpn-service.c | 23 +++++---
4 files changed, 139 insertions(+), 20 deletions(-)
---
diff --git a/properties/import-export.c b/properties/import-export.c
index c5cae86..ec3ef05 100644
--- a/properties/import-export.c
+++ b/properties/import-export.c
@@ -1198,11 +1198,13 @@ do_import (const char *path, const char *contents, gsize contents_len, GError **
if (s_direction)
setting_vpn_add_data_item (s_vpn,
NM_OPENVPN_KEY_STATIC_KEY_DIRECTION, s_direction);
have_sk = TRUE;
- } else if (NM_IN_STRSET (params[0], NMV_OVPN_TAG_TLS_AUTH, NMV_OVPN_TAG_TLS_CRYPT)) {
+ } else if (NM_IN_STRSET (params[0], NMV_OVPN_TAG_TLS_AUTH)) {
setting_vpn_add_data_item_path (s_vpn, NM_OPENVPN_KEY_TA, file);
if (s_direction)
setting_vpn_add_data_item (s_vpn, NM_OPENVPN_KEY_TA_DIR, s_direction);
- } else
+ } else if (NM_IN_STRSET (params[0], NMV_OVPN_TAG_TLS_CRYPT))
+ setting_vpn_add_data_item_path (s_vpn, NM_OPENVPN_KEY_TLS_CRYPT, file);
+ else
g_assert_not_reached ();
continue;
}
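Review bot: The new `else if (NM_IN_STRSET (params[0], NMV_OVPN_TAG_TLS_CRYPT))` branch stores the key path but silently discards `s_direction`, so a line such as `tls-crypt key 1` imports without complaint even though tls-crypt takes no key-direction argument. `s_direction` is computed outside this hunk so I cannot confirm how it is derived, but if it comes from a trailing token the importer should reject that line, or at least warn, the same way other malformed directives in do_import are reported, rather than drop the token. As a style point, the single-element `NM_IN_STRSET (params[0], NMV_OVPN_TAG_TLS_AUTH)` reads more naturally as `nm_streq (params[0], NMV_OVPN_TAG_TLS_AUTH)`. do_import begins and ends outside this hunk.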
@@ -1406,7 +1408,7 @@ do_import (const char *path, const char *contents, gsize contents_len, GError **
is_base64 = TRUE;
key = NULL;
} else if (nm_streq (token, INLINE_BLOB_TLS_CRYPT))
- key = NM_OPENVPN_KEY_TA;
+ key = NM_OPENVPN_KEY_TLS_CRYPT;
else if (nm_streq (token, INLINE_BLOB_TLS_AUTH)) {
key = NM_OPENVPN_KEY_TA;
can_have_direction = TRUE;
@@ -1939,7 +1941,7 @@ do_export_create (NMConnection *connection, const char *path, GError **error)
if (NM_IN_STRSET (connection_type,
NM_OPENVPN_CONTYPE_TLS,
NM_OPENVPN_CONTYPE_PASSWORD_TLS)) {
- const char *x509_name, *ta_key;
+ const char *x509_name, *key;
args_write_line_setting_value (f, NMV_OVPN_TAG_REMOTE_CERT_TLS, s_vpn,
NM_OPENVPN_KEY_REMOTE_CERT_TLS);
args_write_line_setting_value (f, NMV_OVPN_TAG_NS_CERT_TYPE, s_vpn,
NM_OPENVPN_KEY_NS_CERT_TYPE);
@@ -1960,16 +1962,23 @@ do_export_create (NMConnection *connection, const char *path, GError **error)
args_write_line (f, NMV_OVPN_TAG_VERIFY_X509_NAME, name, type);
}
- ta_key = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_TA);
- if (_arg_is_set (ta_key)) {
+ key = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_TA);
+ if (_arg_is_set (key)) {
gs_free char *s_free = NULL;
- const char *ta_dir = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_TA_DIR);
- const char *tls_type = _arg_is_set (ta_dir) ? NMV_OVPN_TAG_TLS_AUTH :
NMV_OVPN_TAG_TLS_CRYPT;
args_write_line (f,
- tls_type,
- nmv_utils_str_utf8safe_unescape_c (ta_key, &s_free),
- _arg_is_set (ta_dir));
+ NMV_OVPN_TAG_TLS_AUTH,
+ nmv_utils_str_utf8safe_unescape_c (key, &s_free),
+ _arg_is_set (nm_setting_vpn_get_data_item (s_vpn,
NM_OPENVPN_KEY_TA_DIR)));
}
+
+ key = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_TLS_CRYPT);
+ if (_arg_is_set (key)) {
+ gs_free char *s_free = NULL;
+ args_write_line (f,
+ NMV_OVPN_TAG_TLS_CRYPT,
+ nmv_utils_str_utf8safe_unescape_c (key, &s_free));
+ }
+
}
proxy_type = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_PROXY_TYPE);
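Review bot: The two new blocks write both a `tls-auth` and a `tls-crypt` directive whenever both `NM_OPENVPN_KEY_TA` and `NM_OPENVPN_KEY_TLS_CRYPT` are set, and as far as I recall OpenVPN's option parser treats those two as mutually exclusive and refuses to start, so the exported profile would be unusable. The service side of this same commit resolves the conflict by preferring tls-crypt, so the exporter should mirror that precedence and write only one of the two, which also keeps a later re-import from producing a connection that differs from the service's view. Connections created before this commit, where a tls-crypt key lived under `NM_OPENVPN_KEY_TA` without a direction, will now be exported as `tls-auth`; unless a later commit in this series migrates them, that is a silent behaviour change worth a comment here. do_export_create continues outside this hunk.

```c
/* … unchanged: verify-x509-name handling … */
key = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_TLS_CRYPT);
if (_arg_is_set (key)) {
	gs_free char *s_free = NULL;

	/* tls-crypt takes precedence over tls-auth, matching the
	 * service; OpenVPN does not accept both directives at once. */
	args_write_line (f,
	                 NMV_OVPN_TAG_TLS_CRYPT,
	                 nmv_utils_str_utf8safe_unescape_c (key, &s_free));
} else {
	key = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_TA);
	if (_arg_is_set (key)) {
		gs_free char *s_free = NULL;

		args_write_line (f,
		                 NMV_OVPN_TAG_TLS_AUTH,
		                 nmv_utils_str_utf8safe_unescape_c (key, &s_free),
		                 _arg_is_set (nm_setting_vpn_get_data_item (s_vpn,
		                                                            NM_OPENVPN_KEY_TA_DIR)));
	}
}
```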
diff --git a/properties/tests/test-import-export.c b/properties/tests/test-import-export.c
index a8ea385..b532759 100644
--- a/properties/tests/test-import-export.c
+++ b/properties/tests/test-import-export.c
@@ -278,6 +278,71 @@ test_tls_import (void)
}
static void
+test_tls_import_2 (void)
+{
+ _CREATE_PLUGIN (plugin);
+ NMConnection *connection;
+ NMSettingConnection *s_con;
+ NMSettingVpn *s_vpn;
+ char *expected_path;
+
+ connection = get_basic_connection (plugin, SRCDIR, "tls2.ovpn");
+ g_assert (connection);
+
+ /* Connection setting */
+ s_con = nm_connection_get_setting_connection (connection);
+ g_assert (s_con);
+ g_assert_cmpstr (nm_setting_connection_get_id (s_con), ==, "tls2");
+ g_assert (!nm_setting_connection_get_uuid (s_con));
+
+ /* VPN setting */
+ s_vpn = nm_connection_get_setting_vpn (connection);
+ g_assert (s_vpn);
+
+ /* Data items */
+ _check_item (s_vpn, NM_OPENVPN_KEY_CONNECTION_TYPE, NM_OPENVPN_CONTYPE_TLS);
+ _check_item (s_vpn, NM_OPENVPN_KEY_DEV, "tun");
+ _check_item (s_vpn, NM_OPENVPN_KEY_PROTO_TCP, NULL);
+ _check_item (s_vpn, NM_OPENVPN_KEY_COMP_LZO, "adaptive");
+ _check_item (s_vpn, NM_OPENVPN_KEY_FLOAT, "yes");
+ _check_item (s_vpn, NM_OPENVPN_KEY_RENEG_SECONDS, NULL);
+ _check_item (s_vpn, NM_OPENVPN_KEY_REMOTE, "173.8.149.245:1194");
+ _check_item (s_vpn, NM_OPENVPN_KEY_PORT, NULL);
+ _check_item (s_vpn, NM_OPENVPN_KEY_STATIC_KEY, NULL);
+ _check_item (s_vpn, NM_OPENVPN_KEY_STATIC_KEY_DIRECTION, NULL);
+ _check_item (s_vpn, NM_OPENVPN_KEY_CIPHER, NULL);
+ _check_item (s_vpn, NM_OPENVPN_KEY_LOCAL_IP, NULL);
+ _check_item (s_vpn, NM_OPENVPN_KEY_REMOTE_IP, NULL);
+ _check_item (s_vpn, NM_OPENVPN_KEY_AUTH, NULL);
+ _check_item (s_vpn, NM_OPENVPN_KEY_TLS_REMOTE, "/CN=myvpn.company.com");
+ _check_item (s_vpn, NM_OPENVPN_KEY_VERIFY_X509_NAME,
+ "subject:C=US, L=Cambridge, CN=GNOME, emailAddress=networkmanager-list gnome org");
+ _check_item (s_vpn, NM_OPENVPN_KEY_REMOTE_CERT_TLS, "server");
+
+ expected_path = g_strdup_printf ("%s/keys/mg8.ca", SRCDIR);
+ _check_item (s_vpn, NM_OPENVPN_KEY_CA, expected_path);
+ g_free (expected_path);
+
+ expected_path = g_strdup_printf ("%s/keys/clee.crt", SRCDIR);
+ _check_item (s_vpn, NM_OPENVPN_KEY_CERT, expected_path);
+ g_free (expected_path);
+
+ expected_path = g_strdup_printf ("%s/keys/clee.key", SRCDIR);
+ _check_item (s_vpn, NM_OPENVPN_KEY_KEY, expected_path);
+ g_free (expected_path);
+
+ expected_path = g_strdup_printf ("%s/keys/46.key", SRCDIR);
+ _check_item (s_vpn, NM_OPENVPN_KEY_TLS_CRYPT, expected_path);
+ g_free (expected_path);
+
+ /* Secrets */
+ _check_secret (s_vpn, NM_OPENVPN_KEY_PASSWORD, NULL);
+ _check_secret (s_vpn, NM_OPENVPN_KEY_CERTPASS, NULL);
+
+ g_object_unref (connection);
+}
+
+static void
test_file_contents (const char *id,
const char *dir,
NMSettingVpn *s_vpn,
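Review bot: test_tls_import_2 never asserts that the tls-crypt key did *not* also land under the old key, which is precisely the regression this commit guards against; add `_check_item (s_vpn, NM_OPENVPN_KEY_TA, NULL);` and `_check_item (s_vpn, NM_OPENVPN_KEY_TA_DIR, NULL);` next to the `NM_OPENVPN_KEY_TLS_CRYPT` check so a future change that routes tls-crypt back through `NM_OPENVPN_KEY_TA` fails the test. The fixtures `tls2.ovpn` and `keys/46.key` the test reads are not part of this diff, so I assume they arrive in another commit of the series; if `tls2.ovpn` carries a direction token on its tls-crypt line it would also be worth a case that confirms the importer's handling of it.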
@@ -399,6 +464,42 @@ test_tls_export (void)
g_free (path);
}
+#undef TLS_EXPORTED_NAME
+#define TLS_EXPORTED_NAME "tls2.ovpntest"
+static void
+test_tls_export_2 (void)
+{
+ _CREATE_PLUGIN (plugin);
+ NMConnection *connection;
+ NMConnection *reimported;
+ char *path;
+ gboolean success;
+ GError *error = NULL;
+
+ connection = get_basic_connection (plugin, SRCDIR, "tls2.ovpn");
+ g_assert (connection);
+
+ path = g_build_path ("/", TMPDIR, TLS_EXPORTED_NAME, NULL);
+ success = nm_vpn_editor_plugin_export (plugin, path, connection, &error);
+ g_assert_no_error (error);
+ g_assert (success);
+
+ /* Now re-import it and compare the connections to ensure they are the same */
+ reimported = get_basic_connection (plugin, TMPDIR, TLS_EXPORTED_NAME);
+ (void) unlink (path);
+ g_assert (reimported);
+
+ /* Clear secrets first, since they don't get exported, and thus would
+ * make the connection comparison below fail.
+ */
+ remove_secrets (connection);
+ g_assert (nm_connection_compare (connection, reimported, NM_SETTING_COMPARE_FLAG_EXACT));
+
+ g_object_unref (reimported);
+ g_object_unref (connection);
+ g_free (path);
+}
+
static void
test_pkcs12_import (void)
{
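Review bot: Redefining `TLS_EXPORTED_NAME` with `#undef` / `#define` just above test_tls_export_2 is fragile: the macro's meaning now depends on textual position in the file, and anyone adding a test between the two definitions picks up the wrong name without warning. A distinct identifier such as `#define TLS2_EXPORTED_NAME "tls2.ovpntest"` used only in this function, or a function-local `static const char *exported_name = "tls2.ovpntest";`, removes the `#undef` and keeps test_tls_export's name meaningful on its own.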
@@ -1406,6 +1507,9 @@ int main (int argc, char **argv)
_add_test_func_simple (test_tls_inline_import);
_add_test_func_simple (test_tls_export);
+ _add_test_func_simple (test_tls_import_2);
+ _add_test_func_simple (test_tls_export_2);
+
_add_test_func_simple (test_pkcs12_import);
_add_test_func_simple (test_pkcs12_export);
diff --git a/shared/nm-service-defines.h b/shared/nm-service-defines.h
index a70201b..86a0233 100644
--- a/shared/nm-service-defines.h
+++ b/shared/nm-service-defines.h
@@ -65,6 +65,7 @@
#define NM_OPENVPN_KEY_DEV_TYPE "dev-type"
#define NM_OPENVPN_KEY_TUN_IPV6 "tun-ipv6"
#define NM_OPENVPN_KEY_TLS_CIPHER "tls-cipher"
+#define NM_OPENVPN_KEY_TLS_CRYPT "tls-crypt"
#define NM_OPENVPN_KEY_TLS_REMOTE "tls-remote"
#define NM_OPENVPN_KEY_VERIFY_X509_NAME "verify-x509-name"
#define NM_OPENVPN_KEY_REMOTE_CERT_TLS "remote-cert-tls"
diff --git a/src/nm-openvpn-service.c b/src/nm-openvpn-service.c
index 4dbf196..37e4465 100644
--- a/src/nm-openvpn-service.c
+++ b/src/nm-openvpn-service.c
@@ -175,6 +175,7 @@ static const ValidProperty valid_properties[] = {
{ NM_OPENVPN_KEY_DEV_TYPE, G_TYPE_STRING, 0, 0, FALSE },
{ NM_OPENVPN_KEY_TUN_IPV6, G_TYPE_STRING, 0, 0, FALSE },
{ NM_OPENVPN_KEY_TLS_CIPHER, G_TYPE_STRING, 0, 0, FALSE },
+ { NM_OPENVPN_KEY_TLS_CRYPT, G_TYPE_STRING, 0, 0, FALSE },
{ NM_OPENVPN_KEY_TLS_REMOTE, G_TYPE_STRING, 0, 0, FALSE },
{ NM_OPENVPN_KEY_VERIFY_X509_NAME, G_TYPE_STRING, 0, 0, FALSE },
{ NM_OPENVPN_KEY_REMOTE_CERT_TLS, G_TYPE_STRING, 0, 0, FALSE },
@@ -1576,20 +1577,24 @@ nm_openvpn_start_openvpn_binary (NMOpenvpnPlugin *plugin,
}
add_openvpn_arg (args, "--auth-nocache");
- /* TA */
- tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_TA);
+ /* tls-crypt */
+ tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_TLS_CRYPT);
if (tmp && tmp[0]) {
- tmp2 = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_TA_DIR);
- if (tmp2 && strlen (tmp2)) {
+ add_openvpn_arg (args, "--tls-crypt");
+ add_openvpn_arg_utf8safe (args, tmp);
+ } else {
+ /* tls-auth */
+ tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_TA);
+ if (tmp && tmp[0]) {
add_openvpn_arg (args, "--tls-auth");
add_openvpn_arg_utf8safe (args, tmp);
- add_openvpn_arg (args, tmp2);
- } else {
- add_openvpn_arg (args, "--tls-crypt");
- add_openvpn_arg_utf8safe (args, tmp);
+
+ tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_TA_DIR);
+ if (tmp && tmp[0])
+ add_openvpn_arg (args, tmp);
}
}
-
+
/* tls-remote */
tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_TLS_REMOTE);
if (tmp && tmp[0]) {
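Review bot: When both `NM_OPENVPN_KEY_TLS_CRYPT` and `NM_OPENVPN_KEY_TA` are set, the new `if`/`else` silently drops the tls-auth key and direction in favour of `--tls-crypt`, with no diagnostic; a user whose profile ends up with both (which the importer and exporter in this same commit allow) gets a connection that behaves differently from the file they wrote. I would log a warning with whatever helper this file uses before the `else` branch is skipped, e.g. a comment such as `/* tls-crypt and tls-auth are mutually exclusive in OpenVPN; prefer tls-crypt and ignore tls-auth. */` plus the warning itself. Note also that connections saved before this commit with a tls-crypt key under `NM_OPENVPN_KEY_TA` and no `NM_OPENVPN_KEY_TA_DIR` now launch openvpn with `--tls-auth <key>` (the old code chose `--tls-crypt` for that shape), so unless commit 4/4 migrates stored connections those profiles will stop connecting; this deserves a comment at the `/* tls-auth */` line. nm_openvpn_start_openvpn_binary begins and ends outside this hunk.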